This document discusses implementing enterprise risk management (ERM) at Jabil Circuit Sdn Bhd for fiscal year 2013. It outlines Jabil's objectives, assesses risks through various methods like identifying hazards and risk assessment. It also discusses implementing the Committee of Sponsoring Organizations' ERM framework which includes components like internal environment, objective setting, event identification, and monitoring. The document provides work plans and templates to help Jabil mitigate risks and achieve its safety, health, and business objectives through a continuous ERM process.
Copyright: Attribution Non-Commercial (BY-NC)
Master of Occupational Safety and Health Risk Management
SMRK5103 RISK MANAGEMENT SEPTEMBER SEMESTER 2012 ASSIGNMENT (60%)
Prepared by, Aizuddin Sugara Bin Akbar Jahan (CGS00716430)
Tutor: MOHD RAFEE BAHARUDIN
Executive Summary
This paper discusses Enterprise Risk Management (ERM) at Jabil Circuit Sdn Bhd (Jabil) for the Fiscal Year (1st October 2012 to 31st September 2013). ERM takes a broad perspective on identifying the risks that could cause an organization to fail to meet its strategies and objectives. Several methods for identifying risks are discussed and illustrated with examples from company experience. Once risks are identified, the next issue is to determine their root causes, that is, what drives the risks. A suggested approach is described, followed by a discussion of several qualitative and quantitative procedures for assessing risks. Some practical ERM implementation considerations are also explored, including infrastructure and maturity models, staging adoption, the role of the management accountant, education and training, technology, aligning corporate culture, building a case for ERM, and the ROI of ERM. Jabil Circuit Sdn Bhd, a large organisation whose stakeholders have expectations of business success, can benefit from the tools and methods provided in this paper.
Table of Contents

1. Introduction ... 5
   a. Jabil Circuit Sdn Bhd ... 6
   b. Explanation of Enterprise Risk Management (ERM) ... 7
      i. Definition of Enterprise Risk Management (ERM) ... 9
      ii. Differences of ERM and Traditional Risk Management ... 9
      iii. Benefits of Enterprise Risk Management (ERM) ... 10
      iv. Limitation of Enterprise Risk Management (ERM) ... 12
2. Role of ERM in Occupational Safety and Health ... 14
   a. Identifying hazards ... 15
   b. Assessing associated risks ... 15
   c. Taking action to mitigate risks ... 16
   d. Monitoring the effectiveness ... 16
3. Implementing Enterprise Risk Management (ERM) ... 18
   a. Committee of Sponsoring Organizations ERM ... 20
   b. Relationship of Objectives and Components ... 27
   c. Key Implementation Factors ... 28
4. Work Plan: Target Achievement of Objectives ... 31
   a. Objectives ... 31
5. Work Plan: Components of ERM ... 33
   a. Internal Environment ... 33
      i. Initiative Goal of ERM - Internal Environment ... 36
   b. Objective Setting ... 37
      i. Corporate Background ... 40
      ii. Corporate Risk Summary ... 42
      iii. Jabil's Mission Statement ... 45
      iv. COSO ERM Risk Objective Setting Components ... 46
   c. Event Identification ... 46
   d. Risk Assessment, Response, and Control Activities ... 50
      i. Planning ... 50
      ii. Required Systems ... 51
      iii. Unique Assets ... 56
      iv. Security Profile ... 66
      v. Threat Identification and Resource Requirements for Business Continuity ... 67
   e. Information and Communication ... 77
   f. Monitoring ... 80
      i. Role of Internal Audit ... 81
6. Risk Manager Role ... 85
   a. Analysis of Jabil's Safety and Health Policy in accordance with risk management ... 85
   b. OSH Policy of Jabil Circuit Sdn Bhd ... 86
   c. Discussion of Jabil OSH Policy ... 87
7. Conclusion ... 95
8. References ... 96
Appendix A: Jabil Business Conduct ... 97
Appendix B: Jabil Rules of The Road ... 98
Appendix C: Jabil Integrity Hotline ... 99
Appendix D: Risk Identification Template ... 100
List of Figures

Figure 1 - A Continuous Risk Management Process ... 6
Figure 2 - COSO ERM Framework ... 27
Figure 3 - Industry Portfolio of Risks ... 38
Figure 4 - Components of Objective Setting ... 46
Figure 5 - Flow of Information and Communication ... 79
Figure 6 - Risk Management Process ... 92
Figure 7 - OSH Transformation ... 94
List of Tables

Table 1 - Buildings and their functions ... 7
Table 2 - Differences of ERM and Traditional Risk Management ... 9
Table 3 - ERM Objectives' Categories and their Description ... 22
Table 4 - ERM Components' Description ... 26
Table 5 - Jabil's Objectives ... 32
Table 6 - Key Risk-Oriented Characteristics of Jabil ... 42
Table 7 - Corporate Risk Summary ... 44
Table 8 - Risk Assessment Planning Task ... 51
Table 9 - Required Systems ... 56
Table 10 - Unique Assets ... 66
Table 11 - Security Profile ... 67
Table 12 - Tools in ERM Process of Monitoring ... 83
Table 13 - Jabil OSH Training for Year 2012 ... 91
Table 14 - EHS Objectives and Target ... 93
1. Introduction
In the economic landscape of the 21st century, an organization's business model is constantly challenged by competitors and by events that could give rise to substantial risks. An organization must strive to find creative ways to continuously reinvent its business model in order to sustain growth and create value for stakeholders. Companies make money and increase stakeholder value by engaging in activities that carry some risk, yet stakeholders also tend to appreciate and reward some level of stability in their expected returns. Failure to identify, assess, and manage the major risks facing the organization's business model, however, may unexpectedly result in a significant loss of stakeholder value. Thus, senior leadership must implement processes to manage effectively any substantial risks confronting the organization. This dual responsibility of growing the business and managing risk was noted by Mark Mondello, Chairman and CEO at Jabil Circuit Inc., when he described his position at Jabil: "My job is to figure out how to grow and manage risk and volatility at the same time."
While it may not be possible to eliminate all risks, it is certainly possible to devise measures to prevent them and to control losses and their impacts through proven principles of risk management.
Figure 1 - A Continuous Risk Management Process
a. Jabil Circuit Sdn Bhd
Jabil Circuit Sdn Bhd Malaysia (Jabil) is a multi-national company based in Penang and headquartered in St Petersburg, Florida, USA. Jabil's global operations encompass more than 60 sites on four continents and employ over 100,000 people. Jabil is one of the world's largest Electronic Manufacturing Services (EMS) companies, providing customised design, manufacturing, distribution, and aftermarket services for some of today's largest companies. To ensure continued financial success and growth, Jabil operates in a variety of sectors, including aftermarket services, computing & storage, defence & aerospace, digital home & office, healthcare & instrumentation, industrial & clean tech, materials technology, mobility EMS, networking, and telecommunications.
For the past 16 years, Jabil has experienced double-digit growth due to an unwavering commitment to the right combination of services, industries, locations, systems, and people.
In Penang, Jabil has five buildings that together form one campus of this large organisation, located in the Free Industrial Zone. The five buildings and their main functions are listed below:

Building | Function
Jabil Plant 1 | Facilitates the primary production floor
Jabil Plant 2 | Facilitates the secondary production floor
Jabil Global Business Centre 1 | Supports worldwide operation of Supply Chain Management
Jabil Global Business Centre 2 | Supports worldwide operation of Information Technology and Finance
Jabil After Marketing Services | Supports after-marketing services
Table 1 - Buildings and their functions
b. Explanation of Enterprise Risk Management (ERM)
No entity operates in a risk-free environment, and Enterprise Risk Management (ERM) does not create such an environment. Rather, ERM enables management to operate more effectively in environments filled with risks (R. S. Khatta, 2008).
Enterprise risk can include a variety of factors with potential impact on an organisation's activities, processes, and resources. External factors can result from economic change, financial market developments, and dangers arising in political, legal, technological, and demographic environments. Risks can arise over time, as the public may change its views on products or practices. In terms of Jabil's business operations, we can list a few public views on products and practices such as those below:

- Mobile devices
- Software
- Office appliances
- Computers
- Executive salaries
- Disposable packaging
- Appliance safety
- Manufacturing services from third countries
- Technology
Most of these are beyond the control of Jabil, although Jabil can prepare and protect itself in a timely and efficient way. Internal risks include human error, fraud, systems failure, disrupted production, and so on. Thus, an organisation such as Jabil needs robust, reliable systems to control risks that arise in all facets of its business.
i. Definition of Enterprise Risk Management (ERM)

ERM involves the identification and evaluation of significant risks, the assignment of ownership, and the completion and monitoring of mitigating actions to manage these risks within the risk appetite of the organisation.
The output of ERM is the provision of information that helps management improve business decisions, reduce uncertainty and obtain reasonable assurance regarding the achievement of the organisation's objectives.
Thus, ERM is intended to deliver significant positive progress when an unforeseen or unexpected event occurs. Beyond that, it is designed to improve efficiency and the delivery of services, improve the allocation of resources (capital) to business improvement, create shareholder value and enhance risk reporting to stakeholders.
ii. Differences of ERM and Traditional Risk Management

Traditional Risk Management | ERM
Risk as individual hazards | Risk viewed in context of business strategy
Risk identification and assessment | Risk portfolio development
Focus on discrete risks | Focus on critical risks
Risk mitigation | Risk optimization
Risk limits | Risk strategy
Risks with no owners | Defined risk responsibilities
Haphazard risk quantification | Monitoring and measurement of risks
Risk responsibility is perceived individually | Risk is everyone's responsibility
Table 2 - Differences of ERM and Traditional Risk Management
iii. Benefits of Enterprise Risk Management (ERM)
Determining whether an entity's enterprise risk management is effective is a judgment resulting from an assessment of whether the ERM components are present and functioning effectively. Thus, the components are also the criteria for effective ERM. For the components to be present and functioning properly there can be no material weaknesses, and risk needs to have been brought within the entity's risk appetite.
When ERM is determined to be effective in each of its categories of objectives, the board of directors and management have reasonable assurance that they understand the extent to which the entity's strategic and operations objectives are being achieved, that the entity's reporting is reliable, and that applicable laws and regulations are being complied with.
The ERM components will not function identically in every entity. Application in small and mid-size entities, for example, may be less formal and less structured. Nonetheless, small entities can still have effective enterprise risk management, as long as each of the components is present and functioning properly. ERM provides enhanced capability to:

- Align risk appetite and strategy. Risk appetite is the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals. Management considers the entity's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks.
- Link growth, risk and return. Entities accept risk as part of value creation and preservation, and they expect return commensurate with the risk. Enterprise risk management provides an enhanced ability to identify and assess risks, and to establish acceptable levels of risk relative to growth and return objectives.
- Enhance risk response decisions. Enterprise risk management provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing and acceptance. Enterprise risk management provides methodologies and techniques for making these decisions.
- Minimize operational surprises and losses. Entities have enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and related costs or losses.
- Identify and manage cross-enterprise risks. Every entity faces a myriad of risks affecting different parts of the organization. Management needs not only to manage individual risks, but also to understand interrelated impacts.
- Provide integrated responses to multiple risks. Business processes carry many inherent risks, and enterprise risk management enables integrated solutions for managing the risks.
- Seize opportunities. Management considers potential events, rather than just risks, and by considering a full range of events, management gains an understanding of how certain events represent opportunities.
- Rationalize capital. More robust information on an entity's total risk allows management to more effectively assess overall capital needs and improve capital allocation.
Enterprise risk management helps an entity achieve its performance and profitability targets, and prevent loss of resources. It helps ensure effective reporting. And it helps ensure that the entity complies with laws and regulations, avoiding damage to its reputation and other consequences. In sum, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.
iv. Limitation of Enterprise Risk Management (ERM)
While enterprise risk management provides important benefits, limitations exist. In addition to the factors discussed above, limitations result from the realities that human judgment in decision making can be faulty, that decisions on responding to risk and establishing controls need to consider the relative costs and benefits, that breakdowns can occur because of human failures such as simple errors or mistakes, that controls can be circumvented by the collusion of two or more people, and that management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance as to the achievement of the entity's objectives.
Effective enterprise risk management helps management achieve objectives. But ERM, no matter how well it is designed and operated, does not ensure an entity's success.
The achievement of objectives is affected by limitations inherent in all management processes. Shifts in policy or programs, competitors' actions or economic conditions can be beyond management's control. ERM cannot change an inherently poor manager into a good one. Additionally, controls can be circumvented by the collusion of two or more people, and management has the ability to override the ERM process, including risk responses and controls.
The design of ERM must reflect the reality of resource constraints, and the risk management benefits must be considered relative to their costs. Thus, while ERM can help management achieve its objectives, it is not a solution or remedy for all difficulties.
2. Role of ERM in Occupational Safety and Health
Occupational Safety and Health (OSH) is already a legal requirement in several countries. Others have established such systems, but their application is still optional.
ERM is an integral part of performing OSH. It serves to identify and assess the risks derived from hazards, and it finally leads to appropriate action to reduce or even eliminate such risks. Risk management is the critical success factor in managing OSH in any workplace.
A management system provides a framework for the process of identifying hazards, assessing associated risks, taking action and reviewing the outcome. Like any modern management system, it conforms to the kind of management system that was developed for quality management (ISO 9000). Hence, the OSH management system only has to be integrated into the existing management systems.
The following are the elements of an OSH management system as suggested by OHSAS 18001. It is based on the Plan - Do - Check - Act cycle:

- Defining the OHS Strategy
- Planning
- Implementation and Operation
- Checking and Corrective Action
- Management Review
- Continual Improvement
This description shows that OSH is closely related to risk management, because it suggests a frame for the OSH management process by outlining the items below.
a. Identifying hazards
A hazard is anything that is a threat to health and safety in an organisation. It is therefore linked to the people of the organisation, and it immediately becomes clear that everybody has to contribute to finding hazards at his or her workplace. It is a legal requirement in some countries that employers consult their employees.
b. Assessing associated risks
Before risks can be assessed, the risks associated with the identified hazards have to be determined. Mind the gap and clearly understand that hazards and the risks resulting from hazards are different things. Risk assessment itself is very much the same as risk assessment in other management systems. Typically, a risk is assessed by its likelihood and its consequence. Risk assessments provide insight into an organisation's risks and allow risks to be prioritised for mitigating action.
c. Taking action to mitigate risks
Mitigating actions focus on reducing the likelihood and/or consequence. There is a hierarchy of solutions, whereby the most effective is usually also the most difficult and sometimes the most expensive to realise:

- Actions that remove the hazard and eliminate risk.
- Actions that replace the hazard by a less dangerous one.
- Actions that modify the product or process design.
- Actions that isolate the hazard from people.
- Actions that use engineering solutions such as new machinery or plant.
- Actions that use administrative controls, e.g. new procedures.
- Actions that protect from hazards through personal protective equipment.
d. Monitoring the effectiveness
The outcome of each risk mitigating action has to be reviewed on two levels:

- To ensure that the actions taken are effective and continue to be effective.
- To ensure that no new hazard/risk was introduced by the actions taken.
Any control measures have to be maintained in order to ensure that they are kept in working order. Procedures also have to be audited to ensure they are being followed as intended.
After completing one entire cycle of risk management, the next has to be scheduled to ensure that the best actions are always taken and that new hazards are included in risk management.
Risk management of OSH will be a regular item on management's agenda, and ERM is a component of risk management that can address OSH issues. However, apart from it being a requirement, management may realise benefits and profitability in OSH through proper presentation of the related risk management modules, especially when registered to the respective local standard, as listed below:

- Reduction of risk.
- Competitive advantages.
- Compliance with legal requirements.
- Improvement of overall performance.
3. Implementing Enterprise Risk Management (ERM)
ERM cuts across an organization's silos to identify and manage a spectrum of risks. Consider these ERM action items:

- Resolve to proactively manage risks, rather than react to them. Implementing ERM takes total commitment by management, as well as recognition by the board of its responsibility.
- Clarify the organization's risk philosophy. As discussed in the COSO ERM framework (Enterprise Risk Management - Integrated Framework), organizations need to know their risk capacity in terms of people capability and capital. The board and management must come to an understanding, factoring in the risk appetite of all significant stakeholders.
- Develop a strategy. Since risk relates to the events or actions that jeopardize achieving the organization's objectives, effective risk management depends on an understanding of the organization's strategy and goals. One of the benefits of ERM implementation is the revelation that those responsible for achieving the objectives have varying degrees of understanding about them. ERM helps get everyone on the same page.
- Think broadly and examine carefully events that may affect the organization's objectives. This involves taking your business and industry apart. Pore over your strategy, its key components and related objectives. Use a variety of identification techniques such as brainstorming, interviews, self-assessment, facilitated workshops, questionnaires and scenario analyses. In selecting among these techniques, consider how rigorously each business unit can implement them, and whether openness among the participants would result. Analyze how both external and internal events can change the organization's risk landscape. This initial effort does not have to take months to accomplish. Start with a top-down approach. Begin to identify risks through workshops or interviews with executive management and by focusing on strategies and related business objectives.
- Assess risks. Initially, try to reach a consensus on the impact and likelihood of each risk. Placing risks on a risk map can be a valuable focal point for further discussion. As the risk assessment process matures, consider applying more sophisticated risk measurement tools and techniques.
- Develop action plans and assign responsibilities. Every risk must have an owner somewhere in the organization. Manage the biggest risks first and gain some early wins. Maintain the flexibility to respond to new or unanticipated risks. Put a business continuity and crisis management plan into place. If your organization is in a volatile environment, you should anticipate even more unknowns. Use metrics to monitor the effectiveness of the risk management process where possible.
- Communicate the risks identified as critical. Circulate risk information throughout the organization. The board of directors and audit committee should be given regular reports on the key risks facing the organization. It is not acceptable to identify important risks and never communicate them to the appropriate people.
- Embed ERM into the culture. Integrate the knowledge of risks into your internal audit planning, balanced scorecards, budgets and performance management system.
a. Committee of Sponsoring Organizations ERM
The Committee of Sponsoring Organizations (COSO) is a body that provides thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence, designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.
COSO has published an ERM framework as the main guideline for implementing ERM within an organisation. This framework defines essential components, suggests a common language, and provides clear direction and guidance for ERM.
Entity objectives can be viewed in the context of four categories, as presented in the table below:

Category | Description | Types of Risks
Strategic | High-level goals, aligned with and supporting its mission. | Damage to reputation; Competition; Customer wants; Demographic and social/cultural trends; Technological innovations/patents; Capital investment; Shareholder requirements; Regulatory and political trends
Operational | Effective and efficient use of its resources. | Business operations (e.g., human resources, product development, capacity, efficiency, product/service failure, channel management, supply chain management, business cycles); Empowerment (leadership, change willingness); Information technology
Financial/Reporting | Reliability of reporting. | Price (e.g., asset value, interest rate, foreign exchange); Liquidity (cash flow, call risk, opportunity cost); Credit (e.g., rating); Inflation, purchasing power and basis financial risk (e.g., hedging); Wrong or incomplete reporting (e.g., financial performance); Information/business reporting (e.g., budgeting and planning, accounting, information, taxation)
Hazard/Compliance | Individual errors and compliance with applicable laws and regulations. | Fire and property damage; Windstorms and other natural phenomena; Theft and other crime incl. personal injury; Business interruption; Liability claims
Table 3 - ERM Objectives' Categories and their Description
ERM considers activities at all levels of the organization:

- Enterprise level
- Division or subsidiary
- Business unit processes
The ERM framework requires management to consider how individual risks interrelate. Management develops a portfolio view from two perspectives:

- Business unit level
- Entity level
There are eight components of the ERM framework, which are interrelated with each other. Below is the list of components with a brief description of each.

ERM Component | Description
Internal Environment | Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. Establishes the entity's risk culture. Considers all other aspects of how the organization's actions may affect its risk culture.
Objective Setting | Is applied when management considers risk strategy in the setting of objectives. Forms the risk appetite of the entity, a high-level view of how much risk management and the board are willing to accept. Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
Event Identification | Differentiates risks and opportunities. Events that may have a negative impact represent risks. Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting. Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. Addresses how internal and external factors combine and interact to influence the risk profile.
Risk Assessment | Allows an entity to understand the extent to which potential events might impact objectives. Assesses risks from two perspectives: likelihood and impact. Is used to assess risks and is normally also used to measure the related objectives. Employs a combination of both qualitative and quantitative risk assessment methodologies. Relates time horizons to objective horizons. Assesses risk on both an inherent and a residual basis.
Risk Response | Identifies and evaluates possible responses to risk. Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood. Selects and executes a response based on evaluation of the portfolio of risks and responses.
Control Activities | Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. Occur throughout the organization, at all levels and in all functions. Include application and general information technology controls.
Information & Communication | Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. Communication occurs in a broader sense, flowing down, across, and up the organization.
Monitoring | Effectiveness of the other ERM components is monitored through ongoing monitoring activities, separate evaluations, or a combination of the two.
Internal Control | A strong system of internal control is essential to effective enterprise risk management.
Table 4 - ERM Components' Description
b. Relationship of Objectives and Components
There is a direct relationship between objectives, which are what an entity strives to achieve, and the enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix, in the shape of a cube, shown in the figure below.
Figure 2 - COSO ERM Framework
The four objectives categories (strategic, operations, reporting, and compliance) are represented by the vertical columns. The eight components are represented by the horizontal rows. The entity and its units are depicted by the third dimension of the cube.
c. Key Implementation Factors
Enterprise risk management is a procedure to minimize the adverse effect of a possible financial loss by:
- identifying potential sources of loss;
- measuring the financial consequences of a loss occurring; and
- using controls to minimize actual losses or their financial consequences.
The purpose of monitoring all risks is to increase the value of each single activity within the company. The potential benefits and threats of all factors connected with these activities have to be ordered and documented. If all employees are aware of the importance of the risk management process, the probability of success will be increased while at the same time failure will become unlikely.
Risk identification is not done solely by an individual. All relevant stakeholders are involved to keep an eye on all risks that matter. Generally, the risk identification sessions should include as many of the following participants as possible:
- Risk management team
- Subject matter experts from other parts of the company
- Customers and end-users
- Other project managers and stakeholders
- Outside experts
- Project team
The participants may vary, but the risk management team should always be involved because they deal with the subject every day and therefore need fresh information at any time. Outside stakeholders and experts can provide objective and unbiased information for the risk identification step and are therefore an essential part of the process.
Risk identification has to be done as a continuous process. If it is treated like a one-time event, then the whole company runs the risk of overlooking new emerging problems. The process starts in the initiation phase where first risks are identified. In the planning stage the team determines risks and mitigation measures and documents them. In following stages of resource allocation, scheduling and budgeting the associated reserve planning is also documented.
After the initial phase of risk identification, all risks have to be managed until each risk is closed or terminated. New risks will occur as the company moves on and matures and the outer and inner environment of the company changes. In the case of the increased probability of a risk, or if the risk becomes real, it is time for the risk management team to respond to it. The executives and managers have to think about the problem and develop strategies to deal with its impact. All the re-planning actions can mean a change to the baseline of budget, schedule and resource planning.
How the company will deal with risks has to be clearly defined in the early stages of getting involved in ERM, then documented and executed appropriately during the planning cycle.
4. Work Plan: Target Achievement of Objectives
Within the context of an entity's established mission or vision, Jabil's management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise.
a. Objectives
There are four categories of objectives. Jabil maps these objectives onto its business perspectives as described below.

Category | Description | Remarks
Strategic | Achieving a 60% market share in the industry. Maintain technological in the industry. | Risk may come as externalities and is beyond the control of management.
Operational | Maintaining a defect rate of less than 0.1% of production. Achieving plant availability of 95%. Containing overtime hours to less than 2% of the total hours worked. |
Reporting | All internal controls personnel must be competent in financial reporting. Comply with the Sarbanes-Oxley Act (applicable to a United States of America based company). | Risk management is highly dependent on the control of internal management.
Compliance | Compliance with health and safety regulation. Compliance with hazardous materials regulation. Compliance with environmental protection, security laws, and civil laws. |
Table 5 - Jabil's Objectives
This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories (a particular objective can fall into more than one category) address different entity needs and may be the direct responsibility of different executives. This categorization also allows distinctions between what can be expected from each category of objectives. Another category, safeguarding of resources, used by some entities, is also described.
5. Work Plan: Components of ERM
Enterprise risk management consists of eight interrelated components. These are derived from the way Jabil's management runs the enterprise and are integrated with the management process.
a. Internal Environment
The internal environment is composed of the elements within the organization, including current employees, management, and especially corporate culture, which defines employee behaviour. It encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of ERM, providing discipline and structure. Internal environmental factors include an entity's risk management philosophy; its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity's people; and the way management assigns authority and responsibility and organizes and develops its people. COSO describes the internal environment as interrelated with the concept of "tone at the top". According to COSO, the tone at the top plays a crucial role in creating the control consciousness of an organization, one that is capable of leading employees to a higher ethical standard of conduct or of creating a breeding ground for fraudulent activity. It is the ethical atmosphere that an organization's leadership creates in the workplace. Whatever tone senior management sets has a direct impact on the employees of the company.
The control environment, that is, the overall attitude, awareness, and actions of directors and management regarding the internal control system and its importance to the organization, is the key to setting the tone of the organization because it influences the control consciousness of its people. Factors relevant to Jabil's control environment include:
- Integrity and ethical values communicated by executive management in speaking and writing and demonstrated by action.
- Responses to incentives and temptations: clear policies and actions that prohibit the acceptance of inappropriate gifts, for example.
- Moral guidance, as communicated through a code of business conduct and ethics.
- A commitment to competence, as demonstrated by robust human resource policies and clear job descriptions for the purpose of hiring and retaining qualified people.
- A board of directors and audit committee that are engaged, ask questions, and take appropriate action.
- A management philosophy and operating style that place high value on risk assessment and internal control.
- A well-defined organizational structure that is appropriate to the company's size and complexity.
- Appropriate assignment of authority and responsibility, with well-defined authority and duties that are appropriately segregated to prevent or detect error and fraud.
- Human resource recruiting and retention policies and practices to ensure that human capital is valued.
- Ways to settle internal differences, such as a forum to discuss and settle differences of opinion between management and employees.
These factors shape the tone at the top and give rise to Jabil's business conduct (refer to Appendix A). In addition, rules have been formulated for employees' reference so that the whole organisation's business is conducted in the preferred way. These rules are named the Jabil Rules of the Road (refer to Appendix B). Jabil always highlights the importance of business integrity. Thus, a mechanism has been created (refer to Appendix C) to report any wrongdoing, such as potential violations of the law, regulations, professional standards, policy, or the applicable Code of Ethics, that is believed not to be handled properly. Such potential violations could include, but are not limited to:
- Non-compliance with professional standards
- Unlawful discrimination
- Harassment
- Workplace violence
- Substance abuse
- Conflicts of interest
- Falsification of documents
- Inappropriate gifts and entertainment
- Inappropriate political activities and contributions
- Insider trading or other securities law violations
- Breaches of a client's or Jabil Circuit, Inc.'s confidentiality
- Inappropriate disposal of Jabil Circuit, Inc.'s documents
- Inappropriate personal use of Jabil Circuit, Inc.'s resources
- Theft
- Bribes and kickbacks
- Inappropriate client billings
- Inappropriate reporting of time or expenses
- Other potential violations of policies
i. Initiative Goal of ERM - Internal Environment
Some believe that the only way to correct issues related to the tone at the top is to make personnel changes. Such measures may sometimes be warranted, but initiatives such as education, frequent communication or even formal classroom training could be a remedy as well, and in fact might accelerate the general adoption of a more ethical corporate culture in an organization. Leadership from the top of the organization is essential to maintain rigorous internal control and make progress on ERM and fraud prevention. A growing number of organizations are formalizing their antifraud programs. In addition, external auditors are reviewing companies' antifraud controls and risk assessments as part of their work. All of these activities, when supported by the board and performed conscientiously, set the right tone and help reduce the risk of fraud. Only by setting the bar high will an ethical corporate culture be sustained.
The initiative goal of this component is to integrate ERM into the culture and strategic decision-making processes of the organization.
b. Objective Setting
Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite. Referring to Table 5 - Jabil's Objectives, the objectives of concern are listed under the strategic and operational categories. They are:
1. Achieving a 60% market share.
2. Maintain technological in the industry.
3. Maintaining a defect rate of less than 0.1% of production.
4. Achieving plant availability of 95%.
5. Containing overtime hours to less than 2% of the total hours worked.
When objectives are stated clearly and understood by the participants, a brainstorming session drawing on the creativity of the participants can be used to generate a list of risks. In a well-facilitated brainstorming session, the participants are collaborators, comprising a team that works together to articulate the risks that may be known by some in the group. In the session, risks that are "known unknowns" may emerge, and perhaps even some risks that were previously "unknown unknowns" may become known. Seeding, or providing participants with some form of stimulation on risks, is very important in a brainstorming session. One possibility is to provide an event inventory for the industry or a generic inventory of risks, as below.
Figure 3 - Industry Portfolio of Risks
In a brainstorming session or facilitated workshop, the goal is to reduce the event inventory to those events relevant to the company and to define each risk specifically for the company. Every participant has to fill in the risk identification survey template (refer to Appendix D) appropriately.
i. Corporate Background
Some key risk-oriented characteristics of Jabil include:

Locations and Operations: The company has a headquarters office in the St. Petersburg, Florida, United States of America area with a computer security development facility in San Jose, California, and four product distribution centres in smaller-city locations in the United States, as well as a distribution office in Belgium. In addition, the company has several hardware manufacturing facilities in Asia and a software production and distribution facility in India. All facilities are leased or licensed, and customer service functions have been outsourced.

Management team: The company's CEO was originally the founder of the company. He and three senior engineers are the only employees left over from the early days and its initial public stock offering (IPO). Due to turnover often typical in the industry, most employees have fairly short tenures. The CFO is quite new, as the prior officer was asked to resign because of a Sarbanes-Oxley-related dispute with the audit committee. The company makes extensive use of nonemployee contract workers. Reporting to the CAO, Global has a relatively small internal audit department as well as a single general counsel.

Product description: Jabil developed an electronic product that consists of both a hardware device plugged in to a user's computer along with software drivers. The hardware device consists of a plug-in card based primarily on standard hardware chips along with some embedded programming. The software is based on proprietary algorithms. Elements of the product design are protected by patents, although these rights have been both challenged in courts and also somewhat copied by some competitors.

Marketing: Jabil's product is marketed by advertisements in professional publications as well as through a team of sales representatives. On a worldwide basis, 80% of sales are to individuals, with the balance to smaller businesses. The United States accounts for about 75% of product sales, with the balance from Europe. There is also a small but growing segment of sales in Brazil, where an independent agent is distributing the product. Jabil ships products from its distribution centres direct to computer equipment retailers as well as shipping to individual customers, based on their Internet, mail, or telephone orders.

Sales and finances: Jabil's $2.4 billion in sales is split in the following categories:
- Consumer cash sales through credit card purchases: 41.0%
- Sales to wholesale distributors: 23.4%
- Export sales to agents: 12.7%
- Licensing fees and royalties: 4.9%
Table 6 - Key Risk-Oriented Characteristics of Jabil
Jabil is a public company, traded on NASDAQ. With its stock broadly distributed, private equity venture capitalists hold 12% of the shares, and management holds 3%. Long-term debt totals $450 million, with the majority of that based on debentures sold to the venture capital investors. That debenture issue included warrants that could be converted into a substantial block of common stock.
ii. Corporate Risk Summary
These risks often cross the lines of the COSO ERM cube. They should just be considered risks that impact the enterprise.
Organization strategic risks that could impact the effectiveness of products or operations:
- Changes in technology that impact the effectiveness of company products
- A currency crisis at one or another of the international operations countries causing major operations problems
- Increased tariffs or import/export regulations
- A major weather disturbance, such as a tornado, or military actions
- New competitors offering attractive alternative products
- Interest rate increases or other factors limiting the ability to finance expansion
- The failure of a key customer or vendor

Company operations risks:
- A computer system or network failure at one or several locations
- The unexpected resignation of a key management or technical senior manager
- Labour unrest or related problems at one or another facility
- The failure to complete several key planned information systems upgrades
- Product licensing disputes and resulting litigation
- The failure of an ISO or some other standards audit
- A major loss in stock market capitalization value due to reported operating losses or other negative information

Financial and operational reporting risks:
- Significant internal control weaknesses identified through a SOx Section 404 review
- Failure of one or another subsidiary unit to secure a "clean" external audit opinion
- Errors in individual unit financial or operations reports that are not readily detected at headquarters
- Service support reporting weaknesses

Compliance risks:
- Financial reporting errors or missed reports
- Compliance reporting failures at any level of local or national operations
- Failure to establish appropriate company-wide ethical and financial reporting compliance standards
- Failure to meet product quality standards
Table 7 - Corporate Risk Summary
iii. Jabil's Mission Statement
Jabil is one of the leading worldwide suppliers of electronic devices. With strong attention given to computer security risks and threats, we strive to offer one of the most secure but easy-to-use combined software and hardware products in today's marketplace. In order to build our products and market them in ever-expanding circles, we will assemble a worldwide team of superior computer security technical talent to produce our products while selling them in an efficient and ethical manner. We will continue to monitor our strategic and operational risks in this complex and ever-changing world of computer security risks and threats.
iv. COSO ERM Risk Objective Setting Components
Figure 4 - Components of Objective Setting
c. Event Identification
Events are incidents or occurrences, external or internal to the organization, that affect the implementation of the ERM strategy or the achievement of its objectives.
There is a strong level of performance monitoring taking place in many organizations today, but that monitoring process tends to emphasize such matters as costs, budgets, quality assurance compliance, and the like (Moeller, Robert R., 2007). The ERM risk objectives can become lost in this process of monitoring more operational and process-oriented objectives. Organizations usually have strong processes to monitor such events as favourable and particularly unfavourable budget variances, but often do not regularly monitor either the actual events or the influencing factors that are the drivers of such budget variance events.
The COSO ERM executive summary framework documentation lists a series of types of influencing factors that should be part of the framework's event identification component, including:

External economic events: There is a wide range of external events that need to be monitored in order to help achieve an organization's ERM objectives. Ongoing short- and long-term trends may impact some elements of an organization's strategic objectives and thus have an impact on its overall ERM framework. For example, in December 2011, after some ongoing currency market turmoil, USA declared a major default of its public debt. This type of external event had a major impact on many enterprises in many different areas, whether they were credit markets or suppliers of agricultural commodities, or had other business dealings in USA.

Natural environmental events: Fire, flood, earthquakes and numerous other events can be identified as incidents in ERM risk identification. Impacts here may include loss of access to some key raw material, damage to physical facilities, or unavailability of personnel.

Political events: New laws and regulations as well as the results of elections can have a significant risk event-related impact on organizations. Many larger enterprises have a government affairs function that reviews developments here and lobbies for changes.

Social factors: While an external event such as an earthquake is sudden and arrives with little warning, most social-factor changes are slowly evolving events. These include demographic changes, social mores, and other events that may impact an organization and its customers over time. The growth of the Hispanic population in the United States is such an example. As more and more Hispanic people move to a city, for example, both the language-related teaching requirements in public schools and the mix of selections in grocery stores will change. As another example of societal change, the previously referenced dismissal of a major corporation CEO for a consensual sexual relationship with another company employee would probably have been ignored in another era. Changing social mores today led to that dismissal.

Internal infrastructure events: Organizations often make benign changes that trigger other risk-related events. For example, a change in customer service arrangements can cause major complaints and a drop in customer satisfaction. Strong customer demand for a new product may cause changes in plant capacity requirements and the need for additional personnel.

Internal process-related events: Changes in key processes can trigger a wide range of risk identification events. As with many such items, risk identification may not be immediate, and some time may pass before the process-related events signal the need for risk identification.

External and internal technological events: There is a wide assortment of ongoing technological events that will trigger the need for formal risk identification. The Internet and the World Wide Web have been with us for some time, and the shift to an Internet environment has been somewhat gradual for many. In other cases, a company may suddenly release a new improvement that causes competitors everywhere to jump into action.
An organization needs to clearly define what it considers significant risk events and then should have processes in place to monitor all of those various potentially significant risk events such that the organization can take appropriate actions.
d. Risk Assessment, Response, and Control Activities
The first step in developing a comprehensive service continuity strategy is to identify risks which can lead to the disruption of operations. Two factors are considered in developing a Risk Assessment Matrix:
- Likelihood of occurrence
- Potential impact to operations if the event occurs
i. Planning
The following tasks are necessary.
# | Task | Assignment
1 | Develop the work plan and assign responsibilities for completing tasks. | Information Technology Manager
2 | Introduce the team to business continuity plan concepts, processes and tools. | Information Technology Manager
3 | Review the inventory of assets and resources to verify completeness. | Information Technology Manager; System Administrator; Network Administrator; Business Analyst
4 | Use existing information to prepare the department's Security Profile. | Information Technology Manager
5 | Identify threats to assets and resources. | Information Technology Manager
6 | Define the process for keeping the plan current. | Information Technology Manager; System Administrator; Network Administrator; Business Analyst
Table 8 - Risk Assessment Planning Tasks
ii. Required Systems
Applications and databases used at the Jabil Penang site are owned by the following management team:
- General Manager
- Engineering Manager
- Manufacturing Manager
- Materials Manager
- Continuous Improvement Manager
- Financial Controller
- Human Resources Manager
- Information Technology Manager

Criticality rating:
1 - The site cannot function without the system.
2 - The site can function partially without the system.
3 - The site can function fully without the system.

System Name | Description | Criticality | Owner
Agile | 3rd party application for document management, approval | 1 | Engineering Manager
Agilent 5DX - Ray | Operating software to verify pass/fail of PCBAs | 2 | Engineering Manager
AMW (Assembly Maintenance Wizard) | MES QM material and checkpoint configuration tool. Process verification, assembly material verification and checkpoint configuration tool for TARS, CIQ and Manual Test Entry. | 2 | Engineering Manager
Auto Cad | Draft and design software, used primarily for customer CAD data | 3 | Engineering Manager
BGA Repair | Profile generation for removing, placing, or reflowing surface mounted components | 2 | Engineering Manager
BRIO | 3rd party web front end module for processing quality data entered into MES by CIQ (need to find out if it is still being used) | 3 | Engineering Manager
Gagetrack | Calibration reporting system. Data entry system for entering, storing, and reporting calibration of all required gauges and equipment | 2 | Engineering Manager
CIMbridge | Creation of visual aids | 2 | Engineering Manager
Cuteftp | Accessing FTP sites for transfer of customer documents | 3 | Engineering Manager
DR (Dynamic Replenishment) | | 2 | Materials Manager
Scrubbing Tool - Citrix access | BOM scrubbing tool | 3 | Engineering Manager
IRIS - Citrix access | Golden BOM creation | 2 | Engineering Manager
Agile BOM - Citrix access | Golden BOM creation | 2 | Engineering Manager
Router Solutions | 3rd party application for translating CAD data / reviewing BOM info | 3 | Engineering Manager
Package Inspector | 3rd party application for looking at PDX packages | 3 | Engineering Manager
Agile Express | 3rd party application for looking at PDX packages | 3 | Engineering Manager
Blue Beam | 3rd party application for creating PDF documents | 3 | Engineering Manager
WinRar | 3rd party file compression and extraction tool | 3 | Engineering Manager
WinZip | 3rd party file compression and extraction tool | 3 | Engineering Manager
ESS (Employee Suggestion Scheme) | Application and database to enter process improvement suggestions | 3 | General Manager
Exceed | 3rd party application for accessing UNIX systems | 2 | Engineering Manager
Fabmaster | CAM CAD tool, used by Test Engineering | 3 | Engineering Manager
First Windows | Finance application | 2 | Financial Controller
Heel Strap Testing - CT8900 | Data entry system for recording and reporting employee testing of heel and wrist straps for ESD purposes | 3 | Engineering Manager
HR Database | Application and database storing employee certification records, dates and frequency | 3 | Human Resource Manager
JAFFA | Feeder maintenance application | 3 | Engineering Manager
JEDI | Manufacturing application to view documents stored in Agile | 2 | Engineering Manager
JOS (Jabil Operating System) | Management system used to drive improvement activities | 3 | Manufacturing Manager
JOS Metrics | Application to correlate plant metrics | 2 | General Manager
Knowledge Pathways | Online training | 3 | Human Resource Manager
Loftware (Label Management) | Label management | 1 | Engineering Manager
MES | Manufacturing Execution System for | 1 | Engineering Manager
MES Reports | Reporting system for MES | 2 | Engineering Manager
Report Builder | Reporting tool for MES | 2 | Engineering Manager
EPS | Packout control system to prevent untested / failed product from shipping | 2 | Engineering Manager
Microsoft Office | Outlook, Word, Excel, Powerpoint, Visio, Access | 2 | General Manager
MPC (Management Planning & Control) | Forecasting application | 3 | Financial Controller
Olives | Visitor login system | 3 | Human Resource Manager
PLR (5DX software) | Application to translate 5DX tester output | 3 | Engineering Manager
Pointsec | Encryption software for laptops | 3 | Information Technology Manager
QNET | Document control system | 2 | Engineering Manager
SAP | Material resource planning software | 1 | Material Manager
SAT | Sourcing application | 2 | Material Manager
SBA (Shipping Billing and Authorisation) | Web application to authorize material for shipment | 2 | Material Manager
Softscape | Employee appraisal system | 3 | Human Resource Manager
SIS | Supplier Information System | 2 | Material Manager
SPS | Supplier Performance System (scorecards) | 3 | Material Manager
SVS | SPC / charting (need more information; is it still being used?) | 3 | Material Manager
Axi to TARS | Converts AXI records to TARS-suitable records | 3 | Engineering Manager
Manual Test Entry | Manual test entry station for non-networked test systems | 3 | Engineering Manager
CIQ (Computer Integrated Quality) | Manual test entry station for non-networked test systems | 1 | Engineering Manager
TARWIZ | TARS reporting wizard | 2 | Engineering Manager
VB TARS | Used for diagnosing and recording repairs to product | 1 | Engineering Manager
VB TARS RMA | Used for entering returned material back into the TARS database | 1 | Engineering Manager
Time & Attendance | Stores clock entry data, holiday/absence requests | 2 | Human Resource Manager
Universal GSM | Placement check for X, Y, and rotation data based on classification | 2 | Engineering Manager
Universal HSP | Placement check for X, Y, and rotation data based on classification | 2 | Engineering Manager
Vidifax | Supplier fax solution | 2 | Material Manager
Valor | CAM CAD tool, used for BOM comparisons, machine programming, set-up sheets, etc. | 2 | Engineering Manager
Vitronics Oven | Oven temperature control / SPC / charting | 2 | Engineering Manager
Waterfall Schedule Planning | Excel-based VB planning tool with SQL database | 2 | Material Manager
Web Plan / Rapid Response | Material reporting tool used for planning and by the business unit for making business decisions | 2 | Material Manager
Table 9 - Required Systems
iii. Unique Assets
The table below details the equipment and assets used at the Jabil Penang site. Criticality rating:
1 - The site cannot function without the asset.
2 - The site can function partially without the asset.
3 - The site can function fully without the asset.
Asset Description | Asset Serial # | Detail | Role | Vendor | Criticality
PROLIANT DL360 | 7J14FXX1SK01 | PENTRM01A | Terminal Server | HP | 2
PROLIANT DL360 | 7J14FXX1SK02 | PENTRM01B | Terminal Server | | 2
PROLIANT DL360 G3 | 7J34KYD11018 | PENTRM01C | Terminal Server | | 2
PROLIANT DL360 | 7J19FXK1A020 | PENTRM01D | Terminal Server | | 2
PROLIANT DL360 G3 | J17NKYD11D | PENTRM01E | Terminal Server | | 2
PROLIANT DL360 G3 | 7J34KYD1101M | PENTRM01G | Terminal Server | | 2
PROLIANT DL360 G4 | GBJ51103XG | PENTRM01T | Terminal Server | | 2
PROLIANT DL380 | 8145FSB11151 | PENMFG01 | SQL Server | | 2
PROLIANT DL365 G1 | GB8721FHR8 | PENCMP10 | Com + | | 1
PROLIANT DL365 G1 | GB8725KBNL | PENCMP11 | Com + | | 1
PROLIANT DL365 G1 | GB8721FHMB | PENJAFN10A | JAF Server | | 1
PROLIANT DL365 G1 | GB8721FHNP | PENJAFN10B | JAF Server | | 1
Desktop | | PENDEV01 | Development SQL Server | | 3
Desktop | | PENDEVTEST01 | Development SQL Server | | 3
PROLIANT DL380 G4 | GB84512PAJ | PENSQL06 | Site SQL Server | | 1
PROLIANT DL380 G4 | GB8527DA8D | PENSQL08 | Site SQL Server | | 1
PROLIANT DL320 G2 | J03MKVJB3N | PENPRS10 | Parser | | 1
PROLIANT DL320 G2 | J050KVJB3N | PENPRS11 | Parser | | 1
PROLIANT DL320 G2 | J04NKVJB3N | PENPRS12 | Parser | | 1
PROLIANT DL320 G4 | GBJ61200EL | PENPRS13 | Parser | | 1
PROLIANT DL320 G4 | GBJ61602M9 | PENPRS14 | Parser | | 1
DESKTOP | 8139JYGZ014R | PEN1IT100 | Pointsec Server | | 3
PROLIANT 5500 | 8945CQW300240 | PENFILE01 | File Server | | 1
PROLIANT DL320 G2 | 7J37KVJ6M032 | PENMRP02 | MRP Download / Thin client Server | | 1
PROLIANT DL360 G4 | GBJ506003F | PENNCU10 | NCU Server | | 1
PROLIANT 1850R | 8906CFW10220 | PENNCU11 | T&A Clocks System | | 2
PROLIANT DL380 G2 | D205FRW1M008 | PENOPU01 | Oputils Server | | 3
PROLIANT DL320 G2 | J03YKVJ61P | PENPRNT02 | Print Server | | 1
PROLIANT DL320 G2 | J03TKVJ61P | PENPRT01 | Print Server | | 1
PROLIANT DL380 G4 | GB8606XPD5 | PENSMS02 | SMS Server | | 2
PROLIANT DL380 G4 | GB80442AMP | PENVALOR01 | Valor Server | | 2
DESKTOP | 8010CKH61502 | PENVIDI01 | VidiFax Server | | 2
PROLIANT DL320 G2 | J04PKVJB3H | PENWEB01 | Web Server | | 3
PROLIANT DL320 G2 | 7J37KVJ6M066 | PENWSUS01 | WSUS Server | | 3
PROLIANT DL380 G4 | GB86339N2X6 | PENTEAPP05 | TE Server | | 2
PROLIANT ML370 | 8030DKJ11022 | PENTEAPP01 | TE Server | | 2
PROLIANT DL360 G4p | GB8627CPDR | PENFAB10 | Fabmaster Server | | 2
PROLIANT DL360 G5 | GB8725KBJ8 | PENFAB11 | Fabview Server | | 2
PROLIANT DL580 | D112DYT1K025 | PENFAB01 | Old Fabmaster Server | | 3
HP9000 | | CLHP68 | | | 3
HP9000 | | CLHP69 | | | 3
C240 | | CLHP90 | | | 3
C240 | | CLHP96 | | | 3
Desktop | | PEN3070filea | | | 3
Desktop | | PEN3070fileb | | | 3
 | | PENteapp03 | TE Server | | 3
Compaq Deskpro | | PENteapp04 | TE Server | | 3
PBX 1 (Power Module; Fibre Receiver Card; RAN / PAG Card (Music); 6 x Digital Card; 3 x Analogue Card) | | | Telecoms exchange | Telekom Malaysia | 1
PBX 2 (Power Module; Fibre Receiver Card; 3 x Analogue Card; 7 x Digital Card; RAN / PAG Card (Music)) | | | Telecoms exchange | | 1
PBX 3 (Power Module; Controller Card; 2 x PIR Card; PRI Card "Undocked"; Voice GTW Card; Analogue Card; 4 x Digital Card; Mail Module) | | | Telecoms exchange | | 1
PBX 4 (Power Module; Fibre Receiver Card; 2 x Analogue Card; 5 x Digital Card) | | | Telecoms exchange | | 1
Nortel Signalling Server | | Elan: 10.228.4.5, Tlan: 10.228.4.37 | | |
shop floor switch (WS-C1924-A) | FAB0346V0M0 | | shop floor switch | | 1
shop floor switch (WS-C1924-A) | FAB0401U0SX | | shop floor switch | | 1
shop floor switch (WS-C2924XL) | FOC0535Y07U | | shop floor switch | | 1
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16671) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16441) | | | 24 port hub | | 2
24 port hub (3C16441) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16441) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16441) | MISSING | | 24 port hub | | 2
24 port hub (3C16441) | INACCESSIBLE | | 24 port hub | | 2
24 port hub (3C16450) | INACCESSIBLE | | 24 port hub | | 2
12 port switch (3C16920) | | | 12 port switch | | 2
Aironet 1200 access point (AIR-AP1220B-E-K9) | FHK0731K2Q6 | | Aironet 1200 access point | | 1
Aironet 1200 access point (AIR-AP1220B-E-K9) | FHK0731K2QB | | Aironet 1200 access point | | 1
Aironet 1200 access point (AIR-AP1220B-E-K9) | FHK0837K0BS | | Aironet 1200 access point | | 1
Aironet 1200 access point (AIR-AP1220B-E-K9) | FHK0837K0BX | | Aironet 1200 access point | | 1
Aironet 1200 access point (AIR-AP1242AG-E-K9) | FCZ095380BD | | Aironet 1200 access point | | 1
Aironet 1200 access point (AIR-AP1220B-E-K9) | FHK0731K2QN | | Aironet 1200 access point | | 1
Aironet 1200 access point (AIR-AP1220B-E-K9) | FHK0731K2QK | | Aironet 1200 access point | | 1
Aironet 1200 access point (AIR-AP1220B-E-K9) | FHK0731K2QD | | Aironet 1200 access point | | 1
Aironet 1200 access point (AIR-AP1242AG-E-K9) | FCZ101381UB | | Aironet 1200 access point | | 1
Aironet 1200 access point (AIR-AP1231G-E-K9) | FCZ0924Z117 | | Aironet 1200 access point | | 1
The table below details, for each of the assets and resources included in the unique asset section, the potential impact of loss of the resource. Criticality rating:
1 - The site cannot function without the resource (high impact).
2 - The site can function partially without the resource (medium impact).
3 - The site can function fully without the resource (low impact).

Assets and resources assessed (impact rated N/A, Low, Medium or High): Terminal services, File services, Database services, Web services, Print services, Parsers, Encryption services, Test Engineering services, Faxing services, Development services, WAN, LAN, Customer networks, Telecommunication services
Table 11 - Security Profile
v. Threat Identification and Resource Requirements for Business Continuity
The table below highlights potential threats, risks, risk controls (resource requirements) and any conclusions, along with the estimated costs associated with each threat. Cost bands:
Low cost: MYR 0 to MYR 12,500
Medium cost: MYR 12,500 to MYR 50,000
High cost: over MYR 50,000

Each threat is rated against the following risk / cost matrix (cells numbered 1 to 16):

Risk \ Cost | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

Power Failure
Risk:
a) The main incoming power supply comes from two 11 kV feeder cables on the same ring. The supply enters the site via the rail bridge.
Risk controls:
- The site infrastructure has a UPS backup system.
- There is a Megastream connection to other plants.
- Data is backed up and stored in an offsite data vault.
Conclusions: A new switching arrangement has been approved by Malaysian Power, whereby in the event of a power failure Jabil Penang will be fed from another source.

Aircraft
Risk: The plant is situated approx. 3 km from Bayan Lepas airport.

Wind
The Penang site is situated in fairly exposed surroundings and is therefore exposed to the natural weather elements. However, the area is not normally subject to hurricane-force winds.
Risk:
a) High wind is unlikely to affect the building but could damage the electrical supply cables to the Penang area.
b) High winds may disrupt road traffic and employee travel arrangements but should not compromise production.
Bomb threat & sabotage, civil insurrection
The situation is stable at the present time; however, there is some risk in all companies of disgruntled ex-employees seeking retribution against their former employer. There is also a level of risk given the current climate of terrorist attacks.
Risk controls: Closed-circuit television. Security procedures and regular internal and external patrols should identify any would-be perpetrators.

Fire
The risk of fire on the site has reduced considerably with the introduction of the no-smoking policy. Other areas of risk are the kitchen, and the ovens and wave soldering machines in the main production area.
Risk controls:
- Fire-fighting appliances to BS 5306, BS 5423 and BS EN 3; these are maintained and serviced by a BAFE-registered company.
- Sprinkler system installed throughout the building.
- The fire detection and emergency lighting systems conform to BS 5446.
- Red Care alarm system connected to the local fire brigade.
- A basic fire-fighting training programme has been identified.
- Regular evacuation drills are carried out.
- Jabil Penang complies with the Fire Services Act 1988 (Malaysia) and has a current fire certificate.
- The Jabil Penang Facilities department retains the test records.
Conclusions: Jabil Penang believes all necessary steps have been taken to mitigate and reduce the risk.

Flood
The Jabil Penang site is considered safe because of Penang's small island terrain; therefore there is no risk of high-water flooding. There is a risk of accidental spillage from internal water and fire prevention systems, but this risk is minimised through maintenance routines.

Water Supply
Although there is no means of monitoring the quality of the incoming water, the water board charter states that it will maintain the water supply at agreed levels of purity and pH. The water reserve tank should supply hygiene services for two days should supplies be disrupted. A consideration for the future would be a water recycling process, by installing a de-ionised water system.

Gas Supply
Jabil Penang has a twin gas governor arrangement, so no interruptions are experienced during routine maintenance operations. Petronas supplies the gas pipeline and provides emergency support 24 hours a day, 7 days a week, 365 days a year.

Land Subsidence
Land subsidence is considered a very low risk:
a) A full geotechnical site investigation was carried out prior to Jabil purchasing the land; this did not highlight any significant future risk of subsidence.
b) There is no history of subsidence within the site and its surrounding boundaries.

Hazardous Material Release
The main risk surrounds the liquid nitrogen storage tanks and their replenishment:
- Storage vessels and associated pipework are under maintenance contract.
- Delivery drivers and key Jabil Penang employees are aware of the emergency procedures.
- There have been no significant incidents in the history of the Jabil Penang site.

Transportation
There is no history of any significant transportation incidents at the Jabil Penang site. However, the second Penang bridge is currently under construction towards the main road to the Penang site. Consideration by the local authorities to improve the transport infrastructure will take place in the event that Jabil Penang applies to expand the site.

Food Poisoning
No incident of food poisoning has been recorded at the Jabil Penang site. The catering company that operates on site has very high hygiene and health and safety standards and adheres to various regulatory requirements.

Contagious Diseases
In the event that a contagious disease or its symptoms are discovered, the Jabil Penang site is located less than 10 minutes from Hospital Pantai, allowing quick diagnosis. Jabil maintains a Global Contagious Disease Contingency Plan.

Wide Area Network (WAN) Circuit
Risk: Jabil Penang has network circuit connections to Global Crossing and Sprint. The two connections provide resilience and redundancy. The main risk resides with the last mile of both the Global Crossing and Sprint cable runs: the last mile for both circuits runs from the local exchange to the Jabil Penang site via a single duct. If a hole were dug and the cable cut, the Penang facility would have no network connectivity or access, and every system would be offline.
Risk controls: To reduce the level of risk a third circuit is currently being sized. The circuit being investigated is wireless, which would mitigate the single point of failure and the associated risk.

Technical Failure
Risk: The ability to provide continuity of IT services; a technical failure may occur in any one of the IT services.
Risk controls: The following risk controls are in place today to help mitigate or reduce the level of impact:
- Backup and recovery strategy, including off-site storage
- Elimination of single points of failure, such as the single entry point into the Penang site for the WAN circuits and the single power supply into the building
- Services run from corporate and regional locations
- Resilient IT systems and networks, constantly change-managed to ensure maximum performance in meeting increasing business requirements
- Greater security controls, such as a physical access control system using unique PIN codes and restricted badge access
- Better controls to detect local service disruptions, such as fire detection coupled with suppression systems, and water, temperature and humidity detection systems
- Improved procedures to reduce the likelihood of errors or failures, such as change control
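The cost bands and the 4 x 4 risk / cost matrix used for every threat above are easy to apply inconsistently by hand, so the following added example (written for this page, not code from the document or from Jabil) encodes them: it bands an estimated cost in MYR, computes the matrix cell number (1 to 16) for a risk level, and orders a threat register by cell, flagging entries in the two highest cost columns that have no control recorded. The threat names in the sample register are taken from the document, but the risk levels, cost figures and recorded controls are constructed illustrative values, not the document's own assessment; the handling of the shared band boundary at MYR 12,500, the mapping of a zero cost to "Minimal / No cost", and the reading of a lower cell number as a higher priority are assumptions stated in the code.

```python
"""Threat register scoring against the 4 x 4 risk / cost matrix.

Added example, not part of the original document: it encodes the cost bands
and the cell numbering of the matrix so a register of threats can be banded,
numbered and prioritised consistently.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Column and row labels exactly as they appear in the document's matrix.
COST_COLUMNS = ["High cost", "Medium cost", "Low cost", "Minimal / No cost"]
RISK_ROWS = ["High risk", "Medium risk", "Low risk", "Unlikely risk"]

# Cost band limits in MYR from the document. Assumption (the document lists
# MYR 12,500 in both the Low and Medium bands): a boundary value belongs to
# the lower band, and a cost of exactly zero maps to "Minimal / No cost".
LOW_BAND_MAX_MYR = 12_500
MEDIUM_BAND_MAX_MYR = 50_000


def cost_band(estimated_cost_myr: float) -> str:
    """Map an estimated cost in MYR to the matrix's cost column."""
    if estimated_cost_myr < 0:
        raise ValueError("cost must be non-negative")
    if estimated_cost_myr == 0:
        return "Minimal / No cost"
    if estimated_cost_myr > MEDIUM_BAND_MAX_MYR:
        return "High cost"
    if estimated_cost_myr > LOW_BAND_MAX_MYR:
        return "Medium cost"
    return "Low cost"


def matrix_cell(risk_level: str, cost_column: str) -> int:
    """Return the cell number (1-16) for a risk row and cost column.

    The document numbers the grid column by column: High cost holds 1-4,
    Medium cost 5-8, Low cost 9-12 and Minimal / No cost 13-16, with rows
    running High, Medium, Low, Unlikely from top to bottom.
    """
    if risk_level not in RISK_ROWS:
        raise ValueError(f"unknown risk level: {risk_level!r}")
    if cost_column not in COST_COLUMNS:
        raise ValueError(f"unknown cost column: {cost_column!r}")
    return COST_COLUMNS.index(cost_column) * 4 + RISK_ROWS.index(risk_level) + 1


@dataclass(frozen=True)
class Threat:
    """One register entry; controls lists the risk controls in place."""
    name: str
    risk_level: str
    estimated_cost_myr: float
    controls: Tuple[str, ...] = ()


@dataclass(frozen=True)
class ScoredThreat:
    name: str
    risk_level: str
    cost_column: str
    cell: int
    controls: Tuple[str, ...]


def score_threat(threat: Threat) -> ScoredThreat:
    """Band the cost and look up the matrix cell for one threat."""
    column = cost_band(threat.estimated_cost_myr)
    return ScoredThreat(threat.name, threat.risk_level, column,
                        matrix_cell(threat.risk_level, column), threat.controls)


def score_register(register: List[Threat]) -> List[ScoredThreat]:
    """Score every threat and order the register by cell number.

    Assumption: a lower cell number means a higher priority, since cell 1 is
    High risk / High cost and cell 16 is Unlikely risk / Minimal cost.
    """
    return sorted((score_threat(t) for t in register), key=lambda s: (s.cell, s.name))


def needs_attention(register: List[Threat], max_cell: int = 8) -> List[str]:
    """Names of threats in the two highest cost columns (cells 1-8 by
    default) that have no risk control recorded against them."""
    return [s.name for s in score_register(register)
            if s.cell <= max_cell and not s.controls]


# Constructed sample register. The threat names come from the document, but
# the risk levels, cost estimates and the controls recorded as "in place"
# are illustrative values, not the document's own assessment.
SAMPLE_REGISTER = [
    Threat("Power Failure", "Medium risk", 80_000,
           ("UPS backup", "Megastream link to other plants", "offsite data vault")),
    Threat("WAN Circuit", "High risk", 30_000),  # third circuit not yet in place
    Threat("Fire", "Low risk", 200_000,
           ("sprinkler system", "fire detection", "evacuation drills")),
    Threat("Flood", "Unlikely risk", 5_000, ("maintenance routines",)),
    Threat("Food Poisoning", "Low risk", 0, ("catering hygiene standards",)),
]

if __name__ == "__main__":
    for s in score_register(SAMPLE_REGISTER):
        print(f"{s.cell:>2}  {s.name:<15} {s.risk_level:<14} {s.cost_column:<18} "
              f"controls: {len(s.controls)}")
    print("needs attention:", needs_attention(SAMPLE_REGISTER))
```

With the sample values the register orders as Power Failure (cell 2), Fire (3), WAN Circuit (5), Flood (12) and Food Poisoning (15), and the WAN circuit is the one entry flagged by needs_attention, which matches the document's own observation that the single-duct last mile is the main unmitigated risk until the third circuit is in place.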
e. Information and Communication
The risk response component receives residual and inherent risk inputs from the risk assessment component, as well as risk tolerance support from the objective-setting component. ERM risk response then provides risk response and risk portfolio data to control activities, as well as risk response feedback to the risk assessment component. Standing alone, the monitoring component has no direct information connections but has overall responsibility for reviewing all of these functions. Refer to Figure 5 - Flow of Information and Communication below for the flow of communication within the enterprise.
Figure 5 - Flow of Information and Communication
f. Monitoring

The COSO ERM application framework document suggests this monitoring could include the following types of activities.
- Implementation of a strong and ongoing management reporting mechanism covering cash positions, unit sales, and other key financial and operational data. A well-organized organization should not have to wait until fiscal month end, or later, for these types of operational and financial status reports. Reporting tools should be expanded to include key ERM measures. This type of flash reporting should take place at all appropriate levels of the organization.
- Periodic reporting processes installed to specifically monitor key aspects of established risk criteria, such as acceptable error rates or items held in suspense. Rather than just reporting periodic statistics, such reporting should emphasize statistical trends and comparisons with prior periods as well as with other industry sectors. This type of reporting will highlight potential risk-related alerts.
- The current and periodic status of risk-related findings and recommendations from internal and external audit reports. This periodic reporting should include the status of ERM-related SOx identified gaps.
- Updated risk-related information from sources such as revised government regulations, industry trends, and general economic news. Again, this type of economic and operational reporting should be available to managers at all levels, and should be expanded to include ERM issues as well.
i. Role of Internal Audit
Internal auditors represent the "eyes and ears" of management as specialists who visit all areas of an organization and report back to management on the status of the operations visited (Moeller, Robert R., 2011). They have historically had ongoing concerns and interests in risk management. In particular, internal auditors have regularly assessed the relative risks of areas to be examined when planning their upcoming audit activities, deciding which areas or functions within an organization to select for internal audits.
Whether it is internal audit, a risk management team under a Chief Risk Officer (CRO), outside consultants, or other trained staff from within the organization, any specific individual reviews of an ERM process might use the following tools:
Process flowcharting: As part of any identified ERM process, the parties responsible should have developed flowcharts documenting that process. If for no other reason, such flowcharts would have been developed as part of their SOx Section 404 review work. These same process flowcharts can be very useful in completing an ERM review of an individual process. This requires looking at the documentation prepared for a process, determining if the process documentation is correct given current conditions, and updating the process flowcharts as appropriate. This update should determine if those identified risks still appear appropriate and if risks have been identified appropriately.

Reviews of risk and control materials: An ERM process often results in a large volume of guidance materials, documented procedures, report formats, and the like. There is often value in reviewing the risk and control materials from an effectiveness perspective. A dedicated ERM team, internal audit, or the organization's quality assurance function can perform such reviews.

Benchmarking: Although an often misused term, benchmarking here is the process of looking at the ERM functions in other enterprises to assess their operations and to develop an approach based on the best practices of others. Gathering such comparative information is often a difficult task, as competing organizations are often reluctant to share competitive data. The process works best when one-to-one professional contacts can be developed, but information regarding how others have attempted to solve similar problems is often very valuable.

Questionnaires: A good method for gathering information from a wide range of people; questionnaires can be sent to designated stakeholders with requests for specific information. This is a valuable technique for monitoring when the respondents are scattered geographically, such as a risk-monitoring survey of employees in a nationwide retail organization.

Internal infrastructure events: Organizations often make benign changes that trigger other risk-related events. For example, a change in customer service arrangements can cause major complaints and a drop in customer satisfaction. Strong customer demand for a new product may cause changes in plant capacity requirements and the need for additional personnel.

Facilitated sessions: Valuable information can often be gathered by asking selected people to participate in a focus group session led by a skilled conference leader. This is the approach used by many organizations for gathering market research information through what are called focus groups. This same general approach can be used to gather a team of people, often from different positions in the organization, to review the enterprise risk status of a particular area. People with different responsibilities can often work together to provide good information about the risk-related status of selected activities.

Table 12 - Tools in ERM Process of Monitoring
The purpose of this monitoring process is to assess how well the ERM framework is functioning in an organization. Deficiencies should be regularly reported to the managers responsible for enterprise risks in the specific area monitored, as well as to the ERM or risk management office. The roles and responsibilities of the CRO, and the steps to building an effective risk management program in an organization, are discussed in Section 6 below; the task of the risk management office is to ascertain that enterprise risks are properly understood and translated into meaningful business requirements, objectives, and metrics. The concept behind this monitoring is not just to find faults or deficiencies but to identify areas where the ERM framework can be improved (R. S. Khatta, 2008). For example, if event monitoring work points to areas where a function is assuming excessive levels of risk, processes need to be in place to install corrective actions.
6. Risk Manager Role
Both the position of a CRO and a supporting formal ERM function are new to many enterprises today (Moeller, Robert R., 2008). However, to implement this very important function or concept of COSO ERM, an enterprise should establish both. An effective ERM group will improve the overall enterprise control environment and many of the organisation's procedures. While the enterprise risk function can operate similarly to an internal audit function, with its own reviews, it is important to remember that the CRO and the designated risk management function have a significant overall responsibility for helping to launch and manage the overall COSO ERM framework.

a. Analysis of Jabil's Safety and Health Policy in accordance with risk management
Jabil encourages a work environment that is free from safety and health hazards, intimidation and harassment, or any other behaviour not conducive to productive and excellent work. Jabil is committed to abiding by all health and safety rules applicable to any job. Beyond this, the criteria of Occupational Safety and Health (OSH) must be implemented in the organisation, as highlighted in Jabil's OSH policy in the following section.
Occupational Safety and Health (OSH) legislation requires that all foreseeable hazards are identified and the risks arising from these hazards are eliminated or controlled.
Risk management is a legal requirement for all businesses regardless of their size, and basically it involves asking the following questions:
- What hazards exist in the workplace?
- How serious are the hazards?
- What can be done to control these hazards?
Risk management is a process whereby hazards in the workplace are identified, the risk of those hazards is assessed, and control measures are then implemented which eliminate or minimise the risk of injury or loss from the hazards identified. Control measures which have been put in place must be reviewed periodically to check that they actually fix the problem without creating another one.
b. OSH Policy of Jabil Circuit Sdn Bhd
Jabil Circuit Sdn Bhd is an electronic manufacturer of circuit board assemblies and systems for global electronic product companies. Jabil Circuit Sdn Bhd is fully committed to conducting its business in a responsible manner and to achieving excellence in occupational health and safety practice in all areas within Jabil Circuit Sdn Bhd. We continually strive to reduce the occupational safety and health impact and risk of our operations.
We are committed to:
1) Complying with relevant Malaysian occupational, health and safety regulations and other requirements applicable to our operations.
2) Driving occupational, health and safety responsibility from top management to all levels.
3) Prevention by adopting industry best practices and providing a safe and healthy working environment.
4) Inculcating awareness of occupational health and safety in our employees, customers, contractors, vendors and suppliers.
5) Providing occupational health and safety training and instructions to our employees.
6) Conducting audits and reviews of our OSH objectives and targets regularly to create a conducive working environment.
7) Pursuing continual improvement in OSH performance.
8) Communicating this policy to all employees and persons working for or on behalf of the organization, and making it available to the public.
This policy was signed by the Operations Director, Harwender Singh, and dated 1st June 2012.
c. Discussion of Jabil OSH Policy
Jabil's modus operandi in running its business must be understood when analysing the Jabil OSH Policy and its relevance to security management.
In terms of conciseness, this policy concentrates on and highlights OSH fundamentals that can easily be understood by employees at all levels. The first element in this policy states that the company complies with Malaysian regulations and other relevant requirements. It is understood that the regulation mentioned refers to the Malaysian Occupational Safety and Health Act 1994 (OSHA 1994). Thus, the company is committed to complying with OSH legal requirements and enforcing the regulation in the workplace.
To elaborate on OSHA 1994, its objectives are listed below:
- Securing the safety, health and welfare of persons at work
- Protecting persons at a place of work other than employees
- Promoting a suitable environment for persons at work
- Enabling previous legislation to be replaced by regulations and approved industry codes of practice operating in combination with the OSH Act 1994
Referring to Jabil's OSH Policy, this first element reflects the whole picture of the OSHA 1994 objectives. Therefore, Jabil evidently considers this criterion the most important in OSH and has put it as the highest element in the OSH policy.
To ensure good practice of OSH and security management, Jabil took a preventive approach based on best practices, as mentioned in the third element of the OSH policy. Continual OSH work such as Hazard Identification, Risk Assessment and Risk Control (HIRARC) runs concurrently with Jabil's operations to achieve the best practical results. HIRARC has become fundamental to the planning, management and operation of a business as a basis of risk management. With HIRARC, Jabil is able to identify hazards, analyse and assess their associated risks, and then apply suitable control measures.
Jabil conducts a dedicated induction for employees and emphasises signage for better communication.
A general Jabil induction for all employees and impacted parties includes:
- A tour of the workplace
- Roles and responsibilities
- Emergency procedures
- General workplace hazards and safety signs
- Workplace hazard/incident reporting
- Introductions to fellow personnel in the work area
- Specific OSH instructions relevant to the specific area (e.g. Personal Protective Equipment (PPE), safety signage, and safe work procedures)
- Consultation mechanisms
Each unit or department in Jabil should perform local area inductions using the Jabil staff induction guide. A monthly assembly is held as a reminder of the OSH policy, and there is a safety month at least once a year to engage all employees on OSH matters through attractive programmes. Usually, Jabil invites the Fire and Rescue Department of Malaysia (BOMBA) to conduct events during safety month to create a realistic environment for safety awareness.
Apart from this, Jabil corresponds to the fifth element of the OSH policy by providing proper OSH training to appropriate personnel within the organisation to enhance their knowledge and skills. Those selected or volunteering personnel are expected to become competent workers, distribute their knowledge to others, and ensure safety awareness is at the highest level. Refer to Table 13 - Jabil OSH Training for Year 2012 below.

JABIL OSH TRAINING FOR YEAR 2012
Programme | Training Needs | Target Group
OSH-MS | Understanding and establishing an effective OSH-MS; OHSAS documentation requirements | Safety Committee members, Internal Auditors, selected personnel
Strategic Safety Management | OSH related Acts; principles of accident prevention; implications of accidents; prevention strategies; safe work behaviour; effective change agent | Supervisors, Sr. Supervisors, Managers, Engineers
First Aid & CPR | Ability to attend to emergencies during a crisis | ERT members, Safety Committee, other interested personnel
Emergency Response and Planning | ERP process and procedures | ERT members, supervisory personnel, security personnel
Fire Prevention | Usage and inspection of fire-fighting equipment | ERT members and other interested personnel
Positive and Proactive Safety Committee | Characteristics and performance indicators of the safety committee; effective management of the safety committee; effective meeting criteria | All Safety Committee members, Managers
CEP programs | Compliance with SHO legal requirements | Safety and Health Officers
Table 13 - Jabil OSH Training for Year 2012
In order to implement good security management, Jabil conducts periodic evaluation of compliance with legal and other requirements through the risk management process (Figure 4). It was reviewed and confirmed that there were no changes in the legal and other requirements from September 2011 to February 2012. During this period, Jabil did not receive complaints from any internal or external parties.
Figure 6 - Risk Management Process
Note that once a review has taken place it does not end there. Environmental Health and Safety (EHS) audit findings are also closely monitored, recorded periodically, and discussed concurrently with the risk management process. This review provides suggestions that need to be considered to improve safety outcomes, thus achieving sound security management. Through these suggestions, Jabil's top management produces the EHS objectives and targets shown in Table 14 - EHS Objectives and Target below.
EHS OBJECTIVES AND TARGET (Global / Site)
Environment scope:
- Reduce energy consumption plant wide by 8% (site: reduce the usage of electricity by 8%)
- Establish a process to assess building energy efficiency for new and existing buildings
- Reduce the usage of water by 2%
- Chemical management (NA)
Safety and Health scope:
- Drive and reduce accidents to 0% plant wide
- Compliance with legal requirements by ensuring zero Non-Compliance Reports (NCR) from the Department of OSH (DOSH) and the Department of Environment (DOE)
Table 14 - EHS Objectives and Target
For an OHS risk management strategy to be successful in an organisation, it must be driven from senior management level, as this is the management level responsible for making critical decisions about future direction. This statement is emphasised in the second element of Jabil's OSH policy.
In a large organisation such as Jabil, it is top management's responsibility to communicate OSH objectives and targets to all levels of employees through a systematic approach. This is done hierarchically, starting from Senior Management and Line Managers and going down to operators.
Risk management should be integrated during the initial stages of business planning. Within this context, resources such as people and funding should be made available by Senior Management for OSH practices and the action plan, as below:
Training and education of staff and line managers in hazard identification, risk assessment and risk management.
Allocation of funds for the purchase of appropriate safety equipment as required.
Any workplace modifications, either physical or process changes, which are required as a result of a risk assessment.
From the discussion above, it is clear that in order to control and manage risks, the organisation's core business and the key fundamentals of the OSH policy must be understood thoroughly by all personnel, so as to achieve the OSH transformation described below.
Figure 7 - OSH Transformation
Awareness: Knowledge of OSH is well communicated among employees. All impacted parties must be able to picture the OSH fundamentals of their workplace.
Implementation: Consists of a set of procedures to be put into action. Work thoroughly through a checklist of required actions, such as the required training and developing a visitor sign-in process.
Compliance: Make sure all departments within the organisation comply with OSH legislation. Periodic audits ensure OSH practices are deployed by all impacted parties.
Enhancement: Efficiently manage resources to achieve a better working environment and boost the organisation's profitability. Enhance the OSH programme by blending current technology, organisational behaviour and politics into an asset that moves the organisation forward.
7. Conclusion
In Jabil, we realise that effective risk management must be based on a holistic approach such as COSO ERM. By adhering to a standardised set of processes, procedures and controls, Jabil can identify and assess risks and develop strategies or business priorities to mitigate them. Addressing those priorities may seem a complicated endeavour, but several key components make for a practical strategy, which can be summarised as follows: enterprise risk management is a holistic view of proper administration methodology within an organisation. In this way, companies are able to look at the complete risk sphere in which they operate. Besides the classical risks, which can be of a strategic, financial or operational nature or concern the legal environment, so-called emerging risks must also be considered. In addition, an organisation may benefit from a proactive approach to occupational safety and health, since it improves productivity and business image and minimises the costs associated with work-related injury or unnecessary loss.
Jabil Rules of the Road 2011.
Jabil's purpose is to be the world's leading manufacturing services provider by enabling employees to proactively offer customers innovative and strategically beneficial solutions. Our values of Empowerment and Accountability, Customer Intimacy, and Continuous Improvement drive our model, and we use these values to minimize bureaucracy and accelerate decision making in the day-to-day management of our business. We believe everyone can make a difference and want to encourage your creativity, innovation, and aggressive problem solving as individuals and as team members. Jabil is an energetic environment full of motivated people working tirelessly to serve our customers. As you work, we do require you to observe a few unchanging Rules and Cultural Principles to help guide you day to day. These rules are not suggestions, they are the Jabil Law, and may be relied upon to resolve relevant conflict by any Jabil employee. The cultural principles reflect our values and should help guide our behavior and the way we interact with each other.
Rules:
1) Jabil Finance MUST APPROVE the credit worthiness of all customers before any PO's are accepted.
2) Customer contracts REQUIRE Jabil Legal approval.
3) Quarterly forecasts MUST BE submitted on time. Forecasts must be reviewed, signed off, and are jointly owned by the Business Unit Manager/Director, Operations Manager and Plant Controller.
4) Quarterly forecasts MUST BE between 90 and 100 of the MONTHLY master material plan for the three month period. The Jabil Division CEO, or the appropriate Senior VP must approve any exceptions to this variance.
5) NO material demand will be loaded into MPS without a legally binding document or written approval of an appropriate Senior Vice President AND Finance Officer.
6) Master schedules and customer commitments must be based upon a complete review of our projected operational capability (equipment, test, manpower, space, and materials) to build and deliver the plan and commitment. The operations planning function OWNS the master material plan, sizing it to constraints, and its execution performance.
7) There will be NO off-system purchasing. ALL supply must match the master material plan.
8) NO shipments will be made without a price and a legally binding process to invoice. Jabil Finance MUST APPROVE anything other than a purchase order with a price.
9) Excess and Obsolete material MUST BE dispositioned in a timely fashion in accordance with Customer contract terms and conditions.
10) Capital asset requisitions MUST BE accompanied by a business case or P&L forecast for justification and CAN ONLY BE ORDERED once all required approvals are obtained.
11) ALL agreements with customers to amortize custom tooling, test fixtures or other non-standard assets REQUIRE THE APPROVAL of an appropriate Jabil Officer.
Cultural Principles:
1) Our Employees are our GREATEST asset. We will provide a respectful and safe working environment to empowered and accountable employees. All of our employees are entitled to mutual respect and will not be subject to unreasonable conditions or compelled to work in an unsustainable way.
2) Have FUN and help to create a fun, productive environment for others.
3) We believe in EMPOWERMENT of our people, and expect our people to solve issues that arise. It's acceptable to agree to disagree on solutions to problems and then escalate to senior management. This must be done with a sense of urgency, as velocity is key to our success.
4) We DO NOT fire people for making honest mistakes; we DO fire people for hiding mistakes.
5) We DO NOT tolerate politicians, autocrats, or dictators. We will treat all of our fellow employees with the same respect we expect for ourselves.
6) We are a Customer-centric company and we will do everything in our power to MEET or EXCEED our commitments to customers. Therefore, commitments should have a reasonable probability of success when made.
7) We will LISTEN to our Customers, and BUILD INTIMACY with them.
8) Business Unit Managers (BUMs) are the leaders of their workcells and accountable for their operational and financial performance. Additionally, BUMs are expected to contribute to the health and well-being of the overall operations.
9) The Operations Manager is the leader of the plant and is ACCOUNTABLE for plant level operational and financial performance. Operations Managers are expected to contribute to the health and well-being of the workcells.
10) Business development OWNS whom we do business with and on what terms.
11) We will build a SUSTAINABLE business, be socially responsible, will work to preserve and protect our natural resources, and will positively contribute to the communities in which we operate.
Jabil Integrity Hotline
Jabil does business honestly. We need the help of all our employees to maintain the highest level of integrity. If you learn of any suspected wrongdoing, please report it to the company, either by speaking to a supervisor or by using the Jabil Integrity Hotline. Jabil employees and others may use the Jabil Integrity Hotline to anonymously report concerns such as:
Theft of Jabil property
Kickbacks and bribes
Unlawful or improper accounting practices
Unlawful or improper performance of a government contract
An investigator employed by an outside company (EthicsPoint) will answer your call, take the information you have to offer, and forward a report for appropriate follow-up and investigation. Jabil strictly prohibits supervisors or employees from taking retaliatory actions against someone who reports information under this process; in any case, you may remain anonymous.
TOLL FREE HOTLINE: 1-800-81-2354
OPERATORS AVAILABLE 24 HOURS PER DAY
TRANSLATION SERVICES ARE AVAILABLE
You can also report your concerns using a web form: www.jabilhotline.ethicspoint.com
RISK IDENTIFICATION TEMPLATE
Please list the major strategies and/or objectives for your area of responsibility.
Please list the major risks your unit faces in achieving its objectives. List no more than 10 risks.
1. __________________________
2. __________________________
3. __________________________
4. __________________________
5. __________________________
6. __________________________
7. __________________________
8. __________________________
9. __________________________
10. __________________________
Please assess the overall risk management capability within your area of responsibility to seize opportunities.
MAJOR STRATEGIES/OBJECTIVES FOR YOUR UNIT
Please list the major strategies/objectives for your unit.
MAJOR RISKS FOR YOUR UNIT
Please list the major risks your unit faces in achieving your objectives. List no more than 10 risks.
1. __________________________
2. __________________________
3. __________________________
4. __________________________
5. __________________________
6. __________________________
7. __________________________
8. __________________________
9. __________________________
10. __________________________