
RISK & COMPLIANCE

Inside this issue:

FEATURE
Cyber security legislation in the US

EXPERT FORUM
CEO pay disclosure requirements

HOT TOPIC
Shareholder activism in the US banking industry

JAN-MAR 2016

www.riskandcompliancemagazine.com

CONTENTS

006 FOREWORD

008 FEATURE
Cyber security legislation in the US

015 FEATURE
Allying with the activists in the boardroom

021 EXPERT FORUM
CEO pay disclosure requirements
Baker & McKenzie LLP; Cleary Gottlieb Steen & Hamilton LLP; Pay Governance LLC; Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

039 PERSPECTIVES
New rules concerning the clawback of incentive-based compensation for US listed companies
Cleary Gottlieb Steen & Hamilton LLP

043 PERSPECTIVES
Address board culture to mitigate risk
ICSA

047 MINI-ROUNDTABLE
Evolving role of the CEO
Caldwell Partners

055 PERSPECTIVES
Key ethical challenges for leadership in 2016
Frank C. Bucaro and Associates, Inc.

059 PERSPECTIVES
German D&O policies as a deceptive package for the supervisory board?
Hendricks & Co / Fieldfisher LLP

063 MINI-ROUNDTABLE
Commodity price risk management
Accenture

071 PERSPECTIVES
Achieving supply chain resilience amid increasing global risk
Chartered Institute of Procurement & Supply

075 PERSPECTIVES
Supply chain accountability: new dimensions of business and legal risk
Clark Hill PLC

Editor: Mark Williams
Associate Editor: Fraser Tennant
Staff Writer: Richard Summerfield
Publisher: Peter Livingstone
Publisher: James Spavin
Production: Mark Truman
Design: Karen Watkins

Risk & Compliance
Published by Financier Worldwide Ltd
23rd Floor, Alpha Tower
Suffolk Street, Queensway
Birmingham B1 1TT
United Kingdom
+44 (0)845 345 0456
riskandcompliance@financierworldwide.com
www.riskandcompliancemagazine.com
ISSN: 2056-8975

© 2016 FINANCIER WORLDWIDE LTD
All rights reserved. No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers. Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or omissions, nor for any claims made as a result of such errors or omissions. Views expressed by contributors are not necessarily those of the publishers. Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice. Opinions expressed herein do not necessarily represent the views of the authors' firms or clients. Financier Worldwide reserves full rights of international use of all published materials and all material is protected by copyright. Financier Worldwide retains the right to reprint any or all editorial material for promotional or nonprofit use, with credit given.
RISK & COMPLIANCE Jan-Mar 2016

CONTENTS (continued)

079 PERSPECTIVES
Why isn't ERM more of a team sport at your organisation?
FiscalDoctor

082 PERSPECTIVES
Belling the black swan: preparing for extreme events
AIR Worldwide (a Verisk Analytics business)

086 PERSPECTIVES
The Iran nuclear deal: sanctions relief brings compliance challenges
Miller & Chevalier Chartered

091 PERSPECTIVES
Buy American vs. Buy America: what a difference an 'n' makes
Peckar & Abramson

094 MINI-ROUNDTABLE
The role of the board in tackling cyber risks
Zurich

102 PERSPECTIVES
Mandatory regulations for cyber security: do they work?
Internet Security Alliance for Europe (ISAFE)

106 PERSPECTIVES
Taking the risk out of the digital revolution
CoreStream

110 PERSPECTIVES
Three actions you can take now to prepare your programme for the Internet of Things
ISACA

114 PERSPECTIVES
Software and cyber security: the new keys to corporate governance in the auto industry
MetricStream

117 PERSPECTIVES
Cyber attack on JPMorgan Chase: hacking as a business model
CLT3 Consulting, LLC

120 MINI-ROUNDTABLE
Complying with European data protection legislation
GRG; Norrbom Vinding; PwC

131 PERSPECTIVES
Consequences and options for EU-US data transfers in the post-Schrems world
King & Spalding

136 MINI-ROUNDTABLE
Mitigating and managing corporate fraud in the Asia Pacific region
EY

146 PERSPECTIVES
Leniency agreements in Brazil
KLA Koury Lopes Advogados

150 PERSPECTIVES
How to lose friends and alienate clients in e-disclosure
Epiq Systems

154 PERSPECTIVES
FATCA: the challenges of complying and the harbinger of the common reporting standard
Sovos Compliance

158 PERSPECTIVES
IRS on the horizon: partnership audit reform in the United States
Ropes & Gray LLP

163 PERSPECTIVES
Top worldwide banks fail to deliver a world class mobile experience
Hewlett Packard Enterprise

166

181 HOT TOPIC
Shareholder activism in the US banking industry
Evercore; FTI Consulting; Innisfree M&A Incorporated; Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

Any time. Anywhere. Any matter of risk.
Global Corporate Compliance
www.bakermckenzie.com

Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional services organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm.

FOREWORD

Welcome to the thirteenth issue of Risk & Compliance, an e-magazine dedicated to the latest developments in corporate risk management and regulatory compliance. Published quarterly by Financier Worldwide, Risk & Compliance draws on the experience and expertise of leading experts in the field to deliver insight on the myriad risks facing global companies, the insurance solutions available to mitigate them, and the in-house processes and controls companies must adopt to manage them.

In this issue we present features on cyber security legislation in the US and on activists in the boardroom. We also look at CEO pay disclosure requirements; addressing board culture; the evolving role of the CEO; ethical challenges in 2016; commodity price risk management; supply chain resilience and accountability; ERM as a team sport; preparing for extreme events; the role of the board in tackling cyber risks; mandatory cyber security regulations; preparing for the Internet of Things; hacking as a business model; European data protection legislation; corporate fraud in the Asia Pacific region; FATCA compliance; mobile banking; shareholder activism in the US banking industry; and more.

Thanks go to our esteemed editorial partners for their valued contribution: Accenture Trading, Investments & Optimization Strategy (ATIOS); Baker & McKenzie; Caldwell Partners; EY; FTI Consulting, Inc.; GRG; Innisfree M&A Incorporated; Norrbom Vinding; Pay Governance LLC; PwC; Zurich Insurance Group; the Chartered Institute of Procurement & Supply (CIPS); the Institute of Chartered Secretaries and Administrators (ICSA); the Information Systems Audit and Control Association (ISACA); and the Internet Security Alliance for Europe (ISAFE).

Editor

FEATURE

CYBER SECURITY LEGISLATION IN THE US
BY RICHARD SUMMERFIELD

Cyber security is one of the key issues of our time. Cyber attacks and breaches are increasingly common, putting a huge amount of data at risk of falling into the hands of malicious actors. From credit card information to social security numbers, to medical records, to private email correspondence, companies are storing more and more data. Consumers furnish online vendors and social media sites with information pertaining to almost every facet of their day to day lives. An attack on a data centre by an ambitious hacker or nation state could have catastrophic consequences for millions.

More must be done to help turn the tide against cyber criminals and protect data. Companies must do more to protect their networks, data and employees from malicious attacks. Third party risks must be countered. Training and education programmes for employees must be run and regularly updated and a culture of compliance established. Companies can and should do more.

In that spirit, more must also be done on a legislative level. Efforts are underway in a number of

jurisdictions to increase cyber security regulations and offer further protections for users and companies alike.

In late October 2015, after a number of considerable delays, the Senate overwhelmingly passed the Cybersecurity Information Sharing Act (CISA) of 2015, a controversial bill intended to encourage businesses to share information about cyber threats with the government by providing them immunity from customer lawsuits. Supporters of the Act claim that the CISA is desperately needed as companies and government agencies look to stave off cyber attacks. By allowing organisations and the government to share information about internet threats, both the public and private sectors will be better placed to react and respond.

The CISA gained considerable support in the Senate, where majority leader Mitch McConnell noted the Act would help protect Americans' most private and personal information and would do so by "defeating cyberattacks through the sharing of information since it contains modern tools that cybersecurity experts tell us could help prevent future attacks against both the public and private sectors". Yet despite the optimism among lawmakers, the Act has caused unease elsewhere. Civil rights groups, for example, feel it will do next to nothing to help address the real issues facing companies operating in today's business environment.

The CISA, which has been more than four years in the planning, has received significant backing from some industry groups and lawmakers in the US. However, many within the tech industry have spoken out against it, including Apple, Twitter, Reddit and Wikipedia. The Computer and Communications Industry Association (CCIA), which represents tech giants such as Google, Amazon, Facebook and Microsoft, has urged the Senate to make improvements to the bill. The CCIA supports the intended goal of the Act, which is to help fight cyber crime and terrorism, but not its current form, which it says would enshrine in law ineffective cyber security policies and infringe on the privacy of users. "CCIA recognises the goal of seeking to develop a more robust system through which the government

and private sector can readily share data about emerging threats," the group noted in an open letter. "But such a system should not come at the expense of users' privacy, need not be used for purposes unrelated to cybersecurity, and must not enable activities that might actively destabilise the infrastructure the bill aims to protect." The group believes that the privacy of Americans would be greatly eroded by the Act's passage. Similar complaints are common in the UK, where the government's Investigatory Powers Bill, known colloquially as the 'snoopers' charter', has been derided by industry experts and the general public. There are feelings in the UK tech industry that the Bill will make data encryption harder, and weaken organisations' defences against attack.

Features

The CISA provides the private sector with new liability protection for monitoring its own networks or those of their customers, sharing or receiving cyber threat indicators and defensive measures, and operating defensive measures for cyber security purposes.

Following its acceptance in the Senate by a vote of 74-21, the CISA will now enter into conference with the already ratified House Intelligence Committee and Homeland Security Committee bills, which have been combined into a single bill. The Protecting Cyber Networks Act was passed by the House on 22 April 2015, and the National Cybersecurity Protection Advancement Act passed the House the following day. The three Acts share a number of similar features and the Senate's willingness to pass legislation of this nature reflects a growing appetite in the US to reinforce cyber security provisions. Attacks such as those on Target, Sony, Ashley Madison and others have helped to bring the implications of neglecting cyber security to the fore.

The CISA provides certain legal protections to private entities that share cyber threat information as well as safeguards intended to protect civil liberties. Under the terms of the CISA, prior to sharing information with the government, the private sector must identify and remove any personal information not required to identify the threat and the federal government must perform an additional scrub of personal data. The Attorney General and Secretary of Homeland Security will draft and issue guidelines detailing the manner in which personal information is to be removed.

The Act would allow companies and government agencies to share data about the signatures left by hackers. These signatures will allow organisations to see where attacks came from and what their code looks like. Developments of this nature may, in the long term, prove quite useful.

Yet the CISA's impact on cyber security legislation in the US is still questionable. "The impact of CISA is dependent on the number of entities that participate in the information sharing programs, the type of

information shared, how widely this information is disseminated, and what entities do with this information," says Jared Bomberg, an associate at Hogan Lovells. "It's not yet clear how many entities will participate or how information will be shared or utilised. The hope is that CISA paves the way for a dynamic and robust threat information sharing programme."

Criticisms

Criticism of the Act has been varied and plentiful. A number of privacy advocate groups have voiced their dissatisfaction. The involvement of the Departments of Homeland Security, Justice and Defence, as well as the Office of the Director of National Intelligence, in the drafting of the Act has angered some privacy groups. As a result, the Department of Homeland Security is now required to notify individuals if their personal data was not properly removed. Indeed, the main criticism of the Act is that it fails to protect individuals' privacy. "The definition of 'cybersecurity threat indicators' is a point of contention, as is the standard by which entities must strip personal information from the data shared," says Mr Bomberg.

A further concern has been the speed of change within cyber space. Four years is a long time in the world of technology and cyber security, and many features of the CISA close the stable door after

the horse has bolted. Since the Act was initially proposed in 2011, hackers and cyber criminals have become more sophisticated and resourceful. Some are, of course, backed by nation states.

"The proposed legislation would have done nothing to protect Sony from the attack in 2014, nor prevented the loss of the security records of 22 million Americans following the hacking of the Office of Personnel Management. We are talking about feel-good legislation," said Senator Ron Wyden, who has long been a critic of the bill because he maintains it does not do enough to protect the privacy of information shared by companies. "It would not have prevented any major hacks."

Greg Nojeim, the Centre for Democracy and Technology's senior counsel and director of the Freedom, Security and Technology Project, noted, "The passage of CISA is a huge step backwards for privacy rights in the United States. Now, more personal information will be shared with the NSA and with law enforcement agencies, and that information will certainly be used for purposes other than enhancing cybersecurity."

The language contained within the CISA could also potentially undermine existing privacy laws. According to a letter from the Department of Homeland Security's deputy secretary Alejandro Mayorkas, "While the CISA seeks to incentivise non-federal sharing through a DHS portal, the bill's authorisation to share with any federal agency 'notwithstanding any other provision [of] law' undermines that policy goal, and will increase the complexity and difficulty of a new information sharing programme."

International concerns

In the wake of the Snowden revelations there is considerable consternation among international tech users regarding the sharing of data with the US government. Many opponents of the CISA consider it to be a surveillance bill in cyber security clothing. To that end, an amendment was tacked on which would grant European Union citizens similar privacy rights enjoyed by US citizens under the Privacy Act. This move was designed to repair relations with Europe over the Snowden disclosures.

For multinational companies, the decision to share data is entirely voluntary. The European Court of Justice's decision to strike down the safe harbour agreement was notable. Safe harbour allowed 5000 US and EU tech companies to self-certify that they were transferring and processing the data of EU citizens in compliance with EU privacy standards. Given the ruling in the EU, the passing of the CISA could further strain the relationship between the US and Europe over data security and derail attempts to reboot safe harbour.

Moving forward

Where cyber security legislation in the US goes from here is difficult to predict. Although there is an

appetite for strengthening cyber defences, no clear consensus is forming among lawmakers.

The number of connected devices is due to explode in the years ahead, thanks to the proliferation of the Internet of Things, wearables, the cloud, and others. Now is the time for a wide-ranging piece of cyber security legislation. But Mr Bomberg believes that such a Bill looks unlikely at the moment. "With respect to the other cyber security measures in Congress, there are no signs that a comprehensive or technology-specific cyber security bill will pass anytime soon. We have not seen widespread bipartisan agreement on the current proposals or plans for a vote in either chamber. Barring an unforeseen change, I expect these issues to continue to be a focus of Congressional Committees rather than the chambers as a whole," he says.

Amendments to the CISA to address any issues with the Act seem unlikely, particularly given that the Senate has already rejected a number of privacy-related amendments, which will make it difficult to adopt similar positions through the conference committee process. Given the sophistication and tenacity of the modern cyber criminal, it would be prudent for both the public and private sectors to get on the same page. For the sake of organisations and their customers, the nation's lawmakers must get their house in order.

EY advertisement (2015 infographic; only the captions survive): "Fraud prevention now goes beyond compliance and impacts recruitment, talent retention and growth." Panel captions: "to work for companies involved in corruption"; "Anti-bribery/anti-corruption policies in place but have little impact on employee behavior"; "mitigation misplaced"; "to be ready for cyber attacks". © 2015 Ernst & Young LLP. All Rights Reserved. APAC No. 12000486. ED 0517. UEN T08LL0859H

FEATURE

ALLYING WITH THE ACTIVISTS IN THE BOARDROOM
BY FRASER TENNANT

The corporate boardroom is an arena like no other. Populated by an organisation's top echelon, it is the scene of complex deliberations and determinations, the sanctity of which is expected to remain inviolate. Accordingly, should a rogue element be introduced into this rarefied environment (an activist shareholder, say), the potential for disruption is obvious. Yet this is a scenario that is increasingly coming to pass, with activist shareholders reaching the summit of an organisation by winning proxy challenges or obtaining settlements that allow them to designate a member of the board, and sometimes more.

Although historically a US phenomenon, in recent years the issue of activists acquiring influence in the boardroom has become more prevalent across the world. Figures compiled by Activist Insight show that, beyond the borders of the US, the number of companies targeted by activist campaigns increased from four to 28 in Asia between 2011 and 2015; in Australia over the same period the jump was two to 57; and across Europe the rate (which has been high for a number of years) was 28 targeted companies in 2011 to just under 50 in 2015.

"Over the last three years the number of activist campaigns has grown dramatically worldwide," confirms Josh Black, a spokesman for Activist Insight. "Activist investors are now driving many of

the foremost priorities for public companies, from buybacks to margin improvements or M&A. If issuers are not regularly reviewing these options there is a high probability that they will be pushed to do so by a shareholder before long, whether current or new to the share register."

PwC's 2015 Annual Corporate Directors Survey, 'Governing for the long-term: Director Communication and Shareholder Activism', notes that the shareholder activism environment has intensified over the last 12 months, evidenced by an increase in the total number of proxy contests and settlements in which activists acquired board representation, and is an issue that is extensively discussed at board level.

Indeed, when an activist arrives at the top table, boards must be up to speed on the myriad legal, operational and cultural issues that need to be considered, as well as having a thorough appreciation of the potential impact an activist can have on their organisation's long-term strategies and alternatives.

Whether such an event proves to be a short, medium or long-term concern, the need to accommodate the views of newcomers can be a game changer for extant board members and, more often than not, a most unwelcome addition to the agenda.

Preparing for an activist

As Activist Insight attests, in recent years there has been a substantial increase in the number of activist shareholders becoming or designating board members, a scenario ripe with disruptive possibilities as boards, by and large, are unprepared for such an eventuality coming to pass.

An activist incursion, according to Dr Alexander Stein, founder of Dolus Advisors, a US-based consultancy specialising in human factor dynamics in fraud, risk, and corporate governance, is a textbook conflict situation: two parties desire (or appear to desire) different outcomes. One, the board, is established and cohered, settled in its purpose and its relationships; the other is an interloper, to be shunned and feared due to trespass and (assumed) disruptive or destructive intent.

Despite the apparent poison inherent in this 'us and them' scenario, there are, says Dr Stein, a number of useful precautionary steps that can be taken by boards to help mitigate the chances of a combative future. "The first is recognising that preventative maintenance is invariably better than triage," he suggests. "Another is voluntarily engaging a specialist adviser to deliver a governance audit to evaluate the board's strengths and weaknesses, ideally before an activist is at the door. This should include reassessing its mission, functioning, decision-making processes, governance

philosophies, structure, policy track record and rationales for membership."

Across the Atlantic, UK activist activity, while minuscule in comparison to the US, has nevertheless been on the rise for many years, with activist campaigns encompassing a range of strategies and methodologies. "What has changed recently is the way activists use the media to campaign and win support," reveals Oliver Parry, senior corporate governance adviser at the Institute of Directors.

"As we saw in the case of Elliott and Alliance Trust [activist hedge fund Elliott forced change at Alliance Trust, one of the UK's largest investment trusts] it can ultimately pay off. Companies need to be willing and able to engage with activists early on, since a long drawn out and public dispute helps nobody. Simply because they are activists does not mean they are the devil incarnate. Boards should not write off everything activists suggest without considering their proposals," he adds.

A productive relationship between company boards and activists is a necessity and a scenario that the PwC research backs up. According to the 2015 PwC Survey, 49 percent of directors stated that they had held extensive board discussions about activism, up from 43 percent in 2014. Furthermore, those who had experienced activist interaction rose to 32 percent from 29 percent during the same period. Interestingly, the survey also found that activist interventions in 2014/2015 frequently demanded that boards shift away from the company's agreed-upon strategy and become focused on improving the company's market capitalisation.

Challenging the sanctity of the board

One of the initial ways in which an activist disrupts the established order is through the impact their appearance has on long-held assumptions surrounding the sanctity of the boardroom: in the main, board deliberations and confidentiality obligations. For company boards long accustomed to doing things their own way with perhaps negligible opposition, the extent of the disruption cannot be underestimated.

"Many activist shareholders have contributed to their collectively acquired reputations, not just as disrupters but as agitators," says Dr Stein. "Often, they are wolves in a hen house, intent on advancing agendas intrinsically misaligned with or indifferent to the board into whose ranks they have insistently muscled." That said, it stands to reason then that a defensive and protective board will attempt to do whatever is necessary to fend off the unwelcome attentions of an activist, or as Dr Stein puts it: "Like white corpuscles mobilised by an organism's autoimmune system to fend off infection."

As to how this will be achieved, the PwC survey reveals that a substantially greater number of directors are now focusing their attention on protecting their company's strategy against activism. Indeed, 55 percent have indicated that their boards are reviewing strategic vulnerabilities that can be targeted by activists, with more than one-third having engaged third parties to provide advice on how to handle the issue.

"There has been an uptick over the last year in the percentage of directors who say their board has interacted with activists," says Paula Loop, leader of PwC's Center for Board Governance. "As a consequence of this increased engagement, one-in-five directors say their company changed the composition of their board as a protective measure. Additionally, the PwC survey found that larger mega-cap companies are the ones that are more likely to be taking actions related to activism, at a rate 20 percent higher than small-cap companies."

Managing the integration process

When a newly-appointed activist joins the board, he or she is of course likely to have a different perspective from extant board members. Therefore, managing the initial integration process is a fundamental concern, as is the need to effectively oversee interactions between the activist and other board members going forward.

The entrance of a new board member who espouses different perspectives is a potential opportunity, suggests Dr Stein. "It can be an inflection point for a progressive developmental shift, heralding a reconsideration of standard operating procedures and entrenched policy-making, and bringing fresh life and renewed vigour to stagnant group-think. The pivot question can be distilled to: is the board sufficiently flexible to accommodate different perspectives or does it reflexively object to change on principle?"

Taking a pragmatic approach to the situation may be the best policy. "If activists succeed in getting a seat on the board, it is in the interests of shareholders and the rest of the board to work with them. There is no point continuing to fight the battle against them when they are sitting round the table," says Mr Parry. "A board should speak with one voice. The principle of collective responsibility remains in UK corporate governance. With activism here to stay, boards should accept and embrace it where they can, rather than fight against it. Interests will not always be aligned, but there is often some common ground and, ultimately, both parties must remember that shareholders come first."

Activist prevention

Given the multitude of potentially acrimonious routes that an activist may have taken to secure a place in the boardroom, there is a strong possibility that the individual may prove to be a less than suitable fit, culturally and analytically.

ALLYING WITH THE ACTIVISTS IN THE BOARDROOM

Companies must rebut proposals to put individuals on the board who are not a good fit, says Mr Parry. If necessary, they should rally shareholders in an emergency vote. Shareholders have the final say on board appointments and if an activist wants a seat, they need to win the support of the company's owners.

Over and above the shareholder vote method of removing an activist from the board, there are a number of legal mechanisms and bylaw amendments that companies can adopt to help protect themselves. Concordia Healthcare recently entered into an agreement with a private equity firm which included terms barring the sale or transfer of any of its shares to a list of over 60 activist firms, points out Dr Stein. Concordia also specified the prohibition of the transfer of shares to anyone on the SharkWatch 50, which is a compilation of 50 significant activist investors.

Conclusion

Alliances come and go, and an alliance forged between activists and extant board members is as precarious as they come. Activists may look to advance shareholder resolutions, arrange boycotts and even instigate disruptive media interest, whilst the primary concern of the board is to be a fiduciary and maintain and improve the financial wellbeing of the company. With diverse agendas coming into play, finding common ground between these largely disparate elements is key.

Showcasing the global proliferation of the activist agenda, a survey carried out by FTI Consulting and Activist Insight which quizzed 24 activist firms involved in more than 1200 activist events in 2015 forecasts 2016 as being a busy year for shareholder activists. Eighty-five percent stated that they expect to be involved in three or more activist campaigns over the course of the year.

Ultimately, the aim must be to harness the commonalities and build effective partnerships between the activists in the boardroom and the boardroom status quo, otherwise the balance of power may shift to either extreme, to an uncomfortable and unsustainable degree.


EXPERT FORUM

CEO PAY DISCLOSURE REQUIREMENTS


PANEL EXPERTS

Roger Bivans
Partner
Baker & McKenzie LLP
T: +1 (214) 978 3095
E: roger.bivans@bakermckenzie.com

Roger Bivans, a corporate & securities partner in the Dallas office of Baker & McKenzie, advises clients on all aspects of executive compensation disclosure, including the new CEO pay ratio disclosure rules under the Dodd-Frank Act. Mr Bivans also represents clients in domestic and cross-border mergers and acquisitions, capital markets transactions and securities regulations and corporate governance matters. He is the President of the Dallas Chapter of the Society of Corporate Secretaries and Governance Professionals.

Arthur H. Kohn
Partner
Cleary Gottlieb Steen & Hamilton LLP
T: +1 (212) 225 2920
E: akohn@cgsh.com

Arthur H. Kohn is a partner based in the New York office of Cleary Gottlieb Steen & Hamilton LLP. His practice focuses on compensation and benefits matters, including executive compensation, pension compliance and investment, employment law and related matters. In 2011, Mr Kohn was selected for the National Association of Corporate Directors' Directorship 100, a list of the most influential people in corporate governance and in the boardroom.

