Risk Magazine, February 2011, Issue 82
www.riskmagazine.com.au

On the cover:
Insurance: D&O insurance under strain post-GFC
Cloud computing: the risks of taking data offshore
Careers: risk people in demand
Clear vision on corporate governance: why a tick-box approach simply won't work
Risk People: Cameron Smith from the Westpac Group talks about moving from audit to operational risk
Cyber threat predictions for 2011
IN THIS ISSUE

REGULARS
From the editor  5
News review  6
News report  10
Risk Careers  24
Risky Directory  26

FEATURES AND REPORTS
Executive Panel (p12): What is the most important piece of technology impacting risk management? Risk Magazine asks three experts their view on the technology risk professionals must be up-to-date with to stay ahead of the game.

Insurance: D&O insurance under strain post-GFC (p14): Directors and officers (D&O) insurance policies are coming under strain as mounting class actions and ASIC enforcement activity severely test the adequacy of current policies.

Bridging the risk and compliance gap (p18): While corporate governance is well developed in listed Australian companies, the practice of risk management is less so, with some companies considered complacent in terms of risk management planning, writes Craig Donaldson.

Cover story: Paving the way to corporate governance (p20): Corporate governance has come a long way in recent years. However, many companies still struggle to build a strong organisation-wide culture of governance, writes Craig Donaldson.

Risk People: Cameron Smith (p24): The executive manager, operational risk at The Westpac Group speaks to Tom Washington about his career and the challenges of moving from working in audit to operational risk.
RISK February 2011
3
FROM THE EDITOR

QUOTE OF THE MONTH
"Align your corporate governance models with where you are now, but also importantly, where you think you'd like to be"
John Colvin, CEO, Australian Institute of Company Directors (p20)

What's your take on this quote? To have your say, write to the editor at sarah.ocarroll@lexisnexis.com.au. The best comments will be published in the March issue of Risk.

EDITOR'S NOTE
Risk management and the economy
Tom Washington, Journalist

The Queensland floods of last month have taken a monumental toll on the region's businesses, not to mention the terrible impact on people's lives. Early estimates suggest the cost to Queensland's economy will be well into the billions, and such sudden and unexpected damage brings the need for solid risk management sharply into focus. For small businesses, the floods may have left nothing but the foundations to rebuild on, and for larger organisations disaster recovery, business continuity, safety planning and future risk proofing will all be firmly on the executive agenda – not just in Queensland but throughout the entire country. Having seen one natural disaster swiftly followed by another, Cyclone Yasi, businesses have been reminded that if they fail to prepare, they do so at their own risk. In the future, board risk management committees and safety teams will surely include the impact of flash flooding and riverine flooding in contingency plans, and evaluate the safe working conditions for staff not only at remote sites such as mines, railways and ports, but also in corporate head offices.

It will be a slow process, yes, but risk management will be at the forefront of the rebuilding. Australian organisations have bounced back from such catastrophes before and will do so again. Another area where risk and compliance professionals are set to have a busy year is financial services. According to analysis from eFinancialCareers, risk and compliance has been at the top of the job charts since the global financial crisis reinforced the importance of good governance almost two years ago. As Australian banks continue to recover and drive the economy in 2011, the workloads of these risk and compliance teams will only increase, and banks will need to boost numbers in order to help them cope. See our cover story (p20) for more on corporate governance. So whether it's planning against potential disasters, ensuring safety in the booming energy sector, or keeping on top of compliance in the financial services, risk management has a big part to play in shaping Australia's economy. Let's hope the profession can live up to its billing in 2011.

ABOUT US
Editor: Sarah O'Carroll
Journalist: Tom Washington
Contributor: Craig Donaldson
Designer: Ken McLaren
Publisher: Fiona Marcar
Design and Production Manager: Alys Martin
Production Manager: Kirsten Wissel

Subscribe today: Risk Magazine is published monthly and is available by subscription. Please email subscriptions@riskmagazine.com.au. All subscription payments should be sent to: Locked Bag 2333, Chatswood D/C, Chatswood, NSW 2067.
Advertising enquiries: Marika Biro, (08) 8371 5800, marika@agsmedia.com.au
Editorial enquiries: All mail for the editorial department should be sent to: Risk Magazine, Level 1 Tower 2, 475 Victoria Ave, Chatswood, NSW 2067
NEWS REVIEW
Demand for re-financing builds

Businesses need to identify the areas their banks might be concerned about and demonstrate what they are doing to minimise the risks in order to get ahead of the competition for capital over the coming year. With a wave of re-financing due in the next 12-18 months, Ernst & Young's debt advisory leader, Paul Clark, said competition for this capital will only get tougher. "Businesses that are better positioned in the eyes of the banks are going to have a significant competitive advantage – they will have better access to more debt at relatively lower prices," said Clark.

A recent Ernst & Young survey found 34 per cent of Australian companies need to re-finance in the next 12 months, while 48 per cent need to re-finance loan or debt obligations in the next four years. "We have moved more and more to short term funding since the financial crisis, in response to the higher costs of longer term funding – this is why we've seen larger corporates tapping into overseas bond markets and the United States Private Placement market to access cheaper longer term funding," said Clark. "However, this is really only an option for the big end of town, and what we are now going to see is a relentless wave of demand for re-financing over the next few years, at a time when access to capital remains tight. There will be more companies competing for a smaller pool of funding over the next few years. Many companies still have deals funded in 2008 at lower margins and these will mature in 2011-2012."

Rebuilding following the Queensland floods will also add to demand for capital. While insurance will cover a significant proportion for businesses impacted, Clark said the interim loss of income and the sheer number of businesses needing to effectively start from scratch will inevitably mean more demand for capital. As such, businesses need to go beyond tactical working capital improvements in order to best position themselves with the banks. "It is now about better procurement, getting out of non-core businesses, and re-negotiating facilities with your bank to reduce interest costs," he said. "They really need to make sure the banks understand their business and that they keep them informed." Banks will continue to fund good businesses where they understand their strategy, he said. "There is a real flight to quality by the banks. Banks will compete for those businesses that can demonstrate a proven trading performance, strong risk management, a strong management team and sustainable, competitive advantage," said Clark. "We've been involved with many clients that have been able to show this and what it means is access to larger amounts of money at cheaper rates."
AUSTRAC cost recovery plans under fire

Banks and businesses that report suspicious financial transactions have railed against government plans for the Australian Transaction Reports and Analysis Centre (AUSTRAC) to charge an annual supervisory levy as well as per-report fees from July. Under the plans, which were announced in the 2010 budget, about 17,000 businesses registered with AUSTRAC would be charged an annual levy ranging from $240 to $1000 to register and file transaction reports, in addition to per-report fees based on reporting volumes and the value of transactions reported. While the charges would save the federal government almost $90 million over three years and provide AUSTRAC with extra funds to crack down on organised crime, revenue evasion and financial fraud, industry groups including the Association of Superannuation Funds (ASFA) have spoken out against the plans.

In a discussion paper submitted to AUSTRAC, ASFA said that the proposal for cost recovery of AUSTRAC's regulatory function is akin to the ATO charging taxpayers a fee for lodging their tax return. ASFA also said that the design of the Australian anti-money laundering/counter-terrorism financing (AML/CTF) regime has taken the approach where regulation produces the greatest effect for the least cost to the economy. "Through their active and diligent participation these reporting entities are assisting in the fight against crime. Is this a privilege they should be paying for?" ASFA asked. The association also noted that reporting entities are currently bearing a significant proportion of the total costs of Australia's AML/CTF program. "In this instance the basic levy structure ensures that all or a part of this cost will be borne by entities that are not small business. It appears to be a clear case of extracting the money from those who can afford to pay – large entities," the paper said.

