Digital Disruption - thegrcinstitute.org · 2016-07-29 · column as managing director of the GRC...

GRC Professional, August 2015 | The official magazine of the GRC Institute

Cover stories:

• Financial crimes: Public sector fraud fight
• International sanctions: Non-compliance is non-negotiable
• Digital disruption: Will your firm be next?
• Dumb and dumber: The ridiculous cost of regulatory overkill
• Cyber adversaries: Australia in their crosshairs
• Different views: C-suite at odds with risk managers
• Crisis, what crisis? When disaster strikes, what will you do?

Change Catalyst

The GRC Institute's 19th Annual Conference

GOVERNANCE • RISK • COMPLIANCE

Conference: 28–30 Oct 2015 • Melbourne Crown Conference Centre

The GRC2015 conference's three-day program features inspirational leaders exploring topics across the change management spectrum at an organisational and individual level.

GRC2015 provides an exciting opportunity for networking and professional development, and exposure for commercial partners looking to consolidate in the GRC marketplace.

To book your seat at this exceptional event or for sponsorship opportunities please visit: www.grcconference.com.au


Contents

Cover story

Crisis, what crisis? (page 14)
Major headlines about massive data breaches, large-scale product recalls and mysterious plane crashes, combined with aggressive government investigations, have justifiably raised concerns about corporate reputation and brand damage. But the very worst time to start managing a crisis is when one strikes.

MD's message (page 4)
Reader poll (page 6)
News (page 8)
News features: Hackers target Australia (page 10); Top global risks (page 12); New focus on IT governance (page 13)
Financial crimes news (page 19)

Fighting public sector fraud (page 21)
Internal fraud by public servants and other government employees is on the decline, but their collusion with workers in the private sector is on the rise.

International sanctions: everyone's a target (page 22)
Increasing regulatory rigour means that when it comes to global sanctions, non-compliance is non-negotiable. And woe betide any organisation that begs to differ.

Digital disruption: Will you be the next victim? (page 27)
As digital innovations accelerate, businesses have even shorter timeframes to react and make the changes to their models needed to survive and thrive. But how can this be done?

Cutting the cost of regulatory overkill (page 30)
Rules and regulations have become the norm in everyday life and in business, and while most believe they've gone too far, a few are actually doing something about it.

Fraudsec: a unique process solution for the GRCI (page 36)
A new agreement has been entered into that aims to alleviate member concern about potential fraud or ethical breaches adversely impacting the GRCI.

Institute news (page 37)
The latest from the GRC Institute.

Contact us

GRC Professional is the official monthly publication of GRCI in Australia, New Zealand, Hong Kong & South-East Asia.

GRC Institute
President: Alf Esteban
Vice President: Carolyn Hanson
Treasurer: Gillian Kinder
Director: Susan Cretan
Director: David Morris
Director: Stephen Luk
Director: Lois McCowan
Director: Kellie Powell

Managing Director: Martin Tolar, [email protected]
National Manager: Naomi Burley, [email protected]

Ph: +61 2 9290 1788
Fax: +61 2 9262 3311
www.thegrcinstitute.org
GPO Box 4117, Sydney NSW 2001, Australia

GRC Professional
Editor: Mark Phillips, +61 2 8245 [email protected]
Advertising: Naomi Burley, +61 2 9290 [email protected]

Disclaimer: While GRCI uses its best endeavours in preparing and ensuring the accuracy of the content of this publication, it makes no representation or warranty with respect to the accuracy, applicability, fitness, legal correctness or completeness of any of the contents of this publication. Information contained in this publication is strictly for educational purposes only and should not be considered legal advice. Readers must obtain their own independent legal advice in relation to the application of any of the material published in this journal to their individual circumstances. The Institute disclaims any liability to any party for loss or any damages howsoever arising from the use of, or reliance upon, any of the material contained in this publication.


4 GRC Professional • August 2015

MD's message

Speak up and speak out

As regular readers of this magazine would know, this is my last column as managing director of the GRC Institute. While tradition dictates that on such occasions a retrospective piece is in order, I believe given the amount of change that has taken place at the Institute and in the broader GRC profession during my nine years in the role, a brief recount of the journey we have taken can certainly be justified.

I recall one of my first tasks after being appointed was to give the final address at the 2006 annual conference. The subject of my presentation – pre-determined before my arrival – was "the current state of the compliance profession". Being new to the role and the profession, this was always going to be an outsider's perspective.

One of the main themes of that presentation was the need for compliance professionals to be heard, to be given a seat at the table to ensure they are able to effectively undertake the important responsibilities they have been charged with. Nine years on and despite significant inroads, sadly, for some organisations, these words still need to be emphasised to ensure that compliance and risk practitioners are paid more than just mere lip service.

In most instances, the lack of recognition our profession receives is at least in part a result of organisational culture, which is driven downwards from directors and the CEO.

I have encountered many outstanding members who have been able to rise above this and fight the good fight, changing a company's culture and shifting the perspective on risk and compliance. Unfortunately, however, we do not have enough of these champions among our number.

We need more GRC professionals who are willing to sell the benefits of our profession, to push harder, to speak out for the benefit of their organisations and peers. We need to promote our wins and successes, to embrace our annual awards and promote the winners, and celebrate the difference we have been able to make.

While the meek may inherit the earth, it's usually the most vocal that make it to the boardroom.

Organisationally, the Institute has embraced change. We have changed our name and branding on a number of occasions to meet the needs of a changing market, and we now have members in New Zealand, Hong Kong, Singapore and beyond. We have become an RTO offering fully recognised qualifications, our publications are now industry must-reads, we have embraced a variety of communication mediums, we have participated in significant policy debates and turned the Australian Compliance Standard into a joint standard with New Zealand, and finally last year a fully recognised international benchmark.

Together, we have achieved a lot, but I believe there is still a long way to go. And I would encourage you, if you are not already, to become involved in the Institute and its activities. After all, a small contribution from one individual has the potential to reap significant rewards for the entire profession.

Finally, I would like to take a moment to thank the dedicated staff who I have had the pleasure to work with over the years for their commitment to both the Institute and the profession. Without their enthusiasm and energy we would not have been able to achieve what we have.

I would also like to thank the various GRC Institute directors I have worked with, each of whom has made a contribution in their own way. And, of course, to our wonderful members – it's been a pleasure to have been able to serve you and make some small difference to your roles. Without your continued support the GRC Institute would not be the organisation that it is today.

I wish you all the very best for the future.

Martin Tolar CCP, Managing Director, GRCI


GOVERNANCE • RISK • COMPLIANCE

Graduate Certificate in Compliance Management 91517 NSW
Certified Compliance Professional (CCP)

GRCI's Graduate Certificate in Compliance Management 91517 NSW has been designed exclusively for senior governance, risk and compliance professionals looking to further develop skills for career progression to the most senior level.

Considered the benchmark accreditation for compliance professionals, this course is a nationally accredited qualification.

This course offers you a career advantage through demonstrable skill development over an intense study period of four days. You will also become part of a strong network of professionals supported by GRCI, including special events exclusively for CCP alumni.

Next available certificate courses:

Sydney, 7-11 October 2015
New Zealand, 10-13 November 2015

For more information and bookings please visit: www.thegrcinstitute.org or email [email protected]


Reader poll

As we note in our story "Crisis, what crisis?" on page 14, it is a fact that the long-term damage a crisis inflicts on the reputation of a business can be just as devastating as the immediate interruption to operations.

Although business continuity management (BCM) and disaster recovery (DR) programs have, through necessity, been getting better, it seems work still needs to be done to increase the quality and maturity of such programs.

How would you rate the preparedness of your firm's crisis management strategy? Is it "state of the art", "getting there", or, given the nature and extent of potential risks the organisation faces, "completely inadequate"?

Email [email protected] and we will publish your views in the next issue.

Last month's poll: Is manager liability a step too far?

Last month we asked for your views on whether making managers personally liable for their actions will have any real impact on ethical behaviour.

As we note on page 19 in this issue, former UBS and Citi trader Tom Hayes has been sentenced to 14 years' jail after a London jury found him guilty on all eight charges of conspiracy to defraud between 2006 and 2010 in the Libor-rigging scandal.

Tellingly, the judge said: "The conduct involved here is to be marked out as dishonest and wrong, and a message needs to be sent to the world of banking."

The sentence certainly sends a message, but will it be heeded by the wider business community?

Respondents to our survey mostly believe that making individuals personally liable for corporate misconduct will have the desired effect. In fact, just over 65 per cent said the stick has more influence on behaviour than the carrot.

Nonetheless, a significant minority rejected the notion, seriously questioning the viability of trying to scare people into behaving ethically.

Best from around the web

These were the stories being discussed at the GRC Institute this month:

• False testimonials come back to bite
• Introduction to fraud
• Yahoo hit by "malvertising"
• Tesla courts hackers


Add extra protection against malware threats

Blueprint BrowserProtect is the solution for advanced browser security

Contact us for a demonstration: +61 2 8096 8300 · icsasoftware.com/bponeworld · [email protected]

© 2015 ICSA Software International Limited. Blueprint OneWorld is a registered trademark of ICSA Software International Limited.


News

Cyber risks evolving faster than businesses can react

Australian business leaders and the Hon Christian Porter MP gathered recently at Deloitte to discuss the key initiatives raised at the Prime Minister's Cyber Security Summit in July.

At the summit, business leaders asked for national leadership and a coordinated approach to address cyber security threats, one that included strong partnership between the government, businesses and the research community.

At the roundtable, Porter requested that the business sector work with government to co-design a range of practical initiatives, including how best to share critical information about cyber threats and enable rapid response to issues.

"One of the most important initiatives we discussed was ways to grow Australia's cyber security workforce to meet critical job needs," says Deloitte APAC and Australia cyber leader James Nunn-Price.

"Our experience is that the niche skills are out there – it is more the complex matter of securing, coordinating and continuing to develop them, as the threat to Australia's cyber security is growing in sophistication and severity."

Porter, while re-emphasising the need to develop home-grown cyber security capability, says innovation is also vital and that feedback from the summit would be used to inform a new Cyber Security Strategy (www.dpmc.gov.au), to be released later this year.

Nunn-Price adds: "Cyber risks are a result of dynamic targeted threats. On an industrial scale they are focused at the digital assets, operations and information of the organisation. Both complex and severe, these risks are evolving faster than business can react.