John R. Ellerman
Partner
Pay Governance LLC
T: +1 (214) 387 3179
E: john.ellerman@paygovernance.com

John R. Ellerman is a founding partner based in the Dallas office of Pay Governance. Mr Ellerman is an active consultant who advises the compensation committees of Fortune 500 companies. Several of these clients have been served by Mr Ellerman for 15 years or more. Mr Ellerman's clients are principally in the energy services sector; however, he also has clients and relevant experience in the retailing, high technology, general manufacturing, casual dining and financial services industry.

Timothy F. Nelson
Counsel
Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates
T: +1 (617) 573 4817
E: timothy.nelson@skadden.com

Timothy F. Nelson advises public and private clients, including numerous Fortune 500 corporations, on executive compensation and benefits issues. He counsels corporations and individual executives in the negotiation and preparation of compensation arrangements, including employment agreements, option plans and termination agreements. Mr Nelson has represented both purchasers and sellers in a wide variety of corporate transactions, including mergers, asset sales, stock purchases and spin-offs. He has advised clients with respect to potential impact of golden parachute termination agreements, permissible treatment of employee stock options and structure of retention and deal bonus arrangements.


R&C: Could you outline the general principles of the SEC's CEO pay disclosure requirements, and why they are so important?

Bivans: The general principle behind the SEC's CEO pay disclosure requirements is to identify all elements of a CEO's compensation and place them in context to assist shareholders with making informed voting decisions on the say-on-pay advisory votes. Over the years, the SEC has significantly increased the scope of information required to be reported, including the valuation of share-based compensation awarded to the CEO, the identification and valuation of perks and deferred compensation, narrative discussion of the policies and elements of compensation, the use of benchmarking to peer companies, the relation between CEO compensation to the performance of the company and now the relation of the CEO's compensation to that of a median employee. The disclosure of the CEO's aggregate compensation is not new. The new CEO pay ratio rules will now require companies to identify a median employee and calculate the median employee compensation cost in the same manner as used for the CEO compensation.

Nelson: Subject to some limited exceptions, all the employees of the company and its consolidated subsidiaries are to be taken into account in determining the median employee, although the rule provides flexibility in determining precisely how the median employee is identified. Once identified, the total compensation of the median employee and the CEO is generally determined under the usual SEC executive compensation disclosure rules. This disclosure rule is important for several reasons. First, companies will be required to devote substantial time and expense in order to understand the rule, identify and collect the relevant data and determine how best to disclose the information. This process will be all the more difficult because the rule is new and companies will have to develop new procedures and systems in order to comply with it. Second, companies must prepare for the potential reaction to the pay ratio disclosure from investors and their advisers, the press, the company's own employees and others. Because the rule is new, companies can only speculate on how these various groups will react to the disclosure, complicating any attempt to prepare for that reaction.

Kohn: The rule is probably not very important from any perspective (most investors, for example, do not seem interested in the data) but the requirements do raise some important issues. Interestingly, Congress did not state, the legislative history does not suggest and the SEC had trouble discerning, any specific objective for the new required disclosure. The SEC concludes that the rules


are intended to assist shareholders in evaluating a registrant's executive compensation practices, increase transparency and facilitate shareholder engagement. Some labour unions argue that a high ratio generally is indicative of flawed governance, a board of directors that is overpaying senior management relative to the rank and file, but also probably see the requirements as a way to embarrass some companies and executives, and to highlight the issue of increasing income inequality. Many companies see the requirements as creating unnecessary expense, adding to already voluminous compensation disclosure information that is not material to investment decisions and giving rise to frivolous litigation risks.

Ellerman: During 2015, the SEC issued proposed rules and final rules with respect to several provisions of the Dodd-Frank Act, which deal with executive compensation. Two areas of the rules directly address new disclosure requirements for CEO and top executive compensation: the proposed Pay for Performance Disclosure Rules and the final CEO Pay Ratio Disclosure. In setting forth both sets of rules as mandated by Dodd-Frank, the SEC has stated that such disclosures will provide shareholders with information to better assess executive pay for purposes of the shareholder advisory say-on-pay vote. With respect to the Pay for Performance Disclosure requirement, companies will need to provide in the proxy or information statement a table and description disclosing the compensation actually paid to the CEO and the average compensation actually paid for the other top executives. This new table will also include TSR for the company and a peer group over the last five years. The peer group can be the CD&A-disclosed compensation peers. Also, companies will be required to provide a description of the relationship between compensation and TSR. The new CEO Pay Ratio Disclosure requires companies to disclose the median of the annual total compensation of all employees excluding the Principal Executive Officer (PEO) as well as the annual total compensation of the CEO, and the ratio of the annual total compensation of the CEO to the median annual total compensation of all employees. The ratio may be expressed in one of three ways. Assuming that the median employee annual total compensation is $50,000 and that the annual total compensation of the CEO is $2.5m, the ratio may be stated as either 50 to 1, 50:1 or as a narrative description, for example, "The CEO's annual total compensation is 50 times that of the median annual total compensation of its employees". Companies will have the ability to choose a reasonable method to pick the median employee compensation. This includes the ability to use statistical sampling and any consistently-applied compensation-measuring methodology. The term employee is defined to include all employees including all full-time, part-time, seasonal and temporary employees, as well as


all non-US employees. The company will have the ability to exclude a de minimis amount of non-US employees, up to 5 percent of total employees.

R&C: What are the main areas of contention for companies subject to the new rules?

Kohn: The main areas of contention are the unnecessary expense and the potential for misuse of the data. While the cost to generate the ratio might be assumed to be trivial, in many cases it will not be. Many companies will have to supplement their IT systems to permit the pay data for their worldwide employees to be aggregated, in order to determine the median compensation level. Computing the median pay level requires that kind of aggregation, whereas computing the average does not. Though the SEC has specifically noted that the ratio cannot be meaningfully compared across companies, such comparisons will be made by the press and others to make points that are based on the faulty premise that comparisons provide some insight.

Ellerman: The most contentious issue with respect to the CEO Pay Ratio Disclosure is the purpose of the pay ratio disclosure and what it reveals, if anything, about a company's executive compensation programme. In the minds of many, the pay ratio statistic will yield nothing meaningful about the company's executive compensation programme and the alignment of the CEO's pay to company performance, and it is their belief that the disclosure requirement, which was added to Dodd-Frank at the last minute, is nothing more than an attempt to embarrass large public company CEOs and a further attempt to drive down CEO pay in corporate America. Another point of contention is the cost to corporate America to comply with the new disclosure requirement. The SEC has estimated that the aggregate cost for US companies to calculate and report the CEO pay ratio in year one will be an approximate $1.3bn. Most public companies devote more than 25 pages of the current proxy to executive compensation disclosure, and this new requirement will only add to the administrative burden at a considerable expense. Finally, many companies and their investors believe that the new disclosure rule will add nothing to improve the shareholders' knowledge about the company's executive compensation programme and will not be useful to the say-on-pay advisory vote.

Bivans: The CEO pay ratio rules are controversial in that many commentators do not believe that the ratio provides meaningful information to shareholders and that the ratio would be misused by the media and analysts to create false comparisons between companies. The main area of contention is that the process for identifying the median employee remains deeply flawed. While the SEC rules permit companies to exercise reasonable discretion, minor


changes in the methodology can result in large variations in the result. For example, part-time employees and seasonal employees can significantly affect the data pool and produce a misleading result. A company with high usage of seasonal employees during the summer months would produce a significantly different result than a company with high usage of employees during the winter months. Similarly, the compensation of non-US employees as calculated by the SEC rules can vary significantly depending on whether a jurisdiction has a public or private retirement benefits system, among other factors.

Nelson: Stated briefly, companies are concerned with the cost of complying with the rules and the unpredictability of both the results of the calculation and the public reaction to the disclosure. Many companies and other observers continue to feel that the pay ratio disclosure rule has little to do with providing investors with useful information regarding the company and should be repealed. Since that seems unlikely, at least in the near term, companies are beginning to focus on the logistical challenges inherent in collecting the data which will be required in order to comply with the rule. Companies need to establish a process to collect compensation data, which will be expensive and will divert resources away from other tasks. Additionally, the flexibility built into the rule requires companies to make decisions regarding the methodology by which the median employee will be identified. These decisions will almost certainly affect the pay ratio which is ultimately disclosed, but unless the company is willing to run several calculations, those effects will not be known. Companies also understand that the disclosure could pose a public relations challenge which will be further complicated by the flexibility built in to the rule.

R&C: Do the foreign data privacy laws and non-US de minimis exemptions provide much relief to multinational companies?

Nelson: Relief is really the wrong word in the context of the data privacy exception, because


for multinational corporations a lot of work will be required, whether or not the exception ultimately applies. With respect to data privacy, multinational companies must understand the rules in each jurisdiction where the company has employees. This needs to happen soon, because if there is a data privacy issue, the pay ratio rule requires the company to make reasonable efforts to seek an exemption for relief from the rule to permit the collection of the data. Failing that, the rule then requires the company to obtain a legal opinion to be filed as an exhibit with the filing containing the pay ratio disclosure to the effect that, firstly, collection of the information would violate the local data privacy rules and, secondly, an exemption was sought and not obtained. So a multinational company will be incurring legal fees and interacting with local counsel and local regulators even before using the data privacy exception. The de minimis exception could provide some companies which have either a small number of non-US employees or non-US jurisdictions with small numbers of employees, in each case less than 5 percent of the total workforce with the ability to exclude employees without interaction with lawyers and regulators, although even then the company may wish to consider the impact of the exclusion on the pay ratio that will ultimately be disclosed.

Bivans: The two exemptions provide some relief to multinational companies but miss the mark in many significant respects. For example, the foreign data privacy law exemption requires the company to exercise reasonable efforts to obtain or process the information necessary for compliance. As part of its reasonable efforts, the company must seek an exemption or other relief under the applicable jurisdiction's governing data privacy laws. The final rules do not specify how the company must seek an exemption. For example, most data privacy laws include an employee consent exemption. Must companies send requests for consent to all employees? The rules are not clear. Further, the rules require the company to obtain and file a legal opinion but do not address the issue of liability to the company's shareholders. A company may very well find itself in a situation where it has been advised by counsel that collecting the necessary compensation data would violate local data privacy laws but that such counsel is not willing to have its legal opinion filed as an SEC document. The company would find itself between a rock and a hard place. The de minimis exemption provides some additional relief to a company if it finds itself unable to use the foreign data privacy law exemption so long as the number of employees in that jurisdiction do not exceed 5 percent of the company's total number of employees worldwide. But since employees excluded under the foreign data privacy law exemption count against the 5 percent de minimis exemption, it makes a company wonder whether it should go through the time and expense of relying


on the foreign data privacy exemption unless the number of employees in that jurisdiction already exceed 5 percent of the total. As you work through the permutations, you begin to see that the de minimis exemption is really quite limited.

Kohn: The foreign data privacy law exemption requires issuers to apply for relief from foreign regulators and to obtain a legal opinion that using the data will violate foreign law, which in most cases will be impractical. It is unlikely that using the de minimis exemption will materially impact the costs of compliance for most companies.

R&C: What, in your opinion, are the long-term advantages and disadvantages of the CEO pay-ratio rules, as far as investors and the market are concerned?

Kohn: While the ratio of CEO to median employee pay does not provide any real insight into governance, in my view, the relative pay levels among the senior executive team can sometimes provide meaningful insight. Perhaps the requirements will spur compensation committees to engage with shareholders about the more meaningful issue of relative pay levels among senior executives. If it does, that could be a long term advantage for companies, investors and the market. A potentially problematic long term consequence of the requirement relates to changes

in the composition of corporate workforces, in the US and globally. The existence of slow but important trends away from traditional employer/employee relationships and towards the increased use of outsourcing, leased employees and independent contractors, has been widely noted. The SEC's CEO pay ratio rules generally permit the exclusion of non-employees in determining the ratio. While I do not expect companies to move towards such alternative service-provider relationships specifically because of the exclusion of non-employees from the CEO pay ratio disclosure requirements, I would not be surprised if the rules become a minor factor that helps sustain and perhaps accelerate the existing trends in that direction.

Bivans: Other than for a handful of public pension fund and social investors, the disclosure of the CEO pay ratio will have little effect on investors and the market. Some may argue that disclosure of the ratio may help the Board and shareholders assess the potential effect on employee morale. The problem with that is that employees have known the CEO's compensation for years and are readily able to compare the CEO's compensation to their own. If there is a negative effect on employee morale, it is likely it is already present. The real disadvantage is that the media and other pundits will attempt to create charts comparing the ratios of different companies, which may have used different methodologies and have different employee

pools. As a result, these charts will be inherently misleading.

Nelson: Arguably the rules provide an additional data point which could act as a restraint on excessive executive pay, especially at companies where there are other executive compensation issues, such as failed say-on-pay or a pay for performance disconnect. That being said, it remains to be seen whether there will be any real advantages to investors from the pay ratio disclosures. I suspect that among other things the flexibility built into the rules, as well as the differing circumstances that exist among public companies, will make it very difficult to draw useful conclusions from the disclosure.

R&C: What impact do you believe the new requirements will have on workplace morale and job satisfaction levels? What steps can companies take to mitigate the potential downside of pay ratio disclosure?

Ellerman: In today's workplace environment, most employees are aware of their company's executive pay levels and the total pay of the CEO through the annual proxy disclosure of executive compensation. Although most employees do not place much emphasis on or express public opinion about the CEO's total compensation, the new disclosure requirement will heighten the awareness of CEO pay. Of particular concern is the likely press coverage of the new CEO pay ratio disclosures among large and prominent companies and the interest in comparing CEO pay ratio statistics among competing companies in the same geographic or industry sectors. Although we would discourage the use of company to company comparisons, there will be the temptation for many to draw attention to the differences among companies. Our advice to companies is to engage in thoughtful and meaningful communication of the CEO pay ratio statistic to shareholders through the proxy. This communication should be a careful explanation of how the company determined the median employee's annual compensation and how the median value was calculated, whether statistical sampling was used, what assumptions were made, and so on.

Nelson: There has been much discussion regarding how CEO pay ratio disclosure will impact the morale of employees who learn that the CEO's annual compensation far exceeds their own. This concern may be exaggerated, as employees already know their own compensation and have access to CEO compensation disclosures under the existing SEC compensation rules. Accordingly, we would recommend that companies also prepare for the employee relations impact resulting from the disclosure of the compensation of the company's median employee. For instance, how might this


newly disclosed information impact high performing key employees who are being paid below the median? What impact could this disclosure have on ongoing or upcoming union negotiations? Managing the impact of the median employee's compensation may well require a well thought out, organisation-wide communications strategy, necessarily involving employees who themselves may be upset by the disclosure. Clearly, an early understanding of what the disclosure will look like will be useful to prepare for this potential impact.

Bivans: The disclosure of a CEO pay ratio will likely have no effect on workplace morale as employees have known the CEO's compensation for years. That is nothing new. What will become problematic is that half of all employees will now suddenly realise that they are being paid less than the median. It is a normal element of human psychology for people to believe that they live in Lake Wobegon where everyone is above average. The negative effect on employee morale will not fall from the CEO's compensation, which has been a matter of public record for years. The negative effect will be when employees realise that they are below average. Companies will have a challenge to manage that difficult issue.

Kohn: I think that few employees will be surprised at the CEO pay ratio data or react to it. That intuition is supported by at least some recent survey data suggesting that rank and file employees do not consider the fairness of their pay packages by reference to what the CEO earns. A potentially more problematic consequence of the requirement from a morale and job satisfaction perspective arises from the computation and disclosure of the median employee pay level, putting aside entirely the comparison of the median pay number to the CEO's pay level. Companies may find that significant numbers of their employees only now come to realise that their pay is below average at the company, and are surprised and unhappy with that circumstance. That realisation may create a ratcheting-up effect as many employees who


are close to the average negotiate to be paid at least as well as the average. I expect that there will be pressure on human resource executives to proactively communicate and explain their company's pay structures in a way that addresses those reactions.

R&C: Could you explain what steps companies can take to identify their median employee? What kinds of challenges are likely to arise during this process?

Nelson: Initially, the task is going to be one of data collection. That task could itself present a number of challenges, especially if there are non-US employees involved. Who can determine where the data is held and who understands the compensation programmes under which the compensation is provided? Are there legal impediments to the transfer of the data outside of the local jurisdiction? How will the currency conversion be done? What format is the data held in and is it compatible with the company's systems in the US? These types of challenges are very likely to arise at every stage in the process and will require a team that is both empowered to make decisions, and which is mindful of the ultimate disclosure requirement and the impact that the decisions along the way will have on that disclosure.

Kohn: The rules generally provide substantial flexibility in determining the median employee. Companies may use statistical sampling, estimates of pay, or other reasonable methods so long as they are consistently applied, and provided that some disclosure concerning the methodology will be required. Companies may choose any date in the last three months of its fiscal year to determine the covered employee population. The data aggregation exercise is likely for many companies to be the most challenging part of the process. I understand that various types of professional services firms are preparing to assist companies in that effort.


Bivans: It is not likely that companies have the accounting staff and resources to calculate the total compensation of each employee in accordance with the same methodology used to prepare the Summary Compensation Table for named executive officers. The likely methodology will be for companies to analyse base or annual cash compensation to determine the median employee and then analyse that employee's total compensation to determine the number. Challenges may arise if a company does not use a single database to manage payroll. Companies may have grown by acquisition and have several different payroll systems that may not be able to export the data into a single spreadsheet. In that case, companies may consider statistical sampling or another reasonable method to create a more manageable data pool.

R&C: Should a company apply cost-of-living adjustments to employee compensation? What difficulties will arise if a company decides to do so?

Kohn: Companies may generally calculate the ratio using cost-of-living adjustments for non-US employees, and for many companies, using cost-of-living adjustments will have a significant impact on the pay ratio and perhaps impact the inevitable if misguided comparisons between companies. Companies that use this alternative are nevertheless required to disclose the median compensation and ratio without the cost-of-living adjustments applied. The advantage is that the cost-of-living adjusted numbers will be presented first and presumably would be the numbers the media uses when creating the inevitable lists purporting to compare the ratios of different companies. Companies will need to decide whether the additional time and resources necessary to calculate both numbers are worth the perceived benefit.

Nelson: In most cases we do not think the ability to make cost-of-living adjustments will be useful to companies. First of all, there is more disclosure required: the cost-of-living adjustment must be described, further complicating the disclosure as a whole. In addition, the rule still requires the disclosure to include the pay ratio without the cost-of-living adjustment. So the company will be making the unadjusted disclosure in any event. Given those requirements, it is hard to see how in most cases a company will materially benefit from using the cost-of-living adjustment.

Bivans: While at first companies may be attracted to the idea of applying cost-of-living adjustments in situations where there are a large number of employees in a low cost-of-living jurisdiction, or if the CEO sits in a high cost-of-living jurisdiction, the benefits may be quickly outweighed when they are required to calculate and disclose the CEO pay ratio


on an unadjusted basis, but the headline number that will presumably be picked up by the press and others will be the ratio that reflects the cost-of-living adjustments.

R&C: How will the use of staffing agencies, independent contractors and freelancers affect the analysis?

Kohn: Independent contractors, leased employees and other non-employee service providers are excluded from the ratio. For some companies, that exclusion could have a material impact on their disclosed ratio. The law concerning the categorisation of personal service providers as either employees or otherwise in various contexts and for different legal purposes is evolving in the US and in other jurisdictions. For some companies, there could be substantial uncertainty concerning the standards for classifying persons as non-employees for purposes of calculating the ratio.

Bivans: One challenge that may arise is where the company uses a large number of contractors or leased employees. The rules provide relief where the company pays a fee to a management company or employee leasing agency that supplies workers to the company and determines their compensation. The rules are silent where a company uses a large number of freelancers or temporary contract workers that it sources without using a staffing company. In that case, the necessary data won't be located in the payroll records as the workers may be paid through the company's vendor accounts payable system. Companies will need to analyse their staffing practices to identify the pool of data to be analysed.

Nelson: Individuals who are retained as independent contractors or leased employees, but who are employed by independent third parties which determine their compensation, are not employees for purposes of the pay ratio disclosure rules and therefore are disregarded for the pay ratio disclosure. It is worth noting that this exclusion does not address independent contractors who work for themselves, rather than being retained by an independent third party. It seems logical that such individuals would also be excluded from the calculation, but we are waiting to see whether clarification will be provided by the SEC on that question, which is an important one, given the prevalence of individual consultants, unaffiliated with a third party employer.

R&C: Should multinational companies use statistical sampling?

Nelson: The individual circumstances of certain companies may make the use of statistical sampling an attractive alternative to use to identify the pool of employees from which the median employee

34 RISK & COMPLIANCE Jan-Mar 2016

www.riskandcompliancemagazine.com

EXPERT FORUM

CEO PAY DISCLOSURE REQUIREMENTS

will be determined, as is permitted by the rules.

Kohn: The rules give companies substantial

We would remind companies that if such an

exibility in conducting statistical sampling to

approach is taken, there will have to be disclosure

determine the median employee, including the

accompanying the pay ratio disclosure which

ability to determine a reasonably appropriate sample

describes the methodology used in the statistical

size. The approach will likely make the process less

sampling. Each company will have to balance the

expensive for many companies. While there is a

advantage gained in time and resource usage by the

requirement to disclose the material assumptions

use of statistical sampling versus the impact on the

and other aspects of the statistical sampling

simplicity and clarity of the disclosure as a


whole. Investors could react negatively to
what they perceive as an overly complex
method of determining the median
employee, which could raise suspicion that
the company is attempting to manipulate
the outcome.

For some companies, there could be


substantial uncertainty concerning
the standards for classifying persons
as non-employees for purposes of
calculating the ratio.

Bivans: The answer depends on


how integrated the companys payroll
databases are. If the company can
determine the median employee with

Arthur H. Kohn,
Cleary Gottlieb Steen & Hamilton LLP

relative ease, then statistical sampling


would not be necessary, particularly in cases where

approach, which could add to litigation risks, I think

the employees cash compensation is relatively

that sampling will likely be an attractive alternative

similar to the total compensation. Where there

for many companies.

are multiple payroll databases to analyse or large


variations between total compensation and cash
compensation, then companies may want to explore
statistical sampling or another reasonable method of
identifying the median employee.

www.riskandcompliancemagazine.com

R&C: With two years to go until the


expected date of compliance, what
advice would you give companies in
terms of managing the countdown? What
steps should they take now to establish

RISK & COMPLIANCE Jan-Mar 2016 35

EXPERT FORUM

CEO PAY DISCLOSURE REQUIREMENTS

necessary processes and keep related


costs in check?
Bivans: The rst step will be to assess the

this exibility does not solve the computing problem,


which can be substantial for large global companies.
Nelson: The best advice would be to start now.

companys payroll records and workforce

Before the disclosure can be done, the data will need

composition to determine how the data will be

to be collected. And before the data can be collected,

gathered and processed. This exercise will require a

companies are going to need to understand where

multidisciplinary team of HR, IT, legal and accounting.

the raw data resides within their organisations and

If the company intends to rely on the foreign data

what impediments such as legal and logistical

privacy law exemption, it will need to engage counsel

there are to collecting it and understanding it. There

soon to begin considering the issues, seeking

could be legal issues, IT obstacles to overcome and

exemptions where available and determining the

any number of other challenges which may not be

form and scope of any legal opinion to be led. If

evident until the process is commenced. Participation

multiple payroll systems are involved, IT may need

by employees from different functions within the

to assist to determine the best method of exporting

company will be a necessity, so resource allocation

the data in a common format and validating the

will be an additional challenge. It will also be

technology, software and integrity of the data. If

important for the company to have as much time as

the company intends to use statistical sampling or

possible to be able to prepare for potential reactions

another reasonable method, it may need to engage a

to the disclosure. The CEO will want to know what

statistician or similar consultant to help it develop the

the disclosure will look like, as will the compensation

appropriate methodology. In other words, there is a

committee, the investor relations staff and the head

lot of work to be done now that should not wait until

of HR.

the transition period has expired.