The Australian Bankers' Association (ABA) was also critical of the plans, and noted in its discussion paper that the levy was intended to recover the cost of regulatory activity and not financial intelligence unit (FIU) activity, and therefore that the levy should not be tied to reporting activities that generate financial intelligence, largely for AUSTRAC and other agencies, and not for industry. "We believe that the proposed changes would introduce a complicated dimension into the regulator-reporting entity relationship and potentially discourage reporting by some reporting entities," the ABA said. It also noted that the large entity component of the proposed supervisory levy is ambiguous, and that to charge a levy based on the number of people employed by a reporting entity (for entities with more than 150 employees) "is not practical and adds to the cost of compliance".
WikiLeaks: a wake-up call for data governance

The ongoing release of sensitive, often embarrassing material by WikiLeaks has highlighted the need for all organisations – public and private – to have a solid data governance plan to address a new generation of cyber threats, according to an IT governance and risk expert. The WikiLeaks site, run by the now infamous Australian Julian Assange, has revealed previously confidential cables to and from the US embassy and has put many a nose out of joint in the process. Gary Anderson, managing director of global business and risk consulting firm Protiviti, said that risks around the security and privacy of sensitive data have been around for a long time, but the WikiLeaks phenomenon has created a new and highly damaging form of corporate data breach. "Organisations are reasonably aware of the need to protect information subject to tight privacy laws such as credit card data, personal financial information, health records and the like," he said. "WikiLeaks, however, has shown that a slew of other non-regulated data could also be very damaging to an organisation's reputation if disclosed." Indeed, rumours of revealing cables involving a top US bank abound, with Assange claiming that they will shed light on a culture of unethical practices and corruption from the highest ranks down. An immediate fall in the suspected bank's share price followed.

Anderson added that while the WikiLeaks scandal has fuelled a race by governments and the cyber security industry to find 'band-aid' technology to 'plug' the information leaks, organisations must not lose sight of the real issue at hand. This, he said, was the need to have a comprehensive data governance policy and process to manage the organisation's information throughout its life cycle – from creation or acquisition, all the way through to disposal or destruction. "Few organisations take a lifecycle view and therefore fail to do data governance effectively. Organisations are often also embarrassed when they find out the information they've kept unnecessarily for years is admissible in court proceedings.

"Not having a data governance program is expensive in the long run, complicates the management process and now, thanks to WikiLeaks, creates an extra layer of reputational risk and liability exposure."
Cyber criminals diversify attacks

There were more than 339,600 different malware strains identified in malicious emails blocked in 2010, as cyber criminals diversified their attack tactics to sustain spam and malware at high levels. This figure represents more than a hundredfold increase since 2009, a rise that the new MessageLabs Intelligence 2010 Security Report puts down to changes in 'botnet' activity. A botnet is a collection of software agents, or robots, that run autonomously and automatically. Paul Wood, MessageLabs Intelligence senior analyst, Symantec Hosted Services, said: "With successful and resilient botnet operations established in prior years, the cyber criminals experimented with many tactics to keep spam campaigns active and fresh this year. From leveraging newsworthy events like the FIFA World Cup to taking advantage of the widespread popularity of URL shortening services and social networks, the spammers deployed a variety of tricks to bypass spam filters and lure potential victims."

Spam rates peaked in August 2010 at 92 per cent when the Rustock botnet was being aggressively seeded by new malware variants and quickly put to use, contributing to an overall increase in spam activity for the year, with average spam levels reaching 89 per cent, an increase of 1.4 per cent compared with 2009. One of the most impactful security threats of the year was the 'Here You Have' virus, which on September 9, 2010 used old mass-mailer techniques to send malicious emails, peaking at 2,000 emails blocked per minute.

Other top trends in 2010 include:
• Web security: For 2010, the average number of new malicious websites blocked each day rose to 3,066 compared to 2,465 for 2009, an increase of 24.3 per cent. MessageLabs Intelligence identified malicious web threats on 42,926 distinct domains, the majority of which were compromised legitimate domains.
• Spam: In 2010 the annual average global spam rate was 89.1 per cent, an increase of 1.4 per cent on 2009. In August, the global spam rate peaked at 92.2 per cent when the proportion of spam sent from botnets rose to 95 per cent as a new variant of the Rustock botnet was seeded and quickly put to use.
• Viruses: In 2010, the average rate for malware contained in email traffic was 1 in 284.2 emails (0.352 per cent), almost unchanged when compared with 1 in 286.4 (0.349 per cent) for 2009. In 2010, over 115.6 million emails were blocked by Skeptic, representing an increase of 58.1 per cent compared with 2009. There were 339,673 different malware strains identified in the malicious emails blocked. This represents more than a hundredfold increase over 2009 and is due to growth in polymorphic malware variants.
• Phishing: In 2010, the average ratio of email traffic blocked as phishing attacks was 1 in 444.5 (0.23 per cent), compared with 1 in 325.2 (0.31 per cent) in 2009. Approximately 95.1 billion phishing emails were projected to be in circulation in 2010.

SMEs unprepared for disasters

Most small and mid-size enterprises (SMEs) are not making disaster preparedness a priority until they experience a disaster or data loss, recent research has found. Furthermore, many SMEs do not understand the importance of disaster preparedness and face significant financial losses should downtime occur. The research, conducted by Symantec, found that 43 per cent of SMEs in Australia and New Zealand (ANZ) do not have a plan in place, and of these businesses, 55 per cent said that it never occurred to them to put together a plan and 18 per cent stated that disaster preparedness is not a priority for them. This is despite the fact that 73 per cent of respondents live in regions susceptible to natural disasters, and in the past 12 months the typical SME in ANZ experienced four outages, with the leading causes being power outages, natural disasters, cyber attacks or employees accidentally deleting data.

The research, which took in more than 1,840 respondents globally (200 of which came from ANZ), found that less than half of SMEs back up their data weekly or more frequently and only 23 per cent of businesses in ANZ and globally back up daily, while half of SMEs in ANZ would lose at least 30 per cent of their data in the event of a disaster. According to the survey findings, 55 per cent of the SMEs that have implemented disaster preparedness plans did so after experiencing an outage and/or data loss, while 38 per cent put together their plans within the last six months. However, only 26 per cent have actually tested their recovery plans, which is a critical component of actually being prepared for a potential disaster. The research also found that disasters can have a significant financial impact on SMEs: the median cost of downtime for an SME is US$32,800 ($32,399) per day in ANZ, while 47 per cent of SME customer respondents reported they have switched SME vendors due to unreliable computing systems. A further 26 per cent of SME customers surveyed stated that their SME vendors were temporarily shut down due to a disaster.
Global political risks on the rise

While the world economy is broadly on the road to recovery, the level of political risk has risen in more countries than it has declined, recent research has found. The negative effects of the global financial crisis impacted the economies of nations with traditionally low levels of risk, according to the research, while the continued emergence of several markets in Africa where more international trade and investment is occurring has led to a greater need for political risk insurance cover. The research, conducted by Aon Risk Solutions, measured the political risk of 211 countries and territories based on the level of risks such as currency inconvertibility and exchange transfer; strikes, riots and civil commotion; war; civil war; sovereign non-payment; political interference; supply chain disruption; and legal and regulatory risk. Conducted every year, the research ranks countries on a six-point scale from low risk to very high risk. A downgrade indicates that the severity of the risk has heightened, while an upgrade indicates that the risk is less severe. Nineteen countries were downgraded on the 2011 map, while 11 countries were upgraded. "The perceived or actual risk of sovereign non-payment continues to be an issue in countries across the globe," said Beverley Marsden, associate director of Aon Risk Solutions' crisis management team in London. "For example, we have seen thirteen island nations move into a higher risk category this year because of the effect of a decline in tourism on their economy."

