
Risk Management May 2011


Australia's leading publication for risk management professionals. This issue: we examine the key role top level managers play in preventing fraud, take a look at the effectiveness of business continuity management, check out the growing risks around social media and this month's case study looks at building internal audit from the ground up.


March 2011 Issue 83 PP255003/06868

www.riskmagazine.com.au

CLEAR VISION ON CORPORATE GOVERNANCE

WHY A TICK-BOX APPROACH SIMPLY WON’T WORK

RISK PEOPLE: CAMERON SMITH FROM THE WESTPAC GROUP TALKS ABOUT MOVING FROM AUDIT TO OPERATIONAL RISK

10 CYBER THREAT PREDICTIONS FOR 2011

SPECIAL REPORT: D&O UNDER STRAIN POST-GFC MAN

INSURANCE D&O INSURANCE UNDER STRAIN POST-GFC

CLOUD COMPUTING THE RISKS OF TAKING DATA OFFSHORE

CAREERS RISK PEOPLE IN DEMAND

www.riskmagazine.com.au

RISK PEOPLE: SUNCORP’S RISK AND COMPLIANCE MANAGER, PAUL MUIR, ON THE HALLMARKS OF SUCCESSFUL ERM

HAS BCM LOST ITS WAY?

CHALLENGING THE STATUS QUO

THE CHINA SYNDROME

MANAGING ENVIRONMENTAL RISKS

NEWS REPORT: THE RISKS OF A RISING DOLLAR

INTERNAL AUDIT: THE HOLLAND INSURANCE COMPANY’S GROUND-UP APPROACH

SOCIAL MEDIA: THE RISKS TO BRAND AND IMAGE

HEDGE FUNDS: THE COURT CASE WHICH RATTLED WALL STREET

Fraud: top level managers hold the key to prevention

May 2011 Issue 85 PP255003/06868


Contents

FEATURES AND REPORTS

News Report: The risks of a rising dollar
With a high Australian dollar, companies should revisit their risk management strategies and implement good hedging policies

Case Study: Building internal audit from the ground up
The Hollard Insurance Company has taken a whole-of-business approach in building a strong internal audit program

Risk Feature: Has BCM lost its way?
Business continuity management professionals need to challenge the status quo by providing simple and efficient solutions, writes Craig Donaldson

ENVIRONMENTAL RISK: THE CHINA SYNDROME

RISKY BUSINESS

SOCIAL MEDIA REPORT

COVER STORY
Fraud is an ongoing issue for many Australian organisations. Craig Donaldson looks at the latest fraud trends, explores the most common vulnerabilities and details how companies can take a proactive and preventative approach to fraud

REGULARS

Editorial note
News review
Opinion & Comment
Risk People
Risk Careers


About us

Editor: Sarah O’Carroll
Journalist: Ben Nice
Contributor: Craig Donaldson
Designer: Ken McLaren
Design Manager: Anthony Vandenberg
Production Manager: Kirsten Wissel

Cab Member since December 2005

Subscribe today
Risk Magazine is published monthly and is available by subscription. Please email: [email protected] All subscription payments should be sent to: Locked Bag 2333, Chatswood D/C, Chatswood, NSW 2067

Advertising enquiries: Marika Biro - (08) 8371 5800 [email protected]

Editorial enquiries: All mail for the editorial department should be sent to: Risk Magazine, Level 1 Tower 2, 475 Victoria Ave Chatswood, NSW 2067

Copyright is reserved throughout. No part of this publication may be reproduced without the express written permission of the publisher. Contributions are invited, but copies of all work should be kept as Risk Magazine can accept no responsibility for loss. Risk Magazine and LexisNexis are divisions of Reed International Books Australia Pty Limited, ACN 001 002 357 Level 1 Tower 2, 475 Victoria Ave, Chatswood, NSW 2067 tel (02) 9422 2203 fax (02) 9422 2946 ISSN 1833-5209

Important Privacy Notice
You have both a right of access to the personal information we hold about you and to ask us to correct if it is inaccurate or out of date. Please direct any queries to: The Privacy Officer, LexisNexis Australia or email to [email protected]. © 2009 Reed International Books Australia Pty Ltd (ABN 70 001 002 357) trading as LexisNexis. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., and used under license.

From the editor

Does your BCP work?

No executive will thank a business continuity manager for saying “I told you so”.

But because many in the business continuity area have experienced the feeling of banging their head against a brick wall with executives in the past, many have lost their passion and zeal and resorted to a tick-the-box approach to business continuity planning.

Therefore, according to Alex Serrano, senior manager, advisory at Ernst and Young, managers have forgotten to ask whether their carefully scripted business continuity plans actually work in practice.

Given the recent spate of natural disasters, coupled with ongoing reported terrorist threats, executives are becoming more acutely aware of the need for crisis communication plans, remote disaster recovery sites and emergency PR strategies. Lately, it would seem foolish not to be prepared.

However, these plans are often criticised for being too complicated and ineffective when it comes to the crunch. Although all the boxes have been ticked, plans drawn up and files stored, the reality is, when disaster strikes they often don’t work.

Very often the work of the business continuity manager may never be put to the test and indeed if it is – it might just be the once.

But Serrano believes it’s time for business continuity managers to regain their zeal and challenge the status quo. He believes business continuity management is being challenged to “pay its way” more than ever before.

“Senior management and boards are, frankly, fed up with silo-based approaches to operational risk, and are demanding that BCM ‘up-periscopes’ better to work out how its approaches enmesh properly with the fundamental risk management processes within an organization,” he said (see news report p20).

As many companies disclose their business continuity preparedness, it’s one thing to have a plan but it’s another to practice it. And even if they’re feeling demotivated, they won’t be thanked for being able to say “I told you so”.

Sarah O’Carroll
Editor

“Working collaboratively and in partnership with our internal and external governance bodies generally ensures successful working relationships”
Adam Plummer, fraud manager, Zurich Financial Services Australia

What’s your take on this quote?

To have your say write to the editor [email protected]

Best comments will be published in the May issue of Risk


News Review

Risk plus finance equals higher profitability

FINANCIAL institutions that align their risk and finance functions are more profitable, according to recent research.

A global survey of nearly 200 senior banking executives in finance and risk found that of those who have much better alignment between their risk and finance functions, 60 per cent are much better when it comes to financial performance while 92 per cent are above average.

The research, conducted by the Economist Intelligence Unit in collaboration with CFO Research Services and sponsored by Oracle, found that the benefits of closer alignment between finance and risk are both specific, such as identifying potentially profitable clients, and general, such as providing a greater understanding of the global context in which major strategic decisions are made.

Alignment between risk and finance begins with good data; however, the survey pointed to significant differences in the perspectives and cultures of the two functions, with the leading risk-related priorities for finance departments cited as improving processes (54 per cent), data integration (46 per cent) and data management (40 per cent).

Alignment involves the creation of a common view of risk, and common data relating to it, across a company – and especially between the risk and finance departments, according to the research report, Transforming the CFO role in financial institutions: Towards better alignment of risk, finance and performance management.

It also found that a majority of finance functions are not applying risk data beyond compliance and product allocation to areas like analysis and budgeting.

Just over half of financial institutions have increased their use of risk data in compliance efforts, and 54 per cent in product allocation – both areas where its application was already well established.

Furthermore, fewer are applying the data more broadly, to significant responsibilities of the finance function such as financial analysis (41 per cent), front office lending (39 per cent) and budgeting (36 per cent).

The research report also found that the main barriers to incorporating risk-based data into financial and performance management are poorly integrated systems (41 per cent) and inconsistent metrics within their companies (37 per cent).

Moreover, 28 per cent of respondents believe that information silos within their companies erode the capacity to share relevant risk information; however, financial institutions have responded with significant investment in this area.

CFOs’ appetite for risk on the rise

FOR the first time in 12 months, most chief financial officers (CFOs) believe that now is a good time to take additional risk onto their balance sheets, recent research has found.

“CFOs see 2011 as the year to invest in their businesses to deliver growth,” said Keith Skinner, chief operating officer at Deloitte, which conducted the research.

It found that 52 per cent of CFOs were willing to take additional risk onto their balance sheets while 61 per cent are planning to increase capital expenditure – with 26 per cent planning to do so by 20 per cent or more, compared to 2010.

Underlying confidence in their own business performance continues to grow, with more than 81 per cent of CFOs believing their operating cash flow will increase over the next 12 months.

A further 54 per cent of CFOs are more optimistic about the financial prospects for their company than they were three months ago.

“Despite a number of shocks at home and abroad, CFOs are enjoying a period of good performance and this is contributing to increased confidence and a renewed appetite for risk,” said Skinner.

When asked about the potential impact of a price on carbon, the vast majority, 84 per cent, expected it to make Australia less competitive globally.

However, when asked about the impact on their own company’s financial performance, CFOs were split, with 44 per cent believing it would have no impact and 52 per cent predicting a negative impact.

However, 95 per cent think corporate profit margins will decline, possibly indicating that companies would not be passing on all of the cost implications of a price for carbon.

