May 2011, Issue 85
March 2011, Issue 83
PP255003/06868
www.riskmagazine.com.au

INTERNAL AUDIT: HOLLARD INSURANCE COMPANY’S GROUND-UP APPROACH
SPECIAL REPORT: D&O INSURANCE UNDER STRAIN POST-GFC
CLOUD COMPUTING: THE RISKS OF TAKING DATA OFFSHORE
SOCIAL MEDIA: THE RISKS TO BRAND AND IMAGE
RISK CAREERS: RISK PEOPLE IN DEMAND
HEDGE FUNDS: THE COURT CASE WHICH RATTLED WALL STREET
NEWS REPORT: THE RISKS OF A RISING DOLLAR
CLEAR VISION ON CORPORATE GOVERNANCE: WHY A TICK-BOX APPROACH SIMPLY WON’T WORK
Fraud: top level managers hold the key to prevention
HAS BCM LOST ITS WAY? CHALLENGING THE STATUS QUO
THE CHINA SYNDROME
RISK PEOPLE: CAMERON SMITH FROM THE WESTPAC GROUP TALKS ABOUT MOVING FROM AUDIT TO OPERATIONAL RISK
10 CYBERTHREAT PREDICTIONS FOR 2011
MANAGING ENVIRONMENTAL RISKS
RISK PEOPLE: SUNCORP’S RISK AND COMPLIANCE MANAGER, PAUL MUIR, ON THE HALLMARKS OF SUCCESSFUL ERM
Contents

COVER STORY 12
Fraud is an ongoing issue for many Australian organisations. Craig Donaldson looks at the latest fraud trends, explores the most common vulnerabilities and details how companies can take a proactive and preventative approach to fraud

FEATURES AND REPORTS
News Report: The risks of a rising dollar 11
With a high Australian dollar, companies should revisit their risk management strategies and implement good hedging policies
Case Study: Building internal audit from the ground up 16
The Hollard Insurance Company has taken a whole-of-business approach in building a strong internal audit program
Risk Feature: Has BCM lost its way? 20
Business continuity management professionals need to challenge the status quo by providing simple and efficient solutions, writes Craig Donaldson
Environmental Risk: The China Syndrome
Social Media Report
Risky Business

REGULARS
Editorial note 05
News review 06
Opinion & Comment 08
Risk People 24
Risk Careers 25

Risk May 2011 3
From the editor

Does your BCP work?

Sarah O’Carroll, Editor

What’s your take on this quote? To have your say, write to the editor at sarah.ocarroll@lexisnexis.com.au. Best comments will be published in the May issue of Risk.
No executive will thank a business continuity manager for saying “I told you so”. But because many in the business continuity area have experienced the feeling of banging their head against a brick wall with executives in the past, many have lost their passion and zeal and resorted to a tick-the-box approach to business continuity planning. Therefore, according to Alex Serrano, senior manager, advisory at Ernst and Young, managers have forgotten to ask whether their carefully scripted business continuity plans actually work in practice. Given the recent spate of natural disasters, coupled with ongoing reported terrorist threats, executives are becoming more acutely aware of the need for crisis communication plans, remote disaster recovery sites and emergency PR strategies. Lately, it would seem foolish not to be prepared. However, these plans are often criticised for being too complicated and ineffective when it comes to the crunch. Although all the boxes have been ticked, plans drawn up and files stored, the reality is, when disaster strikes they often don’t work. Very often the work of the business continuity manager may never be put to the test and indeed if it is – it might just be the once. But Serrano believes it’s time for business continuity managers to regain their zeal and challenge the status quo. He believes business continuity management is being challenged to “pay its way” more than ever before.
“Senior management and boards are, frankly, fed up with silo-based approaches to operational risk, and are demanding that BCM ‘up-periscopes’ better to work out how its approaches enmesh properly with the fundamental risk management processes within an organization,” he said. (see news report p20). As many companies disclose their business continuity preparedness, it’s one thing to have a plan but it’s another to practice it. And even if they’re feeling demotivated, they won’t be thanked for being able to say “I told you so”.
“Working collaboratively and in partnership with our internal and external governance bodies generally ensures successful working relationships” Adam Plummer, fraud manager, Zurich Financial Services Australia
About us
Editor: Sarah O’Carroll. Journalist: Ben Nice. Contributor: Craig Donaldson. Designer: Ken McLaren. Design Manager: Anthony Vandenberg. Production Manager: Kirsten Wissel.
CAB member since December 2005
Subscribe today Risk Magazine is published monthly and is available by subscription. Please email: subscriptions@riskmagazine.com.au All subscription payments should be sent to: Locked Bag 2333, Chatswood D/C, Chatswood, NSW 2067
Advertising enquiries: Marika Biro - (08) 8371 5800 marika@agsmedia.com.au Editorial enquiries: All mail for the editorial department should be sent to: Risk Magazine, Level 1 Tower 2, 475 Victoria Ave Chatswood, NSW 2067
Copyright is reserved throughout. No part of this publication may be reproduced without the express written permission of the publisher. Contributions are invited, but copies of all work should be kept as Risk Magazine can accept no responsibility for loss. Risk Magazine and LexisNexis are divisions of Reed International Books Australia Pty Limited, ACN 001 002 357, Level 1 Tower 2, 475 Victoria Ave, Chatswood, NSW 2067, tel (02) 9422 2203, fax (02) 9422 2946. ISSN 1833-5209. Important Privacy Notice: You have both a right of access to the personal information we hold about you and a right to ask us to correct it if it is inaccurate or out of date. Please direct any queries to: The Privacy Officer, LexisNexis Australia, or email privacy@lexisnexis.com.au. © 2009 Reed International Books Australia Pty Ltd (ABN 70 001 002 357) trading as LexisNexis. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., and used under license.
News Review
CFOs’ appetite for risk on the rise
FOR the first time in 12 months, most chief financial officers (CFOs) believe that now is a good time to take additional risk onto their balance sheets, recent research has found. “CFOs see 2011 as the year to invest in their businesses to deliver growth,” said Keith Skinner, chief operating officer at Deloitte, which conducted the research. It found that 52 per cent of CFOs were willing to take additional risk onto their balance sheets while 61 per cent are planning to increase capital expenditure – with 26 per cent planning to do so by 20 per cent or more, compared to 2010. Underlying confidence in their own business performance continues to grow, with more than 81 per cent of CFOs believing their operating cash flow will increase over the next 12 months. A further 54 per cent of CFOs are more optimistic about the financial prospects for their company than they were three months ago. “Despite a number of shocks at home and abroad, CFOs are enjoying a period of good performance and this is contributing to increased confidence and a renewed appetite for risk,” said Skinner.
When asked about the potential impact of a price on carbon, the vast majority (84 per cent) expected it to make Australia less competitive globally. However, when asked about the impact on their own company’s financial performance, CFOs were split, with 44 per cent believing it would have no impact and 52 per cent predicting a negative impact. However, 95 per cent think corporate profit margins will decline, possibly indicating that companies would not be passing on all of the cost implications of a price for carbon. “There is still significant uncertainty about the shape of the final legislation; however, at this point CFOs are expecting to pass on most of the carbon price to consumers, or will be lobbying government for assistance if they are trade exposed,” said Deloitte climate change and sustainability leader, Brad Pollock. “The sector and the price elasticity of demand for their products will dictate just how much will be passed on to consumers.” The good news for the policymakers, according to Pollock, is that 73 per cent of CFOs do expect the price on carbon to drive increased investment in low carbon and renewable energy, and three quarters (76 per cent) expect it to drive a demand for low carbon products. The Deloitte CFO Quarterly survey captured the opinions of 85 CFOs, representing businesses with a combined market value of approximately $397 billion or 26 per cent of the Australian quoted equity market.
“Despite a number of shocks at home and abroad, CFOs are enjoying a period of good performance and this is contributing to increased confidence and a renewed appetite for risk” Keith Skinner, chief operating officer, Deloitte
Risk plus finance equals higher profitability
FINANCIAL institutions that align their risk and finance functions are more profitable, according to recent research. A global survey of nearly 200 senior banking executives in finance and risk found that of those who have much better alignment between their risk and finance functions, 60 per cent are much better when it comes to financial performance while 92 per cent are above average. The research, conducted by the Economist Intelligence Unit in collaboration with CFO Research Services and sponsored by Oracle, found that the benefits of closer alignment between finance and risk are both specific, such as identifying potentially profitable clients, and general, such as providing a greater understanding of the global context in which major strategic decisions are made. Alignment between risk and finance begins with good data; however, the survey pointed to significant differences in the perspectives and cultures of the two functions, with the leading risk-related priorities for finance departments cited as improving processes (54 per cent), data integration (46 per cent) and data management (40 per cent). Alignment involves the creation of a common view of risk, and common data relating to it, across a company – and especially between the risk and finance departments, according to the research report, Transforming the CFO role in financial institutions: Towards better alignment of risk, finance and performance management. It also found that a majority of finance functions are not applying risk data beyond compliance and product allocation to areas like analysis and budgeting. Just over half of financial institutions have increased their use of risk data in compliance efforts, and 54 per cent in product allocation – both areas where its application was already well established. Fewer are applying the data more broadly, to significant responsibilities of the finance function such as financial analysis (41 per cent), front office lending (39 per cent) and budgeting (36 per cent). The research report also found that the main barriers to incorporating risk-based data into financial and performance management are poorly integrated systems (41 per cent) and inconsistent metrics within their companies (37 per cent). Moreover, 28 per cent of respondents believe that information silos within their companies erode the capacity to share relevant risk information; financial institutions have, however, responded with significant investment in this area.