Kohn: Companies that utilise multiple payroll
systems should begin to consider how they can

R&C: What nal piece of advice can you


offer to companies on managing the full
range of pay disclosure requirements?

merge the data from those different systems in order


to identify the median level of pay of their employee

Ellerman: Our advice to corporate clients is

population. The SEC has given businesses reasonable

for the company to make every effort to comply

exibility in dening pay for this purpose, though

with all shareholder reporting requirements with


thorough, thoughtful and comprehensive disclosures

36 RISK & COMPLIANCE Jan-Mar 2016

www.riskandcompliancemagazine.com

CEO PAY DISCLOSURE REQUIREMENTS

EXPERT FORUM

about the companys executive compensation

looking at the methodology with hindsight, a well

programme. Todays corporate proxy statement

documented approach similar to that used by the

contains considerable information and data about

SECs Division of Economic and Risk Analysis could

a companys executive compensation programme,

provide signicant relief when trying to solve for

and it is to the shareholders benet to make

the troublesome data collection and analysis issues

this information as clear as possible. For many

by excluding certain pools of employees from the

companies, this means using tables, schedules and

calculation. Finally, the SEC rules do not preclude

graphs to augment their disclosures beyond the

a company from including supplemental data. If a

tables required by the SEC. We do not advocate

company does not feel that the prescriptive SEC

splashy and superuous charts and graphs, but we

rules produce a meaningful result, the company is

do nd certain disclosures to be more meaningful if

always free to provide a supplemental ratio so long

reported in a table or schedule format. We further

as it is not materially misleading and its methodology

encourage our clients to use executive summaries

is clearly explained. For example, a company with a

for purposes of highlighting key policies and practices

large number of part-time or seasonal employees

about company compensation programmes and

may want to consider preparing a supplemental ratio

company performance as a meaningful way to

that annualises their compensation on a full-time

enhance disclosure. The new disclosures may result

equivalent basis to achieve an apples-to-apples

in an additional four or ve pages of disclosure in

comparison. In the end, once the company has

future proxies, and companies should begin next

control over its payroll data, compliance with the

year in drafting potential additional disclosures in

disclosure rule should not be too troublesome. How

anticipation of the new requirements.

it manages the feeling of employees who suddenly


discover they are below average in compensation is

Bivans: Companies should not let the tail wag the

a different matter.

dog. Companies need to be able to structure their


compensation programmes to motivate and reward

Nelson: We would encourage companies to

positive behaviour and to do so under the maze of

strive for simplicity in the manner in which the ratio

employee laws facing a multinational company. Some

is calculated, which will lend itself to simplicity in

companies with difculty qualifying for the various

the disclosure surrounding the calculation. The

exemptions may want to do a statistical analysis

use of exceptions and the utilisation of a complex

to determine if another reasonable method can

methodology for determining the median employee

be used to bridge the gap. While the SEC would be

will require explanatory disclosure. Returning to the

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Jan-Mar 2016 37

EXPERT FORUM

CEO PAY DISCLOSURE REQUIREMENTS

public relations consequences of the disclosure,

criticisms surrounding the methodology is well worth

there is a risk that an overly complex calculation

striving to avoid.

methodology itself could yield criticism from


employees and investors, who could view the

Kohn: First, reach out to appropriate

complexity as a nefarious effort to manipulate the

constituencies, including particularly large

outcome. In such a circumstance, a company could

shareholders, to ensure that they understand the

nd itself under re for not only the ratio itself, but

compensation committees priorities and strategies.

also for the methodology. I would suggest that a

Second, spend the time and effort to ensure that

scenario where investors have follow up questions or

disclosure is carefully tailored to minimise litigation


&
risks RC

38 RISK & COMPLIANCE Jan-Mar 2016

www.riskandcompliancemagazine.com

PERSPECTIVES

NEW RULES CONCERNING THE CLAWBACK OF INCENTIVE-BASED COMPENSATION FOR US LISTED COMPANIES
BY ARTHUR H. KOHN AND MARY ALCOCK
> CLEARY GOTTLIEB STEEN & HAMILTON LLP

On 1 July 2015, the Securities and Exchange Commission proposed rules requiring companies listing securities on a securities exchange to adopt and enforce clawback policies. These policies will dictate the rules for recovery of excess incentive-based compensation paid to executive officers in the event of accounting restatements. Generally, compensation is subject to clawback if it was paid on the basis of the achievement of a financial or shareholder return target, and the degree to which the target was achieved was misunderstood because of incorrect financial reporting.

Many companies already have in place clawback policies and others have been anticipating the SEC's rules for some time, since they were mandated by the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act. Since the new rules are limited to the accounting restatement context, they are, in an important respect, narrower than the policies that many companies have already adopted.

There are a number of noteworthy aspects of the proposed rules. Firstly, the proposed rules would implement a 'no fault' approach to clawbacks. That is, the proposed rules would apply to all individuals who served as an executive officer at any time during the performance period related to the incentive-based compensation in question, even if the person had no responsibility for the circumstances giving rise to the accounting restatement and even if the person is not serving as an executive officer at the time recovery is required.

Secondly, the proposed rules generally would not apply to options, restricted stock and RSU awards that are subject only to time-based vesting requirements (or other targets that are neither financial metrics nor based on shareholder return). An exception comes into play, and the clawback policy would be required to apply, if the number of options, restricted stock or RSU awards that were granted was based on the achievement of financial or shareholder return targets. While we do not expect a significant shift toward time-vested awards as a result of the implementation of the clawback policy requirement, clawback considerations could impact granting practices at the margins.

Perhaps the most important aspect of the proposed rules is the very limited extent to which they give directors discretion to exercise business judgment about the timing and manner of pursuing clawback of erroneously paid compensation. That part of the rules could have meaningfully adverse consequences to companies and shareholders in some circumstances.

The proposed rules provide that a company's policy must require recovery of erroneously awarded compensation, except to the extent that the compensation committee, or a majority of independent directors serving on the board, determines that recovery would be impracticable either because it would impose undue costs on the company or it would violate home country law. For this purpose, only the direct expense paid by the company to a third party to assist in enforcing the policy (i.e., for the most part, out-of-pocket legal fees) may be taken into account in determining whether undue costs would be incurred. In addition, before a company can conclude that recovery would impose undue costs, it must make a reasonable attempt to recover the excess compensation and provide documentation evidencing the reasonable attempt to the securities exchange. Before a company can conclude that recovery would violate home country law, it must provide an opinion of home country counsel to the securities exchange stating that recovery would result in a violation of a law that was adopted prior to the publication date of the proposed rules.

There is no exception for de minimis amounts. The proposed rules provide that the company may exercise discretion in determining the means of recovery, such as by cancelling unvested equity, offsetting amounts otherwise payable to the executive officer, or reducing current compensation owing or future incentive compensation, if those means are available and provided that it acts reasonably promptly. However, if repayment by the current or former executive officer is the only available means for recovery, the directors have very little choice other than to pursue a prompt recovery.

This aspect of the proposal provides much too little deference to the directors of a company to determine when recovery is in the best interest of the company and its shareholders. Shareholders and corporate law entrust the directors of a company with substantial discretion to manage the business of the company, and there is no overriding policy or other reason that such discretion should be so severely constrained in connection with the very narrow issue of clawback determinations resulting from an accounting restatement.

Most specifically, a company should be permitted to exercise its discretion to delay enforcement of the recovery policy when the risks arising from immediate enforcement would be likely to result in harm to the company that would exceed the potential benefit of recovery. That assessment of risk should be independent of the legal cost of recovery efforts. For example, a board of directors should be permitted to exercise judgment and discretion to cause a company to delay enforcement of its recovery policy when the directors reasonably determine that an attempt to enforce the policy may have a materially adverse impact on the company's defence of a securities class action claim arising from the accounting restatement. An adverse impact could arise in that context for various reasons, including because the cooperation of an executive officer, or former executive officer, may be critical in defending the claim, but the person's cooperation may be called into question if the company pursues a recovery claim against him. An adverse impact could also arise if a company is required to quantify the extent to which the accounting restatement impacted its stock price for purposes of its clawback claim, when its litigation strategy in defending the class action might be to wait for the plaintiffs to quantify their asserted damages.

More generally, a company's board of directors is in the best position to understand the facts and circumstances that might make an attempted recovery of compensation at a particular time prudent, or not. Comparing the potential harm of an inflexible mandate to the regulatory and policy risks of providing directors with customary discretion in these matters leads clearly to the conclusion that the SEC's rules should defer to the good faith judgment of directors as to the timing of pursuing a recovery.

Arthur H. Kohn
Partner
Cleary Gottlieb Steen & Hamilton LLP
T: +1 (212) 225 2920
E: akohn@cgsh.com

Mary Alcock
Counsel
Cleary Gottlieb Steen & Hamilton LLP
T: +1 (212) 225 2998
E: malcock@cgsh.com

PERSPECTIVES

ADDRESS BOARD CULTURE TO MITIGATE RISK
BY SIMON OSBORNE
> ICSA

Proving a direct correlation between poor boardroom culture and business failure is not an exact science, but increasingly commentators are concluding that there is a link between the tone that is set at the top and how well a company fares. So how does boardroom culture affect organisations, and what is the risk of failure if the culture at the top stinks?

When things go wrong, it is often the chairman or chief executive officer who falls on their sword, but they may not be entirely to blame. Fred Goodwin, former CEO of RBS, has been pilloried by the media and almost exclusively blamed for the entire UK banking crisis, but the board went along with him and the majority of shareholders signed off on the proposals that were put to them. True, market conditions were considered favourable and the banking crash unforeseen at the time, yet with hindsight the point is not 'what if the deal with ABN Amro had been made a few years earlier?', but how he managed to convince people to pursue his dream of banking supremacy in the first place.

Constructive challenge is key

RBS is a good example of what can go wrong when a CEO is not sufficiently held to account by the board. Presiding over the largest annual loss in UK corporate history is not just a question of bad timing. Rumour has it that Mr Goodwin's personality was such that nobody felt able to challenge his opinion and if they did their voice was drowned out by the sheer force of his personality. The success of a board is undermined when directors are unwilling to listen to others, so it is essential that all board members practise the art of listening and participate in genuine conversations to ensure that a measured approach can be taken. A good boardroom should be a place of constructive challenge, not a shrine to the cult of personality.

The same could be said of the UK charity group Kids Company. Had the charity's founder Camila Batmanghelidjh not been such a force of nature, it is doubtful that the government, celebrities and members of the public would have bankrolled the organisation to the extent that they did without hard evidence to back up its claims. As Miles Goslett wrote in the Spectator last year, 'charm is no substitute for transparency... if you're too well connected for anyone to criticise you, if you're always pulling strings, you risk losing transparency and therefore accountability however well intentioned you are'.

The trouble with organisations that live in the shadow of one person is that their boards become ineffective. The key to avoiding this is to ensure that there is a sufficiently robust boardroom culture in place to keep large egos in check, a proper sense of what will benefit the organisation, an appropriate organisational culture and the entrenchment of this culture throughout the organisation. It is the chairman's role to lead the board, control any dominant personalities, and ensure an appropriate culture in the boardroom.

When the culture at the top is questionable, however, there is a major risk that people further down the chain will act inappropriately. There was very little incentive for people to act ethically or prudently in the run up to the banking crisis as the message that they often received from the top said that 'anything goes as long as we turn a profit'.

For people to feel able to raise this type of issue, however, there needs to be open dialogue between the board and the rest of the organisation. There should be a strong whistleblowing procedure in place so that employees feel able to report that matters are not quite right without fear of losing their jobs. Culture is led from the top and boards need to be fully aware of how the culture that they have established is being disseminated throughout their organisation. This is a critical point. It is all very well agreeing on a particular set of values and culture at board level, but they will not influence the culture of the company as a whole unless they are spread throughout the organisation. Furthermore, there should be no incentives which will drive behaviours in contradiction of that culture.

Establish effective boardroom culture

The 'Keys to Success: Nurturing Effective Boardroom Culture' study in the Ivey Business Journal in 2013 found that only 10 percent of organisational failures are due to bad strategic choices. Yet it found 90 percent are the result of poor execution and the failure of management to sufficiently focus the effort, energy and attention of the entire organisation on the achievement of the strategy and each person's contribution to it. Active monitoring and evaluation of strategic priorities in terms of their implementation is key. A boardroom culture that facilitates active listening and is not dominated by more vocal directors can also improve performance.

Diversity of thought is crucial

Boardroom performance and culture can also be improved by ensuring that there is genuine diversity of thought. Most people now hold the view that diverse boards perform better. The Oxford Economics Global Diversity report says that diversity can be key to competitive advantage and others feel that the only way to satisfy diverse customers is to include their perspectives inside the company. Ideally, diversity should bring a rich mix of experiences and outlooks into the boardroom. This can have a significant impact on risk management, governance, employee engagement and customer satisfaction. It can also help companies to remain adaptive and innovative, and can be an essential driver of organisational culture.

Diversity has, to some extent, been hijacked by the gender diversity debate, but replacing white, Oxbridge-educated, middle-aged men with women of a similar profile does not necessarily lead to diversity of thought, nor will it improve board performance.

Thus far there has been an unconscious bias to recruit board members similar in personality and experience to existing directors. Companies need to look to the nomination committee. If it wants to attract diverse talent, the nomination committee needs to request a diverse range of prospective candidates from executive search firms, and executive search firms need to look further afield, outside the usual list of 'safe' candidates that they know the board will be comfortable with. The composition of the nomination committee may also need to be reviewed. Why not appoint all NEDs to that committee so as to gain a more diverse outlook and approach and to safeguard against overlooking the potential contribution of a more diverse set of candidates?

Poor boardroom culture can also lead to a mismatch between the skills on boards and the organisational challenges and priorities they face. Digital, talent management and brand are becoming issues for companies, yet many directors have a finance background rather than a technological, HR or strategic marketing one. Quite often our board evaluation team picks up comments about 'too many accountants on the board'. When you consider the increasing dominance of technology and the advantage it brings to trading, productivity and risk management, a shortage of people with genuine understanding of technology is a concern. This is the sort of issue that can be highlighted by a properly run, independent board evaluation.

Unless companies are prepared to embed a proper culture, one that is reflected throughout the organisation starting with the boardroom, and unless they are prepared to make diversity a strategic priority and to proactively invest in it, their chances of success in the long term may be limited. Businesses sell to people and people are diverse. It is as simple as that.

Simon Osborne
Chief Executive Officer
Institute of Chartered Secretaries and Administrators (ICSA)
T: +44 (0)20 7612 7001
E: ceo@icsa.org.uk

MINI-ROUNDTABLE

M INI-ROUNDTABLE

EVOLVING
ROLE OF THE
CEO

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Jan-Mar 2016 47

EVOLVING ROLE OF THE CEO

MINI-ROUNDTABLE

PANEL EXPERTS
Matthew Andrews

Jodie Emery

Managing Director, Europe

Managing Partner

Caldwell Partners

Caldwell Partners

T: +44 (0)20 3167 2500

T: +1 (203) 324 6400

E: mandrews@caldwellpartners.com

E: jemery@caldwellpartners.com

Matthew Andrews is the managing director, Europe and


a key member of Caldwell Partners Insurance Practice.
Drawing on over 20 years as an insurance industry and search
professional, he has a close understanding of the issues
facing leaders in all sectors of the global insurance industry.
In addition to his numerous chief executive ofcer and other
board level appointments, his background in insurance enables
him to handle senior underwriting and broking roles. He has
worked with the boards of many insurers and brokers in the
appointment of non-executive directors.

Jodie Emery is currently the leader of Caldwells Private


Equity practice, executing searches for both funds and portfolio
companies, assisting with talent assessment, and managing
executive level and board of directors search for life sciences
and healthcare services companies across the spectrum. Ms
Emery earned a BS from Hastings College and an MS in health
care management from Colorado State University. She is an
astute recruiter with strong ties to the investment community
and healthcare with a wealth of knowledge gained from 20
years of operating experience including senior management
and multiple CEO roles.

Glenn Buggy

Peter Reed

Partner

Managing Partner

Caldwell Partners

Caldwell Partners

T: +1 (203) 348 9590

T: +1 (203) 348 9597

E: gbuggy@caldwellpartners.com

E: preed@caldwellpartners.com

Glenn Buggy is the Leader of Caldwells Legal, Risk &


Regulatory Oversight Practice and a Senior Partner in the
Asset & Wealth Management Practice. Mr Buggy has 20 years
of retained executive search experience, having worked in
leadership positions within the nancial services practice of
another global executive search rm. Prior to his career in
executive search, he was a nancial analyst and consultant
within a global investment and nancial services rm, and
a lawyer working with national nancial services clients.
He received his BA from The American University, School
of International Service and his JD from Villanova University
School of Law.

48 RISK & COMPLIANCE Jan-Mar 2016

Peter Reed, leader of Caldwell Partners Insurance Practice, is


a disciplined and focused recruiter with a wealth of expertise
gained from a career devoted exclusively to the insurance
industry. He represents domestic and global companies across
all sectors of the industry, and has extensive experience
working with a variety of private equity rms that have
strategic investments in either startup or turnaround insurance
companies. He is a graduate of Hamilton College and remains
involved in alumni activities, notably as past president of the
Hamilton College Mens Lacrosse Booster Club.

www.riskandcompliancemagazine.com

MINI-ROUNDTABLE

EVOLVING ROLE OF THE CEO

RC: In what way is the role of the CEO evolving in today's business environment? What factors are driving this evolution?

Emery: Social media is one of the biggest changes in the business world and today the demand to always be on is unlike any time in the past. The old days of prepping for prime time are long gone and CEOs have got to be prepared to think, speak and act faster than ever before with a good bet that whatever they do will be tweeted, videoed or recorded. Today's CEO must be very well versed in all aspects of social media and be prepared to handle every meeting as if they were on stage with likes and dislikes ranking them in real time on every move. Today more than ever before, communication is key and a steady constant message repeated over and over is the way to spark the memory banks of employees, clients, competitors and collaborators. Media and instant judgement are here to stay, and using both to your advantage will make the difference, along with positioning and crisp sharp marketing assistance, utilising the latest technology and exquisite branding to remain top of mind with all of the above. There has never been a better time to be a commercial thinking CEO. The marketing team is experiencing prime time as they craft differentiation for your company and show your company's heart. The old elevator pitch has been edited further and CEOs must get the message out to everyone in the company first and make certain that their culture matches their branding and that everyone in the company understands and works together to be on message. Now is the time to deeply understand, study and adjust your culture, and this starts with researching inside and out, and correcting any misperceptions. Then, look at your brand and adjust to make it pop when being compared to competitors and customers.

One of the things that stands out most to me is the notion that CEOs don't have to sell inside their companies. From the moment anyone opens the front door, you are presenting your company, and it is literally shocking to see some of the most hip and hot companies greet visitors with disregard, barely there service and enough to get by. The people visiting your office are potential employees, collaborators and customers. They should have a welcome of epic proportions no matter what they are there to do. Even people who are turned down for opportunities should leave your company thinking you are the most welcoming place they have ever visited. Almost no one does this and it is so simple. People talk and talk, and talk framing what they are saying about you. All employees should be taught to feature their company on every visit inside or out. They are wearing your brand and to wear it well requires training, communication and cultural awareness that they too are always on. All of the most successful companies have a drum beat in their culture and they live it by getting their employees to buy it first and then sell it to others. If your message isn't clear, fix it. And as the CEO, be the example you want people to emulate. Be there in every facet of the business; be the number one cheerleader in your company. You are the most visible person in the company, so be a vision rather than preach a sermon. Show your employees how you want them to act.

Another issue we see often is the lack of enthusiasm as a leader. Praise your people and tell them you have faith in them. Do both as often as you think of it and make sure you think of it often. You cannot do this if you are not engaged in your business and your culture. You will find that by being engaged you will learn more about your culture and how to enhance it. Equally, your team will learn more about you and your passion, and you will create an environment which includes heart, which is the biggest driver a business can have. Reward and showcase performers as an additional message to the troops that this is the type of behaviour you are looking for from each of them. Consistent messaging over and over of enthusiasm, energy and empowerment will energise your team and yourself. While you want your senior team to give a consistent message, you also want to take the lead yourself as CEO. The passion you can share with your team cannot be delegated; the emotion has to come from the top.

RC: What do you consider to be the main challenges facing CEOs?

Reed: Talent, growth, globalisation and technology. Attracting, developing and retaining the best talent in an ever-changing business landscape is a major challenge. Managing the talent's expectations and millennial values and mindset is another. Growth and profitability are key, and the pursuit of such is pushing companies into new markets; the risks and challenges inherent are broad and varied and encompass political, economic, regulatory and reputational complexities. Being astute and culturally aware and facile when it comes to all of these variables and making decisions in the best interest of a company is a significant and constantly evolving challenge. Traditional business models are being disrupted every day by new technology platforms or applications. Finding ways to transform business models in order to better leverage these new technologies allows businesses to make better, more well-informed decisions but it's an expensive endeavour.

RC: In your experience, how successfully are CEOs tackling the challenges posed by megatrends such as advances in technology, demographic changes and worldwide economic fluctuations?

Buggy: Global macro-trends provide a double edged sword for corporate leadership. On one hand, technology and customer access provide unparalleled opportunity for growth. Companies can reach more informed people than previously, creating both opportunities and distractions. The CEO who can best distinguish between the two will have the edge in whatever their business might be. Global CEOs have spent much of the past 10 years trying to connect markets and predict global trends. That worked well for much of the period, but the past two or three years have created such unbelievable global unrest, it is difficult to paint a comprehensive global tapestry that makes sense. Our experience suggests that our client CEOs are executing a number of strategies to account for the regional economic realities around the globe.

Emery: This is a challenging time to be a CEO. The market can turn on a dime with a terrorist event, a changing government, a hacking event. All of these events happen in real time for today's CEO and often it can be a challenge to stay focused. One of the meaningful things a CEO can do is discuss events with their team town hall style, as well as in one-on-one meetings. Again, the need for communication has never been more critical than in our fast changing and challenging world.

Continuous guarding of your business and your information systems is a must. It is time to have backup plans for your backup plans and that includes your technology, your reaction to a threat to your business through potential hacking, as well as what you will do with each and every function during an emergency. With technology terrorists possibly corrupting your systems, disseminating confidential information or shutting down your entire network, CEOs must have a plan for all possibilities. This includes reviewing a worst case scenario for every key function in your company and planning for the event you hope to never have. During this process you can also look at every step and review the necessity and the opportunity to streamline or automate which will improve your business functions during planning. The best CEOs we meet figure ways to disrupt the usual and customary practices and create business opportunities with new and unique ways to do things. The 'in the weeds' review of the routine and the people who make it happen will allow for outside of the box thinking and the opportunity to change the way you do business. It's amazing how impactful it can be to have a conversation with the people levels below and ask how they would improve processes. The same is true with customers and partners; listen and you will have ideas that you would not have if you stay in the pattern of just hearing from the senior people on your team. The most innovative CEOs listen constantly and study emerging trends and opportunities in order to evolve continuously. Another positive way to remain current and utilise megatrends and technology is to have a board of directors with multiple skill sets and large contact bases to help you transform your business.

RC: In your opinion, have talent and skills shortages had an impact on the CEO role? What can CEOs do to maximise the human capital at their disposal? And how important is it to utilise specialist knowledge within any company?

Andrews: In addition to the traditionally competitive areas (top level finance executives, sales and operations), there are now skill shortages in areas no one could have predicted when the current generation of business leaders was being trained. Senior roles in technology, cyber, risk, regulation and other positions have changed the composition of the senior management team, and this will continue to change. For CEOs, the challenge is to anticipate that change and to manage it. At the executive management level, there is an increase in senior executives being encouraged by their boards to take on external board directorships. The attitude has shifted from 'if they have time to consider sitting on external boards, they are not working hard enough' to 'seeing how another business works brings a valuable perspective to our business and is a powerful retention tool'. Most companies involve the application of specialist knowledge in one form or another, either technical knowledge or high level sales or marketing skills. Often the integration of such specialists into the broader management of the business is among the greatest challenges of the CEO. This is not merely a matter of accommodating the specialists. It is also vital to ensure that the techies understand their role in the business and can relate to the wider management team. And vice versa. People with different skill sets are motivated differently. The effective CEO will employ different management styles with different colleagues.

RC: What additional pressures is the regulatory environment placing on CEOs? What does tighter regulation mean for a company's business operations and compliance considerations?

Buggy: Having spent a great deal of time observing the effects of increasingly intertwined global regulations, I'd say the short answer is that for regulated industries, it has taken a complete first position on the desks of its CEOs. In particular, financial services are directed by regulatory requirements, and a firm that does not take those rules and regulations seriously is destined for disaster. Business operations have been turned on their heads by regulatory requirements that mandate accountability and tracking. The compliance requirements within the financial services industry are forcing businesses to decide if it is even worth making the effort. Costs, and an ever changing regulatory environment, create a difficult field on which to play. Compliance has also become a technology play. There are too many man hours required to implement regulatory requirements, so the only way to keep one's head above water is to provide more automation and solutions.