“There is still significant uncertainty about the shape of the final legislation however, at this point CFOs are expecting to pass on most of the carbon price to consumers, or will be lobbying government for assistance if they are trade exposed,” said Deloitte climate change and sustainability leader, Brad Pollock.

“The sector and the price elasticity of demand for their products will dictate just how much will be passed on to consumers.”

The good news for the policymakers, according to Pollock, is that 73 per cent of CFOs do expect the price on carbon to drive increased investment in low carbon and renewable energy and three quarters (76 per cent) expect it to drive a demand for low carbon products.

The Deloitte CFO Quarterly survey captured the opinions of 85 CFOs, representing businesses with a combined market value of approximately $397 billion or 26 per cent of the Australian quoted equity market.

“Despite a number of shocks at home and abroad, CFOs are enjoying a period of good performance and this is contributing to increased confidence and a renewed appetite for risk”
Keith Skinner, chief operating officer, Deloitte

Defining intangible risks

Like all areas of risk management, clear terminology in brand and reputational risk is important, according to Wayne Middleton, principal of Reliance Risk.

Brand: Is a collection of values or personalities connected with a service, a person or another entity.

Image and reputation: Comes from people’s experience of the brand and how the brand is perceived, such as customer service and quality of experience, for example.

Reputation risk: The loss of positive image and trust built over time comes from a customer’s experience with the brand. This image and trust is what the organisation must provide to attract customers, employees and partners.

Managing brand risk in a crisis

WHILE most organisations tend to understand brand and crisis management, there is often a disconnection between those in marketing who manage brands and those who facilitate risk management processes across a business, according to a local risk expert.

While professionals tend to understand the importance of effective communication with stakeholders and media management when under the spotlight, the above disconnection, however, means that “perhaps not enough preventative effort is placed on clearly understanding the organisation’s brand vulnerabilities in the context of risk management”, said Wayne Middleton, principal of Reliance Risk.

“I believe a lot of organisations do intuitive risk management of their brand and reputation without formalising some of it using risk assessment, applying the organisation’s risk management framework (if they have one) to these consequence categories, and reporting against them in the context of other significant risks to the business.”

As such, Middleton recommended organisations undertake a brand vulnerability risk assessment, which includes a solid stakeholder analysis that looks at customers, employees, industry, key influencers, regulators and competitors.

He said the assessment should seek to establish actions to: identify risk prevention strategies through the enterprise wide risk program; implement goodwill strategies with major stakeholders (as goodwill can be an effective barricade against short-term brand erosion in a crisis); implement a communications plan to keep constituents informed including a pledge to do the right thing; and link with the crisis management plan.


Inside trader fraud case rattles Wall Street

HEDGE fund trader and Wall Street billionaire, Raj Rajaratnam has been found guilty on 14 counts of conspiracy and securities fraud, after scamming $US63.8 million ($60 million) in illicit earnings.

Galleon Group founder, Rajaratnam - the richest Sri Lankan in the world - faces a minimum of 15-and-a-half years in jail following a government crackdown on the illegal practice of insider trading.

The investigation has been labelled as the largest hedge fund insider trading case in history, with the FBI using phone-taps to monitor the self-made billionaire.

As only the first person to go on trial from the total of 26 people charged in the case, the verdict for Rajaratnam sent a strong warning to other would-be fraudsters in Wall Street, with Manhattan U.S. Attorney Preet Bharara using the outcome to deter the practice of inside trading. “Let greed and corruption cause his undoing,” he said. “We will continue to pursue and prosecute those who believe they are both above the law and too smart to get caught.”

Simon Franklin, partner at Australian corporate advisory firm, Dequity Partners, said that while he didn’t believe that the case would dramatically affect the risk industry, he expected the high-profile nature of the case to raise awareness.

“These stories, and the newsworthiness of them, will certainly raise awareness, especially in terms of the big penalties involved,” Franklin said. “From a compliance or risk point of view, in order to prevent it from happening in the first place, there must be education. I think that’s where the industry is heading.”

Franklin said that the approach of most boards, directors or governance people would be to educate the management team as to what they could say in public, to prevent getting tangled up in such practices. Also highlighting the difficulty in defining what constituted insider trading, Franklin said that it was hard to stop the practice, given the loose and sometimes contradictory nature of the crime, and expected to see more cases like it in the future.

“It’s quite severe and it might put you off, but there’ll always be someone who wants to profit from information,” he said.

Columbia Law School Professor, John Coffee said that the use of government wire-taps was crucial to the verdict, and also emphasised the significance of Rajaratnam’s co-conspirators in the case.

“Everyone cooperated against Rajaratnam,” he told Fox Business News. “Why should he be the only standup guy? Quite frankly, professionals learn what is legal and illegal not by the law that is on the books, but by who goes to prison and for what,” he said.

“And I think a generation of traders, expert networks, securities analysts and others now recognize that participating in an insider trading network is dangerous, because, if one of the participants gets caught, our plea-bargaining system makes it likely he’ll turn in his co-conspirators and all the financial dominoes will fall,” he explained.

After the verdict was announced, Rajaratnam was released on a $US100 million bail package, which includes an electronic tag and house arrest in his Manhattan apartment until sentencing begins on July 29.

John Dowd, Rajaratnam’s lawyer, said that his client would keep fighting, and would be lodging an appeal.

“It’s quite severe and it might put you off, but there’ll always be someone who wants to profit from information,”
Simon Franklin, Partner, Dequity Partners

Internal audit leaders need new skills

INTERNAL audit leaders can no longer rely on business and financial acumen, but must also develop “relationship acumen” in order to establish and maintain strong relationships with key stakeholders in a business, according to a recent whitepaper.

Internal auditing’s top stakeholders – executive management and the audit committee of the board of directors – are increasingly demanding that internal audit leaders partner with management when providing both consulting and assurance advisory services.

The white paper, conducted by The Institute of Internal Auditors and Korn/Ferry International, found that these sometimes conflicting expectations require a broad range of communication skills and sensitivities.

It also delineates six attributes that are a must for top audit executives, including positive intent, which is a fair, independent, and objective approach to the job, and diplomacy, which the whitepaper defined as direct, forthright communication (including listening) skills, political astuteness, and sensitivity to the organisation’s culture and how things get done.

Other attributes included prescience – an ability to see matters with fresh eyes and a willingness to question assumptions – and trustworthiness (walking the talk, keeping confidences, operating with integrity and maintaining credibility).

The last two attributes in the white paper are leadership (setting the tone for the entire internal audit staff, steering others toward consensus, managing conflict and gaining alignment on issues) and empathy (understanding and focusing on each stakeholder’s point of view and being sensitive to their needs and feelings).

The whitepaper, The Relationship Advantage: Maximizing Chief Audit Executive Success, also said it is essential that internal audit leader candidates should have worked in jobs or situations in which strong relationships are required in order to succeed, and in which something important is at stake.

These might include: change management roles, international assignments, staff leadership without formal authority, or turnaround situations in which roles are not clearly defined.

“What makes the difference is stopping to reflect on what has been, and still can be, learned,” said the whitepaper.

“This extra step separates lifelong learners from those who don’t grow over time.

“What makes the difference is stopping to reflect on what has been, and still can be, learned.”

R M _ 8 5 . p g 0 0 7 . p d f P a g e 7 1 2 / 0 5 / 1 1 , 5 : 2 7 P M

6 Risk May 2011

N ews Review

CFOs’ appetite for risk on the rise

Risk plus finance equals higher profitabilityFINANCIAL institutions that align their risk and fi nance functions are more profi table, according to recent research.

A global survey of nearly 200 senior banking executives in fi nance and risk found that of those who have much better alignment between their risk and fi nance functions, 60 per cent are much better when it comes to fi nancial performance while 92 per cent are above average.

The research, conducted by the Economist Intelligence Unit in collaboration with CFO Research Services and sponsored by Oracle, found that the benefi ts of closer alignment between fi nance and risk are both specifi c, such as identifying potentially profi table clients, and general, such as providing a greater understanding of the global context in which major strategic decisions are made.

Alignment between risk and fi nance begins with good data, however, the survey pointed to signifi cant differences in the perspectives and cultures of the two functions, with the leading risk-related priorities for fi nance departments cited as improving processes (54 per cent), data integration (46 per cent) and data management (40 per cent).

Alignment involves the creation of a common view of risk, and common data relating to it, across a company – and especially between the risk

and fi nance departments, according to the research report, Transforming the CFO role in fi nancial institutions: Towards better alignment of risk, fi nance and performance management.

It also found that a majority of fi nance functions are not applying risk data beyond compliance and product allocation to areas like analysis and budgeting.

Just over half of fi nancial institutions have increased their use of risk data in compliance efforts, and 54 per cent in product allocation – both areas where its application was already well established.

Furthermore, fewer are applying the data more broadly, to signifi cant responsibilities of the fi nance function such as fi nancial analysis (41 per cent), front offi ce lending (39 per cent) and budgeting (36 per cent).

The research report also found that the main barriers to incorporating risk-based data into fi nancial and performance management are poorly integrated systems (41 per cent) and inconsistent metrics within their companies (37 per cent).