Defining intangible risks
Like all areas of risk management, clear terminology in brand and reputational risk is important, according to Wayne Middleton, principal of Reliance Risk.
Brand: a collection of values or personalities connected with a service, a person or another entity.
Image and reputation: comes from people’s experience of the brand and how the brand is perceived, such as customer service and quality of experience.
Reputation risk: the loss of positive image and trust built over time, which comes from a customer’s experience with the brand. This image and trust is what the organisation must provide to attract customers, employees and partners.

Managing brand risk in a crisis
WHILE most organisations tend to understand brand and crisis management, there is often a disconnection between those in marketing who manage brands and those who facilitate risk management processes across a business, according to a local risk expert. While professionals tend to understand the importance of effective communication with stakeholders and media management when under the spotlight, this disconnection means that “perhaps not enough preventative effort is placed on clearly understanding the organisation’s brand vulnerabilities in the context of risk management”, said Wayne Middleton, principal of Reliance Risk. “I believe a lot of organisations do intuitive risk management of their brand and reputation without formalising some of it using risk assessment, applying the organisation’s risk management framework (if they have one) to these consequence categories, and reporting against them in the context of other significant risks to the business.” As such, Middleton recommended organisations undertake a brand vulnerability risk assessment, which includes a solid stakeholder analysis that looks at customers, employees, industry, key influencers, regulators and competitors. He said the assessment should seek to establish actions to: identify risk prevention strategies through the enterprise-wide risk program; implement goodwill strategies with major stakeholders (as goodwill can be an effective barricade against short-term brand erosion in a crisis); implement a communications plan to keep constituents informed, including a pledge to do the right thing; and link with the crisis management plan.
News Review
Insider trading fraud case rattles Wall Street
HEDGE fund trader and Wall Street billionaire Raj Rajaratnam has been found guilty on 14 counts of conspiracy and securities fraud, after scamming $US63.8 million ($60 million) in illicit earnings. Galleon Group founder Rajaratnam – the richest Sri Lankan in the world – faces a minimum of 15-and-a-half years in jail following a government crackdown on the illegal practice of insider trading. The investigation has been labelled the largest hedge fund insider trading case in history, with the FBI using phone-taps to monitor the self-made billionaire. As the first of the 26 people charged in the case to go on trial, the verdict for Rajaratnam sent a strong warning to other would-be fraudsters on Wall Street, with Manhattan U.S. Attorney Preet Bharara using the outcome to deter the practice of insider trading. “Let greed and corruption cause his undoing,” he said. “We will continue to pursue and prosecute those who believe they are both above the law and too smart to get caught.” Simon Franklin, partner at Australian corporate advisory firm Dequity Partners, said that while he didn’t believe that the case would dramatically affect the risk industry, he expected the high-profile nature of the case to raise awareness. “These stories, and the newsworthiness of them, will certainly raise awareness, especially in terms of the big penalties involved,” Franklin said. “From a compliance or risk point of view, in order to prevent it from happening in the first place, there must be education. I think that’s where the industry is heading.” Franklin said that the approach of most boards, directors or governance people would be to educate the management team as to what they could say in
“It’s quite severe and it might put you off, but there’ll always be someone who wants to profit from information,” Simon Franklin, Partner, Dequity Partners
public, to prevent getting tangled up in such practices. Also highlighting the difficulty in defining what constituted insider trading, Franklin said that it was hard to stop the practice, given the loose and sometimes contradictory nature of the crime, and expected to see more cases like it in the future. “It’s quite severe and it might put you off, but there’ll always be someone who wants to profit from information,” he said. Columbia Law School Professor John Coffee said that the use of government wire-taps was crucial to the verdict, and also emphasised the significance of Rajaratnam’s co-conspirators in the case. “Everyone cooperated against Rajaratnam,” he told Fox Business News. “Why should he be the only stand-up guy? Quite frankly, professionals learn what is legal and illegal not by the law that is on the books, but by who goes to prison and for what,” he said. “And I think a generation of traders, expert networks, securities analysts and others now recognize that participating in an insider trading network is dangerous, because, if one of the participants gets caught, our plea-bargaining system makes it likely he’ll turn in his co-conspirators and all the financial dominoes will fall,” he explained. After the verdict was announced, Rajaratnam was released on a $US100 million bail package, which includes an electronic tag and house arrest in his Manhattan apartment until sentencing begins on July 29. John Dowd, Rajaratnam’s lawyer, said that his client would keep fighting, and would be lodging an appeal.
Internal audit leaders need new skills
INTERNAL audit leaders can no longer rely on business and financial acumen alone, but must also develop “relationship acumen” in order to establish and maintain strong relationships with key stakeholders in a business, according to a recent white paper. Internal auditing’s top stakeholders – executive management and the audit committee of the board of directors – are increasingly demanding that internal audit leaders partner with management when providing both consulting and assurance advisory services. The white paper, produced by The Institute of Internal Auditors and Korn/Ferry International, found that these sometimes conflicting expectations require a broad range of communication skills and sensitivities. It also delineates six attributes that are a must for top audit executives, including positive intent, which is a fair, independent and objective approach to the job, and diplomacy, which the white paper defined as direct, forthright communication (including listening) skills, political astuteness, and sensitivity to the organisation’s culture and how things get done. Other attributes included prescience – an ability to see matters with fresh eyes and a willingness to question assumptions – and trustworthiness (walking the talk, keeping confidences, operating with integrity and maintaining credibility). The last two attributes in the white paper are leadership (setting the tone for the entire internal audit staff, steering others toward consensus, managing conflict and gaining alignment on issues) and empathy (understanding and focusing on each stakeholder’s point of view and being sensitive to their needs and feelings).
“What makes the difference is stopping to reflect on what has been, and still can be, learned.”
The white paper, The Relationship Advantage: Maximizing Chief Audit Executive Success, also said it is essential that candidates for internal audit leadership roles have worked in jobs or situations in which strong relationships are required in order to succeed, and in which something important is at stake. These might include change management roles, international assignments, staff leadership without formal authority, or turnaround situations in which roles are not clearly defined. “What makes the difference is stopping to reflect on what has been, and still can be, learned,” said the white paper. “This extra step separates lifelong learners from those who don’t grow over time.”
News Review

