VIEWPOINTS [ PEOPLE ] Nicola Harvey of Christie’s and Coca-Cola Hellenic’s Adam Greene share their views on the risk management career path
RISKS
European risk and corporate governance solutions
www.strategic-risk.eu [ May 2011 ] Issue 70 €25
[ THREATS ] Breaching a UN sanction could mean a hefty fine and having your profits seized. And the risks are likely to escalate as political volatility rises
GOVERNANCE [ COMPLIANCE ] Everything risk managers are expected to know about the Bribery Act as it is finally enforced
THEORY & PRACTICE NEWS & ANALYSIS » Benefits of a healthy workforce » Egypt’s road to recovery » Risk managers’ cyber fears »
[ BEST PRACTICE ] Cyber theft is a fast-growing threat. Here are 10 things that risk managers need to do now
NUCLEAR FALLOUT
The mistakes that almost caused a meltdown and what it means for risk managers everywhere
Trouble at the top Success can breed behaviour that creates risk
Risk financing The options for transferring natural catastrophe exposures
LEADER [ MAY 2011 ]
Issue 70 May 2011
Nathan Skinner, EDITOR, STRATEGIC RISK
www.strategic-risk.eu WELCOME
Making connections

Risk interconnectivity – the link between one risk and its effect on a host of others. It’s one of the hardest things for risk managers to come to terms with. But as organisations increasingly try to prepare for the consequences of risk (rather than influencing whether or not they arise in the first place), it is even more important for them to understand how one thing affects another. Trying to map every single risk linkage throughout an entire organisation is a life’s work in itself, but offering insights into the knock-on effects of certain developments in conjunction with other company risks can provide a useful strategic advantage. Understanding the direct and indirect links between risks can help companies seize opportunities.

Take the rising significance of climate change and the link with water security. A lack of access to water can have a huge number of effects and the repercussions can reverberate globally. Extreme stress on clean water supplies can lead to food crises, for example, or the spread of disease. Or it can contribute to political instability. But of particular economic significance is the use of large quantities of water in the production of oil. If sufficient water is not available, oil production will decrease and operations will be interrupted, which could significantly affect global oil supply and prices. These new challenges are stimulating innovative business ideas. General Electric (GE) has been quick to use its engineering expertise to help the oil industry reduce water use. Saudi Arabia, one of the Middle East’s fastest-growing economies, faces a growing demand for water to feed its massive oil production, but water is scarce. Therefore, the Kingdom has mandated that 11% of its water should come from treated waste supplies and so GE is turning its attention to water reuse technology.

That’s just one example of the link between risks. To learn more, search ‘risk interconnectivity’ at strategic-risk.eu for our infographic mapping the connections between 37 different global risks. Or download a copy at goo.gl/ep2kL. SR

[CONTACT THE EDITOR] Email nathan.skinner@strategic-risk.eu or follow me at twitter.com/StrategicRISK

Editor Nathan Skinner Editor-in-chief Sue Copeman Market analyst Andrew Leslie Group production editor Áine Kelly Deputy chief sub-editor Laura Sharp Group sales director Tom Sinclair Business development manager Donna Penfold +44 (0)20 7618 3426 Redesign Joe McAllister Production designer Nikki Easton Group production manager Tricia McBride Senior production controller Gareth Kime Head of events Debbie Kidman Events logistics manager Katherine Ball Publisher William Sanders +44 (0)20 7618 3452 Managing director Tim Whitehouse Cover image Jamie Sneddon Email: firstname.surname@newsquestspecialistmedia.com

ISSN 1470-8167

Published by Newsquest Specialist Media Ltd, 30 Cannon Street, London EC4M 6YJ. tel: +44 (0)20 7618 3456 fax: +44 (0)20 7618 3420 (editorial) +44 (0)20 7618 3400 (advertising) email: strategic.risk@newsquestspecialistmedia.com

StrategicRISK is published eight times a year by Newsquest Specialist Media Ltd., and produced in association with Airmic (the Association of Insurance and Risk Managers). The mission of StrategicRISK is to deliver the latest risk and corporate governance solutions to key decision-takers in UK and European companies. StrategicRISK is BPA audited with a net average circulation of 10,046, June 2010.

For all subscription enquiries please contact: Newsquest Specialist Media, PO Box 6009, Thatcham, Berkshire, RG19 4TT, UK tel: +44 (0)1635 588868 email: customerservice@strategicrisk.eu Annual subscription (incl P&P) £249 €399 $499 Two-year subscription £449 €649 $849 Three-year subscription £427 €663 $821 Printed by Warners Midlands Plc © Newsquest Specialist Media Ltd 2011
www.strategic-risk.eu [ MAY 2011 ] StrategicRISK
1
CONTENTS [ MAY 2011 ]

[Infographic: Global risk register (photo: Nicolas Righetti/Panos Pictures). Labels recoverable from the graphic include Fraud, Technology risks, Data theft and leakage, Malicious hacking, Keeping pace with technological change, Protectionism, Economic problems, Recession recovery, Slow US recovery, Inflation, Higher risk transfer costs, Political turmoil, Geopolitical risks, Terrorism and Breaching sanctions]

News & Analysis [ THE LATEST BUSINESS ROUND-UP ]
4 The Best of the Web The biggest stories online, including a cyber defence service launch, Middle East water security and violence in Syria
6 Risk Indicator The companies fighting the malaise of employee absenteeism, the biggest US sanctions settlements and the Fukushima threat put into frightening perspective
8-10 News Analysis How quickly can democracy in Egypt lead to wellbeing in the country?; The growing wave of cyber crime that is costing billions
12 COVER STORY: News Feature The disastrous events of 11 March in Japan and subsequent nuclear fears must teach us not to just be prepared, but to be very prepared

Viewpoints [ PEOPLE ][ OPINION ][ COMMUNITY ]
15 Ahead of the pack Coca-Cola Hellenic’s group risk manager Adam Greene tells us how he looks beyond the statistics to the psychological factors influencing risk
17 Ripples from Japan spread worldwide There are few electronics-based businesses that do not source some products from Japan, and the knock-on effects of the disaster will continue to be felt
18 The gentle art of persuasion Christie’s group director of risk Nicola Harvey on the sometimes misunderstood and isolating life of the risk manager
40 Headspace Igor Mikhaylov of Russia’s Mobile TeleSystems answers our questions about his loves, his fears, and what it feels like to go skiing near a Chechen warzone

‘Being a risk manager can be quite an isolating role – lots of people don’t really understand what you do’ Nicola Harvey, chairman, Airmic, and group director of risk, Christie’s >> see Viewpoints page 18

Risks [ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]
22 Breaching the boundaries The number of sanctions in place makes sticking to the rules a minefield. How do risk managers get to grips with the issue?
24 RISK FINANCING: Catastrophes Even if you escape the direct effects of a disaster, you could still be impacted
26 Trouble around every corner We are living in interesting times indeed, but what do risk managers make of it all?
28 RISK ATLAS: Cyber crime An infected web page is found every 4.5 seconds. Which countries are playing host to the world’s malware?

Who to avoid: failing to stick to international sanctions can have serious implications for a company
Don’t look now: we ask 30 European risk managers about the biggest risks affecting their businesses

Governance [ ETHICS ][ COMPLIANCE ][ REPORTING ]
31 Taking responsibility The Environmental Liability Directive focuses on the repercussions of polluting, and why you need to protect yourself
34 It could be you … The new Bribery Act will make directors of companies liable for the corrupt practices of their companies – this time it’s personal

Theory & Practice [ INSIGHT ][ CASE STUDIES ][ BEST PRACTICE ]
36 The building blocks of risk When a business grows, how do you scale up the risk management side of things?
37 How to manage environmental damage Six steps to ensure that your company’s exposure to eco-damage is minimised
38 Strengthen your defences against cyber attacks Your business’s prized intellectual property may be at risk from hackers or rivals
NEWS MATRIX [ THE LATEST BUSINESS ROUND-UP ]

Top 10 essential online stories

01 CYBER RISK
New cyber defences
Detica, a BAE Systems company, has released a cyber defence service to prevent sophisticated cyber threats. The technology utilises techniques pioneered in national security defence and organised cyber crime prevention, and was previously only available to government and a few private companies. The system will offer a “unique behavioural analysis, based on massive-scale cloud technology to detect signs of potential compromise”. A team of expert cyber analysts will also be supporting the system, ensuring that previously ‘unseen and unchecked’ attacks on existing network defences are investigated. Detica’s technical director, Henry Harrison, said: “We see too many companies still believing that traditional defences are enough to protect them from cyber attacks. Businesses need to decide whether they’re going to try to do something to fight back against these threats, or whether they want to resign themselves to being, in effect, ‘open source’ organisations.” web. goo.gl/ha1SL

02 CORRUPTION
Bulgaria should boost efforts to fight bribery
Bulgaria should do more to prevent, report, detect and prosecute foreign bribery cases, according to a new report by the Organisation for Economic Co-operation and Development (OECD) Working Group on Bribery. The OECD recently completed an evaluation of Bulgaria’s enforcement of the anti-bribery convention. Bulgaria should also raise awareness of bribery offences, provide more training and substantially amend and enforce its laws better, argued the OECD. Bulgaria has one conviction for foreign bribery and is involved in an investigation in a second case. web. goo.gl/amrD6

03 DISASTERS
Asia-Pac cats to cost €566m
Cyclone Yasi, the Christchurch earthquake and the Japanese tsunami will produce insurance claims of about €566m, estimated Zurich Financial Services Group. The losses for the five events include the Brisbane floods, Victoria storms and Cyclone Yasi that hit Australia, the Christchurch earthquake in New Zealand and the recent earthquake and tsunami in Japan. The estimate is preliminary, said Zurich. A full loss assessment and the ultimate cost will take time to complete. web. goo.gl/8MJDE

04 ENVIRONMENT
Middle-East water security fears could impact oil prices
Extreme water security risks across the Middle East and North Africa (MENA) may lead to increases in global oil prices and heightened political tensions in the future, a new study suggests. Maplecroft’s study rated the MENA region as having the least secure water supplies in the world, with 15 ‘extreme risk’ countries located in the troubled region. Mauritania, Kuwait, Jordan, Egypt, Israel, Niger, Iraq, Oman, UAE and Syria form the top 10 at risk countries, respectively. Six of the 12 members of the Organisation of the Petroleum Exporting Countries are in the highest risk category, while a further two are rated ‘high risk’. Collectively, these countries produced approximately 45% of all global oil in 2009. A lack of access to water can have a large number of direct and indirect effects and the repercussions can reverberate globally, said Maplecroft. Large quantities of water are needed in the production of oil, so if sufficient water is not available productivity will decrease and operations will be interrupted, which could significantly affect global oil supply and prices. web. goo.gl/fmBSe

05 LEGAL
Bribery Act guidance here
The Ministry of Justice released its final guidance on the Bribery Act, detailing what it considers to be “adequate procedures”, as well as what constitutes hospitality and facilitation payments. The Act could result in an unlimited fine for a firm failing to prevent bribery. The guidance contains some interesting developments since the draft last year, said Ernst & Young’s head of fraud investigation practice, John Smart. “There are six key principles of adequate procedures, consistent with the earlier consultation document, but two of them have been changed.” web. goo.gl/b5IOf

06 EMAIL
Data breach exposes customer info
Attacks on major US email marketing firm, Epsilon, have left customers’ private data exposed. UK retail giant Marks & Spencer, which lost customer data in the breach, released a statement assuring customers that it does “take privacy very seriously” but added that customers should be prepared for spam and phishing attacks. The breach came as part of a much wider attack on the US email company, in which the private data of millions of customers of some of the world’s most recognised companies – including JP Morgan Chase, Hilton Hotels, Citigroup and Capital One – were stolen. web. goo.gl/au08o

07 INTERNATIONAL RISKS
Violence in Syria intensifies
Armed units from Syria’s Presidential Guard and Mukhabarat (military intelligence service) have begun large-scale killings of Sunni protestors, according to political risk analysts. As the crackdown on unrest in Sunni strongholds intensified, credible source reports indicated that soldiers who have refused to shoot civilians have been executed, said Exclusive Analysis in a special incident update. Armed security forces also closed the border with Jordan. The Syrian state media has continually portrayed the uprisings as a foreign-sponsored insurgency, and confirmed that troops searching vehicles on the border have found weapons and ammunition being smuggled into the country in cars. web. goo.gl/m8NzA

08 REPUTATION
Rolls-Royce tops brand poll
Rolls-Royce Aerospace is the most reputable company in the UK, according to the Reputation Institute’s 2011 UK RepTrak Pulse Study. The report, which measures customer perceptions of top UK companies on a ‘pulse’ scale of 0-100, ranked Rolls-Royce top, with a score of 86.89, ahead of Dyson, Alliance, Mothercare and Next. Despite recent controversy – one of their engines exploded mid-air – the company received an extremely high score in the area of products and services, with 93.37.

09 REGULATION
Bank reforms won’t damage competition
The UK’s Independent Commission on Banking (ICB) released a report on the future of Britain’s banks to a mixed response. As predicted, its key suggestion was that big banks’ retail wings should be ring-fenced from their investment operations. The report also recommended that banks hold more core capital – around 10% of their loans. The report failed to suggest a radical division of ‘universal’ banks into independent retail and investment banks, and was criticised for recommending vague and disappointing changes. Pointing to the importance of keeping Britain competitive for business, ICB chairman Sir John Vickers refuted such claims, insisting: “I absolutely reject any notion that we bottled it.” web. goo.gl/ocDCl

10 INSURANCE
Ferma welcomes liberalisation of Brazil’s insurance market
Ferma has welcomed a decision by the Brazilian government to liberalise its insurance market following concerns from risk managers, insurers and brokers. A new resolution will allow insurers to transfer up to 20% of reinsurance treaties to foreign-based companies that are linked or belonging to the same financial conglomerate. But Ferma believes the concession is only a step in the right direction, and is now calling for more measures to liberalise the market. web. goo.gl/KZJ3J

Online Contents
Most read stories: UK guidance for the Bribery Act web. goo.gl/4jBIk; Bribery Act training web. goo.gl/vJzgu; Court ruling could cost banks £4.5bn web. goo.gl/z2Ee9; Tohoku quake could cost insurers £16bn web. goo.gl/mUfYh

2011 StrategicRISK Report Download your PDF of the 2011 StrategicRISK Report, which brings together the views of 30 leading European risk managers. web. goo.gl/NdGTV

Infographic: Cyber crime Notwithstanding the recent wave of politically inspired cyber attacks against and in aid of the WikiLeaks whistleblowing website, financial gain is still the usual motivator for cyber crime. Here’s our graphic explaining how a sophisticated cyber crime ring works. web. goo.gl/6JV1B
RISK INDICATOR [ VISUALISING DATA AND TRENDS ]

HEALTH MANAGEMENT
Running a healthy company Companies are switching on to the benefits of adopting a proactive healthcare risk management plan

As companies become increasingly aware of the economic benefits of a healthy workforce, more and more employers are investing in healthcare risk management plans. Case studies show that health risk management systems have brought significant returns to those companies that have implemented them, and while these may take time to show, the financial benefits of reduced sick leave and absence within a workforce are significant. However, many businesses simply do not account for the impact of absences: a 2010 Investor in People report revealed that only a quarter of UK employers calculated the cost of absence to the business, despite reports that employers spend up to 10% of their annual pay bill managing the direct and indirect fallout of high absence rates. Though it may require short-term outlay, the benefits of improved employee health are, as Dame Carol Black’s 2008 government report suggested, resoundingly clear. While employers will not want to be accused of failure to provide care or, conversely, nannying their staff, getting the balance right can bring long-term dividends, regardless of the size or nature of the firm.

BT case study The telecommunications giant saved £3m in March 2003 alone. By setting up flexible working hours, the company retained 98% of those who took maternity or extended leave, saving in retraining costs.

JAPAN EARTHQUAKE
Fukushima crisis second only to Chernobyl in severity

Japan’s Fukushima nuclear crisis is the second worst of its kind, topped only by the 1986 Chernobyl disaster, says leading nuclear expert Wolfgang Weiss. Weiss, chairman of the UN Scientific Committee on the Effects of Atomic Radiation, said it was “not as dramatic as Chernobyl, but it is certainly much much more serious than in Three Mile Island.” The claim comes a month after the crisis first hit, with the exact consequences still unknown. Weiss noted that “the information we are getting is far from pointing out an accurate picture … measurements are patchy and unclear”. The Japanese authorities began by rating the severity of the incident at level 5 out of a possible 7 – a level previously only ever achieved by Chernobyl. But it was later upgraded to level 7, in recognition that dangerous amounts of radiation had escaped the plant, causing a serious risk to the public. Although nuclear technicians are battling to contain the crisis, the emergence of traces of nuclear material originating from Fukushima as far away as Glasgow suggest the threat is still very real.

FALLOUT FACTS
Financial costs: Chernobyl cost 18bn rubles ($600bn); Fukushima costs are around $50bn; the Three Mile disaster cost around $1bn.
Exclusion zone: 30km Chernobyl; 20km Fukushima; 15km Three Mile.
Sources: The Battle of Chernobyl, Execution Noble and American Scientist

SETTLEMENTS [ US SANCTIONS SETTLEMENTS ]
Top five
1. Credit Suisse – $536m The US Treasury’s Office of Foreign Assets Control settled for a record sum in December 2009 after helping clients to violate sanctions agreements against Iran, Sudan and Cuba.
2. ABN AMRO – $500m ABN admitted systematically violating US sanctions against Iran, Libya, Cuba and the Sudan between 1995 and 2005. It settled in May 2010.
3. Lloyds TSB – $350m Found guilty of violating US trade sanctions against Iran by facilitating customer transactions, Lloyds settled in January 2009.
4. Barclays – $298m Found guilty of breaking trade sanctions against Iran, Cuba, Libya, Myanmar and Sudan, Barclays settled in August 2010.
5. UBS – $100m Over eight years, UBS transferred $4-$5bn to countries under US sanctions and settled in 2004.
Source: various media

THE BIG NUMBER
20km
This is the radius of the exclusion zone around Japan’s Fukushima Daiichi plant that authorities have begun enforcing. The damaged nuclear reactor has continued to emit harmful particles after the earthquake and tsunami caused damage on 11 March. The plant’s operators expect it to be around nine months before they bring the damaged reactors to a cold shut down. Eighty thousand people live in the affected zone. Residents will be allowed to enter to visit their houses, but they will have to wear protective suits and be decontaminated when they leave.

DATABASE
The worst industrial accidents in Europe
Prestige oil spill: £3bn The Prestige spilt 20 million gallons of crude oil into the ocean, damaging thousands of kilometres of Galician coastline around France, Spain and Portugal in November 2002.
Piper Alpha: £1.7bn An explosion and consequent fire on this North Sea oil rig in July 1988 resulted in 167 deaths.
AZF factory disaster: £1.5bn In September 2001, a factory producing ammonium nitrate in Toulouse, France, exploded, killing 29 people and injuring thousands.
Although they are rare, the consequences of industrial disasters can be devastating. Considering the history of industrial disasters and the nature of the industry, most companies can claim strong health and safety records, ensuring that casualties and damage remain at a minimum. Yet, although the accident rate has reduced in recent years, it takes only one incident to irrevocably destroy a company and an industry’s reputation and, along with them, potentially many lives.

OVERHEARD
“Soundbites”
‘Where is the line between being pragmatic and being paranoid?’ Igor Mikhaylov, Mobile Telesystems >> see Headspace page 40
‘The chemical imbalances in your brain that occur if you skip breakfast can affect how you make decisions.’ Adam Greene, Coca-Cola Hellenic >> see Viewpoints pages 15-17
‘The world feels like a smaller place, and threats to supply lines are always a concern because we rely on things being done efficiently and smoothly.’ Chris McGloin, Invensys >> see Risks pages 24-25
NEWS ANALYSIS [ CONTEXT & INSIGHT ]

POLITICAL RISK

Egypt shows us the way forward

Public and investor confidence is growing in Egypt following the arrest of the Mubaraks, a corruption investigation and measures to foster business expansion. But its neighbours face a more troubled future

Inspired by the Jasmine Revolution in Tunisia, a wave of revolutionary fervour has swept across the Middle East and North Africa. Some of these uprisings have proved successful, others have faltered, underscoring the huge dangers of protesting against totalitarian regimes. For countries across the region, Egypt serves as a paragon of hope for stability. Despite important political and social progress, however, economic conditions remain unstable in Egypt. A significant drop in tourism and employment rates, combined with increasing commodity and food price inflation (up 11.5% on last year) threaten further unrest if, as Tunisian finance minister Jaloul Ayed said at the US-Islamic forum, “democracy doesn’t translate soon into well-being”. Yet the tone is one of cautious optimism amongst economists and risk analysts. Beazley’s head of political risk and contingency, Adrian Lewers, told StrategicRISK that Egypt is on a “positive trend line”. “The rate at which Egypt has resolved its situation has been quite astonishing. We must recognise that there will be wobbles along the way, but there are strong prospects for stability and democratic government.”

Climate for investment
Moves towards stability are gathering momentum since the General Authority for Investment (GAFI) chairman Osama Saleh’s announcement of measures to attract foreign investors and encourage domestic business expansion. This follows the announcement of a five-year 500m Egyptian pound (€58m) investment in Egyptian healthcare by GlaxoSmithKline and a proposed review of Egypt’s gas export contracts – intended to raise €1.7bn-€2.25bn in extra revenues. Despite an International Monetary Fund report this week that revealed a contraction of GDP to 1%, the mood in Egypt remains buoyant. With the arrest of Hosni Mubarak and his sons and a wide-reaching corruption investigation, both public and investor confidence is growing. Analyst for political risk consultancy Maplecroft, Anthony Skinner, told StrategicRISK that while investors will take a “wait and see attitude”, the move away from Mubarak’s regime will offer companies “fewer risks of complicity in corrupt government, an improved corporate profile and potentially strong benefits”. An online poll conducted by Egypt’s most popular political website revealed that 75% of Egyptians maintained a ‘cautious optimism’ for their country’s future.

Turbulent outlook for Syria
Yet, while Egypt staggers towards a transparent and democratic future, much of the Arab world can only look on in envy as unrest in Yemen, Bahrain and Syria escalates. In Syria, there are reports of large-scale killings of Sunni protestors by the Presidential Guard and Mukhabarat (military intelligence). While Syria’s president Bashar al-Assad had intended to quadruple foreign investment by 2015 to $55bn (€62m), the violent suppression of Syrian citizens could scare western tourists and businesses away from the region and increase the intensity of uprisings. But international intervention, particularly from the USA, is unlikely. “If the Obama administration puts pressure on Syria, then they are likely to use Hezbollah to pressure Israel along with America’s assets in the Middle East,” said Skinner. “Unlike Gaddafi in Libya, Bashar carries substantial political and economic weight in the Middle East and North Africa region.” If foreign investors pull out of Syria, companies with remaining assets in the country will be faced with a struggle to mitigate increasingly likely losses. “The main risk for companies is physical damage to assets, and all they can really do is to try to protect them,” Lewers said. “There might be insurers willing to discuss terms, but it will be expensive.” As in Yemen and Bahrain, the violent suppression may be intended as a political quick fix, but it will potentially cost Syria billions in lost business and international alienation. SR

Cost of revolution: A drop in tourism could provoke further unrest but analysts are optimistic about future stability

‘The rate at which Egypt has resolved its situation has been quite astonishing. There will be wobbles along the way, but there are strong prospects for stability’ Adrian Lewers, Beazley
NEWS ANALYSIS [ CONTEXT & INSIGHT ]

TECHNOLOGY

Companies lose £21bn a year to cyber crime

While China battles with an internet crime wave that even its government must recognise, data theft is a key concern for European risk managers

Computer crimes (aka cyber risks) are a major concern in China. It’s at the point where an official report from the Chinese authorities (which are not known for their transparency) has stated that cyber crime is growing and is being taken seriously. “Online fraud, online theft and other forms of crime that encroach on the property of others are increasing rapidly,” said the government white paper The Internet in China. “Crimes such as producing and spreading computer viruses, and computer and network hacking are increasing.” But China is not the only country with a serious internet security problem (see Risk Atlas, page 28). A recent report from Detica, commissioned by the UK government, estimated that cyber crime costs the UK economy £27bn (€30.5bn) a year. The lion’s share of this figure (£21bn) is stolen from the private sector. It’s unsurprising that recent research by StrategicRISK, which involved in-depth interviews with 30 leading European risk managers, highlighted cyber crime as one of the interviewees’ biggest concerns. Those companies that rely on the internet to do business are most vulnerable to cyber attacks by criminals, competitors or disenchanted employees. Intellectual property theft or industrial espionage – which Detica says costs UK businesses £9bn a year – is also a big worry for risk managers. “We put a great deal of effort into security, training and communication about information leaks, because much of the value of our business is tied up in knowledge – and it’s not the kind of knowledge you can put patents or copyrights on,” one risk manager told StrategicRISK. Risk managers recognise that data theft is not purely an IT issue. It’s clearly necessary to monitor the people handling the information, including those joining and leaving an organisation. Yet several risk managers admit that their security systems are not up to scratch. As one risk manager puts it: “The biggest possible source of leakage of information walks out of your offices and factories every day – it’s your people.” SR

Web of deceit: China’s internet user population has reached 298 million as computer and network hacking continues to rise

‘Much of the value of our business is tied up in knowledge – and it’s not the kind of knowledge you can put patents or copyrights on’

KNOWLEDGE
Bank fraud on the rise The UK’s National Fraud Authority revealed that online banking fraud increased by £60m (€67.7m) from last year, a rise of 14%. According to the Office of Fair Trading, 39% of those who were scammed did so through money transfers, with 7% losing over £4,000

The Risk Index
‘China is one of the countries suffering most from hacking’ A Chinese government report, The Internet in China, states
142 Chinese public security departments dealt with this many computer crime cases in 1998, according to official sources
48,000 The number of official computer crime cases in China in 2009
18m The number of Chinese computers infected by the Conficker virus every month
42,000 The number of Chinese websites distorted by hackers
Source: The Internet in China, a report by China’s State Council Information Office
NEWS FEATURE [ COVER STORY ]
State of emergency: despite intense efforts to avoid meltdown in the Fukushima plant, Japan had to raise the threat level to seven
12
StrategicRISK [ MAY 2011 ] www.strategic-risk.eu
NUCLEAR RISKS
Braced for impact The natural disaster in Japan has shown just how vital preparation and planning is, but for complete cover, companies and organisations must expect the unexpected
Even for a country famously well prepared for natural disasters, it was the nightmare scenario: at 14:46 on 11 March, a massive, magnitude 9 earthquake barrelled through the seabed off Japan’s north-east coast, creating a tsunami that devastated the coastal zone. Amid the resulting chaos, one question became more and more urgent: what about the nuclear power stations? Despite initial reassurances, within hours a state of emergency was declared at the Fukushima nuclear facility, and suddenly the global media was locked on.
But despite everything that has happened at the Fukushima nuclear complex, there are reasons to be reassured; in many ways the reactors did exactly what they were designed to do. When the quake hit, all the operating reactors ‘tripped’, safely halting the nuclear fission process. But because the fuel continued to produce large amounts of heat, the battle was on to keep it cool and avoid a catastrophic meltdown. This has been far from easy, and a month after the quake, on 12 April, the Japanese authorities raised the threat level to seven – the same status as Chernobyl.
Damage control
Despite the seriousness of the evolving crisis, however, leaks seem to have been minimal, with only the equivalent of 10% of the radioactive material released during the Ukrainian disaster in 1986 being detected in Japan. In fact, because the disaster was so massive and the leaks – at least so far – have had minimal health and environmental impacts, the prominent UK journalist and activist George Monbiot wrote in The Guardian recently that the disaster has convinced him nuclear power is the safest way to combat climate change.
But his response was unusual and the situation is still developing. Initially, by far the most common reaction was panic, with embassies issuing warnings and hundreds of ex-pats fleeing Tokyo. There were reports of private jets being hired by bankers who didn’t care how much they cost, they just wanted out.
“I think a lot of the reaction we saw initially in the aftermath will be reconsidered when the – literal and metaphorical – smoke clears,” Exclusive Analysis risk analyst Alexia Ash says. “We will see what we are seeing already in places like Iran, where they first said they would be reconsidering nuclear power and now seem to be moving forward with it again.
“[In Fukushima] we had a situation where there were six reactors built in the 1970s and they have withstood the most powerful earthquake to hit Japan for decades. That is a reason to argue that nuclear power is safer than we thought, especially if we continue to see no serious health impacts.”
What Fukushima has shown us is that sometimes averting a disaster is not enough. The information war must be won and the gap closed between the public consciousness of real and perceived risk. “People are frightened of anything they can’t see, or that they can’t understand,” Ash says. “One of the problems [at Fukushima] was lack of information. A lot of the people who could have provided information were very busy dealing with the situation at the reactors … If there is a lesson, it is that there really needs to be a dedicated team in place to provide up-to-date information to avoid panic.” Ultimately, though, the new uncertainty around nuclear power may have a longer-term impact on Japan than the problems at the plant.

Looking ahead
According to Exclusive Analysis, Japan’s heavy dependence on nuclear power, its total lack of hydrocarbon resources and the strength of the nuclear lobby all point against a wholesale move away from nuclear power, which may have a knock-on effect on the global price of other fuels. “Although the situation does remain serious at Fukushima, the problems in power generation [created by the nuclear shutdown] could be more of a problem,” Ash says.
But other problems caused by the earthquake have been all too ‘real’. Establishing a 12-mile exclusion zone around Fukushima, along with widespread quake and tsunami damage – over 80,000 buildings have been damaged and nearly 5,000 destroyed – has caused the widespread shutdown of large parts of Japan, something that brings lessons for all risk managers. “This really was a wide-area incident; a huge number of interconnecting aspects of society were affected and that’s something we
need to prepare for,” Airmic chairman John Hurrell says. “In the UK we’ve seen similar, if far less serious, events in recent years and we should take that on board when we look at risk. We’ve had large-scale floods, we had the Buncefield fire and two winters where large parts of the country have been iced out. Who knows what’s on the horizon? There could be a pandemic, more floods.
“The core point to take away is that each time any of these events has occurred, it has exceeded our planning by some order of magnitude. It’s time to think the unthinkable and see where that leaves us.”
Japan is widely considered one of the most well-prepared and methodical societies on Earth, and yet it could not prepare for the unexpected events of 11 March.
“We need to remember that the good data we have about world events is only 100, maybe 200 years old, and that’s nothing in terms of the lifespan of the Earth,” Hurrell says. “How many organisations plan for a situation where it isn’t only their business affected? What we are seeing are situations where everything is out. Japan is revealing just how complex modern supply lines are. A lot of businesses didn’t even know that they had a connection with Japan somewhere down the line until it went down. Very few people are looking at more than three degrees of separation.”
Ultimately, perhaps, businesses need to be robust. “The assumption has been that in many cases everything has to be working perfectly for things to work,” Ash says.
“What happens, say, when your staff can’t get to work because there is no transport?” Hurrell asks. “When the schools are shut and they have to stay at home with their kids? As soon as you widen the circle you’re looking at, things get very complex.
“We also need to ask: how relevant is our insurance? How will it protect us if everything is out? Can it cope? What if everyone else is claiming? What happens when everything is up in the air?” SR

RISK LESSONS
You can always be more prepared
The main lesson from the ongoing situation in Japan is not so much ‘be prepared’, as ‘be more prepared’. All businesses have some contingencies in place to survive upheaval of various kinds. But recently, entirely unpredictable events such as those in Japan have clearly demonstrated that these may not be enough, and shrewd risk managers should be looking again at potential vulnerabilities right across their supply chains, human resources, finance, transport and technology. Nuclear power operators are obsessed with safety and yet at Fukushima emergency cooling pumps and generators repeatedly failed. A fire engine brought in to help ran out of fuel. Ask yourself: are your back-ups enough? In the teeth of a problem, Fukushima has shown that good communication is key, both internally to keep coherence and
focus within the business, and externally to ensure the public has clear, accurate information about what is happening. This has multiple benefits:
• minimising the spread of fear and panic, which can dramatically exacerbate problems;
• enrolling staff and public support in any mitigation strategies; and
• reputation management.
If possible, a dedicated team should be available to manage communications, deal with public and media questions and have the authority and access to get whatever information they need. It is essential this team is present across social media as well, as Japan has shown how sites like Twitter and Facebook were key in disseminating information.
> Q&A Nicola Harvey ............... 18 Christie’s global risk director
Viewpoints
[ PEOPLE ] [ OPINION ] [ COMMUNITY ]
> In my opinion Japan ............. 17 Japan’s earthquake and tsunami and nuclear crisis have had widespread repercussions
PROFILE
Ahead of the pack
Understanding the behaviour of groups making decisions is at the core of the strategy of Coca-Cola Hellenic’s Adam Greene, which he believes every employee can and should put into operation
Adam Greene’s meteoric rise up the risk management career ladder is a combination of hard work and a fondness for challenging conventional wisdom. Just six years after graduating from university he was chief risk officer (CRO) of Thames Water. And since late 2008 he has worked for Coca-Cola Hellenic in Athens as group risk and insurance manager, spending most of his time on business and project risk management.
In his eyes, though, there are a number of things risk managers need to do differently if they want to survive. Paying more attention to the psychological factors that influence risk rather than obsessing over statistical information is paramount, he says. If this does not happen, he thinks the future for risk management looks bleak. “When you look at the professional risk management environment, it is moving down the lines of economic rationality, implying the perfect risk decision option has been identified and is achievable, with measurement and statistics forming a large part of that,” Greene says. “But you find that economic rationality does not adequately describe the everyday rationality used by decision-makers who assess and decide using personal emotions.”
Another danger he foresees is that, as the profession develops increasingly esoteric tools and techniques, the process of risk management is becoming externalised. Instead of every employee managing risk as a matter of course, specialist risk managers are invited to analyse and treat risk. This, Greene argues, removes responsibility from everyone else. “What I try to do is enable decision-makers in our company to make better decisions and understand the influences that they unconsciously carry with them — their biases and heuristics.”
Greene’s interest in the behavioural side of risk management was first inspired in academia. He began his professional career as a project manager with construction company Bovis. “The lifestyle of a project manager was a little hectic and full of stress.
I decided I needed a fresh challenge,” he recalls. In 1999, Greene joined Loughborough University to study for a PhD in risk management, which was sponsored by the Engineering and Physical Sciences Council. “Originally I was employed to build a full project lifecycle map, right the way from conception of a need to disposal of an asset. That really didn’t grab my interest too much so I decided to look at the behavioural side of decision-making.”
Depends what you had for breakfast
His curiosity led him deep into the field of individual and group decision-making. “I started to look at what influences people’s decisions. You can come up with an almost endless list, which includes obscure things like have you had breakfast – because the chemical imbalances in your brain that occur if you skip breakfast can affect how you make decisions – to the colour of the room you’re in or the background noise that you’re experiencing.” “There’s also the more obvious influences, such as whether you are penalised for failure or rewarded for taking risk. That direct motivation can affect decisions and how you perceive your environment.” Decision-making in a group is even more complex, Greene says. And this can have serious consequences for business risk management, where focus groups are widely used as a means of risk identification and assessment. “We say that risk management should occur in a group because a group is naturally better at
making decisions by virtue of there being a range of shared opinions, perceptions and preferences.” While this is true, risk workshop facilitators need to be aware of the range of influences that can affect how a group of people make a decision. “The language of a dominant character within a group can really alter perceptions,” Greene says. “If you walk into a group as the leader and you describe your environment as ‘chaotic’, you set a certain state of mind and perception is driven by that. So the group looks at the situation as chaotic. But if the leader walks in with confidence, then the confidence of the group is emboldened and it will make a different type of decision.”
Performance anxiety
Even more worryingly, Greene notes, individuals who have no experience of the discussion matter tend to make up stories just to be seen as contributing. “There’s usually a lot of pressure in a group to be seen as an active participant and not to be the wallflower — particularly in a work setting.” Groups are prepared to accept higher levels of uncertainty and risk compared with individuals on their own, Greene adds. “One theory for that is the diffusion of responsibility. That’s true, but it’s also the case that the more vocal people in the group tend to be the more positive ones and therefore more likely to take a greater risk. As they are more vocal they pull the group in that direction.”
In 2002, after he finished his PhD, Greene stepped on to the first rung of the risk management career ladder, working for Thames Water as a risk engineer. “I had to quickly realign my thinking,” he says. “At university, especially on a PhD, you have the luxury of a lot of time to do blue-sky thinking. If you apply it verbatim in a non-academic environment you become unstuck. So you have to go through a process of realignment.”
But his PhD did help Greene to look at problems in a different light. “I spent a lot of time working with groups and individuals to understand how they deal with complex decisions. That made me a better facilitator of the decision-making process,” he says. Before leaving Thames in 2008, he was promoted to group level as CRO.
So how does he account for his speedy rise to the top? “Fortune plays a part. You have to be in the right place at the right time. But you do need sponsors. Without someone who is prepared to say, ‘I think this chap is capable of doing more’, you can easily blend into the background. You have to make a name for yourself and establish your credentials. You have to be able to substantiate what you’re saying. Make it clear that you are here to help and that you can contribute something meaningful so that you can support other people. You need to be able to empathise with them too. To show that you care, that you can help and that you add value.”
Greene acknowledges that business risk management needs a structure and a framework. “The organisation needs intelligence in what its operations are facing from a risk perspective. And we need to be able to aggregate and capture, assess and present that in a meaningful way.

PERCEPTIONS
Factors influencing risk decisions
1. The media – The media can increase the sense of threat, and decide what we should be worrying about. Foreign criminals, teenage gangs, and avian flu are treated differently in different news outlets.
2. How risk is explained – The statistical tools used to explain data in scientific journals can influence how it is interpreted, and how the public and media react to it.
3. Personal experience – If an individual has had negative experiences, they are much more likely to expect those things to happen to them again.
4. Entertainment – The success of particular films – like disaster movies – can influence how people perceive the risk of certain activities, such as air travel.
5. How you see the world – How you perceive risk is shaped by your views. For example, a left-wing person is unlikely to view industrial action as a ‘risk’ in the same way as a more right-wing person. A success-driven person will be more afraid of failure than someone more laid-back.

Sue Copeman, EDITOR-IN-CHIEF, STRATEGIC RISK
But in every step of that process, it is about enabling decision-makers to make better decisions for themselves.” So what do risk managers need to do to help people throughout their organisations make better decisions? First, Greene says, they need to understand behavioural influences and develop strong facilitation techniques. “I talk to departments about the decision-making theory, what to look out for in terms of biases and influences, and how to guard against them.”
In the hands of those who use it
“We are in 28 different territories, so I travel a lot. When I arrived at Coca-Cola Hellenic, the business risk assessment consisted of an annual trip to visit each of the territories. Now we have established a more robust business risk management process. Each of the territories has ownership over the process.” Because it’s impractical for Greene to visit every single facility each year, he relies on a network of risk advisers to facilitate risk workshops. “We have a set of defined risk assessment criteria that we use to aggregate risk across the group,” he says. “We ground the process firmly and put it into the hands of the people who use it. The core process remains the same across every region: we identify the objectives, assess the risks and manage them.” Greene applies the same process to project delivery. “We are in the process of moving the business over on to a new technology platform. It’s an enormous and incredibly complex task, which we are delivering very well with no business interruption.” Success is the product not only of a strong risk management process but also of a strong “risk intuition” within his organisation, says Greene. “People are very aware of risk and opportunity, as well as how to deal with it and manage it.” SR
IN MY OPINION
Ripples from Japan spread worldwide
Setbacks in motor and electronics not only damage Japan’s exports but have global knock-on effects
What do construction and mining equipment leader Caterpillar, technological giant Intel and international auto manufacturer General Motors have in common? They’ve all been affected – along with many other companies around the world – by an event that occurred thousands of miles away. Japan’s earthquake, tsunami and potential nuclear crisis have had widespread repercussions for the international business community. Despite the fact that the area directly affected was relatively small in terms of Japan’s industrial output, the knock-on effects have been huge, although it is hoped that they will be short-lived.
The catastrophe highlights that, in the current global economy, the days are over when a disaster in one country only affected surrounding national businesses. A natural catastrophe can have unexpected consequences beyond local property damage, such as transport, power and other infrastructure issues, which reverberate in other national sectors and their global operations and markets.
The immediate effects for companies in Japan have been well publicised. Particularly affected, as much if not more by national fuel shortages and power outages as by the direct damage, are two of Japan’s key sectors, the motor and electronics industries. This has been a major blow in a country whose economy is largely reliant on its exports, and Japanese companies’ European operations and customers are sharing in the fallout. Disrupted national production of vehicles and key components led to a world shortage, resulting in halted or decreased operations worldwide. Motor manufacturers whose operations both in Japan and internationally have been disrupted include Fuji, Honda, Mazda, Nissan, Suzuki and Toyota. The roll-on effect has extended to European vehicle manufacturers that buy parts from Japan, such as Mercedes, Opel, PSA Peugeot Citroën and Volkswagen. An equal if not greater impact has been experienced by the electronics sector.
Reportedly, Japan produces around 40% of the world’s technology components including chips, memory for digital phones, cameras and PCs, glass for flat screens, capacitors and transistors. It’s a formidable list and many of the manufacturers involved are well-established brand names in Europe. They include Canon, Panasonic, Sony and Toshiba. Less well known as brand names but nonetheless highly important in the electronics supply chain are leading chip maker Renesas Electronics and Shin-Etsu Chemical, the world’s leading maker of silicon wafers, used in integrated circuits for electronic devices. In the highly competitive world technology market there are few electronics- based businesses that do not source some products from Japan – and all the companies mentioned above have been affected by the Japanese disaster, with far-reaching results. For example, not only has production from Sony’s plants in Japan been affected by the catastrophe: mobile phone group Sony Ericsson, Sony’s joint venture with the Swedish company Telefonaktiebolaget LM Ericsson, has been forced to consider sourcing alternative supplies outside Japan. SR
IN MY OPINION
Nicola Harvey, CHAIRMAN, AIRMIC AND GROUP DIRECTOR OF RISK, CHRISTIE’S
The gentle art of persuasion
Former broker Nicola Harvey was headhunted to manage risk for a client and moved on to Cable & Wireless and what is now Lloyd’s TSB. Now in her third year at fine art auctioneers Christie’s, she has to market her function in a culture where corporate process takes second place to precious objects
What’s the best thing about working for Christie’s?
The art. I’m not a connoisseur or an expert at all. But I do love the art. It’s a lovely, interesting place to work. Every day, it’s like walking through a museum. And the uniqueness of the industry means it’s a fascinating business.
Could you describe your role and responsibilities?
The role I have is broad. I sit across the insurance and risk financing function as well as the enterprise risk management (ERM) piece. I get heavily involved in operations like security, legal and IT. I also look after compliance. A lot of that is legal and to do with anti-money laundering legislation and making sure we comply with import and export regulations. Due to the nature of our business those are the things that affect us. These days I spend more time on ERM and compliance; but generally it goes in fits and starts. When there’s an insurance renewal, for example, which usually happens towards the end of the year, I get hauled into that. A lot of our risk and compliance issues occur around the time of the Christie’s auction sale seasons.
How sophisticated is your ERM programme?
There are organisations that have properly embedded their risk management, but for many it remains an add-on process that is not completely embedded. Ideally, everybody in an organisation should help to manage risk. A central risk management function can provide support and advice, as well as develop risk processes and monitor compliance. ERM could always be better embedded in most businesses. I think we are quite good at it but there’s still a fair bit of work to do to get that embedded and really part of the everyday business. Our corporate structure is quite unique. The group risk team in Lloyd’s was 90 people. That’s a massive risk infrastructure – people understood it. But generally it’s not like that in other organisations.
What are your biggest risks?
The sort of issues we could face are loss or damage to art and property. We take responsibility for the art while it is consigned to us through the auction process. We move it around a lot of the time on exhibition and sometimes things happen to clients’ property. Theft is a possibility. We have to be sure that the property we are selling is not fake; occasionally we don’t get it right. Fires could also be very costly. We have had one or two losses since I’ve been here but nothing huge. Security is a big issue. We have a lot of former military personnel and police who work for us. They do active risk management on a daily basis – things like physical security, CCTV, guarding the exhibitions, making sure the appropriate precautions are taken in terms of carrying property and moving it between sites, physical fire protection and access control.
One of the biggest challenges for us is that people here aren’t corporately institutionalised. Christie’s is all about the fine art and the history of the art and our clients. Added to that, we are not regulated so it’s difficult to get the attention and traction for risk management.
What skills have been really useful in your career?
Technical skills are always important. But risk managers need to have good communication skills. Having come up through the insurance route, I have noticed that communication skills in the insurance industry are not always that good. Everyone likes to cover their backs by putting as much down on paper as possible. That means it’s quite hard because boards just want to see a summary of the issues. They expect you to do your job. They don’t want a 20-page report to sign off; they want a succinct list of key issues. And they want to know what my recommendation is. Written and verbal communications are really important. Use simple language and don’t over-complicate things.
Who do you report to in your organisation?
I sit within legal and risk so at the moment I report to the general counsel, but we’re in the process of restructuring. I think that’s quite a good home for risk management, because this way it is not seen as a purely insurance function but as a broader function, which is
probably how it should be seen. But I don’t think there’s a right and a wrong answer.
How is your performance measured?
We have annual performance appraisals and regular one-to-one meetings. It is sometimes quite difficult to demonstrate value, though. If you’re doing a good job and managing risk effectively, bad things should not be happening and then you can’t prove a negative. Being a risk manager can be quite an isolating role because lots of people don’t really understand what you do.
Is it easy for you to attract the right risk management talent?
There are lots of insurance people out there. That’s quite easy to access. On the risk side, it’s a lot harder because it’s quite an undefined discipline. If you go out and talk to a recruitment agency about risk managers and risk management, they’ll quite often look at the financial services sector. But that’s quite a different breed. It is not operational risk or ERM in the way we’d think about it. There are not very many agencies that understand what we are looking for.
What do you think your next career move will be?
I could go into this type of role in a bigger organisation. To a degree it’s easy to skip industries. If you can apply your knowledge and learn the business, you should be able to move between industries. But there is another step here for me. I’m not really a true chief risk officer with a seat in the boardroom the way CROs at financial institutions are. That would be the next step for me. It would mean being fundamentally involved in the strategy of the business and involved in key business decisions. The other thing that someone in my role could do is to move out into the business. By that I mean move away from doing a risk role altogether and into a business unit. But it’s not a natural thing for a risk manager to do. I think it’s quite hard to move out into the business and that’s why lots of risk managers don’t do it.
SR [READ MORE ONLINE] Read StrategicRISK’s profile of Hans Læssøe, head of strategic risk for LEGO at goo.gl/DtYWW

Community update
A new Spanish insurance contract law that enforces consumer rights could be good news for risk managers in Spain, according to experts gathered at a meeting in Madrid organised by Spanish risk association IGREA and law firm Hogan Lovells. The Bill, designed to defend the rights of the insured, is expected to be passed in the next few months.
Taking a lead from Ferma, which recently signed a transparency deal with European broker association Bipar, the Czech risk management association Aspar CZ is working on a deal of its own. The risk association is toing and froing with the country’s broker association on adopting a protocol to increase transparency and reduce conflicts of interest.
Poland’s risk management society, Polrisk, held its annual conference in Warsaw on 12 and 13 April. Polrisk president Tomasz Miazek, who is also the insurance manager at Telekomunikacja Polska Group, said that the association is working hard on a range of initiatives designed to raise the standards of risk management in Poland.
HOT ISSUE
Insurance in Latin America
The CEA, Europe’s insurance association, has written to the Argentine Superintendent of Insurance and the Argentine government to express concern about new reinsurance rules. The country’s new resolution, enacted “without proper consultation” on 11 February, effectively prohibits cross-border reinsurance, said the CEA. It means that foreign reinsurers that have not set up an Argentine reinsurance subsidiary or branch will only be able to underwrite risks from Argentinian insurance companies if they hold local capital of at least €3.4m ($5m) (plus additional solvency, depending on the type of business) and get regulatory approval, which will only be granted per policy on a case-by-case basis. The CEA said the new regulation is “highly discriminatory” and will lead to less capacity and higher premiums for Argentine policies. At around the same time, Ferma called for further measures to liberalise the insurance market across the border in Brazil. While Ferma welcomed new moves to liberalise intra-company cessions, it said that overall the current legislation could undermine development in Brazil and suggested that it will increase costs and concentrate risk domestically.
Join risk professionals from across Europe as StrategicRISK reveals the winners of this year’s European Risk Management Awards
BOOK NOW Places are limited. To book your place visit www.strategicrisk.co.uk/awards2011 or contact Katherine Ball on +44 (0)20 7618 3492 | katherine.ball@strategicrisk.co.uk
DATE WEDNESDAY 25 MAY 2011
TIME 12:00PM
NEW VENUE INTERCONTINENTAL LONDON PARK LANE, LONDON W1J 7QY
COST TO ATTEND Single place: £150.00 + VAT Table of 10: £1,400.00 +VAT
Congratulations to our finalists who have been shortlisted for this year’s StrategicRISK European Risk Management Awards
EUROPEAN RISK MANAGER of the year: Annette Schutt Fiig, Novo Nordisk; Colin Campbell, Arcadia Group plc; Elaine Heyworth, Everything Everywhere; Igor V Mikhaylov, Mobile TeleSystems OJSC; John Ludlow, IHG
MOST INNOVATIVE USE OF IT OR OTHER TECHNOLOGY: Aon Benfield Analytics; Financial Information Systems; Lambeth Council; Science for Humanity; Sonae Sierra
EUROPEAN RISK MANAGEMENT TEAM of the year: Arcadia Group Ltd; Dixons Retail plc; Capital Shopping Centres plc; Tesco plc; Tetra Laval plc
ENTERPRISE RISK MANAGEMENT PROGRAMME of the year: Aeroports de Paris; Amlin plc; Hoerbiger Holding AG; SIBUR – ZAO SIBUR Holding; UK Power Networks
BEST RISK COMMUNICATION of the year: Aviva plc; London Borough of Lambeth; SAP; Tesco plc; Zurich Financial Services
BEST RISK TRAINING PROGRAMME: Amlin plc; BBC; SIBUR – ZAO SIBUR Holding; Tesco plc; Yorkshire Water Services Ltd
RISK MANAGEMENT PRODUCT of the year: Capital Shopping Centres plc; Maplecroft; The Royal Bank of Scotland plc; Trimble; Wolters Kluwer Financial Services
THE BEST BUSINESS CONTINUITY APPROACH of the year: Gategroup; London Borough of Newham; Rentokil Initial plc; SAP AG; The Co-operative
BEST RISK MANAGEMENT APPROACH IN THE PUBLIC SECTOR: Ealing Council; London Borough of Lambeth; London Borough of Newham; London Underground (TfL); Woodleigh Outreach Support Service
RISK MANAGEMENT YOUNG ACHIEVER
The S t rategic R I S K E uro p ean R isk M anagem ent Award s 2011 are spons o red b y
of the year Claire Bromley John Wood Group plc Daniel Davies Network Rail Michael Szonyi Zurich Insurance Company Nicolas Vioix Westfield Rachelle Banham Hertfordshire Constabulary
B O O K N OW P L A C E S A R E L I M I T E D
[ THREATS ] [ OPPORTUNITIES ] [ MANAGEMENT ]
RISK SANCTIONS
Breaching the boundaries
Sanctions are in place for social, economic and political protection, but they’re not always obvious and failure to spot them can have serious consequences
Case study
It’s not only the big boys and the banks that get picked up for breaching sanctions. The relatively small UK Weir Group, a Scottish engineering company employing around 9,000 people globally, admitted breaking UN sanctions in its dealings with Iraq during Saddam Hussein’s regime. It breached the Oil-for-Food programme in place at the time by paying kickbacks to the government to secure lucrative contracts. The company was fined £3m for the breach and also had £13.9m of illegal profits confiscated.
“The risk of breaking sanctions is very serious – and there are a lot of countries where sanctions apply. We have to be very careful about who our customers are delivering our products to and make sure that they are selling to reputable companies and not organisations that will sell those products on to others whose customer base may breach sanctions.”
This was one risk manager’s response on being asked to identify key risks for their company in the next year for this year’s StrategicRISK Report (available for download at goo.gl/NdGTV). He believed that the risk of inadvertently breaching sanctions is likely to increase in the next 12 months, particularly in view of the volatile political situation and civil unrest currently arising in a number of countries that have already increased sanctions and are likely to continue to do so. His comments illustrate the difficulty of trying to track end buyers in the customer chain.
Traditionally, banks have been the global watchdog as far as illegal activities such as breach of sanctions and money laundering are concerned. They’ve also tended to be the scapegoats if they turn a blind eye to suspicious transactions – a situation that has concentrated their minds significantly on the problem. Risk intelligence organisation World-Check’s Andrew Yuille says: “Most things go through banks, so they are a fairly good place to catch on to something that should not be going on. But compliance with sanctions has to be far wider than the banking industry.”
“You have to know who is on the sanctions list to check that they’re not a customer that might present an issue – but by the time an organisation or individual has been sanctioned, it’s almost too late. It’s better to have an early warning system so that you can see who is likely to end up on a sanction list and avoid having them as a client to start off with.”
This might sound like a tall order but in fact regular sanction-busters – those who supply goods to sanctioned organisations – often leave discernible footprints. Suspect customers are unlikely to be on an actual sanctions list, but the associates on which they rely are the ones to watch out for. Yuille cites the case of a small US business that had bought pipe bending tools from a Chinese business that turned out to be acting for an Iranian concern. Every time the organisation at that address in China was sanctioned it would change its name, a common trait among sanction-busters which, along with language translation difficulties, can cloud transparency for foreign buyers.
Political minefield: it is difficult for companies to keep abreast of sanctions relating to countries such as North Korea
Another problem is the number of sanctions now in force. In addition to sanctions imposed by the UN and EU, individual countries take their own approach, targeting countries or businesses that may not be on other sanction lists. It can be a minefield for global companies with different production units around the world.
Be alert to suspicions
So what’s the best way for risk managers to get to grips with this problem? Due diligence in respect of both suppliers and customers, in the first instance. Airmic’s technical director Paul Hopkin suggests that risk managers employ the same techniques that they use to ensure an ethical supply chain, and to seek assurances from customers regarding the ongoing destination of products. “There’s a parallel between this and the kind of approach that risk managers take to limit their liability in respect of health and safety,” he says. “For example, component suppliers will specify any constraints on their use to guard against liability claims, so there’s no reason why they shouldn’t also specify constraints on their supply to sanctioned businesses or countries.”
EXPERT VIEW
The UN’s sanctions watch list
Eritrea: Direct or indirect supply, sale or transfer of arms and related material of all types.
Afghanistan: Exportation, supply or delivery of any arms and related material to Osama bin Laden, the Al-Qaeda Organisation, the Taliban and their associates.
Côte d’Ivoire: Import of rough diamonds, except those used solely for scientific research to facilitate the development of technical Ivorian diamond production, provided the research is approved by the Kimberley Process Committee; and supply and delivery of arms and related material, except that supplied for the parties or purposes specified in the relevant UN Security Council Resolutions.
Democratic Republic of the Congo: Supply and delivery of arms or related material, except to parties and under conditions specified in the UN Security Council’s Resolution 1771 (2007).
North Korea: Direct or indirect supply, sale or transfer of all arms and related material as specified in the relevant UN Security Council Resolutions; all items as set out in the lists in the UN documents S/2006/814 and S/2006/815; and exportation of the above items (other than luxury goods) from North Korea.
Iran: Direct or indirect supply, sale or transfer of all items that could contribute to Iran’s uranium-enrichment and reprocessing activities, heavy water activities or technology related to nuclear ballistic missiles set out in relevant sections of Security Council document S/2010/263 and the International Atomic Energy Agency documents INFCIRC/254/Rev. 9/Part 1 and INFCIRC/254/Rev. 7/Part 2, or determined as necessary by the Security Council, the committee or the state.
Iraq: Sale or supply of arms and related material to Iraq, except for those required by the relevant authority stated in the UN Security Council’s Resolution 1483 (2003).
Lebanon: Sale, supply or delivery of arms and related material, except for those authorised by the Government of Lebanon or by the UN Interim Force in Lebanon.
Liberia: Direct or indirect supply, sale or transfer of arms and any related material to all non-governmental entities and individuals operating in the territory of Liberia.
Somalia: Exportation, supply or delivery of any arms and related material, and any goods related to the manufacture or maintenance of weapons.
Sudan: Supply and delivery of arms and related material to any non-governmental entity or individual, except for the parties or purposes specified in the UN Security Council’s Resolution 1591 (2005).
Companies and their employees, particularly in the financial industries, shouldn’t turn a blind eye to something suspicious, as this could implicate them in what’s gone on, says Yuille. So risk managers should encourage whistleblowing. Yet history shows that whistleblowers tend to be very badly treated by their employers, so work needs to be done to encourage people. When Wachovia bank employee Martin Woods suspected wrongdoing on the part of his employer, his report to them was dismissed as “defensive and undeserved”. He told StrategicRISK that he underwent a sustained campaign of harassment, bullying and fabricated disciplinary proceedings before his allegations were proven well-founded. He now advises companies and individuals on all aspects of financial crime including sanction breaches.
A final word of warning. The USA has introduced a number of sanctions against countries – for example, the Comprehensive Iran Sanctions, Accountability, and Divestment Act (CISADA). There’s a possibility that such legislation could catch external companies that have a footprint in the USA in the same way as the US Foreign Corrupt Practices Act. SR
RISK FINANCING CATASTROPHES
Categorising catastrophes
With catastrophic occurrences seemingly on the rise, it’s important that risk managers understand such scenarios and the cover they require
Floods in Queensland, a major earthquake in Christchurch and the Japanese earthquake and tsunami have meant a tumultuous start to 2011, testing the fortitude of affected populations and businesses, from mining operations in Queensland to nuclear facilities in north-eastern Japan. They have underlined the importance of having the right protection in place and put business continuity plans to the test. Managing catastrophe risk is one of the biggest challenges facing many multinational organisations. Identifying the safest location for your business is fraught with uncertainty, while inferior construction and unreliable infrastructure can increase vulnerabilities. Catastrophe risk financing is one way of protecting multinational firms against major losses following a catastrophe.
Even if a business is lucky enough to escape the worst catastrophes, in today’s globalised world it can be indirectly impacted, explains Invensys vice-president of risk Chris McGloin. “What organisations like Invensys have got to do is understand where their risks are: not just how your own locations can be disrupted, but the supply chain and the extent of the supply chain.” He cites the 2010 eruptions of Iceland’s Eyjafjallajökull volcano, which grounded flights across much of Europe, and the Queensland floods, which triggered a drop in the global coal supply, as events which disrupted the flow of goods. “Threats to supply lines are always a concern because we do rely on things being done efficiently and smoothly.”
Cost of catastrophes (source: official sources)
$235bn – the World Bank’s estimate of what the 11 March Japanese earthquake and tsunami may cost the country’s economy (4% of GDP)
$12bn – February’s New Zealand earthquake, according to Swiss Re
$5.58bn – recent flooding in Australia, according to prime minister Julia Gillard
Learning lessons
In the Bowen Basin – home to Queensland’s coal mining industry – several operators declared ‘force majeure’ on their mining contracts, relieving them of their obligation to deliver to customers. Up to 50 of the state’s 57 mines were affected. While many were back up and running shortly after the floods, flooded pits and damage to key infrastructure and ports delayed recovery times for others, bringing exports to a halt. Floods, wildfires and tropical storms are not unusual in Australia. Neither are earthquakes in New Zealand and Japan. What has come as something of a surprise is the aggregation of these events – each of them significant insurance events – affecting highly populated and industrialised areas. The size of Japan’s magnitude 9 quake and resulting tsunami is also highly significant, McGloin says. “Natural catastrophes are an inevitable feature of the global risk landscape and most countries have experienced major events at some point in their history. The important thing is to learn the lessons and to be prepared to take actions to address those risks that are considered to be too great. Insurance can be very important to provide businesses with access to capital to recover from such events.” The large gap between insurance loss estimates in Japan of between $20bn (€13.6bn) and $45bn and economic loss estimates of up to $300bn should make businesses wary, particularly as such a gap could occur in a developed nation with well-understood catastrophe exposures. While the Japanese government will assume a proportion of the losses, many are not covered.
Solid financial foundations
Selecting the right insurance partner is of primary importance when looking to manage the risk from earthquakes, windstorms, floods and man-made catastrophes such as terrorism. While hazards in the USA, Europe and Japan are well modelled and understood, understanding in other regions is less sophisticated. International insurers and brokers can share information on how to best mitigate exposures in a given location. First and foremost, an insurer needs a solid financial strength rating, McGloin thinks. “You want to make sure you buy your cover from someone with the right sort of security rating or resources. A lot of the international carriers – if they’ve got broader spread and bigger resources – are better placed to provide that.”
While many will hope to be covered for losses as a result of property damage and business interruption, the claims story has not always been straightforward. In Queensland, some carriers provided full riverine flood and others only flash flood. There is also confusion over the number of events and length of each event (with reinsurance contracts typically limiting one event to 72 hours). The picture is likely to be equally confusing in Japan, McGloin says, providing an important learning opportunity for multinationals in hazard zones. “If you look at an earthquake, a tsunami and radiation – three different triggers – the same questions will arise. You need good engagement with the underwriters and the brokers to make sure these sorts of scenarios are understood, and that the buyer and provider have an understanding of what the cover is really going to give.”
Business interruption has been a key attribute of the magnitude 6.3 earthquake that rocked Christchurch on 22 February. Firms in the central business district have been forced to move to temporary premises. In such circumstances, the ability to access capital for business continuity is of more immediate value than a traditional indemnity product, thinks Marsh New Zealand’s country head, Grant Milne. “Some businesses are still waiting for an assessor to look at their property. So no money is coming in and they can’t get their business back up and running. Some insurers are offering payments to assist with payroll and payment of bills, but the full policy payout might be some time away.” He thinks there is inevitably an uninsured exposure for businesses affected by major catastrophes. “The biggest issue that exists, and that has been a discussion point from the last earthquake [the magnitude 7.1 Canterbury earthquake in September 2010] is very much around the depopulation scenario where people just leave the area so there’s less demand for businesses’ goods or services, and that’s an uninsurable risk.” SR
WILL CAT COSTS RISE?
The question on many risk managers’ lips at present is: is Japan a market-turning event? In the international catastrophe insurance market, prices softened over the past six years. With Japan likely to prove the most expensive insurance loss outside the USA on record, could this push up premiums? Invensys’s McGloin says his recent discussions with insurers and brokers suggest it’s too early to say because “even given the terrible extent of the catastrophe, it’s not clear how much of that is insured”. All eyes were on the 1 April Japanese reinsurance renewals to see if carriers would respond. According to reinsurance broker Guy Carpenter, companies renewed unchanged capacity for earthquake pro rata treaties. However, for earthquake excess of loss covers renewal rates climbed by 15%-50% and windstorm cat XL rates grew by 3%-10%. The US market has also shown some signs of being in transition, with pricing flat or up slightly compared with decreases at the 1 January renewals. “While the impact first-quarter losses will have on dedicated reinsurance sector capital for the full year remains to be seen, many reinsurers’ 2011 natural catastrophe budgets have been exhausted, and a portion of the sector’s excess capital has been absorbed,” says Guy Carpenter & Company’s global head of business intelligence, David Flandro. Many experts predict the market will respond with localised increases in catastrophe rates, similar to the spikes witnessed in Chile and in the energy sector last year in the aftermath of the earthquake and Deepwater Horizon disaster.
Chart: Insured catastrophe losses and number of events, 1970-2010 (weather-related nat cats, earthquake/tsunami, man-made disasters, total; losses plotted on a scale from 0 to $120bn). Labelled events: Hurricane Andrew, Northridge earthquake, Winterstorm Lothar, attack on World Trade Center, Hurricanes Ivan & Charley, Hurricane Katrina, Hurricanes Ike & Gustav. Source: Willis Re
Trouble round every corner
At a time of heightened global turmoil, we asked Europe’s leading risk managers what they think will most affect their businesses
From the protests in the Middle East to the rise of cyber crime and the continuing trials and tribulations of Western economies, these are nothing if not interesting times. StrategicRISK, in association with Marsh Risk Consulting, has released a report analysing European companies’ risks in five categories: economic, environmental, geopolitical, societal and technological. The report summarises the comments of 30 leading risk management professionals in European companies. While their views varied somewhat, reflecting different sectoral concerns, the single issue that all voiced was the interconnectivity of risk and its unpredictability. One example of this is last year’s ash cloud resulting from the Icelandic volcano eruption. Even companies that did not have suppliers in Iceland, and perhaps felt they had little or no exposure to natural catastrophes, did suffer disruption in deliveries. As one risk manager said: “There seems to be an increase in one risk triggering another – and that’s a risk in itself.” Another risk manager foresaw problems arising from the Australian floods. His firm has no direct suppliers in Australia, but the country does supply raw materials to some of its producers and the floods may well affect the availability of these. Interconnectivity is probably most apparent in the economic risk category. The ‘butterfly effect’ – that is, a small change in one place in a complex system that can have large effects elsewhere – has never been more apparent than in today’s globalised system. The financial markets are particularly interdependent.
A question of timing
Research for this report was undertaken in the first three months of 2011. It was a period when unforeseen political turmoil in some countries was at the forefront of everyone’s minds so, not surprisingly, geopolitical risks shared first place with economic risks in European companies’ concerns. However, if comment had been sought six months earlier, it seems likely that the recession would have headed the list. Similarly, research was just coming to a close when the Japanese earthquake and tsunami struck. Would risk managers have rated the impact of natural catastrophes higher in the risk league if the research had been concluded a month later? It is natural for commentators to react more strongly to the issues of the moment. With this in mind, it is interesting to see that terrorism and pandemics were not among the top five risks – although governments and health organisations would probably rate them higher.
It is clear that companies need to address the effects rather than the unpredictable and often uncontrollable causes of risk. For example, risk management of supply chain disruption – a major risk for most firms – needs to be robust, whatever causes the disruption. Companies need to be able to repatriate employees quickly and safely, regardless of where problems arise. How has today’s risk environment affected the role of risk managers? Some of our commentators volunteered views. “The good news for risk management is that its relative importance in the eyes of the board has increased,” was one comment. Another respondent stressed that risk managers cannot afford to operate in silos. “We have to help our business managers think more about what the knock-on effect might be of their decisions, how things may happen in conjunction with other risks the company may be running, and the ultimate major impact that might result – without getting in the way of the company’s ability to do business.” SR
Global risk register
Infographic: word cloud of the risks named by respondents, grouped into economic, environmental, geopolitical, societal and technology risks. Legible entries include: continuing recession, recession recovery problems, slow US recovery, inflation, increased competition, restrictive regulations, protectionism, exchange rates, commodity prices, higher risk transfer costs, political turmoil, war, breaching sanctions, terrorism, crime and corruption, governance failures, keeping pace with technological change, malicious hacking, data theft and leakage, fraud.
Top 10 risks
1 Economic recession
2 Political turmoil
3 Climate change
4 Data theft and leakage
5 Regulation
6 Security of IT systems
7 Energy and commodity prices
8 Crime and corruption
9 Exchange rates
10 Civil unrest
Chart: Cyber crime costs the UK economy £27bn per year (legible segments: IP theft £9bn, business espionage £7bn, extortion £2bn, online theft £1.5bn).
Chart: Public debt as a percentage of GDP (legible values: Japan 225%, Portugal 83%, UK 76%, Spain 63%, China 17%, Russia 9%).
SOCIETAL The perceived behaviour of a business and its senior executives can make it the focus of attention for demonstrators and adverse internet comments. “Our security people are starting to think about social networking – instant messaging and the like,” said one risk manager.
ENVIRONMENTAL Most European businesses are concerned about the apparently increasing frequency and severity of extreme weather events. Most large companies consider their own organisations to be adequately protected, but perceive vulnerabilities in their supply chains that could disrupt business.
PUBLIC DEBT In European countries with very high public debt, some companies regard higher interest rates and taxation as inevitable. They are concerned that this, coupled with continuing recession, will impede their ability to invest and grow in these areas.
CYBER CRIME Cyber crime heads the list of technological concerns. The main loser from cyber crime is business, according to a Detica report for the UK government. UK business loses an estimated £21bn per year as a result of intellectual property theft and damage, said the report.
[READ MORE ONLINE] For more information on global risks, download StrategicRISK’s 2011 Risk Report at www.strategic-risk.eu or goo.gl/NdGTV
RISK ATLAS CYBER CRIME
Hacking into insecurities
Cyber crime is becoming increasingly sophisticated, and increasingly malicious
On 2 November 1988, 22-year-old Cornell University student Robert Morris released an internet worm capable of exploiting vulnerabilities in UNIX operating systems, infecting an estimated 10% of the internet. Over 20 years on, the scale of computer crime has grown astronomically. Internet attacks today are organised and designed to steal information from consumers and corporations. The scale of global cyber criminal operations has reached such proportions that internet security firm Sophos discovers one new infected webpage every 4.5 seconds – 24 hours a day, 365 days a year. In addition, Sophos is sent some 20,000 new samples of suspect code every single day. The USA, China and Russia account for almost three-quarters of the world’s websites that spread malware, according to research by Sophos. The US tops the chart, with just under three in every eight infected webpages based there. China, which was responsible for hosting more than half (51.4%) of all the world’s malware in 2007, has now almost halved its contribution to the problem. The Czech Republic is a new entrant on the list and hosts over 1% of all the world’s malware. Poland, France, Canada and the Netherlands were in positions six, eight, nine and 10, respectively, in 2007, but now have too few malicious websites to appear on the chart.
No one is immune
A number of well-known organisations have fallen foul of malware, including thousands of websites belonging to Fortune 500 companies and government agencies, which were infected in January 2008. Infection was traditionally done through emails, but cyber criminals now primarily use the web to infect computers, often driven by political motivations. Immediately before releasing a series of leaked diplomatic cables, Sweden-based WikiLeaks (the whistleblowing website) suffered several distributed denial of service (DDoS) attacks, which succeeded in putting the website temporarily offline. In an apparent act of revenge, sites that had refused to support WikiLeaks were targeted in return, with Mastercard briefly being forced offline and Amazon also targeted. The ‘hacktivist’ group Anonymous, which had previously mostly confined its actions to anti-piracy organisations and the Church of Scientology, was widely believed to have had a hand in these attacks, dubbed ‘Operation Payback’. SR
Top malware hosting countries
Rank  Country         Share
1     USA             37%
2     China           27.7%
3     Russia          9.1%
4     Germany         2.3%
5     South Korea     2.1%
6     Ukraine         1.8%
7     UK              1.7%
8     Turkey          1.5%
9     Czech Republic  1.3%
10    Thailand        1.2%
Iran In October 2010, a computer virus called Stuxnet disrupted nuclear facilities in Iran. Stuxnet represented a significant leap forward in malware in that it specifically attacked software used in industrial infrastructure. There are rumours that Stuxnet may have also caused the failure of India’s INSAT-4B satellite in July 2010.
Belgium In May 2008, Belgium accused the Chinese government of cyber-espionage, claiming that hacking attacks against the Belgian government had originated in China. Separately, Belgian minister of foreign affairs Steven Vanackere said that his ministry had been the subject of cyber-espionage by Chinese agents.
Georgia As tensions rose over South Ossetia in August 2008, Russian and Georgian hackers launched attacks against each other. This included distributed denial of service attacks and the defacement of the Georgian Ministry of Foreign Affairs website using pictures of Georgian president Mikheil Saakashvili and Adolf Hitler.
South Korea In September 2008, Seoul accused its adversary North Korea of stealing documents from military officers using spyware and a female agent. The spyware attack saw malicious email attachments designed to steal documents from infected computers.
India Government officials in New Delhi were said to have confirmed that Chinese hackers targeted the Ministry of External Affairs and the National Informatics Centre, which provides the network backbone for central and state government. The unnamed officials claimed that this was China’s way of gaining “an asymmetrical advantage” over a potential adversary.
Where internet criminals reside
Rank  Country    Share
1     USA        65.9%
2     UK         10.4%
3     Nigeria    5.8%
4     China      3.1%
5     Canada     2.4%
6     Malaysia   1%
7     Spain      1%
8     Ghana      1%
9     Cameroon   1%
10    Australia  1%
NB: Figures from US-based organisations
Source: Various media and Sophos 2009 Security Threat Report
Map key: More than 30%; 21%-30%; 9%-20%; 1%-8%; Less than 1%
EXPERT VIEW
No certain safety
Evelyn Rieger is a senior underwriter at Allianz
IT networks are essential to company management on all levels, including, for example, R&D, production, purchasing and sales of goods, and provision of services. Processes, performance and results of a company therefore heavily depend on reliable IT systems, and any disruption of those systems can have a major impact. IT risks such as malicious code attacks, user errors, wrong command input, and non-availability of systems can result in significant additional expenditures and even business interruption (BI). Today, corporations use electronic data exchange for communication – internally and externally – so what happens if a company causes damage to another during this process?
Far too often, these scenarios are underestimated and companies deem themselves secure by the use of firewalls and data back-ups, but total security is not achievable. Why is that? Data is invisible, and so are data claims at first. We all know the pictures of collapsed bridges and flooded landscapes – but the loss of data doesn’t conjure up any images at all. Attainable security is limited and needs to be supported by prudent risk management. However, management, mitigation and avoidance of risk also raise the question of how to handle the remaining risk; whether this is borne by the company itself or whether it is transferred to a third party – the insurer – to protect the company’s balance sheet.
Therefore both corporations and insurers are faced with the question of insurability of IT risks. Traditional insurance pays for lost profit and standing charges as well as additional costs following property damage. However, in many cases, BI and additional costs caused by IT faults occur without property damage (human error, misconduct, cyber crime, malicious code). Protection against such scenarios is becoming increasingly important.
Source: Internet Crime Complaint Centre and Sophos
Governance
[ ETHICS ] [ COMPLIANCE ] [ REPORTING ]
Fish kill: the cause of this incident in Louisiana has not yet been determined, but the area the fish were discovered in was impacted by the BP oil spill
ENVIRONMENTAL LIABILITY
Taking responsibility
The Environmental Liability Directive is creating waves throughout Europe, but some have concerns that its ethos remains misunderstood
When it comes to environmental liability, there is a tendency to focus too much attention purely on the Environmental Liability Directive (ELD). “It is important to look at other environmental laws as well,” says ACE’s UK environmental practice leader, Wayne Harrington. While the ELD has provided a lot of regulatory clarity, the UK, for example, already had a well-established tradition of environmental regulation before the ELD came along. In other parts of Europe, however, the ELD has introduced a new set of regulations altogether. What the ELD does do well is focus a lot more attention on the consequences of environmental damage, says Harrington. It is a recognition that perhaps the traditional laws did not go far enough. Environmental claimants no longer have to prove fault or negligence. Instead, the new regime is based on strict liability, so it is easier for stakeholders and the public to hold polluters accountable. Furthermore, the ELD introduces new legal concepts for environmental damage, including compensatory and complementary remediation.
www.strategic-risk.eu [ MAY 2011 ] StrategicRISK
31
»
Inset illustrations: Jonathan Edwards
GOVERNANCE [ ETHICS ][ COMPLIANCE ][ REPORTING ]
UK
The ELD has added a substantial layer of liability. Previously, people were only concerned with traditional remediation costs, such as removal of pollution; now complimentary and compensatory remediation costs can be levied as well.
GERMANY
Environmental law is mostly governed by federal acts. But administering and enforcing the law is le to the 16 states. It is one of the hardest markets to find environmental insurance in due t this patchwork of regulation.
FRANCE
France transposed the ELD in August 2008, but there is no legal obligation to buy financial security against environmental risks. Companies are realising that their exposure and therefore their insurance needs have increased, says ACE continental Europe manager of environmental risk Dorothée Prunier.
SPAIN AND PORTUGAL
A dam breach at the Boliden mine near Seville in 1998 led to one of the country’s worst environmental incidents. It has since adopted the most stringent approach to the implementation of the ELD. Portugal introduced mandatory financial protection against environmental risks in January 2010.
»
32
However, there is some confusion about how these potentially subjective concepts will be defined in reality. And how much they are likely to cost. For example, a pollution incident could fundamentally damage the environment but it may not be hugely expensive to put right. On the other hand, how does one put a price on the extinction of a species or the destruction of a natural habitat altogether? The risks posed by a company to the environment may be the same wherever it has operations but the consequences of pollution are different depending on the jurisdiction – enforcement is in the hands of the local environmental authority, which means there are huge differences between each member state (see map above). Every place in Europe has legal nuances or types of legal defences that are either permitted or not. So far there have not been many cases to provide clarification of these matters. Resourcing is another issue that regulators are struggling with. As public bodies reduce staff numbers, it is difficult for them to enforce rules as strongly as before. There could also be trepidation from governments to enforce environmental rules too strictly because of the tough economic climate. As witnessed
StrategicRISK [ MAY 2011 ] www.strategic-risk.eu
in Hungary recently with the toxic sludge spill, governments don’t wish to put a company out of business.
Protect yourself Fortunately, companies are more aware of their environmental responsibilities than ever before. But the trend in the corporate sector towards behaving more ethically and responsibly is slow. “While companies may be more aware of environmental risk, they remain confused over the consequences,” says Harrington. “It is difficult for companies to understand clearly what the regulators will do if they are caught polluting. Or they may not be aware of what to do if they are caught or how to protect themselves financially against those consequences. Companies that pose a risk to the environment should be cash reserving adequately.” A lot of companies cannot afford to assess their environmental risks, let alone pay a premium to transfer it. Others choose not to. In Scandinavia, the corporate insurance manager for truck, bus and engine maker, Scania, decided to seek an alternative form of insurance protection. “We don’t buy a specific environmental insurance policy,” says Martin Sijmons. “We prefer to extend the coverage of our
SCANDINAVIA
Not all companies choose to buy a specific environmental insurance policy. “We would like to prevent rather than insure,” says Swedish truck maker Scania’s corporate insurance manager Martin Sijmons. He doesn’t think the products exist for his company’s requirements. “We have to buy environmental cover in some markets, like Spain. But the ELD has not had much of an impact in Sweden.”
SPOTLIGHT
Mandatory insurance for Europe?
o
EASTERN EUROPE
Environmental liability in Eastern Europe is “a bit of a mess”, says chair of the environmental working group for Ferma Pierre Sonigo. Insurers aren’t touching the risks there, he says, because there are a host of facilities with poor safety records and environmental problems. But it is a concern that is likely to receive renewed attention following the toxic spill in Hungary on 4 October 2010.
‘While companies may be more aware of environmental risk they remain confused over the consequences’ Wayne Harrington ACE
[READ MORE ONLINE] For more information on environmental liability, download StrategicRISK’s 2011 Environmental Liability Guide at www. strategic-risk.eu or goo.gl/UX0vA
general liability policy to include sudden and accidental pollution.” He says the emphasis is on risk avoidance rather than risk transfer.
New prominence The goal for the insurance industry is to eventually see environmental insurance viewed in the same league as other major classes, such as property or directors’ and officers’ (D&O) insurance. Harrington hopes it will become a major new class of insurance but he knows this will take time. Risk managers need to be aware of their risks and the potential consequences that can occur if something goes wrong. Large corporates have picked up the issues quicker than most, but some don’t have a choice in the matter as they are subject to financial reporting requirements that dictate they have to disclose their environmental risks. Others have a less impressive stance. But, in the current economic climate companies may be unable to pay if the consequences of environmental pollution are severe. For these businesses, preparing appropriately in advance could be the difference between life and death. SR
Following the Hungarian toxic sludge disaster and the Deepwater Horizon Gulf oil spill, the European Commission has been encouraged to reconsider its position on mandatory insurance protection for environmental liabilities. The Commission is currently considering a EU-wide compulsory scheme for all oil companies. As it stands, financial protection is compulsory in only European countries. Ferma, representing the interest of risk managers in Europe, is against the idea and any type of mandatory insurance for large risks. “We do not think there should be mandatory insurance,” says chairman of Ferma’s environmental liability working group, Pierre Sonigo. “We feel there are sufficient solutions for the oil industry in the commercial insurance market, so there is no need to make it mandatory. As a principle, we are against mandatory insurance, because we think this increases prices and removes competition. Other options, such as self-insurance, disappear for risk managers if the government imposes mandatory insurance protection, says Sonigo. “The EU wants to add security by creating guaranteed security schemes to pay for environmental damage, because it is the government that ultimately will have to pay. But this is not the way to do it.”
www.strategic-risk.eu [ MAY 2011 ] StrategicRISK
33
Panos Pictures
GOVERNANCE [ ETHICS ][ COMPLIANCE ][ REPORTING ]
BRIBERY

It could be you …
The Bribery Act, coming into force in July, widens the definition of bribery and holds directors responsible for failing to prevent it, even when it takes place abroad. Don’t get caught out

Key points
01: The Bribery Act makes directors accountable for commercial failure to prevent bribery
02: Facilitation payments are prohibited, as is using an intermediary to pay bribes
03: Penalties for individuals failing to prevent bribery are imprisonment or a fine, and companies can receive an unlimited fine
04: Corruption is known to be prevalent in the emerging markets of Russia, China and India

TOM WILSON, THE CHIEF EXECUTIVE OF A HEALTH equipment supplier, is attending a board meeting in the City when police arrest him. He is relieved to hear the charge: they are trying to pin liability on him for the actions of a company agent in Mozambique. This agent has paid financial gifts to Mozambican customs officials to smooth deliveries of the firm’s equipment through the notoriously sluggish warehouses of Maputo. Wilson says: “What does it concern me that an agent paid a bribe to an official somewhere I have never been, and in a place where these kinds of payments are made all the time by companies trying to keep ahead of the game?”

But he and countless other directors will have to think again, because such an arrest will become a real concern after the beginning of July 2011, when the UK Bribery Act comes into force. The act is significant for company directors because they can be held accountable for management lapses amounting to ‘commercial failure to prevent bribery’. One of a series of international laws designed to combat cross-border corruption, the new act follows in the wake of the 1977 US Foreign Corrupt Practices Act (FCPA), which makes it possible to prosecute companies in the US courts for paying bribes to foreign officials, even if the offence took place abroad.

A tough act to follow
Enforcement of the FCPA is tough, as Paris-based telecoms firm Alcatel-Lucent found this year when it paid $45m (€31.2m) to the Securities and Exchange Commission (SEC) and $92m to the US Department of Justice to settle charges that it bribed foreign government officials to win contracts in Latin America and Asia. The Bribery Act will catch situations where someone ‘offers, promises or gives a financial or other advantage to another person’ with a view to inducing them to ‘perform improperly a relevant function or duty’. Obvious examples in a business context include payments to government officials to obtain contracts, or to secure a reduction in customs or tax duty. The new law covers payments to both public officials and representatives of private companies in the UK and abroad. The inclusion of private sector bribe recipients means that it goes further than the FCPA, which only covers bribes to foreign officials. Bribes may be paid both directly and indirectly, for example through a company’s agents and commercial representatives. This is an essential principle that is also in the FCPA, and it is important because most foreign bribery cases involve payments made through intermediaries.

In the past, it was commonplace for companies to avoid blame for bribes paid by their agents using part of their commissions. The UK authorities were already trying to put an end to the practice. In September 2009, engineering company Mabey & Johnson was fined €6.6m for bribes paid through commercial agents in Ghana and Jamaica. This case was brought under the old corruption rules in the UK, so prosecutors are likely to make the most of their new powers, since the new law specifically outlaws such third-party payments. It also prohibits ‘facilitation payments’, small payments to officials to speed up routine actions such as customs clearances, which are not illegal under the FCPA; so smaller as well as larger payments will now count as bribes. Applying to companies incorporated in any part of the UK, the offence of failure of commercial organisations to prevent bribery applies whether the company’s acts or omissions take place in the UK or elsewhere, giving the UK very wide jurisdiction. The penalties for individuals include a fine or imprisonment or both; the potential penalty for a company convicted of bribery, or of failure to prevent bribery, is an unlimited fine.

But the act protects companies that have taken risk assessment and compliance seriously. Failure of compliance systems has long been the target of anti-bribery rules. SEC director of enforcement Robert Khuzami said of the Alcatel case that “it was the product of a lax corporate control environment at the company”. There is a defence in the new law for companies that have ‘adequate procedures’ to prevent bribery. If an individual employee pays a bribe, such companies will be able to argue that this was a personal aberration, and not the result of a systemic failure. What exactly constitutes ‘adequate procedures’ to prevent bribery is not defined by the act, but new guidance has been issued by the Ministry of Justice. Ernst & Young consultant John Smart says: “The tone of the document will be a welcome relief for some as it advocates proportionality and reasonableness in its guidance in parts of the act rather than strict interpretations and enforcement.”

All corners of the globe
Certainly those companies implementing a management plan along the lines recommended (see the practical guide box) will be well prepared for the act. One of the biggest challenges facing companies will be assessing each territory where they operate. As our map of indicative risk across the world shows, the 10 most corrupt countries, including Nigeria and the Democratic Republic of Congo, come as little surprise. But there remains an extreme and high risk of corruption across most of the globe. This includes the world’s fastest-growing developing countries: Brazil, China and India, jurisdictions ambitious companies cannot ignore. The Chinese government has made efforts to tackle the problem, pursuing a concerted anti-corruption drive. However, corruption is prevalent in activities linked to government agencies such as public procurement, where the potential for gain is often the greatest. High-risk sectors include construction, natural resources, banking and finance, and healthcare. Maplecroft chief executive Professor Alyson Warhurst says: “Monitoring corruption risks and government enforcement in supply chains, as well as ensuring compliance and preventative mechanisms are in place within one’s own operations, would seem prudent.” SR

Nigeria: ambitious companies must be alert to the corruption that continues to grow in their target countries

PRACTICAL GUIDE
How to manage bribery
1. Ensure senior management articulate their personal commitment to high standards of business integrity.
2. Back this up with effective training and communication at every level of the business.
3. Compliance programmes that look good but are not backed up in practice will count against the company if it ever comes under investigation.
4. Risk assess each territory where the company operates.
5. Specific transactions, for example negotiating for planning permission or importing expensive technical equipment, should also be individually risk assessed.
6. Subject new business contacts, prospective joint venture partners or commercial agents to rigorous integrity due diligence.
7. Split gifts and hospitality into three categories: generally acceptable (pens and mugs), acceptable subject to senior management approval (corporate entertainment), and never acceptable (bribes).
8. The act does not apply retrospectively and it may be some time before the first cases are brought. Monitor any developments as it beds down to ensure good practice is up to date.

[READ MORE ONLINE] Download the Bribery Act guidance at www.strategic-risk.eu or goo.gl/rGpor
Theory & Practice RISK MANAGEMENT

The building blocks of risk
Success breeds success, so the saying goes. But successful companies can also breed behaviour that creates risk to the business. And if it goes unchecked, such behaviour can lead to spectacular failure

TAKE A SNAPSHOT OF SUCCESS, fast forward a few years, and you discover how ephemeral it can be. On the 10th anniversary of the publication of Built to Last, for example, seven of the 18 companies selected by Jim Collins and Jerry Porras as exemplars of their principles either no longer existed or had experienced a major failure. Success, while better than failure, creates its own risks. Some of those risks are based on the inevitable failure of successful companies to scale their risk management processes and systems to cope with a bigger and broader business. Many, though, stem from the response of employees, managers and investors to success. Here is a small selection of those risky behaviours.

1 DELIVERING THE NUMBERS BECOMES THE STRATEGY
Success creates inflated expectations of quarterly sales numbers. “Organisations become so focused on meeting next quarter’s earnings-per-share targets that manipulation is going on,” says Dean Kreymeyer, executive director of the Institute for Corporate Ethics. WorldCom is the best example. When internal auditor Cynthia Cooper questioned the numbers, management warned her to “stay away” from her investigation. She worked secretly to expose the financial engineering that departmental heads were incentivised to put in place to make their numbers. For example, $771m of unused network was reallocated as “construction in progress”. When one departmental head refused to change his reported numbers to the satisfaction of his manager, general accounting did it for him, behind his back.

2 BANISHING NEGATIVITY
Success can weaken the position of the risk management function if its processes are seen to impede growth. After the £28bn merger of Bank of Scotland and Halifax Building Society, the entrepreneurial zeal of Halifax came to dominate. It created an organisation in which head of regulatory risk Paul Moore could be told by one employee that “we’ll never hit our sales targets and sell ethically”. Moore reported the failure of risk management to the board, and soon after was made redundant with no remedial action taken. The culture can lead to “opinion shopping”, where the business will look for someone, anyone, to support destructive or dishonest behaviour. Thus Lehman Brothers reported its “Repo 105” loans as sales after an opinion offered by external UK counsel. US counsel had already rejected this course of action. After Lehman’s bankruptcy the court-appointed examiner called the decision “actionable balance sheet manipulation”.

3 IT WORKED LAST TIME
The concentration of influence in a small group of managers who have delivered success can create a single-strategy company that gradually becomes exposed to massive risk from rare events. Northern Rock wrote mortgages for customers who were acquired by brokers. Its growth targets demanded that it borrowed wholesale money to lend as new mortgages. It securitised the loans and sold them to other banks. The bank was incentivised to offer ever-riskier products (125% mortgages) with fewer checks (self-certified mortgages). It became a giant one-way bet based on inter-bank wholesale lending remaining available.

4 WHATEVER WORKS CULTURE
Success driven by strong management can lead to failure driven by the same force. At Bear Stearns, ‘Ace’ Greenberg hired recruits who were ‘PSDs’: poor, smart and with a deep desire to get rich. These PSDs not only set the tone but could push through day-to-day decisions with devastating results, because they enjoyed the confidence of the management. This eventually led to a trader, Ralph Cioffi, creating a fund that was leveraged 35 times and blew up. His response? Create another fund, leveraged 100 times. When that also blew up, he tried to salvage it by creating a listed company to contain the toxic debt.

5 YOU RECRUIT TO WIN, NOT TO MANAGE RISK
Dr Doug Hirschhorn, who trains traders for investment banks, is surprised that only 10% of the banks he works for give potential recruits a personality test. So many take on the sort of behaviour displayed by traders: a tendency to over-trade, a lack of appreciation of real-time risk/reward outcomes, and an inability to accept that losses are sometimes inevitable. Allied with traders’ expertise in hiding these problems, this makes formal risk management practices impossible either to teach or to implement. “A lot of behaviour is driven by how many people are watching,” Hirschhorn warns. SR

Tim Phillips is the author of Fit to Bust, published by Kogan Page and available at bookstores and online
ENVIRONMENTAL CLAIMS

How to manage environmental damage
A few steps can go a long way towards minimising harm to the environment and dealing with clean-ups quickly

IF A COMPANY CAUSES large-scale pollution, it can be extremely costly. Clearing up pollution takes time and money. You only have to look at how much BP had to fork out to clean up after the disaster in the Gulf of Mexico last year (around €25bn) as proof. All sorts of stakeholders have an interest in the environment, so it’s hard for firms to duck their duties. The environment is also highly regulated now: the European Environmental Liability Directive (ELD), for instance, has introduced new rules. Here are some things that companies can do to ensure issues get resolved more efficiently.

1 HAVE EFFECTIVE ENVIRONMENTAL RISK MANAGEMENT PLANS
First things first: companies should have site-specific contingency plans and emergency response procedures to prevent significant environmental damage occurring in the first place.

2 ESTABLISH THE ENVIRONMENTAL BASELINE FOR EACH SITE OF OPERATION
You cannot manage what you do not measure. Companies should define, as comprehensively as possible, the quality and status of the ecology and habitats that existed around their sites before the disaster. Effectively defining this baseline involves an economic evaluation of the natural environment surrounding and in close proximity to the site of operation. Once a baseline of environmental quality has been established to the satisfaction of the environmental regulator, the extent of remediation, restoration and compensation that will be required to return the ecosystems and habitats to their prior condition can be defined.

3 AGREE THIS WITH THE REGULATOR
Agreement with the regulator will then be required on the extent of remediation and restoration considered necessary. Preferably a baseline would have been established, documented and agreed with the regulator prior to any environmental damage occurring. If not, the regulator may infer a scope of restoration required based on a speculative view of the environmental quality prior to the event and, as such, the cost of the loss could be highly uncertain.

4 DEFINE THE “VALUE” OF THE ENVIRONMENT
The environment’s ‘value’ is based on the resources it provides. This can include direct value (wood, agriculture, food, water etc) and indirect value (walking, leisure and public space).

5 ESTABLISH A MAXIMUM PROBABLE LOSS ESTIMATE
This is an estimate of the scale of liabilities associated with environmental damage, based on maximum probable loss analyses for each site. Research has shown that the new ELD requirements for ‘complementary’ and ‘compensatory’ remediation could increase the costs of remediation 40 times. The maximum probable loss estimates should be based on scientific evidence concerning the species, ecosystems and habitats at risk, and the potential loss scenarios that could be envisaged for the site and operations. This will include an estimate of the extent of ecology and habitat destruction that it is possible to envisage and the possibility of wider damage. It’s also worth considering that remedial action may not be compatible with the baseline status, in that the precise replacement and restocking of species, communities, habitats and ecosystems may not be possible on a like-for-like basis.

6 CONSIDER WHETHER INSURANCE IS NECESSARY
Review the requirements for financial security and environmental insurance associated with the potential to cause environmental damage at individual sites of operation, based on the nature and scale of the activity. The maximum probable loss will help to inform this decision-making process with regard to issues such as the appropriate limit of indemnity to be obtained should environmental insurance be considered necessary. The implementation of the ELD in certain parts of Europe has included a mandatory requirement for operators of high-risk activities to hold financial security. Insurance is one of the most popular methods of financial security.

Cliff Warman is the environmental practice leader for the EMEA region at Marsh

[READ MORE ONLINE] For more information on environmental liability, download StrategicRISK’s 2011 Environmental Liability Guide at www.strategic-risk.eu or goo.gl/UX0vA

KNOWLEDGE
Life after Chernobyl
Almost 25 years on, the Chernobyl exclusion zone still exists. Yet where humans fled, wildlife now thrives. Many species, including rare ones such as the lynx and eagle owl, inhabit the area, and trees have re-grown. But some environmentalists remain sceptical. “The trees are having a terrible time knowing which way is up,” James Morris, a USC biologist, said.
CYBER CRIME

Strengthen your defences against cyber attacks
You might think your intellectual property is safe, but cyber crime is a fast-growing threat. Here are 10 steps you can take to protect your company’s deepest secrets

IT’S YOUR COMPANY’S MOST valuable asset: a technological breakthrough, a unique database, a list of important clients, a project under development. Whatever it may be, it has taken years or decades of work and investment. Yet it can be taken in a moment by cyber criminals. Commercial cyber crime is growing at an exponential rate around the world. In the UK, the combined loss to businesses from intellectual property theft and industrial espionage alone is £9.2bn a year, although “the real impact of cyber crime is likely to be much greater”, says a government-commissioned study by Detica. Commercially useful ideas, designs, methodologies and trade secrets are all on cyber criminals’ hit list. “If a product is attractive to somebody on the outside, it’s under threat,” says Stuart Poole-Robb, chief executive of risk specialist KCS Group. No business with saleable intellectual property is safe, says Will Thomson, director of Cardiff-based 4Secure. “Companies ask ‘why would anybody come after us?’” he says. “I tell them to look at what they’ve got that somebody else might want.” The utilities, medical, pharmaceutical, media, software, financial, electronics and telecommunications sectors are particularly at risk. But the fact is that any intellectual property-rich organisation where transaction volumes are high may be considered a target for highly professional, IT-savvy cyber criminals working from anywhere in the world.

And although industry professionals say there’s no single solution (“all organisations are different”, points out Thomson), there are several simple measures that can and should be taken.

Symantec said in March 2011: “The average data breach incident cost UK organisations £1.9m, or £71 per record.”

1 VALUE YOUR ASSETS
Start by conducting an audit of all the company’s intellectual property and assessing its external value. KCS Group managing director Massimo Cotrozzi says: “Many companies have no idea what their level of risk is.” Typically, even those that do attempt to put a price on intellectual assets they think are at risk from cyber crime often make the mistake of under-valuing those they may not consider important, but which others will for different reasons.

2 DRAW UP A BUDGET
Draw up a protection budget that bears a sensible relationship to the value of the property. “Many companies have ridiculously low budgets that are not comparable with the importance of the business involved,” Cotrozzi says. “Obviously it makes no sense to protect a £1bn formula with a £100 bit of software.”

3 GET TECH SAVVY
Don’t think the company is safe just because it’s got all the latest firewalls and other software. “Anti-virus software can’t defend itself against viruses it doesn’t know about,” Poole-Robb explains. “The best gateway into a company is an email address.” The big danger may not be inward traffic anyway. As Thomson says, “companies focus too much on what’s coming in instead of on what’s going out.”

4 ERASE SENSITIVE DATA
Recovery specialist Kroll Ontrack says that more than half of all firms leave commercially useful information on old computers and hard drives. A Ponemon Institute study, sponsored by

5 PROTECT YOUR DATA
Push data protection disciplines throughout the company, for instance by forbidding employees from using obvious passwords, because hackers work methodically through the predictable choices that human habits produce. And don’t leave passwords in obvious places.

6 STICK TO THE CODE
Too few companies have strict codes of online conduct backed up by effective enforcement, says 4Secure’s Thomson. “Employees always try to circumvent the system,” he says. Much cyber stealing can start from Hotmail, Gmail, flash files and other documents downloaded onto the desktop.

7 CHECK YOUR STAFF
Run short-term or contract staff through a security check. It’s not uncommon for a cyber criminal to get through the door as a replacement cleaner or employee. “Checks on short-term workers are usually inadequate,” Poole-Robb says.

8 NEED-TO-KNOW
Throw a ‘security perimeter’ around the company. Intellectual property should be assigned levels of importance according to its external value and made available on a need-to-know basis. Thus only designated employees should take designated data into an unsecured wider perimeter.

9 MOBILE PROTECTION
Develop a mobile phone policy. Mobiles often contain important data, but are often badly protected.

10 TREAT DATA WITH CARE
The most sensitive data should be treated like pure gold. The biggest private equity firms only release details about a major investment in a fully protected room where nothing can be downloaded, copied or removed. SR

Derailed: China has been accused of stealing Japan’s high-speed train technology. Kawasaki of Japan is one of the companies whose designs and innovations are said to have been cloned
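Steps 3 (‘Get tech savvy’) and 6 (‘Stick to the code’) make the same point from two directions: watch what is going out of the network, not only what is coming in, and treat uploads to personal webmail as an early sign that data is leaving. The block below is an added example written for this page; it is not code from the article or from any of the firms it quotes. It reviews constructed proxy log lines (the one-record-per-line format, the user names, the webmail domain list and the byte thresholds are all assumptions made for the example) and raises two kinds of finding: a single large POST to a webmail domain, and a user whose many small uploads to one webmail domain add up past a daily limit.

```python
"""Egress review over constructed proxy log lines.

Hypothetical example for the 'what is going out' point: flag large or
repeated uploads to personal webmail domains. The log format, users,
domains and thresholds are assumptions for the example, not any real
proxy's native layout or any vendor's rule set.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample log: "timestamp user method host bytes_out".
SAMPLE_LOG = """\
2011-05-03T09:12:01 alice GET intranet.example.com 512
2011-05-03T09:14:22 alice POST mail.google.com 48213
2011-05-03T09:15:03 bob GET news.example.org 1024
2011-05-03T09:20:45 alice POST mail.google.com 7340032
2011-05-03T09:31:10 carol POST hotmail.com 60000
2011-05-03T09:31:40 carol POST hotmail.com 60000
2011-05-03T09:32:10 carol POST hotmail.com 60000
2011-05-03T10:02:00 bob POST crm.example.com 2000000
"""

# Personal webmail domains that company policy says must not carry
# company data (assumed list for the example).
WEBMAIL_DOMAINS = {"mail.google.com", "hotmail.com", "mail.yahoo.com"}

SINGLE_UPLOAD_LIMIT = 1_000_000  # bytes in one POST (assumed threshold)
DAILY_TOTAL_LIMIT = 150_000      # bytes per user per webmail host per day


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    reason: str
    bytes_out: int


def parse_line(line: str):
    """Split one constructed log record into its five fields."""
    ts, user, method, host, size = line.split()
    return ts, user, method.upper(), host.lower(), int(size)


def find_webmail_egress(lines: Iterable[str]) -> List[Finding]:
    """Return findings for uploads to webmail that break either limit.

    Two patterns are covered: one oversized upload, and a 'low and slow'
    series of small uploads whose total exceeds the daily limit even though
    no single request does.
    """
    findings: List[Finding] = []
    totals = defaultdict(int)  # (user, host) -> bytes uploaded to webmail

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        _, user, method, host, size = parse_line(raw)
        # Only outbound request bodies to the denylisted domains matter here.
        if method != "POST" or host not in WEBMAIL_DOMAINS:
            continue
        if size > SINGLE_UPLOAD_LIMIT:
            findings.append(Finding(user, host, "single upload over limit", size))
        totals[(user, host)] += size

    for (user, host), total in totals.items():
        if total > DAILY_TOTAL_LIMIT:
            findings.append(Finding(user, host, "daily total over limit", total))
    return findings


if __name__ == "__main__":
    for f in find_webmail_egress(SAMPLE_LOG.splitlines()):
        print(f"{f.user:<6} {f.host:<16} {f.reason:<26} {f.bytes_out} bytes")
```

On the sample data the single big upload by alice is caught by the per-request limit, while carol’s three uploads are each well under it and only show up because the per-user total is kept; that aggregation is the part a rule that looks at one request at a time misses. The thresholds and the domain list are policy decisions to be set per company, and the same shape of check belongs on the proxy or DLP gateway rather than on the desktop, where, as step 6 notes, employees will try to circumvent it.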
VIEWPOINTS [ PEOPLE ][ OPINION ][ COMMUNITY ]
WHAT’S INSIDE YOUR HEAD?
Headspace
Igor Mikhaylov of Russia’s Mobile TeleSystems is willing to throw routine out of the window for new challenges

What are you thinking about right now?
The recent natural disasters in Japan. Sometimes, after tragedies such as this, there is a buying fever for personal protective equipment or food and water. It’s not possible for companies to serve that kind of peak in demand. And natural disasters can’t always be predicted. If you want to prepare for these disasters, you need to manage risk in advance. But where’s the line between being pragmatic and being paranoid?

What is your greatest fear?
Losing people who I love. The most important thing is to live life properly and make the most of it.

What was your most embarrassing moment?
It was during a school performance when I was young. It was such a successful performance that we were asked to perform in front of the whole school, our parents and teachers. But I hadn’t rehearsed properly so I felt nervous and couldn’t remember the script. I decided to lay parts of the script on the stage so I could read them during the performance. But I messed up because I paid too much attention to where the script was rather than focusing on my act.

What is your most treasured possession?
It’s difficult because I don’t attach much importance to material things. But I could say my electric piano.

What makes you happy?
I’m happy when I reach my targets, especially ones that seem unachievable. I’m happy to dare to solve problems that others refuse to do. I enjoy learning about new technologies and different applications of existing technology. I’m amazed by complex architecture, aerospace engineering, hybrid technologies, composite materials and hydroponics (growing plants in water without soil) – as well as many other advances in life.

Illustration by Richard Phipps
What makes you unhappy?
Boring routines. At work, if operations become tiresome because they stay the same for a long time it makes me unhappy. Politics makes me unhappy, particularly when it conceals inhumanity.

Who is your greatest hero?
I try to follow the example set by some remarkable and distinguished relatives of mine. They are my heroes because they played such important roles in society, science, economics and business. My grandfather worked for Unesco as a department head where he was involved in several large projects. He once directed an exhibition in Moscow and was a member of a delegation that hosted the Queen of England. My father is a professor and distinguished scientist of geophysics. And my brother works in the oil and gas industry.

What’s the biggest risk you’ve ever taken?
As a student I travelled very far to a Russian downhill ski resort. It was a spur of the moment decision and I hadn’t really done my research about skiing there. When I arrived I realised the ski hill was on the edge of a Chechen warzone. There were no tourists there because of the risk of being kidnapped. The locals all carried guns.

What is the worst job you’ve ever done?
Early in my career I was responsible for pricing strategy for radio networks. I was asked to prepare a presentation that I knew wasn’t necessary because everyone already knew the information. Afterwards the audience told me it was a waste of time.

‘I realised the ski hill was on the edge of a war zone. There were no tourists because of the risk of being kidnapped and all the locals carried guns’

What is your greatest achievement?
Graduating from Moscow Institute of Physics and Technology. The Nobel Prize for Physics was recently awarded to two scientists from here. In 2010, I won a Risk Management Award in Russia from RusRISK.

What is the most important lesson you’ve learned?
Never give up. Only ever set yourself difficult targets. Never agree to do something if you don’t believe in the end result. SR
Igor Mikhaylov is head of the risk management division at Mobile TeleSystems, Russia
BWise named Leader in Enterprise GRC Platforms by independent research firm*
Take control Stay ahead BWise offers you an industry leading software solution to get in control of all your Governance, Risk and Compliance (GRC) challenges, such as strategic-, enterprise-, and operational risks. With our unique process-based approach, BWise turns GRC into a formidable driver of cost reduction and process optimization. Visit www.bwise-grc.co.uk to request a complimentary copy of the Gartner independent report.
*Gartner’s Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms, Q3 2010
www.bwise-grc.co.uk
“Severe floods in India. Several UK manufacturers reported to have gone under.”
These days, there’s no such thing as a local incident. If you lose production in India, you can lose market share across Europe. That’s why FM Global takes a different approach. We base your property insurance on the site assessment of our engineers, not the calculations of actuaries. We work with you to look at critical sites in your supply chain. And we don’t just insure against loss, we help you to prevent it. You can actually save up to 85% of the cost of flooding, with the right precautions. So your business can stay in business. Speak to your FM Global representative or contact your broker, and visit www.fmglobal.co.uk/touchpoints to read our latest White Papers.
Secure the value you create
© 2011 FM Global. All rights reserved. In the United Kingdom, FM Global is the communicative name for FM Insurance Company Limited which is regulated by the Financial Services Authority.