Risk Management - Food Sure Summit

Risk Management System in Farm Frites Poland SA
Annual European Food Safety & Quality Summit
26-27 May 2016
Farm Frites Poland SA
We take potatoes to heart
Farm Frites Poland SA
• opening in 1994
• three production lines: fries, pancakes, flakes
• two shareholders: Farm Frites and Aviko
• three Customers: McDonald’s, Farm Frites, Aviko
• 211 employees: 4 brigades, 3 shifts
• 200.000 tons of potatoes processed annually
Integrated Management System
• Environmental Management System
• Human Resource
• Company Committed
• Quality & Food Safety System
• Information Security Management System
• Occupational Health & Safety Management System
• Risk Management System
• Knowledge Management System
SCHEDULE
1. Introduction to Risk Management
2. Standards and models of Risk Management
3. Risk Management system
4. Risk Management system in Farm Frites Poland SA
5. Process of Risk Management
6. Status of Risk Management
1. Introduction to Risk Management
1. Introduction
Subconscious Risk Management:
• each of us manages risk in private and professional life
• a natural character trait of an adult: predicting the consequences of occurrences, avoiding unpleasantness
• the motivation of human behaviour: escaping from discomfort to comfort, from pain to pleasure
systematization
2. Risk Management standards and models
2. Standards and models
• Ferma (2002) A Risk Management Standard
• COSO II (2004) Enterprise Risk Management – Integrated Framework Executive Summary
• AS 4360 (2004) Risk Management
- HB 436:2004 Risk Management – Principles and Guidelines
• ISO guide 73:2009 Risk management - Vocabulary
• ISO 31000:2012 Risk management – Principles and guidelines
- ISO/IEC 31010:2010 Risk management – Risk assessment techniques
- ISO/TR 31004:2013 Risk management – guidance for the implementation of ISO 31000
- BS 31100:2011 Risk Management: Code of practice and guidance for the implementation of BS ISO 31000
2. Standards and models
Which system is your guide for Risk Management
implementation?
a. Ferma (2002) A Risk Management Standard
b. COSO II (2004) Enterprise Risk Management – Integrated Framework Executive Summary
c. ISO 31000 (2012) Risk management – Principles and guidelines
2. Standards and models
Supporting systems:
• BS 10500:2011 Specification for an anti-bribery management system (ABMS)
• ISO 19600:2014 Compliance management system - Guidelines
• ISO 22301:2012 Societal security – Business continuity management system - Requirement
• BS 25995:2007 Business continuity management
• PAS 56 Business Continuity Management
• ISO 27001:2013 Information security system. Requirements
• BS-6079-3:2000 Project management. Guide to the management of business related project risk
• ISO 9001:2015 Quality management systems – Requirements
• PAS 96:2014 Guide to protecting food and drink from deliberate attack
3. Risk Management system
3. Risk Management system
Risk:
• anything that can impact the fulfilment of corporate objectives (organizational context)
• effect of uncertainty on objectives (ISO 31000, ISO Guide 73):
- positive
- negative
- a deviation from the expected
• the combination of the probability of an event and its consequence (IRM)
3. Risk Management system
Types of risks:
• Pure (hazard) risk
• Speculative (opportunity) risk
• Control (uncertainty) risk
(ISO Guide 73)
• Pure risk
• Speculative risk
• Pure risk
• Control risk
• Risk
• Incidents (materialized) – crisis situations
3. Risk Management system
What is Risk Management:
• Proportionate
• Aligned
• Comprehensive
• Embedded
• Dynamic
3. Risk management system
Risk Management benefits:
• Compliance
• Assurance
• Decisions
• Efficiency/Effectiveness/Efficacy
- strategy
- projects, programmes, processes
- operations
Increasing general knowledge of the company!!!
3. Risk Management system
What should be avoided?
• discouraging Operational Managers with an overly complicated system
• too many risks to be analysed and monitored
• lack of a wider look at the consequences of risk materialization (whole organisation, partnerships, etc.)