RC: How would you characterise the role of the CEO in today's increasingly global economy? How important is international experience to the evolving CEO role?

Reed: Globalisation has had an interesting impact on the role of the CEO, creating a need for broader perspective and thinking, cultural awareness, and a certain level of adaptability. Communicating, collaborating and negotiating with key internal and external stakeholders in different countries has taken on increased importance, as has recruiting and retaining the right talent to manage growth and profitability in the international markets. Having a CEO and a senior management team with meaningful international experience that reflects the reach and makeup of the organisation's customer base is, accordingly, more important than ever.

RC: How do you envisage the role of the CEO developing going forward? Are there any overarching trends you expect to see?

Andrews: With greater scrutiny comes greater regulatory responsibility, more risk and shorter longevity. Being a CEO is no longer the fun it used to be. In fact, more and more senior executives, faced with the prospect of fulfilling their lifelong ambition to be a CEO, are deciding against it altogether. Why voluntarily take on all that responsibility, regulatory burden and risk when there are so many more attractive options? The top of the tree looks like a very different place for most people than it did when they started their careers.

Reed: In terms of overarching trends, I believe there will be more focus and scrutiny put on a few areas in terms of the selection of, and ongoing performance of, CEOs: track record of driving profitable growth and geographic expansion, the ability to execute in and lead through difficult times, operating excellence, decision-making ability, track record of attracting and developing a strong team, and the ability to challenge traditional thinking and drive innovation.

PERSPECTIVES

KEY ETHICAL CHALLENGES FOR LEADERSHIP IN 2016
BY FRANK C. BUCARO
> FRANK C. BUCARO AND ASSOCIATES, INC

Trust issues, leadership missteps and ethics problems threaten any organisation, impact market value and cause irreversible damage, and it looks like these will continue to be issues in 2016. So, what are the related challenges for leaders? How does one develop moral credibility? How is it manifested on the job?

Moral credibility needs to reflect the qualities of character, trust, empowerment, positive self esteem and, of course, ethics. Moral credibility is the sum total of one's consistent behaviour in the face of challenging decisions and situations that has, as its focus, trust. Moral credibility is modelling and instilling a balanced approach to discernment that is not based on an emotional reaction to a situation. The bottom line is that moral credibility needs to be modelled and observed by all with consistency, communicated beyond words, and authoritative in attitude to be truly real.

When one thinks of truly effective leaders, no matter in what industry or field, being credible, sincere and trustworthy are among those critical attributes that separate them from other leaders.

The need to train in the process of thinking ethically

The process of thinking ethically is different from the process of thinking legally. The process of thinking legally tends to be more like viewing employees as empty vessels that need to be filled up with needed information to fulfil the goal of being compliant. This is necessary, as not everyone understands the legal details and ramifications of a law. This is a focus on the letter of the law and its obedience. Knowledge and its retention are the primary focus.

The intrinsic approach to deeper thinking focused on ethics, values, character and moral decision making is based on the spirit of a law. The focus is not just to educate but empower people to make the right decision based on ethics theory, tools and techniques. These are necessary to internalise and implement ethical thinking in an inherently focused way. Wisdom, its intrinsic importance and relevance are the primary focus. Would a company let someone who is not trained in compliance train others in compliance? What about the process of thinking ethically? Would a company let someone not trained in ethics teach the process of thinking ethically?

Does your corporate purpose foster ethical leadership?

Ethical leaders focus on corporate purpose by engaging people on all levels in dialogue, discernment and process, and multi-faceted, consistent, ethics training options in order to re-emphasise the corporation's common purpose for and with all employees. Rewarding those who have lived out the purpose, mission and values affirms that all employees need to be values advocates for the company.

Shouldn't your ethics and leadership training programmes invest time, energy and inclusion of entitlement as an ethics issue that needs to be dealt with as a priority? Remember that people listen with their eyes and not their ears. It's not what leaders say that people listen to, but rather what they do.

The entitlement quagmire

When one thinks one is entitled to something, how does that change the dynamic of ethical leadership? Is anyone entitled to anything at all? In fact, yes: one is entitled to respect, being treated fairly, being a key consideration in decision making that affects their job, and being treated honestly with transparency and inclusion.

Is what you do in line with your company's values and goals?

Have you accepted and internalised your company's objectives and values? How are the values on which objectives are based communicated? How are they reinforced and is it continual? Do you truly understand, agree and live those values based objectives?

Will the decision result in the right thing being done for the customer?

Will the right thing by the customer be done no matter the cost? Are you truly empowered and encouraged to make the right decision regarding customer relationship building? Is this decision sales based or relationship based? These questions are simple, yet so much about what you believe, what you've been trained to do and why, need to consistently be the focus of how you do your business.

In summary, leaders need to set the tone for a work environment that is positive, inclusive and empowering. Leaders need to model the behaviour they want others to emulate and therefore be the change they want others to embrace. Lastly, leaders need to consistently live the values they preach and promote; then and only then can they expect others to do the same. These are continual reality checks to make sure that what you profess is what you actually do. As you plan your 2016 training objectives, please consider inclusion of these challenges.

Frank C. Bucaro
Values-Based Leadership Expert
Frank C. Bucaro and Associates, Inc.
T: +1 (630) 483 2276
E: frank@frankbucaro.com

PERSPECTIVES

GERMAN D&O POLICIES AS A DECEPTIVE PACKAGE FOR THE SUPERVISORY BOARD?
BY BURKHARD FASSBACH AND NIKLAS RAHLMEYER
> HENDRICKS & CO / FIELDFISHER LLP

Deceptive packaging is the term commonly used to denote product packaging that is intentionally designed to mislead the customer with respect to its contents. Whether German supervisory board members are adequately insured under the conventional D&O policy shall be explored by way of an exemplary scenario drawn from experience.

The supervisory board of a machine engineering company needed to assess the validity of claims against the former chairman of the executive board on the grounds of flawed project planning. According to precedent set by the German Federal Supreme Court, the supervisory board is subject to the duty to independently investigate the viability of a corporation's compensation claims against executive board members. This duty results from its supervisory and monitoring functions. Pursuant to the findings in the claims review report, the company presumably had enforceable liability claims. In cases where such a claim exists, the supervisory board must, as a general rule, pursue these claims. In the example given, it did so by filing complaints demanding millions from the defendants.

As the defence against claims is an essential promise embodied in the D&O policy, the former chair of the executive board, with the assistance of the D&O insurer, opposed the claim. To that end, the insurer provided the defendant chairman with counsel and coordinated the defence strategy with the latter. As part of this strategy, the former CEO proceeded to counterattack and served a third-party notice on the chair of the supervisory board, accompanied by the demand to join litigation on the defendant's side.

As the monitoring of management rests with the supervisory board, any mistake made by management is theoretically susceptible to being converted into a mistake by the supervisory board. Thus, the third-party notice was substantiated in the following way: the impleaded chair of the supervisory board was well aware of the background and motives underlying the decisions that the executive board has made and he has backed and endorsed these decisions. Should the plaintiff prevail against the defendant, then, in their internal relationship, the defendant would be entitled to a recourse claim for contribution against the impleaded chair of the supervisory board. A third-party notice is essential to preserving this potential claim.

By reason of such third-party practice, the supervisory board and its members as the initial hunters become, as the saying goes, the hunted. To be sure, even in the case of a conventional D&O company policy under which executive and supervisory board members are jointly insured, the serving of the third-party notice triggers the policy for the benefit of the impleaded supervisory board members. Together with the insurer they will select counsel and obtain a cover note from the insurer regarding the attorneys' fees. Nota bene, the insurer is identical with the one that previously approved the third-party notice initiated by the executive board member.

The impleaded supervisory board member will most likely want to oppose the key allegations that the supervisory board was adequately and comprehensively informed of the decisions resulting in damage and fully endorsed them. In the above example, a workable means to achieve that goal was the intervention on the side of the plaintiff company (and not on the side of the defendant's former chair of the executive board, as was demanded in the third-party notice).

Consequently, it all boiled down to the dispositive question whether the chairman of the supervisory board was insured under the conventional D&O company policy for his endeavour to intervene in the litigation on the part of the plaintiff company or whether the policy under the specific circumstances of the case turned out to be nothing more than a deceptive package. More often than not, the litmus test produces the following: the D&O insurers deny coverage on the simple grounds that the intervention on the side of the plaintiff company is not a defence measure, thereby precluding coverage according to the insurance contract terms. Ultimately, impleaded supervisory board members will have to settle their attorneys' bills out of their own pockets. Where the amounts in controversy are high, the affected supervisory board members will have to bear considerable costs, particularly as lawyers specialised on executive and supervisory board member liability law bill on an hourly basis. There is nothing else for the supervisory board members to do but to hope that the company will assume the legal fees, at least on a temporary basis. But then, why would a supervisory board member want D&O insurance in the first place?

The above-portrayed third-party notice increasingly shapes the practice in German D&O damage scenarios. This reveals the resulting conflict of interest. The D&O insurer would have to simultaneously represent the conflicting interests of the defendant executive board members and the impleaded supervisory board members. According to precedent set by the German Federal Supreme Court, an insurer shall protect the interests of the insured person in the same way a lawyer retained by that person would do. Thus, the only viable solution is to separate the parties and their representatives.

In order to overcome the conflicts of interest and gaps in coverage, every German company ought to consider taking out separate D&O coverage for their supervisory boards with an independent insurer ('Two Tier Trigger Policy' or 'Twin Tower'). This insurer must be one that is not participating in the coverage concept the company has taken out. The broker's independence, too, is crucial. A separate D&O insurance for the supervisory board reinforces its independence at the level of pursuing claims and should therefore be contemplated as a mandate of effective corporate governance.

Burkhard Fassbach
Attorney-at-Law
Hendricks & Co
T: +49 (0)151 4671 7029
E: fassbach@fassbach.de

Niklas Rahlmeyer
Attorney-at-Law
Fieldfisher LLP
T: +49 (0)211 987 092 0
E: niklas.rahlmeyer@fieldfisher.com

MINI-ROUNDTABLE

COMMODITY PRICE RISK MANAGEMENT

PANEL EXPERTS

Ogan Kose
Global ATIOS Lead
Accenture
T: +44 (0)7795 566 788
E: ogan.kose@accenture.com

Ogan Kose is a managing director within Accenture's Global Strategy Practice and leads its Trading, Investments and Optimisation Strategy (ATIOS) group globally with a primary emphasis on financial structuring, investment valuation, trading, risk management and commercial optimisation. At Accenture, Mr Kose has worked with major resources and products industry players in the US, Europe, Africa and APAC. He is also an adviser to the board of one of the largest integrated utility companies in Europe. Mr Kose previously worked for Enron Corporation in underwriting/corporate structure setup, risk management and derivatives trading groups.

Rory Skrebowski
Americas ATIOS Lead
Accenture
T: +44 (0)7768 302 370
E: rory.o.skrebowski@accenture.com

Rory Skrebowski is a director in Accenture Trading, Investments and Optimization Strategy (ATIOS). Mr Skrebowski focuses on commodity trading, mergers and acquisitions, JVs, growth strategy and quantitative analysis. During his time at Accenture, Mr Skrebowski has worked globally with senior executives across multiple industries including energy, mining, utilities and products. Mr Skrebowski has led numerous strategy transformation projects, market entry and growth strategy development projects. He holds a BSc in Economics from the University of Nottingham, where his dissertation was on energy pricing in pre-liberalised and competitive markets.

Miguel Gonzalez-Torreira
Europe, Middle East and Africa ATIOS Lead
Accenture
T: +44 (0)7855 620 160
E: m.gonzalez-torreira@accenture.com

Miguel Gonzalez-Torreira is a managing director within Accenture Trading, Investments and Optimization Strategy (ATIOS). Dr Gonzalez has worked with senior executives of energy, utilities, petrochemicals and products industry players in the US, and the EMEA region. His primary focus area is in commodity trading, risk management and value chain optimisation, helping clients define their operating models and identify strategic and operational synergies across production, supply, trading, procurement, pricing and marketing of commodity products. Dr Gonzalez has authored several publications on capital projects in the energy and utilities industry, commodity procurement and commercial optimisation.

Xavier Veillard
Asia ATIOS Lead
Accenture
T: +65 9654 2819
E: xavier.veillard@accenture.com

Xavier Veillard is the Asia Pacific Director of Accenture Trading, Investments and Optimization Strategy (ATIOS), which is part of Accenture Strategy. Mr Veillard has worked with natural resources ministries in EMEA and Asia Pacific countries and senior executives from global oil & gas corporations, trading firms and independent oil field services providers advising on market liberalization, portfolio strategy, investments execution and asset-backed trading. Mr Veillard has authored a number of publications and articles on the energy industry covering renewables, clean technologies, coal and oil & gas sectors.

RC: Broadly speaking, how would you describe the commodity price risk challenges facing companies today? How important is it for companies to have sound knowledge of the commodities markets?

Kose: Commodity price volatility has made and broken entire companies over the last few years. Regardless, we still see companies that are totally unprepared for the strategic challenges which can be posed by movements in underlying commodity prices. While the S&P 500 has an annualised volatility of around 20 percent, in 2014 for example, the magnitude of annualised average volatility of corn was 40 percent and wheat was 65 percent, highlighting the significant price risks which need to be managed by buyers, traders or sellers of commodities. Executives want to be more focused on understanding the drivers which shape prices in these markets and how this translates into bottom line performance. The three key areas of focus for us are gaining information about where a company's exposure lies, gaining insight into what shapes these markets and the volatility to which a company could be exposed, and understanding the impact of commodity prices on the bottom line, on strategic goals and on the operating model.

Gonzalez-Torreira: Companies, especially in the soft commodity consumer space, want more information about where their exposure lies. While many manufacturers or consumer goods companies have well defined cost models for their products, by taking it further and developing commodity cost models they realise new possibilities. This has come in the form of more efficient hedging of the commodities they buy and an increased visibility of their aggregated commodity exposure from what were previously disparate procurement categories.

Skrebowski: We also see that many companies are trying to understand the fundamental drivers shaping their business. Forecasting models which previously were highly accurate are now being shaped by unexpected trends, for example, OPEC not defending oil prices, high cost oil being financially unviable, power markets becoming more interlinked and deregulated, and so on. Sometimes executives are so caught up in the day-to-day operations of their business that they haven't yet formulated an approach to these market shifts.

Gonzalez-Torreira: Additionally, some of the world's leading physical commodities still have limited liquidity on financial markets. Coupled with volatility, this maintains complex or limited markets to trade in. As a result, market players still need to carefully manage their approach to contracting, pricing and risk management to ensure adverse volatility or liquidity movements do not penalise their sales or purchases.

RC: In what ways have global patterns of trade shifted in recent years? How should companies go about rethinking the way in which they manage commodity risk in an uncertain market?

Kose: Global patterns of trade have not changed fundamentally in the last few years. We still see many of the same trade flows we did in the late 2000s boom. What has changed, however, is the speed at which impacts ripple through the market. An increasingly connected world, using digital information and communication tools, means that sentiment and demand signals can filter through to market prices incredibly rapidly. Companies need to be agile in their ability to respond and tap into these information flows so that they can take advantage of

Veillard: In South East Asia, new trading markets are developing. We are increasingly seeing new exchanges set up and innovative new financial and physical products being introduced. While the

movement of goods is frequently following familiar

them.

paths, there have been disruptions. Indonesian coal


is now displacing a lot of Australian production, US

66 RISK & COMPLIANCE Jan-Mar 2016

www.riskandcompliancemagazine.com

MINI-ROUNDTABLE

COMMODITY PRICE RISK MANAGEMENT

LNG re-exports or re-directs are starting to arrive

example, with consumer goods companies we

in South East Asia, and China has both increased

sometimes see that energy is treated purely as an

domestic commodity production and reduced its

operating cost and direct exposure is not proactively

demand. This is having a sizeable impact on the

managed through pricing and risk management.

markets. The other thing we see in this region is

Similarly, a number of industrials fail to manage their

these new and increasingly liquid trading markets.

indirect exposures, where, for example, a company

There is some scepticism about these markets

that buys a lot of nished glass products may not

being used by purely nancial players and regulators

quantify the embedded natural gas price exposure

are often on the lookout for what they see as

it is facing. It is only through understanding the

speculation, which we believe has limited liquidity

companys real exposure to market volatility that

growth. However, what it has provided is additional

a company can develop clarity on how much this

price benchmarks which are now increasingly used

volatility truly impacts its business model in terms of

in contracts or to provide spot markets for


distressed stock disposal. The Shanghai
rebar market is a good example of a new
and innovative market lling a space not
occupied by western markets.

RC: What steps should


companies take in terms of
establishing a robust commodity
price risk management policy? Do
they need to consider issues such
as corporate governance aspects
and regulatory standards?

A company that wants to manage


commodity price risk needs
information.

Ogan Kose,
Accenture

margin at risk. Having strong corporate governance


Kose: A company that wants to manage

is critical to ensure that there is a clear strategy

commodity price risk needs information. This

about how price risk should be managed and what

means rigorously understanding and quantifying the

safeguards must be in place to protect margin,

sources of direct and indirect commodity exposures

such as a robust compliance and risk policies,

related to industrial and commercial activities. For

so that adverse price movements do not put an

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Jan-Mar 2016 67

MINI-ROUNDTABLE

COMMODITY PRICE RISK MANAGEMENT

unmanageable strain on the companys balance


sheet.

Kose: One of the key challenges we often observe


is the role that established risk management
concepts are expected to play in managing risk. For

Gonzalez-Torreira: Regulation is an area of

example, value at risk is neither predictive of future

particular interest at the moment as there is a

movements, nor relevant to tail-event outcomes,

general view that the commodity sector is under-

yet often the dashboards which we see presented

regulated compared to the now more heavily

to the c-suite give a huge amount of prominence to

regulated credit and nancial derivative markets.

this measure, without educating senior management

We believe commodity players need to have active

on the nature of the risks held in a portfolio. Risk

compliance teams ready for a future


wave of regulation which is coming soon.
Companies need to be proactive in their
readiness for regulatory change. The
banking industry shows us how best to
create an environment where regulatory
compliance is a source of value and
competitive advantage, rather than an

The banking industry shows us how


best to create an environment where
regulatory compliance is a source of
value and competitive advantage.

administrative burden. This is because the


leading rms in an industry will be looked
to in order to shape how regulation and
governance should be applied elsewhere.

Miguel Gonzalez-Torreira,
Accenture

For the banking industry, this has created


a set of regulatory winners and losers and we expect

needs to be presented in other more relevant terms,

that the commodity industries will be no different.

such as operating margin at risk, as well as providing


calculations of tail event and scenario outcomes,

RC: What role do established risk


management concepts, tools and market
intelligence play in a volatile commodities
market? What are the advantages and
disadvantages of adding commodities to a
diversied portfolio?
68 RISK & COMPLIANCE Jan-Mar 2016

like, for example, customised stress-tests based


on macroeconomic scenarios, including currency
exchange rates, interest rates, growth rates, and so
on. This, combined with more rigorous education
of executive risk committees, helps to break
through the difculty of making less tangible risks
www.riskandcompliancemagazine.com

COMMODITY PRICE RISK MANAGEMENT

transparent. This approach to risks management

MINI-ROUNDTABLE

Gonzalez-Torreira: Hedging strategies are

requires signicant market data analytics and

really about how a company wishes to deal with

intelligence with a strong integration of this data

market risk and it is often during the process of

to internal risk management models and reporting

developing a hedging strategy that a company rst

dashboards. In the past couple of years, there has

gets to understand what its risk appetite really is.

been a signicant increase in the desire to harness

Hedging strategies are critical for a company to

the new opportunities that Big Data and the worlds

achieve stability of its planned yearly margin as per

digitisation provides for improving risk management

expectations of shareholders. However, we often

and analytics capabilities.

see that the value that an effective hedging strategy


can bring to a company is often misunderstood

Skrebowski: Using commodities as an asset-

by executives. At the point of creating a hedging

class for investment within a portfolio can often

strategy, it is important to calculate and explain

provide a meaningful source of diversication as

the value a company places on commodity price

commodities correlations do not 100 percent align

certainty and therefore reduction of costs resulting

to equities or xed income. However, there are

from market risk. And it is also prudent at this

signicant differences within commodities. While

stage to identify whether commodity price risk

gold prices would typically provide a hedge against

management can be a source of competitive

equities, the crude oil price often closely correlates

advantage, as an incremental income stream

with equities as it links to demand from economic

or through enabling new and innovative pricing

output. Overall, a measure of rolling correlations

solutions to be offered to customers.

between all asset-classes in the portfolio, including


commodities, and a dynamic reallocation of assets
as per changes in correlations, is a critical need for
managing diversied portfolios.

RC: How important are hedging


strategies for companies looking to
manage the risk of commodity market
swings? In your experience, do companies
make full use of this process?

RC: To what extent are geopolitical


risks a concern? How might this impact
commodity markets, and what risk
management options are available?
Veillard: Commodity markets have always had
a geopolitical component to them and these risks
need to be understood as part of the tail events
which should be analysed. We recommend that
companies develop sets of scenarios which take

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Jan-Mar 2016 69

COMMODITY PRICE RISK MANAGEMENT

MINI-ROUNDTABLE

these into account, but without xating on trying

are coming in and which could cause signicant

to identify the events so much as the potential

challenges. One is simple arbitrage automation.

outcomes. For example, having a deeply developed

The bread and butter work of simple arbitrages

understanding of how events in Ukraine or Syria

will be increasingly automated, not just in regard

will unfold is less valuable than knowing how your

to the high-frequency trading of derivatives, but

portfolio would deal with commodity price spikes

also in terms of automated agents scanning broker

and troughs, trade embargoes or shipping route

screens and highlighting trades. This in turn will put

disruption. The scenario modelling which companies

a squeeze on margins available for these types of

should be doing should focus on the potential

trades. Another competitive change is that, as banks

outcomes, not the specic events.

shed their commodity teams, the number of people


trained in commodity risk management grows. This

RC: What trends and developments do


you expect to see in the commodity price
risk management space in the coming
months and years? What new risks
might companies face, and how can they
prepare now to mitigate them?

is making it ever cheaper to hire people to trade


even small commodity positions. In turn this means
that margins will be under pressure and it is in the
illiquid space where prots will be made. Finally, we
see procurement departments increasingly taking
the lead on consolidating spend data and driving
for savings in commodity spend. Companies not

Skrebowski: In the commodity risk management


space there are several competitive changes which

70 RISK & COMPLIANCE Jan-Mar 2016

consolidating spend across their business lines will


&
struggle to remain competitive. RC

www.riskandcompliancemagazine.com

PERSPECTIVES

ACHIEVING SUPPLY CHAIN RESILIENCE AMID INCREASING GLOBAL RISK
BY DAVID NOBLE
> CHARTERED INSTITUTE OF PROCUREMENT & SUPPLY

Supply chain risks can often feel remote and barely visible to even the most trained eye. However, in today's environment, risks affecting supply chains feature daily on our television screens. The European migrant crisis and conflicts in the Middle East mean that the risks are getting closer and are feeling more acute than ever. According to the CIPS Risk Index, global supply chain risk remained stubbornly high in Q3 2015, at 79.1. This is only slightly down from the record high of 82.4 recorded two years ago and considerably higher than the pre-financial crisis level of just 40.4 in Q4 2003.

This sustained rise in risk is mainly due to the deepening and interconnected nature of geopolitical developments which are threatening to redraw the supply chain map. Three main events in Q3, the cross-border presence of IS throughout the Middle East, the re-introduction of border controls within Europe's Schengen zone and the easing of US sanctions on Iran and Cuba, are starting to shift the global flow of products and services into new, unknown territory.

Return of internal European borders hinders trade

Some 20 years after its introduction, the borderless vision for Europe's Schengen Area took a backward step in Q3 as national governments acted to control the movement of refugees fleeing to the continent from Syria, Iraq and North Africa. Hungary fenced off its border with Serbia and Croatia, while neighbouring Slovenia started work on a fence with Croatia on 11 November. These changes are having a direct impact on supply chains, with border crossings taking as long as 90 minutes in the countries involved, while livestock transportation from Serbia to Croatia was halted entirely for several days in October. Perhaps the greatest impact of the migrant crisis and border closures has been on Austria and Germany, both of which rely on the affected countries for heavy automotive industries. German companies have reported that they are experiencing a 10 percent cost increase from their logistics partners.

MENA supply chains move from land to sea

Supply chain risk in the Middle East rose marginally in Q3 2015, remaining close to the all-time record for the region. The spread of IS and associated terrorist groups has made the safe passage of goods across land borders increasingly difficult. Tunisia, Bahrain and Kuwait all had their risk ratings elevated in Q3 following terrorist attacks and political repression. Supply chain managers in countries like Turkey are increasingly resorting to slower and more expensive sea freight services as a short term solution which threatens to have an impact on costs further up the chain or the quality of goods being produced at the end of it.