"It's all about 'actionable intelligence' and being secure, vigilant and sufficiently resilient to recover when incidents do occur." •••

Spam on the decline

In a surprising revelation, the amount of spam besetting the internet has dropped to its lowest level in more than a decade.

According to security firm Symantec, spam now accounts for less than half the total number of emails. In fact, at 49.7 per cent, it has dropped below the half-way mark for the first time since September 2003.

This is in marked contrast to the period from 2008 to 2010, when spam made up nine in 10 emails. Hackers had given up on using their own servers and moved instead to large bot networks which, by installing malicious software on millions of victims' computers, allowed them not only to distribute email spam more efficiently and on a greater scale, but also to more effectively avoid law enforcement.

Spam levels have actually been on the decline since the peak of 2010, in part because network providers have become more attuned to the problem and can now respond more quickly when issues on their servers do occur. Concurrently, improved filtering and blocking also means that fewer unsolicited marketing messages reach inboxes where unsuspecting users might click on a message to buy bogus products.

Although Symantec says it expects email spam rates to continue to decline, on the downside, there were 57.6 million new malware variants created in June this year, up from 44.5 million pieces of malware created in May and 29.2 million in April.

Ransomware attacks also increased for the second month in a row, and so-called "crypto-ransomware" has reached its highest levels since December 2014.

The upshot, Symantec warns, is that while the use of phishing and email-based malware is waning, "attackers are simply moving to other areas of the threat landscape". •••

Cyber facts

• The average cost of a data breach per Australian organisation is more than $2.5 million per year – and rising.
• The average breach involves more than 20,000 records in Australia over the five years to 2014.
• There was a 25 per cent increase in data loss between 2013 and 2014 globally.
• Most organisations are focused on prevention as opposed to detection.
• 92% of breaches are perpetrated by outsiders: organised crime (55%); state affiliated hackers (21%); activists (2%); and former employees (1%).
• Only 14% of breaches are by insiders, but this is rising as they are lying in wait within organisations.
• More than three-quarters of breach incidents are caused by weak or stolen credentials.


News

ATO and CBA tops on privacy

The highest ranked government and commercial organisations in the inaugural Deloitte Australian Privacy Index are the Australian Taxation Office (ATO) and Commonwealth Bank of Australia (CBA).

"Both winners are examples of organisations that have gone beyond the compliance-only approach of just providing a privacy policy on their website for customers to download," says Deloitte privacy partner Gavin Cartwright. "They have moved toward better practice by offering education about privacy, such as how to delete cookies and so be more in control of your data."

Cartwright says the websites of the ATO and CBA show good evidence of one of the key themes of the Australian Privacy Principles – transparency – by providing easy-to-follow privacy material and good detail on how personal information is handled, including relevant contacts to obtain more information. Further, they had few or no major privacy events reported in the media.

Both the ATO and CBA received positive feedback from more than 1000 Australian consumers who were surveyed about their views on how well Australia's 104 leading consumer brands are doing when it comes to privacy.

The index also includes qualitative analysis of brands across 11 industry sectors, including governance policies and procedures, and being up to date with current regulatory change. •••

Privacy Index industry ratings

1. Government
2. Banking and finance
3. Social media
4. Health and fitness
5. Retail
6. Insurance
7. Technology
8. Energy
9. Travel and transport (airlines, agencies, hotels, taxis)
10. Telecommunications (mobile, internet, phone)
11. Media (news, television, radio, entertainment)

ACCC appeals quashed

The Full Court of the Federal Court of Australia has dismissed an appeal by the Australian Competition and Consumer Commission (ACCC) against a decision of the Federal Court which dismissed the regulator's price fixing allegations against Australia and New Zealand Banking Group (ANZ).

The proceedings concerned allegations by the ACCC that ANZ had made and given effect to a price fixing agreement, in breach of the then Trade Practices Act 1974, now called the Competition and Consumer Act 2010.

Also, despite an appeal by the ACCC, the Full Court has allowed an appeal by Flight Centre Travel Group against a decision of the Federal Court in which Flight Centre was found to have attempted to induce anti-competitive arrangements with three international airlines to eliminate differences in international airfares offered to customers, and ordered to pay penalties totalling $11 million. •••

ASIC culture focus

The Australian Securities and Investments Commission (ASIC) has advised that it will be upping the ante in its focus on culture in the financial sector throughout 2015-16.

According to chairman Greg Medcraft, the regulator will in particular be scrutinising the behaviour of investors and, with regard to gatekeepers, behavioural drivers such as "culture, incentives and deterrence".

Speaking before a Parliamentary Joint Committee on Corporations and Financial Services earlier this month, Medcraft said: "In respect of culture – boards and management play a critical role – if we find a firm's culture is lacking, it is a red flag that there may be broader regulatory problems."

He warned that ASIC would address culture not just in markets but in financial services more generally, as well as assessing the link between culture and conduct.

IS hacks into private data

Justice Minister Michael Keenan has confirmed that the personal information of eight Australians was compromised earlier this month in a hack by terrorist group Islamic State.

Most of those on the list were unaware that their details, including names, mobile phone numbers, email addresses, passwords and home suburbs, had been compromised until they were contacted by Fairfax Media.

Despite the information being available online for about 10 hours – along with a message from a group calling itself the Islamic State Hacking Division, which warned the group "we will strike at your necks in your own lands" – the Australians, who included Defence Department employees and family members, a Victorian MP, and a former Army reservist, were apparently kept in the dark by authorities.

In response to media enquiries about the breach, Keenan said: "If there was any physical risk to an Australian then we would take action immediately." •••


News feature

Cyber adversaries zero in on Australia

The tyranny of distance is no deterrent for attackers determinedly targeting Australian networks.

In a startling and somewhat sobering first, the Australian Cyber Security Centre (ACSC) has publicly detailed the national threat faced by Australian consumers and businesses – and it issues a stark warning: the threat is undeniable, unrelenting and continues to grow.

If an organisation is connected to the internet, it is vulnerable, and the incidents in the public eye are just the tip of the iceberg.

The "ACSC 2015 Threat Report" notes that, while it is difficult to put a figure on the true cost of cyber-crime in Australia, the total could well exceed $1 billion, as the Computer Emergency Response Team (CERT) of the ACSC responded to over 11,000 cyber security incidents across the country in 2014.

Worryingly, it also reveals that 153 attacks were launched against "systems of national interest, critical infrastructure and government," with the energy, banking and financial services, communications, defence and transport industries all being top targets.

This year marks the first time the report has been unclassified, and it includes input from all ACSC partner agencies to provide information specifically tailored for Australian organisations about the key threats their networks face from cyber espionage, cyber attacks and cybercrime.

However, it cautions: "Cyber adversaries are constantly improving their tradecraft in their attempts to defeat our network. There are gaps in our understanding of the extent and nature of malicious activity, particularly against the business sector."

One area it concedes it really is on the back foot is against so-called ransomware, revealing that a new wave of ransomware emails is currently targeting Australian government and private sector enterprises in the guise of emails purporting to be from Australia Post parcel collection and also Australian Federal Police infringement notices.

According to the ACSC, the sheer scale of the attack and the continual use of new domains by the hackers have reduced the effectiveness of domain-blocking as a long-term solution. Once executed, this particular ransomware encrypts users' files, including those on networked or shared drives used in the corporate environment, making them inaccessible.

Being a globally important resources sector with expertise in certain fields of scientific research, manufacturing and technology, as well as a country with particular bilateral relationships and alliances and a prominent role in the Indo-Pacific region, has made Australia a target-rich environment for cyber adversaries, according to the report. Indeed, there is a range of cyber adversaries determinedly targeting Australian networks, among them:

• Foreign state-sponsored adversaries, including nation states, seeking economic, foreign policy, defence and security information for strategic advantage. Frequently referred to as Advanced Persistent Threats (APTs), these have traditionally possessed the most advanced and sophisticated tools to conduct their activities, sometimes maintaining access to an organisation's network for years at a time to steal the information they require.

• Serious and organised criminals motivated to exploit and access systems for financial gain. The ACSC says these are of most concern, specifically those which develop, share, sell and use sophisticated tools and techniques to access networks and systems impacting Australia's interests.

• Issue-motivated hacktivist groups and individuals with personal grievances who, while usually less capable and sophisticated, can nonetheless cause disruption to Australian government and businesses in their bids to draw attention to themselves and their causes.

"Many countries will continue to deny they have a cyber espionage program, however as more cyber security firms publicise these activities, it is becoming more difficult for adversaries to plausibly deny their capabilities," the ACSC says. "[They] offer high returns with relatively low cost and risk."

As if all this were not enough, the ACSC warns that cybercrime activity will continue to increase over at least the next five years, resulting in even more disruption of services or networks affecting Australian government and businesses. •••

4 top strategies to mitigate intrusions

According to the Australian Signals Directorate (ASD), at least 85 per cent of the targeted cyber intrusions it responds to could be prevented by the following four strategies, which testing has shown to be, in order of effectiveness:

• use application whitelisting to help prevent malicious software and unapproved programs from running;
• patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office;
• patch operating system vulnerabilities; and
• restrict administrative privileges to operating systems and applications based on user duties.

All of the above are mandatory for Australian government agencies.

Source: ACSC 2015 Threat Report

News

Tax dodgers targeted

A Senate committee investigating multibillion-dollar corporate tax dodging appears set to recommend sweeping "name and shame" transparency measures to put a stop to the rort.

In combination with a public register, the Australian Tax Office would be obliged to disclose all tax avoidance settlements above a certain threshold, further exposing offending companies.

The initiative is particularly significant in that it will capture both Australian and multinational organisations such as Google and Apple, forcing them to annually disclose the tax they pay, the Australia-based revenue they generate, and any tax deductions or other write-offs they receive. •••

Disaster losses top US$37 billion

Natural and man-made disasters caused US$37.4 billion in economic losses during the first half of 2015, according to preliminary estimates from Swiss Re.

However, the global reinsurance group said they were far less than in recent years.

In total, the global reinsurance industry covered nearly 45 per cent (US$16.6 billion) of the losses, which was actually higher than the previous 10 year average cover of 27 per cent. Around 18,000 people lost their lives in disaster events in H1 2015, up from more than 4800 in the first half of last year. The earthquakes in Nepal, and a heatwave in India and Pakistan, claimed the highest number of victims.

Natural catastrophes caused total economic losses of US$33 billion in the first half of the year. However, this was well below the US$54 billion in H1 2014 and also the average first-half loss over the previous 10 years (US$99 billion).