However, the annual research has seen a nearly 30 per cent increase in the number of countries in the middle of the risk rankings – the medium low to medium high categories – as these countries have become more active in the world economy and their prosperity has increased. Globalisation has been blamed for recent incidents of economic volatility, but it has also had a positive impact on global political and economic stability, and the research found that many countries previously designated as medium high or high have taken advantage of global trade links and have seen political risk levels decrease. This trend is demonstrated in South America, where countries like Brazil, Colombia and Mexico have all seen sustained improvements over the last five years. Aon said political risk will continue to be a major influencer for businesses transacting in emerging markets in 2011. While the apocalyptic predictions many made at the beginning of the financial crisis did not come to fruition, a new norm in world trade is being established. As such, political risk will remain elevated while the markets are unstable, but will return to traditional levels as the world economy improves, according to Aon.

Similarly, recent research from Coface, a global firm which specialises in trade risk management, pointed to continued tension between sovereign risks in the euro zone and the financing of growth in the emerging countries. The Coface research, which took in 156 countries (of which 28 are classified as advanced countries), found that a key issue for country risk will be private debt monitoring and growth financing. According to Coface's forecasts, worldwide growth should slow down in 2011 to 3.4 per cent, compared to 4 per cent in 2010, under the combined effects of debt reduction in the private sector, the setting up of restrictive budget policies in Europe, the possible rise in raw materials prices and the expected slowing in worldwide trade. Advanced countries will show growth of 1.8 per cent compared to 2.3 per cent in 2010, and the euro zone will experience limited growth deceleration (1.4 per cent compared to 1.7 per cent in 2010). This moderated drop will have a negative impact on the average credit risk for companies, but the impact will be highly contained as the growth differential between 2010 and 2011 is limited to 0.6 percentage points of GDP. The research found that the big winners of the financial crisis are the emerging countries, which will continue their solid growth trajectory in 2011 with a slight slowdown: 6.2 per cent compared to 6.7 per cent in 2010. Contrary to the euro zone, where the private debt bubble has resulted in sovereign crises, activity in the emerging countries is not handicapped by the weight of private debt. "Traditionally the idea of country risk was reserved for emerging economies with a major risk linked to the foreign currency component of the debt of the emerging countries," said François David, Chairman of Coface. "However, the euro zone has demonstrated that it is possible to be in a crisis with very high external debt but in local currency. This working framework is falling apart."
Insolvency risks increase following QLD floods

The immediate impact of the Queensland flooding disaster for many businesses is likely to include a reduction of incoming revenue, which could lead to a subsequent rise in insolvency risks and trade creditor concerns, according to an international law firm. Fixed obligations, including interest on borrowings, will remain payable despite the reduced cashflow; however, if the reduced cashflow affects the ability of a business to meet debts as and when they fall due, then there is a danger that a business may become technically insolvent. "It is important to remember that the test for insolvency is based on cashflow, so that an abundance of assets does not protect a company from insolvency if there are no funds available to meet known debt obligations as they arise," said Robert Milbourne, a partner at Norton Rose. "While liquidation is the ultimate result of insolvency, continuing to trade whilst insolvent raises immediate and important liability issues for directors of companies to consider."

If owners and/or operators are experiencing cashflow problems due to the recent floods, Milbourne said they should immediately analyse their organisation's ability to meet its short and long term obligations and seek professional advice to assist with, for example, restructuring payments to creditors, seeking additional funding, or securing collection with respect to debtors. "Businesses contracting with third parties for goods and services should also exercise reasonable precautions with respect to third parties that may be at risk of becoming insolvent," he said. "The safest course is not to contract with any company that you consider to be at risk, except on cash on delivery (COD) terms. However, where contracting on COD terms is not possible, the standard protections should be considered, for example, bank guarantees, letters of credit and parent company guarantees." Commenting in a recent legal update, Milbourne said parties may also consider protecting themselves by inserting clauses into contracts granting a right to terminate on short notice without being required to show cause, and providing access to audit accounts where the contractor is unable to pay invoices on time.
Room for risk management improvement with boards

Many boards struggle with defining and setting the risk appetite for their organisations in the key areas of strategy, finance and operations, according to a corporate governance expert. A key role of boards is to set the risk appetite for their organisation, or how much risk is appropriate given the aspirations of shareholders and other key stakeholders. Boards should be defining risk appetite against the AS/NZS ISO 31000 risk standard categories for likelihood and consequences, and decide which risks management may deal with as well as how and in what timeframe management must inform the board of such risks, according to James Beck, managing director of Effective Governance. In general most organisations understand that for every strategy that is being implemented there is an element of risk, but he said that many struggle with reporting back to the board the progress against the KPIs of each strategy and reporting the status of the key risks associated with each strategy. "Generally poor-performing strategies can be attributed to risks that have not been mitigated through additional funding, resourcing or taking a revised approach," he said.

"If your board has not defined/set its risk appetite – work to achieve this urgently, by taking time to workshop this through the management team and the board – as this provides the initial step of the framework in which the organisation is to embed risk governance throughout your organisation."

Secondly, Beck advised organisations to define their crisis management plan succinctly. "Within risk governance a crisis is the occurrence of a risk that was not foreseen/on the risk register or for which the mitigation process has failed," he said. At the board level, a crisis management plan is not a detailed document (some organisations have detailed plans of 30-plus pages that are more like disaster recovery plans) but needs to cover just three things:
• Who declares a crisis (such as the CEO/senior management team, in consultation with the CEO/Chair)
• Who communicates a crisis (such as the Chair or another board member)
• Who rectifies the crisis (such as the CEO, but this should not be the same individual who communicates the crisis, as they should be busy rectifying it)
"As such a crisis management plan can be documented in three paragraphs, easily remembered, and address all crises facing an organisation," Beck said.
NEWS REPORT
T
here is no arguing against the potential effectiveness of outsourcing data to a cloud computing application. It offers organisations a chance to redesign their IT systems and, crucially, reduce capital expenditure: current government ICT spend is $4.3 billion per annum. But there is also no questioning that engaging in a cloud application is difficult and complicated, and the risks of doing so must be carefully thought through. A new whitepaper commissioned by Macquarie Telecom, entitled Managing Jurisdictional Risks in the Cloud, identifies the risks when Australian businesses and government contemplate sending data offshore, warning that risk managers must equip themselves with enough knowledge of cloud computing to avoid incurring reputational damage and hidden costs. Author of the report, Connie Carnabuci, partner and head of the intellectual property/information technology practice group in Asia at Freshfields Bruckhaus Deringer, said that while some of the risks associated with cloud computing are similar risks that all businesses that have engaged in any kind of outsourcing, they are amplified. “This is because previous outsourcing models sent data from one static location to another, but the global cloud is not static,is in transit the whole time and moving across multiple jurisdictions.”
Managing regulatory compliance One area of concern for businesses when storing data offshore is analysing and managing regulatory compliance. Carnabuci encourages organisations to undertake a ‘red,amber,green’analysis for each cloud solution being considered, in order to categorise its risks.“In a
cloud, data is not necessarily going to one jurisdiction but many. Businesses have to look at rules and regulations that apply to their data in the jurisdiction where the data originates as well as what rules apply in the received jurisdiction.” Cloud providers currently tend to be domiciled in the US, so many contracts will be governed by US law. A crucial difference between Australia and the US, for example, is that the US does not have an overarching data privacy law across all industry sectors; instead it has a sector specific approach. KEY POINTS TO TAKE AWAY: • •
•
Get regulatory analysis right. If you don’t get that right, everything is flawed. There are some hidden operational risk associated with clouds. Try to flesh those out and factor them into your overall business case. Think carefully about how you might enforce the cross-border relationship with the US provider. It’s not as straight forward as dealing with an Australia service provider.
“I would suggest that the structure in the US is not substantially similar to the national privacy principles that we have. That means Australian businesses will need to incorporate something akin to the national privacy principles into their contracts with US providers,” explains Carnabuci. “If you don’t get the compliance part right, the entire proposal to enter into a cloud solution could be jeopardised and the business could be seriously at risk of being sued by customers and also reputational damage.
“Understanding the regulatory analysis is really a board-level issue, but it falls on risk managers to inform themselves a little bit about the cloud and what it actually means as a technical solution.”
Hidden costs
The white paper also details several ‘hidden’ costs to using a cloud-based application that may not instinctively be factored into business cases up front, therefore presenting substantial financial risks going forward. First of all, outsourcing data can potentially create a taxable presence in the US. And while it’s not yet clear whether the mere storage of data in the US will constitute ‘doing business’ in the country, there have been some cases where a cost has been incurred. “All of the [cloud application] arrangements would need to be assessed by a US tax advisor,” said Carnabuci. Furthermore, US Government and law enforcement agencies possess comparatively strong powers permitting them to access private data, primarily due to ongoing concerns about national security. “The Foreign Surveillance Act and the Patriot Act, the US Government only needs to show that the party is a foreign government agency and then they can access an organisation’s data,” said Carnabuci. “Finally, the rules around discovery and document retention are more rigorous in the US than they are in Australia. So in the US are required to retain documents not only for pending litigation but for recent foreseeable litigation. Again there could be operational costs incurred.”
EXECUTIVE PANEL
What is the most important piece of technology impacting risk management?