The end of sanctions opens up new opportunities

On the other hand, it was not all bad news for supply chains in Q3 with new supply chain routes opening up through Iran and into Cuba as decades-old international sanctions come to an end. The end of sanctions against Iran could alleviate supply chain risk levels in the Middle East, as the world's 28th largest economy opens up. The impact on supply chain risk is predicted to be rapid but fragile. Regional logistical infrastructure will quickly integrate Iran into global supply chains, but with the US able to re-introduce sanctions in just 65 days, the situation could reverse just as quickly. With a business culture reliant on personal relationships and dominated by state and religious institutions, supply chain managers venturing into Iran for the first time will require new personal relationships and robust contingency plans in equal measure.

"The end of sanctions against Iran could alleviate supply chain risk levels in the Middle East."

The easing of relations between Cuba and the rest of the world, meanwhile, is set to unlock new agricultural exports, while the country's telecommunications and financial links with the rest of the world catch up after 55 years of relative isolation.

Preparing for unknowns

For a long time we have taken for granted our interconnected world, enjoying its benefits for the most part. We are currently seeing the flip side of the coin. Supply chain managers will need their wits and skills about them if these uncertain times are to be expertly navigated.

Dealing with evolving global supply chain risk requires extensive skills. An ability to interrogate and innovate to provide solutions for businesses and customers will be paramount if we are to keep global supply chains flowing.

A key thing to note is that, because of the complex nature of today's supply chains, negative supply chain events will likely occur, often from causes that were not anticipated. Outdated practices and approaches to supply chain risk management which relied on piecemeal solutions and one-off initiatives are no longer sufficient. Instead, supply chain managers need to take a more holistic approach that is based on building a resilient supply chain over the long term.

Building a resilient supply chain means doing more than simply striving to head off and avoid negative events. It means building in systems and teams with the ability to quickly adjust and recover from any unanticipated supply chain disruptions that may occur. By adopting this approach, companies can position themselves for fewer disruptions, recover more quickly from problems that occur, and leverage their supply chains for increased efficiency, agility and competitiveness. Indeed, they could also have a positive impact on the people and communities they work with and in.

With today's complex global supply chains, risk cannot be eliminated. Far from it, risks are growing more common and costly. Having the ability to quickly bounce back from problems and continue business operations as efficiently as possible could be the difference between winning and losing in this 21st century competition.

David Noble
Group Chief Executive Officer
Chartered Institute of Procurement & Supply
T: +44 (0)1780 756 777
E: press@cips.org

PERSPECTIVES

SUPPLY CHAIN ACCOUNTABILITY: NEW DIMENSIONS OF BUSINESS AND LEGAL RISK
BY JANE C. LUXTON
> CLARK HILL PLC

By now, businesses that operate in the global marketplace should be well aware of the expanding collection of "name and shame" regimes that multiple governments have adopted, imposing supply chain transparency obligations on companies within their jurisdiction. These programmes include conflict minerals reporting requirements and human trafficking/slavery diligence mandates at the federal and state level in the United States and, increasingly, other countries. While compliance with the basic terms of these legal obligations is challenging enough, new types of business and legal risk are emerging as third parties closely scrutinise and are finding ways to act upon what they see as false claims or underperformance by reporting companies.

One area posing specifically increased risk relates to the California Transparency in Supply Chains Act of 2010. This law, which went into effect in 2012, directs companies that have $100m in annual gross receipts worldwide and manufacture or sell products in California to disclose on their websites what steps they have taken to eliminate human trafficking and slavery in their supply chains, using a format set forth in the law and elaborated upon in a Resource Guide published in 2015. The only enforcement authority under this law is injunctive action by the California Attorney General, which has yet to be invoked. Seeking sharper teeth, citizen-activists have now turned to California anti-fraud and consumer protection laws to bring class action litigation against companies they believe are not properly complying with the Transparency Act or are otherwise making false or fraudulent claims related to the use of forced labour in their supply chains. These cases, discussed below, bear close watching; if these claims survive motions to dismiss, more litigation of this type is sure to follow.

"This spate of litigation should spur businesses that have operations or sales in California to take a close look at the representations on their websites."

In Sud v. Costco Wholesale Corp., filed in federal district court in the Northern District of California on 19 August 2015, plaintiff Monica Sud claims, on her own behalf and that of similarly situated Californians, that Costco knowingly purchased farm-raised prawns from certain Thai fishing companies that use forced labour. The complaint alleges that Costco's disclosures under the Transparency Act are false and misleading, including its statement that the company adheres to a Code of Conduct that prohibits human trafficking and slavery. According to the complaint, these false statements are subject to private class action relief under California laws regulating unlawful business practices, misleading and deceptive advertising, and unfair and deceptive practices.

Two class action lawsuits were filed on 10 September 2015, in the Central District of California, against Mars, Iams, Procter & Gamble, and Nestlé, alleging consumer harm from the companies' failure to disclose the use of slave labour in their production of Thai seafood-based cat food (Wirth v. Mars). These complaints are not tied to the Transparency Act, but more generally assert that the defendants had a duty to disclose the use of slave labour in their supply chains, and failure to do so constituted a material misrepresentation, fraud and deceptive advertising. The requested remedies include injunctive relief, monetary damages and attorneys' fees.

A third set of cases targets Mars, Nestlé and Hershey with allegations that these companies use forced child labour in the production of cocoa products in West Africa, contrary to their codes of ethics (Hodsdon v. Mars et al.). These class actions were filed 28 September 2015, and are pending in the Northern District of California. Like the other suits, these claims allege violations of California's Unfair Competition Law, Consumers Legal Remedies Act, and False Advertising Law and seek damages and attorneys' fees.

This spate of litigation should spur businesses that have operations or sales in California to take a close look at the representations on their websites, labels and advertising, to ensure they are not open to challenge under the California Transparency in Supply Chains Act and broader California consumer protection, unfair business practices and false advertising laws. But California is not the only source of concern. Other states may not (or not yet) have a specific supply chain transparency law or the activist private Attorney General tradition of California, but most have consumer protection, false advertising and anti-fraud statutes that can be pressed into service against businesses that say one thing and do another.

To be sure, alleging and proving that a company knowingly relied upon forced labour while saying it did not are two very different things, but the risk is not simply theoretical. In a slightly different context, the State of New York recently settled a case against the world's largest coal producer, after charging it with making false and materially incomplete statements in Securities and Exchange Commission filings. The company's submissions had said management could not predict the impact of climate change regulation on profitability, while at the same time the company had publicly released market projections that provided metrics concerning those risks.

Supply chain transparency concerns are not confined to the US. The UK recently enacted the Modern Slavery Act of 2015, which went into effect 29 October 2015. This law, modelled on the California Transparency in Supply Chains Act, applies to companies that conduct any business in the UK and have total gross worldwide revenues of £36m. Businesses subject to the law must publish an annual slavery and human trafficking statement identifying their efforts to eradicate slavery and human trafficking from their business operations and supply chain. Enforcement of the law involves an action by the Secretary of State in the courts to force compliance, with contempt of court and an unlimited fine backing up the subsequent court order.

Other supply chain accountability risks are less direct but no less pressing. Watchdog groups are undertaking review and ranking of companies' disclosures. The 2 November 2015 report by Development International, Corporate Compliance with the California Transparency in Supply Chains Act of 2010, for example, rated the disclosure statements of 1504 companies. The results, with close to 50 pages of individual company specifics, indicated that most companies' compliance fell well short of the law's requirements and great variation was observed in performance among businesses. The report's appendices provide a rich source of benchmarking comparisons that should be carefully reviewed by market participants.

Similar reports have been released in the area of conflict minerals compliance rankings, and these kinds of market pressures are finding their way into consumer and investor purchasing decisions, commercial supply chain relationships and overall reputational risk considerations. Companies cannot afford to view the proliferating array of supply chain reporting schemes as individual compliance obligations, but must instead get used to approaching them as multidimensional legal and business risk paradigms requiring the full attention of senior corporate leadership.

Jane C. Luxton
Partner
Clark Hill PLC
T: +1 (202) 572 8674
E: jluxton@clarkhill.com

PERSPECTIVES

WHY ISN'T ERM MORE OF A TEAM SPORT AT YOUR ORGANISATION?
BY GARY W. PATTERSON
> FISCALDOCTOR

After all the business disappointments, failures and even frauds, you might assume enterprise risk management (ERM) is now greatly valued, that everyone understands ERM must be a team sport, with monitoring risk being the responsibility of each player.

Regrettably, it appears most people do not feel this way, and that increased failures and frauds will occur before substantial changes in corporate culture and practice take place.

Avoid or embrace? In fact, numerous surveys indicate a substantial number of business professionals intend to do as little as possible regarding ERM planning. They mistakenly view it as some version of "Sarbox hell", where vast amounts of money are expended with seemingly minimal strategic or operational return.

On the flip side, some respondents enthusiastically promote the value of ERM for corporate governance. They passionately describe ERM's favourable effects on company cultures, the key elements of its successful integration, and their personal investment of political capital in the process, so as to set a visible and positive tone from the top down.

"For individual directors, addressing ERM can be a lose-lose-lose situation."

These respondents are true believers in the important value ERM can provide. Note, of course, that most believers were converted after surviving a business disaster that a properly performed ERM would have solved, mitigated or averted entirely. This, in itself, is plenty of reason to be an ERM proponent.

However, when asked about ERM, most professionals we approached declined to comment for a number of unique and seemingly valid reasons. They seemed to prefer that someone else handle ERM. While this may be reasonable when considering temperament and technical skills, it doesn't change the fact that every member of the organisation is needed for successful ERM.

As the decline pile grew, a 3am insight dawned: rather than focusing on symptoms, why not treat the underlying problem?

ERM as a team sport

For individual directors, addressing ERM can be a lose-lose-lose situation. Normally, the chief financial officer or c-suite functions as the "sheriffs" who monitor and address risk decisions. When one of these sheriffs suggests a crucial risk, they are likely to encounter one of the following pushbacks: Firstly, "Just add that issue to your workload, but without expending any money, time or resources." Secondly, "We thought you were heading this. Evidently, you are not as qualified for this position as we had presumed." And finally, "This suggestion is wrong about a potential risk in someone else's area. Now you stand to lose a friend, or worse, to make an enemy."

How many times does one have to see some version of the above play out before minimising their involvement by delegating risk management to someone else? So, problem solved? No. Unless ERM is treated as a team sport, with your board fully engaged, the ERM-designee board member will flounder when overwhelmed with other issues, when unfamiliar with the risks related to specific situations, or when the sheriffs in the c-suite who formerly interacted with the ERM designee see the political risks of pointing out the 175-pound gorilla in the room as too costly.

This puts your business at risk of a 175-pound gorilla growing into the proverbial 800-pound gorilla or even worse, an 800-pound dead rat. Before you are able to take cover, your multimillion-dollar business crashes down around you.

Preventing the crash

We've established the need for ERM at all levels, and gained some insight into why ERM is either avoided or embraced. Now it's time to ask, at what level is ERM successfully integrated into the DNA of your organisation, specifically the decision-making process? Let's break that question into two parts.

First, on a scale of one to 10, where does your organisation fall? At one end of this scale, there is little or no full board involvement with ERM and all such decisions are delegated to a designated internal risk expert or to external auditors. Label this Level 1, indicating complete apathy or a preference to ignore. (After all, ignorance is bliss?) At the opposite end of the scale is full engagement of board members, exhibiting a strategic and value-based orientation. Label this Level 10, enthusiastic ERM buy-in. Levels two through nine make up the vast middle of the ERM curve.

Secondly, how can you get your board and organisation more involved in integrating enterprise risk management into your company's corporate DNA (especially since in real life, there are never enough resources vis-à-vis people, money or time to take advantage of all the possible opportunities or solve all the problems sitting on your desk)? And where could you find the right person to assist in reaching that goal?

External expertise can help you make ERM a team sport and make your organisation a winner, rather than another business disappointment, failure or even fraud.

Gary W. Patterson
Founder
FiscalDoctor
T: +1 (678) 319 4739
E: gary@fiscaldoctor.com

PERSPECTIVES

BELLING THE BLACK SWAN: PREPARING FOR EXTREME EVENTS
BY DR JAYANTA GUIN
> AIR WORLDWIDE

Before the 1600s, the black swan wasn't even considered a rare bird, but something impossible, since it was assumed that all swans had white feathers. Or did they? The discovery of one swan with black plumage introduced an age of doubt, and the black swan became a symbol for things once thought impossible that can suddenly fly over and upset conventional thinking.

Black swan events also exist in the realm of managing insurance risk. After two quiet decades of tropical cyclone activity in the United States, for example, in 1992, Hurricane Andrew caused insured losses previously considered by many to be impossible, catapulting the catastrophe modelling industry into new prominence.

Since then, each large and unexpected catastrophe has prompted a re-examination of existing risk management practices. With traditional statistical tools unable to capture either the frequency or severity of black swan events, how should companies prepare for their impact? How can a company place a bell around the black swan's neck?

Understanding catastrophes

Catastrophe events can be classified as known-knowns, known-unknowns, or unknown-unknowns. Those events for which there is abundant data and historical precedence are considered known-knowns, and they can typically be accounted for using past experience. Known-unknown events are rarer and have more severe repercussions. Companies employ catastrophe models to prepare for these events. While there is inherent uncertainty associated with known-unknowns, a robust model uses what has occurred in the past to infer what is possible in the future. Although it is not known when or exactly where the next inevitable major earthquake will strike in California, catastrophe models can account for the probabilities associated with a full spectrum of loss outcomes.

For even more severe events, knowledge deteriorates precipitously with decreasing probability of occurrence. Black swan events belong to this last category, the unknown-unknowns. Their probability and severity are not possible to estimate with any degree of accuracy because they are often unimaginable until they actually occur. But it is important to note that perspective matters. The number of fatalities caused by Hurricane Katrina was a surprise to most people, but the economic losses were within expectations for a major hurricane. And while the magnitude 9 Tohoku earthquake and tsunami in 2011 caught most seismologists by surprise, the level of insured loss fell well within the range to which prudent executives manage. What may be a black swan to society at large may have limited insurance impact; likewise, some events that cause catastrophic losses may not seem extreme from other perspectives.

Managing expectations

In terms of losses, the value of the assets themselves constrains direct damage to physical assets, but the indirect effects can be near limitless. Often, the exposure for business interruption (BI) coverage, particularly contingent BI, is not well understood by the insurer or the insured, and losses can result from various feedback loops. The 2011 floods in Thailand have caused an estimated US$15bn in insured losses. The automobile and hard-disk industries were particularly hard hit as manufacturing output came to a standstill at hundreds of inundated, inaccessible or powerless factories, revealing the extreme vulnerability of global supply chains to natural disasters.

Black swan events are unexpected either from an intensity perspective (they are not thought to be physically plausible) or a loss perspective (the damage inflicted was not thought possible even if the physical event itself had been contemplated). Knowledge of the underlying physical processes at work will always remain imperfect, so there is significant uncertainty as to what is truly an extreme scenario. For example, there is significant uncertainty about the physical processes surrounding climate change. How it will affect the occurrence of hurricanes, severe thunderstorms, and other hazards represents an even higher order of uncertainty. Climate change can surprise us in many ways.

Interactions between different physical processes, each of which may be unexceptional individually, can also lead to unexpected results. Hurricane Katrina triggered the catastrophic failure of the levee system in New Orleans. The Christchurch, New Zealand, earthquakes of 2010 and 2011 caused unexpectedly severe liquefaction. The 1923 Great Kanto earthquake, the deadliest in Japan's history, struck almost concurrently with a typhoon that fanned the fires spawned by the earthquake into vast conflagrations.

When losses balloon

Particular political and regulatory environments can inflate losses. For example, documentation since the 1920s has shown asbestos to be harmful, but not until a regulatory regime that was sympathetic to the public in the 1980s and '90s did widespread litigation lead to extensive losses for the insurance industry.

Economic and social factors are also sometimes at play. A long lull in hurricane activity during the 1970s and 1980s led to complacency in disaster preparedness. That resulted in less stringent building standards and a relaxed attitude toward building maintenance that coincided with a construction boom, all of which contributed to the high losses caused by Hurricane Hugo in 1989 and Hurricane Andrew in 1992.

Finally, it should be noted that the misuse of risk management models can lead to black swan events. Decisions based on incorrect data and faulty assumptions can lead to ineffective risk management practices or a false sense of security, setting the stage for events like the 2008 financial crisis. Further, incorrect or misguided interpretation of model results (for example, focusing on one particular loss metric or ignoring the tail of a loss distribution) can leave companies ill-prepared for plausible loss scenarios.

Catastrophe models use statistical methods, physical models and scientific and engineering expertise to provide a wide range of potential scenarios of what might be experienced in the future. Because those models are probabilistic, black swan events present a particular challenge. A Category 5 hurricane hitting the Northeast is extremely unlikely but perhaps not entirely unimaginable. Should it be assigned a probability of 0.0001 percent? 0.00001 percent? No one can say.

Modelling companies are exploring ways to address currently unmodelled sources of loss that can contribute to black swan situations. These include secondary perils that may not yet be modelled; currently unmodelled asset classes within existing models (like losses to insured infrastructure); and indirect and secondary losses, which can far exceed damage to physical assets.

It is important to remember that knowledge is imperfect and constantly evolving. No matter how sophisticated and detailed catastrophe models become, they will never encompass the entire realm of what is possible. Ultimately, hazard is unpredictable. While catastrophe models have become essential tools in sound risk management, it is prudent to be aware of their limitations and to be resilient to imperfect models. But when the models have been prepared with insight and rigour, it becomes more possible to bell a black swan. RC

Dr Jayanta Guin
Executive Vice President
AIR Worldwide (a Verisk Analytics business)
T: +1 (617) 267 6645
E: jguin@air-worldwide.com

PERSPECTIVES

THE IRAN NUCLEAR DEAL: SANCTIONS RELIEF BRINGS COMPLIANCE CHALLENGES
BY BARBARA D. LINNEY & KEVIN J. MILLER
> MILLER & CHEVALIER CHARTERED

The implementation of the Iran nuclear deal early in 2016 will bring new risks and compliance challenges, both for businesses that are able to take advantage of new opportunities in Iran and those that are not. Indeed, significant differences between the US and EU commitments and the intentions of countries not party to the deal will create a complex business environment for global companies.

Based upon the pace of Iran's compliance with its commitments under the Joint Comprehensive Plan of Action (JCPOA), Implementation Day is estimated to occur early in 2016. Implementation Day is not specified in the JCPOA but rather is defined as the day on which the International Atomic Energy Agency (IAEA) verifies implementation by Iran of its nuclear related commitments and sanctions relief begins.

Virtually all UN and EU sanctions will be lifted, save for those EU sanctions targeting human rights abuses in Iran. However, while almost all US secondary sanctions (which principally target activities of non-US persons) will be removed, the primary sanctions (which prohibit most trade and transactions with Iran by US persons) will remain in place. The only sanctions relief for US persons will come in the form of general and specific licences issued by the US Office of Foreign Assets Control (OFAC) allowing trade in food, carpets and commercial passenger aircraft and related parts and services. Furthermore, most countries with autonomous Iranian sanctions regimes, in addition to UN mandated sanctions, have signalled an intention to follow the EU approach. Thus, Implementation Day will bring a return to the pre-CISADA era of unilateral US sanctions against Iran.

At first blush, this discrepancy may appear to be a boon for EU firms, which will be in a position to enter the Iranian market and trade freely with Iran without competition from their US counterparts. However, the lingering US primary sanctions will continue to pose risks for EU companies that trade with Iran.

First, apart from goods and services currently (or scheduled to be) the subject of general or specific OFAC licences, re-export of US origin goods and services to Iran will remain broadly prohibited. Thus, EU companies must take care to ensure that their trade with Iran does not involve unlicensed trade in US origin goods and services. Second, as US banks will remain prohibited from processing US dollar transactions related to unlicensed trade with Iran, such transactions must be avoided in order to avoid blocking of funds by US banks. In this regard, it is important to recognise that lawful transactions by non-US firms that are not subject to US law will not be treated by US banks as OFAC-licensed transactions, even if the transaction would be covered by an OFAC general licence if entered into by US persons.

Furthermore, high fines meted out to EU banks over the past few years will certainly act as a deterrent to any EU banks or their customers who may be tempted to look for ways to disguise transactions in order to process them through the US banking system, and enhanced compliance programmes implemented by both US and EU banks in the wake of these enforcement actions will ensure a higher likelihood that banks will identify any such attempts.

Foreign subsidiaries of US companies will face a unique set of risks. Under the JCPOA, the US has committed to licence certain activities of foreign subsidiaries, which, since 2012, have been subject to the same constraints on trade and transactions with Iran as their US parent companies. OFAC has yet to signal the scope of this general licence, which it has promised to issue in advance of Implementation Day, along with the other general licences and interpretative guidance. Therefore, the extent to which secondary sanctions relief, which is applicable to other non-US persons, will apply to foreign entities owned or controlled by US persons remains unclear. If the general licence, once issued, does not put foreign subsidiaries of US companies on the same footing as other non-US companies, foreign subsidiaries of US companies will face compliance challenges as they attempt to engage in trade with Iran that is permitted under applicable local law while remaining subject to certain US restrictions.

Regardless of the scope of sanctions relief for their foreign subsidiaries, the US parents of such companies will face new compliance challenges of their own. OFAC has indicated that it intends to maintain the prohibition against US person facilitation of activities by non-US persons that would be impermissible if undertaken by US persons. This means that US companies whose foreign subsidiaries may be authorised to trade with Iran must avoid participating in, or facilitating, any such authorised trade that goes beyond the scope of trade and transactions in which US persons are authorised to participate. Similar challenges will be faced by individual US persons who are directors, officers or employees of the foreign subsidiaries or, indeed, any non-US entity.

US companies and individuals who decide to take advantage of the new general and specific licences will require a keen understanding of the applicable conditions of the new licences, as well as existing exemptions, licences, prohibitions and reporting requirements. Among other things, US persons are subject to more restrictions than their EU counterparts on what they can do to plan for getting back into business in Iran, but can take certain steps consistent with current exemptions and licences. Similarly, non-US persons wishing to take advantage of the contingent waivers of US secondary sanctions issued on Adoption Day must familiarise themselves with the limitations to which the waivers are subject. For example, most of the waivers do not cover activities involving persons on the US SDN List. Furthermore, while the JCPOA notes that the US will delist many SDNs for the purposes of implementing the promised secondary sanctions relief, delisted entities falling within the definition of 'government of Iran' contained in OFAC's Iranian Transactions and Sanctions Regulations will remain subject to the primary US embargo and shall remain off-limits for transactions with US persons, including banks.

These discrepancies between the EU and US approaches to sanctions relief, together with uncertainty regarding the scope of US sanctions relief and the timing of sanctions relief generally, almost certainly will result in a spike in inadvertent violations, particularly of US sanctions, and an attendant increase in enforcement actions.

All new players in the Iranian market also must weigh the risk of re-implementation of sanctions if Iran does not live up to its obligations under the JCPOA. The JCPOA provides that sanctions will be suspended, not terminated, on Implementation Day, and other provisions of the JCPOA allow certain sanctions to 'snap back' or be reinstated if Iran does not live up to its obligations under the JCPOA. Permanent sanctions relief will not come until Transition Day, i.e., 18 October 2023, or upon a favourable IAEA report regarding Iran's pursuit of only peaceful nuclear activities. This means that those that take advantage of sanctions relief on Implementation Day will bear the risk of reinstatement of sanctions for as much as eight years. Furthermore, the US government has indicated that contracts entered into during the period of sanctions relief will not be grandfathered if snapback occurs.

Companies doing business in or with Iran also will face significant corruption risks. Transparency International ranked Iran at 136th of 175 countries on its 2014 Corruption Perception Index (CPI), which ranks countries according to how corrupt their public sectors are perceived to be. According to Transparency International, the CPI is a composite index, drawing on corruption-related data from expert and business surveys carried out by a variety of independent and reputable institutions. Transparency International reports that Iran scored only 20 out of 100 on the surveys, on which scores ranged from 0 (highly corrupt) to 100 (very clean). This high level of corruption risk assumes even greater significance in the context of an economy in which most business is conducted through agents, distributors and other third parties.

Of course, in addition to these legal risks, those re-entering the Iranian market must also carefully manage a host of other commercial risks. On the political risk front, the possibility of changes in US policy arising from the 2016 presidential and congressional elections cannot be discounted entirely.

