Risk management frameworks for foundation Asset Information Systems
Lessons drawn from experiences in the utilities industry
AMC Melbourne Chapter
15 July 2011
Greg Williams
Contentions……..
1. Asset management is essentially a risk-based process
[Diagram: Asset Management = Information Risk Management = Risk Management]
2. Infrastructure related businesses invest heavily in Asset
Information systems to help manage their assets and
improve their overall performance.
3. The necessity for good asset information is growing
rather than reducing.
4. Asset Information system requirements are becoming
more sophisticated.
5. The number of stakeholders and complexity of collating
and sharing information is increasing.
6. Drivers include changing regulation, private finance
initiatives to fund major capital programs, and a greater
collective understanding of asset management risk.
7. The information and systems necessary to manage
physical assets also have value.
8. We should address information risks as part of asset
management
Agenda
I’d like you to consider the following….
1. What are your ‘foundation asset information
systems’ and why are they important?
2. Where are your information risk exposures?
3. What is ‘Information risk management’?
4. Are risk management frameworks suitable for
managing asset information?
5. What challenges lie ahead for you?
Let’s prompt a few thoughts……
Foundation asset information systems –
some definitions
What are Asset Information Systems?
The asset information systems an organization has in place to support the asset
management activities and decision-making processes in accordance with the asset
information strategy.
Why are these systems the ‘foundation systems’?
• Those that contain the essential data describing the physical asset
• Physical & Functional parameters (What is it, where is it, how does it connect to
others?)
• Condition, age, operating state
• History, changes, modifications
• These systems allow us to take control of the information regarding an asset.
Examples of foundation systems
• Geographic Information Systems (GIS)
• Maintenance Management Systems (MMS)
• Works Management Systems (WMS)
• Project Management Systems (PMS)
• Customer Management Systems (CMS)
• Incident Management Systems (IMS)
Why do foundation systems form the basics?
1. Compliance: Reduce compliance risk, keep records of compliance actions
2. Governance: Enable accurate and timely decision making
3. Safety: Enable safe operation of the asset
4. Configuration: Allow capture and control of changes to the configuration and operating state
5. Planning: Inform planning to enable accurate project development
6. Information supply chain: Deliver the right info to the right stakeholder in the right format at the right time
Without foundation systems these objectives are challenging to achieve!
Sources of information risk
Is your asset information:
• Correct
• Accurate
• Available
• Relevant
• Consistent (in form between systems)
• Timely (or current in its validity)
• Common or standard
• Secure
• Recoverable
If your asset information doesn’t meet all of these requirements, you may have
symptoms of information risk.
Consult the nearest risk manager for further advice.
Where are our exposures?
• Key person dependencies
Examples of information risk scenarios
• Key person dependencies
• GIS updates were done manually by a KEY PERSON
• No ratings on conductors in feeder spans in control room schematics
• Data was reviewed prior to a regular upload to parent systems used in
control room environments to manage a distributed network
• No post-processing or review of critical data after uploads
• Conductor rating and existing state not represented to Network Controllers
• What are the on-going risks?
Where are our exposures?
• Key person dependencies
• New information systems
• Changes to existing systems
• Brownfield projects create new data and changes to system configurations
• PPP and major capital projects build new systems
Examples of information risk scenarios
• Major change of parent asset information system
• Asset owner decision to restructure management model and data
requirements with emphasis on least cost
• Existing system left with major Service Provider and entirely new system
built for new contract
• All historical data ‘archived’ and only selected elements of current data
exported to new system
• Archive data stored in old formats – asset history now inaccessible
• Data matching by Service Providers using works management and interfaces
• Asset planning now based on limited range of data with little reference to
maintenance and performance history
• What are the on-going risks in this scenario?
Where are our exposures?
• Key person dependencies
• New information systems
• Changes to existing systems
• Brownfield projects create new data and changes to system configurations
• PPP and major capital projects build new systems
• Increases in data volume (quantities)
• Large increases in data available on-line
• Lumpy data, such as discrete time stamped parameters
• Lack of structured system/data configurations (master data)
• No current, operational data (state, condition, etc)
Where are our exposures?
Increases in data volume (quantities), type & availability
• Major upgrade and expansion of the installed asset base (eg, Smart Meters) which
introduced new technology
• Automation in smart networks causing large increases in data available on-line
• Data consisting of lumps of discrete, time stamped parameters (voltage, current,
power and energy measurements)
• Overloading of data - 10 times increase in data volumes made available to AIM
systems
• Corresponding increase in data storage requirements, retrieval, sorting
• Unresolved challenges in useability of data (relevance, currency, etc)
• What are the on-going risks?
• ‘Too much data and not enough information can lead to disastrous mismanagement,
other misrepresentations and controversies.’
• (IAM 2003).
• Industry response is introduction of pattern recognition to interpret and identify
quality data
Where are our exposures?