Moreover, 28 per cent of respondents believe that information silos within their companies erode the capacity to share relevant risk information, however, fi nancial institutions have responded with signifi cant investment in this area.

FOR the fi rst time in 12 months, most chief fi nancial offi cers (CFOs) believe that now is a good time to take additional risk onto their balance sheets, recent research has found.

“CFOs see 2011 as the year to invest in their businesses to deliver growth,” said Keith Skinner, chief operating offi cer at Deloitte, which conducted the research.

It found that 52 per cent of CFOs were willing to take additional risk onto their balance sheets while 61 per cent are planning to increase capital expenditure – with 26 per cent planning to do so by 20 per cent or more, compared to 2010.

Underlying confi dence in their own business performance continues to grow, with more than 81 per cent of CFOs believing their operating cash fl ow will increase over the next 12 months.

A further 54 per cent of CFOs are more optimistic about the fi nancial prospects for their company than they were three

months ago.“Despite a number of shocks at home

and abroad, CFOs are enjoying a period of good performance and this is contributing to increased confi dence and a renewed appetite for risk,” said Skinner.

When asked about the potential impact of a price on carbon, the vast majority, 84 per cent expected it to make Australia less competitive globally.

However, when asked about the impact on their own company’s fi nancial performance, CFOs were split, with 44 per cent believing it would have no impact and 52 per cent predicting a negative impact.

However, 95 per cent think corporate profi t margins will decline, possibly indicating that companies would not be passing on all of the cost implications of a price for carbon.

“There is still signifi cant uncertainty about the shape of the fi nal legislation

however, at this point CFOs are expecting to pass on most of the carbon price to consumers, or will be lobbying government for assistance if they are trade exposed,” said Deloitte climate change and sustainability leader, Brad Pollock.

“The sector and the price elasticity of demand for their products will dictate just how much will be passed on to consumers.”

The good news for the policymakers, according to Pollock, is that 73 per cent of CFOs do expect the price on carbon to drive increased investment in low carbon and renewable energy and three quarters (76 per cent) expect it to drive a demand for low carbon products.

The Deloitte CFO Quarterly survey captured the opinions of 85 CFOs, representing businesses with a combined market value of approximately $397 billion or 26 per cent of the Australian quoted equity market.


Defining intangible risks

Like all areas of risk management, clear terminology in brand and reputational risk is important, according to Wayne Middleton, principal of Reliance Risk.

Brand: Is a collection of values or personalities connected with a service, a person or another entity.

Image and reputation: Comes from people’s experience of the brand and how the brand is perceived, such as customer service and quality of experience, for example.

Reputation risk: The loss of positive image and trust built over time comes from a customer’s experience with the brand. This image and trust is what the organisation must provide to attract customers, employees and partners.

Managing brand risk in a crisis

WHILE most organisations tend to understand brand and crisis management, there is often a disconnection between those in marketing who manage brands and those who facilitate risk management processes across a business, according to a local risk expert.

While professionals tend to understand the importance of effective communication with stakeholders and media management when under the spotlight, the above disconnection, however, means that “perhaps not enough preventative effort is placed on clearly understanding the organisation’s brand vulnerabilities in the context of risk management”, said Wayne Middleton, principal of Reliance Risk.

“I believe a lot of organisations do intuitive risk management of their brand and reputation without formalising some of it using risk assessment, applying the organisation’s risk management framework (if they have one) to these consequence categories, and reporting against them in the context of other significant risks to the business.”

As such, Middleton recommended organisations undertake a brand vulnerability risk assessment, which includes a solid stakeholder analysis that looks at customers, employees, industry, key influencers, regulators and competitors.

He said the assessment should seek to establish actions to: identify risk prevention strategies through the enterprise wide risk program; implement goodwill strategies with major stakeholders (as goodwill can be an effective barricade against short-term brand erosion in a crisis); implement a communications plan to keep constituents informed including a pledge to do the right thing; and link with the crisis management plan.


Risk May 2011 7

News Review

Inside trader fraud case rattles Wall Street

HEDGE fund trader and Wall Street billionaire, Raj Rajaratnam has been found guilty on 14 counts of conspiracy and securities fraud, after scamming $US63.8 million ($60 million) in illicit earnings.

Galleon Group founder, Rajaratnam - the richest Sri Lankan in the world - faces a minimum of 15-and-a-half years in jail following a government crackdown on the illegal practice of insider trading.

The investigation has been labelled as the largest hedge fund insider trading case in history, with the FBI using phone-taps to monitor the self-made billionaire.

As only the first person to go on trial from the total of 26 people charged in the case, the verdict for Rajaratnam sent a strong warning to other would-be fraudsters in Wall Street, with Manhattan U.S. Attorney Preet Bharara using the outcome to deter the practice of inside trading. “Let greed and corruption cause his undoing,” he said. “We will continue to pursue and prosecute those who believe they are both above the law and too smart to get caught.”

Simon Franklin, partner at Australian corporate advisory firm, Dequity Partners, said that while he didn’t believe that the case would dramatically affect the risk industry, he expected the high-profile nature of the case to raise awareness.

“These stories, and the newsworthiness of them, will certainly raise awareness, especially in terms of the big penalties involved,” Franklin said. “From a compliance or risk point of view, in order to prevent it from happening in the first place, there must be education. I think that’s where the industry is heading.”

Franklin said that the approach of most boards, directors or governance people would be to educate the management team as to what they could say in public, to prevent getting tangled up in such practices. Also highlighting the difficulty in defining what constituted insider trading, Franklin said that it was hard to stop the practice, given the loose and sometimes contradictory nature of the crime, and expected to see more cases like it in the future.

“It’s quite severe and it might put you off, but there’ll always be someone who wants to profit from information,” he said.

Columbia Law School Professor, John Coffee said that the use of government wire-taps was crucial to the verdict, and also emphasised the significance of Rajaratnam’s co-conspirators in the case.

“Everyone cooperated against Rajaratnam,” he told Fox Business News. “Why should he be the only standup guy? Quite frankly, professionals learn what is legal and illegal not by the law that is on the books, but by who goes to prison and for what,” he said.

“And I think a generation of traders, expert networks, securities analysts and others now recognize that participating in an insider trading network is dangerous, because, if one of the participants gets caught, our plea-bargaining system makes it likely he’ll turn in his co-conspirators and all the financial dominoes will fall,” he explained.

After the verdict was announced, Rajaratnam was released on a $US100 million bail package, which includes an electronic tag and house arrest in his Manhattan apartment until sentencing begins on July 29.

John Dowd, Rajaratnam’s lawyer, said that his client would keep fighting, and would be lodging an appeal.

Internal audit leaders need new skills

INTERNAL audit leaders can no longer rely on business and financial acumen, but must also develop “relationship acumen” in order to establish and maintain strong relationships with key stakeholders in a business, according to a recent whitepaper.

Internal auditing’s top stakeholders – executive management and the audit committee of the board of directors – are increasingly demanding that internal audit leaders partner with management when providing both consulting and assurance advisory services.

The white paper, conducted by The Institute of Internal Auditors and Korn/Ferry International, found that these sometimes conflicting expectations require a broad range of communication skills and sensitivities.

It also delineates six attributes that are a must for top audit executives, including positive intent, which is a fair, independent, and objective approach to the job, and diplomacy, which the whitepaper defined as direct, forthright communication (including listening) skills, political astuteness, and sensitivity to the organisation’s culture and how things get done.

Other attributes included prescience – an ability to see matters with fresh eyes and a willingness to question assumptions – and trustworthiness (walking the talk, keeping confidences, operating with integrity and maintaining credibility).

The last two attributes in the white paper are leadership (setting the tone for the entire internal audit staff, steering others toward consensus, managing conflict and gaining alignment on issues) and empathy (understanding and focusing on each stakeholder’s point of view and being sensitive to their needs and feelings).

The whitepaper, The Relationship Advantage: Maximizing Chief Audit Executive Success, also said it is essential that internal audit leader candidates should have worked in jobs or situations in which strong relationships are required in order to succeed, and in which something important is at stake.

These might include: change management roles, international assignments, staff leadership without formal authority, or turnaround situations in which roles are not clearly defined.

“What makes the difference is stopping to reflect on what has been, and still can be, learned,” said the whitepaper.

“This extra step separates lifelong learners from those who don’t grow over time.


Comment

Internal audit: two steps forward one step back

I turned 40 recently. And my work is making me feel old.

You see I’ve become that guy who says things like “back in the mid-90’s when we were rolling out CSA, we used to produce these great assurance maps…” or “that way of dealing with strategic risk is so late-90’s, it’s okay in theory, but you’ll find that…”.

Sure, I was working at the vanguard of audit practice at the time, but with a little over 15 years in the game I find myself as “old man audit” - a source of institutional knowledge on assurance and risk practices.

There is some wonderful knowledge that’s been lost – what works and doesn’t in CSA programs, how to use internal audit to drive re-engineering outcomes, why CoCo is easier to embed than COSO etc.

