BIFM North Region: “Risk Management in FM” Mark Whittaker Deputy Chair, BIFM North


Page 1: BIFM Risk Management Event 8th September 2016

BIFM North Region: “Risk Management in FM”

Mark Whittaker, Deputy Chair, BIFM North

Page 2

2 | 2016 Key Learning Event – Risk Management in FM

Page 3

Welcome & Thanks

Page 4

Future Events: Workplaces: Fit for purpose?

Page 5

Today’s Event

Page 6

Risk Management in FM?

Page 7

Introduction to today’s speakers

Page 8

Business Resilience: The Role of Facilities Management

A Case Study: Financial Products Trading Organisation, Pre-IPO

Page 9

What is Business Resilience?

• A framework of capabilities, enabling resources and information resources designed to establish & support the identified priorities & strategies

• An organisation and programme to ensure that resources and capabilities continue to be fit for purpose

• A joined up process for risk, compliance and operational continuity that produces actionable intelligence

Page 10

What we needed

• Transparent & auditable

• Easy to operate

• Enterprise wide

• Finger on the pulse

Page 11

Page 12

How we…

• Prioritised

• Designed

• Managed

< Business Resilience >

Protect: specific actions for specific threats and regulatory requirements

– Fire, flood, terrorism, vandalism, utilities, IT systems failure, cyber attack

Incident Management / Business Continuity / Recovery: overarching contingency arrangements for loss of availability of specific assets

– Workplace

– Access to information & systems

– People

Page 13

The Big Picture…

• Objectives

• Strategy

• Tactics

• What do we get paid to do?

• If we were prevented from doing it, what kind of reputational, contractual, regulatory and financial exposure would be created?

• What can we do to protect ourselves?

• What if our protective measures were overwhelmed?

• Set the strategy for supporting resources by understanding priorities

Page 14

Focus…

• Customer “touch points”

• Regulations

Diagram: Workplace, Information Systems, Materials & Equipment, Supply Chain

Page 15

Overarching Strategies for Resilience

• Information Systems

• Workplace

• Critical environments

• Regulatory compliance (Fire Risk, H & S)

• Workplace protection (utilities, flood, terrorism)

• Workforce flexibility

• Access to information systems

• Workforce mobility

Diagram (matrix): columns Threat, Protect, Detect, Respond, Contingency (BCP), Assure; rows Power, Water, Terrorism, Flood/Escape of Water, Regulatory compliance, Vandalism

Page 16

Workplace Resilience Framework

• PPM Schedule for regulatory obligations and general workplace resilience

• Special focus on critical environments

– Establish capability

– Verify capability

• Documented strategy

Page 17

PPM Schedule

Page 18

Critical Environments: Where IT systems meet the physical world

• UPS

– Server Room

– Comms room(s)

– Trading Desks

• Environmental monitoring & sensor equipment

• “out of bounds” alerting

• Two stage work area recovery

Page 19

Critical Environments Need TLC!

• Moves, adds & changes

– People

– Equipment

• Factor into change management

• Audit your UPS

Page 20

Critical Environments Need TLC!

Page 21

Business Continuity (for the FM)

• Incident Management

– Evacuation Management

– Emergency Services liaison (building plans)

• Recovery & Restoration

– Workplace impact assessment

– Relocation logistics

– Repair, restoration & relocation

– Contractor management

Page 22

Joined up Resilience Management…

Diagram: Priorities for Resilience; Risk, Compliance & PPM; Critical Environment Strategies; “out of bounds” alerts; Business Continuity Arrangements

Page 23

Key Messages

• Workplace is a key factor in business resilience, even in the digital world

• Change erodes relevance

– audit & test regularly

• Purpose built, sustainable management systems

Page 24

©Advent IM Ltd 2016

people places information technology

Mike Gillespie

BIFM – Risk Management in FM event

Cyber Security Risk in FM

Page 25

Agenda

• Introductions

• When we say ‘cyber’…

• Cyber in FM

• Security and Cyber

• Cyber and Health & Safety

• Collaboration and Governance

• Threat Landscape

• Corporate Risk & Risk Management

• Collaboration & Governance

• Culture

• Questions

Page 26

Introductions

Mike Gillespie

• Founder and MD of Advent IM Ltd

• Director of Cyber Strategy & Research for The Security Institute

• Member of the CSCSS Global

• Industry commentator and speaker

Page 27

When we say ‘cyber’…

• The language is welcoming and intuitive

• The parameters are clearly defined

• It’s easy to collaborate across disciplines to get the best overall outcome

• We understand the interconnected nature of our lives

• We take appropriate steps to ensure our resilience and security

• We constantly learn about new threats

• We have a risk-based approach to our organisation as an entity

• IT does security

Page 28

When we say ‘cyber’…

• Your fridge

• Your TV

• Your car

• Your train

• Your medical aid

• Your aircon

• Your fire and life systems

• Oh, and your corporate network

Page 29

Threat convergence

Diagram labels: physical, cyber, work, home (some images courtesy of mapichai at FreeDigitalPhotos.net)

Many Cyber Attacks are only made possible because of Physical vulnerabilities.

