INFORMATION AND OPERATIONAL RISK IMT 556 UW Fall

INFORMATION AND OPERATIONAL RISK IMT 556 – UW Fall Quarter 2013 University of Washington

INFORMATION AND OPERATIONAL RISK IMT 556 – UW Fall Quarter 2013 University of Washington Week #3

GONG ZHANG 5 slides with examples of both internal and external fraud in China


3 Real World: Sanlu Group milk scandal 2008
• It was a food safety incident in China, involving milk and infant formula, and other food materials and components, adulterated with melamine. By November 2008, China reported an estimated 300,000 victims, with six infants dying from kidney stones.
• The scandal broke on 16 July 2008, after sixteen infants who had been fed on milk powder produced by Sanlu Group were diagnosed with kidney stones.
• On 19 December, Sanlu secured a loan of ¥902 million to pay medical expenses of and compensation to children affected by tainted milk powder it produced. It was announced on 25 December that Shijiazhuang court accepted a creditor's bankruptcy petition against Sanlu, which reportedly had net debt of ¥1.1 billion.
• Sanlu Group was one of the largest dairy manufacturers; in China, it was the leader of the powdered milk market for 15 years.

4 Reflections
• Board of executives blindly chased market expansion, while paying little attention to risk management.
• Sacrificed the quality of raw milk supplied by dairy farms to win a price war against other competitors.
• Sanlu had little in the way of a concrete inspection process to control the quality of raw milk purchased; it focused only on higher protein content in raw milk.
• The chemical, melamine, appeared to have been added to milk to cause it to appear to have a higher protein content.

5 Real World: Chinese winter storm 2008


6 Real World: Chinese winter storm 2008
• The 2008 Chinese winter storms were a series of winter storm events that affected large portions of southern and central China starting on 25 January 2008 until 6 February 2008.
• It was China's worst winter weather in half a century, which caused extensive economic damage, transportation disruption, and regional electrical grid failure.
• It happened just ahead of the Chinese Lunar New Year holiday, during which nearly 100 million people travel through the country to return to their hometowns. Thus, thousands of people were stranded in railway stations for about a week, resulting in security problems.
• CNN: The weather has paralyzed transportation, frozen the power grid and delivered a $4.5 billion hit to the economy.

7 What’s in the news this past week?
• People
• Process
• Systems
• External Events

Risk and uncertainty
• Operational risk is “the effect of uncertainty upon objectives.” (ISO standard)
• Single greatest cause of uncertainty = Nature
• Magnitude and frequency of storms, hurricanes, earthquakes, tornadoes, flooding is increasing in part because of climate change.
• Today we’re going to look at both real world and case studies around natural disasters.
• Does planning make a difference?

9 Why is Preparedness Critical?
• The indicators listed below will continue to grow:
  • Employee well being and corporate reputation
  • Investor and financial community expectations
  • Customer and partner expectations
  • Government and international standards
  • Technology risks
• Incidents not prepared for are the ones that will cause a company crisis.

Continuity of Operations (COOP)
• In the National Continuity Policy Implementation Plan (NCPIP) and the National Security Presidential Directive, it is defined as:
• “An effort within individual executive departments and agencies to ensure that Primary Mission Essential Functions (PMEFs) continue to be performed during a wide range of emergencies, including localized acts of nature, accidents and technological or attack.”
• What is the Goal of Continuity?
• The ultimate goal of continuity in the executive branch is the continuation of National Essential Functions (NEFs). In order to achieve that goal, the objective for organizations is to identify their Essential Functions (EFs) and ensure that those functions can be continued throughout, or resumed rapidly after, a disruption of normal activities. The Federal Government has an important partnership with other non-federal government entities and with private sector owners and operators who play integral roles in ensuring our homeland security.

Elements of COOP
• Essential Functions
• Order of Succession
• Delegation of Authority
• Alternate Facilities
• Crisis Communications
• Vital Records Management
• Human Capital
• Tests, Training, Exercises
• Devolution of Control and Direction
• Reconstitution

Four Phases of Activation
• Phase I Readiness and Preparedness
• Phase II Activation to Alternate Facilities
• Phase III Continuity of Operations at Alternate Facilities
• Phase IV Resume operations at Primary Location
• You can see this model with the four phases utilized every time FEMA is called in to assist with a natural disaster. Private sector partners directly with FEMA.

13 Best practice continuity questions are also the operational risk questions
• What could a disruptive event look like?
• What are the potential business impacts?
• What are the competitive impacts?
• What are upstream and downstream impacts on value chain?
• What is the level of readiness and resilience of
  • The company
  • Suppliers
  • Distributors
  • Customers

Time To Respond Drives Cost Optimal Response Zone


15 Increasing trends that impact business continuity


Management Motivators
§ Organizational Liability
§ Risk Exposure
§ Previous litigation history
§ Duty of Care
§ What is expected?
§ Anxiety Management
§ Standard of Care
§ What are others doing?