And without this knowledge we’re not sophisticated buyers. The snake oil salesmen are alive and well and the old-rope is sounding pretty good with its new names and marketing narrative.

In part this stems from changes in sponsorship and restructuring in the organisations we serve, but a lot of it is also self-inflicted as a result of how we resource ourselves.

Internal audit is a transitory game. It draws on people from all walks of life, many who haven’t dabbled in internal audit much before. For most it’s a stepping-stone of 2-4 years, moving onto something else before mastering their craft. The resulting loss of institutional knowledge, and difficulty in moving forward is enormous.

Indeed, in 2011 I see companies implementing 90’s ideas or discovering them for the first time. Worse still, I see some companies reinventing the wheel or going down the wrong paths with ideas that have been tested extensively in years gone by. The level of inherent atrophy and wasted investment is enormous.

While this is a great platform for a business like mine it does raise a big issue for the internal audit profession. We really should be a lot further ahead than where we are today.

Until we find ways to capture and build on institutional knowledge the profession will continue to spin its wheels. Its aspirations will continue to be for a base level of consistency rather than excellence. And we will struggle to keep pace with the needs of our stakeholders. Until we become proficient in institutionalising this knowledge, we will keep on taking two steps forward, one step back.

Todd Davies is one of the region’s pre-eminent thought leaders and innovators in internal audit. For more information: www.todddavies.com.au

Most Australian businesses fail to manage risk

SIXTY-ONE per cent of Australian businesses who conduct international operations do not have sufficient risk strategies in place.

The International Trade Tracker revealed that despite high levels of concern about currency fluctuation, Australian businesses were far less likely to manage financial risk when trading internationally, compared to their counterparts in the UK (55 per cent) and US (54 per cent).

Canvassing the views of 1,500 businesses throughout the three countries, the survey led by American Express FX International Payments (AMEX FXIP), found that fluctuations in currency concerned Australian businesses more than anything else, beating issues such as red tape and legislation, cash flow problems, and pricing.

Paul Norwood, Director of Operations for AMEX FXIP said that the findings were surprising, and said that he was alarmed at the rate of complacency shown by many Australian companies.

“The Aussie dollar is one of the most volatile currency pairings in the world and it’s not uncommon for the dollar to move 1.5 or 2 per cent in the blink of an eye,” he said. “To have never considered it before, given the potential impact and what it means to Australian business, is definitely concerning.”

37 per cent of those who do not have strategies in place to hedge currency-related risks, said that they had not even considered implementing such strategies before, while 34 per cent said that they didn’t believe that they were large enough or conducted enough international business to justify the exercise.

“No matter how big or small you are, as the currency moves 17 per cent, as it has done in the past 12 months; that has to have some kind of impact on your profit margin,” Norwood maintained.

A further 21 per cent said that while they were aware of the benefits, managing risk was ‘too much of a hassle’, and that the time, cost and research involved far outweighed the benefits of investing in basic hedging strategies.

“If we look at all three reasons, from our point of view it does point to the fact that a lot of companies aren’t aware of the basic tools that are out there to enable them to effectively manage their risk,” he said.

Norwood acknowledged that the soaring Aussie dollar and the relatively mild impact that the GFC had had on Australian businesses were possible factors when considering the findings.

“There are a lot of positives pointing towards the Aussie dollar at the moment, and most commentators can’t see a short term end to the strength.”

The Amex director of operations told HR Leader that a lack of awareness was partially to blame for the failure to prepare for risk, and also said that there was a definite level of complacency in terms of hedging strategies in Australia.

“Awareness is something that all FX providers need to focus on, and through that education process, Australian businesses will look more and more at different hedging strategies in terms of what options are available to them and what is right for them,” Norwood said.

One simple way that businesses could cover themselves, he explained, was to engage in a forward exchange contract, which would give the company the ability to lock in a set exchange rate on future transactions involving foreign currency.

“A forward exchange contract provides a peace of mind - the ability to lock in what is needed to pay in foreign currency in the future.”



Business continuity planning for the worst

AN effective business continuity plan in the aftermath of an event of disastrous proportions is one that is simple with no unnecessary detail, according to an expert in the area.

While early versions of business continuity plans frequently contain much verbiage as people get their head around what the subject is all about, Jim Truscott, CEO of Truscott Crisis Leaders, advised making them easy to read under stressful conditions, with plenty of white space like a CV.

“Most people will only look at them once every 12 months at best,” said Truscott, who added that checklists, such as those used by pilots, are best.

Speaking ahead of the Australasian Business Continuity Summit 2011, he said mature business continuity budgets usually equate to one to three per cent of operating costs.

“But for the vast majority of organisations how do you do more, instantly, under extreme circumstances of terrorism and natural disasters with leaner organisations?” he asked.

In an ideal world with unlimited resources, Truscott said there would be fully tested plans with a carefully chosen, regularly exercised crisis team.

However, the reality is that for the vast majority of organisations, planning is compromised by limited budgets and insufficient time and resources.

As such, he said it is best to have a strong crisis management team, although some business continuity planning development is essential.

“Keep the business continuity plans to the absolute bare minimum with no complicated procedures and processes; just simple information that the crisis management team can use as the basis of taking action and making decisions,” said Truscott.

“Build the best team possible with your resources. Train the team and exercise it again and again. Ensure that each team member is backed up by a deputy and empowered to make all necessary decisions.

“If ‘no risk no champagne’ is your strategy, like some of the best companies in the world, then your team must be drilled in crisis leadership,” said Truscott, who observed that crisis leadership may become the dominant form of management in the years ahead.

Leadership is the best thing that you can do before and after terrorist incidents and natural disasters, he said.

“Crisis management is just looking at the hole in the fence. Crisis leadership is seeing the open paddock beyond.

“Now that the best companies now disclose their crisis and business continuity preparedness in annual reports, just as they disclose remuneration, audit compliance and safety records, it is one thing to have a plan; it is another to practice it,” he said.

Jim Truscott will be speaking at the Australasian Business Continuity Summit 2011, held from 8 to 10 June 2011 at the Sofitel Sydney Wentworth Hotel.

Don’t let privacy get lost in the cloud

THE cost of addressing security and privacy issues may outweigh potential operational and capital savings for government departments looking to shift to cloud computing, according to Victorian Privacy Commissioner Helen Versey.

Cloud computing technology is being used increasingly by Victorian government agencies to reduce capital and operational costs, as the cost of storing data or accessing applications via offsite methods greatly reduces the need for technology infrastructure, IT support and staffing.

However, there are privacy issues – particularly in relation to data security – that need to be addressed if an organisation plans to use cloud computing technology for hosting and accessing its data or applications, she said.

Speaking on the release of recent cloud computing guidelines for Victorian public sector organisations, Versey added that implementing cloud technology requires a different mindset than traditional IT services, as using the cloud may swiftly reveal failures in security and procedural processes that have not been properly thought out.

“The desire to reduce costs will need to be balanced with other factors, including ensuring privacy protections, when deciding whether or not to use cloud computing technologies,” she said.

Victorian government agencies should only use a cloud service provider that agrees to ensure that privacy protection is essential and that agrees to comply with the Information Privacy Principles in the Information Privacy Act 2000, Versey added.

“Where the provider is located offshore or even outside of Victoria, taking reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure may be difficult or even impossible,” she said.

“By using a cloud service, the government agency is relinquishing some – if not all – control over their data. This includes being able to control security measures, and can present problems if something goes wrong.”


The risks of a RISING DOLLAR

While the high dollar is generally good for Australian tourists overseas, the flip side of this is that the high dollar makes Australian exports more expensive – presenting a significant number of risks to some sectors of the local economy.

Manufacturing, tourism and agriculture are some obvious sectors that suffer from a high Australian dollar, and companies operating in these sectors would do well to revisit their risk management strategies and make sure they have sound hedging policies in place, according to experts.

“The rising Australian dollar is a complete disaster for the manufacturing/exporting sector,” according to Richard Hughes, founding director of Visual Risk, a software and consulting company which specialises in market risk management.

If the Australian dollar is sustained at its current high levels it will fundamentally damage a lot of Australian exporters who produce goods, he says. “We don’t have enough manufacturing exporters as it is because our manufacturing sector is already in long term decline, so we really don’t need that.”

For the resources sector, Hughes says that the high dollar is eroding profitability, although resources companies are picking up the benefit of high commodity prices which significantly offsets the cost of the rising dollar. “The fact of the matter is the high Aussie dollar is hurting them a lot as well because they’re selling commodities denominated in US dollars. So when they bring those dollars home it costs them a lot to buy the Aussie,” says Hughes.

“But if, for example, you get an unusual situation where commodity prices collapse and the Aussie dollar stays high, they would get hit with a double whammy. In this nervous market, anything could happen right now.”

Global forces at play

While the dollar usually drops if commodity prices collapse, Hughes says the world “is a little bit different now. Nobody knows what the ‘new normal’ will actually be.”

The main issue now is extreme risk in the world’s strongest currencies, which are the US dollar, the Yen and the Euro, because of government deficit problems. The strongest countries on the planet all want their currencies to be weak to make their exports cheaper, boost trade and subsequently stimulate growth in their economies.