For all of these reasons, companies looking to take advantage of the upcoming sanctions relief must undertake careful risk analysis based on thorough due diligence and screening of potential business partners and all parties and banks likely to be involved in a contemplated transaction, not only with respect to applicable legal opportunities and constraints, but with respect to commercial and political risks as well. RC

Barbara D. Linney
Partner
Miller & Chevalier Chartered
T: +1 (202) 626 5806
E: blinney@milchev.com

Kevin J. Miller
Senior Trade & Security Consultant
Miller & Chevalier Chartered
T: +1 (202) 661 6425
E: kmiller@milchev.com

PERSPECTIVES

BUY AMERICAN VS. BUY AMERICA: WHAT A DIFFERENCE AN N MAKES
BY LORI ANN LANGE
> PECKAR & ABRAMSON

Perhaps one of the most complex areas of public procurement concerns domestic preferences for construction materials used on public projects. The federal government imposes domestic preference requirements when it constructs or funds the construction of public projects. There are different domestic preference requirements depending upon whether the contract is a federal government contract or contract with federal assistance. As the penalties for failing to comply with domestic preference requirements can be severe, including an order to rip out and replace non-conforming material, contract termination for default, and suspension and debarment of the contractor, it is critical that contractors understand the differences between the Buy American Act and the various Buy America statutes.

The Buy American Act is the statute that creates a national preference for the federal government's procurement of domestic construction materials. Under the Buy American Act, the federal government must purchase domestic construction materials for public use unless a waiver has been granted. In order for a manufactured good to qualify as domestic, it must be manufactured in the US and the cost of the components mined, produced or manufactured in the US must exceed 50 percent of the cost of all the components.

The Buy American Act is different from Buy America. Buy America generally refers to the various domestic content restrictions that attach to US Department of Transportation grants to state and local government entities for the construction of transportation projects. However, Buy America requirements differ given that the Federal Transit Administration (FTA), the Federal Highway Administration (FHWA) and the Federal Aviation Administration (FAA) all have different Buy America statutes and regulations.

FTA's Buy America requirement provides that, absent a waiver, all iron, steel and manufactured products used in a project must be produced in the US. Construction materials made primarily of iron or steel must be manufactured in the US unless the construction material is a component or subcomponent of another manufactured product. All steel and iron manufacturing processes must take place in the US, except metallurgical processes involving refinement of steel additives.

Under the FTA Buy America regulations, manufactured products also must be produced in the US. All of the manufacturing processes must take place in the US and all of the product's components must be of US origin. A component is considered of US origin if it is manufactured in the US, regardless of the origin of its subcomponents. In other words, subcomponents may be foreign.

Infrastructure projects not made primarily of iron or steel, such as terminals, depots, garages and bus shelters, generally are considered to be manufactured end products. To satisfy Buy America, the components of these structures must be manufactured in the US. A component is any article, material or supply, whether manufactured or unmanufactured, that is directly incorporated into the end product at the final assembly location.

FHWA's Buy America requirements, on the other hand, provide that all permanently incorporated iron and steel, as well as iron and steel manufactured products, must be produced in the US. For iron and steel manufactured products, all manufacturing processes, including application of coatings, must occur in the US. There is a minimal use exception that permits the use of foreign iron or steel materials when the cost of the foreign materials does not exceed 0.1 percent of the total contract cost or $2500, whichever is greater.

FHWA's Buy America requirements apply to any iron or steel components of a manufactured product if the manufactured product is predominantly made of steel or iron. A product is manufactured predominantly of iron or steel when the product consists of at least 90 percent iron or steel content when delivered to the project site for installation.

FAA's Buy America requirements for Airport Improvement Program projects require that all steel and manufactured goods be produced in the US. The requirements make no distinction between whether the steel or manufactured goods are considered components or subcomponents. However, there is a standing waiver that only requires that 60 percent or more of the components and subcomponents in a facility be of US origin and that final assembly of the facility be in the US. Thus, contractors can supply up to 40 percent foreign components and subcomponents and still comply with FAA's Buy America requirements.

While at first glance the Buy American Act and the Buy America statutes appear to be similar and generally use the same terminology, there are considerable differences between them. In order to ensure compliance, it is critical that contractors understand which requirements they are subject to and, importantly, whether the construction material they supply will be treated as an end product, component or subcomponent. RC

Lori Ann Lange
Partner
Peckar & Abramson
T: +1 (202) 293 8815
E: llange@pecklaw.com

MINI-ROUNDTABLE

THE ROLE OF THE BOARD IN TACKLING CYBER RISKS

PANEL EXPERTS

George Melides
Head of Management Liability, EMEA
Zurich Global Corporate EMEA
T: +44 (0)20 7648 3008
E: george.melides@zurich.com

George Melides is the Head of Management Liability for Europe, Middle East and Africa at Zurich Global Corporate EMEA. His areas of expertise include all Management Liability products (D&O, EPL, Crime, Pension Trustee) and extend to Financial Institutions and Professional Indemnity. Mr Melides has over 12 years' experience in Financial Lines products for UK and international companies gained through a variety of underwriting and broking roles. He holds an MSc in Risk Management & Insurance from City University Business School and is a member of the Institute of Risk Management.

Jérôme Gossé
Head IT / Tech & Commercial Companies Financial Lines France
Head Security & Privacy Europe, Middle East and Africa (EMEA) Zurich GCiEMEA
T: +33 1 43 18 74 82
E: jerome.gosse@zurich.com

Jérôme Gossé has been the Head IT / Tech & Commercial Companies within the Zurich France Financial Lines Department since 1 January 2014. He is also responsible for the Cyber Security & Privacy underwriting unit for Zurich Global Corporate in Europe, Middle East and Africa. Mr Gossé joined Zurich in 2011 as a Professional Indemnity / Cyber underwriter. He was in charge of developing the European Zurich Security & Privacy proposition. Previously, Mr Gossé was a broker with Marsh for 7 years, in the claims and financial lines department (Finpro), in Toronto, Canada and Paris, France. He holds a Master's degree in digital law and information technologies.

RC: In your experience, how do boards generally view their company's potential exposure to cyber risk? Is it still widely considered an issue for the IT department?

Melides: Recent incidents, particularly those we have seen in the last 12 months such as Target and Sony, or even with financial institutions like JP Morgan, indicate that the risk is developing and no industry is immune to that risk. This is an area of exposure that can affect any kind of corporation holding significant amounts of personal or customer data. The surge in cyber attacks is also a sign that something is broke or at least potentially broken in enterprise security. It is an element that needs to be reviewed, continuously monitored and safeguarded.

Gossé: Directors and officers used to believe cyber risk is only about IT security but this is wrong. Cyber risk is a global issue for organisations. Perceptions are changing and we are seeing stronger involvement from boards in terms of cyber risk management. This is mainly due to highly publicised incidents like Sony, Target and Orange. A study by the World Economic Forum suggests that cyber risk is within the top 10 most important risks faced by every organisation. Additionally, when we talk about cyber risk, most of the time we only think about companies that handle a massive amount of personal data, but that's just a portion of cyber risk. Companies also need to consider the extent to which their activities are dependent on their IT system. If there is a failure of the IT system, what will happen to the company? Will it be unable to manufacture products? Will it be unable to provide services to clients? IT systems already control just about everything, and this will only increase with the Internet of Things. If something goes wrong with an IT system that connects and controls everything, the financial consequences for the company could be huge.

RC: What kinds of financial loss and reputational damage might a company suffer if it falls victim to a security breach?

Gossé: If a company falls victim to a cyber incident, it will likely incur many costs, some of which are insurable, and others that are not. To identify the issues at hand, the company may need the assistance of an external IT forensics team. It may then need to address its mandatory legal obligations, and perhaps engage an external law firm to assist. Beyond that, it may need to set up a call centre to assist and inform customers. A severe cyber incident may also result in loss of revenues, such as a retailer's website being down, and additional expenses in trying to resume normal activities. These financial aspects can generally be insured, but what is very important in easing the damage to a company's reputation is addressing the loss of customer confidence following a cyber breach, as there may now be a reluctance to provide personal information to an entity that has suffered an attack. If personal information is disclosed, be it financial or medical, for example, there may be class actions against the company, bringing significant legal costs and a potential settlement figure. Both Target and Home Depot announced huge multi-million dollar settlements with MasterCard and Visa for the losses incurred by their customers following the breach. Regulatory authorities may also investigate a data breach and issue fines if, for example, the company was negligent and failed to encrypt data or was late to notify authorities following the breach.

Melides: Direct costs following a data breach incident may include safeguarding assets for security and training or hiring additional people who have sole responsibility for this. Damage to reputation can have a long-term effect on revenue due to a loss of customer confidence. Due to this financial impact, in some countries shareholders may feel that the directors have not fulfilled their fiduciary duties, and there may be shareholder litigation in the form of derivative action against the D&Os and then further securities class action litigation.

RC: How should boards go about establishing clear strategies, policies and procedures for addressing cyber risks?

Gossé: The board must demonstrate its involvement in cyber security, spreading a message about the culture of cyber security best practices and resilience within its organisation. The board should ensure that global cyber security prevention and response initiatives are established at a global level and then implemented within the organisation. Self assessment and controls raised by the internal audit team will form part of this process. But it is not just about technology security, firewalls, viruses and internal procedures; every employee needs to have a strong focus on cyber security and data protection. Best in class procedures and guidelines mean little if an employee does not respect them. The human factor is critical, and the board needs to play an active role in mitigating this exposure.

Melides: In many countries, boards today have a fiduciary duty to provide protection and oversight against the dangers of a cyber attack. They need to understand their responsibilities in making sure they can safeguard and protect not only the assets of the company, but also their own data and their customers' data. This is a huge responsibility, and the roles and obligations of individuals within the organisation should be clearly identified. It is important to have a chief security officer, perhaps with a full team, to ensure the right internal controls are in place to address specific steps and response actions in the event of a cyber attack. Every employee in an organisation must understand where a breach might come from and remain vigilant. They also need to know how to act and who to involve. Policies and procedures should be clear, simple and straightforward so that everyone can understand them.

RC: Do many boards still struggle to determine the resources required to address cyber risk? How important is it to assign specific roles and responsibilities for cascading company-wide procedures?

Gossé: Many different actors within an organisation must be involved in the prevention, mitigation and reaction to a cyber incident. Of course, the IT department may lead the way, but every company should involve its legal department, its data privacy official, HR and communications departments if a situation threatens the company's reputation. Although there will be many different actors, they should be coordinated by one or two people within the organisation. The chief information security officer or the chief risk officer,


for example, may have a key role to play in ensuring
that everyone is communicating. Companies need

www.riskandcompliancemagazine.com

THE ROLE OF THE BOARD IN TACKLING CYBER RISKS

MINI-ROUNDTABLE

to assign specic roles and responsibilities to a

insurance is really the last step in the cyber risk

person or department within an organisation for two

management process; companies should begin by

reasons: rst, so that everyone knows exactly what

identifying the companys most important assets

they are supposed to do, and second, so that every

and protecting them, mitigaing exposure via non-

risk is covered and addressed. Knowing how to

insurance risk management tools.

respond to a crisis is vital.


Melides: Developing cyber related insurance

RC: Are more boards looking to mitigate


potential cyber-related liabilities through
insurance solutions? Is there a growing
awareness of what the cyber insurance
market has to offer? In what ways is
coverage evolving?

policies is one way to address the issue, but not the


only way. What is clear from recent cases is that
the problem cannot be tackled with a single policy.
Because of the nature and complexity of a cyber
attack, and the impact it can have on a company,
a number of different products and solutions
are required. Some of the risks are insurable

Goss: Today we are seeing a rise in cyber

while others are simply not, and companies

insurance purchases driven by boards of directors.

have to rely purely on their internal controls and

This has been a notable development over the last

processes. Additionally, we need to accept to there

12 months. Boards are concerned about the press

is no perfect security. There is also no perfect

coverage generated by cyber attacks against other

insurance solution. It is about having the right mix

companies, and they have a growing awareness of

of technology, the right set of partners on both the

their personal responsibilities, so they are seeking to

technology and the insurance sides, and the right

put a cyber insurance policy in place to help them

information and training to make sure that the

respond to a potential issue down the line. Once a

company stays off the front page of the newspapers.

company has identied the risks, it can be difcult


to assess an existing insurance policy for gaps in
cyber exposure. In addition, since there are many
differences between standalone cyber policies, it
can be a challenge to determine exactly what is

RC: How likely is it for cyber risk to give


rise to personal liability for directors? Is
a cyber insurance solution adequate to
address that exposure?

covered. For instance, damage to reputation is not


covered, nor is stock price devaluation. So there

Melides: Cyber insurance policies for D&Os are

is some room for improvement there. That said,

crucial, as any personal liability will not be covered

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Jan-Mar 2016 99

THE ROLE OF THE BOARD IN TACKLING CYBER RISKS

MINI-ROUNDTABLE

by a standalone cyber policy. Some of the cyber

designed to raise awareness. In our experience,

incidents that surfaced in the last couple of years

more and more directors want to benet from this

gave rise to a number of derivative suits. Boards in

type of training. In terms of an immediate response

many countries need to understand that they do

strategy, it comes down to cyber resilience. Every

have a duciary duty and they must full that duty.

company will suffer a cyber incident at some point,

They must also make sure that they are providing the

so the big question is whether the company has

right level of monitoring and oversight of cyber risk

sufciently prepared its response. The key is to

so that the risk of a data breach can be determined.

detect the incident and respond in an efcient way.

If they fail to full that duciary duty, third parties

Crisis management plans must be implemented

such as shareholders, regulators or customers

within the organisation and tested at least once

could take some form of action against them, by

a year to ensure the process works. Business

way of a derivative suit, a securities class action

continuity planning helps the organisation to survive

or a collective action from customers. The costs

a cyber incident and continue its activities. Such

associated with such actions would not be covered

planning may extend beyond the company walls to

under a cyber insurance solution. An appropriate

incorporate suppliers and outsourcers too. In terms

level of D&O insurance is needed given the prospect

of board involvement, it is important that senior

of such litigation. Allegations of negligence linked to

management is involved in crisis planning to mitigate

managing cyber risk or a cyber incident have led to

the impact on the company as much as possible.

the resignation of D&Os in some cases.


Melides: Although board understanding has not

RC: Do you believe there is sufcient


boardroom understanding about what
to do if the company does suffer a
cyber attack? What immediate response
strategies should be deployed to deal
with the nancial and reputational impact
of a cyber event?

reached the desired level, awareness is improving.


Most boards know cyber threats are a real risk and
that can affect their business. The issue is climbing
the boardroom agenda, with a concerted effort
to implement ongoing and continuous training
about what to do and how to create clear policies
to address the issue. Around the world, regulatory
bodies are doing more to assist companies that

Goss: There is certainly scope to improve the

face a cyber event. The SEC, for example, has issued

understanding of cyber exposure at board level. This

specic guidance in terms of the steps they expect

can be done with cyber risk training and courses

companies to take following a cyber event. Progress

100 RISK & COMPLIANCE Jan-Mar 2016

www.riskandcompliancemagazine.com

THE ROLE OF THE BOARD IN TACKLING CYBER RISKS

MINI-ROUNDTABLE

continues, and we are certainly in a better position

insurance to deal with non-material damage arising

now than we were ve years ago.

from a cyber incident. At the moment, there is big


gap in risk management for many companies.

RC: How do you except board-level


cyber risk management to develop over
the coming months and years?

Melides: More boards understand the types of


cyber attacks, events and incidents that continue to
evolve .They need to make sure that internal control

Goss: In the years ahead, D&Os will understand

frameworks also evolve, through continual updating

the potentially devastating impact a cyber incident

and enhancement. They also need to understand

can have on their organisation, and well as

that the complexity of a cyber attack precludes

themselves, and will be more involved in the cyber

any one-stop insurance solution. They will need a

risk management process. Cyber insurance may be

combination of internal controls and procedures

considered the next D&O insurance, in that every

alongside insurance to provide a strong enough

company will eventually buy cyber insurance, either

framework to safeguard overall operations if a cyber

as a standalone policy or as part of a traditional

incident cannot be completely avoided. This is very

policy. It will be must-have coverage for every

much a live issue and it is not going away. Expect

company. Presently, companies have property

it to become a staple subject on the boardroom

insurance to limit their loss in the event of a re;

agenda, discussed whenever boards meet, whether

in the future it will make as much sense to have

&
on a monthly or bi-monthly basis. RC

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Jan-Mar 2016 101

PERSPECTIVES

MANDATORY REGULATIONS FOR CYBER SECURITY: DO THEY WORK?
BY RICHARD KNOWLTON
> INTERNET SECURITY ALLIANCE FOR EUROPE (ISAFE)

In February 2013, the EU Commission and the US government both issued proposals for the future management of cyber threats.

These two sets of proposals represent quite different approaches to the development of standards and regulations for cyber security. In the US, the government used a non-regulatory body in the Commerce Department, the National Institute of Standards and Technology (NIST), to produce a Framework for Improving Critical Infrastructure Cybersecurity. The framework encourages organisations, regardless of their size, exposure to cyber risk or sophistication in cyber security, to apply the principles and best practices of risk management to improve the security and resilience of the national critical infrastructure. NIST developed this framework through an intensive consultation process, using facilities on university campuses across the country to get the private and public sectors together to discuss their proposals.

In the EU, the European Commission (EC) published a draft Network Information Security (NIS) Directive, which will shortly pass into law. The NIS Directive mandates minimum cyber security standards for organisations that operate critical infrastructure. Outside EU official circles there was little preliminary discussion of the terms of the NIS Directive. Since its publication, there has been an irregular series of meetings in Brussels in a so-called Platform Process, involving representatives of market operators and public administrations in Europe.

Very few major European multinationals have taken part in the platform discussions, preferring to work either through sectoral NGOs or through their national governments.

Differing approaches in the EU and US

In general terms, we can see two models for cyber security. The US approach is voluntary, collaborative and based on risk management principles. The European model is prescriptive and backed by legislation.

Of course, the two models do reflect different approaches to the roles of the public and private sectors. In the US, almost 85 percent of the country's critical infrastructure is privately owned or operated, or a combination of the two. Meanwhile in Europe, the state is much more involved in owning, operating or influencing the critical national infrastructure.

These two different approaches raise an important question: what is the role of mandatory regulation in reducing cyber risk?

The traditional regulatory approach

Most countries have developed their regulatory frameworks over 200 years or so. At its heart, government sets regulations and standards, enforced with the threat of legal action and financial sanctions. The model is so well-entrenched that we rarely question it. However, in our view it is not helpful in the specific case of managing cyber threats.

The nature of the problem

First, the fundamental problem in cyber security is not that companies are negligent in failing to invest in appropriate security measures. The key point is that the technology itself is under attack, from actors who have almost all the advantages on their side, not least because their attacks are highly profitable, with a negligible chance of getting caught.

Governments, business and consumers are all on the same side against vast criminal syndicates, and against nation states and their surrogates.

Basic assumptions of the regulatory model

The second issue lies in the fact that government is not much better than anybody else at managing cyber threats. Even the most sensitive parts of the US government have fallen victim to devastatingly successful hacks.

Meanwhile, the traditional regulatory model essentially seeks to identify a static list of required minimum standards that will assure a good outcome if companies comply with them. Unfortunately, cyber security is not like consumer product safety. A static standards approach cannot mitigate threats that are constantly evolving. What we need instead is a highly flexible system that motivates continued and cost-effective improvement.

Resources

A third point is that compliance with regulations is time and resource-intensive, just when one of the most serious problems in cyber threat management is a lack of resources, including specialist technical personnel.

Compliance diverts our scarce resources from actual security. It is not only ineffective, but actually counterproductive to the security effort.

The global nature of the threat

Finally, the cyber security threat is a global problem. Even if the US or EU were able to develop perfect regulatory systems, they would apply only in the US or EU.

And they might bring a business risk too. If compliance in the EU or US brings significant extra costs, companies may consider moving their operations abroad, in search of more competitive commercial environments.

A social contract approach

So what would be a helpful approach? We are certainly not opposed, in principle, to setting base-line standards, what we might call basic cyber hygiene standards, like ensuring that hospital staff carry out basic measures like washing their hands to prevent the spread of a virus.

The UK's Cyber Essentials programme is a good example. It defines a set of simple controls to provide organisations with basic protection from the most common forms of cyber threats.

Such standards have their value, of course. But ensuring that nurses wash their hands is not enough to stop future viral epidemics.

In cyber security, we are facing an unprecedented onslaught. It is clear that we need a new and systematic approach built on a model of close collaboration between the private and public sectors. This new model needs a much more dynamic motivator than traditional regulation, compliance-monitoring and the threat of legal action. We have to recognise that the problem with cyber threat management is economic: there is seldom a clear business case for investing in cyber security.

If we want to promote a forward-thinking risk management approach to cyber security, we have to offer positive economic incentives for the management and constant upgrading of cyber systems.

We therefore favour the US private-public collaborative approach, which includes incentives such as reduced insurance premiums and automatic qualification to tender for government contracts. Meanwhile, we should base our approach on voluntary, risk-based standards, guidelines and practices to help organisations manage cyber risks. We should provide a template that organisations, regulators and customers can all use to create, guide, assess or improve comprehensive cyber security programmes.

Most of all, we should base our approach on business needs, without placing additional regulatory requirements on businesses.

Richard Knowlton
Chief Executive
Internet Security Alliance for Europe (ISAFE)
T: +44 (0)750 010 3164
E: rknowlton@isa4europe.org

PERSPECTIVES

TAKING THE RISK OUT OF THE DIGITAL REVOLUTION
BY MATTHEW EDDOLLS
> CORESTREAM

Risk, governance and compliance: three simple words that carry astounding weight and meaning for any business, anywhere in the world. Today many businesses recognise the challenge of having risk management, governance policies and compliance procedures in place, yet five years ago few would have foreseen the latest requirement on the horizon: digital risk management.

As our worlds of BYOD, the IoT and an always on, always connected society permeates every corner of the globe, the risk for businesses, and multinationals in particular, has grown exponentially. So much so that Gartner predicts that by 2017, one-third of large enterprises engaging in digital business models and activities will have a digital risk officer or an equivalent.

So what does that mean exactly? With the superset of technology now available to businesses and consumers alike, organisations have strived to share information, branding, content via multiple social channels and much more online. Paper and print is diminishing as we place more and more in the digital sphere. What this does is create an enormous bank of digital content and, in all likelihood, a disparate bank of digital assets depending upon the geography of an organisation's offices. What might be deemed appropriate content and branding in the US and UK, for example, may be entirely different for Asia Pacific or South America. So how do senior executives, responsible for meeting multiple legislative and regulatory requirements, monitor and manage their digital assets?

As Paul Proctor, vice president and analyst at Gartner says, "Digital risk officers (DRO) will require a mix of business acumen and understanding with sufficient technical knowledge to assess and make recommendations for appropriately addressing digital business risk." Creating a role or responsibility for digital assets within an organisation is a smart approach, but how does one individual or perhaps a team monitor these assets across a multinational organisation?

Businesses need to consider a variety of different regulations across different regions, for example the forthcoming amends to the data protection act, the assessment of technological risk of systems used to manage digital engagement or even the representation of a brand. All of these and more require regular assessment and monitoring so that if or when a DRO or risk management team is questioned about the organisation's digital assets they can easily report back to the regulatory body or auditors, demonstrating that the organisation complies appropriately.

The other major benefit a DRO role brings to an organisation is the ability to drive value from digital asset spend. Multinationals in particular will often have countries or regions producing duplicate or overlapping content. With an accurate understanding of the global digital estate the DRO will enable decisions based upon not only the risk profile of assets, but also the value they deliver, avoiding unnecessary spend where value may be sub-optimal, or where assets have become stale due to lack of updates. The accurate understanding of the entire digital estate through effective data capture and governance will then provide insights for better and more impactful decisions but also create savings and drive savvier purchasing decisions, ultimately ensuring the DRO role pays for itself.

So while the predictions of the new DRO role abound, what can businesses that have not yet made the hire do now?

Empower your knowledge base. The majority of businesses, especially multinationals, will be blessed with a group of knowledgeable employees (or consultants) such as lawyers, security executives, risk officers and senior executives. When combined, these individuals can and should provide a cohesive view of the organisation's digital assets and legislative/regulatory requirements in each location.

Think global, act local. By auditing the businesses across every location and recording the different digital assets produced and stored, the risk management team can start to gain a clear view of any challenges or areas for concern as well as flagging future challenges in a reliable risk management system.

Set realistic expectations. Regulatory and legislative organisations will expect organisations to recognise the importance of their digital assets, but the acknowledgement that digital risk management is still in its infancy means that you could be ahead of the curve.