Comment
Internal audit: two steps forward one step back
I turned 40 recently. And my work is making me feel old. You see I’ve become that guy who says things like “back in the mid-90s when we were rolling out CSA, we used to produce these great assurance maps…” or “that way of dealing with strategic risk is so late-90s, it’s okay in theory, but you’ll find that…”. Sure, I was working at the vanguard of audit practice at the time, but with a little over 15 years in the game I find myself as “old man audit” – a source of institutional knowledge on assurance and risk practices. There is some wonderful knowledge that’s been lost – what works and doesn’t in CSA programs, how to use internal audit to drive re-engineering outcomes, why CoCo is easier to embed than COSO etc. And without this knowledge we’re not sophisticated buyers. The snake oil salesmen are alive and well and the old rope is sounding pretty good with its new names and marketing narrative. In part this stems from changes in sponsorship and restructuring in the organisations we serve, but a lot of it is also self-inflicted as a result of how we resource ourselves. Internal audit is a transitory game. It draws on people from all walks of life, many of whom haven’t dabbled in internal audit much before. For most it’s a stepping-stone of 2-4 years, moving onto something else before mastering their craft. The resulting loss of institutional knowledge, and difficulty in moving forward, is enormous. Indeed, in 2011 I see companies implementing 90s ideas or discovering them for the first time. Worse still, I see some companies reinventing the wheel or going down the wrong paths with ideas that have been tested extensively in years gone by. The level of inherent atrophy and wasted investment is enormous. While this is a great platform for a business like mine it does raise a big issue for the internal audit profession. We really should be a lot further ahead than where we are today.
Until we find ways to capture and build on institutional knowledge the profession will continue to spin its wheels. Its aspirations will continue to be for a base level of consistency rather than excellence. And we will struggle to keep pace with the needs of our stakeholders. Until we become proficient in institutionalising this knowledge, we will keep on taking two steps forward, one step back. Todd Davies is one of the region’s pre-eminent thought leaders and innovators in internal audit. For more information: www.todddavies.com.au

Most Australian businesses fail to manage risk
SIXTY-ONE per cent of Australian businesses who conduct international operations do not have sufficient risk strategies in place. The International Trade Tracker revealed that despite high levels of concern about currency fluctuation, Australian businesses were far less likely to manage financial risk when trading internationally, compared to their counterparts in the UK (55 per cent) and US (54 per cent). Canvassing the views of 1,500 businesses throughout the three countries, the survey, led by American Express FX International Payments (AMEX FXIP), found that fluctuations in currency concerned Australian businesses more than anything else, beating issues such as red tape and legislation, cash flow problems, and pricing.
Paul Norwood, director of operations for AMEX FXIP, said that the findings were surprising and that he was alarmed at the rate of complacency shown by many Australian companies. “The Aussie dollar is one of the most volatile currency pairings in the world and it’s not uncommon for the dollar to move 1.5 or 2 per cent in the blink of an eye,” he said. “To have never considered it before, given the potential impact and what it means to Australian business, is definitely concerning.” Thirty-seven per cent of those who do not have strategies in place to hedge currency-related risks said that they had not even considered implementing such strategies before, while 34 per cent said that they didn’t believe that they were large enough or conducted enough international business to justify the exercise. “No matter how big or small you are, as the currency moves 17 per cent, as it has done in the past 12 months, that has to have some kind of impact on your profit margin,” Norwood maintained. A further 21 per cent said that while they were aware of the benefits, managing risk was ‘too much of a hassle’, and that the time, cost and research involved far outweighed the benefits of investing in basic hedging strategies. “If we look at all three reasons, from our point of view it does point to the fact that a lot of companies aren’t aware of the basic tools that are out there to enable them to effectively manage their risk,” he said. Norwood acknowledged that the soaring Aussie dollar and the relatively mild impact that the GFC had had on Australian businesses were possible factors when considering the findings. “There are a lot of positives pointing towards the Aussie dollar at the moment, and most commentators can’t see a short term end to the strength.” The Amex director of operations told HR Leader that a lack of awareness was partially to blame for the failure to prepare for risk, and also said that there was a definite level of complacency in terms of hedging strategies in Australia. “Awareness is something that all FX providers need to focus on, and through that education process, Australian businesses will look more and more at different hedging strategies in terms of what options are available to them and what is right for them,” Norwood said. One simple way that businesses could cover themselves, he explained, was to engage in a forward exchange contract, which would give the company the ability to lock in a set exchange rate on future transactions involving foreign currency. “A forward exchange contract provides peace of mind: the ability to lock in what is needed to pay in foreign currency in the future.”

“A lot of companies aren’t aware of the basic tools that are out there to enable them to effectively manage their risk” Paul Norwood, director of operations for AMEX FXIP
21% of Australian companies said that they failed to manage risk because it was ‘too much of a hassle’
News Review
Don’t let privacy get lost in the cloud
THE cost of addressing security and privacy issues may outweigh potential operational and capital savings for government departments looking to shift to cloud computing, according to Victorian Privacy Commissioner Helen Versey. Cloud computing technology is being used increasingly by Victorian government agencies to reduce capital and operational costs, as the cost of storing data or accessing applications via offsite methods greatly reduces the need for technology infrastructure, IT support and staffing. However, there are privacy issues – particularly in relation to data security – that need to be addressed if an organisation plans to use cloud computing technology for hosting and accessing its data or applications, she said. Speaking on the release of recent cloud computing guidelines for Victorian public sector organisations, Versey added that implementing cloud technology requires a different mindset than traditional IT services, as using the cloud may swiftly reveal failures in security and procedural processes that have not been properly thought out. “The desire to reduce costs will need to be balanced with other factors, including ensuring privacy protections, when deciding whether or not to use cloud computing technologies,” she said. Victorian government agencies should only use a cloud service provider that treats privacy protection as essential and that agrees to comply with the Information Privacy Principles in the Information Privacy Act 2000, Versey added. “Where the provider is located offshore or even outside of Victoria, taking reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure may be difficult or even impossible,” she said. “By using a cloud service, the government agency is relinquishing some – if not all – control over their data. This includes being able to control security measures, and can present problems if something goes wrong.”
“By using a cloud service, the government agency is relinquishing some – if not all – control over their data” Helen Versey, Privacy Commissioner, Victoria
Business continuity planning for the worst AN effective business continuity plan in the aftermath of an event of disastrous proportions is one that is simple with no unnecessary detail, according to an expert in the area. While early versions of business continuity plans frequently contain much verbiage as people get their head around what the subject is all about, Jim Truscott, CEO of Truscott Crisis Leaders, advised making them easy to read under stressful conditions, with plenty of white space like a CV. “Most people will only look at them once every 12 months at best,” said Truscott, who added that checklists, such as those used by pilots, are best. Speaking ahead of the Australasian Business Continuity Summit 2011, he said mature business continuity budgets usually equate to one to three per cent of operating costs. “But for the vast majority of organisations how do you do more, instantly, under extreme circumstances of terrorism and natural disasters with leaner organisations?” he asked. In an ideal world with unlimited resources, Truscott said there would be fully tested plans with a carefully chosen, regularly exercised crisis team.
However, the reality is that for the vast majority of organisations, planning is compromised by limited budgets and insufficient time and resources. As such, he said it is best to have a strong crisis management team, although some business continuity planning development is essential.
“Crisis management is just looking at the hole in the fence. Crisis leadership is seeing the open paddock beyond” Jim Truscott, CEO, Truscott Crisis Leaders
“Keep the business continuity plans to the absolute bare minimum with no complicated procedures and processes; just simple information that the crisis management team can use as the basis for taking action and making decisions,” said Truscott. “Build the best team possible with your resources. Train the team and exercise it again and again. Ensure that each team member is backed up by a deputy and empowered to make all necessary decisions. “If ‘no risk no champagne’ is your strategy, like some of the best companies in the world, then your team must be drilled in crisis leadership,” said Truscott, who observed that crisis leadership may become the dominant form of management in the years ahead. Leadership is the best thing that you can do before and after terrorist incidents and natural disasters, he said. “Crisis management is just looking at the hole in the fence. Crisis leadership is seeing the open paddock beyond. “Now that the best companies disclose their crisis and business continuity preparedness in annual reports, just as they disclose remuneration, audit compliance and safety records, it is one thing to have a plan; it is another to practise it,” he said. Jim Truscott will be speaking at the Australasian Business Continuity Summit 2011, held from 8 to 10 June 2011 at the Sofitel Sydney Wentworth Hotel.
News Report
The risks of a rising dollar
With a high Australian dollar, companies should revisit their risk management strategies and implement good hedging policies