Of the insured losses, US$12.9 billion came from natural disasters, down from nearly US$20 billion in H1 2014 and again below the average first-half year loss of the previous 10 years (US$25 billion).

The costliest natural catastrophes for the insurance industry resulted from severe winter weather and thunderstorms in the US and Europe. Indeed, in February alone, a winter storm in the northeastern US caused insurance losses of US$1.8 billion – the highest loss of any event so far this year.

Man-made disasters, meanwhile, triggered an additional US$3.6 billion in overall insurance losses in H1 2015.

As is frequently the case, poorer nations generally faced a gap between overall economic damage and insurance payouts.

For example, in Nepal, where earthquakes are estimated to have caused more than US$5 billion in losses, only US$160 million was passed on to insurers.

"The tragic events in Nepal are a reminder of the utility of insurance," Swiss Re chief economist Kurt Karl says.

"Insurance cover does not lessen the emotional trauma that natural catastrophes inflict, but it can help people better manage the financial fallout from disasters so they can start to rebuild their lives." •••


News feature

Different perspectives

Despite an alarming difference in risk perception between the C-suite and risk managers, damage to reputation and brand has been identified as the top risk to global organisations.

Aon Risk Solutions, the global risk management business of Aon, has unveiled the key risks as identified by its clients across the globe.

For the first time ever, cyber risk entered the top 10 at number nine, reinforcing its emergence as a key risk factor. However, damage to brand and reputation was cited as the top overall concern facing global organisations – further underscoring the increasing importance of cyber risk, which has been regularly linked to brand and reputation issues in the wake of data breaches.

In the study, damage to brand and reputation ranked as a top concern across almost all regions and industries. According to Aon, this can be attributed to the growing challenges businesses are facing among the risks found in the top 10 list, such as cyber risk, but also business interruption, property damage and failure to innovate.

The 1400 respondents to Aon's 2015 "Global Risk Management Survey" included CEOs, CFOs and risk managers, providing comparative insight into different perceptions of risk. Typically, financial and economic risks, including commodity price risk, economic slowdown and technology failure, were seen as damaging at C-suite level, with risk managers focused on liability-related issues such as cyber, property damage and third party liability.

"It's little surprise to see cyber risk enter the top 10 at the same time we are seeing increasing concern about corporate reputation, as the two issues are a great example of the interconnectivity of risk," says Aon chief innovation officer Stephen Cross.

"What is surprising was the lack of alignment between the board and the risk manager. Such diverse views illustrate how imperative it is that the board of directors have effective and regular communication with risk managers to effectively assess and mitigate the company's risk exposure."

"While new risks such as cyber have moved to centre stage, established risks like damage to reputation or brand are taking on new dimensions and complexities," Moloney says. "The interconnected nature of these risks reinforces the importance of strategic risk management in every organisation." •••

According to Rory moloney, Ceo Aon Global Risk Consulting, the study reveals a number of challenges driven by today’s globally interdependent environment.

Key movers

failure to innovate or meet customer needs remained at sixth spot in the study and is projected to rank at four in 2018. Respondents in the technology industry indicated that this is the most significant risk to their business. The threat severity of the risk, tied to increasing competition, which is expected to top the list in three years, raises a red flag for the insurance industry.

Property damage also re-entered the top 10 global risk list for the first time since 2007, up from 17 in 2013. this risk was ranked highest by hotels and hospitality, non-aviation transportation and real estate. unprecedented weather events in recent years have bundled this risk with the cause and effect of business interruption, which took seventh spot on the 2015 list, with reported losses down more than 10 per cent from the 2013 survey.

top 10 global risks

1. Damage to reputation/brand2. economic slowdown/slow recovery3. Regulatory/legislative changes4. increasing competition5. failure to attract or retain top talent6. failure to innovate/meet customer needs7. Business interruption8. third party liability9. cyber risk (computer crime/hacking/ viruses/

malicious codes)10. Property damage

Information Security: Corporate Governance Takes Pole Position

There is an increasing realisation that dealing with IT risk is a key part of corporate governance, and boards around the world are beginning to buy into it.

Information security governance practices are slowly maturing, according to Gartner’s annual end-user survey for privacy, IT risk management, information security, business continuity or regulatory compliance.

For the study, “Information Security Governance, 2015-16”, the researcher surveyed 964 respondents in organisations with at least US$50 million equivalent in total annual revenue for fiscal year 2014, and with a minimum of 100 employees, in seven countries between February and April 2015.

“Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cybersecurity incidents, are making IT risk a board level issue,” says Gartner vice president and fellow, Tom Scholtz. “Seventy-one per cent of respondents indicated that IT risk management data influences decisions at a board level. This also reflects an increasing focus on dealing with IT risk as part of corporate governance.”

According to Scholtz, the nature of the reporting lines of the information security team is one of the key attributes of effective governance. Indeed, 38 per cent of survey respondents indicated explicitly that the most senior person responsible for information security reports outside of the IT organisation.

“The primary reasons for establishing this reporting line outside of IT are to improve separation between execution and oversight, to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that ‘security is an IT problem’,” he says.

“Organisations increasingly recognise that security must be managed as a business risk issue, and not just as an operational IT issue. There is an increasing understanding that cybersecurity challenges go beyond the traditional realm of IT into areas such as operational technology and the Internet of Things security.”

The seniority level from which security programs are sponsored is also improving. Sixty-three per cent of respondents indicated that they receive sponsorship and support for their information security programs from leadership outside of the IT organisation – a significant increase from 54 per cent in 2014.

Notably, CEO and/or board-level sponsorship has remained constant at 30 per cent (29 per cent in 2014) while sponsorship from a steering committee increased from seven to 12 per cent. However, there are interesting regional differences, with 57 per cent of practitioners in the US indicating sponsorship from outside IT, which is considerably lower than the 63 per cent in Western Europe and 67 per cent in the Asia Pacific region.

“A senior executive mandate for the security program is fundamental,” Scholtz maintains. “Without it, the security program has little chance of getting the requisite support from the rest of the organisation. Also, because a corporate information security steering committee (CISSC) should consist primarily of business representatives, we expect that the level of sponsorship from such bodies will continue to increase as governance functions continue to mature. Indeed, an effective governance forum, such as the CISSC, becomes the authoritative representative of the CEO, the board and senior business unit managers.”

On the effectiveness of security policies, although half of the respondents said the governance body is involved in assessing and approving policies, just 30 per cent indicated that the business units are actively involved in developing the policies that will affect their businesses.

Although a considerable improvement from previous years (16 per cent in 2014), it still demonstrates a lack of active engagement with the business. This is a major cause of different risk views between the security team and business, which can result in redundant and mismanaged controls, which in turn result in unnecessary audit findings and ultimately in reduced productivity. •••

Crisis Management

Crisis? What Crisis?

The very worst time to start managing a crisis is when one strikes. Mark Phillips reports.

Major headlines about massive data breaches, large-scale product recalls, mysterious plane crashes, combined with aggressive government investigations, have justifiably raised concerns about corporate reputation and brand damage.

The unpredictable nature of such crises, especially in an age of 24-hour news cycles and instant social media, clearly poses a serious threat to a company’s hard-earned global image. Little wonder, then, as GRC Professional reports on page 12, that in Aon’s just-released study on the top risks companies now face, reputation damage is ranked number-one. As the study states, while news coverage can undermine an organisation’s reputation in a matter of minutes or hours after a crisis, intensive media scrutiny also heightens awareness of crisis preparedness.

Unfortunately, it is a fact that the long-term damage a crisis inflicts on the reputation of a business can be just as devastating as the immediate interruption to operations. Smallgoods manufacturer Garibaldi and Pan Pharmaceuticals are just two examples of Australian companies that were decimated not just by contamination crises, but inappropriate and ill-considered communication strategies.

Perhaps Jim Lentz, CEO of Toyota North America, put it best at a recent forum sponsored by the National Automobile Dealers Association, when he said: “It is easier repairing recalled products, but fixing the damage done to a company’s image will be a tougher process that takes time and tremendous effort.”

Different priorities

One of the most interesting things to emerge from Aon’s study is the seeming disconnect between the C-suite and risk managers as to what, exactly, are the most pressing threats to not only corporate reputation, but business continuity.

As would be expected, CEOs and CFOs rank very high on their top risk list those with strong concrete financial implications – economic slowdown, a slow recovery, commodity price risk, cash flow/liquidity risk, as well as technology/system failure.

However, risk managers seem to be paying more attention to liability-related risks such as third party liability, property damage and cyber security issues.

As the report notes, these diverse views illustrate the importance of gathering a cross-section of stakeholders in the decision-making process, so that each one can bring a different perspective. Obviously, it is also important that senior executives and boards of directors communicate with risk managers, taking an active role in assessing and covering the company’s risk exposure to ensure it is in line with strategic goals.

“For example, compliance is traditionally overlooked by corporate leadership, who see it as a burden: a risk without reward,” Aon states. “As the world’s political map and regulatory landscape evolve, compliance is becoming more crucial to a company’s bottom line. Senior leadership has to stay involved in all aspects of risk management and align with risk managers in the decision-making process.”

Interconnectedness

Of particular note is the emphasis on the increasing interconnectedness of risks.

“The proliferation of mobile devices is creating a rapidly expanding network of new connections between individuals, groups and things. The combination of accelerated connectivity, accelerated data accumulation, accelerated computer power, and accelerated accessibility is a great leap forward, but also a great expansion of risks.”

High levels of connectivity have added to risk complexity: when the dominos start to fall, they fall fast. Non-compliance, for example, could damage a company’s reputation. A company with a damaged reputation might find it hard to be competitive and attract top talent. The lack of talent would result in failure to innovate and meet customer needs.

The list goes on, but this interdependency between risks illustrates that organisations can no longer evaluate risks in isolation, but must consider their interconnectedness.

On the other hand, predicting potential crises is a lot easier said than done. There are many kinds of emergency events that can affect an operation – everything from building system failures to fire, natural disasters, cyber attacks, contamination, server failure, terrorism, or even a pandemic.

The last is a good – albeit extreme – example, because absenteeism in the event of a pandemic could be up to 10 times greater than the four per cent of the workplace that is absent from the office on a typical workday. What’s more, these absences could last for up to three months, devastating industry as workers struggle to cope with illness, loss of family members and general infrastructure failures such as transport, shopping and communications.

Risk maturity

Although business continuity management (BCM) and disaster recovery (DR) programs have, through necessity, been getting better, it seems work still needs to be done to increase the quality and maturity of such programs. Indeed, at a recent conference in London Gartner told information and risk management delegates that nearly 60 per cent of organisations only plan for their longest outage to be seven days.