John de Groot, Compliance and Internal Audit Manager, State Water Corporation
Smartphones! There has been a huge shift in the way we conduct business. We have moved from a largely “closed” system of commerce to an “open” system. Some of us remember having bank books which we took to the bank and when you made a deposit or withdrawal the teller recorded the transaction in your bank book. This was a relatively risk-free system because you had the book in your possession and unless you lost it or it was stolen, no one else could access it. Today though we have the situation where 75 per cent of our world has their infrastructure built on wireless technology communications for receiving payments, paying bills and making purchases. Most federal governments depend on private corporations to deliver national communications without regulating security. Mobile communication innovations via smart phones have rapidly been adopted by businesses and consumers in the last five years and this has opened a plethora of vulnerabilities. The smartphone manufacturers do not build security, it is not their job; they leave that to the major wireless carriers, which have not taken security as their responsibility. For $59.95, you can buy a software package to enable your mobile phone to listen to any other targeted smartphone. All forms of communications are now vulnerable to theft and illegal misuse. Every communications device is a potential target; mobile phones, laptops, satellite phones, walkie-talkies and all office phones using VoIP (Voice over IP). This breed of software means privacy is a thing of the past and your transactions, conversations, data, SMS messages etc can be viewed from any PC anywhere in the world running this low cost, easily accessible software. Identity theft is the fastest growing crime in the world and our mobile communications technology is largely responsible for that. If this technology is not in your risk register, it ought to be!

Chad Alpert, Archer business manager, RSA
As we come out of the GFC and on the back of some globally compelling events that occurred in the past decade, the need to manage risk within an organisation has become increasingly of focus. Events such as the swine flu breakout, acts of terrorism or the recent floods affecting Queensland and Western Australia, combined with individual events organisations are being asked to comply with, demonstrate compliance to an ever increasing regime of regulatory and legal guidelines. Organisations are being driven to focus on what will ultimately become one of the most important business systems for organisations moving forward, Enterprise Governance Risk and Compliance (eGRC). Organisations are finding that while they have invested significantly in mitigating controls, their ability to understand their current risk posture in real time has been significantly lacking. In addition, they are also starting to appreciate that the ability to govern their organisations across the domains of risk and compliance requires a broader appreciation of other aspects of their business that were previously managed in isolation. It seems that it is no longer acceptable to work in isolation as we are expected to do more with less and deliver faster and more business aligned understanding on a day-to-day basis. Organisations are calling for an enterprise platform that can help consolidate and integrate the enterprise-wide information. This information currently exists within silo applications and business units and needs to be extracted and integrated in real time to present both top down and bottom up views of compliance, control effectiveness, risk posture or metrics pertaining to both Key Risk Indicators and/or Key Performance Indicators. eGRC platforms are coming to the forefront of technology considerations for organisations across the globe. These platforms are able to bring rigor and standardisation to core business processes across the domains of Finance, Legal, Operations and IT, providing a single pane of glass across enterprise Risk and Compliance. Companies are starting to recognise that GRC is a journey, not a destination. The sooner they invest in robust platforms that can adapt to their existing business processes and change with their organisation, the sooner they will be able to deliver on their stakeholders’ expectations and start making decisions based on demonstrable facts.

Henry Ng, head of professional services Asia, Verizon Business
The most important technologies impacting the risk profession are those that encourage businesses to operate in a secure and compliant manner to safeguard financial data. For the many businesses at the centre of payment card transactions, it is vital that they adhere to standard security procedures and technologies to prevent the theft or misuse of confidential customer information. One of the key industry regulations that encourage businesses to put solid security technologies in place is the Payment Card Industry (PCI) standard – a comprehensive set of multifaceted requirements developed to facilitate the broad adoption of consistent data security measures on a global basis. The more personal financial data a business stores, the risk of potential data breaches increases in tandem. The recent Verizon Payment Card Industry Compliance Report shows that complying with industry security standards can dramatically reduce credit card data breaches. It also found data breaches are 50 per cent less likely in businesses that are PCI DSS (Payment Card Industry Data Security Standard) compliant. Failure to operate in a PCI compliant environment can have serious ramifications. Demonstrating compliance and maintaining alignment with PCI requirements can serve you well, but the increasing complexities of today’s networked infrastructure can make this challenging. Without the right security and technology in place, businesses are left vulnerable, running the risk of data breaches, financial loss, downtime and reputational damage to the business brand in the event of a data breach. While an organisation’s journey towards compliance and risk management is not always easy, simple technologies can greatly assist in approaching security. These include the use of firewalls, encryption programs and tokenization technology – each designed to reduce vulnerabilities. The best advice I can offer businesses is to seek professional advice, implement additional security measures to minimise risk and above all, use common sense.
INSURANCE
D&O insurance under strain post-GFC
Mounting class actions and ASIC enforcement activity severely test the adequacy of current directors and officers (D&O) insurance policies
Six out of every ten D&O insurance providers saw the number of claims and notifications against their D&O policies at least double following the global financial crisis. A further 60 per cent predicted that in the coming year, class actions would be the main challenge for D&O policies, followed by greater enforcement action from regulators such as ASIC (20 per cent) and the rise in liquidator actions (8 per cent). “The corporate collapses from the GFC created a perfect storm of shareholder, creditor and regulator outrage,” said Greg Skehan, senior partner in the insurance group at law firm Colin Biggers & Paisley, which conducted the research. “We’ve seen a big upsurge in legal actions against companies and directors as investors and liquidators galvanise to recover their losses and ASIC mobilises to crack down on ‘so-called’ corporate crooks.

“D&O insurance is consequently being called upon to cover a greater number of claims involving higher aggregate payouts so it’s no wonder many policies are being squeezed, particularly in the area of payout limits.” To illustrate, 20 per cent of D&O insurance providers revealed that the insured’s D&O policy did not fully cover their costs in up to 25 per cent of claims, while 10 per cent indicated the policy was not sufficient to cover costs in 25 to 50 per cent of cases. While 70 per cent of respondents reported that an insured’s claim costs were generally fully covered, so the system was not yet at breaking point, Skehan cautioned that there were clear signs cracks were developing.