“The world’s financial markets are very unstable at the moment, and with most major currencies weak, our strong Aussie is collateral damage from that. This aberration is not a function of Australia’s strong economy so much, but rather a function of US dollar weakness, and that is our big problem,” says Hughes.

News Report

“I don’t believe anyone of our generation has seen a combination of financial risks of this nature before, so my key message to business is to take care”
Richard Hughes, founding director, Visual Risk

With a high Australian dollar, companies should revisit their risk management strategies and implement good hedging policies


The Australian dollar is currently around the fourth or fifth most traded currency in the world, whereas the Australian economy is about the 13th or 14th biggest economy in the world. This anomaly indicates that “we are, as a currency, punching way above our weight in terms of popularity with global investors”, says Hughes.

“The only reason that the currency’s traded as much as it is because Aus is seen as a relatively stable economy, but the AUD is seen as a good commodity/China market play. So it’s a highly risky currency and it’s prone to fairly violent swings.”

Currency risk management

As such, Australian companies need to be careful of currency shocks and keep a close eye on overseas markets. “Risk managers shouldn’t only look domestically for risk factors, because the real danger lies offshore. I think there’s a dangerous level of complacency in Australia right now in terms of risk management,” says Hughes.

“Many people think we’ve dodged a bullet from other market shocks quite often in the past and, fingers crossed we can continue to do that, but I think it’s a very dangerous assumption. My takeaway comment is that companies should take care.”

Companies should spend more time on their risk management than they have been in the past because “right now they are facing more risk than they have ever faced in the past”, says Hughes.

“My advice to senior management is to focus more attention onto risk management and make sure that their cashflows that are exposed to market risk are hedged sufficiently so they can deliver some certainty as these are the cash-flows needed to sustain the business.”

Hughes adds that he is very nervous of the current markets. “I don’t believe anyone of our generation has seen a combination of financial risks of this nature before, so my key message to business is to take great care.”

Currency risk management planning

There are six basic principles organisations should have in place to manage market risk:

1. Understand and quantify the organisation’s risk exposures (worst and best case). It is useful to perform scenario models and sensitivity analysis on worst and best case situations.

2. Determine the organisation’s risk tolerance. Determine its need to take risk.

3. State the organisation’s risk management objectives and hedging approach. What are the risk management objectives of the organisation and how will credit, operational and market risk of the business be managed? When deciding upon a hedging strategy the core problem is to strike a balance between uncertainty and the risk of opportunity loss. In establishing the balance, consider the risk aversion and the risk preferences of shareholders.

4. Define risk metrics and policy guidelines. Risk metrics are a set of financial models used by the organisation to measure financial risks. These include: standard deviation, value at risk, expected shortfall, marginal VAR, incremental risk, coherent risk measures and assessing risk measures.

5. Monitor, measure and report the risk. For more strategic and longer term risk management, it is time to go back to basics: measure, monitor, mitigate and report.

6. Review, stress-test and refine the approach.

Source: Corporate Financial Risk Management update, KPMG


Fraud is an ongoing issue for many Australian organisations. Craig Donaldson looks at the latest fraud trends, explores the most common vulnerabilities and details how companies can take a proactive and preventative approach to fraud

Fraud is an ever-present risk for Australian organisations. Recent research has found that financial institutions continue to be the largest victims of fraud, having lost almost $40 million to fraudsters over the 6-month period to December 2010. While Australia’s fraud levels eased from $2.3 million per case to pre-GFC levels of $1.7 million per case, the steady stream of fraud activity is still concerning, given the cost to organisations, according to Gary Gill, national head of KPMG forensic, which conducted the research.

Fraudulent loans, investment scams and theft of investors’ money accounted for about half of the frauds over the 6-month period to December 2010, while accounting fraud accounted for another third. In addition to these perennial fraud types, Gill says fraud through social media is an emerging issue. “I think organisations are struggling to understand what the fraud implications of social media might be,” he says.

“There is a lot of concern about social media and fraud, as most employees have the ability to access social media, whether it’s through their work computer or through their mobile phone, combined with the ability to share information quickly through social media networks. It’s a real emerging issue and there are no clear answers at this stage.”

Malcolm Shackell, a partner in forensic services at PricewaterhouseCoopers, observes that there has been a lot more corporate expense-related fraud over the past 12 to 18 months. “That’s really been something that’s surprised us,” he says.

Cover Story

Chinks in the armour

12 Risk May 2011


Tackling fraud

There are a number of hallmarks of best practice approaches to fraud management and prevention, according to Matt Fehon, a forensic partner at McGrathNicol. These include:

Culture: An organisation that promotes a culture with a high awareness of fraud risks and strong integrity consciousness.

Risk assessment: A risk assessment program that regularly examines and tests internal controls.

Detection programs: Proactive methods of detection, including audit techniques, data analysis and internal and external staff reporting mechanisms.

“The attributes I have mentioned go some way to achieving better practice, however, I find that if there is senior management commitment and a manager responsible for driving the program, it results in the organisation having a solid approach to management and prevention,” says Fehon.


“Usually with this fraud, it tends to be what I call nickel and dime stuff, where there might be questions around whether or not a particular charge is authorised or whether it’s for personal use. But some of the cases we’re seeing now are much more serious, with some expense frauds up in the hundreds of thousands of dollars.”

Shackell also says that procurement fraud is an ongoing issue. “We are seeing plenty of frauds that involve false documentation, and by that I mean false invoicing, false vendors, payment system manipulation, that kind of thing. This kind of internal fraud is always focused on where funds leave the business, and again, the scale of some of these frauds can be quite surprising because very often they’ve been going on for a long time.”

Tone from the top

The single most important thing in addressing fraud is “tone from the top”, according to Shackell. The very top levels of management, including the CEO, should sponsor or communicate fraud control and awareness, rather than just leaving this up to the functions which typically deal with the process at an operational level. “The messaging that comes down from senior management is incredibly important,” he says.

Where there is a lack of tone from the top, or where this tone is vague or senior management seems uninterested in fraud management and only interested in the revenue line, Shackell says this can have dramatic effects down the track. If employees believe that those at the top of the organisation aren’t interested, or worse, are ambivalent about fraud, “the culture suffers terribly as a result and frauds often occur in this kind of environment”, he says.

Gill agrees, and says senior management needs to understand fraud risks and take them seriously. “They need to deal with issues as they arise in a way which demonstrates that they’re taking it seriously. And it has to be done on an open and transparent basis and it has to be done consistently,” he says.


“So if a senior guy’s fiddling his expense forms and then claiming stuff that he shouldn’t be and nothing gets done about that, well, you can bet your bottom dollar that somebody else at a lower level will find out about it, and if they’re seeing the guy at the top doing it then it sets a really bad example for others to follow.”

Anti-fraud steps

It is also important to have a variety of mechanisms which enable employees to report fraud, Gill says. With internal fraud somebody always knows it is going on, but they often don’t speak up, he says. “Hopefully the person will simply talk to their boss and raise it that way, but if the boss is the problem then how do they blow the whistle? So having a whistle blower procedure in place, including an anonymous whistle blowing hotline is really important, and we’re seeing more and more organisations doing that,” he says.

Another helpful process is a fraud risk assessment, which Shackell says involves working out which area of the organisation is likely to have the highest incidence of fraud and then testing controls which are in place to mitigate those risks.

Data analytics can also contribute to effective fraud management. “I’d say that data analytics is a bit like a second layer of defence. This involves searching for fraud in your system data, particularly system data, around things such as purchasing and corporate expenses,” says Shackell.

A third important hallmark of effective fraud management involves incident management. “I have seen many organisations spend a lot of time and effort on being proactive about fraud, but when an incident does occur they can be a little bit all at sea about what to do next,” says Shackell.

Companies need to think about how to react to an incident, who needs to be informed, what steps need to be taken, what the corporate attitude will be, when to engage lawyers, when to engage external help, when to report to police – “all these types of things need to be thought about before they actually occur”, he says. “The reason for this is because very often with investigations you do need to move quickly.”

Gill agrees, and says it’s important to have a clear process in place in the event of a fraud. In addition to the above steps, it is important to consider fidelity insurance and what steps are involved in the event of fraud. “Normally you have to notify the insurer fairly quickly after the fraud has been discovered,” he says.

“And then what processes do you have in place to close the door after the horse has bolted? So it’s important to fix up the controls and other areas that clearly weren’t working which allowed the fraud to happen.”

Combating fraud at Zurich

Adam Plummer, fraud manager for Zurich Financial Services Australia, says the company’s insurance fraud program is underpinned and supported by an existing “robust and rigorous” global Zurich anti-fraud program.

A combination of automated and manual fraud detection tools ensures that only the “right” referral is examined more closely for fraud and genuine claims are paid promptly, while he adds that a high degree of due diligence examination is applied on new claims received by the claims fraud team that ensures all commercial aspects are considered.

Within the first 12 months of operation, the claims fraud team have delivered fraud savings in excess of $4 million with a 24 per cent strike rate, according to Plummer.