• Key person dependencies
• New information systems
• Changes to existing systems
• Brownfield projects create new data and changes to system configurations
• PPP and major capital projects build new systems
• Increases in data volume (quantities)
• Large increases in data available on-line
• Lumpy data, such as discrete time stamped parameters
• Lack of structured system/data configurations (master data)
• No current, operational data (state, condition, etc)
• Inadequate storage and back-up
• Unable to recover from a disaster (no DR procedure or test)
• Hacking, unauthorised use or data breaches (cyber criminals)
Where are our exposures?
Unauthorised use or data breaches
Read this!
Do these things!
Source: Risk Management, June 2011, p8
Where are our exposures?
• Key person dependencies
• New information systems
• Changes to existing systems
• Increases in data volume (quantities)
• Large increases in data available on-line
• Lumpy data, such as discrete time stamped parameters
• Inadequate storage and back-up
• Unable to recover from a disaster (no DR procedure or test)
• Lack of structured system/data configurations (master data)
• No current, operational data (state, condition, etc)
• Brownfield projects create new data and changes to system configurations
• PPP and major capital projects build new systems
• Hacking, unauthorised use or data breaches (cyber criminals)
• Ambiguous organizational objectives
Where are our exposures?
Ambiguous organizational objectives
• Organizations tend to collect information that is easiest to collect,
irrespective of the need for it or the subsequent usefulness.
• Departmental objectives also based on such thinking; maintainers and
technical service providers may be given budget targets or deadlines
irrespective of the potential ‘trade-off’ impact against operational
performance.
• Production, operations, or customer relations personnel, on the other hand,
are motivated and measured in the terms of output volumes or quality,
irrespective of the costs incurred by others to achieve such output.
• ‘The current scenario requires an asset management system which connects
to organizational objectives.’
• (IAM, 2003).
How are information risks being managed
in utilities businesses?
1. GIS is the core or parent platform (geocodes)
2. Regular and full updates to related information systems
3. Common and standard data sets (Master Data)
4. Driving developments of solutions that deliver all the required
capability
5. Adopting risk management frameworks for asset information
6. The big challenge - Systems integration where necessary to
ensure data flows are efficient and error free
Information Risk Management
What is it?
• Process of understanding and responding to factors that may lead to a failure in
the confidentiality, integrity or availability of an information system.
• Adapts the generic process of risk management and applies it to the integrity,
availability and confidentiality of information assets [1]
How do we do it?
• Focus our attention on processes that together ensure information risks are
adequately reduced to a tolerable level.
• Include methods for identifying and assessing risks, plus the methods for
determining which controls need to be applied, for checking that those controls
have been applied, and then for tracking the actual level of protection being
achieved.
• Apply an adequate level of risk mitigation to those situations where the risks are
highest and ensure solutions are not over-engineered where the risks are
minimal.
• Take risk-based approaches so that mitigation efforts are applied in proportion to
the level of risk being addressed. [2]
Sources:
1. QLD Govt BPG Information Risk Management V1.0 Jul 01
2. Information Security Awareness Forum
Risk management frameworks
• Three main influences:
1. Industry specifications or requirements for asset information & systems
• AS 2885.3-2001 Pipelines – Gas and Liquid Petroleum
• NZS 7901:2008 Electricity & Gas Industries Safety Management Systems
2. Standards for management systems
• PAS 55-1:2008 Asset Management (also see ISO55000:2011)
• AS/ISO31000:2009 Risk Management
• AS/ISO9001:2004 Quality Management
• AS/ISO 10007-2003 Quality management systems – Guidelines for configuration
management
• QLD Government BPG Information Risk Management V1.0 Jul 01
• AS/NZS ISO/IEC 27002:2006 : Code of practice for information security management
3. Standards for asset data structures, configurations and security
• ISO/IEC27000:2009 Information technology - Security techniques - Information security
management systems - Overview and vocabulary
• ISO 15926 Integration of life-cycle data for process plants (7 parts)
• STEP AP212 (BS EN 81714-2:2007) Graphical symbols for use in tech docs
• Most standards include guidance on what information may be required, how to manage
the information and how to assure your business that the information is valid
Risk management frameworks
Industry specifications
AS 2885.3-2001 Pipelines – Gas and Liquid Petroleum
Section 10 Records
The operating authority shall obtain, prepare and keep current…..
• Charts and maps showing location…
• Records of condition…
• Records of sections and components identified as potentially high risk…
• Etc
NZS 7901:2008 Electricity & Gas Industries Safety Management Systems
Section 5.9 Provision of Information
• Arrangements shall be in place to inform external parties about the safety and operation
of assets and the hazards associated with them. This shall include information to enable
those parties to report faults, defects, failures, and emergencies.
• Such arrangements may include provision of maps, public notification…..
But are these really requirements?
Risk management frameworks
Management system standards
PAS 55-1:2008 Asset Management
4.4.6 Information Management
• The organization shall identify the asset management information it requires.....considering all phases
of the asset life cycle.
