Ocean Park Corporation Enterprise Risk Management System
TRANSCRIPT
Enterprise Risk Management (ERM)
Speaker: Mr. Matthias Li Deputy Chief Executive & Chief Financial Officer Ocean Park Corporation Hong Kong
Agenda
• Goal of ERM
• Structure and Processes of an ERM System
• Risk Assessments and Controls
• Crisis Management, Emergency Responses and Business Continuity
Ocean Park Hong Kong
Ocean Park - Waterfront
Ocean Park - Summit
ERM at Ocean Park
Milestone Dates
• 1985: First Safety Committee
• 1995: First Emergency Response Plan
• 2001: Setting up of EHS Department
• 2006: Enterprise Risk Management
• 2007: Crisis Management Plan
• 2007: Revamped Emergency Response Plan
• 2008: Strategic / Corporate Risk Register
• 2008: Operational Risk Register
• 2010: Project Risk Register
• 2011: Divisional Operational Risk Registers
• 2012: Business Continuity Plan
On August 13, 1995, at 2:17am ...
Landslide Occurred
Landslide incident at Ocean Park - 1995
Collapsed Road Surface
Immediate Impacts
Blocked the ONLY vehicular access to the Summit
The Summit area was closed for 2 weeks
Power failure and no water supply
Limited daily capacity
One-third Admission Fee
…etc.
First Emergency Plan
First Emergency Plan established
– Combining elements in on-site emergency handling and crisis management at a corporate level
EHS Department
Set up Environmental, Health & Safety (EHS) Department
– A CORPORATE function
– Systematically oversees EHS management system of the Park
Sr. EHS Manager
• Environmental Team
• Health & Safety Team
Master Redevelopment Project (MRP)
• US$710 Million redevelopment project
• Increased number of attractions from 35 to 70
• Commenced in 2006 and completed in 2012
Expansion of OP - Attendance
Annual Attendance (million), by year:
• 1995/96: 3.02
• 2001/02: 3.39
• 2006/07: 4.92
• 2009/10: 5.09
• 2010/11: 5.89
• 2011/12: 7.08
Expansion of OP - Headcount
Headcount, by year:
• 1995/96: 735
• 2001/02: 775
• 2006/07: 1,038
• 2009/10: 1,384
• 2010/11: 1,566
• 2011/12: 1,856
Expansion of OP – Revenue, OPEX & Fixed Assets
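Figures in US$ million, by year:
• 1995/96: Gross Revenue 52.93; Gross Fixed Assets 150.84; Opex 32.39
• 2001/02: Gross Revenue 68.77; Gross Fixed Assets 193.42; Opex 43.48
• 2006/07: Gross Revenue 114.19; Gross Fixed Assets 202.71; Opex 71.23
• 2009/10: Gross Revenue 132.13; Gross Fixed Assets 396.77; Opex 92.13
• 2010/11: Gross Revenue 165.94; Gross Fixed Assets 869.42; Opex 112.00
• 2011/12: Gross Revenue 211.48; Gross Fixed Assets 933.55; Opex 123.48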
ERM Launched!
In view of the Park’s expansion, the Enterprise Risk Management (ERM) System is set up to identify and manage risks in a Proactive & Systematic manner.
ERM Structure
Risk Management System Document
Sets out:
– Risk Management Policy
– Roles and Responsibilities
– Minimum requirements, etc. for Risk Management within Ocean Park
Risk Registers
• Strategic & Corporate Risk Register
• Operational Risk Register
• Occupational Health & Safety Risk Register
• Contract Risk Registers
OPC’s vulnerabilities & capabilities, as documented in the risk registers, inform the contents of Response Plans
Business Continuity Management Response Plans
• Strategic Response: Crisis Management Plan
• Tactical Response: Emergency Response Plan, Business Continuity Plan
• Operational Response: Departmental Recovery Plans A, B, C, D
Ocean Park Risk Management Policy
Risk Management Policy
Recognises risk is an INHERENT part of our business
Commitment to identifying & managing risks in a PROACTIVE AND SYSTEMATIC MANNER
Risk Management Policy
Risk
• Future uncertain event that impacts upon objectives
ERM System covers
• Normal business risks
• Extreme risks (i.e. sudden / dramatic events and require immediate management)
• Business Continuity Management
Risk Management Policy
By understanding and managing DOWNSIDE risks, we:
• Protect staff, guests, neighbours, and the animal collection
• Ensure business continuity
• Minimize negative financial impacts
• Protect reputation & standing
Risk Management Policy
• Risks, for all aspects of business & projects, will be:
– Identified
– Assessed
– Controlled
Risk Management Policy - Responsibilities
Board
• Oversee the overall implementation of the ERM System
Chief Executive
• Review the ongoing effectiveness of the ERM System
• Report the risk profiles to the Board in a timely manner
Deputy Chief Executive & CFO
• Manage risks in collaboration with the Risk Management Committee and the Senior EHS Manager
• Ensure the effective implementation and maintenance of the ERM System
Goals of ERM
• Reducing Loss
• Achieving Company Objectives
ERM Process
• The process by which the probable gains and losses associated with an activity are identified, evaluated, and controlled
– Identification
– Evaluation
– Control
ERM Looks at Risk!
Risk
• CHANCE of something happening
• Impact upon BUSINESS OBJECTIVES
Strategic & Corporate Objectives
1. Community Education
To provide & promote conservation awareness in the global community through education, research funding and direct involvement
2. Competitive position
To sustain market share from Hong Kong guests, grow international guests & diversify guest markets
3. Financial Performance
To sustain an operating surplus to fund ongoing operations, enable reinvestment & service future debt associated with redevelopment with adequate contingency reserve funds
4. Employees
To attract and retain capable, reliable and engaged employees
5. Project Viability
To deliver a facility that meets the needs of Ocean Park and its key stakeholders
Operational Objectives
1. Community Participation
To enable participation in Ocean Park’s activities amongst all community members regardless of financial position or physical and mental ability
2. Animal Welfare
To ensure all animals in Ocean Park’s care are and remain physically healthy and mentally enriched
3. Natural Environment
To continuously reduce adverse impacts to air, land, water, flora, fauna associated with our operations & to contribute financially to environmental improvement programs
4. Customer Satisfaction
To maximize customer satisfaction with our people, facilities, entertainment & events
5. Health & Safety
To provide an injury free environment for all people
6. Standards
To maintain high status in global zoological community including AZA accreditation whilst meeting all other relevant compliance requirements
7. Business Continuity
To constantly maintain business as usual ensuring full preparedness for out of usual events
8. Project Completion
To complete all projects on time, within budget, and with minimal disruption to existing facilities
Risk Categories
Downside Risks
Upside Risks
Downside Risks
Slip and Fall
Abrasion
Sore Shoulder
Cut
Downside risks = Health & Safety??
Safety & ERM
Downside Risk is MORE THAN just Health & Safety…
It is an integral part of the Enterprise Risk Management (ERM)
Risks at Enterprise Level
Enterprise Risks
• Health & Safety risks
• Marketing risks
• Political / regulatory risks
• Reputational risks
• Financial risks
• Business Continuity risks
• Customer satisfaction risks
There are other types of ENTERPRISE risks!
Risk Identification
• Business downturn
• Competitions
• Terrorism
• Animal activists
• Change in government policies
• Landslide
• Employee turnover & retention
• Ride incident
• Animal escape & attack
• Major power failure
Risk Evaluation
• Analyze the risk by considering the CONSEQUENCES and their LIKELIHOOD; and “calculate” the risk rating
Consequence
Outcome of a risk source affecting BUSINESS OBJECTIVES
Risk Sources & Consequences
Risk Sources
• Massive Fire at an Exhibit
Business Objectives Being Impacted
• Customer Satisfaction
• Competitive position & financial performance
Consequences
• Reduced attendance causing less revenue
• Reduced guest experience damaging reputation
Example of Consequence at Themed Park Industry
• Ride accident - Guest Injury / Fatality
• Loss of a coaster due to Hurricane Sandy
• Bad news on newspaper - Reputational Loss!
Consequences Rating
Level 1, Insignificant
– Financial (HKD): < X1
– Health & Safety: No medical treatment required
– Social & Natural Environment: Limited damage to minimal area of low significance
– Reputation & Brand: Public concern restricted to local complaints about OPC brand
– Compliance: Single minor breach of law with formal complaint
Level 2, Minor
– Financial (HKD): X1 – X2
– Health & Safety: Minor first aid – no disabling
– Social & Natural Environment: Minor effects on biological or physical or social environment
– Reputation & Brand: Minor, adverse local public or media attention or complaints about OPC brand
– Compliance: Multiple minor breaches of laws with formal complaints or standard requiring rectification
Level 3, Moderate
– Financial (HKD): X2 – X3
– Health & Safety: Disabling incident requiring medical treatment with no permanent impact
– Social & Natural Environment: Moderate, short-term effects but not affecting ecosystem function or ongoing social issues
– Reputation & Brand: Attention from media and/or heightened concern by local community complaints about OPC brand
– Compliance: Minor breach of laws resulting in prosecution. Failure to meet standard audits
Level 4, Significant
– Financial (HKD): X3 – X4
– Health & Safety: Serious (permanent disabling injury that was life threatening – “near miss”)
– Social & Natural Environment: Serious medium term environmental effects or ongoing serious social issues
– Reputation & Brand: Significant adverse national media and public attention impacting on OPC brand
– Compliance: Single significant breach of laws resulting in prosecution. Failure to meet standard audits
Level 5, Major
– Financial (HKD): X4 – X5
– Health & Safety: A fatality, or very serious irreversible injury to a small number of people in localized area
– Social & Natural Environment: Very serious, long-term environmental impairment of ecosystem function or ongoing widespread social impacts
– Reputation & Brand: Serious public or media outcry, international coverage with significant impact on OPC brand
– Compliance: Multiple significant breaches of laws. Single loss of certification to international standard
Level 6, Critical
– Financial (HKD): X5 – X6
– Health & Safety: Multiple fatalities, or very serious irreversible injury to multiple persons in localized area
– Social & Natural Environment: Significant impact on highly valued species, habitat, or ecosystem or breakdown in social order
– Reputation & Brand: International media condemnation with major impact on OPC brand
– Compliance: Single major breach of laws. Loss of multiple certifications to internal standards
Level 7, Catastrophic
– Financial (HKD): > X6
– Health & Safety: Over 10 fatalities or very serious irreversible injury to broad group of persons across many areas
– Social & Natural Environment: Very significant impact on highly valued species, habitat or ecosystem or complete breakdown in social order
– Reputation & Brand: Prolonged international condemnation with permanent damage to OPC brand
– Compliance: Multiple major breaches of laws resulting in imprisonment of executives. Loss of license to operate
Likelihood
• Frequency of happening
• Could be quantified
– Once in a month
– Twice a year
– Once in 5 years
– Once in 20 years
– … etc.
• Also named as - Probability
Likelihood Rating
Level 1, Extremely remote
– Description: The event is not expected to occur in most circumstances
– Frequency: Less than once in 100 years
Level 2, Remote
– Description: The event is not expected
– Frequency: At least once in 100 years
Level 3, Rare
– Description: The event may occur only in exceptional circumstances
– Frequency: At least once in 50 years
Level 4, Unlikely
– Description: The event could occur at some time
– Frequency: At least once in 25 years
Level 5, Possible
– Description: The event should occur at some time
– Frequency: At least once in 10 years
Level 6, Likely
– Description: The event will probably occur in most circumstances
– Frequency: At least once in 2 years
Level 7, Almost certain
– Description: The event is expected to occur in most circumstances
– Frequency: At least once per year
Quantifying Risk
• Risk = probability of an event times its consequences
Or Consequence x Likelihood
• Risk is now expressed as: Quantified monetary loss
Quantifying Risk
RISK = CONSEQUENCES (1 – 7) X LIKELIHOOD (1 – 7)
• Based on a 7 x 7 risk matrix
• Therefore, Risk Rating ranges from 1 (1x1) to 49 (7x7)
7 x 7 Risk Matrix
Risk Rating = Consequences x Likelihood

Likelihood        Consequence Rating
Rating         1    2    3    4    5    6    7
   7           7   14   21   28   35   42   49
   6           6   12   18   24   30   36   42
   5           5   10   15   20   25   30   35
   4           4    8   12   16   20   24   28
   3           3    6    9   12   15   18   21
   2           2    4    6    8   10   12   14
   1           1    2    3    4    5    6    7

Risk Rating    Descriptor
28 – 49        Catastrophic
21 – 27        Major
14 – 20        Moderate
7 – 13         Minor
1 – 6          Insignificant
Inherent Risks
• Outcome: Inherent Risk Rating (1 – 49)
i.e. Risk rating BEFORE any control measures are implemented
Risk Controls
Inherent Risk
Risk Control
Reducing Consequence
Reducing Likelihood
Hierarchy of Risk Control
Preference, from Most Effective to Less Effective:
• Eliminate
• Avoid
• Reduce
• Mitigate
• Transfer Risk Custody (residual risk)
Residual Risks
• Take the risk controls into account, calculate the Residual Risk Rating
i.e. Risk rating AFTER control measures have been implemented and considered
Risk Controls
Inherent Risk
Risk Control
Reducing Consequence
Reducing Likelihood
Lowering Risk Level: Residual Risk
Bring down risk rating
Outcome: Risk Register
OP’s Risk Registers
• Strategic / Corporate Risk Register
• Operational Risk Register
• Project Risk Register
• Operational Risk Registers at Business Unit levels
On-going Monitoring & Review
Identify changes on:
• Business environment
• Risk profile
• Progress of risk controls
Crisis & Emergency
• Separate Emergency Plan into:
– Crisis Management Plan
– Emergency Response Plan
Crisis Management Plan
Guide & support the strategic response at a corporate level when a risk event occurs
• Determine the immediate response of the Park
• Minimize the short, medium and long term impacts to the Park
Risk Event = Unexpected & outside the normal course of business, and requires priority attention until controlled
Crisis Management Plan
• Incident reporting & escalation
• Formation of Crisis Management Team & responsibilities
• Definition of Crisis Levels 1 to 3
• Setting of Emergency Control and Information Center (ECIC)
• Checklists for collecting facts & prioritizing tasks
• Media & communication handling
• …etc.
Crisis Levels
Level 1
– Potential Human Impact: Minor First Aid – no disabling impact; no other threat; Guests trapped for < X minutes
– Potential Environmental or Animal Impact: Minor effect on biological or physical environment. Containable.
– Potential Operational Impact: Temporary stoppage of ride or facility
– Potential Reputation Impact: Complaints, no media interest
– Ocean Park Response: Activate Emergency Response Team (ERT) where appropriate
Level 2
– Potential Human Impact: Medically treated injury; threat to other guests; guests trapped for > X minutes.
– Potential Environmental or Animal Impact: Moderate, short-term effects. Potentially difficult to contain. Loss of mammal.
– Potential Operational Impact: > X minutes stoppage of ride or facility with guests trapped
– Potential Reputation Impact: Minor, adverse local public or media attention and complaints
– Ocean Park Response: Activate site ERT. Activate Crisis Management Team (CMT) where appropriate
Level 3
– Potential Human Impact: Major injury or fatality
– Potential Environmental or Animal Impact: Serious medium term environmental impacts. Loss of more than one mammal.
– Potential Operational Impact: Serious disruption to large area of park
– Potential Reputation Impact: Significant adverse media / public / NGO attention
– Ocean Park Response: Activate ERT and CMT
Emergency Response Plan
Guide & support on tactical response for emergency phase when a risk event occurs
• Protect the safety of people & animals
• Minimize the damages to the Park’s properties
Emergency Response Plan
Covering areas of:
• Rescue & life-saving
• Contain damages
• Evacuation & crowd control
• Emergency transportation service
• Manpower deployment
• Emergency Guest Service…etc.
Business Continuity
Business Continuity Plan
• Established Business Continuity Plan (BCP)
• Supported by various Departmental Recovery Plans at operational level
Business Continuity Plan
Guide & support on tactical response to resume normal operation
• Resume normal operation within the SHORTEST time
• LIMIT THE DISRUPTIONS on the business critical activities
Business Critical Activities
• Maintain health of animal collection
• Maintain adequate revenue
• Meet customer expectations
Business Continuity - Example
Finance main office burnt down
Finance office is not able to function as normal
Affected Functions
• Purchasing
• Payroll
• Ticket Admission
Business Continuity:
• Relocate to other cashier office
• Home offices
Business Continuity Plan
Covering areas of:
Monitoring & notification procedures
Maximum Tolerable Period of Disruption
Procedures to prioritize responses & recovery efforts
Drill Exercises
Drills Conducted in 2012, by category:
• Rides Rescue: 258
• Fire drill: 18
• Biological / Chemical Leakage: 4
• Animal Escape / Attack: 4
• Miscellaneous: 5
• Total: 289
Fire Drill in Office Buildings
Ride Rescue Drill - Eagle
Ride Rescue Drill – Crazy Galleon
– Night time drill!
Open Water Rescue
– Scuba diver missing in open water
Water Rescue Drill – Grand Aquarium
– Drill for snorkeling activity
Cable Car Vertical Rescue Drill
Panda Escape Drill
Biological Spillage Drill
Crisis Management in Action!
ERM Organization
Roles shown on the chart:
• Board
• Chief Executive
• Deputy CE & CFO
• EHS Department
• Risk Management Committee
• Risk Owners
• Risk Coordinators
Responsibilities shown on the chart:
• 1. Review risk reports & controls 2. Oversee the ERM implementation
• 1. Direct ERM & report to the Board
• 1. Implement ERM 2. Review progress of ERM & risk controls
• 1. Oversee & review the risk profile 2. Monitor risk controls
• 1. Oversee the ERM operation 2. Administer risk registers & produce risk reports 3. Support CMP implementation 4. Maintain BCM Response Plans
• 1. Monitor risks 2. Ensure adequate controls 3. Review risk profile
• 1. Assist Risk Owner to follow up on risk controls
Making ERM a Successful One!
• Get LEADERSHIP SUPPORT
• ERM is MORE THAN JUST SAFETY
• Engage ALL staff
• Continue ERM as an ON-GOING process, not a “one-off” exercise
• INTEGRATE risk management into daily operations
Thank You