“The introduction of a claims fraud team into Zurich Australia now provides the business with the appropriate resources to detect fraudulent claims and protect the financial bottom line of the business from paying fraudulent claims,” says Plummer, who adds that it has increased the overall awareness and knowledge of claims staff to be vigilant about the presence of fraud indicators when processing new claims.

The claims fraud team works closely with Zurich’s risk and compliance function as well as internal audit and other internal governance bodies, while the team also regularly attends quarterly risk management working group meetings to share and exchange fraud information. “Working collaboratively and in partnership with our internal and external governance bodies generally ensures successful working relationships,” says Plummer.

The claims fraud team are positioned right in the middle of the Zurich general insurance claims operation, which allows claims advisors to seek guidance and assistance from the internal fraud function easily and promptly.

A successful fraud program requires the buy in and participation of all claims staff, he adds. “This is achieved regularly by engaging claims staff, of all levels, into the development of fraud programs and initiatives,” says Plummer, who points out that Zurich has a zero tolerance to fraud policy and all staff are trained and educated on this via regular fraud training.

Plummer recommends other internal audit/risk management professionals avoid relying purely on “out of the box” automated fraud detection solutions as being the total solution to fraud detection. “Excellent fraud outcomes are achieved from trained and skilled claims staff, coupled with data mining IT solutions and fraud intelligence capabilities,” he says.


Fraud trends

Matt Fehon, a forensic partner at McGrathNicol, observes that cross-border fraud is continuing to be a greater problem, with Australian companies undertaking increasing levels of international business and offshoring.

Electronic Funds Transfer fraud also continues to be a significant threat to businesses, he says. “We are finding that staff are more aware of weaknesses and methods to manipulate payment systems than was the case in the past. The systems and controls that organisations implement are critical to ensuring there are appropriate safeguards to the finances of the company.”

Fehon recommends risk management professionals be innovative and look to combine traditional fraud detection and risk management techniques with technology. “Data is a useful source of information, which if used well, can aid a skilled risk management professional with a smarter selection of transactions in which to undertake a review.”


The Hollard Insurance Company is a multinational with businesses in Australia, Africa, the United States, United Kingdom and South East Asia. It provides a wide range of insurance products and services to more than 6.5 million policyholders worldwide, and it employs more than 1500 people and holds assets in excess of $1.7 billion. In Australia, the company directly covers more than 150,000 policyholders with its home and contents, motor, landlord and life products, while many more are covered through its wholesale umbrella products.

Hollard Australia has built its internal audit approach from the ground up over the past year. It has undertaken a program to completely integrate risk management practices with internal audit while maintaining independence of the functions, according to David Hall, the company’s head of internal audit. “This has started at the top where we articulate our risk appetite under each of the categories of risk that we have defined. Our appetite for risk then drives the ratings through our risk registers, which are the responsibility of the general manager of each of our businesses,” he explains.

“Our internal audit programs are then developed from the risk registers and this then flows through to our internal audit reporting. Through this mechanism, our internal audit team is able to focus its work on the controls in place to mitigate risks where current levels of exposure are inconsistent with our board’s appetite.” Hall says this ensures maximum value is gained from the efforts of the internal audit team and ensures some real value add from the function.

Benefits and lessons

The process has highlighted the importance of a top-down approach to risk management and the involvement of stakeholders from the board down, Hall explains. As a result, the internal audit function is more efficient as it is able to focus on relevant risks rather than needlessly spending time looking at processes which add little value, he says.

This methodology has required a whole-of-business approach, Hall says. “We needed to ensure that we had the necessary ‘buy in’ from every part of our business as the effectiveness of the internal audit program is entirely reliant on the ability of the business to properly articulate its risks,” he explains.

Case Study

Building internal audit from the ground up

The Hollard Insurance Company has taken a whole-of-business approach in building a strong internal audit program, writes Craig Donaldson

“In hindsight, we should have perhaps engaged with the business earlier to ensure that we were able to fully capture all relevant risks across the organisation. Leaving this until the audit plan was underway meant that the appropriate attention had not really been paid to the management of risk registers. I think the key to these sorts of initiatives is that all stakeholders see the value,” says Hall, who adds that certain governance committees were formed once the plan was already underway, rather than getting them in place upfront.

A broad business approach

While internal audit at Hollard is independent of the risk function, it is entirely dependent on its output to guide its programs of work. “Our audit program is very much operational in nature so while we have a close relationship with finance functions, we are more engaged in the questions of ‘how do you ensure risks are mitigated and controls are effective’ rather than a detailed assessment at a micro-level of all activities of the finance function,” Hall explains.

“It is often the case that experienced finance personnel also understand the importance of risk management and internal audit; we have therefore been able to create an almost collegiate approach to the auditing of key finance functions.”

On a broader level, Hall says building a culture around this and engaging employees to encourage reporting of internal fraud and related issues is a “real challenge” in Australia. “I believe that there is still very much an attitude of not reporting some of the inappropriate behaviours that go on in the workplace,” Hall says.

“No-one wants to be the person that blows the whistle for fear of reprisal. Here is where effective whistleblower programs with adequate protection for those who are willing to come forward. These are often best provided externally to provide that extra layer of comfort to employees.”

Hollard manages its whistleblower program internally through internal audit, which Hall says is an appropriate approach for a business of its size. “I also find that the message from the top is critical. Management must be seen to act with integrity and with a zero tolerance to misconduct (fraud and otherwise) and this ensures that employees also grow within the business with these views,” Hall states.


Making the most of internal audit

All too often internal audit programs are still driven by process, even when they claim to be risk-driven, according to David Hall, head of internal audit for The Hollard Insurance Company in Australia.

“I think the best way to approach this is to step back before you perform any internal audit work and ask yourself what the real risks are in the area/business unit or process that you are about to review,” he says.

“The internal auditor can no longer be limited to just being an accountant. A sound knowledge of the business and business practices is absolutely essential to ensure that they can fully understand what the risks are, how they are mitigated, and then to be able to devise audit tests to ensure that the mitigation steps are appropriate.”


Social Media

Social media risks on the rise

There is increased concern among companies about social media and associated risks to brand and image

“Risk management professionals need to have the support of their senior executives to ensure security of information assets is part of the organisation’s culture” Neville Gollan, sales and marketing director, Sense of Security

“Brand and image” has been ranked as the number one risk concern in Aon’s Australasian Risk Benchmarking Survey for the past four years. It has also been ranked among the top four risk concerns over the past nine years of the survey.

Interestingly, this year, increased use of social networks was specifically cited as providing potential risk to an organisation’s brand, image and reputation.

Brand and reputational risks do differ industry to industry, however, the increased degree of transparency and speed of information sharing via social media means that reputational issues can now become front page news in a matter of hours, according to industry experts.

“Over the past few years consumers, including shareholders and industry analysts, have been accessing news via the internet and mobile devices on a much larger scale,” said James Griffin, partner at SR7, a consulting firm which specialises in online reputation management.

“This has in turn led to a quickening of the news cycle and a hunger for more content.”

News is much more costly to report and produce than opinion, which Griffin said can be delivered via social networking sites, Facebook, Twitter, forums and blogs.

“Everyone has an opinion about a company, its brands and products,” he said.

“Every company, regardless of industry, has critics. Social media allows them to rally together and broadcast information about your organisation to many.”

For example, a Deloitte survey has found that 74 per cent of employees believe it’s easy to damage a company’s reputation on social media, while 58 per cent of executives agree that reputational risk and social networking should be a board room issue – but only 15 per cent say it actually is.

Furthermore, the survey found that almost 50 per cent of employees said they would not change their online behavior if their company had a policy, while 27 per cent of employees do not consider the ethical consequences.

“Damage to brand and reputation ultimately affects shareholder value and the bottom line, so it is vital that brand and reputation management is an enterprise-wide effort not just confined to say the communications department,” said Griffin.

Many companies have a limited understanding of how their brand is perceived in the marketplace, and he said a significant weakness is a lack of understanding how social media can impact both positively and negatively on brand.

As such, brand and reputation management are too important to be left to any one department, according to Griffin. “Your brand is what differentiates you from your competitors, so it is vital to understand how your brand is perceived,” he said.

“Finally, even if you think social media isn’t really suited to your industry look beyond it for marketing purposes but as a tool for feedback on your products, brands and services.”

Griffin said risk managers need to request that brand and reputation risk be managed strategically just as other risks are, such as capital, legal and liquidity.


Business Continuity

Has BCM lost its way?

Business continuity management professionals need to challenge the status quo by providing simple and efficient solutions, writes Craig Donaldson

While the mechanics of companies’ business continuity plans are often fine in theory, management often overlooks the basic fact as to whether or not they would work in practice, according to Ernst & Young.

On one level, senior management has a better appreciation now than ever before of what business continuity management (BCM) is, why planning is necessary for disruptions and some key elements of such planning.

“They have experienced Y2K, and enhanced IT disaster recovery and service continuity plans,” said Alex Serrano, senior manager, advisory, Ernst & Young.