While the high dollar is generally good for Australian tourists overseas, the flip side of this is that the high dollar makes Australian exports more expensive – presenting a significant number of risks to some sectors of the local economy. Manufacturing, tourism and agriculture are some obvious sectors that suffer from a high Australian dollar, and companies operating in these sectors would do well to revisit their risk management strategies and make sure they have sound hedging policies in place, according to experts. “The rising Australian dollar is a complete disaster for the manufacturing/exporting sector,” according to Richard Hughes, founding director of Visual Risk, a software and consulting company which specialises in market risk management. If the Australian dollar is sustained at its current high levels it will fundamentally damage a lot of Australian exporters who produce goods, he says. “We don’t have enough manufacturing exporters as it is because our manufacturing sector is already in long term decline, so we really don’t need that.” For the resources sector, Hughes says that the high dollar is eroding profitability, although resources companies are picking up the benefit of high commodity prices which significantly offsets the cost of the rising dollar. “The fact of the matter is the high Aussie dollar is hurting them a lot as well because they’re selling commodities denominated in US dollars. So when they bring those dollars home it costs them a lot to buy the Aussie,” says Hughes. “But if, for example, you get an unusual situation where commodity prices collapse and the Aussie dollar stays high, they would get hit with a double whammy. In this nervous market, anything could happen right now.”
Global forces at play
While the dollar usually drops if commodity prices collapse, Hughes says the world “is a little bit different now. Nobody knows what the ‘new normal’ will actually be.” The main issue now is extreme risk in the world’s strongest currencies, which are the US dollar, the Yen and the Euro, because of government deficit problems. The strongest countries on the planet all want their currencies to be weak to make their exports cheaper, boost trade and subsequently stimulate growth in their economies. “The world’s financial markets are very unstable at the moment, and with most major currencies weak, our strong Aussie is collateral damage from that. This aberration is not a function of Australia’s strong economy so much, but rather a function of US dollar weakness, and that is our big problem,” says Hughes.
The Australian dollar is currently around the fourth or fifth most traded currency in the world, whereas the Australian economy is about the 13th or 14th biggest economy in the world. This anomaly indicates that “we are, as a currency, punching way above our weight in terms of popularity with global investors”, says Hughes. “The only reason that the currency’s traded as much as it is, is that Aus is seen as a relatively stable economy, but the AUD is seen as a good commodity/China market play. So it’s a highly risky currency and it’s prone to fairly violent swings.”
Currency risk management
As such, Australian companies need to be careful of currency shocks and keep a close eye on overseas markets. “Risk managers shouldn’t only look domestically for risk factors, because the real danger lies offshore. I think there’s a dangerous level of complacency in Australia right now in terms of risk management,” says Hughes. “Many people think we’ve dodged a bullet from other market shocks quite often in the past and, fingers crossed we can continue to do that, but I think it’s a very dangerous assumption. My takeaway comment is that companies should take care.” Companies should spend more time on their risk management than they have been in the past because “right now they are facing more risk than they have ever faced in the past”, says Hughes. “My advice to senior management is to focus more attention onto risk management and make sure that their cashflows that are exposed to market risk are hedged sufficiently so they can deliver some certainty as these are the cash-flows needed to sustain the business.” Hughes adds that he is very nervous of the current markets. “I don’t believe anyone of our generation has seen a combination of financial risks of this nature before, so my key message to business is to take great care.”
Currency risk management planning
There are six basic principles organisations should have in place to manage market risk:
1. Understand and quantify the organisation’s risk exposures (worst and best case). It is useful to perform scenario models and sensitivity analysis on worst and best case situations.
2. Determine the organisation’s risk tolerance. Determine its need to take risk.
3. State the organisation’s risk management objectives and hedging approach. What are the risk management objectives of the organisation and how will credit, operational and market risk of the business be managed? When deciding upon a hedging strategy the core problem is to strike a balance between uncertainty and the risk of opportunity loss. In establishing the balance, consider the risk aversion and the risk preferences of shareholders.
4. Define risk metrics and policy guidelines. Risk metrics are a set of financial models used by the organisation to measure financial risks. These include: standard deviation, value at risk (VaR), expected shortfall, marginal VaR, incremental risk, coherent risk measures and assessing risk measures.
5. Monitor, measure and report the risk. For more strategic and longer term risk management, it is time to go back to basics: measure, monitor, mitigate and report.
6. Review, stress-test and refine the approach.
Source: Corporate Financial Risk Management update, KPMG
Cover Story
Chinks in the armour
Fraud is an ongoing issue for many Australian organisations. Craig Donaldson looks at the latest fraud trends, explores the most common vulnerabilities and details how companies can take a proactive and preventative approach to fraud
Fraud is an ever-present risk for Australian organisations. Recent research has found that financial institutions continue to be the largest victims of fraud, having lost almost $40 million to fraudsters over the 6-month period to December 2010. While Australia’s fraud levels eased from $2.3 million per case to pre-GFC levels of $1.7 million per case, the steady stream of fraud activity is still concerning, given the cost to organisations, according to Gary Gill, national head of KPMG forensic, which conducted the research. Fraudulent loans, investment scams and theft of investors’ money accounted for about half of the frauds over the 6-month period to December 2010, while accounting fraud accounted for another third. In addition to these perennial fraud types, Gill says fraud through social media is an emerging issue. “I think organisations are struggling to understand what the fraud implications of social media might be,” he says. “There is a lot of concern about social media and fraud, as most employees have the ability to access social media, whether it’s through their work computer or through their mobile phone, combined with the ability to share information quickly through social media networks. It’s a real emerging issue and there are no clear answers at this stage.” Malcolm Shackell, a partner in forensic services at PricewaterhouseCoopers, observes that there has been a lot more corporate expense-related fraud over the past 12 to 18 months. “That’s really been something that’s surprised us,” he says.
“Usually with this fraud, it tends to be what I call nickel and dime stuff, where there might be questions around whether or not a particular charge is authorised or whether it’s for personal use. But some of the cases we’re seeing now are much more serious, with some expense frauds up in the hundreds of thousands of dollars.” Shackell also says that procurement fraud is an ongoing issue. “We are seeing plenty of frauds that involve false documentation, and by that I mean false invoicing, false vendors, payment system manipulation, that kind of thing. This kind of internal fraud is always focused on where funds leave the business, and again, the scale of some of these frauds can be quite surprising because very often they’ve been going on for a long time.”
Tone from the top
The single most important thing in addressing fraud is “tone from the top”, according to Shackell. The very top levels of management, including the CEO, should sponsor or communicate fraud control and awareness, rather than just leaving this up to the functions which typically deal with the process at an operational level. “The messaging that comes down from senior management is incredibly important,” he says. Where there is a lack of tone from the top, or where this tone is vague or senior management seems uninterested in fraud management and only interested in the revenue line, Shackell says this can have dramatic effects down the track. If employees believe that those at the top of the organisation aren’t interested, or worse, are ambivalent about fraud, “the culture suffers terribly as a result and fraud often occurs in this kind of environment”, he says. Gill agrees, and says senior management needs to understand fraud risks and take them seriously. “They need to deal with issues as they arise in a way which demonstrates that they’re taking it seriously. And it has to be done on an open and transparent basis and it has to be done consistently,” he says.
Tackling fraud
There are a number of hallmarks of best practice approaches to fraud management and prevention, according to Matt Fehon, a forensic partner at McGrathNicol. These include:
Culture: An organisation that promotes a culture with a high awareness of fraud risks and strong integrity consciousness.
Risk assessment: A risk assessment program that regularly examines and tests internal controls.
Detection programs: Proactive methods of detection, including audit techniques, data analysis and internal and external staff reporting mechanisms.