This indicates a huge hole in those organisations’ ability to sustain business operations if a major crisis strikes, because a disaster that lasts more than one week can have an enormous negative impact on revenue, reputation and brand. Regional incidents, terrorism, service provider outages and pandemics can easily last longer than seven days. Therefore, enterprises must be prepared. More mature BCM/DR programs plan for outages of at least 30 days.

With the growing awareness that continuing business operations after a disaster requires a lot of planning, organisations are also realising that the approach to best manage an incident is to have a dedicated group of people on a crisis management team.

Conducting a business impact analysis (BIA) is the most critical process in the development of a DR strategy and associated plans because it provides the business requirement used to develop the plan. Testing on a regular basis is the second most critical component of a BCM program. That said, having a plan is only a fraction of the maturity of the BCM/DR process.

Significantly, most BCM/DR plans are also for a single facility outage, with planning for regional disasters having dropped in priority during the past couple of years, according to Aon.

Enterprises with the best BCM and DR practices have a corporate culture that values availability and an understanding of the costs (in terms of the financial and reputational implications) associated with business process outages. These enterprises also realise that following a well-defined process when disaster occurs is significantly better than trying to respond to an incident in crisis mode without the benefit of planning, coordination and testing, which helps minimise downtime and costs.

Sounds like a plan

Knowing that the plan works during an actual emergency is the key to a business’s survival.

Most managers, however, would object to crashing a TNT-laden truck into the building, setting fire to a few offices or inviting an Uzi-armed psychopath into the workplace so as to test their organisation’s emergency response capabilities. Instead, full-scale incident simulations can be conducted, and by assembling a group of people from key departments for discussion a broad picture of the operation and its vulnerabilities is likely to come to light.

In these types of drills a facilitator would describe an emergency scenario and each department head talk through their team’s actions, noting input that might be required from other departments, local authorities or external suppliers. In this way the scenario is developed in real time until a detailed response plan emerges, ideally incorporating flexibility to deal with building occupants who might, for example, have a disability. The merits of alarms with flashing or strobe lights as well as voice enunciators might be considered, along with lessons learned in real-life disasters.

For example, in the case of the World Trade Centre in New York, emergency lighting in the stairwells and corridors was set up on a backup battery power source (the failure of the emergency lighting in the 1993 crisis was a major problem in evacuation). The lights in the stairwells were also redesigned in modular sections, so that if one section failed, the other sections stayed on (like Christmas trees). The lights were functioning on the lower levels of the Towers, even as the top floors were collapsing.

Handling the media

Nonetheless, it remains that many businesses are not prepared for a crisis – especially when it comes to handling the media which, inevitably, is there when the going gets tough.

There is a common perception that the media cannot be managed and that it will always draw its own conclusions, regardless of what you do or say. True, it is not realistic to expect to be able to manage the media, but businesses can certainly manage their relationships with the media.

These relationships – in good times and in bad – can make all the difference when the media finds reason to turn the spotlight on a company. In fact, as part of a media plan and appropriate training, they are a company’s insurance policy against loss of reputation.

The worst time to start getting familiar with the media is when a crisis hits. As aerospace businessman Norman R Augustine once said: “It is instructive to recall that Noah started building the ark before it began to rain.”

The challenge for business is to get to know the media: which outlets are – and are likely to be – interested in your business, who specifically is likely to write about, talk to, or take pictures of you and your business, what it is they need to know about the way you operate, and what do you need to know about the way they operate?

What you can’t predict is when a crisis is going to happen and how it will manifest – you’ve just got to have the mechanisms in place to deal with it. As such, businesses need to learn to recognise smouldering and potential issues, and then assess their potential to attract media coverage.

So what constitutes modern-day “news”? The overriding factor is fear. Note how many news stories are about the things people fear most: threats to health, lifestyle, and reputation. What businesses need to know is how they impact on the public and how any given crisis or issue is likely to affect people – either physically (will it cost them anything or cause inconvenience?) or emotionally (will it shake their confidence in trusted people or understanding of the way things should operate?).

A town called Sago

Much has been written about the dos and don’ts when dealing with the media during a crisis, but rarely have they been more forcefully conveyed than in two not dissimilar mine incidents. One occurred in Beaconsfield, Tasmania, in April 2006, the other on the other side of the world in Sago, West Virginia, in January 2006.

The two-week rescue of miners Todd Russell and Brant Webb at the Beaconsfield gold mine is widely regarded as textbook, not only in its execution under the auspices of mine manager Matthew Gill, but in the media liaison conducted by then Australian Workers’ Union national secretary, Bill Shorten (now federal leader of the Australian Labor Party).

Under intense scrutiny from both local and international media, a worst-case scenario was seamlessly managed by well-versed crisis teams that interfaced with surface management, government, operations and rescue personnel, victim support counsellors and, of course, one of the largest media contingents in Australian history. Shorten was without exception objective and matter-of-fact in updating what was going on, clearly articulating to the viewing public that the rescue team was well-trained and the effort itself strategically well-planned.

The situation at the Sago coal mine, where 13 miners were trapped underground, stands in stark contrast. Almost unbelievably, a breakdown in communications resulted in next-of-kin being notified that 12 of the miners were, thankfully, safe. Tragically, relief and euphoria turned to unimaginable grief when the terrible mistake was discovered – 12 of the miners were actually dead. Just one had survived. All of this occurred under around-the-clock media coverage by the likes of CNN, Fox, MSNBC and all major American news broadcasts.

Again, while risk managers cannot predict an emergency situation, they are in the unique position to prepare for one. A plan that addresses preparedness, response and recovery operations, as well as media communication, might never have to be used in real life. On the other hand, who would want to be a manager at a mine in a town called Sago?

Put people first

Business continuity planning often hinges on mission critical infrastructure, such as maintaining reliable power sources or data backup. But equipment and facilities can always be replaced over time; replacing great people is not so easy.

Post-crisis, the first responsibility a company has is to its employees’ and their families’ safety and security. Only then can employees come to work and bring back critical operations that assist in business recovery.

Business continuity considerations that take into account both the work environment and the employee include:

Pre-disaster: Who within your organisation would be involved with temporary lodging for displaced employees? How does your organisation provide relocation resources and contact information to its employees? Does your organisation have a written plan for securing office space and temporary furniture if an office has been damaged? Does your organisation set up offices and send staff to disaster-affected areas for recovery efforts?

Post-disaster: Who within your organisation is in contact with employees still in need of temporary lodging? What is being done to help them secure a place to stay? Assess the immediate to 90 day requirements for employees and the work environment, and then a six to 12 month requirement, and lastly 12 months or longer.

Companies and government agencies that proactively prepare for both their facilities and employees are more successful in the management of their business during a time of crisis. Operational resiliency depends on having pre-approved and reliable national suppliers ready and able to provide the products and services required to help employees and companies get back to business.

5 steps to business continuity

1. Consider a range of possible scenarios. Downtime – whether it is a result of a storm, fire, power outage, hardware failure or human error – inevitably impacts IT infrastructure and ultimately productivity and the bottom line. When developing a disaster recovery strategy, consider various possible disaster recovery scenarios and plan accordingly.

2. Understand time and data requirements. Determine how much time your company can afford to be down – also known as Recovery Time Objective (RTO) – as well as how much data you can afford to lose – Recovery Point Objective (RPO). Given such information a company can monetise risk by balancing recovery requirements, risk tolerance and how much it is willing to spend on a disaster recovery strategy.

3. Keep people, systems and information connected. An effective business continuity strategy needs to encompass information, systems, people and processes, as well as the complex interdependencies among them. If the workforce cannot connect to systems and data, there is no business. As part of the planning process, it is important to ascertain the best strategy for the company in managing critical systems and components – either internally, with a managed hosting provider, or both.

4. Investigate advanced technologies. Disaster recovery technologies have progressed rapidly over recent years, with solutions common in large enterprises, such as replication, vaulting and virtualisation, now becoming more accessible to SMEs and making it easier to achieve greater precision in recovery timeframes and data points.

5. Plan and test. Planning involves far more than just backing up data. Although many companies claim to have a disaster recovery plan, unless it is regularly tested it is only a plan on paper, not in practicality. It is essential to develop and test plans so that the first time a plan is executed is not during an emergency. •••

Financial crimes

Hayes guilty in London Libor trial

Former UBS and Citi trader, Tom Hayes, has been sentenced to 14 years jail after a London jury found him guilty of all eight charges of conspiracy to defraud between 2006 and 2010 in the Libor-rigging scandal.

It was the first criminal case against an individual related to manipulation of the benchmark interest rate, which is linked to the pricing of hundreds of trillions of dollars of financial products such as mortgages and loans around the world.

In sentencing, the judge told Hayes: “The conduct involved here is to be marked out as dishonest and wrong, and a message needs to be sent to the world of banking. What this case has shown is the absence of that integrity which ought to characterise banking.”

Six banks have already admitted rigging Libor and paid settlements of approximately US$6.5 billion to regulators, while a number of other individuals face criminal proceedings or are currently being investigated.

Throughout the 10 week trial, Hayes claimed that his tactics were well known to his senior managers and the practice of seeking to influence Libor submitters was widespread across the industry.

However, the judge continued: “The fact that others were doing it is no excuse, and neither was the fact that senior managers condoned and encouraged it. The offences were thought through and regular. In short, these are offences of high culpability.”

Hayes, a British national, worked at the Tokyo office of UBS from 2006 to mid-2009 and was subsequently head-hunted by US bank Citi, where he began trading in the Tokyo office in early 2010. He was fired in September 2010 after an internal investigation into his activities around Libor.

Following his arrest in December 2012, Hayes was interviewed for five months by the UK’s Serious Fraud Office, during which time he admitted dishonesty and was subsequently charged in June 2013. •••

Edition fourteen, August 2015

New push to stop serious wildlife crime

In a widely welcomed development, the UN General Assembly has passed Resolution A/69/L.80 on “Tackling the Illicit Trafficking in Wildlife”.

Co-sponsored by more than 80 nations, the resolution is the culmination of three years of diplomatic efforts to counter the problem of criminal activity that has an impact on the environment.

Member states are urged to treat wildlife trafficking involving organised criminal groups as a serious crime, implement anti-money laundering measures, establish national-level inter-agency wildlife crime taskforces, strengthen judicial process and law enforcement efforts, prevent and counter corruption, and reduce the demand for threatened wildlife products.