Many Physical Attacks are only made possible because of Cyber vulnerabilities. We need to cover ALL of our bases…

Page 30

The Internet of Things

“With a quadrillion sensors embedded in the environment—all connected by computing systems, software and services—it will be possible to hear the heartbeat of the Earth; impacting human interaction with the globe as profoundly as the Internet has revolutionised communications” Peter Hartwell, senior researcher at HP Labs

Page 31

Cybersecurity in Facility Management

• FM systems

• BMS

• Security management

• Fire and Life

• Aircon and climate control

Page 32

Security and Cyber

• Physical security systems

• Networked management

• Collaboration between Security disciplines

• Language challenges

– ‘Cyber’ is not always intuitive

• Maintaining securely

– Anti-malware

– Change management

– Security updates

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Page 33

Cyber and Health & Safety

• German steel mill

• Polish tram system

• Stuxnet

• Jeep hack (x2)

• S. Korean nuclear plant

Page 34

Why this all matters: Security Landscape

Diagram labels: places, information, people, technology; terror, sabotage, subversion, organised crime, espionage; chemical, biological, radiological, nuclear, cyber

Page 35

Corporate Risk and Risk Appetite

• Management not avoidance

• Feeding into corporate risk agendas and registers

• Understanding Risk appetite to enable

– Agility

– Secure growth

– Confident collaboration

– Resilient supply chains

• Holistic understanding of Threat and Risk

– These things do not work in isolation

Page 36

Cyber risk management is not cyber risk avoidance

• Agile business environments – global market place

• Complex supply chains

• Security doesn’t arbitrarily say no.

• Risk appetite

• Increasing efficiency and safety of employees as well as quality of work environment

Some images courtesy: Boaz Yiftach at FreeDigitalPhotos.net

Can we? No, of course not.

Page 37

Risk, Risk Appetite and Risk Tolerance

Page 38

Collaboration and Governance

• Understanding Threat and Risk: “What do I need to do?”, not “What have I always done?”

• Who do we need to have on board to get this risk properly mitigated?

• Is there senior leadership in place?

• Have we got a framework in place to keep ahead of the game?

• Do we have a clear understanding of accountability and of devolved responsibility?

• Does all of this support and enable business?

Picture courtesy of winnond at FreeDigitalPhotos.net

Page 39

Culture

• Leadership

• Governance

• Best practice

• Do as I say, not as I do?

• A fish rots from the head, down…

Page 40

Diagram: C-suite culture → Business management → Business practices → Good quality security behaviour / Risky security behaviour

Page 41

“Culture eats strategy for breakfast!” Peter Drucker

Diagram: the culture gap between what our policy says and what we actually do

Page 42

“Culture eats strategy for breakfast!”

Chart: 80% / 20% (Source: Ponemon 2014, ‘Exposing Cybersecurity Cracks’)

80% of respondents say their company’s leaders do not equate losing confidential data with a potential loss of revenue, despite Ponemon Institute research indicating the average cost of an organizational data breach is $5.4 million.

Culture comes from the top...

Page 43

The 2013 and 2014 Board Governance reports from Thomson Reuters found a worrying lack of security understanding in the Boardroom… of their own sensitive and critical information in Board Reports.

2013:

• 79% use private, non-commercial email accounts (e.g. Gmail, Yahoo et al) to send board documents

• 68% never use a dedicated and exclusive email account that was specifically set up to receive board communications

• 47% never encrypt this sensitive and confidential Board information

2014:

• 60% never or rarely encrypt this sensitive and confidential Board information

• 51% never use a dedicated and exclusive email account that was specifically set up to receive board communications

Data Source: Thomson Reuters Board Governance Report. Some images courtesy of freedigitalphotos.net

Page 44

Charts (Yes / No / Dunno, 2013 vs 2014): “Are you confident Board members destroy all printed and emailed documentation in line with your document retention policy?” and Print and carry sensitive Board documents. Percentages shown on the slide: 55%, 33%, 34%, 33%, 56%, 40%, 60%.

Data Source: Thomson Reuters Board Governance Report. Some images courtesy of freedigitalphotos.net

Page 45

One in ten had a board member who had a computing device either stolen or lost.

65% store board communications on mobile devices such as iPads and laptops (2014).

Cyber Security information is the least requested information by the board... only 32% requesting… (2014).

Data Source: Thomson Reuters Board Governance Report. Some images courtesy of freedigitalphotos.net

Page 46

More on culture…

• Can you picture a board meeting in progress without any representation from Finance or HR?

• We know there are huge cost implications of a breach but some organisations have NO cyber/information security representation in the Boardroom.

• Only 5% of organisations have a Chief Risk Officer, and the majority of organisations (56%) align Information Security with their IT policy and not with their Risk Appetite (38%).

Page 47

In summary

• Cyber space offers serious risk to FM and Security systems

• Collaboration is king

• Leadership is catching up but needs to get far more involved

• Cultural change is hard but it’s the only way to make a real difference

• We are only ever going to have more IP enabled kit, not less. Let’s get on top of it right now.

Page 48

Questions

advent-im.co.uk