“The attributes I have mentioned go some way to achieving better practice, however, I find that if there is senior management commitment and a manager responsible for driving the program, it results in the organisation having a solid approach to management and prevention,” says Fehon.
“So if a senior guy’s fiddling his expense forms and then claiming stuff that he shouldn’t be and nothing gets done about that, well, you can bet your bottom dollar that somebody else at a lower level will find out about it, and if they’re seeing the guy at the top doing it then it sets a really bad example for others to follow.”
Anti-fraud steps
It is also important to have a variety of mechanisms which enable employees to report fraud, Gill says. With internal fraud somebody always knows it is going on, but they often don’t speak up, he says. “Hopefully the person will simply talk to their boss and raise it that way, but if the boss is the problem then how do they blow the whistle? So having a whistle blower procedure in place, including an anonymous whistle blowing hotline is really important, and we’re seeing more and more organisations doing that,” he says. Another helpful process is a fraud risk assessment, which Shackell says involves working out which area of the organisation is likely to have the highest incidence of fraud and then testing controls which are in place to mitigate those risks. Data analytics can also contribute to effective fraud management. “I’d say that data analytics is a bit like a second layer of defence. This involves searching for fraud in your system data, particularly system data, around things such as purchasing and corporate expenses,” says Shackell. A third important hallmark of effective fraud management involves incident management. “I have seen many organisations spend a lot of time and effort on being proactive about fraud, but when an incident does occur they can be a little bit all at sea about what to do next,” says Shackell. Companies need to think about how to react to an incident, who needs to be informed, what steps need to be taken, what the corporate attitude will be, when to engage lawyers, when to engage external help, when to report to police – “all these types of things need to be thought about before they actually occur”, he says. “The reason for this is because very often with investigations you do need to move quickly.” Gill agrees, and says it’s important to have a clear process in place in the event of a fraud. In addition to the above steps, it is important to consider fidelity insurance and what steps are involved in the event of fraud. “Normally you have to notify the insurer fairly quickly after the fraud has been discovered,” he says. “And then what processes do you have in place to close the door after the horse has bolted? So it’s important to fix up the controls and other areas that clearly weren’t working which allowed the fraud to happen.”
Combating fraud at Zurich
Adam Plummer, fraud manager for Zurich Financial Services Australia, says the company’s insurance fraud program is underpinned and supported by an existing “robust and rigorous” global Zurich anti-fraud program. A combination of automated and manual fraud detection tools ensures that only the “right” referral is examined more closely for fraud and genuine claims are paid promptly, while a high degree of due diligence is applied to new claims received by the claims fraud team to ensure all commercial aspects are considered, he adds. Within the first 12 months of operation, the claims fraud team has delivered fraud savings in excess of $4 million with a 24 per cent strike rate, according to Plummer. “The introduction of a claims fraud team into Zurich Australia now provides the business with the appropriate resources to detect fraudulent claims and protect the financial bottom line of the business from paying fraudulent claims,” says Plummer, who adds that it has increased the overall awareness and knowledge of claims staff to be vigilant about the presence of fraud indicators when processing new claims. The claims fraud team works closely with Zurich’s risk and compliance function as well as internal audit and other internal governance bodies, while the team also regularly attends quarterly risk management working group meetings to share and exchange fraud information. “Working collaboratively and in partnership with our internal and external governance bodies generally ensures successful working relationships,” says Plummer. The claims fraud team is positioned right in the middle of the Zurich general insurance claims operation, which allows claims advisors to seek guidance and assistance from the internal fraud function easily and promptly. A successful fraud program requires the buy in and participation of all claims staff, he adds. “This is achieved regularly by engaging claims staff, of all levels, into the development of fraud programs and initiatives,” says Plummer, who points out that Zurich has a zero tolerance to fraud policy and all staff are trained and educated on this via regular fraud training. Plummer recommends other internal audit/risk management professionals avoid relying purely on “out of the box” automated fraud detection solutions as being the total solution to fraud detection. “Excellent fraud outcomes are achieved from trained and skilled claims staff, coupled with data mining IT solutions and fraud intelligence capabilities,” he says.
Fraud trends
Matt Fehon, a forensic partner at McGrathNicol, observes that cross-border fraud is continuing to be a greater problem, with Australian companies undertaking increasing levels of international business and offshoring. Electronic Funds Transfer fraud also continues to be a significant threat to businesses, he says. “We are finding that staff are more aware of weaknesses and methods to manipulate payment systems than was the case in the past. The systems and controls that organisations implement are critical to ensuring there are appropriate safeguards to the finances of the company.” Fehon recommends risk management professionals be innovative and look to combine traditional fraud detection and risk management techniques with technology. “Data is a useful source of information, which if used well, can aid a skilled risk management professional with a smarter selection of transactions in which to undertake a review.”
Case Study
Building internal audit from the ground up
The Hollard Insurance Company has taken a whole-of-business approach in building a strong internal audit program, writes Craig Donaldson
The Hollard Insurance Company is a multinational with businesses in Australia, Africa, the United States, United Kingdom and South East Asia. It provides a wide range of insurance products and services to more than 6.5 million policyholders worldwide, and it employs more than 1500 people and holds assets in excess of $1.7 billion. In Australia, the company directly covers more than 150,000 policyholders with its home and contents, motor, landlord and life products, while many more are covered through its wholesale umbrella products. Hollard Australia has built its internal audit approach from the ground up over the past year. It has undertaken a program to completely integrate risk management practices with internal audit while maintaining independence of the functions, according to David Hall, the company’s head of internal audit. “This has started at the top where we articulate our risk appetite under each of the categories of risk that we have defined. Our appetite for risk then drives the ratings through our risk registers, which are the responsibility of the general manager of each of our businesses,” he explains. “Our internal audit programs are then developed from the risk registers and this then flows through to our internal audit reporting. Through this mechanism, our internal audit team is able to focus its work on the controls in place to mitigate risks where current levels of exposure are inconsistent with our board’s appetite.” Hall says this ensures maximum value is gained from the efforts of the internal audit team and ensures some real value add from the function.
Benefits and lessons
The process has highlighted the importance of a top-down approach to risk management and the involvement of stakeholders from the board down, Hall explains. As a result, the internal audit function is more efficient as it is able to focus on relevant risks rather than needlessly spending time looking at processes which add little value, he says. This methodology has required a whole-of-business approach, Hall says. “We needed to ensure that we had the necessary ‘buy in’ from every part of our business as the effectiveness of the internal audit program is entirely reliant on the ability of the business to properly articulate its risks,” he explains.
“In hindsight, we should have perhaps engaged with the business earlier to ensure that we were able to fully capture all relevant risks across the organisation. Leaving this until the audit plan was underway meant that the appropriate attention had not really been paid to the management of risk registers. I think the key to these sorts of initiatives is that all stakeholders see the value,” says Hall, who adds that certain governance committees were formed once the plan was already underway, rather than getting them in place upfront.
A broad business approach