Another significant area where directors were being left out of pocket was investigation costs – a by-product of ASIC significantly ‘upping the ante’ on enforcement action in recent times, according to Skehan. The survey found that 80 per cent of respondents had observed an increase in claims for investigation costs, while 50 per cent reported that current sub-limits for this category of costs were not sufficient to fully cover claimants’ needs. “ASIC has not held back in using its powers to compel corporates to produce information and attend extensive interviews in recent years. Summonses often go out to multiple directors and executives which only increases the time and costs, as every individual called up needs to have capable legal representation,” said Skehan. “The regulator’s more active investigative role has meant that limits for representation costs are being eroded at a very early stage so there’s often little left in reserve for when proceedings develop into serious litigation later down the track.” Skehan added that companies at risk of incurring substantial investigation and representation costs should consider negotiating more accommodating policy limits with their insurers and be prepared to pay a higher premium for those benefits.

Paul Smyth, national D&O manager at Aon Risk Services Australia, also noted that there was an immediate impact on D&O insurance following the GFC. “Availability and coverage retracted very quickly while prices went up very significantly – pretty much overnight – but as we’ve gone on, that’s levelled out,” he said. “Insurers are very much risk selective and I think that’s one of the key issues at the moment. Insurers are still trying to work through the 10 per cent [of clients] that are quite ugly, the 80 per cent that are somewhere in the middle and the 10 per cent that sits at the very top end of the attractive range for them.” Smyth said that insurers are paying close attention to the “ugly 10 per cent” which have short-term debt problems, inadequate cash flows, financing issues to deal with in a very short timeframe and poor corporate governance. For companies that might find it difficult to plan appropriate D&O insurance, Smyth said the best approach is to build a relationship with insurers, insurance advisors and/or lawyers. “It’s a much easier conversation to have with an insurer when they have seen the whites of the eyes of the client. In other words, the client’s just not a piece of paper,” he said. “I think it’s important that clients build a rapport in the relationship with their insurers in the easier times, not when you’ve got lawyers breathing down your neck and your business is under stress. The ideal position is to have that relationship established before you actually need to call upon that relationship.”
IT SECURITY
2011: Cyber threats abound
Last year’s most talked about new technologies could all be major targets for cybercriminals, while politically motivated attacks will be on the rise, as more groups are expected to follow WikiLeaks’ lead.

In McAfee’s 2011 Threat Predictions report, which outlines the top threats that researchers at McAfee Labs foresee for this year, Google’s Android, Apple’s iPhone, foursquare, Google TV and the Mac OS X platform all feature. Michael Sentonas, McAfee CTO for APAC, said that with more users adopting social networking for both personal and business activities, they have quickly become a highly vulnerable target for cybercriminals to exploit. “The popularity of social platforms and mobile devices will lead to a rapid increase in attacks putting user and corporate data at risk,” he said.

The McAfee Labs Threat Predictions for 2011:

Exploiting Social Media: URL-shortening services
Social media sites such as Twitter and Facebook have created the movement toward an “instant” form of communication, a shift that will completely alter the threat landscape in 2011. Of the social media sites that will be most riddled with cybercriminal activity, McAfee Labs expects those with URL-shortening services will be at the forefront. The use of abbreviated URLs on sites like Twitter makes it easy for cybercriminals to mask and direct users to malicious websites. With more than 3,000 shortened URLs per minute being generated, McAfee Labs expects to see a growing number used for spam, scamming and other malicious purposes.

Exploiting Social Media: Geolocation services
Locative services such as foursquare, Gowalla and Facebook Places can easily search, track and plot the whereabouts of friends and strangers. In just a few clicks, cybercriminals can see in real time who is tweeting, where they are located, what they are saying, what their interests are, and what operating systems and applications they are using. This wealth of personal information on individuals enables cybercriminals to craft a targeted attack. McAfee Labs predicts that cybercriminals will increasingly use these tactics across the most popular social networking sites in 2011.

Mobile: Usage is rising in the workplace, and so will attacks
Threats on mobile devices have so far been few and far between, as “jailbreaking” on the iPhone and the arrival of Zeus were the primary mobile threats in 2010. With the widespread adoption of mobile devices in business environments, combined with historically fragile cellular infrastructure and slow strides toward encryption, McAfee Labs predicts that 2011 will bring a rapid escalation of attacks and threats to mobile devices, putting user and corporate data at very high risk.

Apple: No longer flying under the radar
Historically, the Mac OS platform has remained relatively unscathed by malicious attackers, but McAfee Labs warns that Mac-targeted malware will continue to increase in sophistication in 2011. The popularity of iPads and iPhones in business environments, combined with the lack of user understanding of proper security for these devices, will increase the risk for data and identity exposure, and will make Apple botnets and Trojans a common occurrence.

Applications: Privacy leaks—from your TV
New Internet TV platforms were some of the most highly-anticipated devices in 2010. Due to the growing popularity among users and “rush to market” thinking by developers, McAfee Labs expects an increasing number of suspicious and malicious apps for the most widely deployed media platforms, such as Google TV. These apps will target or expose privacy and identity data, and will allow cybercriminals to manipulate a variety of physical devices through compromised or controlled apps, eventually raising the effectiveness of botnets.

Sophistication Mimics Legitimacy: Your next computer virus could be from a friend
Malicious content disguised as personal or legitimate emails and files to trick unsuspecting victims will increase in sophistication in 2011. “Signed” malware that imitates legitimate files will become more prevalent, and “friendly fire,” in which threats appear to come from your friends but in fact are viruses such as Koobface or VBMania, will continue to grow as an attack of choice by cybercriminals. McAfee Labs expects these attacks will go hand in hand with the increased abuse of social networks, which will eventually overtake email as a leading attack vector.

Botnets: The new face of Mergers & Acquisitions
Botnets continue to use a seemingly infinite supply of stolen computing power and bandwidth around the globe. Following a number of successful botnet takedowns, including Mariposa, Bredolab and specific Zeus botnets, botnet controllers must adjust to the increasing pressure cybersecurity professionals are placing on them. McAfee Labs predicts that the recent merger of Zeus with SpyEye will produce more sophisticated bots due to improvements in bypassing security mechanisms and law enforcement monitoring. Additionally, McAfee Labs expects to see significant botnet activity in the adoption of data-gathering and data-removal functionality, rather than the common use of sending spam.

Hacktivism: Following the WikiLeaks path
2011 marks a time in which politically motivated attacks will proliferate and new sophisticated attacks will appear. More groups will repeat the WikiLeaks example, as hacktivism is conducted by people claiming to be independent of any particular government or movement, and will become more organised and strategic by incorporating social networks in the process. McAfee Labs believes hacktivism will become the new way to demonstrate political positions in 2011 and beyond.

Advanced Persistent Threats: A whole new category
Operation Aurora gave birth to the new category of advanced persistent threat (APT)— a targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than pure financial/criminal gain or political protest. McAfee Labs warns that companies of all sizes that have any involvement in national security or major global economic activities should expect to come under pervasive and continuous APT attacks that go after email archives, document stores, intellectual property repositories and other databases.
COMPLIANCE
Bridging the risk management and compliance gap
A recent study of ASX500 companies found that governance and risk management frameworks are not integrated in many organisations, and while governance frameworks are considered mature, risk management remains at the operational level.
With organisations involved in the implementation phase of cascading risk management through all areas of the business, the research, conducted late last year by Chartered Secretaries Australia (CSA) in conjunction with SAI Global, found that developing more sophisticated, strategic approaches to risk management at every level is yet to happen. The biggest implication of the research, according to Tim Sheehy, CSA chief executive, is that there are differing perspectives on what risk management is meant to deliver within companies. “If you’re in the boardroom you’re looking at risk management to focus on your organisation’s reputation and protect your director’s liability. But if you’re in operations you’re less focused on reputational risk and more interested in operational risks and cascading risk management throughout the organisation,” Sheehy explains. “That means there’s no-one taking adequate, strategic oversight with risk management and how it can go beyond value protection and move in to value creation.” While governance frameworks are mature and well understood and integrated within organisations, Sheehy says risk management is comparatively new and as such not yet integrated into the strategic forward-thinking of organisations.