17 Business impact analysis

Potential Events (HIVA)
• Earthquakes
• Cyber and bio threats
• Bomb threats
• Floods
• Tornadoes
• Snowstorms
• Hurricanes
• Civil unrest
• Power outages

Potential Impacts
• Cities uninhabitable
• Buildings unusable
• Internet disabled
• Telecom systems down
• Power disruptions
• Key vendor unavailable
• Personnel are lost
• Data center destroyed

18 Business criticality & dependencies

Core Processes
• Research
• Logistics
• Production planning
• Manufacturing
• Sales

Support Processes
• Technology
• Human Resources
• Security
• Corporate Services
• Facilities Management
• Finance

Abkowitz, “Hurricane Katrina 2005”
• Majority of New Orleans is built lower than sea level
• Levees and floodwalls failed – portions of city under 20’
• Economic loss estimated at $125 billion
• Risk of flooding was well known, as was risk from Category 3 hurricanes (111-130 mph winds, surges between 9-12 feet), which happen every 2 years since the 1800s
• Katrina and flood decimated the civil infrastructure
• Local response poor with failed communications and interoperability problems between first responders even after help arrived
• FEMA was not activated immediately – big lesson here
• Thousands evacuated, 80% of 2,000 who died from Katrina were from New Orleans
• Levees have since been rebuilt – expensive lesson

20 “After Japan 9.0” PWC brochure (Selected) key questions
• Should we reconsider worst case scenario?
• Is continuity planning integrated into overall risk management?
• Do crisis plans include employee needs?
• How well can we manage FUD?
• Do we rehearse crisis communications enough?
• How rigid are our plans? (Agility)
• Do we know our supply chain dependencies?
• Should we plan for longer supply chain disruption?

21 Predictability: high impact/low frequency
• You can rely upon certain types of historic data – Hazard Identification & Vulnerability Analysis (HIVA) and also loss data provide funnels to risk exposure levels;
• Preparation for the worst case event (in the Northwest, it would be either an M9 earthquake or terrorist event) can be designed with enough flex so that same protocols are followed for lower impact/higher frequency events like snowstorms, floods, droughts, extreme cold or heat

22 Three levels of management for disasters
• Executive oversight
• Regional/multiple sites
• Local/Site based

Crisis Management | Emergency Response | Incident Response

97% of all events are local incidents and may not need Crisis Management Team (CMT) activation.

Ideally the CMT should deal with the +/- 3% of situations that are rolled up to them from local teams because they involve
• Requests for extraordinary resources
• Reputational risk considerations/media
• Legal/compliance impacts

23 On the ground
• If continuity plans have been built by the lines of business, then local teams can manage incidents that cover aspects of these interdependencies:
  • People
  • Processes
  • Providers (vendors)
  • Premises
  • Profile

24 97% of events are incidents
• Plans are activated locally, in cooperation with government entities (City, State, FEMA)
• Employees and customers are kept informed to minimize gossip, innuendo, false information
• Crisis Management Team is kept informed via standardized reports and updates sent from the incident management team

25 3% is crisis management
• Priorities for order of recovery and restoration
• Overtime pay
• Temporary closure of facilities
• Additional security for damaged properties
• Additional emergency supplies
• Emergency employee assistance
• Expense threshold overrides
• Evacuating employees from foreign locations
• Shaping the story through internal and external communications

How to mature a CM program
1. Heed high pressure – making decisions under pressure is often by rule of thumb
2. Learn from deviations – operational skews
3. Root cause analysis – not just treating symptom
4. Demand accountability – near miss risk analysis
5. Consider worst case scenarios – Walmart/Katrina
6. Evaluate projects at every stage – “pause and learn” or Gawande’s “pause points” on checklists
7. Reward owning up – reward staff for uncovering near misses, including their own

PWC “Black swans turn grey”
• Title refers to Nassim Nicholas Taleb’s “Black Swans,” unforeseen events with high impacts (9/11)
• Since then, it’s been applied broadly (BP, Arab Spring)
• PWC summarizes three types of organizational risk
  • Known -- those that are planned for
  • Emerging – on radar but not yet 100% clear
  • Black swans – cannot be predicted or avoided
• PWC feels that boards find existing risk management structures and investments are not agile enough to handle rapid evolutions of risks

PWC definitions of risk categories
• Financial – credit, market, insurance, liquidity, currency or commodity risk
• Operational – failures in operational processes and systems including IT or power outages, plant and machinery breaking down, or logistical, safety or environmental problems
• Strategic – failure to respond to shifts, or from changes and/or flawed risk assumptions in the strategy
• AIRMIC study, “Roads to Ruin” done by Cass Business School where dangers of misses are described

Preparedness Impacts Response Time
[Figure: PREPAREDNESS – Planning, Mitigation, Communication, Exercises/Drills]

PWC Figure 1


PWC’s three steps beyond ERM
• Develop a risk aware culture
  • Industry, political and financial environments in which the business sits
• Focus explicitly on risk appetite
  • Greater clarity, starting at the board level, on the actual exposure to risk that the business is willing to take so that executives are not too conservative or too reckless
  • Risk management as everyone’s job
• Align risk and strategy
  • Integrate discussions around both
  • Consider seat on board for CRO
  • Reverse stress testing -- testing extreme impacts beyond control of the business

PWC’s four benefits to achieving wider resilience to unforeseen events
• Holistic and flexible perspective and closer alignment to managing risk with business strategy
• Clearer ownership of risks at the leadership level
• Greater ability to influence and shape personal behavior in light of many examples of a single individual costing a business billions
• A higher market rating, with a rating premium of up to 20%

33 Looking toward next week
• We’ll be looking at manmade disaster next week with the 2007-2008 financial crisis
• Please do all readings, in particular my article on “The Lost Bank”
• Bill Longbrake will discuss “The Rise and Fall of Washington Mutual”
• Please have several questions ready for him
• Please review the week’s events and come prepared to talk about operational risk news events.

QUESTIONS?