While internal audit at Hollard is independent of the risk function, it is entirely dependent on its output to guide its programs of work. “Our audit program is very much operational in nature so while we have a close relationship with finance functions, we are more engaged in the questions of ‘how do you ensure risks are mitigated and controls are effective’ rather than a detailed assessment at a micro-level of all activities of the finance function,” Hall explains. “It is often the case that experienced finance personnel also understand the importance of risk management and internal audit; we have therefore been able to create an almost collegiate approach to the auditing of key finance functions.” On a broader level, Hall says building a culture around this and engaging employees to encourage reporting of internal fraud and related issues is a “real challenge” in Australia. “I believe that there is still very much an attitude of not reporting some of the inappropriate behaviours that go on in the workplace,” Hall says. “No-one wants to be the person that blows the whistle for fear of reprisal. This is where effective whistleblower programs, with adequate protection for those who are willing to come forward, are needed. These are often best provided externally to provide that extra layer of comfort to employees.” Hollard manages its whistleblower program internally through internal audit, which Hall says is an appropriate approach for a business of its size. “I also find that the message from the top is critical. Management must be seen to act with integrity and with a zero tolerance to misconduct (fraud and otherwise) and this ensures that employees also grow within the business with these views,” Hall states.
Making the most of internal audit All too often internal audit programs are still driven by process, even when they claim to be risk-driven, according to David Hall, head of internal audit for The Hollard Insurance Company in Australia. “I think the best way to approach this is to step back before you perform any internal audit work and ask yourself what the real risks are in the area/business unit or process that you are about to review,” he says. “The internal auditor can no longer be limited to just being an accountant. A sound knowledge of the business and business practices is absolutely essential to ensure that they can fully understand what the risks are, how they are mitigated, and then to be able to devise audit tests to ensure that the mitigation steps are appropriate.”
Social Media
There is increased concern among companies about social media and associated risks to brand and image
Social media risks on the rise
“Brand and image” has been ranked as the number one risk concern in Aon’s Australasian Risk Benchmarking Survey for the past four years. It has also been ranked among the top four risk concerns over the past nine years of the survey. Interestingly, this year, increased use of social networks was specifically cited as providing potential risk to an organisation’s brand, image and reputation. Brand and reputational risks do differ industry to industry, however, the increased degree of transparency and speed of information sharing via social media means that reputational issues can now become front page news in a matter of hours, according to industry experts. “Over the past few years consumers, including shareholders and industry analysts, have been accessing news via the internet and mobile devices on a much larger scale,” said James Griffin, partner at SR7, a consulting firm which specialises in online reputation management. “This has in turn led to a quickening of the news cycle and a hunger for more content.” News is much more costly to report and produce than opinion, which Griffin said can be delivered via social networking sites, Facebook, Twitter, forums and blogs. “Everyone has an opinion about a company, its brands and products,” he said. “Every company, regardless of industry, has critics. Social media allows them to rally together and broadcast information about your organisation to many.” For example, a Deloitte survey has found that 74 per cent of employees believe it’s easy to damage a company’s reputation on social media, while 58 per cent of executives agree that reputational risk and social networking should be a board room issue – but only 15 per cent say it actually is. Furthermore, the survey found that almost 50 per cent of employees said they would not change their online behavior if their company had a policy, while 27 per cent of employees do not consider the ethical consequences.
“Risk management professionals need to have the support of their senior executives to ensure security of information assets is part of the organisation’s culture” Neville Gollan, sales and marketing director, Sense of Security
“Damage to brand and reputation ultimately affects shareholder value and the bottom line, so it is vital that brand and reputation management is an enterprise-wide effort not just confined to say the communications department,” said Griffin. Many companies have a limited understanding of how their brand is perceived in the marketplace, and he said a significant weakness is a lack of understanding of how social media can impact both positively and negatively on brand. As such, brand and reputation management are too important to be left to any one department, according to Griffin. “Your brand is what differentiates you from your competitors, so it is vital to understand how your brand is perceived,” he said. “Finally, even if you think social media isn’t really suited to your industry, look beyond its use for marketing purposes and see it as a tool for feedback on your products, brands and services.” Griffin said risk managers need to request that brand and reputation risk be managed strategically just as other risks are, such as capital, legal and liquidity.
Business Continuity
Has BCM lost its way? Business continuity management professionals need to challenge the status quo by providing simple and efficient solutions, writes Craig Donaldson
While the mechanics of companies’ business continuity plans are often fine in theory, management often overlooks the basic fact as to whether or not they would work in practice, according to Ernst & Young. On one level, senior management has a better appreciation now than ever before of what business continuity management (BCM) is, why planning is necessary for disruptions and some key elements of such planning. “They have experienced Y2K, and enhanced IT disaster recovery and service continuity plans,” said Alex Serrano, senior manager, advisory, Ernst & Young. “They have experienced the terror threat surrounding 9/11, and understood the importance of crisis communications and remote disaster recovery sites. They have confronted pandemic influenza and SARS, and implemented people security measures and embraced societal resilience. These are all good things.” Yet within boardrooms and senior management teams, Serrano said the more familiarity that management has with BCM and its terms and concepts, the more complacency tends to take hold in some quarters. “Do we have a crisis plan? Check. Have we done a BIA? Check. Are the continuity plans in order? Check. And yet something is lost in this mechanistic focus on procedure,” he said. “Somewhere along the way management has forgotten to ask ‘do all these plans actually work?’” In some cases, Serrano said hard decisions about investing in BCM capability have been dodged, and BCM managers have at times become complicit in this process. “Being knocked back for necessary investment in risk-based mitigation decisions one too many times, some have stopped being ‘outrageous’ and demanding attention to core risks. When this happens I think it’s regrettable,” he said. Well-publicised recent natural disaster events in the Asia Pacific region, however, may be starting to refocus a number of boards and senior management teams on this key issue. “BCM is no fig leaf.
Unlike some things an organisation chooses to pursue, BCM must carry its weight – it must be proven to work. Thankfully some corporates and leaders have never lost sight of that,” said Serrano. However, he noted that some things show little signs of changing. “For example, the main drivers for BCM remain the same – regulatory compliance and the boards of corporate organisations. For regulated industries (such as the banking
sector) compliance requirements mean that Australian banks must be able to demonstrate capability according to the prudential standard APS 232,” said Serrano, who noted that listed entities and government organisations similarly need to address ongoing, stringent BCM compliance requirements. One of the key attributes of the BCM profession is that it is all about asking questions and challenging the status quo, he added. “Therefore, there is no contradiction between BCM achieving a level of process maturity while at the same time continuing to ‘reinvent’ itself with uncommon zeal and vigour. The emerging BCM global standard is just one example,” said Serrano. “There is no standing still in this industry, partly because the risks that BCM addresses are constantly evolving and altering, and partly because the tools we have available to meet resilience challenges are changing (and in many cases improving) all the time.” BCM is being challenged to “pay its way” more than ever before, said Serrano. “Senior management and boards are, frankly, fed up with silo-based approaches to operational risk, and are demanding that BCM ‘up-periscopes’ better to work out how its approaches enmesh properly with the fundamental risk management processes within an organisation,” he said. Business Impact Analyses (BIA) must not be allowed to wither and die on the vine as they remain core to the practice of BCM, but Serrano asserted that executives must not be confronted by multiple BIAs being performed in the same team/area/division as sometimes happens now, with BIAs according to BS25999 covering the same territory as application BIAs performed as part of ISMF rollouts. “It’s a recipe for confusion and it needs to stop,” he said. “The Australian Standard AS/NZS 5050:2010, although maligned in some quarters, is at least a legitimate attempt to ‘decrypt’ the practice of BCM and meaningfully interlink it with the wider corporate management of risk.” As a profession, he said BCM needs to focus on reinventing not only resilience solutions (such as Web 2.0 technology), but by educating itself around a streamlined set of global better practices that meet corporate governance and compliance demands while still positioning organisations as risk aware, agile and resilient. Alex Serrano will be speaking at the Australasian Business Continuity Summit 2011, held from 8 to 10 June 2011 at the Sofitel Sydney Wentworth Hotel.
Advancing the business continuity profession