An official at the World Wildlife Fund said the resolution sent a “powerful message from the highest possible level” about the need to end what many feel is a growing criminal threat to wildlife. •••

Page 20: DIGItal DISrUPtIon - thegrcinstitute.org · 2016-07-29 · column as managing director of the GRC Institute. while tradition dictates that on such occasions a retrospective piece

20 GRC Professional • August 2015

The us securities and exchange Commission (seC) has an-nounced fraud charges against 32 defendants for taking part in a

scheme to profit from stolen non-public infor-mation about corporate earnings announce-ments.

Those charged include two Ukrainian men who allegedly hacked into newswire services to obtain the information and 30 others in and outside the US who allegedly traded on it, generating in excess of a staggering US$100 million in illegal profits.

“This international scheme is unprecedented in terms of the scope of the hacking, the number of traders, the number of securities traded and profits generated,” says SEC chair Mary Jo White. “These hackers and traders are charged with reaping more than US$100 million in illicit profits by stealing non-public information and trading based on that information. That deception ends today as we have exposed their fraudulent scheme and frozen their assets.”

The SEC charges that over a five-year period, Ivan Turchynov and Oleksandr Ieremenko spearheaded the scheme, using advanced techniques to hack into two or more newswire services and steal hundreds of corporate earnings announcements before the newswires released them publicly.

The SEC further charges that Turchynov and Ieremenko created a secret web-based location to transmit the stolen data to traders in Russia, Ukraine, Malta, Cyprus, France, and three US states. The traders are alleged to have used this non-public information in a short window of opportunity to place illicit trades in stocks, options, and other securities, sometimes purportedly funnelling a portion of their illegal profits to the hackers.

“This cyber hacking scheme is one of the most intricate and sophisticated trading rings that we have ever seen, spanning the globe and involving dozens of individuals and entities,” adds Andrew Ceresney, director of the SEC’s Division of Enforcement. “Our use of innovative analytical tools to find suspicious trading patterns and expose misconduct demonstrates that no trading scheme is beyond our ability to unwind.”

According to the SEC, Turchynov and Ieremenko hid the intrusions by using proxy servers to mask their identities and by posing as newswire service employees and customers. The two allegedly recruited traders with a video showcasing their ability to steal the earnings information before its public release.

The complaint charges that in return for the information, the traders sometimes paid the hackers a share of their profits, even going so far as to give the hackers access to their brokerage accounts to monitor the trading and ensure that they received the appropriate percentage of the profits. The complaint charges that the traders sought to conceal their illicit activity by establishing multiple accounts in a variety of names, channelling money to the hackers as supposed payments for construction and building equipment, and trading in products such as contracts for difference (CFDs).

At times, the hackers and traders had a very narrow window of opportunity to extract and use the hacked information. In one particularly dramatic instance on May 1, 2013, the hackers and traders apparently moved in the 36-minute period between a newswire’s receipt and release of an announcement that a company was revising its earnings and revenue projections downward.

According to the SEC, 10 minutes after the company sent the still-confidential release to the newswire, traders began selling short its stock and selling CFDs, realising US$511,000 in profits when the company’s stock price fell following the announcement.

The SEC’s complaint charges each of the 32 defendants with violating federal antifraud laws and related SEC antifraud rules and seeks a final judgment ordering the defendants to pay penalties, return their allegedly ill-gotten gains with prejudgment interest, and be subject to permanent injunctions from future violations of antifraud laws. •••

Fiat CEO scandal deepens

Hard though it may be to believe, the Fiat Chrysler scandal reported in the last issue of GRC Professional has deepened, this time with yet another executive accused of excessive spending while managing the company.

In the July 2015 issue, we noted in the story “Fiat Chrysler chief out of gas” that as a result of soccer star Harry Kewell making personal payments into the bank account of the auto giant’s boss, Clyde Campbell, after signing a $1 million deal to become a brand ambassador for Jeep, the company had launched legal action to recoup more than $30 million it claims the CEO misused or misappropriated to help fund a lavish lifestyle for himself and business associates.

Campbell allegedly authorised the purchase of Chrysler vehicles for a number of celebrities in Britain he called “brand ambassadors”, including Kewell, even though the company has no such program there.

Now, another former CEO, Veronica Johns, has also been named as a defendant in the lawsuit. Johns succeeded Campbell but apparently left the company in May 2013 for “personal reasons”. According to Fiat Chrysler, she allegedly had renovations to her home done that were billed to the company. Further, her husband and the builder are alleged to have received company vehicles meant for charity.

Campbell maintains that his spending was authorised by top international company executives and he has been singled out in what he calls a “power play” by others bidding for promotion within the company. •••

SEC busts “unprecedented” fraud


Fighting fraud in the public sector

Internal fraud by public servants and other government employees is on the decline, but their collusion with workers in the private sector is on the rise.

A new report by the Australian Institute of Criminology (AIC) has detailed the extent of fraud perpetrated against the Commonwealth over the three years to 2012-13.

According to the “Fraud against the Commonwealth” study, 265,000 incidents of suspected internal and external fraud were recorded over the period, with an estimated $530 million worth of losses.

The most common types of fraud related to tax (127,614), social security payments (97,419) and visa and citizenship (83,765).

Alarmingly, the number and cost of collusion-related offences has substantially increased, leading the AIC to warn of an “emerging risk” of corruption and collusion between people in the private sector and public servants. This, it said, was likely to result in greater levels of financial loss, extend over a greater period of time and have a more substantial impact on morale in government departments than other fraud variants.

Indeed, it notes that the amount of money defrauded from this type of collusion in 2012-13 was $402,764, up dramatically from the previous period, with just over 60 instances detected. In addition, it warns that Commonwealth grant money and aid programs are at particular risk, because of the massive sums involved.

However, public servants are themselves proving to be an effective means of countering scams in their departments and agencies, blowing the whistle on around 2000 cases of internal fraud. They were only outdone by the increasingly sophisticated internal system controls that have been introduced by the sector, which stopped some 3500 frauds in their tracks. Most involved instances of trying to obtain cash without permission, misuse of government credit cards, rorts against payroll departments and inflated or completely fabricated travel and expense claims.

The AIC says the multi-agency Fraud and Anti-Corruption Centre (FAC Centre), established a year ago, has also become integral to combating external fraud against the public sector, which is growing at an alarming rate. The centre was established within the Australian Federal Police (AFP) and combines the resources and expertise of nine separate agencies.

The FAC Centre was designed to triage serious and complex fraud and corruption referrals to try to ensure suspected crimes are quickly directed to relevant law enforcement agencies for action. The agencies within the FAC Centre access existing intelligence resources, such as the Australian Crime Commission’s National Criminal Intelligence Fusion Capability, drawing on specialists, data and analytics to develop fraud-related intelligence.

A recent example is Operation Agron, an AFP-led joint agency investigation with the Department of Human Services (DHS) and Department of Social Services (DSS), which involved alleged fraud against Commonwealth childcare and social welfare programs.

It is alleged that the sole director of a family day care business claimed Child Care Benefit subsidies she was not entitled to, totalling a staggering $3.6 million. It is further alleged that the accused created and lodged false documents to DHS to support the claims.

Further, in March this year a former bank employee and worker at the Australian Bureau of Statistics were imprisoned over a scam in which confidential and market-sensitive information was used in trades that resulted in profits of more than $7 million.

To date, property and cash in excess of $2.4 million has been restrained by the AFP as part of an associated proceeds of crime action.

Also in March, the AFP, DSS and DHS executed multiple search warrants in the Albury-Wodonga area and arrested a 27 year-old woman. The alleged offender is currently before court, facing charges of obtaining financial advantage by deception, using forged documents, falsification of documents, and dealing in proceeds of crime worth $1 million or more. •••

Cybercrime costing US$445 billion

Washington-based think tank the Center for Strategic and International Studies claims that the annual cost of cybercrime and economic espionage to the world economy runs as high as US$445 billion – almost one per cent of global income.

Worse, the figure does not include the intangible damage to an organisation. Last year, the insurance industry took in an incredible US$2.5 billion in premiums on policies to protect companies from losses resulting from hacks. •••


22 GRC Professional • August 2015

SANCTIONS

SANCTIONED!

Increasing regulatory rigour means that when it comes to global sanctions, non-compliance is non-negotiable. Mark Phillips reports.

For many companies, conforming to international sanctions regimes can be a complicated and costly compliance minefield, but the rationale behind them is really quite simple.

At their core, sanctions are an alternative to military intervention and in many cases, the only realistic tools to rein in the rogue actions of states, increase global security and tackle terrorism and other crimes.

For them to work, however, everybody has to toe the line – non-compliance is non-negotiable. Should any organisation – regardless of location – be in any doubt over this, the United Nations Security Council, the US Office of Foreign Assets Control, the administrative body of the European Union and, in the UK, HM Treasury, will inevitably remove that doubt.

There is no shortage of companies to have found this out the hard way.

Record fines

Earlier this year, a unit of Schlumberger pleaded guilty to allegedly violating US sanctions by trading with Iran and Sudan and agreed to pay more than US$232 million in fines and costs. The fine itself – US$155 million – was the largest ever criminal fine meted out in a sanctions case.

A unit of the company – Schlumberger Oilfield Holdings – provided services to Iran and Sudan and allegedly went to substantial lengths to hide its activities, according to officials at the US Department of Justice.

Schlumberger admitted that it hid prohibited transactions, including masking capital expenditure requests for work in the two countries, by entering a country code for a non-embargoed nation in its computers for processing.

The sanctions breaches happened between February 2004 and June 2010. In one incident, personnel of the firm in the US arranged for oilfield drilling equipment to be exported from Canada to Iran. In another violation, it swapped new American-made drilling equipment with used equipment from a non-embargoed country and the new equipment was then sent on to Iran.

Then there’s the case involving Dutch aircraft manufacturer Fokker, which in 2014 was fined US$21 million for selling American-made goods to Iran, Burma and Sudan in alleged violation of US and international trade sanctions.

For more than five years, the company sold aircraft parts, technology and other services to the three countries. In court papers, it admitted to more than 1110 sales of banned parts and used a series of elaborate workarounds to get past US sanctions, which were designed “specifically to continue the company’s profit earnings” in those markets.

Indeed, on one occasion Fokker Services provided a US aerospace company with a work order that falsely represented the part as belonging to an aircraft owned by a Portuguese airline when, in reality, it was actually owned by an Iranian carrier. The US aerospace company fixed the part and returned it to Fokker Services, which then shipped it to Iran.