• The information shall be of a quality appropriate to the asset management decisions and activities it
supports.
• The organization shall design, implement and maintain a system for managing asset management
information.
• Employees and other stakeholders, including contracted service providers, shall have access to the
information relevant to their asset management activities or responsibilities.
• The organization shall establish, implement and maintain procedures for controlling all information
required. These procedures shall ensure:
• the adequacy of the information is approved by authorized personnel prior to use;
• information is maintained and adequacy assured through periodic review and revision, including
version control where appropriate;
• allocation of appropriate roles, responsibilities and authorities regarding the origination,
generation, capture, maintenance, assurance, transmission, rights of access, retention, archiving
and disposal of items of information;
• Etc…
Risk management frameworks
Management system standards
ISO31000:2009 Risk Management
• Provides principles and generic guidelines on risk
management
• Risk is the ‘effect of uncertainty on objectives’
• Principle 3 – risk management is part of decision making
• Principle 6 – risk management is based on the best
available information
• Controls Effectiveness
- Should be operating in the manner intended
- Can be demonstrated to be effective
- Based on proper documentation, recording and
reliable assurance processes
ISO31000 adapted to information risk management
Source: QLD Government BPG Information Risk Management V1.0 Jul 01
Risk management frameworks
Data & security standards
ISO/IEC27000:2009 Information technology - Security techniques
• Provides all types of organization (e.g. commercial enterprises, government agencies and
non-profit organizations) with a basis to implement an information security management
system (ISMS).
• Based on a simple Plan-Do-Check-Act (PDCA) process
• Defines requirements for an ISMS and for those certifying such and conformity
assessment for an ISMS.
ISO 15926 Integration of life-cycle data for process plants (7 parts)
• Standardisation of asset information is the key to Collaborative Asset Lifecycle
Management (CALM)
• CALM is the basis for information sharing between contractors and asset owners
• Provides standards for lifecycle data for process plants
• Formalises how assets are identified and how data should be structured so the same
terminology can be used consistently (same language)
• Contributes to the preservation of the value of asset information as it flows between
stakeholder systems
• Compliance can be at software configuration level up to integration of distributed systems
The bigger challenge - Integration where
necessary to ensure data flows are efficient
and error free
Holistic
Sustainable
Systematic
Integrated
Optimal
Systemic
Risk-based
Integrated asset information systems:
• support organizations to
• efficiently and sustainably manage the whole
lifecycle of physical assets in terms of
• performance,
• risks, and
• expenditures
• to achieve and maintain the stated business
objectives.
Example: OneWater by TechnologyOne
• Complete integration between all software and related systems, including SCADA, GIS, IMS,
MMS, PMS, 3rd party interfaces
• Under the system, a leak could be reported, SCADA data used to confirm the incident,
geocoding to pinpoint location, remedial works logged, replacement materials ordered
Integration example - Mapping content to
assets
To enable operational readiness and excellence, the “information plant”
must match the “physical plant”
Matching of these aspects needs to be:
• Complete and accurate
• Current and available
• Relevant, consistent and sustainable
Source: SAP 2011
In summary,
1. Make use of relevant management system
standards to determine your minimum
requirements for AIM, including data standards
PAS55, ISO31000, ISO27000
2. Adopt a risk-based approach to managing the
effectiveness of your asset information systems
3. Ensure asset information risks are registered in
your company Risk Management System
4. Wherever possible, seek to integrate systems if data
must flow in consistent forms (by use of Master
Data)
Greg Williams
(T): 03 8603 5472
(M): 0439 070 125
Some interesting resources for bedtime reading:
• Queensland Government Information Architecture best practice guide, BPG Information Risk management, V1.0 November
2002
• IFS white paper, ‘Selecting software for AIM: Asset Information Management’, Christian Klingspor, IFS AB, August 2009
• SAP presentation, ‘Integrated information system for safety, risk and performance management’, ICOMS2011, Dr Ing Achim
Kruger, May 2011
• Harte Hanks Trillium Software white paper, ‘Where is your risk? How insurers use location intelligence to manage risk and
grow their business’, 2010
• Enterprise Strategy Group white paper, ‘Databases at risk’, Jon Oltsik, ESG, September 2009
• SANS Institute white paper, ‘An introduction to information system risk management’, Steve Elky, May 2006
• Faiz, R.B., & Edirisinghe, E.A., ‘Decision making for predictive maintenance asset information management’, Interdisciplinary
Journal of Information, Knowledge and Management, Volume 4, 2009
• Ouertani, M.Z., Parlikad, A.K., & McFarlane, D., ‘Towards an approach to select an asset information management strategy’,
International Journal of Computer Science and Application, Volume 5, No. 36., 2008
• ‘How much does asset information cost?’, Strategic Asset Management Issue 143, June 2004
• ‘If asset managers lost control of their information, they lose control of everything’, Strategic Asset Management Issue 174,
September 2005