• uncritical implementation of ready-made system templates
• no unit supervising the system, or an inadequate one
3. Risk Management system
At which level of maturity is your company?
a. Level 4, Natural: risk-aware culture, proactive approach to RM in all activities
b. Level 3, Normalized: RM system implemented, but not fully used in all decisions
c. Level 2, Initial: aware of the potential benefits of managing risk, but implementation is not effective
d. Level 1, Naive: unaware of the need, or the value of a structured approach was not recognized
3. Risk Management system
Responsibilities of Risk Management:
The 2008 salmonella outbreak traced back to peanut
butter paste manufactured by PCA killed 9 people and
sickened 714 others, some critically, across 46 states.
Stewart Parnell (CEO) has maintained all along that his company
engaged in commercial fraud but he was not aware of it.
A federal judge handed Parnell a 28-year prison sentence (the toughest
penalty ever for a corporate executive in a food poisoning outbreak).
The Vice-President received a 20-year sentence and the QA Manager a 5-year sentence.
4. Risk Management System in Farm Frites Poland
4. Risk Management System in FFP
Business Continuity
Risk Management System (RMS)
Management systems: Food Safety Management System (FSMS); Information Security Management System; Occupational Health & Safety Management System (OHS); Environmental Management System
Areas: Food Safety, Food Fraud, Food Defence, Cyber Security, Fire Protection, Personal details, Ammonia system
Methods and standards: HACCP, VACCP, TACCP, MEHARI, PN-N18001
4. Risk Management System in FFP
Organisational structure:
4. Risk Management System in FFP
Processes architecture:
Setting development directions and planning activities
4. Risk Management System in FFP
Risk classification:
• COSO: strategic, operations, reporting, compliance
• ISO31100: strategic, operational, financial, programme
• IRM: strategic, operational, financial, hazard
• FIRM: financial, infrastructure, reputational, marketplace
• PESTLE: political, economic, sociological, technological, legal, environmental
• FFP: strategic, operational, financial, regulatory/compliance, food safety, environmental, project, people health & safety, information security
4. Risk Management System in FFP
Business Continuity
Risk Management System
Risks: Food Safety, Regulatory, Strategy, Financial, Processes, Information Security, People Health & Safety, Operational, Environmental
Owners: HACCP Team, Process Owner, Quality Assurance Manager, Top Management, CFO, Cyber Security Team/HR Director, 5S&SH Team, Fire & Ammonia Protection Team/QAM
objectives
4. Risk Management System in FFP
Structure of goals:
Strategic goals
Operational goals
(projects, SPI, KPI, budget)
Processes objectives
risks
risks
5. Risk Management process
5. Risk Management process
RISK STRUCTURE (RMS)/4
1. Governance/Risk/Compliance (GRC)/3, 4.2
1.1. Organizational context/4.3.1
1.2. RM policy/4.3.2
1.3. IMS/Processes in organization/4.3.4
1.4. Communication/4.3.6, 4.3.7
2. RM project/4.3, 4.4
3. System improvement/4.6
COMPANY STRATEGY (Integrated Management System)
RISK ASSESSMENT/5.4
1. Identification
2. Analysis
3. Evaluation
4. Treatment
RISK MONITORING & REVIEW/5.6
1. Internal and external communications
2. Risk Management Team
3. CSR group
4. Top Management Meetings
5. Annual Management Review
6. Crisis Management Procedure verification
7. MOCK analysis
8. Internal & external audits
RISK DOCUMENTATION/5.7
1. Procedure & instructions
2. Policy
3. Risk assessment registrations
4. Corrective action cards
5. Risk Management Team reports
6. Complaint’s reports
7. MOCK & audit’s reports
8. AMR presentations
