
Risk & Compliance
RC

APR-JUN 2016

www.riskandcompliancemagazine.com

Inside this issue:

FEATURE
The Bribery Act strikes back

EXPERT FORUM
Mitigating and managing fraud risk in the energy & natural resources sector

HOT TOPIC
Data privacy challenges for the Asia-Pacific region

CONTENTS

006 FOREWORD

008 FEATURE
The Bribery Act strikes back

013 FEATURE
The spectre of business interruption

019 EXPERT FORUM
Mitigating and managing fraud risk in the energy & natural resources sector
Clement Advisory Group; Koury Lopes Advogados; Ropes & Gray

029 PERSPECTIVES
Creating a culture of compliance: regulating behaviour to manage fraud and corruption risks
Gadens

034 PERSPECTIVES
Fraud enforcement in Canada is stepping up
Bennett Jones LLP

039 PERSPECTIVES
Battling the dark arts: tracing the historical roots of stock market manipulation in Australia
University of Queensland

043 PERSPECTIVES
The implications of last year's updates to the FRC's corporate governance code with regard to board-level responsibilities for risk management
CoreStream

047 PERSPECTIVES
Making sense of the increasingly complex compliance process
The Risk Advisory Group

050 PERSPECTIVES
Beyond compliance: properly leveraging ERM for additional value
RSM US LLP

054 PERSPECTIVES
Behavioural risk management's focus on the role of conflicting personalities
Santa Clara University

059 PERSPECTIVES
Be a sporting hero: sort out your governance
ICSA: The Governance Institute

064 PERSPECTIVES
New Iran business opportunities following EU and US sanctions relaxation
Steptoe & Johnson LLP

068 PERSPECTIVES
The death of disclosure-only settlements: trying to fight perverse incentives
McDermott Will & Emery LLP

072 PERSPECTIVES
Principles for boards in overseeing cyber risk management
Internet Security Alliance (ISA)

075 PERSPECTIVES
What is your million dollar blind spot score?
FiscalDoctor

078 ONE-ON-ONE INTERVIEW
Identifying and managing risks within financial institutions
Zurich Global Corporate; KBC Group

082 PERSPECTIVES
Modern slavery reporting requirement: don't treat this as box-ticking exercise
The Chartered Institute of Procurement & Supply (CIPS)

086 PERSPECTIVES
Good information security, data protection and CIA
Advent IM Ltd

090 PERSPECTIVES
MIFID II implementation is delayed again but there's no room for complacency
Allegro Development

096 PERSPECTIVES
Data transfers, Safe Harbour and the EU/US Privacy Shield
Wedlake Bell

100 PERSPECTIVES
Why your data holds the secret to industry-leading compliance
Pitney Bowes

104 HOT TOPIC
Data privacy challenges for the Asia-Pacific region
Akin Gump Strauss Hauer & Feld LLP; MasterCard; Microsoft Asia; Simmons & Simmons

108 PERSPECTIVES
The Foreign Supplier Verification Program: significant new requirements for importers of food into the US
Keller and Heckman LLP

121 EDITORIAL PARTNERS

Editor: Mark Williams
Associate Editor: Fraser Tennant
Staff Writer: Richard Summerfield
Publisher: Peter Livingstone
Publisher: James Spavin
Production: Mark Truman
Design: Karen Watkins

Risk & Compliance
Published by Financier Worldwide Ltd
23rd Floor, Alpha Tower
Suffolk Street, Queensway
Birmingham B1 1TT
United Kingdom
+44 (0)845 345 0456
riskandcompliance@financierworldwide.com
www.riskandcompliancemagazine.com
ISSN: 2056-8975

© 2016 FINANCIER WORLDWIDE LTD
All rights reserved. No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers. Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or omissions, nor for any claims made as a result of such errors or omissions. Views expressed by contributors are not necessarily those of the publishers. Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice. Opinions expressed herein do not necessarily represent the views of the authors' firms or clients.

Financier Worldwide reserves full rights of international use of all published materials and all material is protected by copyright. Financier Worldwide retains the right to reprint any or all editorial material for promotional or nonprofit use, with credit given.

FOREWORD

Welcome to the fourteenth issue of Risk & Compliance, an e-magazine dedicated to the latest developments in corporate risk management and regulatory compliance. Published quarterly by Financier Worldwide, Risk & Compliance draws on the experience and expertise of leading experts in the field to deliver insight on the myriad risks facing global companies, the insurance solutions available to mitigate them, and the in-house processes and controls companies must adopt to manage them.

In this issue we present features on the UK Bribery Act and on business interruption. We also look at fraud risk in the energy & natural resources sector; creating a culture of compliance; fraud enforcement in Canada; stock market manipulation; board-level responsibilities for risk management; the increasingly complex compliance process; going beyond compliance; behavioural risk management; managing risk within financial institutions; MIFID II implementation; modern slavery reporting; foreign supplier verification; new Iran business opportunities; disclosure-only settlements; overseeing cyber risk management; information security and data protection; data transfers; industry-leading compliance; data privacy challenges for the Asia-Pacific region; and more.

Thanks go to our esteemed editorial partners for their valued contribution: Zurich Insurance Group; the Chartered Institute of Procurement & Supply (CIPS); ICSA: The Governance Institute; the Internet Security Alliance (ISA); and the University of Queensland.

Editor

FEATURE

THE BRIBERY ACT STRIKES BACK
BY FRASER TENNANT

The Bribery Act 2010 was intended to be a big answer to a big question: how can extant anti-bribery compliance programmes best be improved so that they can further mitigate the risk of bribery in the UK (and abroad) and maintain the integrity of British business?

The answer to the conundrum, as far as the Act was concerned, was to align the UK with the convention drawn up by the member states of the Organisation for Economic Cooperation and Development (OECD) for dealing with corruption of foreign public officials.

The Act contains four main offences: (i) offering, promising or giving a bribe (Section 1); (ii) requesting, agreeing to receive or accepting a bribe (Section 2); (iii) bribing a foreign public official (Section 6); and (iv) failing to prevent bribery (Section 7), which applies to relevant commercial organisations only.

The Act also updated and clarified the law on personal criminal liability for paying or receiving bribes, as well as introducing a strict liability offence, meaning that a commercial organisation is automatically held liable for bribes paid by any of its employees, agents or associated persons to secure business. The only defence available, so says the Act, is if an organisation can demonstrate that it had adequate procedures in place to prevent bribery.

Back in 2010/2011, it was very much a matter of "so far so good", with lawmakers confident that the Act provided the legislative chops to deal with any instances of bribery (applying as it does to all UK and foreign corporations that have a presence or an operation in the UK as well as to any citizen or resident of the UK), as and when they may arise.

However, even though the Act was, and is, considered to be much more stringent than other anti-bribery legislation such as the Foreign Corrupt Practices Act (FCPA) in the US, for a period of perhaps four years or so, nothing much happened. And then, in the latter part of 2015, three cases of corporate wrongdoing came to the fore, namely Brand-Rex Ltd in September 2015, Standard Bank in November 2015 and Sweett Group plc in December 2015. All three cases resulted in the imposition of substantial financial sanctions by the Serious Fraud Office (SFO).

As well as the outcome of these cases having served to thrust the Act back into the spotlight, they have also re-emphasised, practically rather than theoretically, the importance of the legislation to the UK anti-bribery landscape.

Yet to fully appreciate the overriding significance of the Brand-Rex, Standard Bank and Sweett Group settlements, it is necessary to examine how the anti-bribery legislation that made them possible was initially received by the corporate world and why its use as a prosecution tool has been essentially non-existent until recently.

The Act: reception and interpretation

Although the Act was widely discussed before and after its enactment, the interpretation and implementation of its finer points by the business community has proved to be a mixed bag, which may be why its application has been somewhat sparse in the years since 2010.

"Many businesses met the Act with a mixture of fear, apprehension, myths and irritation," recalls Claus K. Andersen, a partner at Royds. "Much of this was due to the perception that it was to be another layer of red tape and bureaucracy. The concern was also that British businesses would be at a competitive disadvantage, as they often compete in jurisdictions where bribery is an accepted way to do business."

Further interpretation difficulties surrounded the wording of the Act, specifically the perceived ambiguity of phrases such as "carry on a business in the United Kingdom" and what was meant by reference to "commercial organisations". However, that the Act represented a major step forward in the bolstering of UK anti-bribery legislation has never really been in question.

"Arguably it is the toughest global anti-bribery legislation in place," says Nigel Rowley, managing partner and head of litigation at Mackrell Turner Garrett. "Most controversial of all is Section 7 which criminalises the failure of a corporate body to prevent bribery and corruption. The government has issued guidance to help commercial organisations put into place anti-corruption procedures but of course, the test of adequacy depends very much on the particular characteristics of each organisation. For example, the SFO suggests that corporate hospitality has to be reasonable and proportionate. All very well in theory, but in reality, many commercial bodies have had to turn to experts to ensure that their anti-bribery policies are adequate."

The Act: difficulties in application

In some quarters, the Act has been criticised, as has its counterpart the FCPA, for being too broad in its scope, prompting the question as to whether juries have found the Act difficult to apply when passing a verdict on individuals or businesses being prosecuted for bribery.

"So far no," says Maya Paunrana, a criminal litigator at Mackrell Turner Garrett. "To date, only individuals have been tried for Bribery Act 2010 offences, and if the matter has progressed to a trial, the prosecution has already done the leg-work. The jury is then directed accordingly. The challenges may well arise when a jury is instated for the trial of a corporate body, which is something we are yet to see. The concept of the 'controlling mind' test to establish corporate liability may well prove challenging for a jury to apply."

Ms Paunrana likens the difficulties in applying the Act to the initial challenges that were faced when the offence of corporate manslaughter was first introduced: a law full of such complexities that it took several years for the Crown Prosecution Service (CPS) to iron them out before it could be presented to a jury in a digestible format.

"The Bribery Act is broader than the FCPA, but I do not think that this has been an issue," suggests Mr Andersen. "When presented with relevant cases, the Act has been interpreted and applied against the relevant set of circumstances. Some have suggested that the lack of court cases means that the authorities do not feel comfortable with the Act. I think that the number of cases is down to bribery cases being notoriously difficult to investigate and the authorities wishing to get it right before charging."

The Act: lessons learned from Brand-Rex, Standard Bank and Sweett Group

What could be considered as the coming-of-age of the Act were the outcomes of the Brand-Rex, Standard Bank and Sweett Group prosecutions in the closing months of last year. Each case showcased the strength of the legislation, particularly the use of a Deferred Prosecution Agreement (DPA) in respect of Standard Bank.

"The Standard Bank case represents the first use of a DPA, which allows a prosecution to be suspended provided the organisation meets certain conditions, such as penalty payments, compensation or ongoing cooperation," explains David Stevens, integrity and law manager at the Institute of Chartered Accountants in England and Wales (ICAEW). "As a result, costly trials can be avoided and DPAs are viewed to be a useful tool in the fight against economic crime. It may be that the Act will be more effective now that complementary measures such as DPAs are in place."

For Mr Andersen, there are three key lessons to be learned from Brand-Rex, Standard Bank and Sweett Group. "Firstly, the Act is a significant piece of legislation which involves substantial fines and should be taken seriously and not ignored. Secondly, in none of the three cases were the companies able to prove that they had adopted adequate procedures, which highlights how important it is that such procedures are implemented. Thirdly, it is of some consequence that all the issues came to light via self reporting, which shows that a good audit can catch many incidents."

"The outcomes of these three cases remind commercial bodies that it is not sufficient to simply have in place an anti-bribery and corruption policy," points out Mr Rowley. "What is vital is that the policy is reviewed rigorously and enforced as part of day-to-day business activity. If during a review a corporate entity becomes aware of irregular activity, it is extremely important that it promptly reports the matter to the SFO. The DPA in the Standard Bank case will hopefully set a precedent for the way in which the SFO will deal with Section 7 offences that are reported promptly and on an open and cooperative basis."

The Act: trends and developments

Despite the apparent validation of the Act provided by the Brand-Rex, Standard Bank and Sweett Group cases, rumours abound as to government plans to make changes, especially given the ongoing concerns over whether the Act is still too restrictive in some areas.

"Since the Act came into force there has been talk of using it as a template for a broader corporate offence of failure to prevent economic crime," affirms Mr Stevens. "Given how dysfunctional the common law is on corporate criminal liability, more general reform would be useful. However, there have recently been rumours of a possible relaxation, which would not be a particularly desirable move at this point. Having enacted this world-leading piece of legislation (the Act), it would be a shame, a mere five years on, to see what could be the beginning of a regression to former practices."

Someone who does expect to see the Act undergo a facelift is Ms Paunrana, who believes that due to the Act's recently, greatly increased profile, it is likely that the government will revisit proposals to amend various sections of it. "One of the major criticisms is that the Act creates a blanket ban over facilitation payments to foreign officials," she notes. "It fails to take into account cultural differences where such payments are seen as customary and not a form of bribery. In the US, facilitation payments are allowed at very low levels by the FCPA. Whilst this could be something for the UK to consider in due course, it is premature to suggest that a change is immediately necessary for the Act."

The Act: conclusion

If the judicial outcomes of the Brand-Rex, Standard Bank and Sweett Group cases are anything to go by, the Bribery Act 2010, after a period of what could perhaps be described as inexplicable dormancy, has finally come into its own as a powerful legislative tool.

Stringent when compared to anti-bribery legislation in other jurisdictions, not least because transgressions can carry unlimited fines, the Act is now well on the way to becoming established as a credible means of tackling corporate bribery and achieving its self-proclaimed ultimate purpose: safeguarding the integrity of British business. RC

FEATURE

THE SPECTRE OF BUSINESS INTERRUPTION
BY RICHARD SUMMERFIELD

Operating in the modern business landscape can be a dangerous and daunting task; companies face a litany of threats to their potential growth and profitability. From SMEs to huge multinational corporations, the spectre of business interruption looms large on the horizon.

Business interruption, including supply chain disruption, is one of the biggest challenges facing companies today. For the fourth year running, it tops the list of global business risks, according to the recent Allianz Global Corporate & Specialty Risk Barometer. Allianz surveyed 800 risk managers and insurance experts across 44 different countries, and found that many companies are in the midst of a change in their risk perception. 2016 is seeing a substantial shift in the risk landscape for many businesses.

Thirty-eight percent of those surveyed felt business interruption was one of the three most important risks companies face in today's market. Given the nature of the 21st century economy, and the increasingly interconnected corporate environment, many other risks highlighted in the report will also have major repercussions for companies, as well as business interruption implications. Cyber security and geopolitical risks are just two examples.

Surprisingly, however, many of those surveyed are becoming less concerned by the potential impact of other, more traditional industrial risks. In previous years, natural disasters have featured prominently. The physical damage caused by weather events and earthquakes can cause serious business interruption and revenue loss. Yet natural catastrophes fell two positions to fourth in 2016. This reflects the declining number of insurance claims for this category, which fell to $27bn in total value during 2015. Fire and explosion worries also declined, according to the report, and are now the eighth biggest concern for companies, compared to the third biggest in the previous year's survey.

For many companies, non-traditional risks are attracting the most attention. Business models are under pressure, and companies are concerned about the operational risks they face from non-traditional sources. According to the report, companies expect the majority of business interruption losses to be caused by cyber attacks, technical failures and geopolitical volatility. For many risk experts, these new forms of non-physical damage will be long-term causes of business disruption, affecting supply chains, IT networks and everything in between.

A further operational risk is the increasing level of competition in the market. Companies diversifying their operations into other business areas and the rise of agile and dynamic start-ups can create headaches for established businesses. Respondents to Allianz's survey listed intensifying competition as the second biggest threat they face in the global economy. Thirty-four percent of survey respondents highlighted competition as a major risk, ranking it second highest.

Technology risk

The risk landscape is evolving, with cyber crime, cyber terrorism and geopolitical risks increasing considerably in recent years to pose the biggest threats to companies and the future of their operations. According to the report, cyber incidents will be the most important long-term risk companies will face in the next 10 years. As they integrate more technology into their day-to-day operations, the next wave of business interruptions is more likely to be technology based.

Companies are only just beginning to grasp the significance of the current influx of tech. Big Data, cloud computing, smart devices and the like are proliferating through the business world, spanning a wide gamut of company sizes, from the smallest "mom & pop" business, which might be utilising NFC technology at their till, to the largest multinational corporations reliant on Big Data analysis to drive product development and distribution.

Yet for all the benefits companies may derive from technology, the threat levels are climbing exponentially. Data centres, for example, have become an integral part of business operations. Companies rely on data centres, whether leased or owned, to carry out a multitude of functions. Much of the stored data is business critical and extremely sensitive. Processes such as payroll, customer reporting and order management often rely on regional data centres; any loss of business critical processes such as these would be catastrophic. Accordingly, data centres present firms with business interruption challenges which must be mitigated. Of course, natural catastrophes, break-ins, fires and so on are still a risk, but the biggest potential threat to data centres is cyber attack.

Many aspects of a company's operations could be compromised by a cyber attack. In December 2014, hackers struck an unnamed steel mill in Germany, causing significant physical damage to the mill. This was achieved by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down. Typically, though, cyber attacks focus on non-physical damage, theft or disruption to digital networks.

Malicious individuals, hacking groups and state sponsored organisations have a multitude of weapons available to them. Malicious code can render websites inoperable. Worms and viruses can infiltrate companies' systems and delete or take hostage business critical data. Distributed denial of service (DDoS) attacks can overload websites, leaving them unavailable to customers and employees.

Attacks of this nature can be crippling, so businesses must take every precaution to protect themselves or hasten recovery. Failure to do so can increase the cost of working and also result in loss of revenue. Experts are urging companies to draw up comprehensive risk management plans to address the character of their IT systems and their functions. What sort of data is stored where? How critical is that data to the operations of the company? Who has access to it and why? What safeguards are in place to protect it?

Internal security systems need to be robust and kept up to date. Cyber security policies must be created and regularly revised to reflect changes in technology. Employees should be fully versed in the intricacies of the company's cyber setup and how it affects them. Regular training and education sessions should be held to keep staff vigilant against attack, be it internal or external.

The nature of the global economy means that companies no longer operate in isolation. Increasingly, they rely on a deeply interconnected network of organisations in various locations, some of which may be volatile. In 2016 and beyond, supply chain vulnerabilities will be one of the major factors influencing business interruption, whether as a result of cyber attack or a more traditional form of disruption. Supply chains exist in a VUCA world: a business environment which is volatile, uncertain, complex, and ambiguous. Accordingly, fluctuations such as the recent volatility in the global oil market can have a damaging impact on companies along the entire supply chain.

Globalisation has exposed companies to VUCA environments where previously they were isolated. Cheaper labour, industry consolidation and increased competition have encouraged companies to move more of their operations overseas. Supply chains have become more complicated and diverse.

The vulnerabilities linked to globalisation mean companies must implement better supply chain risk management systems and though the development and implementation of such systems. The cost of designing these systems surely outweighs the potential downside if key parts of the supply chain are compromised.

In some cases it may benefit companies to shorten their supply chain. Consolidating elements in a number of locations may fly against the idea of globalisation and the efficiencies of diversification, but there may be advantages to reducing shipping distances and cutting freight transport costs, for example.

If one link in the supply chain is broken, then results may be catastrophic. Companies must not only consider the financial implications but also the reputational damage caused by a service outage. With the internet and social media merely a few taps of a screen away, consumers are more accustomed to venting their frustrations to a broad online audience. The financial damage caused by business interruption can be readily quantified, but the reputational damage, which may be harder to value, can often be far more destructive in the long run. RC


EXPERT FORUM

E XPERT FORUM

MITIGATING AND
MANAGING FRAUD RISK
IN THE ENERGY &
NATURAL RESOURCES
SECTOR

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Apr-Jun 2016 19

MITIGATING AND MANAGING FRAUD RISK IN THE ENERGY &...

EXPERT FORUM

PANEL EXPERTS
Garry W.G. Clement

An internationally known speaker, author and trainer, Garry W.G.


Clement has worked in the nancial crime arena for more than three
decades. He served as the national director for the Royal Canadian
Clement Advisory Group
Mounted Polices Proceeds of Crime Program, in addition to working
as an investigator and undercover operator. He is certied in the
T: +1 (905) 355 1066
E: gclement@clementadvisorygroup.ca Certied Fraud Examiners and Association of Certied Anti-Money
Laundering Specialists, in addition to his certication as a nancial
crime specialist (ACFCS). Since 2007, Mr Clement has worked as a
consultant with a focus on nancial crime and independent money
laundering reviews for the money service business industry, credit
unions and securities rms.
President & CEO

Paulo Prado
Partner
Koury Lopes Advogados
T: +55 11 3799 8187
E: pprado@klalaw.com.br

Alexandre Rene
Partner
Ropes & Gray
T: +1 (202) 508 4812
E: alexandre.rene@ropesgray.com

20 RISK & COMPLIANCE Apr-Jun 2016

Paulo Prado works primarily in the practice areas of administrative


law, especially with public procurement, governmental contracts and
regulatory law, with emphasis on the infrastructure, healthcare and
pharmaceutical sectors. His responsibilities in KLAs Anti-Corruption &
Compliance group are focused on risk analysis of bidding processes
with public bodies and agencies, developing risk mitigation strategies
for clients dealing with the public administration, and mapping the
legal interaction scope between the private and public sectors. Mr
Prado has been recently ranked as a reference in the Legal 500 2014
and the Latin Lawyer 250, as well as in other publications during the
previous years.

Alexandre Rene has extensive experience representing corporate


entities and their executives in connection with litigation and
investigations arising out of white-collar criminal prosecutions, grand
jury investigations, criminal antitrust investigations and corporate
compliance matters. A seasoned litigator who has successfully
handled numerous cases in federal and state courts, Mr Rene has
represented clients in civil matters such as breach of contract, tortious
interference, business conspiracy, fraud, criminal conversion, and
forum non conveniens. He has also spent two years on secondment in
London advising primarily on anti-bribery issues.

www.riskandcompliancemagazine.com

EXPERT FORUM
MITIGATING AND MANAGING FRAUD RISK IN THE ENERGY & NATURAL RESOURCES SECTOR

RC: In your opinion, what is the extent of fraud risk currently facing organisations operating in the energy & natural resources sector?

Clement: Whenever we are confronted with an economic downturn, companies are forced to look for savings and adjust their strategic plans from aggressive growth to survival. This results in cutbacks at all levels of the organisation, inclusive of personnel within audit departments, thereby requiring everyone to undertake more with less. The recent drop in oil & gas prices has had a direct impact on output and with the current market we are confronted with a situation of oversupply. All of this results in less information being available with which to ensure appropriate governance within the organisation. On top of this, most organisations still remain vulnerable to cyber crime and its associated fraud scheme risks.

Prado: In Brazil, we need to bear in mind that energy & natural resources encompasses different sectors with very different levels of risk and legal frameworks. For instance, the water resources sector, which includes both water collection and wastewater disposal, seems to have a low level of risk, probably because it is not seen as a profitable area. However, the mining sector may face higher levels of risk, since the applicable legal framework is outdated, and lacks clear and transparent dispositions regarding the granting of mining rights. Furthermore, recent developments have exposed the involvement of Petrobras, the Brazilian oil & gas state owned company, in several cases of fraud, basically related to the downstream shipping industry and refining companies, but also regarding upstream oil & gas exploitation. Power generation, transmission and distribution is another sector that may be considered low risk, probably because most companies in the sector were privatised during the 1990s and also because the sector benefits from a modern, transparent, more efficient and independent regulatory regime, regardless of the fact that there are some specific cases under investigation.

Rene: The fraud risk in the energy & natural resources sector is always high and is likely to remain so. The high degree of risk arises in large part based on where the natural resources are located, which, in many instances, tend to be areas of the world where corruption risk is higher than average.

RC: Has fraud been more of an issue due to the volatility of the energy & natural resources sector in recent months? Are there any particular types of fraud that are more likely to occur in these circumstances?

Rene: We are seeing an increase in the attention regulators are paying to fraud in the energy & natural resources sector. That heightened scrutiny may be at least partially attributable to the sector's recent volatility. For example, the drop in oil prices weakened the Venezuelan economy, which in turn led to attention on state-owned oil company Petróleos de Venezuela (PdVSA), which in turn led to the promulgation of a number of related corruption investigations both in Venezuela and around the world, including by the US Department of Justice. It is likely that various regulators have focused on Brazilian state-owned oil company Petrobras for similar reasons: when a country's economic success is tied to a commodity like oil, companies that deal in that commodity can become easier or more politically popular targets. Regardless of the cause of the increased scrutiny, organisations do need to maintain a higher level of vigilance than normal in the current down market. Because many energy producers and related firms are restructuring or otherwise struggling, companies should be on the lookout for bad actors that may perceive a heightened sense of opportunity and a reason to engage in fraudulent behaviour.

Prado: We do not see volatility in the energy and natural resources sector as a driving force behind rising fraud cases in Brazil. Actually, if we take the oil & gas industry, both upstream and downstream, as an example, the decrease in global oil prices has led to lower or decelerating public investments in the space, reducing public contracts and in turn one of the most common cases of fraud: improper payments to obtain contracts with state owned companies. Assuming that volatility has the effect of reducing public investments, and also considering the current budget restraints faced by Brazilian authorities, including their state owned companies, it would not be a surprise if government officials start asking for bribes to release late payments.

Clement: In the current environment where cutbacks are the norm, the potential for fraud has increased, from the inability to conduct enhanced background checks on vendors to overlooking basic background on employees. Many organisations still overlook the threat from the enemy within, and whenever a downturn exists, employees should be considered a greater risk since loyalty to the company and the threat of unemployment will have certain individuals looking for loopholes to secure their future, inclusive of capitalising on intellectual property. Corporately, where bonuses are based on performance, there is a strong risk of individuals misrepresenting inventory valuations in order to offset commodity prices. Compliance and regulatory issues also become less of a priority, thereby exposing the company to potential litigation and regulatory violations. During economic uncertainty it is essential to accept that loyalty within an organisation diminishes at all levels and therefore where opportunities exist and oversight is not apparent, the risks rise commensurately for fraudulent activity.

RC: To what extent do weaknesses along the supply chain contribute to instances of fraud? How should organisations look to tighten up their relationships with third parties?

Clement: During a downturn, far too many companies, during their cutback processes, fail to accept that the need for appropriate screening, oversight and internal audits becomes more pressing. Unfortunately, these areas usually receive the same rate of cutback as any other company department. Since this can result in less screening of third parties and less oversight when they are on the company's premises, the company is exposed to targeted vendor threats which can include cyber crime. Malicious actors can utilise their vendor access as a backdoor to the rest of the organisation. The cyber incident at Target, for example, is a primary example of what can occur when third parties are not properly screened and controlled. The lack of audit and oversight also impacts the quality of the supply chain channels and therefore opportunities emerge for substandard products to be supplied.

"Many organisations still overlook the threat from the enemy within, and whenever a downturn exists, employees should be considered a greater risk." Garry W.G. Clement, Clement Advisory Group

Prado: If suppliers are retained without being subject to a vetting process, and without a contract with a clear purpose and sections against fraud, the entire supply chain can be affected. Thus, organisations should have clear policies and procedures for retaining third parties, vetting third parties, conflicts of interest, and relationships with government officials, among others. Furthermore, organisations should have an effective compliance programme to help them avoid conflicts of interest and internal fraud. Organisations should also train their employees regarding anti-corruption policies implemented. In addition, organisations must execute contracts with third parties who act on their behalf before public bodies. The contract should have a section on anti-corruption and the third party should be trained and then constantly monitored afterwards. During the training sessions and when drafting policies, we recommend special attention is paid to bid rigging and other procedures related to public procurement, which are a big issue in Brazil.

Rene: In our experience, most violations of bribery and corruption laws are attributable to third parties, for example, as suppliers, distributors or representatives. Companies' supply chains often incorporate such third parties, so organisations always need to make scrutiny of the supply chain a top priority for compliance. It's important to know what steps your business partners are taking to prevent corruption. Companies that hire third party contractors must conduct due diligence on all partners, all the way down the supply chain and reaching in-country representatives and partners. In addition, organisations should take care to implement their policies and procedures, including anti-corruption and anti-bribery policies, with supply-chain partners. To minimise risk, we recommend that companies build specific representations, warranties and audit rights into their agreements with third parties.

RC: If suspicions of fraud do surface, what initial steps should companies take in terms of conducting an investigation?

Rene: The first response when a company suspects fraud should always be to isolate the potential misconduct. By ringing off any suspicious activity, a company can contain potential damage and gain a more confident understanding of the scope of a problem. Once any suspected fraud is isolated, the organisation's next step should be to determine how to investigate. Companies should consider the pros and cons of handling a matter internally versus retaining outside counsel to conduct an independent investigation under attorney-client privilege.

Prado: Before conducting an internal investigation, organisations should have a policy and a procedure regarding investigations. Employees must be aware of the internal rules and what happens if they violate them. If the company has not implemented this policy at such time as suspicions of fraud arise, it is advisable that they enlist the services of an external consultant prior to commencing the internal investigation.


Additionally, only those employees who must know about the internal investigations should be aware of the procedure.

Clement: Before it is able to detect fraud, an organisation needs to undertake a fraud threat risk in order to understand where its current vulnerabilities exist. Additionally, it needs to employ available software solutions that can help in the detection of fraud, either from within or through vendors. When there is a suspicion of fraud, the first requirement is to accept that there is an incident that appears to be out of the norm and report it to appropriate levels within the organisation. Senior management then needs to ensure it either has individuals within the organisation with the skills required to undertake an investigation and protect the evidence, including that which is available in computer networks or on individual systems. If there is not the necessary expertise within an organisation then it should be provided by a previously identified outside service provider. If the company has done an appropriate threat risk assessment, tied to an action plan and a fraud occurs, protocols will already be in place and the investigation will become a seamless part of its oversight programmes.

"The first response when a company suspects fraud should always be to isolate the potential misconduct." Alexandre Rene, Ropes & Gray

RC: In your opinion, how effective are whistleblowing hotlines in mitigating and managing the risk of fraud? What further action could be taken by organisations to boost their internal controls and processes?

Clement: The value of sources, whether overt or covert, cannot be overemphasised. Law enforcement learned the value of whistleblowing hotlines more than two decades ago. The Crimestoppers programme is essentially a whistleblowing programme designed to protect the identity of the source and afford an opportunity to provide information on various aspects of criminal activity. Organisations need to be mature and courageous enough to implement whistleblower programmes. There is clear evidence that these programmes serve to uncover impropriety within an organisation and therefore the organisation's culture has to be such that the information that is forthcoming will be welcomed and objectively investigated. Closed organisations that rely solely on their internal hierarchy to report wrongdoing will fail to uncover most of what occurs due to the fear of retaliation and, should the information relate to a superior, it will go unreported.

Rene: Whistleblowing hotlines are now an essential component of any compliance programme. Companies need to have an avenue for anonymous submission of suspected misdeeds, in a way in which the reports are sure to receive attention, and the hotline needs to be advertised broadly enough among company employees to make it a meaningful compliance tool. Organisations that do not implement hotlines are not keeping up with best practices. The implementation of a hotline must also be accompanied by a robust triage process for complaints. Reports made on the hotline should be vetted thoroughly because of the potential for abuse of the hotline with, for example, reports that are actually based on personal disputes. Organisations need to evaluate their internal controls and processes constantly. In the current environment, both the nature of compliance risks and the best practices to mediate them are constantly evolving. Cyber security is one example of a new area of focus where regulators have shown interest.

Prado: Whistleblowing hotlines are a very effective way of mitigating and managing the risk of fraud, when organisations have clear policies and procedures. Employees should be encouraged to contact the hotline when they notice that actions are taken in response to their complaints. Furthermore, employees should also be encouraged to contact the hotline in order to make anonymous complaints. When it comes to boosting internal controls and processes, it is highly recommended that organisations retain third party specialists to understand how the business works, the exposure to violations that the organisation faces, and so on. After a risk assessment has been completed, they should find potential gaps and suggest a plan of action to boost internal controls and processes.

"Employees should be encouraged to contact the hotline when they notice that actions are taken in response to their complaints." Paulo Prado, Koury Lopes Advogados

RC: Have there been any recent legal and regulatory developments which have had a significant impact on the fraud risk landscape? What advice would you give organisations in terms of dealing with regulators when fraud is alleged?

Prado: Since 2013, Brazil has had an anti-corruption law with severe administrative and civil penalties for companies that have been found to be involved in corrupt practices or fraud during public bidding processes. The anti-corruption law, which is known as the Clean Company Act, also provides for strict liability of companies involved in potential corrupt practices, and this legislation led many companies to invest in their compliance programmes, in an effort to avoid violations and monetary fines which may vary from 0.1 to 20 percent of their gross revenues from the year preceding the violation. Another great paradigm shift in Brazilian law and the prosecution of fraud was the recent use of the plea bargaining agreement by public prosecutors and the judiciary. In addition to that, under the Brazilian Clean Company Act, organisations that have committed illicit acts can enter into a leniency agreement. That said, no leniency agreements have been executed so far under the Brazilian Clean Company Act. Lastly, after the first cases of fraud became public, some bills that had been suspended at Congress were renewed again such as the State Owned Statute and Mining Code, which provides for more transparency and control rules and should be discussed, and approved or rejected, in the near future. Any analysis would have to be done on a case by case basis, bearing in mind which authorities would be required to enforce the law and which laws would be applied in each instance.

Rene: The Department of Justice's Yates Memo, the most significant development in the US regulatory landscape, issued last fall, purports to refocus investigative priorities on prosecutions of individuals rather than just companies. While practitioners are still debating whether the Yates Memo will cause a meaningful difference for enforcement on the ground, companies should be aware of how the Department of Justice is positioning its public stance. Organisations should have a frank discussion with counsel regarding the pros and cons of different approaches to dealing with regulators when allegations of fraud surface. Depending on the circumstances, a wide range of possibilities from deciding not to disclose the allegation to opening the windows completely could be appropriate.

Clement: The focus today on climate change is likely the greatest challenge facing the modern energy sector. The rush to implement carbon taxes in the current downturn has the potential to cripple the shale oil market. Pressure relative to environmental assessment for pipelines is impacting companies' ability to efficiently move raw product and is continually pitting the energy sector against environmentalists. The challenge of clean energy and the focus on this new segment is challenging what we view as the basis of our energy sector. Regulations focusing on foreign corrupt practices have now been well defined, resulting in law enforcement engaging in more aggressive investigations of overseas operations and relationships with foreign governments. Terrorist financing guidelines and sanction regulations mandate the need for the energy sector, which operates in a world market, to ensure they adhere to what has been legislated. Failure to know who foreign partners are can impact banking relationships due to their mandated anti-money laundering, anti-terrorist financing regulatory requirements.

RC: How do you expect the fraud risk landscape to unfold for energy & natural resources companies? Will companies need to respond to an ever-present risk of fraud?

Rene: The risk of fraud in the energy & natural resources sector is unlikely to diminish any time in the future. The nature of the sector requires organisations to conduct business in many areas of the world where corruption is a risk, and companies need to remain apprised of the latest evolving risks and understand how to mitigate them.

Clement: Boards of directors and senior managers are going to need to become more sensitive to the compliance requirements of their organisations and will need to ensure they put forth a firm culture of total compliance. Programmes such as whistleblower hotlines need to be embraced. The board needs to know what questions they should be posing to their IT personnel so that they are satisfied they have a robust cyber crime programme and a backup plan for when a cyber attack occurs. Unfortunately, many boards and senior managers rely totally on their IT management team and therefore may not have a full picture until it is too late.

Prado: Considering the current political scenario and the actions performed by the federal police, public prosecutors and the judiciary, we would expect future fraud to be investigated by the authorities. Thus, fraud risks should decrease. One of the main reasons for this is the fact that individuals are now afraid of being arrested. Lastly, punctual changes in the regulation of each sub-sector of energy & natural resources, and also the disposition of regulators and the courts of auditors to prevent and combat fraud, may also be responsible for decreasing fraud-related risks, especially when it comes to public bidding and contracts.


PERSPECTIVES

CREATING A CULTURE OF COMPLIANCE: REGULATING BEHAVIOUR TO MANAGE FRAUD AND CORRUPTION RISKS
BY BEN ALLEN
GADENS

In February 2016, the chairman of the Australian Prudential Regulation Authority (APRA), Wayne Byres, informed a Senate Estimates Committee hearing that APRA and the Australian Securities and Investment Commission (ASIC) had each set up teams specifically to focus on fixing corporate culture. He went on to say that those teams would be sharing information about organisations, but acknowledged that you "can't just regulate [appropriate culture] into existence". Mr Byres saw leadership from executives as the key plank to improving behaviour within organisations. The difficulty for organisations is identifying appropriate culture and, perhaps more importantly, knowing how to fix bad culture. Striking the right culture balance will be key to ensuring that regulatory compliance is adhered to and also key to minimising fraud and corruption risks.

Understanding risk culture

Assessing the risk culture within an organisation is a useful framework within which to assess the effectiveness of existing or proposed compliance programmes. In circumstances where the deterrent principle informs civil penalties for regulatory breaches, including bribery, corruption and fraud, assessing the culture of compliance has a part to play in the assessment of those breaches as well as in determining liability.

In relation to that assessment, results from a 2015 global survey of leading corporates provide some startling results: while the enforcement of fraud, bribery and corruption regimes globally is on the rise, there has been a reduction in the level of reporting on compliance issues to boards, and less than 50 percent of organisations have attended training in relation to anti-bribery and corruption risks. Perhaps one of the more alarming trends to emerge is that less than a third of respondents admitted that they do not regularly include anti-bribery due diligence as part of their mergers or acquisitions process, and it was agreed among a majority of respondents that anti-bribery training is less likely to occur in jurisdictions where there is a higher perceived risk of bribery.

Risk culture refers to the awareness, attitudes and behaviour towards risk and how risk is identified and managed. A strong risk culture is demonstrated when people within the organisation instinctively do the right thing, particularly where policies may be unclear about how best to act.

Working out how to create such a cultural shift is easier said than done for many organisations, particularly those with operations, intermediaries or agents in regions known to have higher perceived risks of fraud and corruption or where routine engagement with government officials or authorities in those jurisdictions is required.

Corporate culture and regulation in Australia

In order to attribute liability to an organisation for a breach of Australia's Commonwealth anti-bribery legislation, that organisation is required to have expressly, tacitly or impliedly authorised or permitted the commission of the relevant offence. In practice, the means by which such authorisation or permission is established includes proving that a corporate culture existed that directed, encouraged, tolerated or led to non-compliance or that the organisation failed to create and maintain a corporate culture that required compliance. Similarly, for those facing investigations of fraud or wrongdoing by other regulators (such as ASIC's recently proposed action against those financial institutions allegedly engaged in the rigging of Australia's bank bill swap rate, or BBSW), demonstrating that wrongdoing was the work of individual bad apples and not the barrel in which they were stored may prove critical. Establishing a culture of compliance to the satisfaction of regulators may help an organisation escape from liability, but begs the question: what is required to create good culture?

In Australia, certainly in the context of anti-corruption regulation, there is very little guidance about what constitutes a compliant corporate culture. This is in stark contrast to the US and the UK, where comprehensive guidance is offered to organisations across a range of white-collar crime offences, including bribery and corruption. In the absence of clear guidance in Australia, organisations might look to generally recognised compliance standards to assist in understanding an approach to creating good culture.

Compliance management can assist

Recently, the International Organisation for Standardisation published the international standard for compliance management systems, which was adopted in Australia last year, replacing the previous standard for compliance programmes. The previous standard was referenced by numerous regulators including APRA and ASIC and was seen as the benchmark against which an organisation's compliance obligations were judged. The new standard is likely to be similarly used, including by the Australian Federal Police in the case of corruption regulation. However, the new standard also presents some important and far-reaching changes; most notably, it requires compliance to be embedded in the culture of the organisation. Helpfully, however, it gives some guidance about how this can be achieved.

Much like its predecessor, but in a more prescriptive manner, the new standard requires organisations to adopt a risk-based approach to compliance (in other words, asking 'what can go wrong?') and, in particular, it requires companies to develop an organisational risk appetite for legal compliance risks. It also requires that organisations integrate compliance management systems within business processes to ensure organisational culture and that the actions taken by its management promote a compliance culture. The standard is based on a four step method used for the control and continuous improvement of processes: plan, do, check and act.

The new standard is expected to serve as a global benchmark for compliance officers, but perhaps more importantly, for regulators overseeing an organisation's compliance regime. With the regulators' focus on compliance culture, it is likely that the application of this new standard will result in not just ensuring that policies and procedures are in place, but that there is oversight about the manner in which they are communicated and implemented within an organisation. It is also likely that this standard will be adopted by regulators as the accepted benchmark for making out due diligence defences, and ultimately for the assessment of adequacy of organisational efforts in the context of breaches or control failures. As such, accountability will be a key, not just in communicating policies, but in relation to who they are communicated to, and how.

One of the unique features of the new standard is that, as a guideline, it gives organisations room to implement a proportionate, tailored and layered compliance programme that is adapted to individual requirements and combined with existing management systems. However, in order for it to become embedded, it must play a central role in the culture of an organisation and the behaviour and attitude of its employees. The emphasis from the standard sits squarely with management in this regard.

Elements of an effective compliance programme to regulate behaviour

Applying the principles from other jurisdictions, as well as from the above standard, organisations might have a clearer picture about what a culture of compliance actually looks like. To understand this, the corollary is perhaps easier to consider; or, put another way, what do the signs of a weak compliance culture look like? An obvious one is an obsession with quarterly financial performance driven by demand from corporate stakeholders for immediate performance returns as opposed to long term results. This can also be inextricably linked with incentivising staff (directly or indirectly) for behaviours that reward short cuts, or promoting opportunity structures with relaxed oversight, in effect creating a culture of competition. Making excuses for the failure of the CEO to explicitly address compliance requirements is another alarm bell. Perhaps the most telling sign is where management appear disinterested in discussing the importance of compliance training, internal investigations of wrongdoing and other policy application issues.

Organisations should also be careful not to dogmatically impose a standalone compliance team if the goal is to promote a true culture of compliance. Instead, focus on and analyse an organisation's informal norms and processes and adapt those to best meet the needs of a particular organisational structure. This includes undertaking internal network studies and interviews of staff to understand workflow and communication channels and exploring the ethical culture that exists beneath the organisation chart.

To embed a true culture of compliance, a focus on more than just leadership (or 'tone at the top') is required. It must extend to things such as appropriate hiring (and increased vetting procedures for staff), proper incentives tied to long term performance of the organisation, adequate internal controls (such as dual authorisations, segregation of duties and suitable reporting structures), efficient internal audits (including use of data analytics), budget support for internal audit and compliance functions, promotion of an open communication channel throughout the organisation (including a robust whistleblower regime), competent and empowered compliance personnel as well as appropriate and tailored training for all staff. Focusing only on the bad apples within an organisation ignores the barrel in which they are stored. A true culture of compliance requires weeding out the structures, processes and social systems of organisations that lead to opportunities for wrongdoing to occur.

dogmatically impose a standalone compliance


team if the goal is to promote a true culture of
compliance. Instead, focus on and analyse an
organisations informal norms and processes and
adapt those to best meet the needs of a particular
organisational structure. This includes undertaking


Ben Allen
Partner
Gadens
T: +61 2 9035 7257
E: ben.allen@gadens.com


PERSPECTIVES

FRAUD ENFORCEMENT IN CANADA IS STEPPING UP
BY BRIGEETA C. RICHADLE AND NATHAN J. SHAHEEN
BENNETT JONES LLP

Canada historically had a fairly-earned reputation for being a fraudster's playground. This reputation resulted from, among other things, arguably inadequate and underutilised regulatory and criminal fraud enforcement regimes. Perceived shortcomings of the Integrated Market Enforcement Team of the Royal Canadian Mounted Police (RCMP), which charged only nine individuals between 2004 and 2008 despite a $30m annual budget, and at least the appearance of injustice resulting from investigation blunders in major securities fraud matters such as Sino-Forest and Bre-X, raised serious questions about the ultimate effectiveness of Canada's fraud prevention and enforcement regime.

Recent developments in Canada's compliance and regulatory regimes are changing the landscape. A Cooperative Capital Markets Regulatory System initiative is seeking to coordinate and strengthen securities enforcement nationally, new provincial regulatory tools are emerging, including a proposed whistleblower programme and non-contest settlements being proposed by the lead securities regulator, the Ontario Securities Commission (OSC), and cross-discipline teams specialising in fraud detection and prevention are being created to tackle the most sophisticated of financial crime. These measures suggest that prevention and enforcement efforts are stepping up in an effort to better identify, interrupt and punish fraud taking place within Canada's borders.

Proposed national securities regulator

Canada is currently the only G7 economy, as well as the lone outlier among the more than 100 member countries of the International Association of Securities Commissions, without a national regulator. The current model sees provinces, not the federal government, implement distinct securities regimes in an often inconsistent and patchwork manner. In a global economy where nations shifted towards increased consolidation of regulatory authority, Canada stands alone with its fragmented approach.

As a result of this patchwork model, serious debate emerged about the merits and legality of adopting a national securities regulator. While the prior federal Conservative government appeared poised to push for the implementation of such a regulator, its efforts were sidetracked by the Supreme Court of Canada's holding that the Canadian constitution vested responsibility for securities regulation in the provinces. The Court's decision initially appeared to be a serious blow to the prospect of a national regulator and signalled clearly that hard work would be required to accomplish securities regulation across Canada to address the status quo issues of fraud and broader regulation deficiencies.

Fortunately, a creative solution has emerged. The Cooperative Capital Markets Regulatory System (CCMRS) rests on collaboration and assertion of the provinces' distinct authority to regulate their respective securities markets. The CCMRS is currently supported by five provinces, one territory and the federal government, with the support of two major provinces with securities regulators, Quebec and Alberta, remaining notably absent. It is designed to streamline, coordinate and unify the capital markets regulatory framework with a goal of protecting investors and strengthening the management of systemic risk on a national basis.

receiving nearly 4000 tips from whistleblowers in

2015 alone.

The new Liberal governments recently appointed

Under the OSCs proposed programme, individuals

minister of nance, Bill Morneau, has openly pledged

are highly incentivised to provide information

support for the national securities regulator and

regarding securities law violations. Tips of up to

expressed that the collaborative regime is favoured.

$1.5m are payable for valuable information, with

If fully implemented, the CCMRS


will signicantly alter the Canadian
regulatory landscape.

New regulator tools


In addition to CCMRS, provincial
regulators are seeking to intensify their
individual enforcement mandates by

If fully implemented, the CCMRS will


signicantly alter the Canadian regulatory
landscape.

introducing new tools. Most notably,


Canadas largest and most signicant
securities regulator, the OSC, is actively
implementing a new whistleblower
programme and has introduced no-contest

such limits reaching $5m if the information about

settlements, both signicant developments aimed at

misconduct leads to enforcement proceedings

detecting and preventing fraud in Ontarios securities

that result in the collection of a signicant nancial

market.

sanction. Notably, while lacking specic maximum

The OSCs whistleblower programme was formally

rewards, the SEC paid upwards of USD$37m to a

proposed in October 2015 and seeks to be the rst

mere eight whistleblowers in 2015. These gures

of its kind in Canada. The programme will encourage

are reasonably thought to reect the high value of

the reporting of securities law violations in exchange

whistleblower information to securities regulators.

for monetary awards payable to whistleblowers.

Such information should increasingly be available to

The programme follows in the footsteps of the US

the OSC under its new whistleblower programme,

initiative under the Dodd-Frank Act, which resulted

thereby assisting and ultimately sanctioning

in the Securities and Exchange Commission (SEC)

securities misconduct.

36 RISK & COMPLIANCE Apr-Jun 2016

www.riskandcompliancemagazine.com

FRAUD ENFORCEMENT IN CANADA IS STEPPING UP

In another step towards increased enforcement,

PERSPECTIVES

JSOTs efforts are already paying dividends. In 2015

in March 2014, the OSC introduced a no-contest

alone, JSOT executed 69 search warrants, had seven

settlement programme that allows alleged

matters under investigation and 15 matters before

wrongdoers to settle their cases without admitting

the courts. When contrasted with the paltry charging

to the wrongdoing. While these settlements are

of only nine individuals by the RCMPs specialised

only used for cases that meet strict eligibility

unit just years earlier, these results represent

requirements, and not for criminal or other more

signicant progress.

serious forms of misconduct, they are proving

Specialised efforts by other provincial regulators

effective thus far. In one case, the OSC entered

are also having an impact. For instance, in 2012,

into a no-contest settlement for $13.5m with TD

the British Columbia Securities Commission (BCSC)

Waterhouse and related entities for their lack

implemented a three-year initiative to address

of system controls and supervision resulting in

offshore secrecy jurisdictions. The initiative is aimed

clients paying excess fees that were not detected

at investigating illegal activity hidden by foreign

or corrected in a timely manner. The magnitude of

nancial institutions trading for British Columbia

the penalty, which is a signicant increase on past

residents, brokers concealing insider trading through

penalties, appears likely to send a strong message

offshore trading, and nominees and newsletter

that registrants must establish and maintain effective

writers who facilitated market manipulations and

systems to ensure compliance with securities law,

insider trading by concealing the identity of the

that investors must be protected, and that facilitating

benecial owner. The initiative has had signicant

fair and efcient capital markets is essential.

success, including admission by Bank Gutenburg


that it had improperly traded securities on behalf

Specialised fraud teams


In 2013, the OSC created the Joint Serious Ofces

of British Columbia residents in a total transaction


volume of $327.8m. As a result, Bank Gutenberg

Team (JSOT), a cross-discipline team specialising

was sanctioned by the BCSC and ordered to pay

in addressing signicant fraud and nancial crimes

a nearly $1m penalty. In addition, like the OSCs

in Ontario, the home to Canadas nancial centre

efforts with JSOT, the BCSC has also increased

and major population base. JSOT is comprised of

its efforts to bring enforcement cases before the

various individuals, including provincial and federal

courts and seek penalties in the form of nes and

police ofcers, litigators, investigators and forensic

jail sentences through the implementation of its

accountants, and operates completely independently

Criminal Investigations Team, which has charged 27

from the rest of the OSCs enforcement division.

individuals since its creation in 2007.

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Apr-Jun 2016 37

FRAUD ENFORCEMENT IN CANADA IS STEPPING UP

Canadian fraud prevention is also seeing

PERSPECTIVES

serious offenders, it appears that enforcement

improvements at the federal level. In addition to

is stepping up in an effort to better to address

announcing in March of 2015 that it would move its

and interrupt fraud taking place within Canadas

nancial crime unit to be co-located with the OSCs

borders. The days of Canada serving as a fraudsters

ofces, the RCMP has increased their focus on

&
playground appear to be coming to an end. RC

interrupting and investigating fraud by expanding the


mandate of its Commercial Crime Program to cover
several different types of major fraud les including
corporate fraud, investment fraud, securities fraud,
mass marketing fraud and credit fraud.

Brigeeta C. Richdale
Associate
Bennett Jones LLP
T: +1 (604) 891 5150
E: richdaleb@bennettjones.com

Conclusion
The recent developments in fraud enforcement
indicate that Canada is prioritising the ght against
fraud. With the shift towards a national securities
regulator, an increase in regulatory tools and

Nathan J. Shaheen
Associate
Bennett Jones LLP
T: +1 (416) 777 7306
E: shaheenn@bennettjones.com

programmes, and the formation of teams targeting

38 RISK & COMPLIANCE Apr-Jun 2016

www.riskandcompliancemagazine.com

PERSPECTIVES

BATTLING THE DARK ARTS: TRACING THE HISTORICAL ROOTS OF STOCK MARKET MANIPULATION IN AUSTRALIA
BY GABRIEL MOENS AND PAUL CONSTABLE
> UNIVERSITY OF QUEENSLAND

"The Dark Arts," said Snape, "are many, varied, ever-changing, and eternal. Fighting them is like fighting a many-headed monster, which, each time a neck is severed, sprouts a head even fiercer and cleverer than before. You are fighting that which is unfixed, mutating, indestructible."

The words of Professor Severus Snape in J. K. Rowling's Harry Potter and the Half-Blood Prince resonate strongly with the subject of stock market manipulation. The phrase "dark arts" invokes images of faceless rocket scientists sitting in dimly lit rooms staring at vast banks of computer screens, whose key strokes send orders onto exchange trading platforms that artificially interfere with the natural forces of supply and demand to influence the prices of shares listed on Australia's financial markets, unlawfully and unjustly benefitting themselves at the expense of innocent investors.

The battle has been long fought, and continues to rage, between those intent on undermining the integrity of Australia's financial markets for personal gain (the manipulators) and Australia's federal regulator, the Australian Securities and Investments Commission (ASIC), which tries to combat this insidious and illegal activity. This battle is not dissimilar to fighting a many-headed monster, which, each time a neck is severed, sprouts a head even fiercer and cleverer than before. Each time enforcement action is taken against malefactors, the abuse continues to be perpetrated by others using new methods and new tools.

From De Berenger's deliberate lies in 1814 relating to the defeat of the French and the killing of Napoleon, which were designed to increase the price of British government securities, to the alleged nefarious activities of high frequency and algorithmic traders on today's stock markets, history is littered with examples of people who have used various means and devices to unlawfully and unfairly manipulate the prices of shares on stock markets around the world.

As recently as 14 April 2014, for example, the Sydney Morning Herald contained an article that referred to a claim by Australian researchers of the Capital Markets Co-operative Research Centre that market manipulation appeared to be rife on Australia's share market when compared to other major markets around the world. According to the article, dramatic price spikes occur just prior to the close of trading each month, quarter and end of financial year; these spikes are said to be the strongest proxy of market manipulation and, the article claims, are being used to boost bonuses for rogue fund managers.

Perpetrators of manipulative practices look for ways to artificially influence the price of a security to enable them to benefit from the consequent price change at the expense of other participants in Australia's securities markets, including, for example, superannuation funds, local and international investment banks and financial service providers, as well as mum and dad investors. This type of misconduct has the capacity to undermine the integrity, fairness, efficiency and international competitiveness of one of Australia's key capital markets. The methods used by malefactors include the inducement of people to trade in a particular security or attempts to force the price of a security to an artificial level.

There is a considerable body of literature on stock market manipulation, both in Australia and internationally. A review of the domestic literature would lead one to reasonably conclude that the history of stock market manipulation in Australia really only commenced in the late 1960s and early 1970s, following the mineral boom and the establishment of the Senate Select Committee on Securities and Exchange (Parliament of Australia, Australian Securities Markets and their Regulation), known as the Rae Committee, which investigated a range of misconduct perpetrated across the local securities industry, including the manipulation of shares listed on Australia's stock exchanges.

However, despite the fact that stock market manipulation was not specifically outlawed in a number of Australian states (New South Wales, Queensland, Victoria and Western Australia) until the early 1970s, there is evidence to suggest that stock market manipulation was being perpetrated on Australia's securities markets as long ago as the 1870s, and possibly earlier. For example, there are a number of reports in Australia's regional newspapers in the latter half of the 1800s that describe conduct that would constitute what is known in modern parlance as "rumourtrage", a particular type of stock market manipulation. This insidious activity involves the spreading of false or misleading rumours to deliberately affect the price of shares, which is today a criminal offence in Australia under s.1041E of the Corporations Act 2001. As such, there appears to be a gap in the literature with respect to how instances of stock market manipulation were historically dealt with by Australia's state and federal governments and law enforcement authorities.

Similarly, while there are a number of domestic sources dealing with the general history and role of Australia's stock exchanges, there appears to be a further gap in the literature with respect to how instances of stock market manipulation were historically dealt with by the exchanges and their internal committees. Stock exchanges in Australia have historically been self-regulatory organisations, largely allowed to make rules governing their operations and to impose punishments for non-compliance with those rules. Any history of stock market manipulation in Australia would be incomplete without a consideration of how this particular form of misconduct was governed and how identified instances of misconduct were dealt with by the exchanges, including the imposition of any penalties and other sanctions to punish malefactors and deter others.

It is obvious that further research is needed to make an original contribution to the knowledge and understanding of the history of stock market manipulation in Australia by addressing the apparent gaps in the literature, particularly prior to the watershed changes to local securities regulation in the 1970s.

It is necessary for scholars to fill the gaps and further our understanding of stock market manipulation, not only to complete the job of tracing the roots of this nefarious form of financial market misconduct and document how it was historically dealt with by Australian governments and law enforcement authorities, but because people learn from history to understand the present. Perhaps there are lessons that can be learnt from the past to help finally defeat the dark arts, which have plagued the trading of shares on domestic and international markets for far too long.

Gabriel Moens
Emeritus Professor of Law
University of Queensland
T: +61 4 6614 4789
E: g.moens@uq.edu.au

Paul Constable
E: lucy_paul@bigpond.com

PERSPECTIVES

THE IMPLICATIONS OF LAST YEAR'S UPDATES TO THE FRC'S CORPORATE GOVERNANCE CODE WITH REGARD TO BOARD-LEVEL RESPONSIBILITIES FOR RISK MANAGEMENT
BY RICHARD EDDOLLS
> CORESTREAM

In October 2015, the Financial Reporting Council (FRC) published its latest changes to the UK Corporate Governance Code. Geared towards ensuring that UK-based businesses identify and manage risk properly, the code affects all those listed on the London Stock Exchange (LSE). But a year on from the publication of this new code, are businesses taking it seriously, and what can they do to demonstrate that the measures they have in place are both appropriate and effective?

There's no doubt that risk management has become a primary consideration in terms of meeting corporate governance objectives over recent years. Increasingly, investors and regulators expect business leaders to be able to identify the principal risks to the business, to articulate how these risks are measured and managed, and to explain how their strategy fits with the organisation's culture and appetite for risk.

Adding value is fundamental to business success, but any attempt to create value also brings the risk of miscalculation, and this is where many businesses fail. Failure happens as a result of either an inability to understand the risks that they face or an inability to manage these risks correctly. Put like this, it's evident that effective risk management is the key to long-term success. Yet businesses have to confront the same challenge the world over. Continuous change combined with new technology, new markets and greater competition has increased both the rate at which these threats emerge and their potential impact.

Unfortunately, most British businesses are still poorly placed to comply with the new standards. Back in September 2014, Deloitte reported: "for the majority of businesses, especially those in less regulated industries... the adoption of these changes will represent a significant challenge." Fast-forward a year and Deloitte found that: "many [organisations] do not yet have a risk process in place that goes sufficiently beyond the identification of principal risks. The detailed work required to really understand these risks, how they are being mitigated and monitored and whether the risk profile is changing, is often either absent, or currently happening in an uncoordinated way... there is also limited integration of the risk management process into key business planning and decision making processes."

So what does the FRC's UK Corporate Governance Code entail? Previously it stated that the board of directors is responsible for maintaining sound risk management and internal control systems, and that these systems should be reviewed at least once a year. The new code takes this considerably further.

Assessment of principal risks

Directors must carry out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. They should also describe those risks and explain how they are being managed or mitigated.

Monitoring of risk management and control systems

The board should monitor the company's risk management and internal control systems, and review their effectiveness at least once a year. Monitoring and review should cover all material controls, including financial, operational and compliance controls.

In essence, the directors of any company wishing to comply with the code must put in place a single, comprehensive process for risk identification and management, which is continually monitored and subject to regular review. Furthermore, they will need to explain what action has been taken to remedy any identified failing or vulnerability.

Meanwhile, updated auditing standards require external auditors to state whether they have anything to add to the board's statements on principal risks and the results of their reviews. Therefore, internal controls, monitoring tools and reporting structures need to be clearly evidenced or demonstrated to satisfy the auditors that adequate measures are being taken.

While it is companies with a premium listing on the LSE that are subject to the code, it nonetheless represents best business practice, and as such it is reasonable to expect that a more comprehensive and integrated approach to risk management will come to be seen as the accepted standard for well-run companies.

With this in mind, what should forward-thinking businesses be looking to do?

There is no off-the-shelf solution to this problem: technology, people and process must be considered in equal measure. From a technology perspective, solutions provide a platform for centralising risk management across the organisation, together with a range of sophisticated tools that allow for maintenance and review of risk registers. This brings a number of benefits: (i) risks can be linked to internal controls, mitigating action plans, policies and processes, enabling the company to demonstrate what is in place to manage or mitigate risk; (ii) periodic or recurring reviews of risks and controls can be initiated automatically, ensuring that the system is properly maintained and regularly updated; and (iii) with all content in one place, reporting is automated and efficient. Reports are in real time, and it is straightforward to identify issues that really need attention, and whether particular risks or risk types are causing concern across the business. It helps solve the data problem.

Remember: technology is an enabler rather than a solution. Poor risk management is principally a matter of people and processes, and acquiring a set of new tools won't change this. However, once underlying problems have been addressed, technology allows risk management to be more coherent and efficient, and much less onerous.

At the end of the day, the FRC's new standards provide an opportunity for improvement. Embedding risk management within the organisation, and ensuring that it is integral to planning and decision making processes, makes sound business sense. It will focus business leaders on the company's core, value-adding operations and encourage them to deal proactively with risk. It will produce better quality, more timely management information, which will in turn result in better business decisions and an organisation that is both more cohesive and far more responsive to change.

Richard Eddolls
Head of Platforms
CoreStream
T: +44 (0)20 7100 4378
E: richard.eddolls@corestream.co.uk

PERSPECTIVES

MAKING SENSE OF THE INCREASINGLY COMPLEX COMPLIANCE PROCESS
BY BILL WAITE
> THE RISK ADVISORY GROUP

Compliance is becoming more complex. Our survey, conducted in late 2015, reveals just how much more complex it is becoming, and the impact this increased complexity is having on compliance professionals. The picture that emerges is one of a business function under significant pressure. Sixty-nine percent of all respondents said they felt that their business was more exposed to risk than it was two years ago, and 78 percent agreed that the sheer complexity of compliance represented a risk in itself.

Fear of scandal, increased regulation and increased scrutiny were all highlighted as material concerns helping to drive this change. Indeed, protecting the company's reputation was identified by 59 percent of respondents as compliance's primary role.

What lies behind these drivers is a fundamental shift in government policy which started in the US approximately 15 years ago.

The state of corporate governance

In the US, and subsequently in other countries, governments recognised that they had the desire but not the competence nor the resources to effectively regulate financial markets, or to impose penalties on those that break the rules. As a result, in order to implement substantive change, this obligation was transferred to corporations themselves. Anti-money laundering and terrorist financing legislation, anti-bribery and corruption controls, prohibitions on the transfer of technology and the Modern Slavery Act are all examples of this.

However, unlike when a state function fails to discharge its mandate, corporations now face significant financial and reputational penalties if they fail to govern themselves correctly. CEOs, and in some cases entire boards, are terminated. Equally, financial sanctions have increased hugely over the last decade. High profile companies such as BP, Pfizer, GlaxoSmithKline, Siemens and Halliburton have been subject to penalties of between $400m and $1.2bn in the last seven years for bribery, antitrust, cartel and environmental-related issues. These considerable sums are matched by equally huge sums spent on legal defence and remedial action.

In 2012, HSBC was fined $1.9bn for anti-money laundering failings, and in 2014 BNP Paribas was fined $8.9bn for sanctions violations. It still isn't clear what the financial penalties imposed on VW will be following last year's emissions scandal, but its new board will certainly be wondering whether a $7bn provision is adequate.

Ultimately, the use of regulatory sanctions is unlikely to change. Even if regulation fails to achieve behavioural change in the way that governments want it to, it has become a significant source of income.

Mergers and acquisitions

As regulatory regimes expand and sanctions increase, the role of the compliance function has become increasingly complicated. In M&A, for instance, the prospect of successor liability has forced potential acquirers to look beyond the integrity of financial information, and on to operational risks relating to the businesses they are seeking to acquire.

Both the SEC and DoJ have clearly stated that when a company merges with or acquires another company, the successor assumes the predecessor company's liabilities. Whilst the concept of successor liability is not established in other legal systems, it is clear that if you buy a business and it continues to break the law, regulators will sanction in respect of post-acquisition conduct.

In 2014, $3.5 trillion of M&A deals were completed, which, according to A.T. Kearney, was a 47 percent increase on 2013, the largest increase since 2007. Alongside this, deals in excess of $5bn doubled in volume, with media, healthcare and energy the most active sectors. As the global economy continues to recover, it is likely that M&A will increase, and along with it the challenges for compliance as a discipline.

The role of technology

Against this backdrop, it is hardly surprising that 38 percent of respondents to our survey said that more people with the right knowledge of the business would make the biggest difference to the compliance team's ability to protect a business. With compliance touching every aspect of business, from deal or transaction origin, to operational risk and disposal, it is perhaps time to recognise that 'compliance' is the wrong name. Executed in the right way, effective and rigorous risk management is a value creator, rather than simply a control mechanism.

Ensuring consistency of approach across the globe is a major challenge for any multinational organisation, but a coherent and consistent approach is precisely what a regulator looks for. The requirement to demonstrate adequate procedures under the Bribery Act, or to fall the right side of the Federal Sentencing Guidelines, is understood by those that have the mandate to protect their organisations. That is perhaps why 16 percent of respondents said that more efficient processes would make a difference to a compliance team's ability to protect their business.

Consider the need to be able to demonstrate that the same review processes on third-party relationships are undertaken on a global basis, that the same contracts are used, that appropriate training has been provided and executed, that all reports are centralised, and that KPI and escalation procedures are in place. Then add to that the need for information security and privilege, and you start to get some idea of the challenge. Without having some kind of technology in place to facilitate this process, companies are bound to fail.

Bill Waite
Group Chief Executive Officer
The Risk Advisory Group
T: +44 (0)20 7578 0000
E: bill.waite@riskadvisory.net

PERSPECTIVES

BEYOND COMPLIANCE: PROPERLY LEVERAGING ERM FOR ADDITIONAL VALUE
BY SHAWN DAHL AND ADAM MARSHALL
> RSM US LLP

While many companies leverage enterprise risk management (ERM) from a compliance perspective, the approach is much more than just a one-way street. Too often, risk management efforts focus on regulatory and compliance demands versus strategic and business objectives. However, changing the perspective of ERM can be a competitive differentiator, creating additional operational, cultural and financial advantages for any organisation.

In today's challenging risk atmosphere, greater insight into the management of key risks is an immensely valuable asset. Satisfying regulatory and compliance risk obligations is certainly important; however, a more holistic view of risk, encompassing both opportunities and threats, can help effectively manage compliance demands while achieving business and strategic objectives.

The American Institute of CPAs' 2015 Report on the Current State of Enterprise Risk Management: Update on Trends and Opportunities found that the majority of companies surveyed only minimally viewed their ERM processes as a proprietary strategic tool. The findings did not greatly differ between middle market companies and larger organisations, reflecting missed opportunities to create a competitive advantage in businesses of all sizes.

So how should an organisation begin to expand the scope of risk efforts to be more strategic? To change the perspective of ERM, the business objectives need to be the starting point of any enterprise risk assessment. If ERM is not based on and linked to business processes, risks can surface that distract management from critical risk areas. Integrating ERM and strategy will help management better understand the underlying assumptions, threats and opportunities of the plan.

ERM develops a further understanding of the company's risk profile, helping to apply it to strategy development and execution. However, an effective ERM strategy must do more than simply align with the structure of the company; it also must consider various cultural aspects within the company. Many parties play an active role in managing risk, and a successful ERM effort drives risk awareness through all levels and functions, developing a process that reflects the organisation's culture.

If a company has an established risk appetite, ERM can apply that threshold against key strategies to ensure the risk level it takes on is appropriate. ERM can be leveraged to manage downside risk while planning and considering strategic objectives for upcoming years. Conversely, ERM can also help an organisation consider upside risks, forecast market changes and identify external threats.

A core element of an ERM strategy should be to establish an organisation-wide taxonomy of risk definitions and measurements, enabling risks to be identified and discussed in an objective manner across the organisation. This approach allows employees to consider risk and raise concerns, developing a stronger understanding of threats and opportunities as they make decisions and perform day-to-day activities. Furthermore, the goal of a complete ERM strategy is to help an organisation shift its risk focus from strict compliance to a more strategic and operational vantage point. It enables a top-level view of risk throughout the entire business.

Without a holistic way of identifying risk across the organisation, potentially significant risks might not surface, as some behaviours may prevent dirty laundry from being aired.

For example, many companies grow through

potential of the business, stunt opportunities for growth and foster an unhealthy atmosphere that allows dangerous risks to continue unchecked and become more pervasive.

However, integrating a more comprehensive ERM

mergers and acquisitions, resulting in multiple

strategy discourages this conduct, and provides

cultures existing within the same organisation.

signicant benets throughout several areas of the

Without a holistic way of identifying risk across the

business. From a culture perspective, it establishes

organisation, potentially signicant risks might not

a new risk management vision, allowing ongoing

surface, as some behaviours may prevent dirty

collaboration and discussion, which, in turn, leads

laundry from being aired. If a company is insular, or

to a better understanding of risk throughout the

does not share information, conducting business as

organisation. It uncovers and communicates risks so

usual can adversely affect the goals and objectives

they can be addressed appropriately.

of the larger organisation.

A more global ERM approach also allows board

Employees might not want risks to come to the

members and management to have a more explicit

surface for several reasons, including fear of losing

discussion about risk, changing the approach from

their jobs, business closures or substantial changes

ad hoc to systematic. It increases transparency

in response to the risks. This behaviour can limit the

into risks at the board level and allows company

52 RISK & COMPLIANCE Apr-Jun 2016

www.riskandcompliancemagazine.com

BEYOND COMPLIANCE: PROPERLY LEVERAGING ERM FOR...

PERSPECTIVES

stakeholders to have a more informed and accurate

additional investment to get the full value from

conversation about establishing and monitoring the

ERM beyond a typical check the box compliance

risk appetite.

approach. Any increase in resources results in

ERM also transforms how organisations assess

improved focus on risk, and any increase in costs

risk within the company, implementing a formal

is typically more than offset by increased risk

measurement and understanding of risk. It creates

awareness and identication of new business

a discussion of risk not just an individual view,

opportunities.

but a shared view that encompasses the entire

Adopting a more inclusive risk culture through

organisation. Many companies simply need to

ERM encourages proactive risk management

better identify and manage key risks to achieve

throughout an organisation. Employees are armed at

their strategic objectives. ERM establishes a strong

all levels with information to make better decisions

approach to key risk mitigation and provides a

on how to approach and handle risk. ERMs ability

compass for proper resource allocation, more

to increase this collaboration and align cultures is a

effectively aligning employees to threats and

powerful tool to effectively manage risk by avoiding

opportunities.

&
threats and uncovering new opportunities. RC

A more strategic approach to ERM helps


companies go through a systematic process,
rst by implementing a standardised risk culture
throughout the organisation, and then encouraging
a collaborative dialogue with key members of
management representing all functions of the
business. These steps ensure that the entire

Shawn Dahl
Principal
RSM US LLP
T: +1 (212) 372 1716
E: shawn.dahl@rsmus.com

organisation fully understands risks and they have


been vetted throughout the group. Then, talking with
employees about risk should result in alignment
about the potential threats to the organisation, and
make decisions about the next steps easier.
Most importantly, from a nancial perspective,

Adam Marshall
Director
RSM US LLP
T: +1 (410) 246 9251
E: adam.marshall@rsmus.com

a company does not need to make a signicant

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Apr-Jun 2016 53

PERSPECTIVES

BEHAVIOURAL RISK MANAGEMENT'S FOCUS ON THE ROLE OF CONFLICTING PERSONALITIES
BY HERSH SHEFRIN
> SANTA CLARA UNIVERSITY

Behavioural risk management is a framework for applying psychological theories and concepts to the practice of risk management.

Psychological issues lie at the very heart of risk management, influencing both judgments and behaviours. There is good reason to believe that those in the middle office and those in the front office agree on one thing: they have very different personalities. These differences are important, lying at the core of the relationship between middle office risk managers and the front office traders they monitor.

Front office, risk and compliance and personality

The nature of personality differences emerges quite starkly in Joris Luyendijk's book Swimming With Sharks, which he based on a blog he wrote for The Guardian newspaper. Notably, Luyendijk's source material comes from interviews he conducted with people working in London's financial firms. In order to ferret out the way that traders and risk managers perceive themselves, Luyendijk asked some of his interviewees what animal they thought most closely captured their personalities.

Most of those in the front office described themselves as predators. Some said wolves, working in packs, prowling for clients. Some said tigers, aggressively helping their banks to be as profitable as possible. In contrast, some in the middle office described themselves as dogs that are loyal to their owners (management) and bark at people when they behave inappropriately. Others saw themselves as beta male chimpanzees, whose purpose is to help the dominant male chimpanzee achieve his goals.

Especially interesting is how traders and risk managers view each other. Traders who described themselves as tigers used a zoo keeper analogy, saying they felt caged in by the middle office. Those in risk and compliance noted that traders viewed them as 'deal killers' and 'show stoppers', while they likened traders to 'rock stars' and 'rain makers'.

Psychological concepts used in behavioural risk management

The psychology upon which behavioural risk management is built focuses on the manner in which people make judgments of risk, and choices among risky alternatives. The strand of psychology associated with choice theories identifies the importance attached to framing outcomes as gains or losses, the degree to which people feel losses more intensely than gains, and the role played by emotions such as fear, hope, and the success that comes from achieving a goal. The strand of psychology associated with heuristics and biases identifies the degree to which people rely on heuristics, or rules of thumb, when they make judgments of risk, and the related biases which these heuristics generate.

Survey evidence suggests that risk managers are more loss averse than traders. The evidence also suggests that risk managers express more fear and less hope than traders, and are more inclined to set specific goals. Some psychological experiments conclude that behaviour can be strongly influenced by role. Because attitudes about risk bearing can be impacted by role and related incentives, and not just by personality, the associated surveys are structured to mitigate any impact associated with role and incentives.

Heuristics and biases apply to judgments of risk. The heuristics and biases approach focuses on heuristic principles that underlie judgments. An example of a heuristic principle is the representativeness principle, in which people's judgments are based on how representative an object is relative to a particular class. For example, a trader looking at a rising price trend on a trading screen is inclined to form an opinion about whether or not the trend will continue. If the trader believes that the price changes displayed are representative of strong fundamentals, he will be inclined to predict that the trend will continue. If the trader believes that the recent price changes are chance deviations from stable fundamentals, representativeness-based thinking will induce him to predict that the trend will reverse.

Heuristic-based judgments are prone to feature particular biases, based on underlying views. Traders who rely on representativeness and view the fundamentals as being strong are prone to a bias known as the hot hand fallacy, predicting excessive continuation. Conversely, traders who rely on representativeness and view fundamentals as being stable are prone to a bias known as the gambler's fallacy, predicting unwarranted reversals.

The heuristics and biases approach identifies many biases. A person exhibits excessive optimism when she attaches too high a probability to the occurrence of favourable events and too low a probability to the occurrence of unfavourable events. A person exhibits overconfidence about his knowledge when he establishes confidence intervals that are too narrow.

Plural risk management and interacting personalities

Conflicts between front office and middle office can often be traced to personality differences. An approach known as plural rationality theory characterises four archetypal personalities that are germane to risk management. These four styles are respectively called maximisers, conservators, managers and pragmatists. Notably, these personality types implicitly embody the features emphasised in the behavioural risk management framework.

Roughly speaking, maximisers believe that markets are inherently stable, with a tendency for destabilising shocks to fade away, thereby leading to reversals. For traders, this view not only informs the directions of their trades, but leads them to attach more weight to expected profitability than to risk.

Conservators believe that markets are inherently unstable, and that shocks can generate destabilising moves that cascade into major systemic events. As a result, conservators favour strong risk limits to protect against cascading drawdowns.

Managers believe that markets are stable when shocks are small, but unstable when shocks are large. Managers' beliefs effectively blend those of maximisers and those of conservators.

Pragmatists believe that markets are so unpredictable that it is impossible to form an opinion about the stability question. Instead they favour establishing contingency plans for staying flexible with an ability to respond to different scenarios.

Within a financial firm, judgments and decisions about risk will reflect the personality mix of its members. If we accept the characterisation of Luyendijk's interviewees, traders are most likely to be maximisers or managers. Those in risk and compliance are most likely to be managers, but some will also be conservators or pragmatists.

The plural rationality framework is more granular than the extreme characterisations which emerge in Luyendijk's interviews. These characterisations featured stereotypes at the extremes, with aggressive traders at one end and paranoid risk managers at the other.

To be sure, a financial firm's culture partly reflects its mix of personalities, and the relative strength of these personalities in respect to power. As one of Luyendijk's interviewees describes it, traders attempt to lower risk estimates, and in consequence people in the middle office must be strong.

The culture also reflects how members of the organisation view those whose personalities are different from their own, as perceptions colour the interactions they have with each other. The risk managers that Luyendijk interviewed compared traders' views of their colleagues engaged in risk and compliance to footballers' views of linesmen: losers who run back and forth on the field, stopping talented players from accomplishing great things. As for relative strength, one risk manager told Luyendijk that nobody challenges the front office, there being a climate of fear and blame where employees can be fired in five minutes.

Psychology plays an absolutely critical part in the interactions between front office and those working in the middle office. Behavioural risk management theory provides a systematic framework for analysing how the judgments and decisions at the level of the organisation emerge through constrained maximisation, factoring in both the personality mix and the relative strength of the different components of the mix.

Hersh Shefrin
Mario L. Belotti Professor of Finance
Santa Clara University
T: +1 (408) 554 6893
E: hshefrin@scu.edu

PERSPECTIVES

BE A SPORTING HERO: SORT OUT YOUR GOVERNANCE
BY LOUISE THOMSON
> ICSA: THE GOVERNANCE INSTITUTE

Barely a week goes by when the integrity of some high-profile sporting organisation is not called into question. You need look no further than FIFA, the International Association of Athletics Federations (IAAF) and more recently tennis to see the damage that can be done to reputation when individuals or the bodies that govern them are found lacking. With sport a multibillion pound industry, sports stars, sponsors and sporting bodies run the risk of damaging more than just their reputation.

Protecting the bottom line

Some stars, clubs and sporting bodies earn a fortune from sponsorship deals. The household names that sponsor the more high profile sports like rugby, tennis and football are not keen on being associated with individuals, clubs or governing bodies that do not match up to the wholesome image they are trying to portray. FIFA has lost numerous sponsors, including big names such as Sony and Emirates, since the exposure of bribery and corruption at football's governing body. With top-tier sponsors paying between £16m and £31m a year, and each four-year World Cup cycle bringing in over £1bn in sponsorship revenue, it is clear that these are high money stakes.

Do your homework

With brand and reputation so closely entwined, it is essential that a considerable amount of thought is given to celebrity brand endorsement, and by both sides. A major sports star might be paid millions to promote a product, but this endorsement could prove toxic if the trainers he or she is wearing are the product of child labour. Equally, a company selling family values might not want Tiger Woods as their figurehead.

Background checks need to be more thorough. Nike could have saved itself the expense of having to pull an advert featuring Oscar Pistorius that had the strapline 'I am the bullet in the chamber' if they had delved a little deeper into his background. Even without him facing a charge for premeditated murder, better due diligence could have helped them discover that he had been involved in a gun incident in a South African restaurant. A fondness for guns is not necessarily something all companies want associated with their brand.

Stopping the rot

Sporting scandals are nothing new, and nor are they confined to one sport in particular. Formula 1 had 'spygate' courtesy of McLaren, rugby has had fake blood, cricket has had to contend with ball tampering and cycling has had the 'Tour de Dopage', to name but a few. What is worrying with so many sports implicated is that cheating, the very antithesis of what sport is about, appears endemic. Match fixing can be linked to individual greed, the FIFA debacle was the result of both greed and unfettered power, and doping scandals like those seen in Russia, and now alleged in China, are a failure of institutional culture. Whatever the reason, the effect is always negative. Something needs to be done to stop sport damaging itself so irrevocably that people stop paying to take part, attending as a spectator or even watching it on TV.

The answer is good governance. Governance in terms of the independent monitoring of dope-testing labs and those who can, potentially, control them or cover up or defer the consequences for those caught. Governance in terms of ensuring that there is a robust internal reporting process in place so that sportsmen and women can be confident that their information will be acted upon should they choose to blow the whistle on fellow competitors. Governance in order to tackle conflicts of interest, such as the recent Lord Coe/Nike debacle. Most importantly, governance in terms of the relevant board making sure that there is a culture throughout the sport that militates against cheating. Zero tolerance for cheating is essential to keeping sport clean.

As sport has become more professional, with top players earning more in a year than most people will earn in a lifetime, increased prize money, training demands and media coverage, there has been an expectation that those who govern those sports have professionalised their approach too. This couldn't be further from the truth. Many sporting bodies are still run by volunteers, who might be passionate about their particular sport but not necessarily skilled in governance arrangements. A grass roots football club like Hinckley Athletic hardly has the same balance sheet as a Premier League giant like Arsenal, and this disparity dictates their ability to pay professionals to manage the clubs' affairs. There is likely to be a vast difference in terms of the knowledge, time and resources available for good governance at each.

Increases in lottery and commercial funding for sport have increased the financial responsibilities of organisations, and with the UK government undertaking the largest review of sports policy in over a decade, more change in the way sport is funded and managed looks set to follow. It is questionable, however, whether everybody really understands what is required of them.

Thirty years ago the term 'corporate governance' barely existed in the vocabulary of business leaders, let alone those charged with leading sport at international or domestic level. Now it's on the agenda, in some shape or form, of every board and committee meeting of those organisations and clubs who manage sport. How qualified are volunteers in the sector to manage and lead in this increasingly complex world? 'The need for diverse and skilled boards with clarity of their role and the governance landscape has never been greater,' says Craig Hunter, GB Chef de Mission for the London 2012 Paralympic Games and founding director of corporate governance and compliance consultancy VERSEC Limited.

The key factors in governance failures generally boil down to human factors. Even where policies and procedures are robust and effective on paper, operator error can render them useless in practice. Just as sports stars must train before they become experts, those involved in the governance of sport need to be trained too. This applies equally to directors and trustees, as well as employees charged with governance related roles, such as company secretaries. Continued training and development is crucial.

Governance is not a foolproof solution. It will not protect against deliberate fraud or criminal behaviour, but it should make it harder for people to act in such a manner, and that is why it is important. To improve and uphold standards of governance, it is imperative that the right people have the right knowledge to do the jobs they have been asked to do. As Hugh Robertson, ex-Minister for Sport and the Olympics, stated in his foreword to the 2011 Voluntary Code of Good Governance for the Sector by the Sport and Recreation Alliance, 'Dedicated professionals working within strong, independent, transparent and accountable organisations are the best way of ensuring that their sport is able to reflect the identity and expectations of the whole community.' As the birthplace of football, tennis, rugby, golf and cricket, it is incumbent upon us in the UK to ensure that sport is something to be proud of, not something to be deplored.

The top priorities for sporting bodies should be, firstly, to act with integrity. This requires adopting a zero tolerance policy towards cheating and improper behaviour. They should also define and evaluate the role of the board and consider the risks they are facing, including their appetite for risk and how to mitigate risk, including those risks over which they have no control. Sporting bodies should be accountable and transparent, and be clear about conflicts of interest: any real or perceived favouritism or advantage gained because of that conflict can spread disillusion and lack of trust faster than it can take to declare an interest and manage it accordingly. Finally, sporting bodies should have a balanced, inclusive and skilled board, and ensure that their board members have continuous training.

Louise Thomson
Head of Policy (NFP)
ICSA: The Governance Institute
T: +44 (0)20 7612 7040
E: lthomson@icsa.org.uk

PERSPECTIVES

WHAT IS YOUR MILLION DOLLAR BLIND SPOT SCORE?
BY GARY W. PATTERSON
> FISCALDOCTOR

Every business of significant size periodically suffers from 'million dollar blind spots', or more precisely, blockages that increase risk and dramatically restrict growth. However, this is not an insurmountable obstacle; each of us has within our power the means to identify, and then solve, these organisational blind spots.

Unwelcome surprises

C-level executives and board members, at some point, have probably been surprised by bad news affecting their organisation and its bottom line. A 3am phone call, a 'We need to act, fast!' memo, or a nervous or angry knock at the office door; experience shows that these crises stem from three main categories: unforeseen blind spots of varying degrees, systemic and widespread communication failures, and outright fraud and deceit.

Blind spots

We are all prone to a variety of blind spots, ranging from those we might not believe could happen, which are off the radar or beyond our comprehension, to a vague, unsettling sense that something, somewhere, is wrong.

Unforeseen blind spots

Some blind spots are difficult to anticipate, but likely fall into one or more of the following categories. First, there is the incomprehensible. Many businesses were blindsided by the incomprehensible 1980 eruption of Mount St. Helens in Washington State. Mother nature is impartial, and so are stakeholders. The unanticipated requires a crisis management strategy.

Next there is the 'we ought to know better' blind spot. Thwarting regulations didn't pay off for lenders or borrowers involved in 'liar loans', which blindsided investors during the recent mortgage meltdown. A liar loan occurs when a lending institution tells a prospective borrower that he or she needs income X in order to qualify for a mortgage, but then slyly assures the prospect that their reported income won't be verified. Management should have stopped this unethical practice. Barring that, regulators ought to have reported it.

Thirdly, there is the 'it's possible, though unlikely' blind spot. These are risks we generally rank as on the radar, yet we mistakenly view them as being comfortably remote. We don't take the necessary steps until it is too late. And 'too late' strikes lightning-fast, particularly for billion-dollar companies leveraging incredible IT resources. In 2012, a computer glitch cost American global financial services firm Knight Capital Group $440m within 30 minutes, nearly destroying the firm. That kind of result is possible, though extremely unlikely... until it happens to you. Was someone asleep at the switch?

Finally, in terms of unforeseen blind spots, there is the notion that something just doesn't feel right. Is it just my imagination, or... High-growth companies provide fertile ground for this problematic thinking or assumption. For example, inventory may be flying out the door amid a strange, progressive increase in stock levels. Though this doesn't seem right, business looks so good. This core problem can go on for a long time before alarm bells sound. Will this firm face product obsolescence? Is there poor inventory planning? The beginning of an economic slowdown? These are all examples of a specific core problem which might explain this particular disturbing gut-feeling symptom.

Communication failures

Organisations sometimes encounter problems with their communication channels. Issues range from a lack of trust within the organisation to people just not speaking the same language (figuratively and linguistically), to misunderstandings in how different people interpret data.

The first communication failure blind spot relates to magic thinking: 'Maybe somebody else will fix it.' In instances such as these, executives often sense that there may be a core problem, but fall short in their responsibility to tackle the issue, preferring to assume that it has been successfully delegated elsewhere. Maybe they feel they are too busy, or maybe they are just saying they're too busy or they lack the tools needed, but in any event, they hope somebody else steps up. Executives often intentionally refuse to seek out problems, particularly in an environment where everybody is already scrambling to keep up with the needs of the business or put out other fires.

The second communication blind spot is the notion that with acknowledgement comes blame, or 'passing the buck'. Some members of the management team know that a large problem needs to be addressed, but ignore it because they fear others will blame them for not correcting it earlier. The longer a significant problem goes unaddressed, the greater the likelihood executives will ignore it as well. In the political realm, funding for future social security benefits is a perfect example.

Next is the fear of owning the problem. Somebody within the organisation may be sort of aware that a significant problem needs to be addressed, but they fear that bringing it to light equates to volunteering responsibility for the solution on top of their many other responsibilities and commitments. This scenario is most likely when executives or staff are overextended and overworked.

A lack of a common language is another communication failure. Teammates may discuss the problem at lower levels but the conversation doesn't, or hasn't, bubbled up to the C-suite, where resources can be properly deployed. 'Ah, the boss isn't going to do anything about it...' This trust gap is common to every type of organisation. This unfortunate, though entirely preventable, situation occurs when subordinates regard their leadership as indifferent, manipulative, cowardly or so politically motivated that they speak out of both sides of their mouths.

The final communication failure blind spot relates to the notion of shooting the messenger. When staff see that the first person to raise a problem is scapegoated and penalised, you can be certain the rest will take the lesson and keep their mouths shut when other problems are encountered. Again, this negative and often fatal organisational climate is all too common.

Fraud and deceit: the human factor

All people within organisations are prone to basic human failings. Highly trusted colleagues can and do work against organisations for their own benefit. They stay on guard, protect their people, their reputation and their growth potential, and they perform due diligence. The last potential blind spot relates to the scourge of duplicity. Some unscrupulous people pursue self-aggrandising agendas through lies and deceit. This brings to mind images of two-faced bosses and the 'other side's' politicians. Perhaps the most notorious example for sheer scale is Bernie Madoff, an outright crook by all standards, yet thousands of smart, accomplished people and institutions trusted him with their lives, fortunes and futures.

The 10 causes of negative surprises outlined above can hinder, harm and ultimately cripple a business. Although each cause has subtle differences, they all fall within three general categories: unforeseen blind spots of varying degrees, systemic and widespread communication failures, and outright fraud and deceit.

Companies are encouraged to reflect on each area and ask honest, probing questions about potential weaknesses in their own corporate culture that may give rise to these blind spots.

Gary W. Patterson
Founder
FiscalDoctor
T: +1 (678) 319 4739
E: gary@FiscalDoctor.com

ONE-ON-ONE INTERVIEW

IDENTIFYING AND MANAGING RISKS WITHIN FINANCIAL INSTITUTIONS

Alain Wijnants
Chief Executive Officer
Zurich Global Corporate in Benelux
T: +32 2 639 55 00
E: alain.wijnants@zurich.com

Alain Wijnants joined Zurich in 2007 as the chief executive officer for Zurich Global Corporate in Benelux. He is also a member of the European Management Team for Zurich Global Corporate. Over a 20 year career in insurance, Mr Wijnants has held a number of leadership and management positions where he developed and executed line of business strategies with CNA Insurance, AIG and Chubb, both in Paris and Brussels. Mr Wijnants also holds a Masters in Law from the Universitaire Instelling Antwerpen, Belgium.

Gerben Pauwels
Insurable Risk Manager/Chief Legal Advisor, KBC Group
Assessor, Belgian Competition Authority
T: +32 498 519 222
E: gerben.pauwels@skynet.be

Gerben Pauwels is a Belgian company lawyer, active in KBC's Group legal department since 1997. As of February 2015, he leads the Legal Policies & Operations unit (including the corporate insurable risk programme). Mr Pauwels has also been an assessor in the Belgian Competition Authority (layman judge in the decision taking panel) since 2013.

Wijnants: Could you provide an overview of some of the key risks, both traditional and emerging, facing financial institutions today?

Pauwels: Financial institutions are facing a number of key risks. First is the pressure on margins in an increasingly competitive and transparent environment. Second is the search for high yield investments in a low interest climate, which could trigger the risk of misselling. Third is legal compliance issues due to the regulatory tsunami, which raises legal uncertainty in a number of grey areas in the law. Fourth is competition law risk, including recent enforcement activity in financial markets, such as Libor, Euribor, precious metals, and sector investigations. Another risk is digitalisation driven by both client demand and cost pressure; for example, the use of the cloud to store certain data.

Wijnants: What strategies should financial institutions deploy to quantify and prioritise the risks they face? Is there often a failure to allocate specific roles and responsibilities to tackling the issue effectively?

Pauwels: Financial institutions should use a clear and intuitive risk scale that takes all relevant consequences into account: financial, non-financial and reputational. The allocation of specific roles and responsibilities should take place by using real life examples of possible risks, focused on the company as well as its peers.

Wijnants: Given that the scale and sophistication of cyber attacks on financial institutions is escalating rapidly, what can firms do to mitigate the risk of a damaging breach?

Pauwels: In my view, the awareness of all staff members is the first line of defence against cyber attacks. The development of training and monitoring tools is necessary; for example, do staff members actually open email attachments from unknown senders? Of course, the company should also have an experienced and dedicated ICT team which is provided with sufficient resources to monitor cyber space and learn from it. The ICT team should be empowered to take swift and appropriate action if a cyber risk emerges. Finally, a proper cyber insurance policy is a keystone to cover the remaining risk.

Wijnants: In your opinion, what tools and resources are most beneficial in helping financial institutions to navigate the myriad risks associated with regulatory compliance in today's highly scrutinised market?

Pauwels: There are several good tools available. However, it is important that a company tailors these tools to its specific needs, and in line with its culture. In any case, a seamless cooperation, both formal and informal, between the various control functions is indispensable to successfully navigate the myriad risks.

Wijnants: How would you characterise the relationship between a firm's insurable and non-insurable risk functions? What steps should financial institutions take to address these two risk categories?

Pauwels: In my view, a financial institution should treat all possible and real losses as if there was no insurance in place, in order to avoid any moral hazards.

Wijnants: Overall, what advice would you give to financial institutions in terms of developing and implementing an effective risk management strategy for their organisation? In your experience, what improvements need to be made?

Pauwels: Financial institutions should avoid theoretical concepts as much as possible. For example, the use of probability scales estimating the chance of occurrence of a certain risk of once in 300 years is not very helpful. The development of proper monitoring tools is a key element in improving the risk management of a company. In my experience, monitoring tools have to be at least developed in close cooperation with the business. The most effective monitoring tools are often created by the business itself. Furthermore, a clear root cause analysis for each significant loss, insured or otherwise, combined with a proper response to avoid future similar losses is crucial.

Wijnants: How do you expect risks and risk management processes to unfold for financial institutions in the coming years? What trends are likely to shape the industry, particularly in light of moves to strengthen global financial markets?

Pauwels: Financial institutions have an important role to play in society. Accordingly, walking the talk will become even more important. Risk management processes should therefore also take reputational issues into account. We expect increased competition and transparency in the market, and a rising intensity of controls by an increased number of regulators, such as the FCA controls that will have more of a global scope. Last but certainly not least, the financial industry will be driven by the unknown speed of digitalisation and technology (for example, who to insure in relation to self-driving cars), which creates both new opportunities and new risks.

PERSPECTIVES

MIFID II IMPLEMENTATION IS DELAYED AGAIN BUT THERE'S NO ROOM FOR COMPLACENCY

BY JONATHAN ENGLISH
> ALLEGRO DEVELOPMENT

MiFID II's arrival in the European commodity markets was delayed last year from January 2017 to January 2018. However, the chair of the European Securities and Markets Authority (ESMA) recently suggested that even the proposed 12-month delay may actually not be enough.

While many of MiFID II's regulatory technical standards are still being outlined, EU member states are procrastinating over ratification. This means that there is a lot of uncertainty about what actions are required to implement MiFID II and we are already hearing that many smaller firms are scaling back their implementation efforts.

It would be a shame if that points to a wider industry trend, because this latest set of rules aimed at regulating commodity trading has serious and complex operational implications which require an equally measured and well-planned technology response.

MiFID II consists of a directive, which must be implemented by each EU Member State, and a regulation which is applied across the EU. As with the recently implemented EMIR and REMIT regimes for commodity trading, technical standards and other secondary legislation must be drafted and adopted by ESMA before legislation can be implemented.

Although it is too soon to make major changes, the experience of EMIR in 2014 (beset by delays, then rushed in with a 90 day final deadline) means steps to comply with MiFID II need to be taken now. Even with so much up in the air, there are things you can do to mitigate exposure to regulatory risk.

Smart technology investments can help by surfacing exposures in the trading portfolio and providing quick assurance that trades and related activities happening today are at least aligned with the current direction of travel for MiFID II compliance. This has already been shown through EMIR and REMIT, which compelled many companies to invest in or revisit their Commodity Trading and Risk Management (CTRM) systems. MiFID II could well necessitate another round of IT upgrades, particularly in the area of reporting to trade repositories.

While it is still too soon to make firm or detailed recommendations, the due diligence process with vendors should begin now, if it isn't already underway.

Despite the possibility of an extended deadline, there are alternatives in terms of what large energy consumers and financial services companies can do now to prepare for MiFID II. Managing the process by spreadsheet is not one of them. There are electronic reporting and data storage requirements involved in each set of regulations that will quickly overwhelm manual processes.

Outsourcing may be a solution, but it comes with its own costs and risks. There is the added overhead of an ongoing contract to manage, so how active you are in the energy trading arena will determine your breakpoints financially. But in the end, do you really want to outsource a liability you will ultimately be held accountable for should any errors or delays in compliance occur? A third party provider will most likely not be responsible for paying fines. Even if you could negotiate a contract that held them financially liable, what would an infraction mean to your brand reputation? The collateral cost of cleaning up a public relations nightmare could be devastating.

That leaves accepting higher energy prices by abandoning a hedging strategy altogether, or automating the process. After weighing the options, automation is the best business decision.

Automating regulatory processes requires a basic energy trading and risk management (ETRM) system, which is a comprehensive regulatory solution for commodity trading and corporate financial compliance. ETRM is generally not a standalone application and needs to incorporate contract data, hedge accounting, revenue allocation and the all-important regulatory reporting requirements for your geographic markets.

In light of the evolving standards for EMIR and REMIT, you will want to choose a solution that allows you to upgrade and manage your regulatory compliance process quickly. Another qualifier to consider is the ability to install software on a captive system and maintain it internally, or purchase a software-as-a-service contract and maintain it virtually in the cloud. Implementing this option could affect your overall total cost of ownership as you integrate the system into other areas of the business.

Direct connectivity to trade repositories should also be a core capability, including all required regulatory identifiers and formats. The system should be able to simplify the threshold monitoring for non-financial counterparties (e.g., energy intensive businesses operating a hedging strategy) and facilitate risk mitigation obligations, including EMIR's requirement for periodic portfolio reconciliations.

It is a frustrating reality of commodity trading that, if it isn't geopolitics or extreme weather injecting risk into the energy value chain, today's regulatory environment constantly evolves new rules and penalties, creating uncertainty. The fastest and best approach to meeting MiFID II's regulatory requirements is an automated solution.

Jonathan English
Managing Director, EMEA & APEC
Allegro Development
T: +44 (0)20 7382 4310
E: j.english@allegrodevelopment.com

PERSPECTIVES

MODERN SLAVERY REPORTING REQUIREMENT: DON'T TREAT THIS AS A BOX-TICKING EXERCISE

BY DAVID NOBLE
> CHARTERED INSTITUTE OF PROCUREMENT & SUPPLY (CIPS)

Under the UK Modern Slavery Act, which came into force in October 2015, commercial organisations with a turnover of £36m or more, that supply goods and services in the UK, must publish an annual statement explaining what they are doing to eliminate slavery from their supply chains. The statements must be iterative and show year on year progress. The reporting requirement applies to organisations with their financial year ending on or after 1 April 2016.

Modern slavery, as defined by the Act, encompasses all forms of unjust labour: human trafficking and slavery, servitude and forced or compulsory labour. The prevalence of modern slavery in the UK and beyond cannot be overlooked or underestimated. A recent study by Walk Free found that slave labour contributes to at least 136 products made in 74 countries.

In the UK alone, the National Crime Agency identified over 3300 victims of human trafficking, many of whom are also subject to unfair working conditions. The fact that modern slavery is often hidden deep down in the tiers of the supply chain, and is rooted in the business culture where profit maximisation takes precedence over human worth, makes it very difficult to detect and deal with.

The Act has been designed to put the onus on businesses to monitor their suppliers and ensure there is no modern slavery at any stage of their supply chain. With the reporting requirement, businesses that fail to take meaningful action risk damaging their reputation and consequently their bottom line. This is because consumers, armed with valuable information, can now make informed decisions at the checkout, and in this world of fast communications, anyone caught out is instantly pilloried.

Despite this upcoming milestone, our research found that the majority of businesses are still woefully unprepared. As the deadline for reporting looms, almost one in five UK supply chain managers at businesses which fall under the new rules are unaware of the requirements, with 38 percent unable to say when their first modern slavery report will be due.

More alarmingly, businesses are failing to take basic steps to identify modern slavery in their supply chains. Our research found that of businesses with an annual turnover of £36m and over, just a third claim to have mapped all their suppliers to understand the potential risks and exposure to modern slavery. Only 41 percent of these businesses have ensured all UK workers in their supply chains are in receipt of the minimum wage and that robust immigration checks are in place. In addition, less than 28 percent of businesses in this group claim to have provided training to employees and local suppliers on modern slavery, despite a quarter of the procurement professionals surveyed citing lack of skills as the main obstacle in dealing with the issue.

Under the new reporting rule, businesses have the option to simply state that they have taken no steps on modern slavery, and still comply. Such a declaration, however, could damage both their reputation and ultimately profit if slavery is found in their supply chains and consumers or business partners decide to go elsewhere as a result. In fact, over four in five procurement professionals surveyed believe reputational damage would have the biggest impact on their business if slaves were to be found in their supply chain. Unfortunately, under the confines of the Act, there are no penalties apart from an injunction to force a company to complete the statement, which is likely to happen to larger companies.

What can be done to safeguard vulnerable people and your business?

It is true that today's global supply chains are becoming longer and more complicated but it is possible for businesses to take definite steps to ensure that their procurement practices comply with the Act and do not contribute to modern slavery at any stage. Businesses could start with putting in place the Three Ps framework: policies, processes and planning.

Policies. Businesses should put policies in place to prevent and detect modern slavery within their own operations and the operations of suppliers and business partners. With this, businesses are advised to establish codes of conduct which set out the essential standards of personal and corporate conduct and the behaviours expected. Systems should be in place to ensure that whistleblowers' identities are protected and that they have board-level support.

Processes. Businesses can establish processes to identify vulnerabilities within their supply chains. While it is impractical for some companies to audit and monitor each and every supplier in their entire supply chain and at all levels, businesses should be able to identify key vulnerabilities, resulting in a risk management approach and ethical procurement.

Planning. Businesses should plan for situations where corrective action is needed. This can take place through audits, media reports and assisting whistleblowers. If necessary, businesses should be prepared to exit a relationship with a supplier if they are found to condone or support modern slavery.

The Modern Slavery Act reporting requirement means that businesses can no longer just turn a blind eye to slavery within their supply chains. If they are unable to convincingly outline the steps they are taking to eradicate human exploitation, they risk significant damage to their own business.

As the deadline for UK businesses to report on modern slavery approaches, businesses should take decisive action to tackle the issue head-on, rather than treat this as a box-ticking exercise, at best.

David Noble
Group Chief Executive Officer
The Chartered Institute of Procurement & Supply (CIPS)
T: +44 (0)1780 756 777
E: press@cips.org

PERSPECTIVES

THE FOREIGN SUPPLIER VERIFICATION PROGRAM: SIGNIFICANT NEW REQUIREMENTS FOR IMPORTERS OF FOOD INTO THE US

BY LESLIE T. KRASNY
> KELLER AND HECKMAN LLP

The FDA Food Safety Modernisation Act (FSMA) was signed into law in 2011, and is the most significant reform of US food safety laws in over 70 years. The FSMA represents a dramatic change in the country's regulatory approach to improving food safety by making prevention the key goal, rather than detection and response. Industry will be required to verify the safe production and handling of food, both domestic and imported, utilising comprehensive, risk-based standards.

In November 2015, the US Food and Drug Administration (FDA) issued a final rule, under FSMA, to implement the Foreign Supplier Verification Program (FSVP). The final rule was effective in January 2016, and importers have at least 18 months to comply.

The current food import system relies heavily on government inspection at the point of entry. The FSVP imposes a mandatory food safety programme that places major responsibility on importers and foreign suppliers, and FDA estimates that approximately 60,000 importers will be covered. This focus responds to the enforcement challenges resulting from the fact that 15 percent of the US food supply is imported, although less than 2 percent of imported foods are inspected upon entry.

The FSVP requires importers to verify that safety standards for imported foods provide the same level of public health protection as those required for domestic foods under FSMA: the Hazard Analysis and Risk-Based Preventive Controls (HARPC) rule for processed foods, the Produce Safety rule for fruits and vegetables, and the revised Good Manufacturing Practices (GMPs). Also, importers must verify that the foods are not adulterated or misbranded (with respect to allergen labelling) under the Federal Food, Drug and Cosmetic Act (FD&C Act).

An importer, for purposes of the FSVP, is the US owner or consignee of a food that is being imported, and is further defined as the person in the US who, at the time of entry, either owns the food, has purchased the food, or has agreed in writing to purchase the food. If there is no US owner or consignee at the time of entry, the importer is the US agent or representative of the foreign owner or consignee. The importer under the FSVP might be, but would not necessarily be, the importer of record under US Customs and Border Protection (CBP) provisions.

Importers subject to the FSVP must: (i) determine hazards that are reasonably likely to cause illness or injury (such hazards may occur naturally, may be unintentionally introduced, or may be intentionally introduced, i.e., economically motivated adulteration); (ii) evaluate the risk and approve foreign suppliers; (iii) conduct supplier verification activities, such as onsite audits, sampling and testing of foods, and review of the foreign supplier's relevant food safety records; (iv) take corrective actions, as appropriate, to control a hazard; and (v) maintain records of FSVP activities.

Importers may not be dealing directly with the foreign supplier, and the FSVP permits importers to obtain information relevant to compliance from other entities in the supply chain, such as distributors or consolidators, provided that the importer documents its review and assessment of the information. Also, an importer may rely on a customer to ensure that foods will be subsequently processed to control hazards if the proper assurances are obtained and documentation accompanies the shipment.

The development, implementation and management of the FSVP must be conducted by a qualified individual with the requisite training, education or experience. Moreover, such qualified individual must not have any financial conflicts of interest that could influence the results of the verification activities.

The FSVP includes a number of exemptions. Foods subject to juice or seafood Hazard Analysis and Critical Control Point (HACCP) requirements are exempt, for example, as are foods regulated by the United States Department of Agriculture (USDA): meat, poultry and egg products. Low-acid canned foods (LACF) are exempt with respect to microbiological hazards. Alcoholic beverages imported from a foreign supplier that is a facility are exempt provided that, if the facility were domestic, it would be required to meet Department of the Treasury requirements as a condition of doing business in the US, and that the foreign supplier is required to register with the FDA as a food facility because it is engaged in the processing of food (alcoholic beverages). Another exemption applies to foods for which a hazard analysis has been conducted but there are no identifiable hazards requiring a control.

There are modified requirements for very small importers, imports from small suppliers, foods that are transhipped or imported for processing and export, foods that are returned to the US without further processing in a foreign country, and imported dietary supplements manufactured in compliance with FDA's GMPs for supplements. Importers of foods from qualified facilities under HARPC also have modified requirements, such as not being required to conduct a hazard analysis, and can verify foreign suppliers by obtaining written assurance of the supplier's compliance with applicable food safety requirements.

Importantly, foods imported from a country with an officially recognised or equivalent food safety system are exempt from most FSVP requirements. At this time, New Zealand is the only country officially recognised as having a food safety system comparable to the US.

Generally, exemptions from the FSVP are parallel to exemptions from the HARPC and Produce Safety rules, to create a level playing field. But domestic food contact substances are not subject to HARPC, while imported food contact substances are currently subject to the FSVP. The reason for this inconsistency is that food facilities registered with the FDA under the Bioterrorism Act are subject to HARPC (unless exempt), but domestic facilities that only manufacture food contact substances are not required to register under the Bioterrorism Act. The FSVP, however, applies to imported food, as defined in section 201(f) of the FD&C Act, rather than to facilities. Food contact substances fall within a strict definition of food under this provision, and therefore will be subject to the FSVP unless FDA acts to remove this additional level of regulation that is being imposed only on foreign suppliers of food contact substances.

The failure to import foods that meet FSVP requirements will be a violation of the FD&C Act. Enforcement options for violations of FSMA include strict criminal liability, which can be imposed on individuals, under the responsible corporate officer doctrine, even in the absence of actual knowledge, if the individual had the responsibility and authority to prevent or correct the food safety violations. Misdemeanour convictions are punishable by up to one year of imprisonment and a fine of up to $100,000 for an individual. Greater fines may be assessed if there is a substantial risk of bodily injury or death. Felony counts can be brought for knowing violations.

It is critical to determine an appropriate importer for purposes of the FSVP, to confirm that such entity will take responsibility for implementing the FSVP, and to have the importer evaluate the applicability of requirements on a case-by-case basis. FDA provided flexibility, as sought by industry, but now the onus is on companies throughout the supply chain to ensure compliance.

Leslie T. Krasny
Partner
Keller and Heckman LLP
T: +1 (415) 948 2810
E: krasny@khlaw.com

PERSPECTIVES

NEW IRAN BUSINESS OPPORTUNITIES FOLLOWING EU AND US SANCTIONS RELAXATION

BY MAURY SHENK AND ANTHONY RAPA
> STEPTOE & JOHNSON LLP

On 16 January 2016, the European Union and the US formally implemented the Joint Comprehensive Plan of Action (JCPOA) nuclear agreement with Iran, lifting a broad range of economic sanctions and clearing a path for Iran to reintegrate itself into the global economy. Most of the sanctions relief is directed at non-US companies and individuals, including non-US subsidiaries of US companies, which are authorised to engage in trade with Iran (subject to certain limitations) for the first time since 2012. Overall, the JCPOA sanctions relief should spur significant economic activity with Iran, although risks remain, including for US dollar payments related to Iran.

EU changes: substantial elimination of sanctions

Until 16 January, the European Union and its member states imposed targeted sanctions on various sectors of the Iranian economy, including nuclear, oil and gas, shipping and financial services. The sanctions also froze the economic resources (i.e., assets and other transactional opportunities) of a significant number of listed entities and individuals, and required notification to EU member state authorities of payments to or from Iran of €10,000 or more (even for otherwise permitted transactions).

These sanctions have now been substantially eliminated. The EU does retain an arms embargo on Iran and certain sanctions related to nuclear proliferation, and a smaller number of entities and individuals remain subject to a freeze of economic resources. As a result, most commercial trade by EU entities with Iran is now permitted. That is, unless it still falls foul of US sanctions.

US changes: relief for non-US companies and individuals

The US sanctions relief, while far less sweeping, is much more complex. The US has relaxed three main types of sanctions targeting Iran: (i) secondary sanctions that allowed the US to penalise non-US persons engaging in certain types of business with Iran; (ii) sanctions that prohibited non-US subsidiaries of US companies from engaging in trade with Iran; and (iii) certain narrow categories of sanctions applicable to US persons.

There are various implications of this sanctions relief.

Non-US individuals and companies can do business with most sectors of the Iranian economy without fear of running afoul of US sanctions. Certain restrictions remain in place, including sanctions applicable to dealings with Specially Designated Nationals (SDNs), i.e., restricted entities and individuals associated with Iran, and the Islamic Revolutionary Guard Corps (IRGC). Although US authorities lack direct jurisdiction over entirely non-US entities dealing with SDNs or the IRGC, they retain the ability under US secondary sanctions to deny certain benefits under US law to companies who do so.

US citizens, lawful permanent residents (i.e., green card holders), and companies and persons located in the US, remain subject to a broad embargo on transactions with Iran. However, they can now engage in certain narrow categories of trade with Iran. There is a general licence in place authorising imports of foodstuffs and carpets, and a favourable policy for the issuance of specific licences for export of commercial passenger aircraft.

US banks remain prohibited from providing financial services or processing transactions related to Iran without a licence, with the exception of the imports of foodstuffs and carpets and exports of aircraft noted above, and certain other narrowly defined activities. Because many international US dollar payments flow through US clearing banks, this can result in difficulties in processing of US dollar payments associated with Iranian transactions, even when the underlying transaction is not prohibited by US sanctions.

The sanctions relief accorded to non-US subsidiaries of US companies is particularly notable. Before 2012, such entities were authorised to engage in most trade with Iran, and now are again authorised to do so, subject to certain restrictions. The US Department of Treasury, Office of Foreign Assets Control (OFAC) has issued General License H authorising such subsidiaries to engage in business with Iran to the same extent as other non-US entities, except that they remain prohibited from engaging in the following activity: (i) exports from the US to Iran of goods, technology or services; (ii) re-exports to Iran from a third country of any US-export-controlled goods or technology; (iii)

is not authorised under the JCPOA; and (viii) activity that is restricted under US sanctions targeting Iran's weapons of mass destruction proliferation activity, support for terrorism, destabilisation of Syria and Yemen, and human rights abuses.

Notably, General License H provides a limited authorisation for US persons to: (i) establish operating policies and procedures for non-US subsidiaries to engage in authorised transactions; and (ii) make available automated (i.e., operating without human intervention) and globally integrated (i.e., available to and used by the global organisation) business support systems that are required to process information related to authorised transactions between the non-US subsidiaries and Iran. US persons remain otherwise subject to the ITSR prohibition on facilitation or approval by non-US persons (including non-US subsidiaries operating under General License H) of activities that otherwise

would be restricted if performed by a US person or

transfers of funds through the US nancial system

from the US.

for Iran-related activity; (iv) transactions involving any

For non-US companies and non-US subsidiaries

person on the SDN List (including, arguably, entities

of US companies, it remains important for any US

owned 50 percent or greater by SDNs) or on the

citizens or lawful permanent residents to be recused

Foreign Sanctions Evaders List; (v) activities involving

from Iran-related activities. Such recusal policies,

any item subject to the US Export Administration

if adopted properly, should not fall afoul on the

Regulations (EAR), and transactions involving

prohibitions under the ITSR on circumvention of

persons subject to certain export restrictions under

sanctions and facilitation of prohibited transactions.

the EAR; (vi) transactions involving Iranian military,


paramilitary, intelligence or law enforcement
agencies or ofcials; (vii) certain nuclear activity that
84 RISK & COMPLIANCE Apr-Jun 2016

www.riskandcompliancemagazine.com

NEW IRAN BUSINESS OPPORTUNITIES FOLLOWING EU AND US...

Conclusions
The relaxation of EU and US sanctions provides
signicant new opportunities for business with Iran,
particularly for European companies and non-US
subsidiaries of US companies. However, pitfalls

PERSPECTIVES

Maury Shenk
Senior Advisor
Steptoe & Johnson LLP
T: +44 (0)20 7367 8050
E: mshenk@steptoe.com

remain, including ones associated with the broad


remaining US sanctions on US persons, the intricacy

Anthony Rapa

of exceptions from US sanctions, and the challenges

Of Counsel

of making US dollar payments related to Iran. And


the overall Iran sanctions situation remains uid at
the date of this publication, new sanctions were

Steptoe & Johnson LLP


T: +1 (202) 429 8120
E: arapa@steptoe.com

being debated at the United Nations because of an


&
Iranian ballistic missile test. RC

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Apr-Jun 2016 85

PERSPECTIVES

THE DEATH OF DISCLOSURE-ONLY SETTLEMENTS: TRYING TO FIGHT PERVERSE INCENTIVES
BY BRIAN HOFFMANN AND PHILIP JOSEPH FEFFER
> MCDERMOTT WILL & EMERY LLP

Historically, where there have been mergers of public companies, lawsuits have followed. In the recent past, in Delaware, if there was a merger valued over $100m, odds were good (over 90 percent) that someone would bring a suit challenging the transaction. These cases, often referred to as a "merger tax", would be brought seeking only additional disclosures (sometimes of questionable value) and attorneys' fees. Companies would receive a broad release of all other claims related to the transaction in return for their agreement to the settlement. That practice might be over in Delaware after the recent decision by the Delaware Court of Chancery, In Re Trulia, Inc. Stockholder Litigation. There, the court wrote strongly about its disfavour for disclosure-only settlements with broad releases and warned against seeking their approval in the future.

Last year, the Delaware Court of Chancery ruled on two disclosure-only settlement cases, In Re Riverbed Technology and In Re Aruba Networks. The court rejected the proposed settlement for lack of sufficient benefit to the shareholders in In Re Aruba Networks. However, in In Re Riverbed Technology the court ultimately approved of the disclosure-only settlement. In doing so, the court stated that part of its justification was the parties' reliance on the history of the court's approval of similar settlements. The court then stated that parties in the future should not continue to rely on a precedent of disclosure-only settlement approval and warned against reliance on this specific case as approval precedent as well.

Following that theme, In Re Trulia, Inc. Stockholder Litigation rejected a proposed settlement to litigation challenging the merger of Trulia and Zillow. In the opinion, before addressing the merits of the case at hand, the court discussed general considerations for this brand of deal litigation and disclosure settlement. The court stated that this litigation often has no useful purpose, "infrequently creating real economic benefits for stockholders" (In Re Trulia, Inc. Stockholder Litigation). The court explained how the financial incentives destroyed the adversarial process of this deal litigation and left judges with the role of deciding whether or not plaintiffs received enough value for the general releases given to companies. The court noted that in an effective adversarial process motivated plaintiffs would enlist the help of financial advisers to aid in the process of sorting out unhelpful information and press for real value from the defendants; instead, judges without the specific training and background are left making a fairness judgement. The court had no doubts about judge-approved disclosure-only settlements being a cause of the large volume of deal litigation. The court commented on the widespread judicial concern growing around this settlement process before deciding to re-examine the whole process. Ultimately, the court clarifies that future disclosure settlements will be viewed unfavourably unless the supplemental disclosures address a plainly material misrepresentation or omission, and the subject matter of the proposed release is narrowly circumscribed to encompass nothing more than disclosure claims and fiduciary duty claims concerning the sale process, if the record shows that such claims have been investigated sufficiently.

There is some potential that this decision will be beneficial to defendants. It is possible that the plaintiffs' bar, seeing that it will be more difficult to bring a formulaic breach of fiduciary duty claim and get a settlement that covers fees without too much time and effort, will bring far fewer frivolous claims. It is more likely, however, that plaintiffs' attorneys will do an initial inquiry to see whether there is smoke and potential liability meriting further investigation. If there is, they will bring those stronger cases and ignore the ones that are not worthwhile.

It's clear that part of the motivation for these decisions was to address the actions of plaintiffs' attorneys in the hopes that it would change their behaviour. The decisions featured condemning language from the judges writing them. Even before Trulia's criticisms, the court in Riverbed Technology spoke at length about the agency problems and conflicts of interest between plaintiffs' attorneys and the proposed classes created by the incentives involved in deal litigation. In Aruba Networks, the court denied the settlement on the basis of inadequacy of the representation, saying it appeared there was no basis to file the case and that "this does look to me like a harvesting-of-a-fee opportunity". In addition, other jurisdictions are pushing back against disclosure-only settlement with similarly harsh words. Judge Ramos, in his acerbic decision in In The Matter Of Allied Healthcare Shareholder Litigation, stated: "[t]he rationale for this practice of rewarding plaintiffs' counsel without any meaningful recovery is that even unsuccessful derivative litigation serves a societal purpose. That merely bringing on derivative litigation that seeks to examine the doings of corporate America has a prophylactic effect discouraging malfeasance. Horse-hockey. If this was the standard, then all unsuccessful attorneys should be likewise compensated because, as examples, the motoring public would drive more carefully, doctors would avoid malpractice, spouses would not cheat and Wall Street would not have to be Occupied." Judges in many jurisdictions clearly felt the best interests of shareholders were not being represented.

While on the surface it may seem like fewer cases being brought is a win for companies, the defendants' bar should certainly be unhappy with the decision. Instead of the option of paying a modest fee and giving inconsequential additional disclosure in exchange for a general release barring all future claims, companies might have to risk exposure to serious liability. The court in Trulia, in warning of the possibilities of general releases preventing substantial recoveries for plaintiffs, mentions the near approval of a disclosure-only settlement in In re Rural/Metro Corp. S'holders Litig. that would have prevented the eventual over $75m judgment in that case. The risk of a similar judgment is the reason the defendants' bar would prefer the prior system of approving disclosure-only settlements. It was remarkable then, after noting Rural/Metro, that the court would address the possibility of plaintiffs continuing to bring these suits seeking disclosure settlements in other jurisdictions from the perspective of it being a negative for companies. The court even mentions the ability for Delaware companies to enact forum selection bylaws providing for exclusive Delaware jurisdiction. In reality, Delaware companies should welcome claims in more settlement-favourable forums and would likely waive the issue of jurisdiction if they sense that the plaintiff would be happy working together towards a disclosure-only settlement. Although this chance for life in other states remains, it is likely that disclosure-only settlements are dead in Delaware.

Brian Hoffmann
Partner
McDermott Will & Emery LLP
T: +1 (212) 547 5402
E: bhoffmann@mwe.com

Philip Joseph Feffer
Associate
McDermott Will & Emery LLP
T: +1 (212) 547 5827
E: pfeffer@mwe.com

PERSPECTIVES

PRINCIPLES FOR BOARDS IN OVERSEEING CYBER RISK MANAGEMENT
BY RICHARD KNOWLTON
> INTERNET SECURITY ALLIANCE (ISA)

As well as providing tremendous opportunities, the digital age brings numerous significant risks: the loss of intellectual property, the theft of customer data, fraud, reputational damage, disruption to critical infrastructure, and legal and regulatory sanctions, to name a few.

Many companies, especially SMEs, still believe that they are too insignificant to be the target of cyber attacks. This is completely wrong. In fact, most cyber attacks target smaller organisations precisely because they have fewer security resources. In addition to being targets in their own right, SMEs may also be an attack vector into the larger companies with which they do business.

Unfortunately, boards too often shy away from cyber issues, regarding them as "voodoo magic", accessible only to technology experts. We have to break through this mindset and approach cyber just like any other enterprise risk management issue. That means addressing it from a strategic, cross-departmental and economic perspective. The board may well require some expert technical inputs, but so does the management of business risks relating to tax, for example.

Boards of directors must ensure that their management has the appropriate tight grip on cyber threat management. To do this effectively, they need to follow four principles.

Ensure that management has an enterprise-wide cyber risk management framework

Individual departments and business units often make decisions without fully taking into account the interdependencies that come with modern digital systems. It is essential to break this tendency if a company is to manage cyber threats effectively. Boards, too, have a key role to play in this. They should ensure that their companies appoint a cross-functional cyber risk management team that represents all key stakeholder departments. This could include the heads of business units, legal, internal audit and compliance, finance, media relations, HR, IT and corporate security. They must also appoint a senior executive to lead the team, with the authority to drive action across multiple departments. That might be the CFO, CRO or COO, for example, but not the CIO, whose focus is purely technical. Furthermore, boards must develop and adopt a company-wide cyber risk management plan and internal communications strategy across all departments and business units. To repeat, while cyber security obviously has a substantial IT component, all stakeholders need to be involved in developing the corporate plan and to share ownership of it. They should ensure that the team meets regularly and produces reports for the board that monitor and quantify the business impact of cyber threat risk management efforts. Developing and adopting a total and adequately resourced cyber risk budget is a further task for the board. The budget for cyber security should not be exclusively tied to the IT department, precisely because cyber threat management is not just a technology or IT issue.

Ensure there is adequate access to cyber security expertise and give cyber risk management issues regular and adequate time on the board meeting agenda

Most boards of directors recognise that their understanding of IT risk is inadequate. It's therefore little surprise that they find it a challenge to oversee what their management is doing to mitigate cyber risk.

As a result, some companies are even considering whether they should recruit directors with cyber security expertise directly on to their boards. But whether or not they take this path, a board can use other approaches to bring knowledgeable perspectives on cyber security matters into boardroom discussions. These include: (i) scheduling deep dive briefings from third party experts, including government agencies, specialist cyber security firms, industry associations, etc.; (ii) leveraging existing independent advisers, such as external auditors and outside counsel, who will have a multi-client and industry-wide perspective on cyber risk trends; and (iii) enrolling their directors in cyber education programmes.

Boards also need to receive regular and adequately detailed management reports on the state of their company's cyber security risk management. If they lack up-to-date information, boards simply cannot effectively oversee or approve management priorities. And yet a very recent UK survey found that only 36 percent of those polled regarded an upstream communication channel from the security leader to the CEO as essential or very important.

A word of caution here: directors need to bear in mind that management may tend to under-report the true state of the risk environment to their board. One study has found that 60 percent of IT staff do not report cyber security risks until they are urgent and when it may be too late to deal with the risk.

Discuss which cyber risks to avoid, which to accept, which to mitigate and which to transfer

There is no such thing as total cyber security. As with other areas of enterprise risk management, boards should review their risk appetite in the context of their investment strategy. To do this, they should discuss the following questions:

What data and how much of it are we willing to lose through theft or compromise? Boards need to agree how they should allocate cyber risk mitigation investments between basic and advanced defences. In considering how to address the more sophisticated cyber threats, a company's defences need to focus on protecting its mission-critical assets, such as its "crown jewels". This hardly seems controversial, but research shows that many companies simply do not implement it. Instead, they apply security controls equally to all data and functions. Worse, the research shows that protecting lower priority systems and data from sophisticated threats will require greater investment than the benefits warrant.

When discussing sophisticated attacks, companies should seriously consider accepting the security risk of not protecting functions and data that have the lowest impact on their company's business, since the costs of this defence will likely exceed the benefit it brings.

How should we assess the impact of cyber events? This is probably more complicated than it seems. For example, there is likely to be a public relations angle to any cyber incident. Employees, customers, suppliers, investors, the press, public and government agencies all may see little difference between a comparatively small breach and a large or dangerous one. In fact, damage to corporate reputation and even share price may not correspond directly to the size or severity of the event. As a result, assessing damage based on the impact of a potential event, as in traditional risk management, is not always a reliable measure. The board should seek assurances that management has carefully thought through these implications in devising their cyber risk strategy.

More generally, the board needs to integrate corporate risk appetite, risk tolerances and available options for addressing cyber risk into its discussions with management about their company's overall business plan and strategy.

Board-management discussions of risk appetite will help to identify the level of cyber risk that their company will need to accept as a practical business consideration. Risk transfer mechanisms, such as insurance, may also assist in finding an appropriate level of business risk.

Insurance products now offer a wide variety of solutions that can assist in mitigating and transferring cyber risk. These solutions include not only coverage for financial loss, but can even help to mitigate the risk of property damage and bodily injury resulting from a cyber breach. Some solutions also include access to proactive tools, employee training, IT security and expert response services, to add another layer of protection and expertise. The inclusion of these value-added services proves even further the importance of moving cyber security outside the IT department and more into the boardroom.

Understand the legal and liability implications of cyber risk as they apply to the company

Corporate liability related to cyber-incidents is constantly evolving, and may well differ between the jurisdictions where a company is doing business. Directors need to be aware of the legal risks posed to their company, as well as potentially to themselves through personal liability.

Apart from national legislation and regulations, companies operating in the European Union need to consider the implications for their businesses of EU legislation. This will include the digital agenda in general, and the Network Information Security (NIS) Directive and the General Data Protection Regulations (GDPR), in particular. Both will pass into EU law shortly, with a two-year grace period in which their provisions must be transposed into the law of each individual member state.

In the case of the NIS Directive, boards also need to be well-informed on their company's obligations to report cyber incidents, particularly in cases where customer data is lost or there are implications for the critical national infrastructure.

In this context, board minutes should reflect that the board addressed cyber security and made informed decisions about the company's cyber security programme.

Cyber incidents are now an inevitable aspect of doing business, all the more reason for boards to ensure that their executives are on top of any threats.

Richard Knowlton
Executive Director (Europe)
Internet Security Alliance (ISA)
T: +44 (0)750 010 3164
E: rknowlton@isaeuropean.org

PERSPECTIVES

GOOD INFORMATION SECURITY, DATA PROTECTION AND CIA
BY MIKE GILLESPIE
> ADVENT IM LTD

When most people hear "CIA" they think of the same thing; however, this article has nothing to do with the US Central Intelligence Agency. Instead, it is looking at confidentiality, integrity and availability as guiding principles when talking about organisational information security. Specifically, in this case, we are looking at the I and the A. Many organisations place a high degree of importance (and spend) on the C part of the model and do not apply the same stringent approach (or spend) to the other constituent parts. To be sure, confidentiality, or the protection of information assets, requires understanding, planning and budget, but the lack of attention to integrity and availability can reduce the effectiveness of any strategy and actually end up costing companies money and damaging reputations.

First, let us establish what we mean by this model. Confidentiality is not a complex concept; we are talking about protecting information assets in an appropriate and proportionate manner. This means a combination of hardware, software, education and training, and policy and procedure. It also means that regular updates and careful management of a company's software and systems must be maintained in order to get the full benefit of the protection they offer. Using an operating system that is no longer supported, for instance, means it will not receive security patching and so represents a risk. Confidentiality, then, represents what many of us think about when we consider the topic of information security. We think firewalls, anti-malware, security awareness training and clear policies on managing devices, etc.

But what of Integrity? Integrity of data is a key part of good data protection practice and refers to the trustworthiness of the information assets. The veracity and accuracy of the information must be upheld, and since this is part of the Data Protection Act, all UK organisations should take it very seriously. Quite apart from the obligations of the Act, having trustworthy information assets is a business requirement. Up to date statements, email marketing lists and other assets should be carefully audited and maintained so they are useful as well as compliant. It is also part of the integrity piece that they should be protected from unauthorised alteration. The integrity part of the model acknowledges the insider threat, comprising those inadvertent or occasionally hostile acts that can lead to loss, damage or theft of information assets. Maintaining integrity could mean segregation of data, making drives and folders or network locations available only to those who actually need that access. It could mean using documents in un-editable formats for general use, with a restricted group of users actually able to change the content or format or even delete those assets. It can also mean version control, ensuring that only the very latest version of an asset is in use or circulation, which will eliminate misunderstanding and help prevent potentially expensive errors. Think about a scenario where out of date financial or pricing information is involved, and you can see that an organisation's reputation could easily be harmed if the integrity of information assets is not properly considered. It can also lead to the eye of the ICO falling upon you; for instance, if your email marketing lists are incorrect or out of date and individuals who have opted out are being contacted without their permission. It is an organisational responsibility to ensure they are compliant and actively aware in the area of integrity.

Then we come to Availability. In actual fact, we have touched on availability when talking about segregation of data. On the one hand, we need to ensure that data is segregated effectively to help ensure its veracity, but we also need to ensure that those who need access to this data are able to. There are other considerations that are also tied to the confidentiality part of the model, such as using up to date software and monitoring to prevent or limit the impact of events such as Distributed Denial of Service (DDoS) attacks. These attacks can overload servers to the point that they fall over, meaning that data could possibly be unavailable for extended periods of time. Preventing or containing such attacks could be a vital part of ensuring availability. We also need to consider things like ransomware, when an attacker encrypts the contents of a user's machine or files. This would render it useless and access to the information assets would be impossible. Making sure that files and drives are regularly backed up will help reduce the impact and help business as usual be maintained until steps can be taken to resolve the hardware situation.

This brings us to a related topic of business continuity; availability needs to be considered for all users when preparing and testing business continuity plans. When talking ransomware, we also need to be aware that the majority of this kind of malware is spread via phishing emails. So, we are back to the confidentiality part of our triad of protection, and the importance of training of staff and management (and the board) in recognising and dealing with phishing emails. Once an email payload has been delivered there are a variety of things that can happen, but we do know that these attacks may start simply with a phishing email but soon become complex and sophisticated. They can threaten the confidentiality of data and also its integrity, as the purpose of the attack can also be to damage information assets. Think of an attack designed to remove or invalidate CCTV images, for instance, or to invalidate intellectual property or financial information. The malware required to carry this out could be delivered easily via a phishing email.

This brief exploration of the integrity and availability aspects of information security offers some pointers not just in relation to quality information security but also information asset management. While we need to ensure businesses are able to protect data and information assets, it is vital that we never lose sight of the two other elements in this guiding model, to ensure a more resilient and agile use of those information assets. Ultimately, the aim of using CIA as a holistic business model is to ensure that we get the right information, to the right people, in the right format, at the point of need.

Mike Gillespie
Managing Director
Advent IM Ltd
T: +44 (0)121 559 6699
E: bestpractice@advent-im.co.uk

PERSPECTIVES

PERSPECTIVES

DATA T RA N S F E R S ,
S AFE H A R BO U R A N D T H E
EU/US P R I VACY S H I E L D
BY JAMES CASTRO-EDWARDS
> WEDLAKE BELL

Last October's ground breaking decision from the Court of Justice of the European Union (ECJ) on the US Safe Harbour has sent ripples through the transatlantic business community. The judgement not only affects US businesses with subsidiaries in Europe, but IT-related service providers (particularly online services) with European customers. These businesses can no longer rely on the US Safe Harbour to transfer personal information relating to their employees, customers and suppliers from Europe to the US. This article explains the implications of the decision, how these affect organisations and how businesses can address the change.

European data transfers, the US Safe Harbour Decision, and Maximilian Schrems

European data protection laws stem from the European Data Protection Directive 95/46/EC (the Directive). The Directive prohibits the transfer of EU citizens' personal data to countries outside the European Economic Area (EEA), which do not guarantee its adequate protection. In 2000, the European Commission issued a decision recognising the US Safe Harbour as providing adequate protection. Since the decision, thousands of businesses have relied upon the Safe Harbour to enable the transfer of their employees', customers' and suppliers' personal data from Europe to the US. However, the ECJ decision of 5 October 2015 marked the end of the Safe Harbour, and arguably the days of easy transfers of data to the US, leaving many businesses scrambling to find alternatives, or risking substantial fines from data protection authorities.

The ECJ ruling was prompted by Austrian law student Maximilian Schrems' ongoing dispute with Facebook, over the social media site's use of his personal data. The complaint to the Irish Data Protection Commissioner concerned the transfer of personal information by Facebook Ireland to Facebook in the US. It followed Edward Snowden's public revelations of unfettered searching of EU citizens' personal information by the American National Security Agency. Mr Schrems argued that such unfettered access to European citizens' personal data demonstrated that the US Safe Harbour did not adequately safeguard personal data to European standards. The Irish Data Protection Commissioner initially rejected the complaint, so Mr Schrems appealed to the Irish High Court, which turned to the ECJ.

The ECJ Judgement

The ECJ held that the European Commission decision that had recognised the Safe Harbour 15 years previously cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive; that is to say, even if the European Commission has adopted a decision, national data protection authorities may, with complete independence, examine whether the transfer of personal data complies with the requirements of the Directive.

The ECJ noted that US agencies were able to access European citizens' personal data for purposes that were incompatible with the purposes for which the information had originally been transferred. Further, access to the personal data by US agencies was beyond what was strictly necessary and proportionate for the protection of US national security. Accordingly, EU citizens' fundamental rights to respect for private life and for effective judicial protection had been eroded. The ECJ ruled that the Irish Data Protection Commissioner must examine Mr Schrems' complaint and decide whether the transfer of European Facebook users' personal data to the US should be suspended on the grounds that it was not adequately protected.

The EU-US Privacy Shield

On 2 February 2016, after widespread calls from businesses either side of the Atlantic for a replacement for the Safe Harbour, the European Commission and the US government broadly agreed the principles of the EU-US Privacy Shield. The details have yet to be finalised, but the EU-US Privacy Shield would include a number of measures to protect European citizens' personal data, including: requiring US companies to commit to processing EU personal data in accordance with a number of standards; imposing access restrictions upon US government agencies when they access EU citizens' personal data (subject to an annual EU / US joint review); and introducing a number of means of redress for European citizens, including recourse to a US ombudsman. The Privacy Shield has some way to go before it can be used as a data transfer tool, and has already been dismissed by some privacy advocates as no more than a 're-heated' Safe Harbour, however it offers a glimmer of hope for transatlantic businesses looking to share personal data.

Implications for business

The implications of the ECJ decision are wider than they may first appear. Many domestic companies may consider themselves unaffected, without realising that their providers for services such as HR or CRM software as a service (SAAS) solutions or cloud data storage rely on the US Safe Harbour to transfer data to servers located in the US. Perhaps counterintuitively, it is generally the company rather than the service provider that is responsible for compliance with data protection laws, and the company that risks substantial fines for transferring data unlawfully.

Organisations with an international footprint spanning Europe and the US may also find themselves affected if they have relied on the Safe Harbour to transfer, for example, information about customers and employees to their US headquarters. Organisations may not necessarily realise that even if their European employees' or consumers' personal information is held in the EU, if such information is accessible from offices outside Europe, this still constitutes a data transfer and must be treated accordingly.

A prudent first step for concerned companies is to identify what data they do transfer out of Europe, and consider whether these transfers are affected by the ECJ decision on the US Safe Harbour. Alternative transfer solutions exist for organisations, including the EU approved model clauses, binding corporate rules, an adequacy assessment of the data recipient, potentially the EU-US Privacy Shield and of course configuring systems so that EU employees' and consumers' data remains in Europe. The appropriate data transfer solution for a particular enterprise will depend on the specific circumstances. However, companies should be aware that the EU-US Privacy Shield is not necessarily the answer: it has some way to go before being recognised as a lawful transfer solution, and assuming it is accepted, it remains open to being challenged by European data protection authorities or privacy activists such as Mr Schrems.

For organisations rapidly trying to come to terms with ever more complex and rigorous data protection laws, this may seem a daunting challenge. A data transfer review may be a significant undertaking, but it is not insurmountable. However, with a real likelihood of European data protection authorities taking enforcement action against unlawful transfers, and the looming agreement of the EU General Data Protection Regulation (which could introduce fines of up to 4 percent of worldwide annual turnover or €20m), businesses must act now to address the risk.

James Castro-Edwards
Partner
Wedlake Bell
T: +44 (0)20 7395 3108
E: jcastro-edwards@wedlakebell.com

PERSPECTIVES

WHY YOUR DATA HOLDS THE SECRET TO INDUSTRY-LEADING COMPLIANCE
BY ROBERT DALLISON
> PITNEY BOWES

Take a moment to imagine every book in every library, school, home and business in the world. These books, combined, make up just 6 percent of total human data. The remaining 94 percent is digital. We generate data as we move, through every connection, communication, transaction and digital interaction that we have. This has become a huge opportunity for businesses, many of whom use data to gain insight into their clients' behaviour, with some even using data to create revenue streams. Facebook, for example, utilises data in this way. Advertising revenues, mobile in particular, play a huge part in companies' financial results, as advertisers use data on pages we 'like' or engage with, apps and websites we use, to deliver highly targeted advertisements. Apps that we use on our mobile devices are also sharing lots of personal data with third parties, often without our consent. A study has revealed that the most popular smartphone apps send data, on average, to three different online services. This includes names and email addresses, but also personal data such as that gleaned from health and fitness apps. Most of this data, according to a study from Digital Trends, ended up making its way to Google, Facebook or Yahoo.

It's getting personal

It follows that the more data we generate and share, and the more businesses use our data in more ways, the more open we are to having our data compromised. On an almost-daily basis, we read about data breaches, which seem to be getting more frequent, more serious and more personal. Medical records, bank details, even information on our children is being compromised as businesses across all sectors fall victim to intentional and unintentional data breaches.

Businesses have a moral and regulatory responsibility to safeguard our data. The consequences of not protecting client data are becoming even more significant. Organisations that have fallen prey to serious data breaches are, at the very least, likely to suffer in terms of reputation, and potentially in terms of market share and performance, too. And from a regulatory perspective, these breaches can have an even greater financial impact, with regulators cracking down on offending companies and fines handed out.

UK based companies come under the governance of the Data Protection Act, with the Information Commissioner, or ICO, responsible for fining companies it deems to have breached the Act. For organisations with customers in Europe, the EU's General Data Protection Regulations (GDPR) will have major implications this year, creating far-reaching change in the security and management of customer and employee data, potentially resulting in hefty fines for non-compliance. Businesses will be under pressure to comply with these regulations.

Added pressure on the financial industry

Banks and financial services organisations are under additional regulatory pressure. Not only must these businesses protect customer data to comply with data regulations, but they must be able to present a transparent, detailed and precise view of their customers, to comply with banking regulations. These organisations must adhere to rigid Anti Money Laundering (AML) regulations and Know Your Customer (KYC) requirements. AML regulations include the UK Bribery Act, the USA PATRIOT Act, and the European Union Fourth Money Laundering Directive. KYC is a legal and regulatory requirement, which requires banks to know and understand their customers and, as a result, better manage risk. In France, there is a new law regarding inactive accounts, requiring institutions to publish a list of dormant bank accounts, making it even more critical for organisations to know who they are doing business with.

In the UK, the Financial Conduct Authority is increasingly clamping down and issuing fines for non-compliance. Avoidance of these fines lies in a company's ability to provide accurate and detailed information on customers, structured in a consistent, transparent way. Data is prone to error and variation, and when you consider the size of many financial institutions and insurers, the disconnected, unrelated systems and platforms holding data for different purposes, the number of different geographic locations, the legacy systems inherited in M&A activity, and the sheer volume of data, the challenge of verifying a customer's identity and remaining compliant is a tough one to overcome. Poor data, and an inability to understand the breadth of customer data and customer relationships, is a resource-intensive burden on businesses.

Single customer view: transitioning from marketing teams to compliance teams

Single customer view is an expression which probably originated in the marketing department, as businesses realised the benefit of collating different communication touchpoints to create an overall view of each customer, enabling the organisation to target them with highly personalised campaigns. Achieving this single customer view is now mandatory for all UK banks, as deposit guarantee schemes (the Financial Services Compensation Scheme in the UK) are required to pay out compensation quickly with a payout target of seven days where appropriate. To do this, a single customer view is required.

Banks and financial institutions are turning to software to help them achieve this, to develop a clear understanding of risk and achieve industry-leading, robust compliance. Entity resolution software takes data from different sources (contact databases and transactional records, for example) and creates consistent, precise customer data. It looks at different data sources and references to an individual, taking into account inconsistencies, errors, abbreviations and incomplete records, and determines whether or not they relate to the same entity. It also enables businesses to quickly find, link and visualise complex relationships across parties, accounts and transactions.

Data holds the key

Data should be an organisation's greatest asset, not its downfall. Data quality is key here: for a business to extract trustworthy, meaningful insight from data, it is relying on that data to be clean, current and relevant. If the data an organisation uses to make business decisions is 'dirty' then any decisions they make are, by definition, flawed. Businesses face losing revenue, damaging reputation, ruining customer relationships, demoralising sales staff or risking fines for non-compliance. And for data to stand up to regulatory scrutiny, which is only going to become even more exhaustive, businesses need to take steps to achieve greater management of data. As financial organisations shift their focus to improving service delivery, they must deliver a diversity of different products and take an omnichannel approach. This requires a structured, integrated approach to data and its management: there is no place for inaccessible data housed in silos across an organisation. These businesses need to ensure data's accuracy and precision, eliminating errors, inconsistencies and duplications, and they need to make the necessary safeguards to store data safely. The right software can turn data from a burden into a benefit.

Robert Dallison
UK Sales Director Digital Commerce Solutions
Pitney Bowes
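The entity resolution step described above (reconciling references to one person across systems despite abbreviations, errors and incomplete records) can be illustrated with a small worked example. This is added illustration code, not Pitney Bowes software; the source systems, field weights, thresholds and customer records are all constructed for the example.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Abbreviations and nicknames that different source systems use for the same thing
ABBREVIATIONS = {
    "st": "street", "rd": "road", "ave": "avenue",
    "wm": "william", "bill": "william", "robt": "robert", "bob": "robert",
}

# Fields that rarely collide between different people carry more weight
WEIGHTS = {"email": 3.0, "phone": 2.0, "dob": 2.0, "name": 1.5, "address": 1.5}
EXACT_FIELDS = {"email", "phone", "dob"}
MATCH_THRESHOLD = 0.85   # weighted similarity needed to call two records the same entity
MIN_EVIDENCE = 3.0       # total weight of comparable fields needed before deciding at all

def normalise_text(value):
    """Lower-case, strip punctuation and expand abbreviations, so that
    'Wm. Parker' and 'William Parker', or 'High St' and 'High Street', compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", (value or "").lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)

def normalise_record(record):
    """Canonical form of one source record; missing fields become empty strings."""
    return {
        "name": normalise_text(record.get("name")),
        "address": normalise_text(record.get("address")),
        "email": (record.get("email") or "").strip().lower(),
        "phone": re.sub(r"\D", "", record.get("phone") or ""),   # digits only
        "dob": (record.get("dob") or "").strip(),
    }

def match_score(a, b):
    """Weighted similarity over the fields present in both records (0.0 to 1.0).
    Absent fields are skipped rather than counted as mismatches, so an incomplete
    record can still resolve; too little comparable evidence returns 0.0."""
    total = evidence = 0.0
    for field, weight in WEIGHTS.items():
        x, y = a[field], b[field]
        if not x or not y:
            continue
        if field in EXACT_FIELDS:
            sim = 1.0 if x == y else 0.0
        else:
            sim = SequenceMatcher(None, x, y).ratio()
        total += weight * sim
        evidence += weight
    return total / evidence if evidence >= MIN_EVIDENCE else 0.0

def resolve(records, threshold=MATCH_THRESHOLD):
    """Group record indices into entities: pairwise scoring plus union-find, so
    records that never compare directly (A~B, B~C) still land in one cluster."""
    norm = [normalise_record(r) for r in records]
    parent = list(range(len(norm)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(norm)), 2):
        if match_score(norm[i], norm[j]) >= threshold:
            parent[find(i)] = find(j)

    clusters = {}
    for i in range(len(norm)):
        clusters.setdefault(find(i), []).append(i)
    return sorted(sorted(c) for c in clusters.values())

def single_customer_view(records, threshold=MATCH_THRESHOLD):
    """One merged record per entity, listing the source systems it was built from
    and keeping the first non-empty value seen for each field."""
    views = []
    for cluster in resolve(records, threshold):
        merged = {"sources": [records[i]["source"] for i in cluster]}
        for i in cluster:
            for field, value in records[i].items():
                if field != "source" and value and not merged.get(field):
                    merged[field] = value
        views.append(merged)
    return views

# Constructed sample records from three hypothetical systems (not real customers)
CUSTOMER_RECORDS = [
    {"source": "crm", "name": "William Parker", "email": "w.parker@example.com",
     "address": "12 High St", "dob": "1970-03-04"},
    {"source": "kyc", "name": "Bill Parker", "email": "", "address": "12 High Street",
     "dob": "1970-03-04", "phone": "+44 20 7946 0000"},
    {"source": "cards", "name": "Wm. Parker", "email": "W.Parker@Example.com"},
    {"source": "crm", "name": "William Parkes", "email": "w.parkes@example.com",
     "address": "9 Station Rd", "dob": "1982-11-30"},
]

if __name__ == "__main__":
    for view in single_customer_view(CUSTOMER_RECORDS):
        print(view)
```

The "kyc" and "cards" records share only a name, which is too little evidence on its own, yet both resolve to the "crm" record and so end up in one entity; the near-namesake with a different email and date of birth stays separate.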

HOT TOPIC

DATA PRIVACY
CHALLENGES FOR THE
ASIA-PACIFIC REGION


PANEL EXPERTS

Michelle K. Chan
Counsel
Akin Gump Strauss Hauer & Feld LLP
T: +852 3694.3026
E: michelle.chan@akingump.com

Derek Ho
Senior Counsel
MasterCard
T: +65 6390 5946
E: derek_ho@mastercard.com

Pierre Noel
Chief Security Officer
Microsoft Asia

Alexander Shepherd
Partner
Simmons & Simmons
T: +65 9241 6141
E: alexander.shepherd@simmonssimmons.com

Michelle K. Chan is a counsel in Akin Gump's Hong Kong office. She is engaged in the practice of corporate and securities law with a focus on mergers and acquisitions. Ms Chan primarily works with public and private companies on mergers and acquisitions transactions and private equity funds in acquiring investments. In addition, she also advises companies on general corporate matters relating to reporting and disclosure issues and shareholder meetings.

Derek Ho is the senior regional counsel for privacy and data protection at MasterCard for the Asia-Pacific and Middle East Africa regions. Mr Ho is a Singapore qualified lawyer and he specialises in privacy, technology and telecommunications law. He is also a Certified Information Privacy Professional and a Certified Information Privacy Manager. Prior to MasterCard, Mr Ho held senior legal positions in multinational companies in the Asia-Pacific region, and was part of Drew & Napier LLC's telecommunications, media and technology practice in Singapore.

Pierre Noel is the chief security officer for Microsoft in Asia. Originally a Belgian citizen, living in Asia for over 25 years, Mr Noel has 30 years of international experience in information security and enterprise risk management. He designed and built complete security and enterprise risk management environments for governments, finance, transport and large conglomerate industries around the world. Mr Noel is currently helping several nations and critical infrastructure organisations across Asia to build their cyber security infrastructure and framework from the ground up. He is a member of the board of advisers of Airbus Group.

Alexander Shepherd is a partner in Simmons & Simmons's information, communications & technology group based in Singapore and is head of the firm's technology, media and telecommunications (TMT) practice in South East Asia. Mr Shepherd advises on commercial, regulatory and intellectual property work with a particular focus on telecoms, media, broadcasting, IT and technology and has significant experience advising on corporate finance transactions in the TMT sector across Europe, Africa and the Middle East. He also advises on technology procurement and outsourcing in the TMT and financial institutions sectors.

RC: Could you provide a brief overview of current data privacy challenges across the Asia-Pacific region? How would you characterise the quality of the physical and virtual architecture security typically installed by companies operating in the region?

Ho: More countries in the Asia-Pacific region will be introducing omnibus privacy and other data related legislation. While these laws usually contain a set of data privacy principles which are largely consistent with one another, the detailed implementation of those principles in national legislation sometimes results in differences. For example, each country in the Asia-Pacific region has varying legal bases for the processing of personal data. All countries in the region provide for consent as a basis for processing but most do not contemplate processing on the basis of the legitimate interest of the organisation. Some countries recognise the data controller vs. data processor distinction, while others don't. It is a challenge for organisations of all sizes to keep up with the changes, and manage the differences, especially for businesses which operate in multiple markets. That said, eventually this issue may become less of a challenge as countries, in drafting their own privacy laws, acknowledge and refer to other countries' implementation of data privacy laws, resulting in the adaptation and cross-pollination of legal concepts between countries.

Shepherd: Currently, there is limited harmonisation and commonality between the various jurisdictions in Asia and therefore regional compliance can be time-consuming and resource intensive. In addition, moves to harmonise and enhance data protection laws across the region have been hampered by international developments such as the Max Schrems case, the new EU Data Privacy Regulation, issues surrounding Safe Harbour and the subsequent new Privacy Shield. Accordingly, as an example, moves by the Hong Kong government to implement restrictions on cross-border data transfers are now apparently being delayed while it waits to see what happens in Europe. Further, there has generally been a lack of significant regulatory enforcement action in both established jurisdictions and those which have recently implemented legislation; this means that the legislation may not be as effective a deterrent as it could be, and also that there is some uncertainty as to how legislation will be applied.

Noel: Asia-Pacific is a diverse region consisting of many countries, so there is no one common challenge that all of the nations in the region face. Countries have different levels of security and privacy protection; countries like Australia, New Zealand, Japan and Singapore that take these concerns seriously have in place more advanced framework and technology, while emerging countries like China, Myanmar, Thailand and Vietnam generally may not perceive privacy as much of an issue yet. Of course, there are other factors at play as well, such as urban movement and policies in each country. The quality of the physical and virtual architecture security in the region is generally similar, but businesses have varying levels of understanding of what cyber security means and its impact. Businesses lacking significant protection so far are mainly from China, Malaysia, Thailand and Indonesia, but this could be because they have yet to be fully exposed to the risk of cyber attacks.

Chan: Privacy legislation in the region is not uniform, is generally less stringent and is lagging behind legislation in place in the US and EU. Historically, there has been less of a culture of sharing in Asia; therefore, less information is shared with regulators and other governments to combat data breaches. Furthermore, there has been considerably less investment by companies in security measures, compared to their counterparts in the EU and US.

RC: In addition to the issues presented by the Internet of Things, what other areas represent heightened cyber security risk?

Chan: Cloud computing and storage, 'bring your own device' to work policies and mobile payments systems represent some of the biggest cyber security risks facing companies today.

Ho: One of the biggest areas of cyber risk is mobile devices and mobile apps which users (whether enterprise or individual users) use to process or gain access to personal data stored either on the phone or elsewhere. As services and information are increasingly being accessed from mobile devices, the mobile device represents both a treasure trove of information but also a vector for access into remote stores of data and also money. While there are documented instances of flaws in the technology, the weak link in many cases would be human, whether in terms of implementation or users of the technology. This weak link may be exploited through downloads of free but malicious apps, clicking on links which would result in malware being installed on the phone, failures to install upgrades to OS or security patches, and connection hijacking. An example is the Zitmo malware which allowed criminals to steal money from bank accounts by stealing mobile transaction authorisation numbers sent via SMS which was enabled by users clicking on links which resulted in the malware being installed on their phones.

Noel: In my opinion, the Internet of Things does not present as much risk yet as it is still an emerging technology. The areas that present higher risk are anything that can be monetised by organised crime communities. These groups prey on privacy, in particular corporate privacy, where we have been seeing increasing cases of blackmail or ransomware. Ransomware allows online thieves to remotely lock up files in return for a hefty fee to get them back. There are also a lot of phishing attacks targeted at retailers or corporate organisations, where imposters try to extort money from organisations.

Shepherd: At a consumer level, there is vast and growing use of social media, especially via mobile devices, and increasing e-commerce in jurisdictions where traditionally it was not commonplace. Inevitably, this growth will have generated risks. At the enterprise level, cloud computing and Big Data are likely to be key risks.

RC: With companies amassing data at an ever-increasing rate, often via cloud-based storage services, what steps should they take to improve their data protection and disaster recovery strategies?

Noel: The steps are easy to explain, but difficult to implement. The key take-away is that companies need to classify data into different levels, and set the kind of protection that each level requires. For data with more significant risk, specific precautions must be taken, and the best measure could sometimes be to store it in the cloud as it is more secure than data centres. A variety of options can help reduce or eliminate planned and unplanned downtime for your applications, with capabilities that can help maintain service availability and recover quickly from hardware failures.

Ho: In the first instance, organisations should consider whether all the data they hold is needed for their business activity. Data minimisation is a good principle to adopt as a way of minimising the processing and storage of data which is not required. Organisations could also adopt data masking measures such as tokenisation which replaces personal information or credentials with alternative information on the mobile device or on their servers. Tokenisation reduces the number of potential data repositories from which personal information may be stolen, while still enabling the transaction or business activity to be completed. Tokenisation services could further enhance security through the possibility of limiting the use of these tokens with a specific device, merchant or payment channel. Another useful data protection measure would be de-identification. This is useful as it protects the confidentiality of information, and also lessens the risk that personal information is compromised in a security incident.

Chan: Companies should employ multilayer authentication techniques, such as two factor authentication systems. They should also make use of encryption wherever possible and store data relating to different business functions separately, for example customer, financial, HR, and so on. Companies should also recognise that data protection and security is not just an IT issue but a firm issue and senior executives and management should be engaged in formulating the policies and setting the tone from the top down. Organisations should also provide comprehensive employee training on security awareness.

RC: In your opinion, what is the general cultural approach to personal confidentiality and anonymity across Asia?

Shepherd: Asia consists of lots of different jurisdictions with very different cultures and with different approaches, so it's very difficult to generalise. At one end of the spectrum there appears to be little expectation of online privacy in the PRC whereas privacy is heavily guarded in other jurisdictions like Singapore. There appears to be a growing understanding of both data privacy risks and the protection relevant legislation affords consumers, but individuals appear reluctant to pay for greater security and privacy.

Chan: Generally, there is a more lackadaisical approach to confidentiality in Asia compared to the US and EU. Companies are seemingly less aware of issues around confidentiality and anonymity.

Noel: There is a lower premium placed on confidentiality and anonymity across Asia, compared to the US and Europe. Exceptions include Australia, New Zealand, Japan, and to a larger extent Singapore and Hong Kong, where there is a growing awareness. Australia and New Zealand have perhaps inherited a colonial attitude toward data privacy, possibly from Europe, and are taking the issue very seriously. Japan's approach can be attributed to internal issues, where the country has seen the importance of data privacy grow over the years with a spate of high profile hacking incidents and breaches. For Singapore and Hong Kong, the reasons are rather practical: data privacy is good for business, and especially as financial hubs it will obviously be in their interest to support it.
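Derek Ho's answer on data protection above describes tokenisation that replaces a credential with a substitute value and limits a token's use to a specific device, merchant or payment channel. The following is an added illustration of that idea, not MasterCard code or a real tokenisation service: the vault, the merchant system, the restriction keys and the card number are all constructed for the example.

```python
import secrets
from typing import Dict, Optional, Tuple

class TokenVault:
    """The one place real card numbers (PANs) are stored. Every other system
    keeps only the token the vault issued for them."""

    def __init__(self) -> None:
        # token -> (pan, restriction). A restriction maps context keys such as
        # "merchant_id", "device_id" or "channel" to the only values allowed.
        self._entries: Dict[str, Tuple[str, Dict[str, str]]] = {}

    def tokenise(self, pan: str, restrict_to: Dict[str, str]) -> str:
        """Issue a random token for pan. The token is not derived from the PAN,
        so it reveals nothing about it; its use is limited to restrict_to."""
        token = secrets.token_hex(8)
        self._entries[token] = (pan, dict(restrict_to))
        return token

    def detokenise(self, token: str, context: Dict[str, str]) -> Tuple[Optional[str], str]:
        """Return (pan, "ok") when the token exists and the presented context
        satisfies every restriction, otherwise (None, reason)."""
        entry = self._entries.get(token)
        if entry is None:
            return None, "unknown token"
        pan, restrict_to = entry
        for key, allowed in restrict_to.items():
            if context.get(key) != allowed:
                return None, f"token not valid for this {key}"
        return pan, "ok"

class MerchantSystem:
    """A merchant's customer database: holds tokens and the last four digits
    only, so a breach of it yields nothing that can be charged elsewhere."""

    def __init__(self, merchant_id: str, vault: TokenVault) -> None:
        self.merchant_id = merchant_id
        self.vault = vault
        self.customers: Dict[str, Dict[str, str]] = {}

    def enrol_card(self, customer: str, pan: str) -> str:
        token = self.vault.tokenise(pan, {"merchant_id": self.merchant_id})
        self.customers[customer] = {"token": token, "last4": pan[-4:]}
        return token

    def charge(self, customer: str) -> str:
        """Present the stored token with this merchant's identity; the vault
        releases the PAN (to the payment network, in practice) only if the
        token was issued for this merchant."""
        token = self.customers[customer]["token"]
        _pan, status = self.vault.detokenise(token, {"merchant_id": self.merchant_id})
        return status

def pan_exposed_in(store: Dict[str, Dict[str, str]], pan: str) -> bool:
    """True if the full PAN appears anywhere in a repository's values."""
    return any(pan in value for record in store.values() for value in record.values())

def run_scenario() -> Dict[str, object]:
    """Walk through the restrictions described above with constructed data."""
    vault = TokenVault()
    shop = MerchantSystem("M-001", vault)
    test_pan = "4111111111111111"          # constructed test card number, not a real card
    token = shop.enrol_card("alice", test_pan)

    # A token lifted from the shop's database and replayed at another merchant
    replay = vault.detokenise(token, {"merchant_id": "M-002"})

    # A wallet token bound to one handset and one channel
    wallet_token = vault.tokenise(test_pan, {"device_id": "handset-7f3a", "channel": "in-app"})
    from_handset = vault.detokenise(wallet_token, {"device_id": "handset-7f3a", "channel": "in-app"})
    from_web = vault.detokenise(wallet_token, {"device_id": "handset-7f3a", "channel": "web"})

    return {
        "merchant_charge": shop.charge("alice"),
        "merchant_store_holds_pan": pan_exposed_in(shop.customers, test_pan),
        "replayed_at_other_merchant": replay,
        "wallet_from_handset": from_handset[1],
        "wallet_from_web": from_web[1],
        "unknown_token": vault.detokenise("deadbeef00000000", {})[1],
    }

if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The merchant's own store never contains the card number, and the same token presented from the wrong merchant or channel is refused, which is the reduction in "repositories from which personal information may be stolen" that the answer refers to.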

Ho: There is no one general cultural approach. Asia is made up of many countries of diverse cultures, histories, types of government and levels of economic development. The expression of privacy norms is thus dependent on multiple factors including the nature of the information exchange, the type of information being exchanged, the context of the exchange, and whether the exchange is consumer-to-business, or citizen-to-government, and one would have to consider each country in its own specific context. For example, some countries in Asia have long legal and legislative histories of protecting personal data and privacy, and one would expect a higher level of awareness in terms of confidentiality and anonymity. In countries where there is a high level of trust in government institutions and the services which they deliver, one could expect that citizens would more readily provide data to these institutions. Even within countries, one could have different attitudes depending on the class status within society to which the individual belongs and whether one lives in a more collectivist or individualistic society.

RC: To what extent have regulatory and legislative developments had an impact on data issues in the region? What scope is there for improved data regulation going forward, and how likely is it that we will see enhanced cross-border data privacy frameworks?

Ho: As cross-border trade is increasingly dependent on cross-border data flows, ensuring the unrestricted flow of data across borders becomes important, not only for organisations, but also for the economies in the region. Restrictions on the flow of data may have an impact on several fronts, including a reduction in the availability of services which rely on the free flow of data, increased costs for consumers and businesses due to the replication of infrastructure, increased costs for regional operations due to repatriation of data which is offshore, and a negative environmental impact due to the replication of energy intensive data centres. Given these issues, cross-border data transfer regimes based on the concept of accountability (in the Australia Privacy Act and the APEC Cross-Border Privacy Rules, for example) could be a model for countries in the region to follow. Data regulatory frameworks should also attempt to achieve a balance between protecting consumers' privacy and allowing organisations to use data for good. For example, there are good outcomes for societies and individuals if organisations are able to analyse data for the purposes of healthcare research, fraud prevention or reducing environmental pollution through monitoring urban transport use. Regulations could enable these uses of data through formally recognising a risk balancing approach, allowing for other legal bases for the processing of data in addition to consent, and providing clear guidance on anonymisation and re-identification risks.

"Compliance can be hard to determine in Asia, as organisations here lack personal policies toward data privacy." Pierre Noel, Microsoft Asia

Noel: Though the impact of regulatory and legislative developments must be dealt with on a per country basis, it can certainly have significant effects in places like China, where state enterprises are barred from sharing data beyond the mainland. It is detrimental when countries allow data from outside to come in, but prohibit their own data from going out. This does not bode well for a healthy, cross-border data privacy framework. There is no equivalent of Safe Harbour in Asia and we are nowhere closer to having one. Discussions are still at an early stage, with some cross-border data transfer between Australia and New Zealand. There is a general reluctance to share data across borders elsewhere in Asia, which is problematic for cloud-service providers who cannot install cloud data centres here.

Shepherd: The APEC Privacy Framework has been important in the implementation of data privacy legislation over the last 10 years. The impact of international data privacy changes is likely to impact legislative and regulatory change in the short term.

Chan: Most of the privacy legislation in the region does not require mandatory notification of a data breach to the individuals whose data has been compromised or to regulators. Furthermore, we are unlikely to see a cross-border framework put into place but rather increased cross-border cooperation. Governments in the region are now engaging others

Chan: Companies should appoint a designated data protection or privacy officer for the organisation and engage senior executives and management. Adopting a top down approach would be beneficial.

to share intelligence and best practices; indeed,

Organisations must demonstrate that they

cyber policy initiatives at the government decision

understand exactly what kinds of personal data they

making level are underway in the Asia-Pacic region.

are collecting, how it is collected and how it is used.


Organisations should know which global data privacy

RC: What advice would you give to


companies in terms of establishing
appropriate compliance solutions for
data privacy laws? What steps should
organisations undertake to ensure that
they identify and resolve weakness in
their current business operations?
Noel: There are three steps to establishing
appropriate compliance solutions. The
organisation rst needs to establish its own
data privacy policy, before comparing
it with the regulations of the country
it is operating in. Discrepancies
should then be identied between
the organisations personal policy
and external policies, in order to
determine the level of appropriateness
of compliance solutions. Compliance
can be hard to determine in Asia, as
organisations here lack personal policies
toward data privacy.

www.riskandcompliancemagazine.com

regimes have extraterritorial application and how that


affects their organisation.

Shepherd: There are a number of countries with significantly higher data privacy requirements than others. Companies operating in only a few jurisdictions may find it easier to determine which of those jurisdictions has the highest requirements and set that as their benchmark, allowing them to operate a consistent policy across the region. Those operating in many jurisdictions may find it more sensible to pick two such standards, a high and a moderate, and apply them to jurisdictions accordingly. Either way, it makes sense to implement a data privacy strategy in all jurisdictions, even those with no relevant law, in order to instil the right data privacy culture in the business in preparation for the inevitable introduction of appropriate laws in due course.

Ho: Organisations should institute an accountability based approach to privacy and information governance. This would entail commitment within the organisation to being responsible for how it handles and processes data. This commitment translates into the implementation of policies and processes and the building of privacy considerations into business processes. It also requires organisations to establish ways to monitor and assess the effectiveness and adherence to these policies and processes. Organisations should also invest in putting in place dedicated resources to implement the policies, processes and monitor the effectiveness of their privacy programme. As data processing activities and the issues arising from them become more complex, organisations should try to avoid placing responsibility for the programme on an employee where this would be in addition to their other existing responsibilities.

RC: What role is cyber insurance playing in the region? Are more companies evaluating the benefits of this insurance as part of their risk mitigation strategy?

Shepherd: Regional clients are increasingly enquiring about cyber insurance, possibly as a result of a number of recent high profile data security breaches. Clients in regulated industries should at least be considering it as part of their overall risk mitigation strategy, for example, given that the financial services regulators in Hong Kong and Singapore have recently published new or updated guidance on the importance of managing cyber risks.

Ho: This is a growing area as more attention is being paid to managing risks relating to data incidents as losses from such incidents mount. Recent surveys in Asia reflect that Asian headquartered companies are creating risk committees to identify cyber risks. This might explain the higher levels of interest in cyber insurance products. That said, the cyber insurance market, though growing, remains relatively small in the region.

Noel: Cyber insurance is still in its infancy worldwide, not just in Asia. In fact, Singapore is trying to address this by raising the importance of cyber insurance, establishing a framework to make it more relevant to businesses. Most businesses do not know the benefits of insurance yet, because they have not established which data to secure and which is less important. We suspect Singapore is likely to lead the world on this issue. The country has been proactive in supporting initiatives such as a cyber risk test-bed project that will help promote the growth of the industry.

Chan: It is not a very developed area; in many respects the industry is still in its infancy in this region but significant growth is expected in the next three to five years. Presently very few companies currently buy specialised cyber insurance; indeed, there are not many providers of cyber insurance in the market.

RC: How do you expect data privacy challenges in the Asia-Pacific region to develop over the next 12 months or so? Are there any particular trends and developments which may lead to ever-tightening data regulation in the region?

Noel: Twelve months is short notice, but I hope we can have something equivalent to a framework for data privacy in 24 months. Singapore has tried to come up with data protection standards for the cloud, such as its Multi-Tier Cloud Security (MTCS) Standard. MTCS aims to provide businesses with greater clarity on the levels of security offered by different cloud service providers. Other countries should adopt this certification, or come up with their own, so that data privacy will be simpler to address.

Chan: Going forward, we expect to see more aggressive enforcement by regulators in the region as a result of the growing number of data breaches.

Shepherd: Given recent international developments, our view is that there will be relatively little legislative and regulatory change in the region in the next 12 months as the EU makes significant changes to its data privacy regime and regional regulators have to consider the knock-on effect of those changes. Obviously, other developments may lead to reactive regulation; major data leaks, for example, often lead to tightened regulation. The growing trend towards cloud-based solutions is an area that regulators may be pressured to try and address.

Ho: The increasing number of data incidents will continue to result in more countries introducing mandatory data breach notification laws, and it may result in the lowering of thresholds which will trigger a notification. Further, the increasing number of privacy laws in the Asia-Pacific region will only add to the complexity and challenge in ensuring compliance with the different laws. One of the bigger challenges for organisations will be trying to keep up with the technology and managing the privacy implications which the technology will give rise to. The rapid evolution of the Internet of Things and the expansion of the application of artificial intelligence into products and services will result in an explosion of data which organisations will be collecting as more devices collect data aided by an array of artificial intelligence agents which don't take breaks or sleep.

EDITORIAL PARTNERS

EDITORIAL PARTNER

Zurich Insurance Group
www.zurich.com

Zurich Insurance Group is one of the world's largest insurance groups, and one of the few to operate on a truly global basis. With over 60,000 employees serving customers in more than 170 countries, Zurich aspires to become the best global insurer as measured by shareholders, customers and employees. Zurich offers products and services across a range of businesses, in markets all over the world, including: general insurance (property, accident, car and liability insurance), life insurance, pensions and savings and investments. The firm is also a provider of financial protection and has strong positions in key markets such as North America and Europe.

KEY CONTACT

Alain Wijnants
Chief Executive Officer
Brussels, Belgium
T: +32 2 639 55 00
E: alain.wijnants@zurich.com

ORGANISATION

Chartered Institute of Procurement & Supply (CIPS)

The Chartered Institute of Procurement & Supply (CIPS) exists to promote and develop high standards of professional skill, ability and integrity among all those engaged in purchasing and supply chain management. As an influential professional body, CIPS helps all kinds of organisations achieve all-round excellence in procurement and supply management. The organisation achieves this by offering a range of products and services to provide the knowledge, training and practical skills that are needed to derive maximum benefit from procurement practices. Established in 1932 and based in the UK, CIPS assists individuals, organisations and the profession as a whole.

David Noble
Group Chief Executive Officer
United Kingdom
T: +44 (0)1780 756 777
E: press@cips.org
www.cips.org

ORGANISATION

ICSA: The Governance Institute

ICSA: The Governance Institute is the professional body for governance. With over 125 years' experience working with regulators and policymakers, the organisation supports its members across all sectors of the economy, including large corporates, SMEs, the public sector and charities. ICSA is the only organisation to confer chartered secretary status on those who are suitably qualified and experienced. Established in 1891, the knowledge and expertise of ICSA is rooted in history and continues to lead current thinking and practice. ICSA's stated guiding values are openness, integrity and authority.

Louise Thomson
Head of Policy (NFP)
London, UK
T: +44 (0)20 7612 7040
E: lthomson@icsa.org.uk
www.icsa.org.uk

ORGANISATION

Internet Security Alliance (ISA)

The Internet Security Alliance (ISA) is a non-profit multisector trade association founded in Washington DC in 2001. ISA sees cyber security not just as an IT challenge, but as an enterprise-wide risk management issue. ISA's mission is to combine technology with economics and public policy to create a sustainable system of cyber security. It focuses on three main goals: thought leadership, public policy advocacy and creating standards and practices that effectively foster cyber security. In Europe, ISA brings together leading European companies from multiple industry sectors and different EU member states.

Richard Knowlton
Executive Director (Europe)
London, UK
T: +44 (0)750 010 3164
E: rknowlton@isaeuropean.org
www.isaeuropean.org

ORGANISATION

University of Queensland (UQ)

The University of Queensland (UQ) is one of Australia's leading research and teaching institutions and strives for excellence through the creation, preservation, transfer and application of knowledge. For more than a century, UQ has educated and worked with outstanding people to deliver knowledge leadership for a better world. The University ranks in the top 50 as measured by the QS World University Rankings and the Performance Ranking of Scientific Papers for World Universities. UQ also ranks 52 in the US News Best Global Universities Rankings, 60 in the Times Higher Education World University Rankings and 77 in the Academic Ranking of World Universities.

Gabriel Moens
Emeritus Professor of Law
Brisbane, Australia
T: +61 4 6614 4789
E: g.moens@uq.edu.au
www.uq.edu.au
