BIFM Risk Management Event, 8th September 2016
TRANSCRIPT
BIFM North Region: “Risk Management in FM”
Mark Whittaker
Deputy Chair, BIFM North
2 | 2016 Key Learning Event – Risk Management in FM
Welcome & Thanks
Future Events: Workplaces: Fit for purpose?
Today’s Event
Risk Management in FM?
Introduction to today’s speakers
Business Resilience: The Role of Facilities Management
A Case Study
Financial Products Trading Organisation
Pre-IPO
What is Business Resilience?
• A framework of capabilities, enabling resources and information resources designed to establish & support the identified priorities & strategies
• An organisation and programme to ensure that resources and capabilities continue to be fit for purpose
• A joined up process for risk, compliance and operational continuity that produces actionable intelligence
What we needed
• Transparent & auditable
• Easy to operate
• Enterprise wide
• Finger on the pulse
How we…
• Prioritised
• Designed
• Managed
Business Resilience: Protect | Incident Management / Business Continuity / Recovery
• Protect: specific actions for specific threats and regulatory requirements (fire, flood, terrorism, vandalism, utilities, IT systems failure, cyber attack)
• Incident Management / Business Continuity / Recovery: overarching contingency arrangements for loss of availability of specific assets (workplace, access to information & systems, people)
The Big Picture…
• Objectives
• Strategy
• Tactics
• What do we get paid to do?
• If we were prevented from doing it, what kind of reputational, contractual, regulatory and financial exposure would be created?
• What can we do to protect ourselves?
• What if our protective measures were overwhelmed?
• Set the strategy for supporting resources by understanding priorities
Focus…
• Customer “touch points”
• Regulations
Diagram: Workplace | Information Systems | Materials & Equipment | Supply Chain
Overarching Strategies for Resilience
• Information Systems
• Workplace
• Critical environments
• Regulatory compliance (Fire Risk, H & S)
• Workplace protection (utilities, flood, terrorism)
• Workforce flexibility
• Access to information systems
• Workforce mobility
Diagram: Threat – Protect – Detect – Respond – Contingency (BCP) – Assure
Threats shown: Power, Water, Terrorism, Flood/Escape of Water, Regulatory compliance, Vandalism
Workplace Resilience Framework
• PPM Schedule for regulatory obligations and general workplace resilience
• Special focus on critical environments
– Establish capability
– Verify capability
• Documented strategy
PPM Schedule
Critical Environments: where IT systems meet the physical world
• UPS
– Server Room
– Comms room(s)
– Trading Desks
• Environmental monitoring & sensor equipment
• “out of bounds” alerting
• Two stage work area recovery
Critical Environments Need TLC!!
• Moves, adds & changes
– People
– Equipment
• Factor into change management
• Audit your UPS
Business Continuity (for the FM)
• Incident Management
– Evacuation Management
– Emergency Services liaison (building plans)
• Recovery & Restoration
– Workplace impact assessment
– Relocation logistics
– Repair, restoration & relocation
– Contractor management
Joined up Resilience Management…
Priorities for Resilience
Risk, Compliance & PPM
Critical Environment Strategies
“out of bounds” alerts
Business Continuity Arrangements
Key Messages
• Workplace is a key factor in business resilience – even in the digital world
• Change erodes relevance
– audit & test regularly
• Purpose built, sustainable management systems
©Advent IM Ltd 2016
people places information technology
Mike Gillespie
BIFM – Risk Management in FM event
Cyber Security Risk in FM
Agenda
• Introductions
• When we say ‘cyber’…
• Cyber in FM
• Security and Cyber
• Cyber and Health & Safety
• Collaboration and Governance
• Threat Landscape
• Corporate Risk & Risk Management
• Collaboration & Governance
• Culture
• Questions
Introductions
Mike Gillespie
• Founder and MD of Advent IM Ltd
• Director of Cyber Strategy & Research for The Security Institute
• Member of the CSCSS Global
• Industry commentator and speaker
When we say ‘cyber’…
• The language is welcoming and intuitive
• The parameters are clearly defined
• It’s easy to collaborate across disciplines to get the best overall outcome
• We understand the interconnected nature of our lives
• We take appropriate steps to ensure our resilience and security
• We constantly learn about new threats
• We have a risk-based approach to our organisation as an entity
• IT does security
When we say ‘cyber’…
• Your fridge
• Your TV
• Your car
• Your train
• Your medical aid
• Your aircon
• Your fire and life systems
• Oh, and your corporate network
Threat convergence
Diagram: threat convergence across physical / cyber and work / home
Many Cyber Attacks are only made possible because of Physical vulnerabilities.