However, Brian Roylett, president of the Risk Management Institution of Australasia (RMIA), says there is overwhelming evidence that the source of risk in the most spectacular corporate failures during the global financial crisis and catastrophic events resulting in significant loss of shareholder value, such as the recent BP crisis in the US, can be directly linked to poor management of operational risks and the inability of boards to understand the impact that these can have on the strategic objectives of the organisation. He noted that the research drew a distinction between strategic and operational risks, and therefore tended to place a higher priority on the former, without recognising the potential for operational risks to rapidly escalate to a level that threatens the very strategic objectives of an organisation. “It is therefore the responsibility of the risk professional to demonstrate to boards the need for thought leadership in balancing both strategic and operational risks, maximising opportunities within acceptable risk limits of the organisation,” said Roylett.
A reflection of the risk profession?
The “risk profession” encompasses executive directors, CFOs, CROs, corporate risk managers and all those who contribute to risk identification, risk analysis, risk assessment and risk controls across the entire spectrum of organisational management, according to Roylett. “If strategic and operational risks and the means to manage these exposures within acceptable limits is not clearly appreciated by boards of directors then one could say that ‘risk professionals’ at all levels lack the ability to contribute strategically to the business in failing to educate and inform directors,” he says. The challenge for risk professionals in risk communication at the board and executive level is to demonstrate a clear relationship between operational risks and how these can impact upon the strategic goals and objectives of the organisation, says Roylett. “The continued segregation of both strategic and operational risks in the minds of executive management and how these are effectively managed will continue to create barriers in creation of an Enterprise Risk Management (ERM) program,” he says. While the survey findings are not necessarily a reflection of the risk profession and its lack of ability to contribute strategically to business, Sheehy believes there is a connection. “Any operational risk people don’t get into the board room. They don’t have that visibility at that level of discussion in the organisation so there’s a little more growth yet to occur in order for the profession to integrate itself into strategic discussion,” he says.
Suggestions for improvement
The research highlighted several areas on which risk professionals could act, according to Alf Esteban, general manager, Asia Pacific, SAI Global. “The first is that risk ownership is not clear in organisations and that many organisations do not have clear risk responsibilities and as a consequence, risk reporting is inadequate,” he says. “Risk professionals need to ensure that risk management frameworks are embedded in the daily operations of the organisation so that there is straightforward monitoring and reporting directly into governance and decision making.” The second area risk professionals can focus on is assisting governance professionals to use risk management as a tool in value creation. Unfortunately, risk is often seen as a negative which can result in risk professionals being seen as conservative and risk averse, he says. “Risk management techniques can be applied to positive risks or opportunities and should be used to drive value for organisations. Risk professionals have a role to play in assisting organisations in scenario testing and strategic risk management, shifting focus from operational issues to strategic issues,” says Esteban. Risk professionals should try and move across internal boundaries within an organisation and be champions of the need to integrate risk management across the organisation, asserts Sheehy. “So there is an element of the profession speaking up for itself and a champion is a way to do that,” he says. “And at the moment, the accounting profession will have one perspective on risk management, the actuarial profession will have another perspective on risk management, our own organisation has another. And if the risk management profession wants to be identified as a significant contributor it needs to be able to move risk management across an organisation and up into the board room,” he says.

WESTFIELD ON RISK MANAGEMENT
Eamonn Cunningham, chief risk officer of Westfield, believes most risk management professionals aren’t yet in a position where they can truly contribute at a strategic level. However, this process is a journey, according to Cunningham, who adds that most risk professionals are on this journey but “just haven’t reached the end yet”. He says risk management professionals need to partner with the whole of their business and also broaden their view to encompass risks such as people risks as well as brand and reputational risks. “If you regard yourself as the risk manager for the whole business, then you need to approach risk from a top-down basis and engage with the more senior levels of your organisation. This can take perseverance, but you also need to operate in a manner that makes yourself and your function relevant to the business. It is the business that owns the risk – you simply facilitate the practice of risk management by interacting with everybody right across the operation,” he explains. A “good common sense approach to business” will help risk professionals in gaining a broader view of risk management, Cunningham says. “I don’t think any specific educational stream automatically guarantees you the right to tap into this level of interaction. If you tap into the appetite the more senior parts of business have for risk management, then you’re talking about being part of that culture from the top that truly embraces risk management,” he says. “At this level you need to know the business well, have very good influencing skills, talk the talk and be absolutely relevant to your audience. So in other words you can’t demand entry to the club – you must earn your stripes.”
WOOLWORTHS ON RISK MANAGEMENT
Kerry McGoldrick, Woolworths’ enterprise risk manager, says there is no easy answer to how evolved the risk management profession is in Australia. Firstly, there isn’t a uniform regime for training and qualification for those working in risk in Australia, so he says it lacks one of the key characteristics attributed to the likes of the legal and accounting professions. Secondly, reflecting the many facets of risk, he says there are a wide range of educational pathways available, and a wide range of representative organisations and associations. “So risk management is a very broad church, which makes it difficult to comment on its evolution as a whole. Some disciplines within it are very mature, others are in the earlier stages of development. I would say that the branch of risk management focused on strategic, organisational programs is in a youthful stage,” he says. There is no one best way to implement risk management, and McGoldrick says a risk management program must fit the context, objectives and culture of a particular organisation. “So a contextual, objectives-focused approach is always required in order to add value. Risk management should ideally be integrated into an organisation’s broader governance framework and embedded within its strategic planning processes,” he says. It is important to remember that risk management is a means to an end – the responsible achievement of strategic objectives – not an end in itself, he adds. “Corporations are, after all, in the business of taking risk. So an approach that fosters a healthy, commercial approach to thinking about, taking and managing risk will usually be value accretive,” says McGoldrick, who adds that, at the board and senior management levels, information and tools that will inform explicit thinking about the alignment of risk appetite with objectives will also add value.
COVER STORY
Paving the way to corporate governance
Corporate governance has come a long way in recent years. However many companies still struggle to build a strong organisation-wide culture of governance, writes Craig Donaldson
Over the past decade, the practice of corporate governance has improved significantly thanks to strengthening board oversight of management and more informed ownership by shareholders. A recent survey, conducted by Chartered Secretaries Australia and SAI Global, found that governance frameworks within Australian companies are considered mature while governance professionals are actively in the boardroom and rate the performance of their companies highly on the independence of mind that is central to any governance framework. Tim Sheehy, chief executive of Chartered Secretaries Australia (CSA), says that there are four key elements to good governance: transparency, accountability, stewardship and integrity. These elements need to be clearly enunciated within an organisation and visibly embraced by those who are in positions of influence, he asserts. “So if an organisation is about transparency and openness, it doesn’t hide things; if there are clear accountabilities then people are held to account and also rewarded for achievements; if the board has agreed on a direction then it provides long-term vision for the organisation; and all this needs to be done with integrity and a strong sense of ethics,” says Sheehy. “And then these elements need to be clearly communicated and seen to be clearly communicated.” John Colvin, CEO of the Australian Institute of Company Directors (AICD), also says there are two key indicators of good corporate governance within organisations: a culture of enquiry and a culture of education and training. While many large companies have training programs in place, it is also important that the board is kept up-to-date with what’s happening in the corporate governance world, Colvin says. “Boards that take corporate governance seriously are interested in understanding their roles and how they can better interrelate with the executive, making sure that employees know what good corporate governance looks like, and understanding how good corporate governance is tied in with good corporate performance over the long-term,” he says. “It’s a virtuous circle. Good corporate governance and strategy leads to better performance, which leads to better communication with stakeholders, and this is reinvigorated through continuous learning and improvement which then leads to better governance, results and so forth.”
Common issues

A lot of the challenges that organisations experience in this area can be put down to bad hiring, according to Sheehy. “You have to bring the right people on board in the first place, so even in a tight labour market, getting people who align to the organisation’s values is almost up there with knowledge and experience. Hiring people that demonstrate your values is absolutely critical,” he states.