Business continuity professionals need to avoid the “middle-age” fatigue that can set in once a profession has carved out a niche for itself within a crowded risk solution landscape, according to Alex Serrano, senior manager, advisory, Ernst & Young. “I suggest we keep the passion, and foremost in our thinking should be the fire in the belly that activated us to the possibilities and importance of BCM in those early, heady days of first encounter,” he said. “At the same time we should continue on that never-ending quest for knowledge and professional clarity that will help us remain relevant within the overall context of proliferating corporate risks and the ever-increasing push for risk management convergence. This process of self-education helps us continue to legitimately point out when the emperor is not wearing any clothes, and to notice if (or when) we aren’t wearing any ourselves.”

If business continuity professionals can get these two focus points roughly right, they will be able to be effective change makers, treading a fine line between the ‘evangelist’ and the ‘fanatic’. “My suggestion – we work out our lines, stay on message, and rely on the best principles that underpin BCM – using a framework of useful knowledge to convince corporate and community leaders to take resilience seriously and invest accordingly,” said Serrano.
Environmental Risk
Managing environmental compliance risks: the China syndrome

Dr Ulysses Chioatto asks why corporates are going green
Environmental compliance means corporate conformity to environmental laws, regulations and standards. The many concerns can be confusing to the average executive or company director navigating these compliance demands, which include keeping track of a mountain of legal instruments and regulatory information, whether trading locally or globally. Despite the media’s confabulation, everyone is “going green”, including China, contrary to the perception, almost a syndrome, that China is not acting on environmental concerns. It’s not just about climate change and carbon emissions but also toxic waste and its disposal, and keeping our water clean.

Professor Tim Flannery, the head of Australia’s Climate Commission, told a recent forum that “the challenge for climate issues is communicating a complex set of concerns”. The imperative is to balance energy demands (electricity), waste and compliance regimes while preparing for, and responding to, extreme events caused partly by increasing energy demands and waste management practices. Is this “greening” because of a sense of responsibility for environmental sustainability or a competitive and regulatory necessity to go “hulk”? Society’s mood is one of growing concern about the environmental impact of products and services, and the threat of extreme events such as natural disasters. Is societal anxiety about the environment exercising the minds of corporate executives?

Boards and management must redo their risk assessments (RA), focusing on the multiple ways of making decisions when facing uncertainty and variability, as well as the decision rules used in selecting one option over another. They must apply advances in RA methodology to an environmental context and focus attention on risks that can arise from multiple synergistic hazards over extended periods and entire communities (think of the Queensland floods, Japan’s earthquakes and nuclear plant failure), not just from a single-source, acute exposure as traditionally assessed. The subtlety is how uncertainty and variability profiles interact as you advance through the steps of the RA; disaster recovery and business continuity management are critical!

Concerns for extreme events are important in how we view and manage risk. Rather than being led by the law of averages, we tend to expect and fear extremes such as climate change events and terrorist acts. The extent to which a risk is a surprise is more likely to influence the design of the risk management strategy. Companies need to recognise that risks generated under one regulatory jurisdiction can have a significant impact in another region or globally, and concern regulators and society at large. Extreme events capture our imaginations with fear and increasing apprehension. The focus in risk management is on moving to address, assess, protect and design for extreme events. RA helps to understand and evaluate the implications. There are several methods for defining extreme events; one is to define them in terms of their low frequency, relative to a specific context or problem framing.

When Professor Flannery commented on risk communication, he was reflecting the research on communicating risks of extreme events. The challenge is in part due to overweighting small probabilities in decision-making. An example of this, of being trapped by our “hard-wired” perceptions of risk, is communicating RA to boards in the face of surprise events such as freak storms or failing nuclear power plants. In a practical sense, a risk ladder works better than a pie chart in communicating absolute levels of risk reduction. Regardless of dry statistics about probability and consequences, risks are perceived differently; the risk of cancer, for example, is perceived as a high risk, unlike a familiar and immediate risk such as a car accident.

In Australia, National Greenhouse and Energy Reporting (NGER), the National Carbon Offset Standard (NCOS) and the Environment Protection and Biodiversity Conservation Act (EPBC) dominate compliance risks. The EPBC environmental legislation, around since 2000, has a strong framework and range of enforcement mechanisms for suspected or identified non-compliance, including audit, civil/criminal penalties and enforceable undertakings. Another mechanism, the recently tabled Carbon Farming Initiative (CFI) legislation, supports a market mechanism for rural sector abatement activities; that is, carbon credits for compliance carbon markets.
EU and Chinese environmental regulations
EU regulations such as the Restriction of Hazardous Substances (RoHS) and Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) directives affect manufacturers globally. Since 2007, Korea, Australia, Canada, China and US states such as California have introduced similar RoHS legislation. There are 1,324 environmental regulations affecting global manufacturers, and the number is growing. In 2004, the Sarbanes-Oxley Act (SOX) cost US firms more than $US5 billion, and the European Union estimates compliance with REACH regulations to cost more than £5.2 billion globally, so compliance is expensive. Not complying is costlier, however, due to the risk of exclusion from key markets, stopped shipments, product recalls and damage to brand reputation. Violating RoHS in one EU state generates problems in the other 26, with cumulative fines, product recalls, and gaol for offending executives.

In my opinion the limited media coverage of environmental compliance in China, or China syndrome, overlooks the intricate network of laws in China, such as those passed by the Tenth National People’s Congress in February 2005 and 2008. China has banned the manufacture, sale, and import of non-complying, energy-consuming products. It also requires an accountability system for energy conservation targets. Manufacturers that import or sell non-compliant products risk orders to cease production, confiscation of their products, fines of up to 500 per cent of illegal proceeds, and licence revocation. China incentivises manufacturers to utilise energy-saving technologies through tax preferences, credit support and preferential loans.
Carbon pricing
Carbon pricing presents risk management issues. One certainty is that once a scheme is implemented, prepared businesses will better manage any risk from the scheme’s introduction. The Garnaut Climate Change Review of March 2011 provides some details of the scheme. The question is: does your business/industry have a cost point in your economic chain at which to impose carbon-related costs onto your customers? While we’re waiting on a scheme, energy efficiency opportunities and finding sustainability in the supply chain are a key focus.

Dr Ulysses Chioatto is a lawyer and organisational consultant and the facilitator of the Responsible Officers and Managers Forum.
Risk People
Hallmarks of successful ERM

Risk Management speaks with Paul Muir, executive manager of risk and compliance at Suncorp, about the makings of successful risk management in the private sector.

