
Faculty of Science and Technology

Master of Occupational Safety and Health Risk Management


SMRK5103 RISK MANAGEMENT
SEPTEMBER SEMESTER 2012
ASSIGNMENT (60%)





Prepared by,
Aizuddin Sugara Bin Akbar Jahan (CGS00716430)

Tutor:
MOHD RAFEE BAHARUDIN








Executive Summary

This paper discusses Enterprise Risk Management (ERM) at Jabil Circuit Sdn Bhd (Jabil) for
the Fiscal Year (1st October 2012 to 31st September 2013). ERM takes a broad perspective on
identifying the risks that could cause an organization to fail to meet its strategies and
objectives. Several methods for identifying risks are discussed and illustrated with examples
from company experience. Once risks are identified, the next issue is to determine the root
causes, or what drives the risks. A suggested approach is described and followed by a
discussion of several qualitative and quantitative procedures for assessing risks. Some
practical ERM implementation considerations are also explored, including infrastructure and
maturity models, staging adoption, the role of the management accountant, education and
training, technology, aligning corporate culture, building a case for ERM, and the ROI of
ERM. Jabil Circuit Sdn Bhd, a large organisation whose stakeholders have expectations
of business success, can benefit from the tools and methods provided in this paper.



Table of Contents
1. Introduction ........................................................................................................................ 5
a. Jabil Circuit Sdn Bhd ...................................................................................................... 6
b. Explanation of Enterprise Risk Management (ERM) ..................................................... 7
i. Definition of Enterprise Risk Management (ERM) .................................................... 9
ii. Differences of ERM and Traditional Risk Management ............................................ 9
iii. Benefits of Enterprise Risk Management (ERM) ..................................................... 10
iv. Limitation of Enterprise Risk Management (ERM) .................................................. 12
2. Role of ERM in Occupational Safety and Health ............................................................. 14
a. Identifying hazards........................................................................................................ 15
b. Assessing associated risks............................................................................................. 15
c. Taking action to mitigate risks ...................................................................................... 16
d. Monitoring the effectiveness......................................................................................... 16
3. Implementing Enterprise Risk Management (ERM) ........................................................ 18
a. Committee of Sponsoring Organizations ERM ........................................................... 20
b. Relationship of Objectives and Components ................................................................ 27
c. Key Implementation Factors ......................................................................................... 28
4. Work Plan: Target Achievement of Objectives ................................................................ 31
a. Objectives ..................................................................................................................... 31
5. Work Plan: Components of ERM ..................................................................................... 33
a. Internal Environment .................................................................................................... 33
i. Initiative Goal of ERM - Internal Environment ........................................................ 36
b. Objective Setting ........................................................................................................... 37
i. Corporate Background .............................................................................................. 40
ii. Corporate Risk Summary .......................................................................................... 42
iii. Jabil's Mission Statement ......................................................................................... 45
iv. COSO ERM Risk Objective Setting Components .................................................... 46
c. Event Identification ....................................................................................................... 46
d. Risk Assessment, Response, and Control Activities .................................................... 50
i. Planning ..................................................................................................................... 50
ii. Required Systems ...................................................................................................... 51
iii. Unique Assets ............................................................................................................ 56


iv. Security Profile .......................................................................................................... 66
v. Threat Identification and Resource Requirements for Business Continuity ............. 67
e. Information and Communication .................................................................................. 77
f. Monitoring .................................................................................................................... 80
i. Role of Internal Audit ............................................................................................... 81
6. Risk Manager Role ........................................................................................................... 85
a. Analysis of Jabil's Safety and Health Policy in accordance with risk management ........ 85
b. OSH Policy of Jabil Circuit Sdn Bhd ........................................................................... 86
c. Discussion of Jabil OSH Policy .................................................................................... 87
7. Conclusion ........................................................................................................................ 95
8. References ........................................................................................................................ 96
Appendix A: Jabil Business Conduct...97
Appendix B: Jabil Rules of The Road......98
Appendix C: Jabil Integrity Hotline.....99
Appendix D: Risk Identification Template....100





Figure 1 - A Continuous Risk Management Process ................................................................. 6
Figure 2 - COSO ERM Framework ......................................................................................... 27
Figure 3 - Industry Portfolio of Risks ...................................................................................... 38
Figure 4 - Components of Objective Setting ........................................................................... 46
Figure 5 - Flow of Information and Communication............................................................... 79
Figure 6 - Risk Management Process ...................................................................................... 92
Figure 7 - OSH Transformation ............................................................................................... 94

Table 1 - Buildings and its function ........................................................................................... 7
Table 2 - Differences of ERM and Traditional Risk Management ............................................ 9
Table 3 - ERM Objectives' Categories and its Description ..................................................... 22
Table 4 - ERM Component's Description ................................................................................ 26
Table 5 - Jabil's Objectives ...................................................................................................... 32
Table 6 - Key Risk-Oriented Characteristics of Jabil ............................................................. 42
Table 7 - Corporate Risk Summary ......................................................................................... 44
Table 8 - Risk Assessment Planning Task ............................................................................... 51
Table 9 - Required Systems ..................................................................................................... 56
Table 10 - Unique Assets ......................................................................................................... 66
Table 11 - Security Profile ....................................................................................................... 67
Table 12 - Tools in ERM Process of Monitoring .................................................................... 83
Table 13 - Jabil OSH Training for Year 2012 ......................................................................... 91
Table 14 - EHS Objectives and Target .................................................................................... 93




1. Introduction

In the economic landscape of the 21st century an organization's business model is challenged
constantly by competitors and events that could give rise to substantial risks. An organization
must strive to find creative ways to continuously reinvent its business model in order to
sustain growth and create value for stakeholders. Companies make money and increase
stakeholder value by engaging in activities that carry some risk, yet stakeholders also tend to
appreciate and reward some level of stability in their expected returns. Failure to identify,
assess, and manage the major risks facing the organization's business model, however,
may unexpectedly result in significant loss of stakeholder value. Thus, senior leadership must
implement processes to manage effectively any substantial risks confronting the organization.
This dual responsibility of growing the business and managing risk has been noted by Mark
Mondelo, Chairman and CEO at Jabil Circuit Inc., when he described his position at Jabil:
"My job is to figure out how to grow and manage risk and volatility at the same time."

While it may not be possible to eliminate all risks, it is certainly possible to devise measures
to prevent them and to control losses and their impacts through proven principles of risk
management.




Figure 1 - A Continuous Risk Management Process

a. Jabil Circuit Sdn Bhd

Jabil Circuit Sdn Bhd Malaysia (Jabil) is a multi-national company based in Penang and
headquartered in St Petersburg, Florida, USA. Jabil's global operations encompass more
than 60 sites on four continents and employ over 100,000 people.
Jabil is one of the world's largest Electronic Manufacturing Services (EMS) companies,
providing customised design, manufacturing, distribution, and aftermarket services for
some of today's largest companies. To ensure continued financial success and growth,
Jabil operates in a variety of sectors, including aftermarket services, computing & storage,
defence & aerospace, digital home & office, healthcare & instrumentation, industrial &
clean tech, materials technology, mobility EMS, networking, and telecommunications.


For the past 16 years, Jabil has experienced double-digit growth due to an unwavering
commitment to the right combination of services, industries, locations, systems, and
people.

In Penang, Jabil has five buildings that together form one campus of this large
organisation, located in the Free Industrial Zone. The five buildings and their main
functions are listed below:

Building                          Function
Jabil Plant 1                     Facilitates the primary production floor
Jabil Plant 2                     Facilitates the secondary production floor
Jabil Global Business Centre 1    Supports worldwide operation of Supply Chain Management
Jabil Global Business Centre 2    Supports worldwide operation of Information Technology and Finance
Jabil After Marketing Services    Supports after-marketing services
Table 1 - Buildings and its function

b. Explanation of Enterprise Risk Management (ERM)

No entity operates in a risk-free environment, and Enterprise Risk Management (ERM)
does not create such an environment. Rather, ERM enables management to operate more
effectively in environments filled with risks (R. S. Khatta, 2008).


Enterprise risk can include a variety of factors with potential impact on an organisation's
activities, processes, and resources. External factors can result from economic change,
financial market developments, and dangers arising in political, legal, technological, and
demographic environments. Risks can also arise over time, as the public may change its
views on products or practices. In terms of Jabil's business operations, a few such public
concerns about products and practices are listed below:
- Mobile devices
- Computer appliances
- Manufacturing services from third countries
- Software
- Executive salaries
- Safety
- Office appliances
- Disposable packaging
- Technology

Most of these are beyond the control of Jabil, although Jabil can prepare and protect
itself in a timely and efficient way. Internal risks include human error, fraud, systems
failure, disrupted production, and so on. Thus, an organisation such as Jabil needs robust,
reliable systems to control risks that arise in all facets of its operations.


i. Definition of Enterprise Risk Management (ERM)
ERM involves the identification and evaluation of significant risks, assignment
of ownership, and completion and monitoring of mitigating actions to manage
these risks within the risk appetite of the organisation.

The output of ERM is the provision of information for management to improve business
decisions, reduce uncertainty and provide reasonable assurance regarding the
achievement of the objectives of the organisation.

Thus, ERM is intended to make a significant positive difference when an
unforeseen or unexpected event occurs. Beyond that, it is designed to improve
efficiency and the delivery of services, improve the allocation of resources (capital) to
business improvement, create shareholder value and enhance risk reporting to
stakeholders.

ii. Differences of ERM and Traditional Risk Management

Traditional Risk Management                     ERM
Risk as individual hazards                      Risk viewed in context of business strategy
Risk identification and assessment              Risk portfolio development
Focus on discrete risks                         Focus on critical risks
Risk mitigation                                 Risk optimization
Risk limits                                     Risk strategy
Risks with no owners                            Defined risk responsibilities
Haphazard risk quantification                   Monitoring and measurement of risks
Risk responsibility is perceived individually   Risk is everyone's responsibility
Table 2 - Differences of ERM and Traditional Risk Management


iii. Benefits of Enterprise Risk Management (ERM)

Determining whether an entity's enterprise risk management is effective is a judgment
resulting from an assessment of whether the ERM components are present and functioning
effectively. Thus, the components are also the criteria for effective ERM. For the
components to be present and functioning properly there can be no material weaknesses,
and risk needs to have been brought within the entity's risk appetite.

When ERM is determined to be effective in each of its categories of objectives,
respectively, the board of directors and management have reasonable assurance that they
understand the extent to which the entity's strategic and operations objectives are being
achieved, and that the entity's reporting is reliable and applicable laws and regulations
are being complied with.

The ERM components will not function identically in every entity. Application in small
and mid-size entities, for example, may be less formal and less structured. Nonetheless,
small entities still can have effective enterprise risk management, as long as each of the
components is present and functioning properly. ERM provides enhanced capability to:
- Align risk appetite and strategy: Risk appetite is the degree of risk, on a broad-
  based level, that a company or other entity is willing to accept in pursuit of its
  goals. Management considers the entity's risk appetite first in evaluating strategic
  alternatives, then in setting objectives aligned with the selected strategy and in
  developing mechanisms to manage the related risks.
- Link growth, risk and return: Entities accept risk as part of value creation and
  preservation, and they expect return commensurate with the risk. Enterprise risk
  management provides an enhanced ability to identify and assess risks, and
  establish acceptable levels of risk relative to growth and return objectives.
- Enhance risk response decisions: Enterprise risk management provides the rigor
  to identify and select among alternative risk responses: risk avoidance,
  reduction, sharing and acceptance. Enterprise risk management provides
  methodologies and techniques for making these decisions.
- Minimize operational surprises and losses: Entities have enhanced capability to
  identify potential events, assess risk and establish responses, thereby reducing the
  occurrence of surprises and related costs or losses.
- Identify and manage cross-enterprise risks: Every entity faces a myriad of risks
  affecting different parts of the organization. Management needs to not only
  manage individual risks, but also understand their interrelated impacts.
- Provide integrated responses to multiple risks: Business processes carry many
  inherent risks, and enterprise risk management enables integrated solutions for
  managing the risks.
- Seize opportunities: Management considers potential events, rather than just
  risks, and by considering a full range of events, management gains an
  understanding of how certain events represent opportunities.
- Rationalize capital: More robust information on an entity's total risk allows
  management to more effectively assess overall capital needs and improve capital
  allocation.

Enterprise risk management helps an entity achieve its performance and profitability
targets, and prevent loss of resources. It helps ensure effective reporting. And, it helps
ensure that the entity complies with laws and regulations, avoiding damage to its
reputation and other consequences. In sum, it helps an entity get to where it wants to go
and avoid pitfalls and surprises along the way.

iv. Limitation of Enterprise Risk Management (ERM)

While enterprise risk management provides important benefits, limitations exist. In
addition to the factors discussed above, limitations result from the realities that human
judgment in decision making can be faulty, decisions on responding to risk and
establishing controls need to consider the relative costs and benefits, breakdowns can
occur because of human failures such as simple errors or mistakes, controls can be
circumvented by collusion of two or more people, and management has the ability to
override enterprise risk management decisions. These limitations preclude a board and
management from having absolute assurance as to achievement of the entity's objectives.

Effective enterprise risk management helps management achieve objectives. But ERM,
no matter how well it is designed and operated, does not ensure an entity's
success.

The achievement of objectives is affected by limitations inherent in all management
processes. Shifts in policy or programs, competitors' actions or economic conditions can
be beyond management's control. ERM cannot change an inherently poor manager into a
good one. Additionally, controls can be circumvented by the collusion of two or more
people, and management has the ability to override the ERM process, including risk
responses and controls.

The design of ERM must reflect the reality of resource constraints, and the risk
management benefits must be considered relative to their costs. Thus, while ERM can
help management achieve its objectives, it is not a solution or remedy for all
difficulties.



2. Role of ERM in Occupational Safety and Health

Occupational Safety and Health (OSH) is already a legal requirement in several countries.
Others have established such a system, but its application is still optional.

ERM is an integral part of performing OSH. It serves to identify and assess the risks derived
from the hazards, and it finally leads to appropriate action to reduce or even eliminate such risks.
Risk management is the critical success factor in managing OSH in any workplace.

A management system provides a framework for the process of identifying hazards, assessing
associated risks, taking action and reviewing the outcome. Like any modern management
system, it follows the model originally developed for quality management (ISO 9000).
Hence, the OSH management system simply has to be integrated into the existing
management systems.

The following are the elements of a management system as suggested by OHSAS 18001.
It is based on the Plan - Do - Check - Act cycle, as described below.
- Defining the OHS Strategy
- Planning
- Implementation and Operation
- Checking and Corrective Action
- Management Review
- Continual Improvement



This description shows that OSH is closely related to risk management, because it
frames the OSH management process around the items outlined below.

a. Identifying hazards

A hazard is anything that is a threat to health and safety in an organisation. Therefore it is
linked to the people of the organisation and it immediately becomes clear that everybody
has to contribute to finding hazards at his or her workplace. It is a legal requirement in
some countries that employers have to consult their employees.

b. Assessing associated risks

Before risks can be assessed, the risks associated with the identified hazards have to be
determined. Note the distinction: hazards and the risks resulting from hazards are
different things. Risk assessment itself is much the same as risk assessment in other
management systems. Typically, a risk is assessed by its likelihood and its consequence.
Risk assessments provide insight into an organisation's risks and allow risks to be
prioritised for mitigating action.
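The likelihood-and-consequence assessment described above, with the inherent-versus-residual view that the COSO component table later mentions, is shown here in a small Python script. This is an added example written for this page, not code from the assignment or from Jabil; the five-point scales, the rating bands, the appetite threshold and the sample register are all assumptions constructed for illustration.

```python
# Added example (not part of the original assignment): scoring a small
# occupational-safety risk register by likelihood and consequence, as the
# section describes, and ranking the results so mitigation can be prioritised.
from dataclasses import dataclass

# Five-point scales and rating bands: a common convention, assumed here rather
# than taken from the assignment text.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
RATING_BANDS = [(4, "low"), (9, "medium"), (16, "high"), (25, "extreme")]
RATING_ORDER = {"low": 0, "medium": 1, "high": 2, "extreme": 3}


@dataclass
class Risk:
    hazard: str
    description: str
    likelihood: str            # inherent likelihood, before any controls
    consequence: str           # inherent consequence, before any controls
    residual_likelihood: str   # likelihood with existing controls in place
    residual_consequence: str  # consequence with existing controls in place


def score(likelihood: str, consequence: str) -> int:
    """Risk score = likelihood x consequence on the 1-5 scales (range 1..25)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def rating(score_value: int) -> str:
    """Map a 1..25 score onto a qualitative rating band."""
    if not 1 <= score_value <= 25:
        raise ValueError(f"score out of range: {score_value}")
    for upper, label in RATING_BANDS:
        if score_value <= upper:
            return label
    raise AssertionError("unreachable: bands cover 1..25")


def assess(register, appetite: str = "medium"):
    """Score each risk on an inherent and a residual basis, ranked by residual score.

    Risks whose residual rating is above the stated appetite are flagged as
    needing further mitigation. Returns a list of dicts, highest residual first.
    """
    if appetite not in RATING_ORDER:
        raise ValueError(f"unknown appetite: {appetite}")
    rows = []
    for r in register:
        inherent = score(r.likelihood, r.consequence)
        residual = score(r.residual_likelihood, r.residual_consequence)
        if residual > inherent:
            # A control cannot make a risk worse; treat this as a register error.
            raise ValueError(f"residual exceeds inherent for {r.hazard!r}")
        res_rating = rating(residual)
        rows.append({
            "hazard": r.hazard,
            "inherent": inherent,
            "inherent_rating": rating(inherent),
            "residual": residual,
            "residual_rating": res_rating,
            "needs_action": RATING_ORDER[res_rating] > RATING_ORDER[appetite],
        })
    # Highest residual first; ties broken by inherent score so that a risk
    # relying heavily on its controls sorts ahead of one that is simply small.
    rows.sort(key=lambda row: (row["residual"], row["inherent"]), reverse=True)
    return rows


# Constructed sample register for illustration only; not Jabil's actual data.
SAMPLE_REGISTER = [
    Risk("Solder fume at rework stations", "respiratory irritation from flux fumes",
         "likely", "moderate", "unlikely", "moderate"),
    Risk("Forklift traffic in goods-in area", "pedestrian struck by forklift",
         "possible", "catastrophic", "unlikely", "catastrophic"),
    Risk("Wet floor near wash-bay", "slip and fall",
         "likely", "minor", "possible", "minor"),
    Risk("Unlabelled chemical containers", "wrong substance used or mixed",
         "possible", "major", "rare", "major"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        flag = "ACTION" if row["needs_action"] else "accept"
        print(f"{row['hazard']:<36} inherent {row['inherent']:>2} ({row['inherent_rating']})"
              f"  residual {row['residual']:>2} ({row['residual_rating']})  {flag}")
```

Ranking on the residual score rather than the inherent one is what keeps the list actionable: the chemical-labelling risk scores high inherently but is already brought to "low" by its controls, while the forklift risk stays "high" even with controls and is the only item flagged against a "medium" appetite. Raising or lowering the appetite argument changes which rows are flagged without changing the ranking.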



c. Taking action to mitigate risks

Mitigating actions focus on reducing the likelihood and/or the consequence. There is a
hierarchy of solutions, whereby the most effective is usually also the most
difficult and sometimes the most expensive to realise:

- Actions that remove the hazard and eliminate the risk.
- Actions that replace the hazard with a less dangerous one.
- Actions that modify the product or process design.
- Actions that isolate the hazard from people.
- Actions that use engineering solutions such as new machinery or plant.
- Actions that use administrative controls, e.g. new procedures.
- Actions that protect people from hazards through personal protective equipment.

d. Monitoring the effectiveness

The outcome of each risk mitigating action has to be reviewed on two levels:
- To ensure that the actions taken are effective and continue to be effective.
- To ensure that no new hazard or risk was introduced by the actions taken.

Any control measures have to be maintained in order to ensure that they are kept in
working order. Procedures also have to be audited to ensure they are being followed
as intended.


After completing one entire cycle of risk management the next has to be scheduled, to
ensure that the best actions are always taken and that new hazards are brought into risk
management.

Risk management of OSH will be a regular item on the management agenda, and ERM is
a component of risk management that can address OSH issues. However, beyond being
merely a requirement, management may realise the benefits and profitability of OSH
through proper presentation of the related risk management modules, especially when
registered to the respective local standard. The benefits are listed below.
- Reduction of risk.
- Competitive advantages.
- Compliance with legal requirements.
- Improvement of overall performance.


3. Implementing Enterprise Risk Management (ERM)

ERM cuts across an organization's silos to identify and manage a spectrum of risks. Consider
these ERM action items:
- Resolve to proactively manage risks, rather than react to them. Implementing ERM
  takes total commitment by management, as well as recognition by the board of its
  responsibility.
- Clarify the organization's risk philosophy. As discussed in the COSO ERM
  framework (Enterprise Risk Management - Integrated Framework), organizations
  need to know their risk capacity in terms of people capability and capital. The board
  and management must come to an understanding, factoring in the risk appetite of all
  significant stakeholders.
- Develop a strategy. Since risk relates to the events or actions that jeopardize achieving
  the organization's objectives, effective risk management depends on an understanding
  of the organization's strategy and goals. One of the benefits of ERM implementation
  is the revelation that those responsible for achieving the objectives have varying
  degrees of understanding about them. ERM helps get everyone on the same page.
- Think broadly and examine carefully events that may affect the organization's
  objectives. This involves taking your business and industry apart. Pore over your
  strategy, its key components and related objectives. Use a variety of identification
  techniques such as brainstorming, interviews, self-assessment, facilitated workshops,
  questionnaires and scenario analyses. In selecting among these techniques, consider
  how rigorously each business unit can implement them, and whether openness among the
  participants would result. Analyze how both external and internal events can change
  the organization's risk landscape. This initial effort does not have to take months to
  accomplish. Start with a top-down approach. Begin to identify risks through
  workshops or interviews with executive management and by focusing on strategies
  and related business objectives.
- Assess risks. Initially, try to reach a consensus on the impact and likelihood of each
  risk. Placing risks on a risk map can be a valuable focal point for further discussion.
  As the risk assessment process matures, consider applying more sophisticated risk
  measurement tools and techniques.
- Develop action plans and assign responsibilities. Every risk must have an owner
  somewhere in the organization. Manage the biggest risks first and gain some early
  wins.
- Maintain the flexibility to respond to new or unanticipated risks. Put a business
  continuity and crisis management plan into place. If your organization is in a volatile
  environment, you should anticipate even more unknowns.
- Use metrics to monitor the effectiveness of the risk management process where
  possible.
- Communicate the risks identified as critical. Circulate risk information throughout the
  organization. The board of directors and audit committee should be given regular
  reports on the key risks facing the organization. It is not acceptable to identify
  important risks and never communicate them to the appropriate people.
- Embed ERM into the culture. Integrate the knowledge of risks in your internal audit
  planning, balanced scorecards, budgets and performance management system.



a. Committee of Sponsoring Organizations ERM

The Committee of Sponsoring Organizations (COSO) is a body that provides thought leadership
through the development of comprehensive frameworks and guidance on enterprise risk
management, internal control and fraud deterrence, designed to improve organizational
performance and governance and to reduce the extent of fraud in organizations.

COSO has produced an ERM framework as the main guideline for implementing
ERM within an organisation. This framework defines essential components, suggests a
common language, and provides clear direction and guidance for ERM.

Entity objectives can be viewed in the context of four categories, as presented in the
table below:

Strategic
  Description: High-level goals, aligned with and supporting its mission.
  Types of risk:
  - Damage to reputation
  - Competition
  - Customer wants
  - Demographic and social/cultural trends
  - Technological innovations/patents
  - Capital investment
  - Shareholder requirements
  - Regulatory and political trends

Operational
  Description: Effective and efficient use of its resources.
  Types of risk:
  - Business operations (e.g., human resources, product development, capacity,
    efficiency, product/service failure, channel management, supply chain management,
    business cycles)
  - Empowerment (leadership, change willingness)
  - Information Technology

Financial/Reporting
  Description: Reliability of reporting.
  Types of risk:
  - Price (e.g., asset value, interest rate, foreign exchange)
  - Liquidity (cash flow, call risk, opportunity cost)
  - Credit (e.g., rating)
  - Inflation, purchasing power and basis financial risk (e.g., hedging)
  - Wrong or incomplete reporting (e.g., financial performance)
  - Information/business reporting (e.g., budgeting and planning, accounting,
    information, taxation)

Hazard/Compliance
  Description: Individual errors and compliance with applicable laws and regulations.
  Types of risk:
  - Fire and property damage
  - Windstorms and other natural phenomena
  - Theft and other crime, incl. personal injury
  - Business interruption
  - Liability claims
Table 3 - ERM Objectives' Categories and its Description

ERM considers activities at all levels of the organization:
- Enterprise level
- Division or subsidiary
- Business unit processes

The ERM framework requires management to consider how individual risks interrelate.
Management develops a portfolio view from two perspectives:
- Business unit level
- Entity level

There are eight components of the ERM framework, which are interrelated with each other.
Below is the list of components and a brief description of each.

Internal Environment
  - Establishes a philosophy regarding risk management. It recognizes that unexpected
    as well as expected events may occur.
  - Establishes the entity's risk culture.
  - Considers all other aspects of how the organization's actions may affect its risk
    culture.

Objective Setting
  - Is applied when management considers risk strategy in the setting of objectives.
  - Forms the risk appetite of the entity: a high-level view of how much risk
    management and the board are willing to accept.
  - Risk tolerance, the acceptable level of variation around objectives, is aligned with
    risk appetite.

Event Identification
  - Differentiates risks and opportunities.
  - Events that may have a negative impact represent risks.
  - Events that may have a positive impact represent natural offsets (opportunities),
    which management channels back to strategy setting.
  - Involves identifying those incidents, occurring internally or externally, that could
    affect strategy and achievement of objectives.
  - Addresses how internal and external factors combine and interact to influence the
    risk profile.

Risk Assessment
  - Allows an entity to understand the extent to which potential events might impact
    objectives.
  - Assesses risks from two perspectives: likelihood and impact.
  - Is used to assess risks and is normally also used to measure the related objectives.
  - Employs a combination of both qualitative and quantitative risk assessment
    methodologies.
  - Relates time horizons to objective horizons.
  - Assesses risk on both an inherent and a residual basis.

Risk Response
  - Identifies and evaluates possible responses to risk.
  - Evaluates options in relation to the entity's risk appetite, cost vs. benefit of
    potential risk responses, and the degree to which a response will reduce impact
    and/or likelihood.
  - Selects and executes a response based on evaluation of the portfolio of risks and
    responses.

Control Activities
  - Policies and procedures that help ensure that the risk responses, as well as other
    entity directives, are carried out.
  - Occur throughout the organization, at all levels and in all functions.
  - Include application and general information technology controls.

Information & Communication
  - Management identifies, captures, and communicates pertinent information in a form
    and timeframe that enables people to carry out their responsibilities.
  - Communication occurs in a broader sense, flowing down, across, and up the
    organization.

Monitoring
  - Effectiveness of the other ERM components is monitored through ongoing monitoring
    activities, separate evaluations, or a combination of the two.

Internal Control
  - A strong system of internal control is essential to effective enterprise risk
    management.
Table 4 - ERM Component's Description


27

b. Relationship of Objectives and Components

There is a direct relationship between objectives, which are what an entity strives to
achieve, and the enterprise risk management components, which represent what is needed
to achieve them. The relationship is depicted in a three-dimensional matrix, in the shape
of a cube, shown in figure as below.



Figure 2 - COSO ERM Framework

The four objective categories (strategic, operations, reporting, and compliance) are
represented by the vertical columns.
The eight components are represented by the horizontal rows.
The entity and its units are depicted by the third dimension of the cube.

c. Key Implementation Factors

Enterprise risk management is a procedure to minimize the adverse effect of a possible
financial loss by:
- Identifying potential sources of loss;
- Measuring the financial consequences of a loss occurring; and
- Using controls to minimize actual losses or their financial consequences.
The purpose of monitoring all risks is to increase the value of each single activity within
the company. The potential benefits and threats of all factors connected with these
activities have to be ordered and documented. If all employees are aware of the
importance of the risk management process, the probability of success increases and
failure becomes less likely.

Risk identification is not solely done by an individual. All relevant stakeholders are
involved to keep an eye on all risks that matter. Generally the risk identification sessions
should include as many of the following participants as possible:
- Risk management team
- Subject matter experts from other parts of the company
- Customers and end-users
- Other project managers and stakeholders
- Outside experts
- Project team
The participants may vary but the risk management team should always be involved
because they are dealing with the subject every day and therefore need fresh information
at any time. Outside stakeholders and experts could provide objective and unbiased
information for the risk identification step and are therefore an essential part of the
process.

Risk identification has to be done as a continuous process. If it is treated as a one-time
event, the whole company runs the risk of overlooking newly emerging problems. The
process starts in the initiation phase, where the first risks are identified. In the planning
stage the team determines risks and mitigation measures and documents them. In the
following stages of resource allocation, scheduling and budgeting, the associated reserve
planning is also documented.

After the initial phase of risk identification, all risks have to be managed until each risk is
closed or terminated. New risks will occur as the company moves on and matures and the
outer and inner environment of the company changes. In the case of the increased
probability of a risk or if the risk becomes real, it is time for the risk management team to
respond to it. The executives and managers have to think about the problem and develop
strategies to deal with its impact. All the re-planning actions can mean a change to the
baseline of budget, schedule and resource planning.

How the company will deal with risks has to be clearly defined in the early stages of
getting involved in ERM, then documented and executed appropriately during the
planning cycle.

4. Work Plan: Target Achievement of Objectives

Within the context of an entity's established mission or vision, Jabil's management
establishes strategic objectives, selects strategy, and sets aligned objectives cascading
through the enterprise.

a. Objectives

There are four categories of objectives. Jabil maps these objectives onto its business
perspectives as described below.

Strategic
- Achieving a 60% market share.
- Maintain technological in the industry.
Remarks: Risk may come as externalities and is beyond the control of management.

Operational
- Maintaining a defect rate of less than 0.1% of production.
- Achieving plant availability of 95%.
- Containing overtime hours to less than 2% of the total hours worked.

Reporting
- All internal controls personnel must be competent in financial reporting.
- Comply with the Sarbanes-Oxley Act (applicable to United States of America based
  companies).
Remarks: Risk management is highly dependent on the control of internal management.

Compliance
- Compliance with health and safety regulation.
- Compliance with hazardous materials regulation.
- Compliance with environmental protection, security laws, and civil laws.

Table 5 - Jabil's Objectives

This categorization of entity objectives allows a focus on separate aspects of enterprise
risk management. These distinct but overlapping categories (a particular objective can
fall into more than one category) address different entity needs and may be the direct
responsibility of different executives. This categorization also allows distinctions between
what can be expected from each category of objectives. Another category, safeguarding
of resources, used by some entities, is also described.

5. Work Plan: Components of ERM

Enterprise risk management consists of eight interrelated components. These are derived
from the way Jabil's management runs the enterprise and are integrated with the
management process.

a. Internal Environment

The internal environment is composed of the elements within the organization, including
current employees, management, and especially corporate culture, which defines
employee behaviour.
It encompasses the tone of an organization, influencing the risk consciousness of its
people, and is the basis for all other components of ERM, providing discipline and
structure. Internal environment factors include an entity's risk management philosophy;
its risk appetite; oversight by the board of directors; the integrity, ethical values, and
competence of the entity's people; and the way management assigns authority and
responsibility and organizes and develops its people.
COSO describes the internal environment as interrelated with the concept of "tone at
the top". According to COSO, the tone at the top plays a crucial role in creating the
control consciousness of an organization, one that is capable either of leading employees
to a higher ethical standard of conduct or of creating a breeding ground for fraudulent
activity. It is the ethical atmosphere that an organization's leadership creates in the
workplace. Whatever tone senior management sets has a direct impact on the employees
of the company.

The control environment, that is, the overall attitude, awareness, and actions of
directors and management regarding the internal control system and its importance to the
organization, is the key to setting the tone of the organization because it influences the
control consciousness of its people.
Concerning factors in the control environment of Jabil include:
- Integrity and ethical values communicated by executive management in speaking
  and writing and demonstrated by action.
- Responses to incentives and temptations, for example clear policies and actions that
  prohibit the acceptance of inappropriate gifts.
- Moral guidance, as communicated through a code of business conduct and ethics.
- A commitment to competence, as demonstrated by robust human resource policies
  and clear job descriptions for the purpose of hiring and retaining qualified people.
- A board of directors and audit committee that are engaged, ask questions, and take
  appropriate action.
- A management philosophy and operating style that place high value on risk
  assessment and internal control.
- A well-defined organizational structure that is appropriate to the company's size
  and complexity.
- Appropriate assignment of authority and responsibility, with well-defined
  authority and duties that are appropriately segregated to prevent or detect error
  and fraud.
- Human resource recruiting and retention policies and practices to ensure that
  human capital is valued.
- Ways to settle internal differences, such as a forum to discuss and settle
  differences of opinion between management and employees.

These factors have shaped the tone at the top and are reflected in Jabil's business
conduct (refer Appendix A). In addition, there are rules formulated for employees'
reference while conducting the whole organisation's business in the preferred way; this
set of rules is named the Jabil Rules of the Road (refer Appendix B).
Jabil always highlights the importance of business integrity. Thus, a mechanism is created
(refer Appendix C) to report any wrongdoing, such as potential violations of the law,
regulations, professional standards, policy, or the applicable Code of Ethics, that is
believed not to be handled properly. Such potential violations could include, but are not
limited to:
- Non-compliance with professional standards
- Unlawful discrimination
- Harassment
- Workplace violence
- Substance abuse
- Conflicts of interest
- Falsification of documents
- Inappropriate gifts and entertainment
- Inappropriate political activities and contributions
- Insider trading or other securities law violations
- Breaches of a client's or Jabil Circuit, Inc.'s confidentiality
- Inappropriate disposal of Jabil Circuit, Inc.'s documents
- Inappropriate personal use of Jabil Circuit, Inc.'s resources
- Theft
- Bribes and kickbacks
- Inappropriate client billings
- Inappropriate reporting of time or expenses
- Other potential violations of policies

i. Initiative Goal of ERM - Internal Environment

Some believe that the only way to correct issues related to the tone at the top is to
make personnel changes. Such measures may sometimes be warranted, but initiatives
such as education, frequent communication or even formal classroom training could be
a remedy as well, and in fact might accelerate the general adoption of a more ethical
corporate culture in an organization.
Leadership from the top of the organization is essential to maintain rigorous
internal control and make progress on ERM and fraud prevention. A growing
number of organizations are formalizing their antifraud programs. In addition,
external auditors are reviewing companies' antifraud controls and risk assessments
as part of their work.
All of these activities, when supported by the board and performed
conscientiously, set the right tone and help reduce the risk of fraud. Only by
setting the bar high will an ethical corporate culture be sustained.

On the other hand, the initiative goal of this component is to integrate ERM into the
culture and strategic decision-making processes of the organization.

b. Objective Setting

Objectives must exist before management can identify potential events affecting their
achievement. ERM ensures that management has in place a process to set objectives
and that the chosen objectives support and align with the entity's mission and are
consistent with its risk appetite.
Referring to Table 5 - Jabil's Objectives, the objectives of concern are listed under the
strategic and operational categories. They are:
1. Achieving a 60% market share.
2. Maintain technological in the industry.
3. Maintaining a defect rate of less than 0.1% of production.
4. Achieving plant availability of 95%.
5. Containing overtime hours to less than 2% of the total hours worked.

When objectives are stated clearly and understood by the participants, a brainstorming
session drawing on the creativity of the participants can be used to generate a list of
risks. In a well-facilitated brainstorming session, the participants are collaborators,
comprising a team that works together to articulate the risks that may be known by
some in the group. In the session, risks that are "known unknowns" may emerge, and
perhaps even some risks that were previously "unknown unknowns" may become
known.
Seeding, or providing participants with some form of stimulus on risks, is very
important in a brainstorming session. One possibility is to provide an event inventory
for the industry or a generic inventory of risks, as below.


Figure 3 - Industry Portfolio of Risks

In a brainstorming session or facilitated workshop, the goal is to reduce the event
inventory to those events relevant to the company and to define each risk specifically
for the company. Every participant has to fill in the risk identification survey template
(refer Appendix D).

i. Corporate Background

Some key risk-oriented characteristics of Jabil include:

Locations and Operations
The company has a headquarters office in the St. Petersburg, Florida, United States of
America area with a computer security development facility in San Jose, California, and
four product distribution centres in smaller-city locations in the United States, as well as
a distribution office in Belgium. In addition, the company has several hardware
manufacturing facilities in Asia and a software production and distribution facility in
India. All facilities are leased or licensed, and customer service functions have been
outsourced.

Management team
The company's CEO was originally the founder of the company. He and three senior
engineers are the only employees left over from the early days and its initial public stock
offering (IPO). Due to turnover often typical in the industry, most employees have fairly
short tenures. The CFO is quite new, as the prior officer was asked to resign because of a
Sarbanes-Oxley-related dispute with the audit committee. The company makes extensive
use of nonemployee contract workers. Reporting to the CAO, Global has a relatively
small internal audit department as well as a single general counsel.

Product description
Jabil developed an electronic product that consists of both a hardware device plugged in
to a user's computer along with software drivers. The hardware device consists of a
plug-in card based primarily on standard hardware chips along with some embedded
programming. The software is based on proprietary algorithms. Elements of the product
design are protected by patents, although these rights have been both challenged in
courts and also somewhat copied by some competitors.

Marketing
Jabil's product is marketed by advertisements in professional publications as well as
through a team of sales representatives. On a worldwide basis, 80% of sales are to
individuals, with the balance to smaller businesses. The United States accounts for about
75% of product sales, with the balance from Europe. There is also a small but growing
segment of sales in Brazil, where an independent agent is distributing the product. Jabil
ships products from its distribution centres direct to computer equipment retailers as
well as shipping to individual customers, based on their Internet, mail, or telephone
orders.

Sales and finances
Jabil's $2.4 billion in sales is split into the following categories:
- Consumer cash sales through credit card purchases: 41.0%
- Sales to wholesale distributors: 23.4%
- Export sales to agents: 12.7%
- Licensing fees and royalties: 4.9%

Table 6 - Key Risk-Oriented Characteristics of Jabil

Jabil is a public company, traded on NASDAQ. With its stock broadly distributed,
private equity venture capitalists hold 12% of the shares, and management holds
3%. Long-term debt totals $450 million, with the majority of that based on
debentures sold to the venture capital investors. That debenture issue included
warrants that could be converted into a substantial block of common stock.

ii. Corporate Risk Summary

These risks often cross the lines of the COSO ERM cube. They should just be
considered risks that impact the enterprise.

Organization strategic risks that could impact the effectiveness of products or
operations
- Changes in technology that impact the effectiveness of company products
- A currency crisis at one or another of the international operations countries causing
  major operations problems
- Increased tariffs or import/export regulations
- A major weather disturbance, such as a tornado, or military actions
- New competitors offering attractive alternative products
- Interest rate increases or other factors limiting the ability to finance expansion
- The failure of a key customer or vendor

Company operations risks
- A computer system or network failure at one or several locations
- The unexpected resignation of a key management or technical senior manager
- Labour unrest or related problems at one or another facility
- The failure to complete several key planned information systems upgrades
- Product licensing disputes and resulting litigation
- The failure of an ISO or some other standards audit
- A major loss in stock market capitalization value due to reported operating losses or
  other negative information

Financial and operational reporting risks
- Significant internal control weaknesses identified through a SOx Section 404 review
- Failure of one or another subsidiary unit to secure a "clean" external audit opinion
- Errors in individual unit financial or operations reports that are not readily detected
  at headquarters
- Service support reporting weaknesses

Compliance risks
- Financial reporting errors or missed reports
- Compliance reporting failures at any level of local or national operations
- Failure to establish appropriate company-wide ethical and financial reporting
  compliance standards
- Failure to meet product quality standards

Table 7 - Corporate Risk Summary

iii. Jabils Mission Statement

Jabil is one of the leading worldwide suppliers of electronic devices. With strong
attention given to computer security risks and threats, we strive to offer one of the
most secure but easy-to-use combined software and hardware products in today's
marketplace.
In order to build our products and market them in ever-expanding circles, we will
assemble a worldwide team of superior computer security technical talent to
produce our products while selling them in an efficient and ethical manner. We
will continue to monitor our strategic and operational risks in this complex and
ever-changing world of computer security risks and threats.


iv. COSO ERM Risk Objective Setting Components


Figure 4 - Components of Objective Setting

c. Event Identification

Events are incidents or occurrences, external or internal to the organization, that
affect the implementation of the ERM strategy or the achievement of its objectives.

There is a strong level of performance monitoring taking place in many organizations
today, but that monitoring process tends to emphasize such matters as costs, budgets,
quality assurance compliance, and the like (Moeller, Robert R., 2007). The ERM risk
objectives can become lost in this process of monitoring more operational and
process-oriented objectives. Organizations usually have strong processes to monitor
such events as favourable and particularly unfavourable budget variances, but often
do not regularly monitor either the actual events or the influencing factors that are the
drivers of such budget variance events.

The COSO ERM executive summary framework documentation lists a series of the
types of influencing factors that should be part of the framework's event identification
component, including:
External economic events
There is a wide range of external events that need to be monitored in order to help
achieve an organization's ERM objectives. Ongoing short- and long-term trends may
impact some elements of an organization's strategic objectives and thus have an impact
on its overall ERM framework.
For example, in December 2011, after some ongoing currency market turmoil, the USA
declared a major default of its public debt. This type of external event had a major impact
on many enterprises in many different areas, whether they were credit markets or
suppliers of agricultural commodities, or had other business dealings in the USA.

Natural environmental events
Fire, flood, earthquakes and numerous other events can be identified as incidents in
ERM risk identification. Impacts here may include loss of access to some key raw
material, damage to physical facilities, or unavailability of personnel.

Political events
New laws and regulations as well as the results of elections can have a significant risk
event-related impact on organizations. Many larger enterprises have a government affairs
function that reviews developments here and lobbies for changes.

Social factors
While an external event such as an earthquake is sudden and arrives with little warning,
most social-factor changes are slowly evolving events. These include demographic
changes, social mores, and other events that may impact an organization and its
customers over time. The growth of the Hispanic population in the United States is such
an example. As more and more Hispanic people move to a city, for example, both the
language-related teaching requirements in public schools and the mix of selections in
grocery stores will change. As another example of societal change, the previously
referenced dismissal of a major corporation CEO for a consensual sexual relationship
with another company employee would probably have been ignored in another era.
Changing social mores today led to that dismissal.

Internal infrastructure events
Organizations often make benign changes that trigger other risk-related events. For
example, a change in customer service arrangements can cause major complaints and a
drop in customer satisfaction. Strong customer demand for a new product may cause
changes in plant capacity requirements and the need for additional personnel.

Internal process-related events
Changes in key processes can trigger a wide range of risk identification events. As with
many such items, risk identification may not be immediate, and some time may pass
before the process-related events signal the need for risk identification.

External and internal technological events
There is a wide assortment of ongoing technological events that will trigger the need for
formal risk identification. The Internet and the World Wide Web have been with us for
some time, and the shift to an Internet environment has been somewhat gradual for
many. In other cases, a company may suddenly release a new improvement that causes
competitors everywhere to jump into action.

An organization needs to clearly define what it considers significant risk events and
then should have processes in place to monitor all of those various potentially
significant risk events such that the organization can take appropriate actions.


d. Risk Assessment, Response, and Control Activities

The first step in developing a comprehensive service continuity strategy is to identify
the risks that can lead to disruption of operations. Two factors are considered in
developing a Risk Assessment Matrix:
- Likelihood of occurrence
- Potential impact on operations if the event occurs
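The following is an added worked example of the likelihood-by-impact matrix described above, scored on both an inherent and a residual basis (as Table 4 requires) and checked against a risk appetite threshold. It is not code from the assignment or from any Jabil system: the 1 to 5 scales, the rating bands, the appetite value and every score in the sample register are constructed assumptions, and only the risk names are taken from the categories of Table 7.

```python
"""Likelihood x impact risk assessment matrix with inherent and residual ratings.

Added worked example; it is not part of the assignment or of any Jabil system.
The 1..5 scales, the rating bands, the risk appetite threshold and every sample
score below are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Ordinal 1..5 scales for the two factors of the matrix (assumed labels).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Rating bands over the product likelihood * impact (1..25); assumed cut-offs.
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Extreme")]

# Risk appetite expressed as the highest residual score management accepts
# without a further response (assumed value).
RISK_APPETITE = 9


def score(likelihood: int, impact: int) -> int:
    """Matrix cell value for one likelihood/impact pair."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers on the 1..5 scale")
    return likelihood * impact


def band(s: int) -> str:
    """Qualitative rating for a matrix score."""
    for lo, hi, name in BANDS:
        if lo <= s <= hi:
            return name
    raise ValueError(f"score {s} is outside the 1..25 matrix")


@dataclass
class Risk:
    name: str
    category: str
    inherent_likelihood: int   # rating before any control is considered
    inherent_impact: int
    residual_likelihood: int   # rating after the controls already in place
    residual_impact: int

    def __post_init__(self) -> None:
        # A control can only lower likelihood or impact, so a residual rating
        # above the inherent one is an inconsistent assessment and is rejected.
        if (self.residual_likelihood > self.inherent_likelihood
                or self.residual_impact > self.inherent_impact):
            raise ValueError(f"{self.name}: residual rating exceeds inherent rating")
        score(self.inherent_likelihood, self.inherent_impact)   # scale checks
        score(self.residual_likelihood, self.residual_impact)

    def inherent(self) -> int:
        return score(self.inherent_likelihood, self.inherent_impact)

    def residual(self) -> int:
        return score(self.residual_likelihood, self.residual_impact)

    def needs_response(self) -> bool:
        """True when existing controls leave the risk above the appetite."""
        return self.residual() > RISK_APPETITE


def consistent(*args) -> bool:
    """True if the ratings form a valid Risk, False if the scoring is rejected."""
    try:
        Risk(*args)
        return True
    except ValueError:
        return False


def assess(risks):
    """One row per risk, highest residual score first, so the register reads
    top-down in the order the risk response step should take them."""
    rows = []
    for r in risks:
        rows.append({
            "name": r.name, "category": r.category,
            "inherent": r.inherent(), "inherent_band": band(r.inherent()),
            "residual": r.residual(), "residual_band": band(r.residual()),
            "respond": r.needs_response(),
        })
    rows.sort(key=lambda row: (-row["residual"], -row["inherent"], row["name"]))
    return rows


def heat_map(risks):
    """Count of risks per residual (likelihood, impact) cell of the 5x5 grid."""
    grid = {}
    for r in risks:
        cell = (r.residual_likelihood, r.residual_impact)
        grid[cell] = grid.get(cell, 0) + 1
    return grid


# Constructed sample register: the names follow the categories of Table 7,
# the ratings are invented for the example.
SAMPLE_RISKS = [
    Risk("A computer system or network failure at one or several locations",
         "Operations", 4, 4, 2, 4),
    Risk("Significant internal control weaknesses identified through a SOx Section 404 review",
         "Reporting", 3, 5, 2, 3),
    Risk("Labour unrest or related problems at a facility", "Operations", 2, 3, 2, 2),
    Risk("New competitors offering attractive alternative products", "Strategic", 4, 3, 4, 3),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        flag = "RESPOND" if row["respond"] else "accept"
        print(f"residual {row['residual']:>2} {row['residual_band']:<8} "
              f"(inherent {row['inherent']:>2} {row['inherent_band']:<8}) "
              f"{flag:<7} {row['name']}")
```

The point the numbers make is the one Table 4 draws: the network-failure risk is rated Extreme inherently but drops to Medium once existing controls are counted, so it falls inside the assumed appetite, while the competitor risk has no control reducing it and stays above the appetite, which is what pushes it to the Risk Response step. The residual-above-inherent check catches the commonest scoring error in workshop output before it reaches the register.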

i. Planning

The following tasks are necessary.

1. Develop the work plan and assign responsibilities for completing tasks.
   Assignment: Information Technology Manager
2. Introduce the team to business continuity plan concepts, processes and tools.
   Assignment: Information Technology Manager
3. Review the inventory of assets and resources to verify completeness.
   Assignment: Information Technology Manager, System Administrator, Network
   Administrator, Business Analyst
4. Use existing information to prepare the department's Security Profile.
   Assignment: Information Technology Manager
5. Identify threats to assets and resources.
   Assignment: Information Technology Manager
6. Define the process for keeping the plan current.
   Assignment: Information Technology Manager, System Administrator, Network
   Administrator, Business Analyst

Table 8 - Risk Assessment Planning Tasks

ii. Required Systems

Applications and databases used at the Jabil Penang site are owned by the following
management team:
- General Manager
- Engineering Manager
- Manufacturing Manager
- Materials Manager
- Continuous Improvement Manager
- Financial Controller
- Human Resources Manager
- Information Technology Manager
Criticality Rating:
1 - The site cannot function without the system.
2 - The site can function partially without the system.
3 - The site can function fully without the system.

System Name | Description | Criticality | Owner
Agile | 3rd party application for document management and approval | 1 | Engineering Manager
Agilent 5DX - Ray | Operating software to verify pass/fail of PCBAs | 2 | Engineering Manager
AMW (Assembly Maintenance Wizard) | MES QM material and checkpoint configuration tool. Process verification, assembly material verification and checkpoint configuration tool for TARS, CIQ and Manual Test Entry. | 2 | Engineering Manager
Auto Cad | Draft and design software, used primarily for customer CAD data | 3 | Engineering Manager
BGA Repair | Profile generation for removing, placing, or reflowing surface mounted components | 2 | Engineering Manager
BRIO | 3rd party web front-end module for processing quality data entered into MES by CIQ. Need to find out if it is still being used. | 3 | Engineering Manager
Gagetrack | Calibration reporting system. Data entry system for entering, storing, and reporting calibration of all required gauges and equipment | 2 | Engineering Manager
CIMbridge | Creation of visual aids | 2 | Engineering Manager
Cuteftp | Accessing FTP sites for transfer of customer documents | 3 | Engineering Manager
DR (Dynamic Replenishment) | | 2 | Materials Manager
Scrubbing Tool - Citrix access | BOM scrubbing tool | 3 | Engineering Manager
IRIS - Citrix access | Golden BOM creation | 2 | Engineering Manager
Agile BOM - Citrix access | Golden BOM creation | 2 | Engineering Manager
Router Solutions | 3rd party application for translating CAD data / reviewing BOM info / translating CAD data | 3 | Engineering Manager
Package Inspector | 3rd party application for looking at PDX packages | 3 | Engineering Manager
Agile Express | 3rd party application for looking at PDX packages | 3 | Engineering Manager
Blue Beam | 3rd party application for creating PDF documents | 3 | Engineering Manager
WinRar | 3rd party application for file compression and extraction | 3 | Engineering Manager
WinZip | 3rd party application for file compression and extraction | 3 | Engineering Manager
ESS (Employee Suggestion Scheme) | Application and database to enter process improvement suggestions | 3 | General Manager
Exceed | 3rd party application for accessing UNIX systems | 2 | Engineering Manager
Fabmaster | CAM CAD tool, used by Test Engineering | 3 | Engineering Manager
First Windows | Finance application | 2 | Financial Controller
Heel Strap Testing - CT8900 | Data entry system for recording and reporting employee testing of heel and wrist straps for ESD purposes | 3 | Engineering Manager
HR Database | Application and database storing employee certification records, dates and frequency | 3 | Human Resource Manager
JAFFA | Feeder maintenance application | 3 | Engineering Manager
JEDI | Manufacturing application to view documents stored in Agile | 2 | Engineering Manager
JOS (Jabil Operating System) | Management system used to drive improvement activities | 3 | Manufacturing Manager
JOS Metrics | Application to correlate plant metrics | 2 | General Manager
Knowledge Pathways | Online training | 3 | Human Resource Manager
Loftware (Label Management) | Label management | 1 | Engineering Manager
MES | Manufacturing Execution System for | 1 | Engineering Manager
MES Reports | Reporting system for MES | 2 | Engineering Manager
Report Builder | Reporting tool for MES | 2 | Engineering Manager
EPS | Packout control system to prevent untested / failed product from shipping | 2 | Engineering Manager
Microsoft Office | Outlook, Word, Excel, PowerPoint, Visio, Access | 2 | General Manager
MPC (Management Planning & Control) | Forecasting application | 3 | Financial Controller
Olives | Visitor login system | 3 | Human Resource Manager
PLR (5DX software) | Application to translate 5DX tester output | 3 | Engineering Manager
Pointsec | Encryption software for laptops | 3 | Information Technology Manager
QNET | Document control system | 2 | Engineering Manager
SAP | Material resource planning software | 1 | Material Manager
SAT | Sourcing application | 2 | Material Manager
SBA (Shipping Billing and Authorisation) | Web application to authorize material for shipment | 2 | Material Manager
Softscape | Employee appraisal system | 3 | Human Resource Manager
SIS | Supplier Information System | 2 | Material Manager
SPS | Supplier Performance System (scorecards) | 3 | Material Manager
SVS | SPC / charting. Need more information; is it still being used? | 3 | Material Manager
Axi to TARS | Converts AXI records to TARS-suitable records | 3 | Engineering Manager
Manual Test Entry | Manual test entry station for non-networked test systems | 3 | Engineering Manager
CIQ (Computer Integrated Quality) | Manual test entry station for non-networked test systems | 1 | Engineering Manager
TARWIZ | TARS Reporting Wizard | 2 | Engineering Manager
VB TARS | Used for diagnosing and recording repairs to product | 1 | Engineering Manager
VB TARS RMA | Used for entering returned material back into the TARS database | 1 | Engineering Manager
Time & Attendance | Stores clock entry data, holiday/absence requests | 2 | Human Resource Manager
Universal GSM | Placement check for X, Y, and rotation data based on classification | 2 | Engineering Manager
Universal HSP | Placement check for X, Y, and rotation data based on classification | 2 | Engineering Manager
Vidifax | Supplier fax solution | 2 | Material Manager
Valor | CAM CAD tool, used for BOM comparisons, machine programming, set up sheets, etc. | 2 | Engineering Manager
Vitronics Oven | Oven temperature control / SPC / charting | 2 | Engineering Manager
Waterfall Schedule Planning | Excel-based VB planning tool with SQL database | 2 | Material Manager
Web Plan / Rapid Response | Material reporting tool used for planning and by the business unit for making business decisions. | 2 | Material Manager
Table 9 - Required Systems

iii. Unique Assets

The table below details the equipment and assets used at the Jabil Penang site.
Criticality Rating:
1 - The site cannot function without the asset
2 - The site can function partially without the asset.
3 - The site can function fully without the asset.

Asset Description | Asset Serial # | Detail | Role | Vendor | Criticality
PROLIANT DL360 | 7J14FXX1SK01 | PENTRM01A | Terminal Server | HP | 2
PROLIANT DL360 | 7J14FXX1SK02 | PENTRM01B | Terminal Server | | 2
PROLIANT DL360 G3 | 7J34KYD11018 | PENTRM01C | Terminal Server | | 2
PROLIANT DL360 | 7J19FXK1A020 | PENTRM01D | Terminal Server | | 2
PROLIANT DL360 G3 | J17NKYD11D | PENTRM01E | Terminal Server | | 2
PROLIANT DL360 G3 | 7J34KYD1101M | PENTRM01G | Terminal Server | | 2
PROLIANT DL360 G4 | GBJ51103XG | PENTRM01T | Terminal Server | | 2
PROLIANT DL380 | 8145FSB11151 | PENMFG01 | SQL Server | | 2
PROLIANT DL365 G1 | GB8721FHR8 | PENCMP10 | Com + | | 1
PROLIANT DL365 G1 | GB8725KBNL | PENCMP11 | Com + | | 1
PROLIANT DL365 G1 | GB8721FHMB | PENJAFN10A | JAF Server | | 1
PROLIANT DL365 G1 | GB8721FHNP | PENJAFN10B | JAF Server | | 1
Desktop | | PENDEV01 | Development SQL Server | | 3
Desktop | | PENDEVTEST01 | Development SQL Server | | 3
PROLIANT DL380 G4 | GB84512PAJ | PENSQL06 | Site SQL Server | | 1
PROLIANT DL380 G4 | GB8527DA8D | PENSQL08 | Site SQL Server | | 1
PROLIANT DL320 G2 | J03MKVJB3N | PENPRS10 | Parser | | 1
PROLIANT DL320 G2 | J050KVJB3N | PENPRS11 | Parser | | 1
PROLIANT DL320 G2 | J04NKVJB3N | PENPRS12 | Parser | | 1
PROLIANT DL320 G4 | GBJ61200EL | PENPRS13 | Parser | | 1
PROLIANT DL320 G4 | GBJ61602M9 | PENPRS14 | Parser | | 1
DESKTOP | 8139JYGZ014R | PEN1IT100 | Pointsec Server | | 3
PROLIANT 5500 | 8945CQW300240 | PENFILE01 | File Server | | 1
PROLIANT DL320 G2 | 7J37KVJ6M032 | PENMRP02 | MRP Download / Thinclient Server | | 1
PROLIANT DL360 G4 | GBJ506003F | PENNCU10 | NCU Server | | 1
PROLIANT 1850R | 8906CFW10220 | PENNCU11 | T&A Clocks System | | 2
PROLIANT DL380 G2 | D205FRW1M008 | PENOPU01 | Oputils Server | | 3
PROLIANT DL320 G2 | J03YKVJ61P | PENPRNT02 | Print Server | | 1
PROLIANT DL320 G2 | J03TKVJ61P | PENPRT01 | Print Server | | 1
PROLIANT DL380 G4 | GB8606XPD5 | PENSMS02 | SMS Server | | 2
PROLIANT DL380 G4 | GB80442AMP | PENVALOR01 | Valor Server | | 2
DESKTOP | 8010CKH61502 | PENVIDI01 | VidiFax Server | | 2
PROLIANT DL320 G2 | J04PKVJB3H | PENWEB01 | Web Server | | 3
PROLIANT DL320 G2 | 7J37KVJ6M066 | PENWSUS01 | WSUS Server | | 3
PROLIANT DL380 G4 | GB86339N2X6 | PENTEAPP05 | TE Server | | 2
PROLIANT ML370 | 8030DKJ11022 | PENTEAPP01 | TE Server | | 2
PROLIANT DL360 G4p | GB8627CPDR | PENFAB10 | Fabmaster Server | | 2
PROLIANT DL360 G5 | GB8725KBJ8 | PENFAB11 | Fabview Server | | 2
PROLIANT DL580 | D112DYT1K025 | PENFAB01 | Old Fabmaster Server | | 3
HP9000 | | CLHP68 | | | 3
HP9000 | | CLHP69 | | | 3
C240 | | CLHP90 | | | 3
C240 | | CLHP96 | | | 3
Desktop | | PEN3070filea | | | 3
Desktop | | PEN3070fileb | | | 3
 | | PENteapp03 | TE Server | | 3
Compaq Deskpro | | PENteapp04 | TE Server | | 3
PBX 1 (Power Module, Fibre Receiver Card, RAN / PAG Card (Music), 6 x Digital Card, 3 x Analogue Card) | | | Telecoms exchange | Telekom Malaysia | 1
PBX 2 (Power Module, Fibre Receiver Card, 3 x Analogue Card, 7 x Digital Card, RAN / PAG Card (Music)) | | | Telecoms exchange | | 1
PBX 3 (Power Module, Controller Card, 2 x PIR Card, PRI Card "Undocked", Voice GTW Card, Analogue Card, 4 x Digital Card, Mail Module) | | | Telecoms exchange | | 1
PBX 4
- Power Module
- Fibre Receiver
Card
- 2 x Analogue Card
- 5 x Digital Card

Telecoms
exchange

1
Nortel Signalling
Server Elan:
10.228.4.5
Tlan: 10.228.4.37


1
APC SmartUPS RT
3000VA double
conversion on-line

UPS units for
comms rooms

RMD
CARSE
BRIDG
1

61

Asset Description Asset Serial # Detail Role Vendor Criticality
UPS E
Cisco 2600 Router CISCO2651 JMX0603K0H0 Cisco 2600
Router
Dimensi
on Data

1
Comp Room Switch WS-C2948G FOX05450EEZ Comp Room
Switch
1
Comms A 4000
switch
WS-X4013 JAB052505ZH Comms A
4000 switch
1
Comms A 10/100 48
port RJ45
WS-X4148-
RJ45V
JAB0529076S Comms A
10/100 48
port RJ45
1
Comms A 10/100 48
port RJ45
WS-X4148-
RJ45V
JAB052907DZ Comms A
10/100 48
port RJ45
1
Comms A 10/100 48
port RJ45
WS-X4148-
RJ45V
JAB052907DV Comms A
10/100 48
port RJ45
1
Comms A 10/100 48
port RJ45
WS-X4148-RJ JAB054106V8 Comms A
10/100 48
port RJ45
1
Comms B Switch WS-C2948G FOX05450EF4 Comms B
Switch
1
Comms D Switch WS-C2948G FOX05450EF9 Comms D
Switch
1
Comms D Switch WS-C2948G FOX05450EGB Comms D
Switch
1
Comp Room 6509
chassis
WS-C6509 SCA055200LS Comp Room
6509 chassis
1
Comp Room 6509
Policy Feature Card
WS-F6K-PFC2 SAD054302BW Comp Room
6509 Policy
Feature Card
1
Comp Room 6509
GBIC card
WS-X6416-GBIC SAL0551FJQY
Comp Room
6509 GBIC
1

62

Asset Description Asset Serial # Detail Role Vendor Criticality
card
Comp Room 6509
supervisor card
WS-X6K-SUP2-
2GE
SAD054604AZ Comp Room
6509
supervisor
card
1
Comp Room 6509
10/100 48 PORT rj45
WS-X6348-RJ-45 SAL0552FQZ6 Comp Room
6509 10/100
48 PORT
rj45
1
Comp Room 6509
10/100/1000 48
PORT rj45
WS-X6148-GE-
TX
SAL09264KML Comp Room
6509
10/100/1000
48 PORT
rj45
1
Comp Room 6509
10/100/1000 48
PORT rj45
WS-X6148-GE-
TX
SAL092642L0 Comp Room
6509
10/100/1000
48 PORT
rj45
1
RDC 6509 Chassis WS-6509 SCA0552200LV RDC 6509
Chassis
1
RDC 6509 Policy
Feature Card
WS-F6K-PFC2 SAD055104A9 RDC 6509
Policy
Feature Card
1
RDC 6509 10/100 48
PORT rj45
WS-X6348-RJ-45 SAL0552FQUD RDC 6509
10/100 48
PORT rj45
1
RDC 6509 GBIC
card
WS-X6416-GBIC SAL0551FJP2 RDC 6509
GBIC card
1
RDC 6509 supervisor
card
WS-X6K-SUP2-
2GE
SAD055101C1 RDC 6509
supervisor
card
1
RDC 3560G WS-C3560G-
48PS
FOC1108Y06G
RDC 3560G
1

63

Asset Description Asset Serial # Detail Role Vendor Criticality
Portakabin 4000
series
WS-X4013 JAB052505KJ Portakabin
4000 series
1
Portakabin 4000
series 10/100 48 Port
rj45
WS-X4148-RJ JAB052908BQ Portakabin
4000 series
10/100 48
Port rj45
1
Portakabin 4000
series 10/100 48 Port
rj45
WS-X4148-RJ JAB052908CA Portakabin
4000 series
10/100 48
Port rj45
1
Computer Room
3560G
WS-C3560G-
48PS
FOC1108Y117 Computer
Room
3560G
1
Customer broadband
switch
WS-C1924-EN FAB0324T04K Customer
broadband
switch
1
Catalyst 2900XL
24x10/100
WS-C2924C-XL FAA0305H0HE Catalyst
2900XL
24x10/100
1
Catalyst 2900XL
24x10/100
WS-C2924-XL-
EN
F0C0534Y0Y4 Catalyst
2900XL
24x10/100
1
RDC 4006 WS-X4013 JAB053905LV RDC 4006 1
RDC 4006 WS-X4148-RJ JAB054106VL RDC 4006 1
RDC 4006 WS-X4548-GB-
RJ45
JAE0944PEFW
RDC 4006
1
shop floor switch WS-C1924-EN FAB031730TQ shop floor
switch
1
shop floor switch WS-C1924-EN FAB04083DHQ shop floor
switch
1
shop floor switch WS-C1924-A FAA0307G0XC shop floor
switch
1

64

Asset Description Asset Serial # Detail Role Vendor Criticality
shop floor switch WS-C1924-A FAB0346V0M0 shop floor
switch
1
shop floor switch WS-C1924-A FAB0401U0SX shop floor
switch
1
shop floor switch WS-C2924XL FOC0535Y07U shop floor
switch
1
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16671 INACCESSABL
E 24 port hub
2
24 port hub 3C16441 24 port hub 2

65

Asset Description Asset Serial # Detail Role Vendor Criticality
24 port hub 3C16441 INACCESSABL
E 24 port hub
2
24 port hub 3C16441 INACCESSABL
E 24 port hub
2
24 port hub 3C16441 MISSING 24 port hub 2
24 port hub 3C16441 INACCESSABL
E 24 port hub
2
24 port hub 3C16450 INACCESSABL
E 24 port hub
2
12 port switch 3C16920 12 port
switch
2
Aironet 1200 access
point
AIR-AP1220B-E-
K9
FHK0731K2Q6 Aironet 1200
access point
1
Aironet 1200 access
point
AIR-AP1220B-E-
K9
FHK0731K2QB Aironet 1200
access point
1
Aironet 1200 access
point
AIR-AP1220B-E-
K9
FHK0837K0BS Aironet 1200
access point
1
Aironet 1200 access
point
AIR-AP1220B-E-
K9
FHK0837K0BX Aironet 1200
access point
1
Aironet 1200 access
point
AIR-AP1242AG-
E-K9
FCZ095380BD Aironet 1200
access point
1
Aironet 1200 access
point
AIR-AP1220B-E-
K9
FHK0731K2QN Aironet 1200
access point
1
Aironet 1200 access
point
AIR-AP1220B-E-
K9
FHK0731K2QK Aironet 1200
access point
1
Aironet 1200 access
point
AIR-AP1220B-E-
K9
FHK0731K2QD Aironet 1200
access point
1
Aironet 1200 access
point
AIR-AP1242AG-
E-K9
FCZ101381UB Aironet 1200
access point
1
Aironet 1200 access
point
AIR-AP1231G-E-
K9
FCZ0924Z117 Aironet 1200
access point
1

66

Asset Description Asset Serial # Detail Role Vendor Criticality
CISCO WS-C3750-
48TS
WS-C3750-48TS CAT09451AJX CISCO WS-
C3750-48TS
1
CISCO WS-C3750-
48TS (spare)
WS-C3750-48TS CAT09451AF4 CISCO WS-
C3750-48TS
(spare)
1
Aironet 1200 access
point
AIR-AP1220B-E-
K9
FHK0837K0AT Aironet 1200
access point
1
Aironet 1200 access
point
AIR-AP1242AG-
E-K9
FCZ095380BG Aironet 1200
access point
1
16-port async access
server
AS2511-RJ 250736186 16-port async
access server
1
Cisco 2600 Router CISCO2611 SHN0243012X Cisco 2600
Router
1
Cisco 2600 Router CISCO2611 JAC0435A301 Cisco 2600
Router
1
Cisco 2500 Router CISCO2511 250915420 Cisco 2500
Router
1
Table 10 - Unique Assets

iv. Security Profile

The table below details, for each of the assets and resources included in the unique
asset section, the potential impact of loss of the resource.
Criticality Rating:
1 - The site cannot function without the resource: high impact.
2 - The site can function partially without the resource: medium impact.
3 - The site can function fully without the resource: low impact.



Assets and resources N/A Low Medium High
Terminal services
File services
Database services
Web services
Print services
Parsers
Encryption services
Test Engineering services
Faxing services
Development services
WAN
LAN
Customer networks
Telecommunication services
Table 11 - Security Profile


v. Threat Identification and Resource Requirements for Business Continuity

The table below highlights potential threats, risks, risk controls (resource
requirements) and any conclusions, along with the estimated costs associated with the
threat.
Low Cost: MYR0 - MYR12500
Medium Cost: MYR12500 - MYR50000
High Cost: >MYR50000

Power Failure | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

Risk:
a) The main incoming power supply comes from two 11 kV feeder cables on
the same ring. The supply enters the site via the rail bridge.

Risk controls:
- The site infrastructure has a UPS backup system.
- There is a Megastream connection to other plants.
- Data is backed up and stored in an offsite data vault.

Conclusions:
A new switching arrangement has been approved by Malaysian Power, whereby in
the event of a power failure Jabil Penang will be fed from another source.
Aircraft | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

Risk:
The plant is situated approx. 3 km from Bayan Lepas airport.
Wind | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

The Penang site is in a fairly exposed location and is therefore exposed to the
natural weather elements. However, the area is not normally subject to
hurricane-force winds.
Risk:
a) High wind is unlikely to affect the building but could damage the electrical
supply cables to the Penang area.
b) High winds may disrupt road traffic and employee travel arrangements but
should not compromise production.

Bomb threat & sabotage, Civil insurrection | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

The situation is stable at the present time; however, there is some risk in all
companies of disgruntled ex-employees seeking retribution against their former
employer. There is also a level of risk considering the current climate of terrorist
attacks.
Risk controls:
Closed-circuit television. Security procedures and regular internal and external
patrols should identify any would-be perpetrators.
Fire | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

The risk of fire on the site has reduced considerably with the introduction of the no
smoking policy. Other areas of risk are the kitchen, and the ovens and wave soldering
machines in the main production area.
Risk Controls:
- Fire fighting appliances to BS 5306, BS 5423, and BS EN 3. These are
maintained and serviced by a BAFE registered company.
- Sprinkler system installed throughout the building.
- The fire detection and emergency lighting systems conform to BS 5446.
- RedCare alarm system installed, linked to the local fire brigade.
- A basic fire fighting training programme has been identified.
- Regular evacuation drills are carried out.
- Jabil Penang complies with the Fire Services Act 1988 (Malaysia) and has
a current fire certificate.
- The Jabil Penang Facilities department retains the test records.

Conclusions
Jabil Penang believes all necessary steps have been taken to mitigate and reduce
risk.
Flood | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

The Jabil Penang site is considered safe because of Penang's small island terrain.
Therefore there is no risk of high water flood.
There is a risk of accidental spillage from internal water and fire prevention systems,
but this risk is minimised through maintenance routines.
Water Supply | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

Although there are no means of monitoring the quality of the incoming water, the
water board charter states that they will maintain the water supply at agreed
levels of purity and pH.
The water reserve tank should supply hygiene services for two days should the
supplies be disrupted.
A consideration for the future would be a water recycling process, by installing a
de-ionized water system.
Gas Supply | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

Jabil Penang has a twin gas governor arrangement, so no interruptions are
experienced during routine maintenance operations.
Petronas provides the gas supply pipeline, with emergency support 24 hours a day,
7 days a week, 365 days a year.
Land Subsidence | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

Land subsidence is considered a very low risk:
a) A full geotechnical site investigation was carried out prior to Jabil
purchasing the land; this did not highlight any significant future risk of
subsidence.
b) There is no history of subsidence within the site and its surrounding
boundaries.

Hazardous material release | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

The main risk surrounds the liquid nitrogen storage tanks and their replenishment:
- Storage vessels and associated pipe work are under a maintenance contract.
- Delivery drivers and key Jabil Penang employees are aware of the emergency
procedures.
- No significant incidents within the history of the Jabil Penang site.

Transportation | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

There is no history of any significant transportation incidents at the Jabil Penang site.
However, the second Penang bridge is currently under construction, towards the
main road to the Penang site. Consideration by the local authorities to improve the
transport infrastructure will take place in the event that Jabil Penang applies to
expand the site.
Food Poisoning | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

No incident of food poisoning has been recorded in the Jabil Penang site. The
catering company that operates on site has very high hygiene and health and safety
standards and adheres to various regulatory requirements.
Contagious Diseases | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

In the event that a contagious disease or symptoms are discovered, Jabil Penang
site is located less than 10 minutes from Hospital Pantai to allow quick diagnosis.
Jabil maintains a Global Contagious Disease Contingency Plan.
Wide Area Network (WAN) Circuit | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

Risk:
Jabil Penang has network circuit connections to Global Crossing and Sprint. The
two connections provide resilience and redundancy. The main risk resides with
the last mile of both the Global Crossing and Sprint cable runs. The last mile for
both circuits runs from the local exchange to the Jabil Penang site via a single
duct. If the duct were dug up and the cable cut, the Penang facility would
have no network connectivity or access; every system would be offline.
Risk controls:
To reduce the level of risk a third circuit is currently being sized. The circuit
being investigated is wireless, which would mitigate the single point of failure and
the associated risk.
Technical Failure | High cost | Medium cost | Low cost | Minimal / No cost
High risk | 1 | 5 | 9 | 13
Medium risk | 2 | 6 | 10 | 14
Low risk | 3 | 7 | 11 | 15
Unlikely risk | 4 | 8 | 12 | 16

Risk:
Ability to provide continuity of IT services: a technical failure may occur in any one
of the IT services.
Risk controls:
The following risk controls are in place today to help mitigate or reduce the level
of impact:
- Backup and recovery strategy, including off-site storage
- Elimination of single points of failure, such as the single entry point into
the Penang site for the WAN circuits and the single power supply into the building
- Services run from corporate and regional locations
- Resilient IT systems and networks, constantly change-managed to ensure
maximum performance in meeting the increasing business requirements
- Greater security controls, such as a physical access control system using
unique PIN codes and restricted badge access
- Better controls to detect local service disruptions, such as fire detection
coupled with suppression systems, and water, temperature and humidity
detection systems
- Improved procedures to reduce the likelihood of errors or failures, such as
change control



e. Information and Communication

The risk response component receives residual and inherent risk inputs from the risk
assessment component, as well as risk tolerance support from the objective-setting
component. ERM risk response then provides risk response and risk portfolio data to
control activities, as well as risk response feedback to the risk assessment component.
Standing alone, the monitoring component has no direct information
connections, but has overall responsibility for reviewing all of these functions. Refer to
the image below (Figure 5 - Flow of Information and Communication) for the flow of
communication within the enterprise.

Figure 5 - Flow of Information and Communication

f. Monitoring
The COSO ERM application framework document suggests this monitoring could include
the following types of activities.

- Implementation of a strong and ongoing management reporting mechanism such
as cash positions, unit sales, and other key financial and operational data. A well-
organized organization should not have to wait until fiscal month end or worse for
these types of operational and financial status reports. Reporting tools should be
expanded to include key ERM measures. This type of flash reporting should take
place at all appropriate levels of the organization.
- Periodic reporting processes should be installed to specifically monitor key
aspects of established risk criteria. These might include such things as acceptable
error rates or items held in suspense. Rather than just reporting periodic statistics,
such reporting should emphasize statistical trends and comparisons with prior
periods as well as with other industry sectors. This type of reporting will highlight
potential risk-related alerts.
- The current and periodic status of risk-related findings and recommendations from
internal and external audit reports. This periodic reporting should include the
status of ERM-related SOx identified gaps.
- Updated risk-related information from sources such as government revised
regulations, industry trends, and general economic news. Again, this type of
economic and operational reporting should be available for managers at all levels.
That same information reporting should be expanded to include ERM issues as
well.

i. Role of Internal Audit

Internal auditors represent the "eyes and ears" of management as specialists who visit
all areas of an organization and report back to management on the status of the
operations visited (Moeller, Robert R., 2011). They have historically had ongoing
concerns and interests in risk management. In particular, internal auditors have
regularly assessed the relative risks of areas to be examined when planning their
upcoming audit activities, deciding which areas or functions within an organization to
select for internal audits.

Whether it is internal audit, a risk management team under a Chief Risk Officer (CRO),
outside consultants, or other trained staff from within the organization, any specific
individual reviews of an ERM process might use the following tools:
Tools | Description
Process flowcharting | As part of any identified ERM process, the parties responsible should have developed flowcharts documenting that process. If not for any other reason, such flowcharts would have been developed as part of their SOx Section 404 review work. These same process flowcharts can be very useful in completing an ERM review of an individual process. This requires looking at the documentation prepared for a process, determining if the process documentation is correct given current conditions, and updating the process flowcharts as appropriate. This update should determine if those identified risks still appear appropriate and if risks have been identified appropriately.
Reviews of risk and control materials | An ERM process often results in a large volume of guidance materials, documented procedures, report formats, and the like. There is often value in reviewing the risk and control materials from an effectiveness perspective. A dedicated ERM team, internal audit, or the organization's quality assurance function can perform such reviews.
Benchmarking | Although an often misused term, benchmarking here is the process of looking at the ERM functions in other enterprises to assess their operations and to develop an approach based on the best practices of others. Gathering such comparative information is often a difficult task, as competing organizations are often reluctant to share competitive data. The process works best when one-to-one professional contacts can be developed, but information regarding how others have attempted to solve similar problems is often very valuable.
Questionnaires | A good method for gathering information from a wide range of people, questionnaires can be sent out to designated stakeholders with requests for specific information. This is a valuable technique for monitoring when the respondents are scattered geographically, such as a risk-monitoring survey of employees in a nationwide retail organization.
Internal infrastructure events | Organizations often make benign changes that trigger other risk-related events. For example, a change in customer service arrangements can cause major complaints and a drop in customer satisfaction. Strong customer demand for a new product may cause changes in plant capacity requirements and the need for additional personnel.
Facilitated sessions | Valuable information can often be gathered by asking selected people to participate in a focus group session led by a skilled conference leader. This is the approach used by many organizations for gathering market research information through what are called focus groups. This same general approach can be used to gather a team of people, often from different positions in the organization, to review the enterprise risk status of a particular area. People with different responsibilities can often work together to provide some good information about the risk-related status of selected activities.
Table 12 - Tools in ERM Process of Monitoring

The purpose of this monitoring process is to assess how well the ERM framework is
functioning in an organization. Deficiencies should be regularly reported to the
managers responsible for enterprise risks in the specific area monitored, as well as to the
ERM or risk management office. The role and responsibility of the CRO and the risk
management office, in building an effective risk management program in an organization,
is to ascertain that enterprise risks are properly understood and translated into
meaningful business requirements, objectives, and metrics. The concept behind this
monitoring is not just to find faults or deficiencies but to identify areas where the ERM
framework can be improved (R. S. Khatta, 2008). For example, if some event
monitoring work points to areas where a function is assuming excessive levels of risk,
processes need to be in place to install corrective actions.

6. Risk Manager Role

Both the position of a CRO and a supporting formal ERM function are new to many
enterprises today (Moeller, Robert R., 2008). However, to implement this very important
function or concept of COSO ERM, an enterprise should establish both. An
effective ERM group will improve the overall enterprise controls environment and will
improve many of the organisation's procedures. While the enterprise risk function can operate
similarly to an internal audit function with its own reviews, it is important to remember that the
CRO and the designated risk management function have a significant overall responsibility
for helping to launch and manage the overall COSO ERM framework.
a. Analysis of Jabil's Safety and Health Policy in accordance with risk management

Jabil encourages a work environment that is free from safety and health hazards,
intimidation and harassment, or any other behaviour not conducive to productive and
excellent work. Jabil is committed to abiding by all health and safety rules applicable to any
job. In addition, the criteria of Occupational Safety and Health (OSH) must be
implemented in the organisation as highlighted in Jabil's OSH policy in the following
section.

Occupational Safety and Health (OSH) legislation requires that all foreseeable hazards
are identified and the risks arising from these hazards are eliminated or controlled.

Risk management is a legal requirement for all businesses regardless of their size, and
basically it involves asking the following questions:
- What hazards exist in the workplace?
- How serious are the hazards?
- What can be done to control these hazards?

Risk management is a process whereby hazards in the workplace are identified, the risk
of those hazards is assessed, and control measures are then implemented which will
eliminate or minimise the risk of injury or loss from the hazards identified. Control measures
which have been put in place must be reviewed periodically to check that they actually fix
the problem, without creating another one.

b. OSH Policy of Jabil Circuit Sdn Bhd

Jabil Circuit Sdn Bhd is an electronics manufacturer of circuit board assemblies and
systems for global electronic product companies. Jabil Circuit Sdn Bhd is fully committed
to conducting its business in a responsible manner and committed to achieving excellence in
occupational health and safety practices in all areas within Jabil Circuit Sdn Bhd. We
continually strive to reduce the occupational safety and health impact and risk in our
operations.

We are committed to:

1) Complying with relevant Malaysian occupational health and safety regulations
and other requirements applicable to our operations.

2) Driving occupational health and safety responsibility from top management to all
levels.

3) Preventing by adopting industry best practices and providing a safe and healthy
working environment.

4) Inculcating our employees, customers, contractors, vendors and suppliers with
awareness of occupational health and safety.

5) Providing occupational health and safety training and instructions to our
employees.

6) Conducting audits and reviewing our OSH objectives and targets regularly to create
a conducive working environment.

7) Pursuing continual improvements in OSH performance.

8) Communicating this policy to all employees and person(s) working for or on
behalf of the organization, and making it available to the public.

This policy was signed by the Operations Director, Harwender Singh, and dated 1st
June 2012.

c. Discussion of Jabil OSH Policy

Jabil's modus operandi in running its business must be understood when analysing the Jabil
OSH Policy and its relevance to security management.

In terms of conciseness, this policy concentrates on and highlights OSH fundamentals that
can easily be understood by all levels of employees. The first element in this policy states
that the company complies with Malaysian regulation and other relevant requirements. It is
understood that the regulation mentioned refers to the Malaysian OSH Act 1994
(OSHA 1994). Thus, the company is committed to complying with OSH legal requirements
and enforcing the regulation in the workplace.

To elaborate on OSHA 1994, its objectives are listed below:
- Securing the safety, health and welfare of persons at work
- Protecting persons at a place of work other than employees
- Promoting a suitable environment for persons at work
- Enabling previous legislation to be replaced by regulations and approved industry
codes of practice operating in combination with the OSH Act 1994
By referring to Jabil's OSH Policy, this first element reflects, as a whole, its
counterpart in the OSHA 1994 objectives. Therefore, Jabil evidently considers this
criterion the most important in OSH and places it as the highest element in the OSH policy.

To ensure good practices in OSH and security management, Jabil has taken a
preventive approach based on best practices, as mentioned in the third element of the OSH
policy. Continual research on OSH, such as Hazard Identification, Risk Assessment and
Risk Control (HIRARC), runs concurrently with Jabil's operations to achieve the best
practical results. HIRARC has become fundamental to the practice of planning,
management and the operation of a business as a basis of risk management. With
HIRARC, Jabil is able to identify hazards, analyse and assess their associated risks, and then
apply suitable control measures.

Jabil conducts a dedicated induction for these employees and emphasises
signage for better communication.

A general Jabil induction for all employees and impacted parties includes:
- A tour of the workplace
- Roles and responsibilities
- Emergency procedures
- General workplace hazards and safety signs
- Workplace hazards/incident reporting
- Introductions to fellow personnel in the work area
- Specific OSH instructions relevant to the specific area (e.g. Personal Protective
Equipment (PPE), safety signage, and safe work procedures)
- Consultation mechanisms

Each unit or department in Jabil should perform local area inductions using the Jabil staff
induction guide. A monthly assembly is held to keep reminding employees of the OSH policy, and there
is a safety month at least once a year to engage all employees on OSH
matters through attractive programmes. Usually, Jabil invites the Fire and Rescue Department
of Malaysia (BOMBA) to conduct some events during safety month to create a realistic
environment for safety awareness.

Apart from this, Jabil corresponds to the fifth element of the OSH policy by providing proper
OSH training to appropriate personnel within the organisation to enhance their knowledge
and skills. Those selected or volunteer personnel are expected to become competent
workers, pass on their knowledge to others, and ensure safety awareness is at the highest
level. Refer to Table 13 - Jabil OSH Training for Year 2012, below.


JABIL OSH TRAINING FOR YEAR 2012
Programs | Training Needs | Target Group
OSH-MS | Understanding and establishing an effective OSH-MS. OHSAS documentation requirements. | Safety Committee members, Internal Auditors, Selected personnel
Strategic Safety Management | OSH related Acts. Principles of accident prevention, Implications of accidents, Prevention strategies, Safe work behaviour, Effective change agent. | Supervisors, Sr. Supervisors, Managers, Engineers
First Aid & CPR | Ability to attend to emergencies during a crisis. | ERT members, Safety Committee, other interested personnel
Emergency response and planning | ERP process and procedures. | ERT members, Supervisory personnel, Security personnel
Fire Prevention | Usage and inspection of fire fighting equipment. | ERT members and other interested personnel
Positive and Proactive Safety Committee | Characteristics and performance indicators of the safety committee, Effective management of the safety committee, Effective meeting criteria. | All Safety Committee members, Managers
CEP programs | Compliance with SHO legal requirements. | Safety and Health Officers
Table 13 - Jabil OSH Training for Year 2012

In order to implement good security management, Jabil conducts periodic evaluation of
compliance with legal and other requirements through its risk management process
(Figure 4). The review confirmed that there were no changes in the legal and other
requirements from September 2011 to February 2012. During this period, Jabil did not
receive complaints from any internal or external parties.



Figure 6 - Risk Management Process

Note that once a review has taken place it does not end there. Environmental Health and
Safety (EHS) audit findings are also recorded periodically and discussed alongside the
risk management process. This review provides suggestions that need to be considered to
improve safety outcomes, thus achieving sound security management. Through these
suggestions, Jabil's top management sets the EHS objectives and targets shown in
Table 14 - EHS Objectives and Target.


EHS OBJECTIVES AND TARGET

GLOBAL | SITE - Environment Scope | SITE - Safety And Health Scope
Reduce energy consumption plant wide by 8% | To reduce the usage of electricity by 8% | To drive and reduce accidents to 0% plant wide
Establish a process to assess building energy efficiency for new and existing buildings | To reduce the usage of water by 2% | Compliance with legal requirements by ensuring zero Non-Compliance Reports (NCR) from the Department of OSH (DOSH) and the Department of Environment (DOE)
Chemical management | NA | NA

Table 14 - EHS Objectives and Target

For an OHS Risk Management strategy to be successful in an organisation, it must be driven
from senior management level, as this is the management level responsible for making
critical decisions about future direction. This statement is emphasised through the second
element of Jabil's OSH policy.

In a large organisation such as Jabil, it is top management's responsibility to communicate
OSH objectives and targets to all levels of employees through a systematic approach. This
communication is done hierarchically, starting from Senior Management and Line Managers
down to operators.

Risk management should be integrated during the initial stages of business planning.
Within this context, resources such as personnel and funding should be made available by
Senior Management for OSH practices and action plans, as below:

Training and education of staff and line managers in hazard identification, risk
assessment and risk management.
Allocation of funds for the purchase of appropriate safety equipment as required.
Any workplace modifications, either physical or process changes, which are
required as a result of a risk assessment.

From the discussion above, it is clear that in order to control and manage risks, the
organisation's core business and the key fundamentals of its OSH policy must be understood
thoroughly by all personnel in order to achieve the OSH transformation described below.

Figure 7 - OSH Transformation

Awareness
  Knowledge of OSH is well communicated among employees.
  All impacted parties must be able to picture the OSH fundamentals of their workplace.
Implementation
  Consists of a set of procedures to be put into action.
  A checklist of required actions is worked through thoroughly, such as required
  training and developing a visitor sign-in process.
Compliance
  Make sure all departments within the organisation comply with OSH legislation.
  Periodic audits ensure OSH practices are deployed by all impacted parties.
Enhancement
  Efficiently manage resources to achieve a better working environment and boost
  the organisation's profitability.
  Enhance the OSH programme by blending current technology, organisational
  behaviour, and politics into an organisational asset to move forward.


7. Conclusion

At Jabil, we realise that effective risk management must be based on a holistic approach such
as COSO ERM. By adhering to a standardized set of processes, procedures, and controls, Jabil
can identify and assess risks and develop strategies or business priorities to mitigate them.
Addressing those priorities may seem a complicated endeavour, but several key components
make for a practical strategy. Enterprise risk management is a holistic view of proper
administration methodology within an organization; in this way, companies are able to look
at the complete risk sphere in which they operate. Besides the classical risks, which can be of
a strategic, financial or operational nature or concern the legal environment, so-called
emerging risks must also be considered. Moreover, an organization may benefit from a
proactive approach to occupational safety and health, which improves productivity and
business image and minimizes the costs associated with work-related injury or unnecessary
loss.



Jabil Rules of the Road 2011

Jabil's purpose is to be the world's leading manufacturing services provider by enabling employees to proactively offer
customers innovative and strategically beneficial solutions. Our values of Empowerment and Accountability, Customer Intimacy,
and Continuous Improvement drive our model, and we use these values to minimize bureaucracy and accelerate decision making in
the day-to-day management of our business. We believe everyone can make a difference and want to encourage your creativity,
innovation, and aggressive problem solving as individuals and as team members. Jabil is an energetic environment full of
motivated people working tirelessly to serve our customers. As you work, we do require you to observe a few unchanging Rules and
Cultural Principles to help guide you day to day. These rules are not suggestions, they are the Jabil Law, and may be relied upon to
resolve relevant conflict by any Jabil employee. The cultural principles reflect our values and should help guide our behavior and
the way we interact with each other.

Rules:
1) Jabil Finance MUST APPROVE the credit worthiness of all customers before any PO's are accepted.
2) Customer contracts REQUIRE Jabil Legal approval.
3) Quarterly forecasts MUST BE submitted on time. Forecasts must be reviewed, signed off, and are jointly owned by
the Business Unit Manager/Director, Operations Manager and Plant Controller.
4) Quarterly forecasts MUST BE between 90 and 100 of the MONTHLY master material plan for the three month
period. The Jabil Division CEO, or the appropriate Senior VP must approve any exceptions to this variance.
5) NO material demand will be loaded into MPS without a legally binding document or written approval of an
appropriate Senior Vice President AND Finance Officer.
6) Master schedules and customer commitments must be based upon a complete review of our projected operational
capability (equipment, test, manpower, space, and materials) to build and deliver the plan and commitment. The
operations planning function OWNS the master material plan, sizing it to constraints, and its execution
performance.
7) There will be NO off-system purchasing. ALL supply must match the master material plan.
8) NO shipments will be made without a price and a legally binding process to invoice. Jabil Finance MUST
APPROVE anything other than a purchase order with a price.
9) Excess and Obsolete material MUST BE dispositioned in a timely fashion in accordance with Customer contract
terms and conditions.
10) Capital asset requisitions MUST BE accompanied by a business case or P&L forecast for justification and CAN
ONLY BE ORDERED once all required approvals are obtained.
11) ALL agreements with customers to amortize custom tooling, test fixtures or other non-standard assets REQUIRE
THE APPROVAL of an appropriate Jabil Officer.

Cultural Principles:
1) Our Employees are our GREATEST asset. We will provide a respectful and safe working environment to empowered
and accountable employees. All of our employees are entitled to mutual respect and will not be subject to unreasonable
conditions or compelled to work in an unsustainable way.
2) Have FUN and help to create a fun, productive environment for others.
3) We believe in EMPOWERMENT of our people, and expect our people to solve issues that arise. It's acceptable to agree
to disagree on solutions to problems and then escalate to senior management. This must be done with a sense of urgency,
as velocity is key to our success.
4) We DO NOT fire people for making honest mistakes; we DO fire people for hiding mistakes.
5) We DO NOT tolerate politicians, autocrats, or dictators. We will treat all of our fellow employees with the same respect
we expect for ourselves.
6) We are a Customer-centric company and we will do everything in our power to MEET or EXCEED our commitments to
customers. Therefore, commitments should have a reasonable probability of success when made.
7) We will LISTEN to our Customers, and BUILD INTIMACY with them.
8) Business Unit Managers (BUMs) are the leader of their workcells and accountable for its operational and financial
performance. Additionally, BUMs are expected to contribute to the health and well-being of the overall operations.
9) The Operations Manager is the leader of the plant and is ACCOUNTABLE for plant level operational and financial
performance. Operations Managers are expected to contribute to the health and well-being of the workcells.
10) Business development OWNS whom we do business with and on what terms.
11) We will build a SUSTAINABLE business, be socially responsible, will work to preserve and protect our natural
resources, and will positively contribute to the communities in which we operate.

Jabil Integrity Hotline
Jabil does business honestly. We need the help of all our employees to
maintain the highest level of integrity. If you learn of any suspected
wrongdoing, please report it to the company, either by speaking to a
supervisor or by using the Jabil Integrity Hotline.
Jabil employees and others may use the Jabil Integrity Hotline to anonymously
report concerns such as:
Theft of Jabil property
Kickbacks and bribes
Unlawful or improper accounting practices
Unlawful or improper performance of government contracts
An investigator employed by an outside company (EthicPoint) will answer your
call, take information you have to offer, and forward a report for appropriate
follow-up and investigation. Jabil strictly prohibits supervisors or employees
from taking retaliatory actions against someone who reports information
under this process; however, you may remain anonymous.

TOLL FREE HOTLINE: 1-800-81-2354
OPERATORS AVAILABLE 24 HOURS PER DAY
TRANSLATION SERVICES ARE AVAILABLE
You can also report your concerns using a web form:
www.jabilhotline.ethicspoint.com

RISK IDENTIFICATION TEMPLATE

Please list the major strategies and/or objectives for your area of responsibility.


Please list the major risks your unit faces in achieving its objectives. List no more than 10 risks.
1. __________________________ 6. __________________________
2. __________________________ 7. __________________________
3. __________________________ 8. __________________________
4. __________________________ 9. __________________________
5. __________________________ 10. __________________________

Please assess the overall risk management capability within your area of responsibility to seize
opportunities



MAJOR STRATEGIES/OBJECTIVES FOR YOUR UNIT
Please list the major strategies/objectives for your unit



MAJOR RISKS FOR YOUR UNIT
Please list the major risks your unit faces in achieving your objectives. List no more than 10 risks.
1. __________________________ 6. __________________________
2. __________________________ 7. __________________________
3. __________________________ 8. __________________________
4. __________________________ 9. __________________________
5. __________________________ 10. __________________________