“They have experienced the terror threat surrounding 9/11, and understood the importance of crisis communications and remote disaster recovery sites. They have confronted pandemic influenza and SARS, and implemented people security measures and embraced societal resilience. These are all good things.”

Yet within boardrooms and senior management teams, Serrano said the more familiarity that management has with BCM and its terms and concepts, the more complacency tends to take hold in some quarters.

“Do we have a crisis plan? Check. Have we done a BIA? Check. Are the continuity plans in order? Check. And yet something is lost in this mechanistic focus on procedure,” he said.

“Somewhere along the way management has forgotten to ask ‘do all these plans actually work?’”

In some cases, Serrano said hard decisions about investing in BCM capability have been dodged, and BCM managers have at times become complicit in this process.

“Being knocked back for necessary investment in risk-based mitigation decisions one too many times, some have stopped being ‘outrageous’ and demanding attention to core risks. When this happens I think it’s regrettable,” he said.

Well-publicised recent natural disaster events in the Asia Pacific region, however, may be starting to refocus a number of boards and senior management teams on this key issue.

“BCM is no fig leaf. Unlike some things an organisation chooses to pursue, BCM must carry its weight – it must be proven to work. Thankfully some corporates and leaders have never lost sight of that,” said Serrano.

However, he noted that some things show little signs of changing. “For example, the main drivers for BCM remain the same – regulatory compliance and the boards of corporate organisations. For regulated industries (such as the banking sector) compliance requirements mean that Australian banks must be able to demonstrate capability according to the prudential standard APS 232,” said Serrano, who noted that listed entities and government organisations similarly need to address ongoing, stringent BCM compliance requirements. One of the key attributes of the BCM profession is that it is all about asking questions and challenging the status quo, he added.

“Therefore, there is no contradiction between BCM achieving a level of process maturity while at the same time continuing to ‘reinvent’ itself with uncommon zeal and vigour. The emerging BCM global standard is just one example,” said Serrano.

“There is no standing still in this industry, partly because the risks that BCM addresses are constantly evolving and altering, and partly because the tools we have available to meet resilience challenges are changing (and in many cases improving) all the time.”

BCM is being challenged to “pay its way” more than ever before, said Serrano. “Senior management and boards are, frankly, fed up with silo-based approaches to operational risk, and are demanding that BCM ‘up-periscopes’ better to work out how its approaches enmesh properly with the fundamental risk management processes within an organisation,” he said.

Business Impact Analyses (BIA) must not be allowed to wither and die on the vine as they remain core to the practice of BCM, but Serrano asserted that executives must not be confronted by multiple BIAs being performed in the same team/area/division as sometimes happens now, with BIAs according to BS25999 covering the same territory as application BIAs performed as part of ISMF rollouts.

“It’s a recipe for confusion and it needs to stop,” he said. “The Australian Standard AU/NZS 5050:2010, although maligned in some quarters, is at least a legitimate attempt to ‘decrypt’ the practice of BCM and meaningfully interlink it with the wider corporate management of risk.”

As a profession, he said BCM needs to focus on reinventing not only resilience solutions (such as Web 2.0 technology), but by educating itself around a streamlined set of global better practices that meet corporate governance and compliance demands while still positioning organisations as risk aware, agile and resilient.

Alex Serrano will be speaking at the Australasian Business Continuity Summit 2011, held from 8 to 10 June 2011 at the Sofitel Sydney Wentworth Hotel.


Advancing the business continuity profession

Business continuity professionals need to avoid the “middle-age” fatigue that can set in once a profession has carved out a niche for itself within a crowded risk solution landscape, according to Alex Serrano, senior manager, advisory, Ernst & Young.

“I suggest we keep the passion, and foremost in our thinking should be the fire in the belly that activated us to the possibilities and importance of BCM in those early, heady days of first encounter,” he said.

“At the same time we should continue on that never-ending quest for knowledge and professional clarity that will help us remain relevant within the overall context of proliferating corporate risks and ever-increasing push for risk management convergence. This process of self-education helps us continue to legitimately point out when the emperor is not wearing any clothes, and to notice if (or when) we aren’t wearing any ourselves.”

If business continuity professionals can get these two focus points roughly right, they will be able to be effective change makers – treading a fine line between the ‘evangelist’ and the ‘fanatic’. “My suggestion – we work out our lines, stay on message, and rely on the best principles that underpin BCM – using a framework of useful knowledge to convince corporate and community leaders to take resilience seriously and invest accordingly,” said Serrano.


Environmental Risk

Managing environmental compliance risks: the China syndrome

Dr Ulysses Chioatto asks why corporates are going green

Environmental compliance means corporate conformity to environmental laws, regulations and standards. The many concerns can be confusing to the average executive or company director navigating these compliance demands, including keeping track of a mountain of legal instruments and regulatory information, whether trading locally or globally.

Despite the media’s confabulation, everyone’s “going green”, including China, contrary to the perception, almost a syndrome, that China is not acting on environmental concerns. It’s not just about climate change and carbon emissions but also toxic waste and its disposal, and keeping our water clean.

Professor Tim Flannery, the head of Australia’s Climate Commission, told a recent forum that “the challenge for climate issues is communicating a complex set of concerns”. The imperative is to balance energy demands (electricity), waste and compliance regimes while preparing for, and responding to, extreme events caused partly by increasing energy demands and waste management practices.

Is this “greening” because of a sense of responsibility for environmental sustainability or a competitive and regulatory necessity to go “hulk”? Society’s mood is a growing concern about the environmental impact of products and services, and the threat of extreme events such as natural disasters. Is societal anxiety about the environment exercising the minds of corporate executives?

Boards and management must redo their risk assessments (RA), focusing on the multiple ways of making decisions when facing uncertainty and variability, as well as the decision rules used in selecting one option over another. They must apply advances in RA methodology to an environmental context and focus attention on risks that can arise in multiple synergistic hazards over extended periods and entire communities – think of the Queensland floods, Japan’s earthquakes and nuclear plant failure – not just from a single-source, acute exposure as traditionally assessed. The subtlety is how uncertainty and variability profiles interact as you advance through the steps of the RA; disaster recovery and business continuity management are critical!

Concerns for extreme events are important in how we view and manage risk. Rather than being led by the law of averages, we tend to expect and fear extremes such as climate change events and terrorist acts. The extent that a risk is a surprise is more likely to influence the design of the risk management strategy.

Companies need to assess risks with the understanding that risks generated under one regulatory jurisdiction have significant impact in another region or globally, and concern regulators and society at large. Extreme events capture our imaginations with fear and increasing apprehension.

The focus in risk management is on moving to address, assess, protect and design for extreme events. RA helps to understand and evaluate the implications. There are several methods for defining extreme events; one is to define them in terms of their low frequency, relative to a specific context or problem framing.

When Professor Flannery commented on risk communication, he was reflecting the research on communicating risks of extreme events. The challenge is in part due to overweighting small probabilities in decision-making. An example of this, i.e. being trapped by our “hard-wired” perceptions of risk, is communicating RA to boards in the face of surprise events such as freak storms or failing nuclear power plants. In a practical sense, a risk ladder works better than a pie chart in communicating absolute levels of risk reduction. Regardless of dry statistics about probability and consequences, risks are perceived differently; the risk of cancer, for example, is perceived as a high risk rather than a familiar and immediate risk like a car accident.

In Australia, National Greenhouse and Energy Reporting (NGER); the National Carbon Offset Standard (NCOS); and the Environment Protection and Biodiversity Conservation Act (EPBC) dominate compliance risks. The EPBC environmental legislation, around since 2000, has a strong framework and range of enforcement mechanisms for suspected or identified non-compliance including audit, civil/criminal penalties and enforceable undertakings. Another mechanism, the recently tabled Carbon Farming Initiative (CFI) legislation, supports a market mechanism for rural sector abatement activities; that is, carbon credits for compliance carbon markets.

EU and Chinese environmental regulations

EU regulations: Restriction of Hazardous Substances (RoHS) and Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) directives affect manufacturers globally. Since 2007, Korea, Australia, Canada, China and US states such as California have introduced similar RoHS legislation. There are 1324, and growing, environmental regulations affecting global manufacturers.

In 2004, the Sarbanes-Oxley Act (SOX) cost US firms more than $US5 billion and the European Union estimates compliance with REACH regulations to be more than £5.2 billion globally, so compliance is expensive. Not complying is costlier, however, due to the risk of exclusion from key markets, stopped shipments, product recalls and damage to brand reputation. Violating RoHS in one EU state generates problems in the other 26, with cumulative fines, product recalls, and gaol for offending executives.

In my opinion the limited media coverage of environmental compliance in China, or China syndrome, overlooks the intricate network of laws in China, such as those passed by the Tenth National People’s Congress, February 2005 and 2008. China has banned the manufacture, sale, and import of non-complying, energy-consuming products. It also requires an accountability system for energy conservation targets. Manufacturers that import or sell non-compliant products risk orders to cease production, confiscation of their products, fines of up to 500 per cent of illegal proceeds, and licence revocation. China incentivises manufacturers to utilise energy saving technologies through tax preferences, credit support and preferential loans.