9. Minutes of Management meetings
5. Risk Management process
Risk assessment:
Risk identification: List of risks; Description; Process/project; Owner; Reason; Control
Risk classification: 1. People; 2. Finance; 3. Environmental; 4. Operation; 6. Strategy; 7. Compliance, regulation; 8. IT security; 9. Food safety
Risk matrix: Low - monitoring; High – treatment plans; Extreme - treatment plans
Risk consequence: Irrelevant; Small; Moderate; Serious; Disastrous
Risk likelihood: Very unlikely; Rare; Maybe; Possible; Likely; Certain
Risk treatment: 1. Mitigation; 2. Taking (Chance); 3. Elimination; 4. Avoidance
Risk materialization: 1. Risk; 1.1. Incident
5. Risk Management process
Risk matrix:
CONSEQUENCES: B1 Irrelevant, B2 Small, B3 Moderate, B4 Serious, B5 Disastrous
LIKELIHOOD (risk score in columns B1, B2, B3, B4, B5):
• A5 Certain, > 50% (in daily production): 5, 10, 15, 20, 25
• A4 Likely, 30-50% (several times a month): 4, 8, 12, 16, 20
• A3 Maybe, 10-30% (at intervals, seasonally for particular hazards): 3, 6, 9, 12, 15
• A2 Rare, 1-10% (at least once a year): 2, 4, 6, 8, 10
• A1 Very unlikely, < 1%: 1, 2, 3, 4, 5
5. Risk Management process
Risk criteria:
5. Risk Management process
Risk matrix:
[Figure: numbers 1 to 32 placed in the cells of the matrix of LIKELIHOOD (A1 Very unlikely, A2 Rare, A3 Maybe, A4 Likely, A5 Certain) against CONSEQUENCES (B1 Irrelevant, B2 Small, B3 Moderate, B4 Serious, B5 Disastrous)]
5. Risk Management process
Risk matrix:
RISK ANALYSIS
Consequences (1-5), Likelihood (1-5), Risk (C x L)
1, 3, Low
1, 5, Medium
1, 2, Low
1, 3, Low
3, 4, High
5. Risk Management process
Risk treatment:
>10: EXTREME – detailed action plan required by Risk Management Team
5-10: HIGH – needs action plan by Risk Owner (Process Owner/Manager)
<5: LOW – monitoring by Risk Owner (Process Owner/Manager)
5. Risk Management process
Risk treatment (4Ts), by likelihood and consequences:
• Treat: reduce the likely impact or exposure
• Terminate: the activity generating the risk
• Tolerate
• Transfer: the risk and its impact to another party
5. Risk Management process
Risk treatment:
Risk situation description
Action and alternatives
Large scale product recall
Work in accordance with internal procedures, contingency plan
Extreme
Low
High
Backup supplier plan
Contingency plan, risk insurance, policy business interruption
Contingency plan, policy business interruption, fire prevention system (trainings, fire drill etc.)
Factory security, monitoring, entry control system, external audits for factory safety
Contingency plan, preventive maintenance
5. Risk Management process
Incident and crisis situation:
Table columns:
• No.
• Date
• Description of the incident
• Risk (name of the risk to which the event relates)
• Crisis situation
• Process/Department (organisational unit)
• Actual loss
• Reason (causes of the event)
• Actions (actions taken and their effects)
• Prevention (preventive actions, including new control measures)
5. Risk Management process
• P7.0. Management of risk and crisis situation
• I7.0.1 Product recall
• I7.0.2 Traceability
6. Risk Management system status
6. Risk Management status
• 60% of companies have not implemented ERM; 8% have fully implemented ERM (COSO, 2010)
• 80% use some tools (FERMA, Europe Risk Management)
• Poland: 2-3% SME – ERM (Grant Thornton Frąckowiak, System kontroli i zarządzanie ryzykiem – praktyka spółek, 2011)
• Risk Management: 70% financial risk, 66% compliance risk, 65% operational risk, 57% strategic risk (Deloitte, Strategic risk)
6. Risk Management status
Which type of risk is the main one in your organization?
a. Financial risks
b. Compliance risks
c. Strategic risks
d. Operational risks