Be proactive. Proactively prevent issues; don't wait for the proverbial to hit the fan. By having a robust risk management policy and procedures in place you'll be able to detect, report and address issues that are important. After all, prevention is better than having to continually fire fight problems. Digital risk management requires digital solutions. By creating a clear data collection and reporting process based around a suitable toolset, you'll be able to profile the risk of assets and use the information to compare value, therefore optimising the risk and reward balance.

Overall, remember those producing digital assets never envisioned that they would one day have to comply with the growing regulatory demands that modern businesses now face. If you want to be successful in motivating your entire organisation into being compliant, remember to keep things simple, educate and collaborate. By getting all employees to appreciate the associated benefits of risk management you'll be more likely to succeed in implementing and maintaining your digital assets.

Matthew Eddolls
Director and Head of Risk Change
CoreStream
T: +44 (0)20 7100 4378
E: matt.eddolls@corestream.co.uk

PERSPECTIVES

THREE ACTIONS YOU CAN TAKE NOW TO PREPARE YOUR PROGRAMME FOR THE INTERNET OF THINGS
BY ED MOYLE
> ISACA

Whether we like it or not, the Internet of Things (IoT) is here and it's here to stay. Whether our organisations are public or private, whether we are a service provider or an end user, and regardless of the organisation's size or industry, connected devices are transforming the landscape of how we do business and how we live our lives, both personally and professionally.

For those of us in the risk and compliance world, this can have some serious implications. First, for many organisations, individuals that make decisions about risk, security, compliance and governance may not be aware of the scope of connected devices coming into the environment, meaning, because they can come in non-centrally and piecemeal, there may not be an opportunity to systematically evaluate questions like the risk they pose and the impact on compliance posture. Additionally, there can be questions about responsibility for those devices. Consider, for example, the question of who owns connected devices from a support and administration standpoint. Who's responsible, for example, for patching the IP-connected television in the conference room when a vulnerability is discovered that makes that device a potential target? Who monitors the network-connected smoke detector to ensure that an attacker hasn't compromised it for the purpose of using it as a launch pad to move laterally through the network?

In many organisations, the answer is unclear, or worse yet, it's nobody. As a proof point of this fact, our 2015 IT Risk/Reward Barometer found that about half (49 percent) of the business and IT professionals surveyed indicated that key stakeholders (such as IT) are not currently aware of all connected devices that enter the organisation. This means that those who generally have accountability for ensuring that devices remain protected and updated aren't in the loop about new arrivals. This lack of visibility can be problematic because technical risk can result when devices go unmaintained, and that maintenance is less likely to get done when ownership of administrative tasks is unclear. How likely is it that an attack could happen? The same survey also found that 73 percent of those surveyed thought there was either a medium or high likelihood of a connected IoT device being compromised by an attacker.

In addition to technical risks, there can also be an impact on compliance posture. Consider, for example, a retail organisation that is under the scope of the Payment Card Industry Data Security Standard (PCI DSS). What happens to that organisation's scope of compliance if a retail store, field office or other remote locality installs a connected thermostat that happens to be on the same network as a point of sale? You can imagine the impact that a situation like this would have on, for example, the annual assessment that a larger retailer might need to undertake to demonstrate DSS compliance.

What can be done?

The IoT can have a significant impact. To maintain the posture that we've worked so hard to build, it behoves us to pay attention to it and put some plans together now that help us ensure our goals are met despite these shifts. Fortunately, there are things we can do to prepare. The steps below are a few things you might consider doing now to help prepare for IoT. This is not intended to be an exhaustive list and these are not the only steps that you can take. In fact, in some cases (depending on culture, budget, and other organisation-specific factors), there might be things that are even more effective. That said, we have highlighted these measures because they are free, will have an impact right away, and have value to you and your program regardless of the approach your organisation takes with respect to the IoT.

Revisit inventory, data collection and discovery

Most people have heard the phrase 'know thyself'. It's an unfortunate fact that most organisations don't, and that is particularly true when it comes to keeping a comprehensive and accurate inventory of systems, technology and business processes. The IoT will throw this into stark relief. Why? Because it will be much harder to identify, track and address new devices if existing inventories are already a mess. Having a strong inventory now and building out ways (through manual or automated processes) to keep it updated as new devices are added means that you're in a better position to evaluate new devices as they're introduced. Organisations must keep in mind that this isn't a one-person effort. They must enlist those who have a stake in gathering this information and who would be responsible for doing the work (for example, IT, technology auditors, technical risk teams) to provide input and resources, and help innovate the right strategy to get it done.

Clarify risk tolerances (risk appetite)

In many organisations, risk appetite isn't as clear as many of us might like. It might be informal instead of signed off on by an appropriate level of management, it might not ever have been explicitly discussed and decided upon, or perhaps circumstances have changed since it was last discussed. Preparation for an IoT world can be a good time to clarify what the risk appetite is and, in so doing, make sure that it is signed off on at the appropriate level. Why does risk tolerance matter specifically for the IoT? Keep in mind two things: firstly, there could be a rapid influx of devices when adoption picks up and, secondly, shadow adoption might limit the amount of time the organisation has to make risk decisions as usage is discovered. Having a defined, articulated and approved understanding of acceptable risk helps streamline the risk-based decisions that might need to be made down the road.

Clarify ownership, policies and responsibility

Many of the potential issues that can result from the IoT, such as challenges in maintaining the devices that might come into scope, are issues that result in large part from lack of clarity around roles and responsibilities. Assigning ownership of tasks such as discovery, maintenance and security hygiene in advance of discovering significant usage is advantageous. The organisations that need to do that work might require additional budget or staff to do that work; looping them in now, unambiguously discussing who does what and formalising those roles in writing, gives all parties time to prepare. This preparation can include obtaining resources, making any technology changes or investments, developing or acquiring subject matter expertise and obtaining tools. Documenting it in writing unambiguously is also helpful as it reduces confusion down the road and lets everyone know who is responsible for which tasks.

As should be evident by this point, these steps aren't rocket science. Putting the work in now can provide a lot of value and minimise work down the road.

Ed Moyle
Director of Emerging Business and Technology
ISACA
T: +1 (847) 660.5549
E: emoyle@isaca.org

PERSPECTIVES

PERSPECTIVES

SOFTWA R E A N D CY B E R
SECUR I T Y: T H E N E W
KEYS T O C O R P O RAT E
GOVE R N A N C E I N T H E
AUTO I N D U S T RY
BY FRENCH CALDWELL
> METRICSTREAM

Volkswagen is still reeling from an emissions software scandal that will likely cost billions of dollars, and will have lasting repercussions for Germany's economy, as well as the global automotive industry. This in the same year that certain Jeep and Fiat models were found to be vulnerable to hackers, meaning their cars could be stopped or controlled remotely, a terrifying prospect for car owners and manufacturers alike. 2015 hasn't been the best year for the automobile industry, nor the IT and engineering teams programming the tech inside these vehicles, which played a starring role in both stories.

Indeed, with more and more car manufacturers having embarked on digital strategies, IT software is now essential to the way modern cars perform and how they stay on the road. IT compliance and cyber security therefore have become integral to the overall safety and compliance of modern vehicles, completely at odds with how the industry has functioned for the last century. Often focused on health and safety, the environment, and quality controls, product compliance has traditionally been the province of engineers. For car manufacturers today, working closely with IT and security professionals to ensure the integrity and security of their products is now of paramount importance. The compliance scandals we've seen this year suggest that there is still a huge disconnect between these teams for many manufacturers.

Although serious for many reasons, the VW scandal was fundamentally an environmental and consumer issue. However, it might not just be fines and penalties at stake in the future, but also the life and limb of passengers. Tech already plays a huge role in how brakes and airbags are deployed in modern cars; imagine if shortcuts were taken here or on the IT systems associated with navigation on driverless cars. Very quickly the conversation concerns loss of life rather than the loss of money.

As technology plays an increasingly important role in our day to day lives, assisting us in making choices or in some cases doing so independently, much more needs to be done to ensure IT compliance isn't just seen as a checklist test which simply needs to be passed. The stakes are far too high for that, and the car industry is just one of many examples why. Healthcare is also heavily invested in digital strategies, taking advantage of technology to monitor, maintain and improve our health. If the software inside a heart monitor or pacemaker was to stop beating, the results could be catastrophic. Apply this logic to mass transport or connected cities and we're talking about disaster scenarios and loss of life on a huge scale.

What of the auto industry regulators?

So far we have only discussed the role of car manufacturers but regulatory bodies are also culpable, of course. As is so often the case, car industry regulators simply haven't been able to keep up with changing information technology. With VW, their lack of understanding is plain to see for all involved.

There are, of course, reservations about whether the auto industry regulators had the required IT knowledge to ensure their compliance regimes were up to date. In the case of VW, regulators arguably failed to ensure that the law stayed relevant to real world driving conditions and new technology which, of course, is a huge flaw. When laws no longer apply to real life, many users find it difficult to understand why they must comply. For example, a 2mph speed limit may initially see drivers struggle to slow down sufficiently and be considered a success. However, once it is found to be impossible, or near enough, speeds would increase significantly and be accepted as the new normal. In the emissions case, regulations were measuring outcomes, comparing them to an almost impossible standard and incentivising engineers to design to the test, in this case cheat. To date, this scandal has had a huge impact on just VW alone, but when the full details are revealed, it wouldn't be surprising if this was a systemic industry problem. When that happens, the blame falls squarely at the door of the regulators.

So what is the end result of poor IT governance in the auto industry? Consumers' cash is being blown out the exhaust. It's like a massive tax that benefits no one: the consumer is not getting better performance, the public is not getting better health, and the manufacturer is investing in testing, not performance.

The sooner engineers, IT professionals, and regulators come together and combat the issue of IT compliance in car safety, the better for all involved, not least the driver.

French Caldwell
Chief Evangelist, GRC
MetricStream
T: +1 (925) 451 1468
E: pr@metricstream.com

PERSPECTIVES

CYBER ATTACK ON JPMORGAN CHASE: HACKING AS A BUSINESS MODEL
BY CHERYL TYLER
> CLT3 CONSULTING, LLC

In a case described as the largest US bank breach ever, four men were indicted in early November 2015 on 23 criminal counts, including computer hacking, conspiracy to commit securities fraud and other charges.

Two of the men, Gery Shalon and Ziv Orenstein, are awaiting extradition from Israel, while an American citizen, Joshua Aaron, is believed to be at large in Russia. A fourth man, Anthony Murgio, was charged under a separate indictment for conducting an unlawful bitcoin exchange.

Until now, cyber crime primarily took the form of data theft and distributed denial of service (DDoS) attacks, which are sometimes launched simultaneously with devastating impact on operations and brand reputation. Data hacks, like those launched recently against retail outlets, the federal government, and research institutions, exfiltrate sensitive personal, national and scientific information into the hands of foreign agents or nation states.

The cyber attack that lifted email and other personal information from more than 80 million customers of JP Morgan Chase was only one part of a much larger criminal enterprise.

Described by the United States attorney for the Southern District of New York, Preet Bharara, "It is no longer hacking for a quick pay-out. Rather, it is hacking in support of a diversified criminal conglomerate. It is hacking to locate victims. It is hacking to spy on the competition. It is hacking to maximise profit. In short, it is hacking as a business model."

Seven financial institutions are among the victims

Dating back as far as 2007, the far-flung criminal enterprise involved 12 separate companies, including seven financial institutions, financial reporting organisations and a market risk firm. According to investigators, the group attacked financial firms through direct hacks, misappropriating user passwords and exploitation of vulnerable network security.

Customer contact information from JP Morgan Chase, the largest bank in the nation by assets, was obtained through stolen login information and failure of the bank to initiate two-factor authentication on an older server in its vast network.

Using consumer information stolen from JP Morgan Chase and other companies, the conspirators engaged in large-scale stock manipulation schemes. The group set up 75 shell companies to support the inflation and sale of artificially valued penny stocks. The alleged criminals also created a money laundering outlet for illegal pharmaceutical distributors and others engaged in unlawful internet activities, including a bitcoin exchange. The group hacked into a market risk analysis firm, monitoring employee email in order to avoid detection for their money processing scheme and other activities.

Cyber intrusion as a business model

There is no doubt that malicious and nation-state cyber attacks are on the rise. But this case speaks to something more; notes United States Secret Service Agent Robert Sica, "This investigation is indicative of the sophistication and complexity of cyber crime and the transnational criminal organisations that are responsible for it. Transnational cyber criminal organisations operate with impunity regardless of national borders as these criminal organizations seek to profit from information stolen through the unauthorised access to victims' networks."

The alleged criminals reaped hundreds of millions of dollars. Of the 23 charges they face, eight carry maximum penalties of 20 years in prison.

Across enterprise, the need for active, responsive cyber security protocols and processes is paramount. States Mr Bharara, "Companies need to do a better job of protecting all the information that they have because, even information like email addresses, and location information, can be used for devious purposes, to the detriment of a lot of people who were their customers. So, obviously, defences need to be better."

No business is too big, or too small, to suffer a devastating cyber attack. From the board level down, ensure risk assessment, readiness and business continuity planning is in place to reduce damage and liability when your company becomes a target.

Cheryl Tyler
Founder
CLT3 Consulting, LLC
T: +1 (240) 481 7756
E: cheryl.tyler@clt3consulting.com


MINI-ROUNDTABLE

COMPLYING WITH EUROPEAN DATA PROTECTION LEGISLATION

PANEL EXPERTS

Dr Jochen Lehmann
Partner
GÖRG
T: +49 221 3366 0244
E: jlehmann@goerg.de

Dr Jochen Lehmann has been a partner at GÖRG since 2007 and specialises in IT matters with a particular focus on data protection and data security matters. He has built up his expertise in that particular field of law since he started working for GÖRG about 15 years ago. Dr Lehmann is a regular speaker on the subject of data secrecy and data protection in various contexts, such as data secrecy and directors' liability or data secrecy and insurance. He is also a member of GÖRG's IT group, which is led by four partners including himself, as well as the firm's internal IT advisory board.

Alfredo Gallistru
Partner
PwC
T: +39 02 7785 483
E: alfredo.gallistru@it.pwc.com

Alfredo Gallistru is a partner at PwC Italy. Within the risk assurance services practice he leads the IT risk assurance solution set. Mr Gallistru is a certified information systems auditor (CISA), certified internal auditor (CIA), certified information security manager (CISM), certified in the governance of enterprise IT (CGEIT) and certified in risk and information systems control (CRISC). He is vice president of the local ISACA Chapter in Milan. Mr Gallistru has more than 20 years of experience in information system auditing, privacy and information security consulting, compliance review and in the assessment and implementation of IT governance and IT controls.

Elsebeth Aaes-Jørgensen
Partner
Norrbom Vinding
T: +45 35 25 39 40
E: eaj@norrbomvinding.com

Elsebeth Aaes-Jørgensen advises on all aspects of labour and employment law but has a special interest in data protection, public law in general, including municipal and administrative law, business immigration, pensions, the private practice sector as well as litigation in the civil courts, the Danish Labour Court and industrial tribunals. Ms Aaes-Jørgensen is frequently involved in teaching activities and is a regular speaker in various contexts on all aspects of labour and employment law, including data protection. In addition, Ms Aaes-Jørgensen heads Norrbom Vinding's data protection team and is a member of the International Association of Privacy Professionals (IAPP) and the Copenhagen Data Protection Forum.


RC: Could you provide an overview of the main issues currently surrounding the data protection landscape in the EU? Why is there now a need for the Data Protection Directive to be updated?

Aaes-Jørgensen: The hot news right now is of course the political agreement reached on the new Regulation. The Data Protection Directive entered into force in 1995. The main issues surrounding the European data protection landscape in 1995 were different compared to the issues we see today. More specifically, in the last few years the focus on data protection and privacy has grown tremendously due to the rise of social media. In 1996, only around 10 percent of the Danish population used the internet; today more than 90 percent of the population has access to the internet at home. Private information is accessible in a way never seen before. By conducting a simple Google search on a person's name, several pieces of information about that person will be revealed. The simplicity of collecting information actualises the right to have incorrect and irrelevant information deleted and, basically, the right to be forgotten or have your electronic footprint deleted.

Gallistru: The European landscape may well represent a challenge as well as a big opportunity. The consistent cross-board implementation of the Data Protection Regulation will set the grounds for a common mindset, based on standardised and recognised needs. Moreover, it will encourage a strengthened risk awareness and response resulting from the dynamic evolution of the technological environment. An additional factor is the increased perception of personal data treatment among data owners, who now demonstrate an increased awareness.

Lehmann: There are two main issues in the field of data protection from the European and German perspective, both related to the new directive. The first is surely the Schrems-holding of the European Court of Justice on 6 October 2015. No one currently knows what is going to happen to the transatlantic exchange of personal data. Both the German authorities and the Article 29 Working Group have said that they would reconsider the situation by February 2016 and will then decide what bearing the Schrems-holding might have on any alternatives. In that context, everybody is waiting for a new agreement with the US and how that is going to tie up with the forthcoming General Data Protection Regulation (GDPR). The latter is now eagerly awaited, probably because everyone knows that the former Data Protection Directive is completely outdated since matters such as social media and Big Data were virtually unknown and probably unforeseeable in the middle of the 90s.

RC: What are the key changes found in the European Data Protection Regulation? How are these likely to impact European businesses?

Aaes-Jørgensen: In our opinion, there are four key changes that are likely to impact European businesses. The first is the right to be forgotten. The second is that it be made mandatory for companies to carry out a Privacy Impact Assessment (PIA), a process which involves a number of minimum requirements which companies must fulfil. The third change is that the consequences of not complying with the new Regulation will be very different from the sanctions known today. The level of the administrative fines will be a maximum of €20m or 4 percent of the company's total worldwide annual turnover, whichever is higher, for a number of specifically mentioned infringements. The fourth key change is the obligation to delete data: the longer data is stored, the greater the risk.

Gallistru: Changes to the European Data Protection Regulation have different ramifications. We expect that the main impacts will arise from the revision of penalties, with the consequence of higher financial, not just reputational, risks in the event of a breach, either intentional or due to negligence. There will also be an impact arising from the appointment of a data protection officer (DPO), from an organisational perspective, in terms of recruiting and training, implementing new processes and information flows, and so on. In addition, there is the provision of data breach notifications within defined deadlines, especially considering the new technologies to be implemented and potential costs connected with the relevant proceedings, which will also have an impact. Furthermore, for certain industries, significant impacts may arise from the implementation of actions regarding the right to be forgotten and to data portability and the need for privacy by design and default. The positive impact we expect in the competitive landscape from a European perspective is in terms of the speed of information flows; from a wider perspective, this will probably depend on consumer perception.

Lehmann: With regard to German law, the key aspects are the broader application of data breach notification duties and the dramatically increased possibilities of fining businesses. German law currently allows for fines of up to €300,000 to be imposed for the infringement of data protection legislation, plus a skimming of gains made. Fines could reach up to €100m under the current draft of the directive. As to notification duties, German law applies these only to sensitive data like bank data and credit card data. However, this will probably be amended so that the notification duties apply to all kinds of personal data. Also, we might get a 24 hour deadline while the current regime gives "an appropriate time". In general, the GDPR is drafted in a more general way than the German legislation and some data protection officers fear that this will give more leeway to businesses when they process personal data.

RC: What advice would you give businesses in terms of preparing for the implementation of the Regulation? Will the new Regulation negate the need for national implementing legislation?

Gallistru: The main message we would address to businesses is the importance of taking the chance to obtain compliance with the incoming regulation to improve processes and risk responses, and more generally to consider privacy as part of the added value provided to clients. In order to do that, we recommend that companies perform a preliminary assessment to evaluate organisational and internal skills, to identify further gaps and anticipate possible needs. The involvement of an expert adviser combining cross-competencies such as legal, HR and IT, promoting a more confident, holistic approach, could assist the effectiveness of the initiative. The need for national amendments should be reduced, as the common guidelines will be defined across territories. Accordingly, in a medium to long-term timeframe, we would likely expect local regulators to revise their role turning to a proactive

and increased involvement in compliance audit, resulting in the reinforcement of risk coverage.

Lehmann: We would encourage parties to take data protection issues seriously from now on, if that is not already the case. While there is already a tendency toward higher fines in Germany for a failure to comply, the new framework for fines marks the beginning of a new era in which seven digit fines for data protection infringements might become regular occurrences instead of oddities. Second, companies' entire operations should be subject to compliance testing, particularly given that no director will want to be responsible for a seven to nine digit fine. There will still be room for national rules and for national legislation. This is all the more true since the rules set forth in the upcoming General Data Protection Regulation contain some general rules, meaning that national peculiarities will surely survive at least until either the European Court of Justice or the Commission specify them. Having said that, German businesses should wait to see how the German authorities are going to apply the GDPR, since they might not want to deviate too quickly from the sometimes rather strict approach that they have honed for years, although the legislation has changed.

Aaes-Jørgensen: The new Regulation will be directly applicable in all EU Member States. Thus, as a starting point, there will be no room for the implementation of national legislation. However, the intention is to make room for national amendments, even though the central idea of the Regulation is to simplify things for international companies by having the same statutory framework in all EU countries. Obviously, this concept is jeopardised by making more room for national amendments. How many national deviations we will end up with is yet to be seen. But with the specific content of the final Regulation now known, it is highly advisable for companies to form a general view of their privacy issues in order to be able to avoid any pitfalls and address any gaps.

RC: To what extent has the preliminary guidance unveiled in January 2015 already impacted on the data protection community? Has the guidance provided a flavour of the tougher and more complex regulations to come?

Lehmann: I cannot see that the guidance has made a great impact. There are polls stating that a majority of companies have not yet bothered to examine the GDPR too closely because the long legislation process gave the impression that there will always be enough time in the future and, secondly, German legislation is already quite strict. Instead, the data protection community in Germany is more concerned with the Schrems-holding and the new national legislation on data retention. Other

topics include problems with the national e-health card and the laws on IT security.

Aaes-Jørgensen: Certainly, we have seen an increase in companies' focus on data protection. The fines make it clear that insufficient personal data practices in companies simply constitute too big of a risk. Specifically, HR managers have begun focusing on how to recruit sufficiently capable DPOs. Until now, Danish companies have not been required to appoint DPOs, but the new Regulation changes that. With no tradition for having DPOs, only relatively few people in the Danish labour market can be expected to be capable of fulfilling such a position and those who are will clearly be in high demand. We therefore recommend that companies that have not yet given any thought as to how to find a DPO or train existing employees to be able to take up such a position get going as soon as possible.

Gallistru: As far as the Italian market is concerned, the preliminary guidance of the European Regulation has generated significant interest and has established the grounds for a debate among professionals in the space. At the same time, most organisations postponed actions awaiting the final version of the regulation, taking into account that it could still be adjusted and integrated by the various European Data Protection authorities contributing to the project. Careful readers, as well as professional experts, expect a much more complex set of regulations than the existing Regulation; as such, the two year timeframe for its adoption is absolutely necessary. Moreover, the Regulation involves an implicit simplification of privacy compliance for data owners operating at a European level.

RC: In your opinion, is the new Regulation primed to deliver its stated aim to harmonise current data protection laws in place across the EU member states, or are there clear obstacles to achieving that objective?

Lehmann: There is already a great degree of harmonisation of the basic rules on the protection of data among EU Member States. I cannot remember feeling that another Member State actually had a completely different set of rules, which is not surprising, given that European legislation has often dealt with data protection in the past and given the informal but nevertheless strong influence of the Article 29 Working Group. However, there seem to be great differences in how seriously the national data protection authorities take data protection issues and how easily they impose high fines when companies fail to comply. While the Spanish and the French authorities have always been known to quickly come up with a significant fine, other states take a more lenient approach. Germany is somewhat in between on account of applying the rules quite strictly but being careful with higher fines. This might change if the maximum fine rises to €100m.

Aaes-Jørgensen: With 28 EU Member States and the same amount of legal traditions, it is clear that harmonisation is not an easy goal to achieve. And it will take more than the new Regulation to succeed. One of the key principles of the new Regulation is the "one stop shop", meaning that companies with activities in more than one Member State will have to deal with the data protection authority in one Member State only. This aim seems promising but it remains to be seen whether it will work in practice. The differences in the statutory framework of the EU Member States are a practical challenge. Another challenge is that the national data protection authorities will have to communicate sufficiently and efficiently to harmonise their different practices.

Gallistru: We believe that the adoption of the new Regulation will result in the market adopting a structured and common risk response at a European market level. This will enable the simplification and fine-tuning of various aspects of Regulation enforcement in the various European Member States. An implicit step that all territories, Italy included, will have to make is extending risk culture awareness, a process facilitated by risk assurance professionals who will assist data owners in this phase. Once territories reach and maintain compliance, the European Regulation will help companies achieve their business objectives more rapidly.