What would you say are the essential elements of a risk aware culture?
A risk aware culture must be evidenced at both senior management level and within the day-to-day operations of the business. Strategic decisions need to incorporate risk as part of the business planning discussion. Not only must the adverse impacts be considered; attention must also be focused on the opportunities within the boundaries of a properly considered and board-approved risk appetite statement (RAS). A business that has visibility of its RAS will be able to unlock intrinsic value as it pursues its corporate objectives. Viewed in this manner, risk will be seen as a value-add for the business, ensuring that risk management is embraced. At the operational level, business owners must appreciate that they are responsible for the management of risk within their business. Often a control environment is seen as an obstacle to achieving business targets. A risk-aware culture recognises that appropriate controls based upon risk impacts (as part of risk profiling) will assist in achieving such targets. Further, by implementing the RAS at an operational level, initiatives producing high returns with commensurate high risk can be explored within a control environment that provides business assurance.
How advanced would you say most Australian organisations are in their understanding of compliance and risk management?
Compliance and risk management are two distinct disciplines that deserve management attention in their own right. Traditionally, organisations have focused upon compliance due to the immediate adverse effects of non-compliance, including penalties and fines and increased regulatory oversight. Further, compliance tends to impact the current state while risk management looks to the future. Post-global financial crisis, risk management has been a focus at board level and is now becoming established throughout the business. Organisations are starting to appreciate the benefits of risk management and are investing in the appropriate skill sets, such as capital management, scenario analysis and stress testing, to complement the existing legal and compliance capabilities. It is important that appropriate resources are dedicated to both compliance and risk management functions. Both are necessary components of a risk-aware culture.
What steps can companies and their risk management leaders take to embed a risk-aware culture?
In the context of a risk-aware culture, everyone is a risk management leader. Risk should be considered as part of an organisation’s decision-making process. A governance framework ensures that a committee and reporting structure exists that facilitates an awareness of risk. Risk reporting and appropriate risk measures should be included in balanced scorecards. It is important that leaders are seen as role models by operating in an ethical, values-based fashion. There are also a number of simple steps that can be introduced to embed a risk-aware culture. Risk and compliance training should be seen as part of the career development of all employees, and not as a mandatory tick-a-box exercise. Finally, risk should be implemented as a value-producing function and not as a compliance-driven process.
What are the best ways risk professionals can convert sceptics/key stakeholders into advocates?

Traditionally compliance has been viewed as an impediment to achieving business objectives and risk has not been given adequate emphasis. Some of this criticism is deserved, as unnecessary layers of bureaucracy are built into sign-off processes that delay new or enhanced products and services being delivered to customers. Engaging risk professionals at an early stage of business initiatives and business planning will ensure that strategic risk decisions are made as part of the process, not as an addition to the process. In this way sceptics will see that risk is a value-add to the business. As the business experiences a positive relationship with risk professionals who bring value to the table, the sceptics become risk advocates; this has certainly been our experience at Suncorp.

Paul Muir will be speaking at IQPC’s 5th Annual Enterprise Risk Management for Government 2011, held at Sydney’s Quay Grand Hotel from 14 to 16 June, 2011.
Risk Careers
Move out of risk to move up

Risk management professionals should spend a period of time in a line management role, or ideally running a profit centre, according to a risk management recruitment specialist. In order to get a broader business understanding that is more readily respected at senior business levels, actually moving out of risk for some time is a good career move, said Barry Maurer, director of Compliance and Risk Management Recruitment.

Chief risk officers have historically come from non-risk functions because they have broader business experience, he said. “I would say 50 per cent of chief risk officers fit into this category,” said Maurer, who noted that this trend is changing. Increasingly, he said, chief risk officers are risk professionals who have spent time in the business and then move into a chief risk officer role. “So you get the business knowledge together with the specific expertise – that’s probably where most chief risk officers are going to come from in the future,” he said.

Maurer also recommended that risk management professionals take opportunities to move between different risk disciplines, such as operational risk, credit risk or market risk. While operational risk is in the early stages of maturing, he noted that both the credit and market risk areas are already mature and relatively stable. “Operational risk is in the early stages of maturing, so there is still some growth and people are still moving around, but it’s not as dynamic as it was,” he said. Maurer also recommended that risk management professionals work on improving their non-technical skills, such as communication and influencing skills.

Similarly, Clim Pacheco, general manager of education for the RMIA, recommended that risk management practitioners broaden their professional base and also develop their presentation skills. “To be able to convince people right at the top, you have to be able to present your case very objectively,” he said. “This can be hard because risk is usually an emotive issue; one has to be more rational in this process, so you will definitely get more traction if you can present to boards and committees this way.”

Finding competent staff is top challenge

The number one challenge facing Australian businesses continues to be the search for competent staff, an industry survey has found. The PricewaterhouseCoopers (PwC) Private Business Barometer found that, for the second consecutive barometer, sourcing talent was the top issue facing employers, in light of predicted growth throughout the country. However, PwC private clients partner Gregory Will noted that businesses seemed to be surprisingly lagging in their attempts to attract new talent. “Despite indicators that competition for staff will grow, there was a decline in the number of businesses seeking to be more attractive employers of choice,” he said.

While two-thirds of organisations would be looking to hire new staff in the next six months, an average wage increase of six per cent was also anticipated by four out of five businesses. The survey of more than 850 Australian businesses found that growth was top of employers’ to-do lists, and Will predicted that the private sector would transform short term caution into longer term optimism. “Private businesses have turned the funding tap back on and are reinvesting in their businesses for future growth,” he said.

With Queensland still recovering from the aftermath of two natural disasters, Will said that although businesses in the state would be trying to find their feet in the short term, growth would be top of the agenda before long. “It’s not surprising that private businesses in Queensland have a modest outlook for growth, particularly in the retail sector where competition from new business and overseas is putting pressure on sales, product supply and growth,” he said. “They are just working to a slightly different timeline. For them the short term is about finding their feet again and recovery before focussing in the longer term on growth.”
Risky Business
A look at the month’s alternative risk stories

Dealing with the GFC: Some ‘handy’ hints

Alan Greenspan, also known as the man who was at the bottom of the GFC, this month shares some of his wisdom on how to fix the GFC. When he’s not busy toppling global financial systems, it seems that old Al likes to give out advice on how to deal with the problems that he once created. And what nuggets of advice they are, readers! Listen up… In a statement, the 85-year-old former chairman of the US Federal Reserve told people to… wait for it… “relax and do nothing”. Sorry Al… you want us to do what? That’s right, in the shocking statement, our man Alan urged people to relax, because “the global invisible hand” of the free market would create a stable economy in the long run. Adding to that, he told the UK’s Financial Times that the world’s current financial systems were unmanageable and complex, factors which, unfortunately, were “necessary conditions of growth”. Well that’s that then. If that’s the case Al, Risky Business may as well call it a day… beer anyone?
Osama bin… under surveillance for a long time

As conspiracy theories mount and news anchors try to grapple with the difference between Osama and Obama, Risky Business felt that it was only right to take a look at this month’s biggest story. With the Pakistani government left a little red-faced after the whole affair, it seems that they were dealt another blow this week, after it emerged that bin Laden, the man we love to hate, had actually been under CIA surveillance since August 2010. Using drones and technology to observe the compound, which was literally minutes away from a Pakistani military training base, the CIA are reported to have camped out in a safe-house in Abbottabad for around 8-9 months without the Pakistani government even blinking an eyelid. Armed with cameras on the walls and electrified barbed wire, bin Laden was clearly concerned about security, and reports suggest that when local children kicked a football over the fence, they were given money and told to go away.

John Pike, director of GlobalSecurity.org, said that the mixture of old-fashioned police work and technology, which included unmanned surveillance planes, meant that the CIA could isolate and move in on bin Laden. “When not listening, the U.S. watches,” said Pike, doing his best Big Brother impression in an interview with InnovationNewsDaily. He then mentioned the drones used to monitor bin Laden: “Drone aircraft fill the sky by the hundreds, allowing American intelligence officers to follow targets of interest on a camera feed every minute of every day.” OK… now we’re worried… “It’s a stakeout, isn’t it? In the good old days, you’d park across the street and order in pizza. Well, the drone doesn’t need pizza,” he quipped. So, it seems that the Americans like fast food and spying on people. Any surprises?