Other challenges can be found in effective internal communication of values, followed by effective external communication of demonstrated values and behaviours, Sheehy adds. “A lot of it boils down to how effectively companies communicate with their staff and then ensuring there’s clear, constant communication between the organisation and external stakeholders. People often don’t communicate the good things. The bad news surfaces anyway, but we also forget to champion the good news.”

Another common trap that organisations fall into is taking a tick-box approach to governance, Colvin says. “Enron had a wonderful box-ticking corporate governance structure. It passed all the tests, but it didn’t really work because there was a disconnect with what was happening in the corporation. Box-ticking doesn’t really apply any rigour in the end. All it does is provide more and more bureaucracy and overheads,” he recalls.

Another important consideration is aligning corporate governance with strategy. “So you align your corporate governance models with where you are now, but also importantly, where you think you’d like to be,” Colvin explains. “That way, you’ve got a living corporate governance system which is reviewed over time, which changes over time and which is aligned with where the company is at any given time. It shouldn’t become an inflexible model but one which is capable of being adapted as you go forward.”

TOP TEN STEPS TO GOOD GOVERNANCE

1. Recognise that good governance is not just about compliance. Boards need to balance conformance (compliance with legislation, regulation and codes of practice) with the performance aspects of the board’s work (improving the performance of the organisation through strategy formulation and policy making). As part of this process, a board needs to elaborate its position and understanding of the major functions it performs as opposed to those performed by management. These specifics will vary from board to board. Knowing the role of the board and who does what in relation to governance goes a long way towards maintaining a good relationship between the board and management.

2. Clarify the board’s role in strategy. It is generally accepted today that the board has a significant role to play in the formulation and adoption of the organisation’s strategic direction. The extent of the board’s contribution to strategy will range from approval at one end to development at the other. Each board must determine what role is appropriate for it to undertake and clarify this understanding with management.

3. Monitor organisational performance. Monitoring organisational performance is an essential board function, and ensuring legal compliance is a major aspect of the board’s monitoring role. It ensures that corporate decision making is consistent with the strategy of the organisation and with owners’ expectations. This is best done by identifying the organisation’s key performance drivers and establishing appropriate measures for determining success. As a board, the directors should establish an agreed format for the reports they monitor to ensure that all matters that should be reported are in fact reported.

4. Understand that the board employs the CEO. In most cases, one of the major functions of the board is to appoint, review, work through and replace (when necessary) the CEO. The board/CEO relationship is crucial to effective corporate governance because it is the link between the board’s role in determining the organisation’s strategic direction and management’s role in achieving corporate objectives.

5. Recognise that the governance of risk is a board responsibility. Establishing a sound system of risk oversight and management and internal control is another fundamental role of the board. Effective risk management supports better decision making because it develops a deeper insight into the risk-reward trade-offs that all organisations face.

6. Ensure the directors have the information they need. Better information means better decisions. Regular board papers will provide directors with the information that the CEO or management team has decided they need. But directors do not all have the same informational requirements, since they differ in their knowledge, skills and experience. Briefings, presentations, site visits, individual director development programs and so on can all provide directors with additional information. Above all, directors need to be able to find answers to the questions they have, so a policy giving access to independent professional advice is recommended.

7. Build and maintain an effective governance infrastructure. Since the board is ultimately responsible for all the actions and decisions of an organisation, it will need to have in place specific policies to guide organisational behaviour. To ensure that the line of responsibility between board and management is clearly delineated, it is particularly important for the board to develop policies in relation to delegations. Processes and procedures also fall under this heading. Poor internal processes and procedures can lead to inadequate access to information, poor communication and uninformed decision making, resulting in a high level of dissatisfaction among directors. Enhancements to board meeting processes, meeting agendas, board papers and the board’s committee structure can often make the difference between a mediocre board and a high-performing board.

8. Appoint a competent chairperson. Research has shown that board structure and formal governance regulations are less important in preventing governance breaches and corporate wrongdoing than the culture and trust created by the chairperson. As the “leader” of the board, the chairperson should demonstrate strong and acknowledged leadership ability, the ability to establish a sound relationship with the CEO, and the capacity to conduct meetings and lead group decision-making processes.

9. Build a skills-based board. What is important for a board is that it has a good understanding of what skills it has and those skills it requires. Where possible, a board should seek to ensure that its members represent an appropriate balance between directors with experience and knowledge of the organisation and directors with specialist expertise or a fresh perspective. Directors should also be considered on the additional qualities they possess, their “behavioural competencies”, as these qualities will influence the relationships around the boardroom table, between the board and management, and between directors and key stakeholders.

10. Evaluate board and director performance and pursue opportunities for improvement. Boards must be aware of their own strengths and weaknesses if they are to govern effectively. Board effectiveness can only be gauged if the board regularly assesses its own performance and that of individual directors. Improvements that come from a board and director evaluation can include areas as diverse as board processes, director skills, competencies and motivation, or even boardroom relationships. It is critical that any agreed actions that come out of an evaluation are implemented and monitored. Boards should consider addressing weaknesses uncovered in board evaluations through director development programs and enhancing their governance processes.

Source: James Beck, managing director, Effective Governance
Steps for improving corporate governance

The business world has changed significantly in recent years and lessons being learned from the GFC are still filtering through, according to Colvin. One particular issue for board members in the wake of the GFC is the expectation gap on non-executive directors, he says. “There’s an expectation by the community and politicians that non-executive directors are really full-time executive directors and employees, as opposed to being non-executive directors who have more of an oversight role,” Colvin says. “So people dealing with boards need to understand how the Australian model of corporate governance works overall, and not just in their own discipline. In other words, they should have a broader education so they can relate easily with other professionals and experts and also know how to communicate with and understand a board’s perspective.”

Similarly, Sheehy recommends taking the process of corporate governance seriously. “If you’re not serious about it the bulk of the staff in the organisation will see it very quickly and they’ll lose confidence. It’s important to devote adequate time to it at the right time. So as you examine your strategy, look at your risk profile and identification of risks at the same time, for example,” he says. “What’s most important, however, is that you understand your organisation’s values, demonstrate them and not be afraid to stand up to unacceptable practices. That is really key.”

CORPORATE GOVERNANCE AT BHP BILLITON

As the world’s largest mining company, BHP Billiton employs some 40,000 people across the globe. The company has well developed and refined corporate governance policies and practices in place, which are detailed in its Working with Integrity: Code of Business Conduct guide. Its code is founded on the company’s charter values, and Marius Kloppers, CEO of BHP Billiton, says the emphasis on integrity underpins everything the company does. “At times, you might be in a situation where complying with the code may appear to conflict with our ability to win or retain business. Do not allow anything – meeting production, competitive instincts or even a direct order from a manager – to compromise our commitment to working with integrity,” he says in the guide.

