In the beginning, I introduced the background of Hong Kong Science and Technology Parks (HKSTP) and Hong Kong Society for Quality (HKSQ). After that I briefed the History of Risk Management (See reference) and reviewed different Risk Management Standards.
The earliest national standard was AS/NZS 4360:1995 “Risk management” and I briefed its structure. I also reviewed other standards included ISO/IEC Guide 73 (Terminology of RM); AIRMIC, ALARM, IRM: 2002; ISO 27005:2008; BS 31100:2008 & 2011; ISO 31000:2009
Then I discussed different RM tools which stated in BS 31100. The RM tools selection criteria were based on the characteristics of the user, task, tool and RM within the organization. In our company, I selected FMEA to be the RM tools because (1) Users had competence, (2) Tool considered as semi-quantitative method, (3) enough information of tool provided and (4) FMEA had well established in the organization.
During the case study, I introduced the InfoSec FMEA circle which combined PDCA and FMEA for continual improvement on the level of security. The result had been published in 2014 (Lai, Lotto KH & KS Chin, (2014)). The Risk Priority Number (RPN) is the product of Severity (S, 1-10), Occurrence (O, 1-10) and Detection (D, 1-10) rankings. RPN full mark is 10x10x10 = 1000. We set the acceptable level of RPN to 100. If an RPN larger than 100 which could occur in three situations with possible happen:
i) Catastrophic Failure and Semi-auto Detection, when S=10, O=2 and D=5;
ii) Routine Low Risk but Manual Handling, when S=1, O=10 and D=10; and
iii) Middle Situation, when S=4, O=5 and D=5.
Lastly, we took a group photo for memory. It is seldom to have ~40 auditors together on Saturday. It is HKQAA routine strategy meeting plus ISO 9001:2015 translation internal training. For this new ISO standard, it focuses on Risk-based Thinking.
HKQAA - http://www.hkqaa.org
HKSQ - http://www.hksq.org/
Kloman, F. (2002) A short history of risk management: 1900-2002. Risk Management Reports, http://riskjournal.blogspot.hk/2009/02/short-history-of-risk-management.html
Lai, Lotto K.H. and K.S. Chin (2014) “Development of a Failure Mode and Effects Analysis Based Risk Assessment Tool for Information Security”, Industrial Engineering & Management Systems, Vol 13, No. 1, pp.88-101.