Carbon pricing

Carbon pricing presents risk management issues. One certainty is that once a scheme is implemented, prepared businesses will better manage any risk from the scheme’s introduction. The Garnaut Climate Change Review of March 2011 provides some details of the scheme. The question is: does your business/industry have a cost point in your economic chain to impose carbon-related costs onto your customers? While we’re waiting on a scheme, energy efficiency opportunities and finding sustainability in the supply chain are a key focus.

Dr. Ulysses Chioatto is a lawyer and organisational consultant and the facilitator of the Responsible Officers and Managers Forum


Risk People

Risk Management speaks with Paul Muir, executive manager of risk and compliance at Suncorp, about the makings of successful risk management in the private sector


Hallmarks of successful ERM

What would you say are the essential elements of a risk aware culture?

A risk aware culture must be evidenced at both senior management level and within the day-to-day operations of the business.

Strategic decisions need to incorporate risk as part of the business planning discussion. Not only must the adverse impacts be considered; attention must also be focused on the opportunities within the boundaries of a properly considered and board-approved risk appetite statement (RAS). A business that has visibility of its RAS will be able to unlock intrinsic value as it pursues its corporate objectives. Viewed in this manner, risk will be seen as a value-add for the business ensuring that risk management is embraced.

At the operational level, business owners must appreciate that they are responsible for the management of risk within their business. Often a control environment is seen as an obstacle to achieving business targets. A risk-aware culture recognises that appropriate controls based upon risk impacts (as part of risk profiling) will assist in achieving such targets. Further, by implementing the RAS at an operational level, initiatives producing high returns with commensurate high risk can be explored within a control environment that provides business assurance.

How advanced would you say most Australian organisations are in their understanding of compliance and risk management?

Compliance and risk management are two distinct disciplines that deserve management attention in their own right. Traditionally, organisations have focused upon compliance due to the immediate adverse effects of non-compliance including penalties and fines and increased regulatory oversight. Further, compliance tends to impact the current state while risk management looks to the future.

Post-global financial crisis, risk management has been a focus at board level and is now becoming established throughout the business. Organisations are starting to appreciate the benefits of risk management and are investing in the appropriate skill-sets such as capital management, scenario analysis and stress testing to complement the existing legal and compliance capabilities.

It is important that appropriate resources are dedicated to both compliance and risk management functions. Both are necessary components of a risk-aware culture.

What steps can companies and their risk management leaders take to embed a risk-aware culture?

In the context of a risk-aware culture, everyone is a risk management leader. Risk should be considered as part of an organisation’s decision-making process. A governance framework ensures that a committee and reporting structure exists that facilitates an awareness of risk. Risk reporting and appropriate risk measures should be included in balance scorecards. It is important that leaders are seen as role models by operating in an ethical, values-based fashion.

There are also a number of simple steps that can be introduced to embed a risk-aware culture. Risk and compliance training should be seen as part of the career development of all employees, and not as a mandatory tick-a-box exercise. Finally, risk should be implemented as a value producing function and not as a compliance driven process.

What are the best ways risk professionals can convert sceptics/key stakeholders into advocates?

Traditionally compliance has been viewed as an impediment to achieving business objectives and risk has not been given adequate emphasis. Some of this criticism is deserved as unnecessary layers of bureaucracy are built into sign-off processes that delay new or enhanced products and services being delivered to customers. Engaging risk professionals at an early stage of business initiatives and business planning will ensure that strategic risk decisions are made as part of the process not as an addition to the process. In this way sceptics will see that risk is a value-add to the business. As the business experiences a positive relationship with risk professionals who bring value to the table the sceptics become risk advocates; this has certainly been our experience at Suncorp.

Paul Muir will be speaking at IQPC’s 5th Annual Enterprise Risk Management for Government 2011, held at Sydney’s Quay Grand Hotel from 14 to 16 June, 2011.


Risk Careers


Move out of risk to move up

Risk management professionals should spend a period of time in a line management role or ideally running a profit centre, according to a risk management recruitment specialist.

In order to get a broader business understanding that is more readily respected within senior business levels, actually moving out of risk for some time is a good career move, said Barry Maurer, director of Compliance and Risk Management Recruitment.

Chief risk officers have historically come from non-risk functions because they have broader business experience, he said.

“I would say 50 per cent of chief risk officers fit into this category,” said Maurer, who noted that this trend is changing.

Increasingly, he said chief risk officers are risk professionals who have spent time in the business and then move into a chief risk officer role.

“So you get the business knowledge together with the specific expertise – that’s probably where most chief risk officers are going to come from in the future,” he said.

Maurer also recommended that risk management professionals take opportunities to move between different risk disciplines, such as operational risk, credit risk or market risk.

While operational risk is in the early stages of maturing, he noted that both the credit and market risk areas are already mature and relatively stable.

“Operational risk is in the early stages of maturing, so there is still some growth and people are still moving around, but it’s not as dynamic as it was,” he said.

Maurer also recommended that risk management professionals work on improving their non-technical skills, such as communication and influencing skills.

Similarly, Clim Pacheco, general manager of education for the RMIA, recommended risk management practitioners broaden their professional base and also develop their presentation skills.

“To be able to convince people right at the top, you have to be able to present your case very objectively,” he said.

“This can be hard because risk is usually an emotive issue; one has to be more rational in this process, so you will definitely get more traction if you can present to boards and committees this way.”


Finding competent staff is top challenge

The number one challenge facing Australian businesses continues to be the search for competent staff, an industry survey has found.

The PricewaterhouseCoopers (PwC) Private Business Barometer found that for the second consecutive barometer, sourcing talent was the top issue facing employers, in light of predicted growth throughout the country.

However, PwC private clients partner Gregory Will noted that businesses seemed to be surprisingly lagging in their attempts to attract new talent.

“Despite indicators that competition for staff will grow, there was a decline in the number of businesses seeking to be more attractive employers of choice,” he said.

While two-thirds of organisations would be looking to hire new staff in the next six months, an average wage increase of six per cent was also anticipated by four out of five businesses.

The survey of more than 850 Australian businesses found that growth was top of employers’ to-do lists, and Will predicted that the private sector would transform short term caution into longer term optimism.

“Private businesses have turned the funding tap back on and are reinvesting in their businesses for future growth,” he said. With Queensland still recovering from the aftermath of two natural disasters, Will said that although businesses in the state would be trying to find their feet in the short term, growth would be top of the agenda before long.

“It’s not surprising that private businesses in Queensland have a modest outlook for growth, particularly in the retail sector where competition from new business and overseas is putting pressure on sales, product supply and growth,” he said.

“..They are just working to a slightly different timeline. For them the short term is about finding their feet again and recovery before focussing in the longer term on growth.”


Risky Business

A look at the month’s alternative risk stories

Osama bin…under surveillance for a long time

As conspiracy theories mount and news anchors try to grapple with the difference between Osama and Obama, Risky Business felt that it was only right to take a look at this month’s biggest story.

With the Pakistani government left a little red-faced after the whole affair, it seems that they were dealt another blow this week, after it emerged that bin Laden, the man we love to hate, has actually been under CIA surveillance since August 2010.

Using drones and technology to observe the compound which was literally minutes away from a Pakistani military training base, the CIA are reported to have camped out in a safe-house in Abbottabad for around 8-9 months without the Pakistani government even blinking an eyelid.

Armed with cameras on the walls and electrified barbed wire, bin Laden was clearly concerned about security, and reports suggest that when local children kicked a football over the fence, they were given money and told to go away.

John Pike, director of GlobalSecurity.org, said that the mixture of old fashioned police work and the technology which included unmanned surveillance planes meant that the CIA could isolate and move in on bin Laden.

“When not listening, the U.S watches,” said Pike doing his best Big Brother impression in an interview with InnovationNewsDaily.

He then mentioned the drones used to monitor bin Laden: “Drone aircraft fill the sky by the hundreds, allowing American intelligence officers to follow targets of interest on a camera feed every minute of every day.” OK…now we’re worried….

“It’s a stakeout, isn’t it? In the good old days, you’d park across the street and order in pizza. Well, the drone doesn’t need pizza,” he quipped.

So, it seems that the Americans like fast food and spying on people. Any surprises?

Dealing with the GFC: Some ‘handy’ hints

Alan Greenspan…..also known as the man who was at the bottom of the GFC, this month shares some of his wisdom in how to fix the GFC.

When he’s not busy toppling global financial systems, it seems that old Al likes to give out advice on how to deal with the problems that he once created.

And what nuggets of advice they are, readers! Listen up…. In a statement, the 85-year-old former chairman of the US Federal Reserve told people to….wait for it…. “relax and do nothing”. Sorry Al…you want us to do what?

That’s right, in the shocking statement, our man Alan urged people to relax, because “the global invisible hand” of the free market would create a stable economy in the long run.

Adding to that, he told the UK’s Financial Times that the world’s current financial systems were unmanageable and complex, factors which unfortunately, were “necessary conditions of growth”.

Well that’s that then. If that’s the case Al, Risky Business may as well call it a day…beer anyone?