The code of conduct covers areas including: health and safety; alcohol, drug and tobacco use; working with government; political contributions and activities; bribery and corruption; conflict of interest; gifts and hospitality; business and travel; competition and antitrust; and insider trading. The code contains a “business conduct quick test” covering values, safety, law, conscience and the media, while BHP Billiton also provides a worldwide business conduct advisory service (BHPBbusinessconduct.ethicspoint.com), which is designed to facilitate the resolution of business conduct queries and issues.
RISK PEOPLE
Risk people: Cameron Smith

Executive manager, operational risk, Westpac Group

When all-action Cameron Smith, executive manager, operational risk at The Westpac Group, isn't leading a team of 15 risk and compliance advisors, he can be found on his surfboard looking for a nice wave or playing drums with his band mates. “I have a good mix of personal and family interests – but like most people, I would love to have more time to enjoy them.”

Smith moved into the operational risk and compliance space around 10 years ago. Prior to this he was in an audit and advisory role with accounting firm PricewaterhouseCoopers. “Operational risk seemed a natural extension of the skill set that I developed in audit,” he says. According to Smith, the key shift from external audit to operational risk is that audit often takes a retrospective view, whereas operational risk looks to be predictive and forward-looking in its view. “After 10 years I still find it very challenging,” he says. “As a discipline and a profession, operational risk has developed a great deal over the past decade and continues to constantly evolve.”

At Westpac, group operations is responsible for supporting the bank’s consumer and business lending, transactional and collections banking processes, as well as functions such as sourcing, HR shared services and property for the Westpac Group. Smith joined the Group three and a half years ago from St George. His initial role was to build an operational risk and compliance team.

Early in his career Smith grabbed the chance to work in London, auditing general and reinsurance clients, an experience he still draws upon today to help solve problems. “A few of the insurance clients I worked with in London were in run off (closed for new business) and had fallen into the London market spiral, whereby insurance companies effectively bought reinsurance from a third party and then bought back some of their own risk that they had sold.

“Talking and listening to the managers running these companies in run off was fascinating. It gave me, early on, some real insight into the risks that these companies and syndicates had taken but not really fully understood. These companies and syndicates were often long standing and much respected. Not cowboys by any stretch. They had just failed to really understand, and in turn manage, the many different risks they could face and as a result they had paid the price.”

Another more recent career highlight has been leading the group operations risk and compliance advisory team at Westpac. “I am very proud of the team that I lead and the reputation it has with our business for the proactive support and pragmatic advice it provides. Group operations was one of the areas in the merged Westpac Group [with St George] that had a large amount of change as a result of bringing similar functions together.

“During this high level of change our newly formed team focused not only on giving risk advice but also delivered the risk process changes necessary to harmonise the risk governance across the two heritage operations. All this was done quite seamlessly and the level of cooperation and teamwork to do this really was a standout.”

Smith describes himself as pragmatic, adaptable and human, but says the most critical attribute for success as a risk advisor is the ability to earn the respect of the business you support. If you can’t develop a relationship based upon mutual respect with the business you support then, in his view, you will never be able to understand the real issues or challenges facing the business. It is through these professional relationships, and the risk advisor’s ability to be articulate, objective and holistic, that risk advisors can add value.

“I used to think what it took to be a good operational risk advisor was a black art! I now know this is not the case,” he says. “The base attributes are strong technical risk knowledge and a healthy scepticism – without fear, without favour. This is just a start though.

“Due to the fact that operational risk resides in the business, and is actually owned by the business, the key to success for a risk advisor is being able to understand the business. The only way to understand the business successfully is for the business we support to appreciate our role (and their role) and how we can add value to their business.”
RISK CAREERS
FINANCIAL RISK PEOPLE IN DEMAND

Risk management and compliance professionals are expected to be in demand this year as financial services firms continue to focus on adhering to regulation, according to financial services career website eFinancialCareers. eFinancialCareers head of Asia Pacific George McFerran said that risk roles have been at the top of the job charts since the global financial crisis reinforced the importance of good governance. “Demand for these positions is underpinned by many factors, including macro economic trends, leading to strong demand for resources bankers; regulatory pressures, creating demand for risk managers; and increases in trading volumes, resulting in more professionals needed in product control,” he said.

The workloads of risk management and compliance teams have increased as regulatory changes have appeared, so banks are expected to boost numbers in these areas in 2011 to help them cope. However, McFerran said the talent pool is small, so banks may need to take talent from professional services firms and from overseas. The by-product of banks poaching from one another is that compensation is likely to rise.

eFinancialCareers also predicted that the level of staff movement will increase in the first quarter of 2011, post bonuses, as people who were reluctant to move during the financial crisis look for new career opportunities. Employers will have a wider choice of talent compared with 12 months ago, but could suffer from skill shortages and therefore look to hire candidates from related sectors or from overseas if necessary. Other areas expected to see strong demand in 2011 include leveraged finance analysts; product control personnel; equity research analysts; and finance technology professionals.

WANT A PROMOTION? WAIT UNTIL JUNE

If you're angling for a promotion at work this year, June and July are the months to make your move, new research suggests. The global study by internet-based professional networking organisation LinkedIn found that January is traditionally the month when Australian workers bag a promotion. But while last month was a good time to get yourself up another rung on the career ladder, many promotions are now being granted at the end of the financial year, LinkedIn says. "The LinkedIn research shows that most Australian professionals get their promotions in January or around the end of financial year," said LinkedIn's Sally-Anne Blanshard. "This is the time they should be looking at investing in developing their brand online and networking." The online group said there had been a recent spike in July promotions in the Australian accountancy and law sectors. And Generation Y workers - those born in the 1980s - are also more likely to be promoted in the middle of the year. Globally, January, July and September are the most popular months for promotion.
RISKY BUSINESS
A LOOK AT THE MONTH’S ALTERNATIVE RISK STORIES

RISKY REMUNERATION

The link between risk and remuneration has been under intense scrutiny ever since the downfall of banks in the GFC. But when it comes to one Indonesian politician, the public are adamant he’s not getting paid enough to do a good job. Susilo Bambang Yudhoyono had been complaining about not receiving a pay rise for seven years, before members of parliament decided to start a collection. Unfortunately for Yudhoyono, however, only a few coins have been put in the transparent collection box, which was placed in the hallway of a parliamentary building this week. He reportedly earns around 62 million rupiah ($6,800) a month, below the 265 million rupiah earned by the central bank governor or by executives at state-owned firms. So if you’re worried about an executive underperforming, maybe it’s time for a whip-round?

BOTTOM LINE SECURITY

For those readers concerned about losing their dignity via new airport security scanners, fear no more. An American company has designed – wait for it – anti-radiation underwear to protect one’s privates during the scanning process. The Transportation Security Administration has come under growing pressure over new scanners that show the naked contours of passengers. And if passengers refuse to go through the scan, they face a detailed manual search, likened by opponents to ‘sexual groping’. But the new Rocky Flats Gear undies feature fig leaf patterns over the ‘sensitive’ area, with the leaves made out of material promising to “block natural and man-made radiation.” Not only does the garment block harmful rays of any kind (good to know), but crucially for those of shy disposition, the technology “insures privacy of medical and body scanner images,” according to the company website. Of course there is probably very little, if any, danger from radiation in the scans, and the searches are completely necessary to prevent increasingly imaginative bombers from boarding planes, but if you’re struggling for Valentine’s Day gifts, these could be the answer.
RISK BUSINESS DIRECTORY
www.riskmanagementmagazine.com.au/Directory/Compliance-Risk-Software