Many Physical Attacks are only made possible because of Cyber vulnerabilities. We need to cover ALL of our bases…
The Internet of Things
“With a quadrillion sensors embedded in the environment—all connected by computing systems, software and services—it will be possible to hear the heartbeat of the Earth; impacting human interaction with the globe as profoundly as the Internet has revolutionised communications” Peter Hartwell, senior researcher at HP Labs
Cybersecurity in Facility Management
• FM systems
• BMS
• Security management
• Fire and Life
• Aircon and climate control
Security and Cyber
• Physical security systems
• Networked management
• Collaboration between Security disciplines
• Language challenges – ‘cyber’ is not always intuitive
• Maintaining securely: anti-malware, change management, security updates
Cyber and Health & Safety
• German steel mill
• Polish tram system
• Stuxnet
• Jeep hack (x2)
• S. Korean Nuclear plant
Why this all matters – Security Landscape
Diagram: places, information, people, technology; threats: terror, sabotage, subversion, organised crime, espionage; chemical, biological, radiological, nuclear, cyber
Corporate Risk and Risk Appetite
• Management not avoidance
• Feeding into corporate risk agendas and registers
• Understanding risk appetite to enable:
– Agility
– Secure growth
– Confident collaboration
– Resilient supply chains
• Holistic understanding of Threat and Risk – these things do not work in isolation
Cyber risk management is not cyber risk avoidance
• Agile business environments – global market place
• Complex supply chains
• Security doesn’t arbitrarily say no.
• Risk appetite
• Increasing efficiency and safety of employees as well as quality of work environment
Can we? No, of course not.
Risk, Risk Appetite and Risk Tolerance
Collaboration and Governance
• Understanding Threat and Risk – “What do I need to do?” not “What have I always done?”
• Who do we need to have on board to get this risk properly mitigated?
• Is there senior leadership in place?
• Have we got a framework in place to keep ahead of the game?
• Do we have a clear understanding of accountability and of devolved responsibility?
• Does all of this support and enable business?
Culture
• Leadership
• Governance
• Best practice
• Do as I say not as I do?
• A fish rots from the head, down…
Diagram: C-suite culture → Business management → Business practices → good quality security behaviour or risky security behaviour
“Culture eats strategy for breakfast!” Peter Drucker
Diagram: the culture gap between what our policy says and what we actually do
“Culture eats strategy for breakfast!”
Chart: 80% / 20%
Source: Ponemon 2014, ‘Exposing Cybersecurity Cracks’
80% of respondents say their company’s leaders do not equate losing confidential data with a potential loss of revenue, despite Ponemon Institute research indicating the average cost of an organizational data breach is $5.4 million.
Culture comes from the top...
The 2013 and 2014 Board Governance reports from Thomson Reuters found a worrying lack of security understanding in the Boardroom…
…of their own sensitive and critical information in Board Reports.
2013:
• 79% use private, non-commercial email accounts (e.g. Gmail, Yahoo et al.) to send board documents
• 68% never use a dedicated and exclusive email account that was specifically set up to receive board communications
• 47% never encrypt this sensitive and confidential Board information
2014:
• 60% never or rarely encrypt this sensitive and confidential Board information
• 51% never use a dedicated and exclusive email account that was specifically set up to receive board communications
Data Source: Thomson Reuters Board Governance Report
Chart: “Are you confident Board members destroy all printed and emailed documentation in line with your document retention policy?” (Yes / No / Dunno, 2013 and 2014)
Chart: Print and carry sensitive Board documents (Yes / No/Dunno, 2013 and 2014)
One in ten had a board member who had a computing device either stolen or lost
65% store board communications on mobile devices such as iPads and laptops
2014
Cyber security information is the least requested information by the board… only 32% requesting
2014
• Can you picture a board meeting in progress without any representation from Finance or HR?
• We know there are huge cost implications of a breach but some organisations have NO cyber/information security representation in the Boardroom.
• Only 5% of organisations have a Chief Risk Officer, and the majority of organisations (56%) align Information Security with their IT policy rather than with their Risk Appetite (38%).
More on culture…
In summary
• Cyber space offers serious risk to FM and Security systems
• Collaboration is king
• Leadership is catching up but needs to get far more involved
• Cultural change is hard but it’s the only way to make a real difference
• We are only ever going to have more IP-enabled kit, not less. Let’s get on top of it right now.
Questions: advent-im.co.uk