According to the US Department of Justice, the fines would have been much higher but that “would have severely hurt the health of the company”.

Tip of the iceberg

These two examples are just the tip of the iceberg in terms of organisations knowingly breaching sanctions regimes – and being found out. Other companies hugely out of pocket include Maersk, which has paid US$3.1 million for breaking US sanctions on Iran and Sudan over a four-year period, and ESCO, which has parted with US$2 million for Cuba sanctions violations.

In the meantime, Epsilon is challenging a US$4 million fine for violating Iran sanctions, and it is probably fair to say that Amsterdam-based ING Bank is still reeling from the record US$619 million it agreed to pay in 2012 to settle US government allegations that it violated sanctions against Cuba, Iran and other countries by moving US$1.6 billion illegally through banks in the US from the early 1990s through 2007, and concealing the nature of the transactions.

ING eliminated payment data that would have revealed the involvement of sanctioned countries and entities, according to authorities. The bank also told clients how to evade computer filters designed to prevent sanctioned entities from gaining access to the US banking system. Further, it provided US finance services to sanctioned entities through shell companies and misuse of an internal ING account.

Needless to say, it has since taken steps to improve its compliance – and compliance is what all this comes down to.

Everybody’s a target

According to Mark Dunn, segment leader for entity due diligence and monitoring at LexisNexis, while banks and other financial institutions remain under extremely close scrutiny, there is now an increasing focus on the dealings of non-financial companies with countries under sanctions regimes.

This is particularly the case given the more recent US and EU sanctions which have been imposed on Russia over the war in Ukraine, under which there are restrictions on doing business not only with Russian companies, but with individuals as well.

Although primarily aimed at strangling Russian access to capital markets, the sanctions have now been expanded to an arms embargo and an export ban on specialist energy equipment and other technology that can be used for both civilian and military use.

Indeed, Dunn says international sanctions regimes in general are now capturing a whole range of companies undertaking cross-border activities, with commodities like oil, gas and raw materials, engineering, and infrastructure increasingly in the spotlight.

“Certainly from the US perspective they are very wide ranging, but we’re also starting to see the same trend with anti-bribery and corruption with regards extra-territorial powers, and other countries are also beginning to introduce their own extra-territorial regimes,” he says.

Dunn, who is responsible for product management development of LexisNexis Business Insight Solutions due diligence applications, is also the organisation’s key spokesperson on anti-money laundering, anti-bribery and corruption, and sanctions compliance.

“With financial services firms, the regulators have been going back and looking at years and years of perceived misconduct, which is why many of the fines have been so significant – it has been a broad sweep because they want to recoup any gains from that time,” he says.

“But equally, because the sector has been a key area of focus for such a long period, the systems are now very well organised and the processes are now in place to monitor sanctions changes and react quickly to them. Importantly, these are now starting to be grouped together with financial crime risks, anti-money laundering, tax evasion and so on, so within banking the compliance aspect is quite evolved.

“Where we’re seeing firms starting to struggle is in sectors outside financial services.”

Obligatory compliance

But like it or not, compliance is a legal requirement, and as sanctions-type regulations are increasingly replicated across the corporate sector to take in everything from money laundering to bribery and corruption, companies have no choice other than to implement the same stringent controls and processes that have, through sheer necessity, been self-imposed throughout the finance sector.

However, the burden of compliance is far from insurmountable.

“To an extent, you can take a risk-based approach to sanctions and other controls,” Dunn says. “You can look at the kind of business you have, the scope of that business in high risk or sanctioned markets, and initiate appropriate action.

“For example, if you’re a small firm predominantly operating in the UK market and don’t have a big footprint in sanctioned territories or intend to expand into high risk markets, you might only need to occasionally monitor the Treasury sanctions of the UK government and set up alerts from just that one list, rather than lots of other lists from lots of other jurisdictions.”

All these lists, which are published by the different authorities enacting sanctions regimes, are available in the public domain.

“It’s a straightforward matter of logging on to the relevant site and being informed of significant changes,” Dunn says. “A smaller company with a low risk profile can certainly apply a proportionate approach to sanctions compliance. However, as in all matters regarding regulatory compliance, ensure you take appropriate legal advice.”

Not so, however, some others. As the risk ramps up in direct proportion to the number of countries an entity is active in, compliance becomes much more of an industrial process.

“You need the appropriate tools, all the relevant lists, the workflow, name-matching and the functionality to maintain that,” Dunn says. “It is why in sectors such as financial services, there are now dedicated sanctions teams with dedicated analysts in place. It is a very significant process.”

Is outsourcing an option?

In a bid to circumvent this, some companies have started to look at outsourcing the process, but Dunn emphasises the reality.

“It’s true that this is an evolving area, but ultimately from a regulatory point of view you really can’t outsource the risks,” he warns. “You can outsource the task monitoring and due diligence, but as a regulated entity, if things go wrong you will still be ultimately responsible for what happens. You cannot blame a third party and expect the regulator to go after that outsourced partner.

“Where we’re seeing this sort of thing happen is in fairly basic areas like getting consistent client data and standard company information and profiles. There is an enormous amount happening there at the moment, with several initiatives going on in the private sector with different companies looking at how they can standardise and bring together collective databases that people can share and contribute to.

“Perhaps this has potential, but where I think outsourcing is less likely to happen is in much higher risk areas – places for which you might have initial assessments done, but ultimately the decision to go forward or not is going to be based on your view and your research and your analysis. You can’t outsource that.”

Training the key

Indeed, according to Dunn, in those sectors where there is a great exposure to risk, companies need to have in place a dedicated training program, much in the same way as has developed with anti-bribery and corruption.

“It’s now fairly standard to have in place an electronic training program that everybody signs up to do,” he notes. “They’re monitored until they have completed that program, and audited in the sense that the training is recorded until they have completed the course. Then there might be a refresher program in a year’s time.

“It is important to demonstrate as best you can that you are mitigating the risk, and training is one way of doing that. Having a solid policy, having the board endorse that policy – you have to show that you are doing your best, whether it be sanctions, anti-corruption, anti-money laundering, or anything else.”

Notably, in some jurisdictions, such as with the UK Bribery Act, it is actually a legal defence to have in place “adequate procedures” that effectively aim to mitigate the risks of bribery and corruption.

Australia is no exception with its anti-corruption legislation.

“If you have in place robust due diligence controls that apply to your employees, customers and third party business partners, it will be looked on favourably by the regulator if things go wrong,” Dunn says. “So that can help, but ultimately if the criminal conduct is bad enough then, frankly, it doesn’t make much difference.”

Be realistic

So what, exactly, entices companies into this minefield in the first place?

“Every company’s business development strategies mean high growth and emerging markets are the ones they want to be in,” Dunn says. “Unfortunately, many countries that have high growth also have a very high perception of corruption when reviewed on surveys such as the annual Transparency International Corruption Perceptions Index.

“So, firms that are highly motivated and focused with strategies to get into those markets and access new consumers or open up new areas of business development, obviously also have teams that are committed to taking market share. But against that backdrop, they have to be doing it in the right way and operating within very robust controls, because if misconduct – or suspected misconduct – occurs, the company is going to have to be in a position where it can demonstrate it did its best to avoid it.”

And if it can’t?

“We’re seeing examples now of companies exiting markets where the risks have become too great for them to operate,” Dunn says. “They are literally walking away, even though some of those markets might be very attractive. They’re just leaving those markets because of the risk.”

For those that choose to stay, however, the risks are becoming exponential.

“There are four fundamental drivers,” Dunn says, and reputation is arguably the most important.

“But then you have the regulatory impact as well, so it’s vital to meet the expectations of authorities, otherwise be subject to the financial cost, which means fixing things in terms of implementing proper process, training your staff, putting in place a policy and having a legal review. That’s on top of paying the actual fine. So it’s reputation, regulatory, and financial – but then there’s the strategic impact as well.

“If you’re proactive in trying to develop your business and access certain markets, but getting a bad reputation or being perceived as a company that’s taking too much risk, it’s not going to help you develop that business. Then there’s the upheaval of internal processes and the things that need to be fixed through enforcement.

Reputation at risk

“But reputation is the biggest issue. We’ve seen examples of enforcement where share prices have been impacted but ultimately recover, but when it comes to general reputation – especially if you’re dealing in markets where there are consumers involved – and despite everything you have a strong ethical stance, a sound CSR policy, and are trying to put out the right image, to be picked up on these things can be catastrophic.

“There have been instances where regulators have inferred that an institution has inadvertently supported terrorism. Those sorts of headlines are definitely not what you want to be associated with.” •••


In DePtH

DIGItal DISrUPtIon: WIll YOU BE THE NEXT VICTIM?As digital innovations accelerate, businesses have even shorter

timeframes to react and make the changes to their models needed to

survive and thrive. But how can this be done?

“It’s a lesson in the dangers of complacency, and how quickly a 200 year-old brand can disintegrate in a new technological age under pressure from disruptive competitors.”

change and face it armed with the right knowledge, attitude and tools to respond appropriately.

“To be able to confront change with confidence, businesses need to have the systems, skills and culture to anticipate and respond quickly to disruptive trends,” Anderson says. “sustaining a business today requires more than the traditional processes for managing a company well. It involves building new capabilities into the company’s dnA so that it becomes ‘normal’ to challenge assumptions that have underpinned prior success. disruptive technologies often create new markets, so managers must become adept at imagining what those markets and customers could be and the products and services that will be of value to them.”

Anderson says businesses specifically need to be able to do four things really well. first, they must understand the critical assumptions underlying their business model. These are management’s assumptions about markets, customers, competition and technology and are the foundation for the business’s viability.

“A dramatic shift in any of these drivers will instantly jeopardise the company,” he says. “nokia’s demise is a classic example. It may have been first to market with smartphones but its slowness in reacting to the meteoric popularity of iPhones and their user-friendly touchscreen and app-based operating system, quickly led to the company losing its pioneering market share.”

second, businesses need to be able to apply scenario analysis capabilities to evaluate when an event or events will invalidate any of those critical assumptions. scenarios help management to understand the factors that will have greatest impact on the success or failure of the business model. for example, industries that lack strong barriers to

nokIA, BloCkBusTeR VIdeo, BoRdeRs, kodak – brands that were once household names, now wiped out by the scourge of digital disruption. Initially, it was IT, telco, retail and media businesses that bore the brunt. But today almost no industry is immune as the impacts of technology-driven disruption reverberate as far as the mining, finance, health, education and agriculture sectors.

disruptive change is more powerful today with the exponential pace of change. The advent of the internet over 20 years ago has been compounded by a rapid wave of further breakthroughs, from mobile technologies, broadband, smartphones, e-commerce, social networking and more recently, the spectre of the “Internet of everything” on the horizon. These developments have dramatically changed consumer behaviours and the competitive landscape as we know it. The way business is done has changed for good, and all in a relatively short space of time.

disruptive innovations may once have taken a decade to transform an industry. But research shows that today, the timeframe has been compressed by half. In fact, a recent study from the Global Centre for digital Business Transformation found that four out of today’s top incumbents in terms of market share in each industry, will be displaced by digital disruption in the next five years. And the threat of displacement extends not just to individual companies, but entire industries.

so how can businesses get and stay ahead of the disruption curve? how do they recognise that the winds have shifted and take appropriate action, before their boat is wrecked?

Gary Anderson, managing director of global risk consulting firm, Protiviti, believes that the only viable alternative to becoming a victim of this perpetual cycle of innovation, is to accept the inevitability of X

Page 28: DIGItal DISrUPtIon - thegrcinstitute.org · 2016-07-29 · column as managing director of the GRC Institute. while tradition dictates that on such occasions a retrospective piece

28 GRC Professional • August 2015

In DePtH

“Having knowledge of an emerging opportunity or risk without converting that knowledge into hard choices and actionable plans to innovate processes and offerings, is as useless as having no knowledge at all.”

order to evolve the business to meet customers’ next-generation expectations.”

According to Anderson, while these four capabilities can help a business recognise the vital signs of disruptive change, alone that isn’t enough. Timely reaction must follow – and this is critical in a dynamic environment.

“having knowledge of an emerging opportunity or risk without converting that knowledge into hard choices and actionable plans to innovate processes and offerings, is as useless as having no knowledge at all,” he says.

To ensure timely reaction, management must foster an organisational culture that encourages staff and executives to be attuned to changing market forces and consider their impact on the business model.

This may involve facilitating dialogue between business lines or establishing “think tanks” comprising senior staff from diverse parts of the business with skillsets in customer behaviour, strategy, technology and the like, to evaluate the warning signs and formulate ideas to move forward. Reporting and communication channels that break down silos in the organisation can help ensure management receive more accurate, complete and timely information.

management should also be incentivised to come up with ideas to turn revised assumptions into actionable changes to strategy and product plans. An example is to introduce performance and

entry because they are lightly regulated or have lower capital requirements, may be more susceptible to technological progress as they are more likely to face new and unexpected sources of competition.

Third, companies should ensure they are collecting and analysing up-to-the-minute competitive and market intelligence to identify when the scenarios of greatest concern are developing or have occurred. Competitive intelligence involves monitoring competitors and market trends using a variety of internal and external sources, to obtain insights about competitor activities and market movements, before they become common knowledge. The aim is to maximise market opportunities as they emerge and minimise threats before they become a devastating force.

“having foreknowledge of market shifts and competitor plans is vital for any business that wants to stay ahead of the pack. This is considered so important that 90 per cent of fortune 500 companies now practise competitive intelligence or have a dedicated function,” Anderson adds.

finally, the business must also be able to distil information about critical assumptions, scenario analyses and market intelligence and promptly communicate those insights to relevant decision makers.

“Collecting the data is one thing, but making sure it gets to the right people is just as important. There’s no question that executives, whether in finance, R&d, sales or strategy, must have this information in X

Page 29: DIGItal DISrUPtIon - thegrcinstitute.org · 2016-07-29 · column as managing director of the GRC Institute. while tradition dictates that on such occasions a retrospective piece

2929

personal computers, until the company eventually went bankrupt in 1996. It’s a lesson in the dangers of complacency, and how quickly a 200 year-old brand can disintegrate in a new technological age under pressure from disruptive competitors.

“Resilience means not being content with historical success, but having the grit to make difficult decisions to support long-term performance in an unpredictable environment,” Anderson notes. “And it involves fostering a culture that supports innovation yet accepts that rational but bold experiments can sometimes fail.

“Change is a double-edged sword. It can be a sign of the beginning of the end, or present an opportunity to take the business to another level. What separates the winners from the losers is the ability to recognise the vital signs early and to act on them decisively.” •••

compensation arrangements that foster alertness to changing market conditions.

“If there are no incentives to question the durability of the business model, or if product and process owners have difficulty identifying new ways to enhance offerings – these are signs of trouble,” Anderson says.

Importantly, every business should strive for resilience. This is the ability to accept, not ignore, changing market realities and to act decisively to rework strategic and business plans when change is necessary.

The demise of Encyclopaedia Britannica is a case in point. It was one of the world’s best-known brands but by the 1990s, sales of Britannica’s multi-volume print sets had plunged by more than 50 per cent. Despite this, management continued to downplay the impact of the arrival of CD-ROMs, the internet and


30 GRC Professional • August 2015

COMPLIANCE

DUMB AND DUMBER: COUNTERING REGULATORY OVERKILL

Rules and regulations have become the norm in everyday life and in business, and while most believe they’ve gone too far, a few are actually doing something about it. Mark Phillips reports.


So, next time you’re out for an intimate dinner at your favourite restaurant (eating inside, of course), you may well be staring at a picture of a cirrhotic liver on the wine bottle. Should do wonders for ambience.

While there might be broad support for initiatives like plain packaging for cigarettes, it seems Australians are more sceptical about like-minded measures such as a “fat tax” on junk food and pre-commitment technology for poker machines. Whatever happened to personal responsibility or, for that matter, the free market?

Business backlash

Last year alone, the Australian Federal Parliament passed 4607 pages of new legislation. Australia may be a very compliant society – and with three tiers of government, what choice do we have? – but in a new Galaxy poll conducted for the Institute of Public Affairs (IPA), 48 per cent of Australians said there is too much government regulation on businesses. Only 18 per cent disagreed.

“There is now a red tape crisis,” says IPA deputy executive director James Paterson. “Australia runs the very real risk of losing new projects because of the compliance burdens companies face, and the problem is only getting worse.”

The Australian Chamber of Commerce and Industry appears to agree. According to its “2015 National Red Tape Survey”, 96.7 per cent of businesses reported that the regulatory burden on their business was either the same as or higher than it was 12 months ago.

Australia has rules against everything. Much like Singapore, it has well and truly earned its global standing as a nanny state.

You can’t ride a pushbike without a helmet, because you’ll be fined. You can’t buy a drink at the pub, because it’s after midnight. You can’t dine alfresco, you can’t do this and you’d better not do that, because there are rules against it.

Speaking a few months ago at the Vivid Ideas festival in Sydney, Canadian journalist, magazine publisher and widely regarded guru on urban design and cities, Tyler Brûlé, said Australians were increasingly being mollycoddled through health and safety laws, and that Australian cities were at risk of becoming over-sanitised.

“This country is on the verge of becoming the world’s dumbest nation,” Brûlé said. “There will be a collapse of common sense here if health and safety wins out on every single discussion.”

Well, guess what? Regulators could soon be looking to introduce graphic warning labels on the packaging of alcohol products, soft drinks and “junk” foods because they’re considered to be unhealthy.

At least, that’s the prediction of a senior partner at law firm Herbert Smith Freehills, which is taking on the World Health Organisation on behalf of British American Tobacco (BAT) over plain packaging and warning labels on tobacco products. Needless to say, Australia was a world pioneer in both initiatives.

According to Benjamin Rubinstein, who was part of the legal team that successfully defended BAT in a US$280 billion racketeering case in the US, tobacco is the “canary in the coal mine”.


Meanwhile, the Productivity Commission has for several years produced reports targeting regulatory clutter. In its most recent review of the compliance burden of government regulation, it found that the burden disproportionately affected small business.

The research report “Regulator Engagement with Small Business” called for governments to apply “regulatory impact analysis principles”. Legislation should be only that required to “regulate effectively”, with no duplication within government, it stated.

What’s more, the commission estimates that there are about 130 national government regulatory agencies in Australia, with another 350 operating in state and territory jurisdictions and a further 560 within local councils.

According to the Australian Institute of Company Directors’ “Directors Sentiment Index” there are simply too many steps, rules and checks. The amount and complexity of legislation, the survey concludes, invades decisions, meetings and planning, making it more difficult to engage in the business of business.

In fact, it’s hard to find anyone who begs to differ. “The aggregated burden for business and other organisations that are subject to all of this regulation is significant – and is significantly higher than it needs to be,” says Australian Industry Group chief executive Innes Willox.

Self-imposed costs

But is there another way of looking at the regulatory and compliance burden – at least insofar as businesses are concerned? Unfortunately, the only way governments are going to roll back their “nannying” more generally is if they become so cash-strapped they can no longer afford armies of bureaucrats to enforce silly rules.

Professional services firm Deloitte, in its report “Get out of your own way: Unleashing productivity”, calculates the annual national cost to businesses of complying with rules and regulations at $250 billion.

Interestingly, however, this cost comes in two parts: the cost of administering and complying with public sector regulations ($95 billion: $27 billion a year to administer, plus a huge $67 billion a year to comply with); and the matching cost of administering and complying with the rules that organisations choose to impose on themselves ($155 billion: $21 billion to develop and administer, and a stunning $134 billion a year in compliance costs).

In other words, the dollars locked up by businesses in complying with self-imposed red tape are actually double those associated with government regulations.

is stopping you doing your job?’ And each time we identify a disappointing level of unnecessary rules, which we have to remove,” says Deloitte ACT managing partner Lynne Pezzullo.

“We did this only recently, for the fourth time, and still we are finding rules that slow us down.

“For us, our Dumbest Things campaign is the beginning of a purposeful and programmatic unleashing of productivity across the organisation. It’s about actively reminding all our people that innovation comes from building a culture that focuses on what must go right, not what could go wrong.”

Pezzullo says there can be many reasons driving the excessive burden created by self-imposed red tape in businesses, among them poorly defined authorisation levels, divisional/branch structures that create activity and compliance silos, plus the poor use of technology for compliance services.

“Both the public and private sectors can benefit from a new approach to rules and regulations,” Pezzullo says. “There are huge potential efficiency gains to be had from ruling ourselves more effectively – by businesses slashing their own red tape. By cutting or simplifying rules, we can all get out of our own way.”

Making the best of it

Unfortunately, it is sometimes easier said than done for compliance officers to transform this kind of strategy into reality. Despite the best of intentions, many companies across multiple industries still experience disruptive and fragmented business processes and compliance program implementations.

In essence, the challenge is to transform compliance programs from burden to enabler – to ensure that the investment in such programs most effectively results in both compliance and corporate benefit. By necessity, such a culture has to put strong emphasis on people, along with the inevitable, and sometimes valuable, focus on business processes and technology.

This three-tiered strategy is certainly not new, but given the range of non-compliance prosecutions, the “people, process and technology” mantra seems to often get lost in corporate reactions to increasing compliance challenges. It can be forgotten that if they are to be truly effective, compliance laws and regulations require corporate commitment, and that means ensuring individual understanding

Of course, businesses usually impose rules on themselves for good reason – to increase controls, avoid risk, create compliance or make the organisation more effective. Yet often there are unintended or unforeseen consequences, with the new rules creating overlaps in regulation, or old rules becoming outdated due to changes in technology or business models. Examples uncovered by Deloitte include:

• The Commonwealth public servant who needed two approvals to spend $35 on catering for a meeting.

• The HR department that went through with an interview process even though it knew that part of the organisation was being disbanded.

• The small taxi fares that have to await approval from the weekly executive team meeting.

• The firm that rejects application forms from potential customers if they are completed in blue ink.

• The firm that made engineers sign off on new parts at a fixed location, making them walk 15 kilometres a day.

• The rules that made staff record every guest coffee made, but let them order as much alcohol as they like.

• The firm that made staff do an ergonomic checklist when moving desks, then introduced hot-desking.

• The global HQ that told a newly acquired Australian subsidiary that it couldn’t put an Excel spreadsheet on its website, even though the new subsidiary’s line of business was selling data in Excel format to clients.

• The senior public servant in Sydney who needed the approval of his departmental head to travel to Parramatta, as it was deemed to be outside city limits.

Certainly the time required for employees to comply with self-imposed rules has become a crippling burden. Middle managers and senior executives chalk up 8.9 hours a week complying with the rules firms set for themselves, with other staff spending 6.4 hours.

In response, Deloitte took a dose of its own medicine, asking its employees to identify “dumb rules” that get in the way of innovation, collaboration and creativity, with a “Dumbest Things” internal campaign.

“Every few years over the past decade we ask our people: ‘What are the dumb things we do? What


Moving forward

Deloitte’s Pezzullo perhaps best sums up compliance overkill when she says:

“Our rule-makers – both government and business – often try to achieve the unachievable. They set rules that are too prescriptive, overreact to momentary crises, let new rules overlap with existing rules, don’t listen to those most affected, and don’t go back later to check how well their rules are working or if they are still required.

“Bureaucracy isn’t solely something that governments can do better – we all can.”

Indeed, a good example of bureaucracy gone mad was the Howard government’s implementation of the draconian WorkChoices regime, which forced a whole new level of punitive rules on businesses that failed to keep log books of staff hours worked. Had it not been repealed by the Rudd government, “bundy” clocks would probably have become ubiquitous in Australian offices.

Fortunately, in certain respects we have come some way since then. Only this month PwC announced that it has decided to extend a flexible working program it has been trialling to its entire 6000-strong workforce. Under the initiative, staff will be free to decide their own hours of work.

However, PwC is not the first blue-chip organisation to lift the hand-brake on what it sees as unnecessary constraints. Telstra went down the same path two years ago, and so have the Australian Stock Exchange, ANZ Bank and Westpac. Others are likely to follow suit.

of the rationale behind them, and most importantly, enterprise-wide adherence.

For compliance officers, this “back to basics” approach means emphasising the role compliance has in achieving “standard” corporate goals such as revenue generation, customer satisfaction and efficiency.

“Viewing compliance strategies from this perspective can transform adherence from a fear-driven cost burden to an enabler for brand protection, risk management, business continuity, cost savings and productivity increases,” the US-based Gilbane Group told attendees at a recent seminar it held in Boston.

So, how can compliance officers best ensure that the culture they oversee has a strong emphasis on people? In its presentation, a Gilbane spokesperson said there needs to be two areas of fundamental focus:

• Providing easy-to-read and understand documented organisation mission statements, policy and procedure manuals, together with educational tools that help process owners understand how they – individually and collectively – fit into the bigger picture.

• Mentoring – or “chaperoning” – new personnel that need to ramp up on how regulations affect their responsibilities.

In a prepared statement, Gilbane Group said:

“The simple fact is that policies, procedures and the technology that supports them do not work if they are not accessible, flexible and usable for the people they serve. They can certainly be implemented, but there’s little guarantee they will be used effectively and productively without these characteristics.”


competing for the top talent in their markets. It should be no surprise that these organisations have realised that the best way to do that is by increasing freedom and self-determination.

Unfortunately, in Australia such a common sense approach to governance is still very much the exception, rather than becoming the “rule”. •••

Gone are the days of having to go cap in hand to your manager if you want to take a flexible approach to your role. Instead, the onus is on managers to find a way to make the new arrangement work, unless they can convince their own bosses that it’s impractical.

It is no coincidence that PwC’s initiative comes at a time when many large employers are proactively



[Figure: Annual cost of rules to Australian businesses and families. Source: Deloitte]

[Figure: Hours spent per week on self-imposed rules. Source: Deloitte]


INSTITUTE NEWS

FRAUDSEC: A UNIQUE PROCESS SOLUTION FOR THE GRCI

A new agreement has been entered into that aims to alleviate member concern about potential fraud or ethical breaches adversely impacting the GRCI.

as the GRCI’s, where integrity and reputation is of substantially higher value than the monetary consequences of potential fraud.

The way the GRCI system has been set up is to establish Institute directors and key members of staff as the report recipients for when an incident is detected. Reports cannot be deleted, even if an individual whom a report concerns is named. However, should that become an issue, other directors or staff will be able to remove a particular person’s name.

Most importantly, an individual reporting a suspicious activity will at all times remain anonymous in the process, thereby ensuring not only that their identity is protected but also that the concerns they raise are actioned – even if they allude to activities by current staff or directors of the GRCI.

Clearly, this would not be possible using current methodologies – a process issue that has been previously raised by members and, through the new arrangement with Fraudsec, has now been addressed. In other words, members will now have no reason not to report an issue they consider suspicious, potentially fraudulent, or simply unethical.

The GRCI will be using the Fraudsec app in two ways:

1. As a portal for members and staff who may want to report known or suspected fraudulent use of members’ funds.

2. As a portal for members to report known or suspected breaches of the GRCI Code of Ethics by members or officers of the GRCI.

Should any members have concerns they would like to raise regarding the new arrangement with Fraudsec, or a related matter, link to the following address and your comments will be relayed to all members via email: https://fraudsec.com/reports/add/grci •••

With fraud and corruption around the world costing businesses around five per cent of their revenue, or over US$3.7 trillion every year, companies are obviously desperate for a solution.

A proven way to at least mitigate the problem has been to empower people to do the right thing by “blowing the whistle” when they believe something unethical or fraudulent is happening at work, with anonymous tips being the most effective method of protection.

Unfortunately, traditional channels for whistleblowing are often ineffective because whistleblowers are worried about the consequences of their actions for them.

Enter Fraudsec, which guarantees whistleblowers anonymity by providing organisations with a unique two-way communication platform via any web-enabled device.

Fraudsec founder Sylvain Mansotte was himself a one-time whistleblower, exposing one of Australia’s largest frauds while working at Leighton Contracting.

The GRC Institute has now entered into a profit share agreement with Mansotte based on sales that arise from enquiries from our membership via the Fraudsec app. It is an arrangement that will benefit all members because it funnels funds back into the Institute.

Importantly, it also solves a process issue for the institute in that it allows us to apply the tool specifically to our own unique circumstances. It is a fit-for-purpose solution given the probable small scale or likely risk of an ethical breach among our membership which, regardless, could have a high impact on the GRCI should an issue arise without an appropriate channel through which to report and suitably deal with it.

It is certainly an attractive alternative solution for any organisation with an unusual scope such

A FEAST OF LEARNING

For members in more senior roles who may be looking for training more tailored to their experience, we also have a residential session of the Graduate Certificate in Compliance Management available in October in Sydney and in November in Auckland.

We may be slightly biased about this course, but feedback from the sessions is always outstanding and the networks and friendships formed by attendees continue for many years. We also offer this as a distance education option for those who simply cannot make the residential, but it is a pretty unique experience to be able to spend five days with your senior peers, immersing yourself in the content and activities and, wherever possible, we suggest this be your first option.

Due to demand, we have also scheduled in September another session of the Change Management one day workshop with Michelle Gibbings, to be held in Sydney. The session booked out the first time we ran it, so this second session will hopefully suit those who couldn’t initially make it.

We are also running a pilot session of a half day training event dedicated solely to the new compliance standard ISO 19600. This event is designed to take participants through the standard and is especially suited to anyone new to a compliance standard – those who have not used either this ISO standard or the Australian and New Zealand Standard 3806 to develop their compliance programs.

A number of other first-time events are currently also in the works, so please keep an eye on our events page or your inbox for further details. •••

We have a busy end of year ahead at the GRC Institute. As is usual for this half of the year, much of what you hear will be about our premier conference, GRC2015, being held in Melbourne at the end of October. The full hard copy program will shortly be landing on your desks and we encourage you to review the range of speakers and workshops lined up for this year.

It’s always our goal to challenge and inspire conference attendees and the focus is very much front and centre on one of the biggest challenges faced by compliance professionals: managing change.

Whether it is a regulatory project implementation, organisation-wide updates to the compliance and/or risk framework, or the “big beast” – shifting the culture of an organisation in the right direction – we have sourced creative thought leaders who have faced similar challenges with success. We invite you to come along to hear what they have to say, to take those lessons back to your organisations, and to hopefully enjoy similar successes.

For those looking for other professional development options, we have a diverse range to fill your calendar – all of which can be viewed on the events page of our website.

For example, the Certificate IV in Compliance Management has a number of sessions scheduled leading up to December. Aside from providing a solid platform of professional knowledge about compliance and risk management, these courses are nationally recognised and ensure the skills and knowledge gained are portable and that employers can understand the robust assessment process you would have undertaken to gain the qualifications.


Special offer

If you are a non-member and wish to attend the GRC2015 conference, mention our ‘CHANGE CATALYST’ promotion and receive membership with the GRC Institute from September 2015 to 30 June 2016 when you book your full conference pass at $2200. To take up the offer simply email [email protected] and she will take care of your conference booking and membership.