RC: In your opinion, do companies need to make substantial changes to internal processes and procedures, in light of the new Regulation? What penalties could businesses face if they fall short on compliance?

Gallistru: We can expect some significant changes to processes and procedures arising from the new Regulation, especially regarding the new role of DPO and data breach notifications. As for other elements of change, such as the implementation of actions regarding the right to be forgotten, the right to data portability and the need of privacy by design and default, some industries will be more affected than others. This will probably be the case for telecoms and utilities. These innovations require organisations to review their business processes to adequately respond to the new requirements, including the management of outsourcers. In addition, we must not forget that a portion of the changes needed may also involve non-compliance with previous requirements. As for penalties, from an Italian perspective, existing Italian legislation provides for fixed administrative sanctions in addition to possible penal sanctions. Under these circumstances, at least with reference to larger enterprises, the negative consequences are now mainly operational and reputational. The EU revision of penalties could result in businesses reviewing their risk assessments. Consequently, from a financial point of view, changes in penalties could represent a potential issue which must be faced. It is worth noting that such issues should be dealt with not just in order to meet some compliance requirements, but considering the protection of the organisation's value primarily to effectively manage an important element of the business strategy.

Lehmann: Companies will have to adapt. Data protection will now be a serious business, given that nine digit fines or the skimming of 5 percent of annual gains is possible. Data protection has thus become an important issue and a great responsibility for directors, since they will face severe liabilities if their company fails to comply due to a director's failure to take necessary action. Also, businesses

should reassess their position and decide whether existing protection against threats from outside or inside needs an overhaul. That should be a matter for the board of directors, not the head of IT or the CIO. Reporting structures regarding data protection and data security must also be adapted. Not only will every breach of secrecy have to be reported quickly, but all other issues should potentially be brought to the attention of high-level management.

Aaes-Jørgensen: Companies that are already on track with their internal processes and procedures might only need minor changes to their routines, depending on the type of personal data they are dealing with. It goes without saying that companies that have had a relaxed approach to the protection of personal data so far need to scrutinise their internal processes and procedures more strictly. However, it should be stressed that even companies that are fully compliant with national legislation under the current statutory regime will have to thoroughly scrutinise their processes and procedures taking the details of the new Regulation into consideration, in order to make sure that they are still compliant when the new Regulation comes into force. One of the reasons for this is clearly the level of the fines, which are likely to constitute a significant business risk. In addition, reputational risk must also be taken into consideration.

RC: What compliance strategies are businesses likely to adopt over the coming months and years? Do you believe this new Regulation signals positive change for the EU data protection community?

Lehmann: If they have not already done so, companies will name someone from the board of directors to take over responsibility, not only because the matter is serious but also because the responsibility would rest with all the directors if they do not choose someone specifically. Moreover, any board of directors should see that it alerts staff to data protection and security matters and

measures. Staff should be given more information

and so on. In the next few years it is likely that

and guidance on the subject, through a variety

companies will feel forced to dedicate substantial

of measures, including more and more precise

resources to compliance on privacy and personal

policies. Additionally, companies should check

data. In that respect, it should be kept in mind that

whether access to data has to be the same for every

when the legislative process of the new Regulation

member of staff or whether there should be more

is completed, companies will only have two years to

restrictions. Finally, closer monitoring of staff and an

meet the new requirements, and during that two-

escalation procedure that makes sure the immediate

year period the national legislation in every single

reporting of every incident will become inevitable.

EU Member State is likely to undergo changes as a

There are concerns that replacing tried and tested

consequence of the new Regulation.

German rules with the new regulation will raise a


lot of questions that have already been answered.

Gallistru: Most organisations have already

For quite some time, there will be less certainty

performed a preliminary evaluation of the impacts of

around what is right and what is wrong. Form the

the new regulation on their business. As soon as the

European point of view, there will after a few years

nal documents are released, such an evaluation will

hopefully be more harmonised rules in all Member

need to evolve in a comprehensive gap assessment,

States, so that handling data protection matters

including an action plan. All professionals involved

inside the EU, as well as with parties outside the EU,

in any capacity in privacy issues should expect a

may become easier.

very intense period of activity. The possible lack


of specialised consultancy resources, particularly

Aaes-Jrgensen: Without doubt, the Regulation

those with the cross-competency skills optimal to

indicates that positive changes are being made in

reach a more efcient compliance, could represent

the EU data protection community, as the Regulation

a barrier to be taken into account. We believe

will be more suitable for meeting the needs of a

that the new regulation will have a highly positive

legal framework matched to current personal data

impact, particularly in the long run. Among the

challenges. However, there are concerns that the

various advantages is the chance to create a larger

level of nes will force companies to pay attention

community of privacy professionals, now able to

to data protection at the expense of other important

discuss and compare their positions in reference to

issues, including environmental, health and safety,

&
a common framework. RC

130 RISK & COMPLIANCE Jan-Mar 2016

www.riskandcompliancemagazine.com

PERSPECTIVES

CONSEQUENCES AND OPTIONS FOR EU-US DATA TRANSFERS IN THE POST-SCHREMS WORLD
BY JOHN A. DRENNAN, NICHOLAS A. OLDHAM, SEBASTIAN D. MÜLLER
> KING & SPALDING

6 October 2015, was a particularly significant day for business across the world. On that day, the European Court of Justice (ECJ) invalidated the EU-US Safe Harbour Framework in Schrems vs. Data Protection Commissioner. For nearly a generation, the Safe Harbour Framework provided a streamlined legal mechanism for transferring EU residents' personal data to the US. Roughly 4500 companies are registered under it with the US Department of Commerce, certifying that they comply with privacy principles similar to those contained in the EU Data Protection Directive. Following Schrems, any transfer of personal data from the EU to the US under the Framework is a breach of EU data protection law.

Schrems was brought as a test case. In the wake of Edward Snowden's disclosures in 2014, Austrian privacy activist Max Schrems challenged the Safe Harbour Framework in court, alleging that Facebook supported US spying by passing European user data to the US government. The ECJ agreed with Schrems that the Framework violated EU law, reasoning that "the national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements."

Global impact

Going forward, the resolution of individual cases made by the Data Protection Agencies (DPAs) of EU member states will be governed by Schrems. That fact alone will have serious consequences for data transfers from the EU to the US.

For example, DPAs in Germany, a country known for its high level of data protection, have already indicated that they will prohibit data transfers to the US when the transfers are based solely on the Safe Harbour Framework. They have also suggested that they will monitor closely the data flows of subsidiaries of US companies that are registered under Safe Harbour. Following Schrems, German DPAs also called into question other legal mechanisms for data transfer, including Binding Corporate Rules (BCRs), model contract clauses approved by the European Commission, and even individual consent.

But the impact of Schrems goes far beyond the EU. Iceland, Liechtenstein and Norway, which are part of the EEA but not part of the EU, are expected to conform to Schrems soon. And Switzerland and Israel, which are members of neither the EU nor the EEA, have already revoked their prior authorisations to transfer personal data from them to the United States. These countries were found by the European Commission to have privacy laws that adequately protected the privacy rights of individuals. Other countries that benefit from EU adequacy determinations (Argentina, Canada and New Zealand) will likely follow suit.

What now?

Business persons across the globe can be forgiven if they are found scratching their heads and wondering what to do now. As suggested above, there are several options, but which one, or ones, are the best for a particular company is not always clear.

For example, there are a number of legal justifications that can play the role of the Safe Harbour Framework. The three most frequently discussed are: (i) relying on designated privacy-rule exceptions (or derogations); (ii) using BCRs approved by European DPAs; and (iii) using European Commission approved model contractual clauses.

But these options have limitations. Derogations (e.g., informed consent or contract performance) are construed very narrowly and are not normally appropriate for bulk-data transfers. Informed consent, for instance, is particularly difficult to obtain when it comes to the processing of employees' data. And quite aside from the fact that certain DPAs have raised questions about their continued viability, BCRs are expensive and time-consuming to have approved and to implement. Model contract clauses are difficult to administer and manage, and in some states must be approved by the government. In short, there is no obviously attractive alternative to the Safe Harbour.

Another alternative is to modify the company's business practices. This could be done, for example, by moving the company's computer servers to the EU (or another approved country) and processing all of its EU-based personal data on that server. It could also be done by using computer programs to scrub personally identifying information from data prior to transmitting it.

These options also have drawbacks. Not only will data localisation arguably lead to a world of data silos, it will prevent the company from realising cost savings through centralisation. And anonymisation (the process of stripping data of information that allows it to be used to identify individuals) is neither technically feasible nor desirable for many purposes. Moreover, some European Data Protection Authorities base their identifiability thresholds not on whether the party in possession of the data is able to identify an individual from the data, but on whether any party can do so.

Finally, a government-to-government agreement, often referred to as "Safe Harbour 2.0", might be possible. In fact, the European Union has reported recently that it reached an agreement in principle with the US on a data-sharing pact to replace the Safe Harbour. But exactly what that agreement in principle entails for businesses is unknown, and there is no deadline by which the EU and the US must complete an agreement. The Article 29 Working Party, an independent body that advises the European Commission, has indicated that EU DPAs will begin enforcement efforts at the end of January 2016.

Our advice: fasten your seatbelts and call your lawyers; it's going to be a bumpy ride.

John A. Drennan
Counsel
King & Spalding
T: +1 (202) 626 9605
E: jdrennan@kslaw.com

Nicholas A. Oldham
Counsel
King & Spalding
T: +1 (202) 626 3740
E: noldham@kslaw.com

Sebastian D. Müller
Associate
King & Spalding
T: +49 69 257 811 201
E: smueller@kslaw.com

MINI-ROUNDTABLE

MITIGATING AND MANAGING CORPORATE FRAUD IN THE ASIA PACIFIC REGION

PANEL EXPERTS

Chris Fordham
Managing Partner, Fraud Investigation & Dispute Services, Asia-Pacific
EY
T: +852 2846 9008
E: chris.fordham@hk.ey.com

Chris Fordham is the Managing Partner of EY's Fraud Investigation & Dispute Services unit for Asia-Pacific. He has been in the accounting profession for 25 years, and has lived in Hong Kong for 17 years. As a forensic accountant, Mr Fordham has extensive experience in forensic investigations, anti-corruption and anti-money laundering (AML) risk consulting, as well as acting as an expert witness. He is Chairman and a Founding Member of the Steering Group of the Forensic Interest Group established by the Hong Kong Institute of Certified Public Accountants (HKICPA).

Rob Locke
Oceania Managing Partner, Fraud Investigation & Dispute Services
EY
T: +61 2 8295 6335
E: rob.locke@au.ey.com

Rob Locke is the Managing Partner of the Oceania Fraud Investigation and Dispute Services (FIDS) practice and the leader of FIDS Oceania's financial services practice at EY. He is a highly experienced forensic professional with more than 25 years' law enforcement, investigation and fraud risk management experience in both the public and private sectors. Mr Locke's experience extends across a wide range of industries and sectors, including financial services, consumer and industrial markets, government as well as energy and natural resources, media, information, communications and entertainment.

Lawrance Wei Chong Lai
Partner, Fraud Investigation & Dispute Services
EY
T: +65 6309 8848
E: lawrance.lai@sg.ey.com

Lawrance Lai has over 17 years of diverse experience ranging from corporate finance and restructuring, corporate insolvency, fraud investigation and litigation support to management consulting. Mr Lai has worked with Singapore regulators and authorities as well as corporate clients on various investigations across the Asia-Pacific region. He assisted a multilateral finance institution on several project procurement-related audits. He has also led numerous US Foreign Corrupt Practices Act assessments as well as investigations in the region. He is a frequent speaker at conferences, seminars and local universities on fraud.

Emmanuel Vignal
Greater China Leader, Fraud Investigation & Dispute Services
EY
T: +86 (21) 2228-5938
E: emmanuel.vignal@cn.ey.com

Emmanuel Vignal is the Leader of EY's Fraud Investigation & Dispute Services in Greater China. He has 20 years' experience in fraud investigations, anti-bribery/anti-corruption reviews, transactions forensics and litigation support, including over 17 in Hong Kong and Shanghai. He is routinely involved in risk assessments at the Chinese operations of MNCs and in FCPA/integrity due diligence. Mr Vignal has also worked on numerous dispute assignments and given evidence on accounting matters and valuation issues in arbitration proceedings in London, Hong Kong, Beijing and Tokyo.

RC: In your opinion, how is the issue of fraud perceived in the Asia-Pacific region? How does this risk compare in an international context?

Fordham: The countries in Asia-Pacific are on a journey to improved corporate governance and intolerance of unethical practices. Fraud, bribery and corruption are reported in the newspaper every day and people have begun to feel that it is all around them. This is driving a change in attitudes and this change is evidenced by the growth in demand for fraud services.

Lai: Compared to the international context, Asia-Pacific has in the past been perceived to be a riskier place to do business than some other parts of the world and this perception has been attributed to the differing levels of transparency and governance across the Asia-Pacific region at that time. However in the last decade, we have seen a sea change in attitudes towards transparency and governance, as well as ever-increasing local regulation and enforcement.

Vignal: There has been an overall dilution of the taboo surrounding the subject of fraud, especially in countries such as Japan and Korea. In China specifically, official communication around the anti-corruption campaign and frugality rules have made it a lot easier to engage in discussions around fraud, bribery and corruption at multinational businesses that interact with government officials, even in purely commercial transactions.

Locke: Demand for fraud services in Oceania remains very high. We continue to see a strong appetite from both corporates and the government to respond strongly to incidents. We are also seeing a desire to get on the front foot by conducting robust risk assessments, training and the use of forensic data analytics to prevent and detect fraud and corruption.

RC: Have there been any recent notable cases of fraud which exemplify the challenges facing companies, investors and regulators operating in the region?

Locke: The financial services industry has come under increased regulatory scrutiny in recent years. Matters such as collusion to fix bank bill swap rates, a number of high profile financial planning frauds and broader conduct risk issues have elicited a range of responses from regulators, including the adoption of more sophisticated monitoring tools to scrutinise large volumes of data, such as transactions and conversations. Regulators are certainly harnessing available technology to their benefit. Corruption in procurement for higher risk purchases, such as IT and cloud services, has also drawn a range of regulatory responses. These include preparedness by law enforcement agencies to investigate alleged corruption and a range of corruption commissions actively scrutinising and investigating this high risk area.

Vignal: The level of regulatory enforcement in the pharmaceutical sector in China since mid-2013 has been a game changer in terms of its scope and the magnitude of fines imposed on certain life sciences multinational companies. This has had a ripple effect throughout the industry, forcing a new paradigm for interactions between sales representatives and health care providers. The anti-corruption focus has covered a number of other industries, with increased scrutiny on financial institutions recently. We have also seen vigorous enforcement of antitrust legislations against multinational car manufacturers in China, Korean and US technology companies, milk-formula producers, and Chinese producers of liquor.

Fordham: Over the last couple of years we have seen the emergence of a trend of activist short sellers specifically targeting companies in Asia, often with allegations of corporate fraud, but always seemingly aimed at negatively impacting share prices for personal gain. Companies have been slow to react, generally failing to develop proactive measures to counter this emerging threat.

RC: Have there been any regulatory and legislative changes in connection with corporate fraud in the Asia-Pacific market? Have there been any particular developments concerning whistleblowers?

Locke: The increase in regulatory scrutiny and enforcement has led to many Asia-Pacific organisations strengthening their fraud and corruption prevention activities. Our 2015 Asia-Pacific Fraud Survey found a substantial increase compared to our 2013 survey in the introduction of codes of conduct, anti-bribery and corruption policies and related training, and clear penalties for breaching policies. However, 50 percent of survey respondents claimed that these policies were irrelevant, ineffective and, while good in principle, do not work well in practice. This suggests that there is still significant progress to be made in embedding meaningful and practical policies that will bring about real cultural change.

Vignal: In China, the main change has come in the level of enforcement. In late 2014, China's Legislature released draft amendments to China's Criminal Law for public comment. The 9th Amendment to China's Criminal Law became effective 1 November 2015. Among other changes, it introduced monetary fines on individuals convicted of embezzlement and modifies the sentencing standards for embezzlement and receiving bribes from sentences linked to specific monetary thresholds across broader, and possibly more arbitrary, categories. The amendment also introduced a new crime of offering bribes to the relatives of State officials.

Lai: The new "comply or explain" requirement of SGX, in particular, is a measure to raise the governance standards of Singapore listed companies. Companies that fail to comply will have to explain deviations publicly for investors' assessment. The SGX also intends to publicise any screening results undertaken and work with the relevant companies to address shortcomings. All these initiatives have the objective of preventing and containing issues on a timely basis.

Fordham: We have seen new laws enacted in some parts of Asia and discussion initiated about updating old laws in other parts. While home-grown local enforcement of anti-corruption laws has become increasingly rigorous, legislation to punish overseas bribery is either still absent or poorly enforced. Asia lags behind in terms of whistleblower protection. This has had an impact on the uptake and usage of whistleblower lines. Our 2015 Asia-Pacific Fraud Survey highlighted a very worrying trend with employees' willingness to use whistleblower hotlines decreasing by one-third, compared to the results from our previous survey in 2013. Employees are increasingly concerned that making whistleblower reports could damage their careers and they fear retaliation from employers or colleagues. Countries in Asia need to urgently address this fear through laws to better protect whistleblowers and the development of alternative mechanisms to detect occupational fraud.

Locke: Preparedness to use a whistleblower scheme has traditionally been high in Australia and New Zealand, due in part to protections afforded to whistleblowers under a range of legislative instruments. Across Asia-Pacific however, the story is different. Preparedness to use a whistleblower scheme has fallen dramatically from 81 percent of our 2013 Asia-Pacific Fraud Survey respondents to just 53 percent of respondents in 2015. The two main drivers of this decline appear to be insufficient legal protection and a lack of confidentiality for whistleblowers once a concern is raised. While it is difficult to influence the lawmakers to increase protection, much can be done by organisations to create a robust whistleblower scheme with safeguards built in to protect those who come forward with valuable information concerning impropriety.

RC: To what extent are boards and senior executives taking proactive steps to reduce fraud arising within their company? Do you believe there is a need to further enhance internal controls?

Locke: Australian boards are grappling with cyber risk. There is an increasing realisation that cyber is an organisational risk requiring an organisational response. This is leading to a movement away from cyber risk mitigation being simply the responsibility of the CIO and to it being firmly placed on the enterprise risk agenda. Education is emerging as a key tool in the fight against cyber risk, as is the reinforcement of risk appetite and closer monitoring of adherence to that appetite. In terms of broader proactive steps to mitigating fraud and corruption, we are increasingly seeing organisations in Oceania building more substance behind their policies. Not so long ago, many organisations simply had an anti-bribery and corruption policy. Those organisations now appreciate that an effective programme must also include robust and regular risk assessment, training, due diligence on business partners and suppliers, and monitoring of control effectiveness.

Lai: There is an increasing demand for third-party due diligence as executives recognise the risks posed by dealing with external parties. Our most recent Asia-Pacific Fraud Survey found more than half of respondents think third parties are a risk to their business in relation to ABAC compliance.

Fordham: There is a growing appreciation that data can be used proactively. Big Data and forensic data analytics are increasingly being used effectively in the financial services and life sciences industries, but uptake is still low in other sectors across Asia-Pacific.

RC: Based on your experience, do companies in the region pay enough attention to raising employee awareness and education on identifying fraud-related red flags?

Fordham: Financial services institutions are investing heavily in growing resources and capabilities within their financial crime compliance teams. Larger organisations now often have regional compliance teams made up of hundreds of people. Training is also being enhanced and organisations are learning that ethics is part of culture, so efforts are being made to embed ethics into all aspects of companies' business.

Locke: There is definitely an increase in the desire of Oceania organisations to raise awareness. While there are still some practical constraints associated with geography, dispersal of operations and the associated technology challenges, this is leading to some innovative solutions. This could be in the form of web-based training where possible right through to tool box sessions in more remote operations. This is then reinforced with posters and other literature on fraud risk, along with regular emails from senior executives about the organisation's attitude to dealing with fraud matters.

Vignal: Stronger local enforcement of anti-corruption or antitrust legislation has created a favourable climate for corporations to engage in discussions about fraud, bribery and corruption. Indeed, we have already observed a wider adoption of ethics policies and guidelines. However, effective dissemination throughout organisations is still a challenge with half of Asia-Pacific fraud survey respondents saying their code of conduct has little impact on how people actually behave. Setting the tone from the top is important, but ethics messages may get diluted through the corporate ladder unless they are properly echoed to employees by their immediate supervisors. Short, in-person training sessions, conducted in the local language, resonate particularly well, as do brief "compliance moments".

Lai: Developed countries within the Asean region have better appreciation of the need to train employees to identify fraud-related red flags. Be that as it may, training and awareness in itself may not suffice. It needs to be complemented with comprehensive fraud, bribery and corruption risk mitigation strategies.

RC: Do companies in the Asia-Pacific region appreciate the fraud-related risks that can emerge from third-party relationships? How are they addressing this issue in their due diligence and commercial contracts?

Vignal: Many of our clients have taken proactive steps to better protect their assets and reputation against internal fraud, as well against third-party risks. Third-party intermediaries, in particular in a large country such as China, are a known source of risk. It is encouraging to see that multinational companies are increasingly able to enforce their audit right clauses on distributors, agents and other service providers, such as travel agents. Third parties are also now more receptive to the new normal of being audited by their prospective business partners or customers. Commercial leverage is being increasingly exerted to ensure the suppliers' ethical standards align with those of the customer.

Lai: Companies are more cautious about relationships now and are doing more to understand the risks involved. There has been a move from open source research which has diminishing returns to clients now wanting telephone or face-to-face interviews, increased human intelligence and physical verification of assets and purported control frameworks.

RC: Looking ahead, how do you envisage fraud mitigation processes developing in the Asia-Pacific region? What general trends do you expect to see?

Locke: Organisations, particularly in the financial services industry, are increasingly starting to look at compliance and risk mitigation beyond their business silos. The consolidation of financial crime operating models is now better, enabling organisations to achieve a single view of a customer, for example. This can often lead to better risk mitigation associated with that customer while also potentially enhancing the customer relationship through minimising the number of contact points and events needed to on-board and continue to service. Organisations are also increasingly challenging themselves to understand which risk functions are core to their operations and what might be outsourced to allow them to focus on the core risks that really matter. This rise of the outsourced managed service for non-core risk management activities will likely be an increasing trend over the next five years.

Fordham: Forensic data analytics, when used properly, can become more predictive and make compliance more sustainable. We also expect to see more exercising of rights to audit third parties. Awareness and proactive actions to prevent and detect cyber threats are still inadequate, but we expect 2016 to be a year of change in this regard. Finally, compliance teams across Asia-Pacific will need assistance to look ahead at emerging compliance trends such as new legislation around human trafficking and slave labour that will impact their organisation in the very near future.

Vignal: Looking at third-party risks, we expect more frequent due diligence checks beyond the simple, initial checks which are carried out prior to a relationship commencing. Periodic due diligence refreshers throughout the life of the relationship are becoming increasingly common and valuable. As many corporations are facing slower than expected growth, acquisitions will provide an avenue for expansion and a key challenge will be to properly assess integrity risk at the due diligence stage and ensure that compliance is part of the integration strategy.

Lai: In parallel with the increasing anti-corruption campaigns and enforcement actions conducted by many countries in Asia-Pacific, we expect regulators in the region will have high expectations of financial institutions' increasing vigilance over the proceeds of bribery and corruption. Regulators will ask the financial services industry for more robust internal controls and processes to scrutinise suspicious funds and high-risk customers in relation to potentially unethical practices. These robust controls and processes will mostly be reflected in enhanced due diligence focusing on related persons to customers, stronger KYC reviews, and on-going monitoring in fund movements. Financial institutions are not only expected to enhance their anti-bribery and anti-corruption controls at the governance and policy level, but also to increase resources in people and technology in the operational control process.

PERSPECTIVES

LENIENCY AGREEMENTS IN BRAZIL
BY ANDRE FONSECA
> KLA KOURY LOPES ADVOGADOS

The Brazilian Anticorruption Law (BAC), among other provisions, states that the relevant authorities may enter into agreements (leniency agreements) with legal entities which have practised illicit acts and have effectively cooperated with the investigations and with the administrative proceedings.

In sum, a leniency agreement may be entered into by the investigated legal entity and the Office of the Comptroller-General (CGU) so long as the cooperation results in the identification of other individuals or legal entities involved in the illicit conduct, and in the receipt by the authorities of information and documents proving that the harmful act was committed.

Moreover, the legal entity must also express an interest in collaborating with the investigation of the harmful act, completely cease its involvement in the practice investigated as of the date of submission of the proposed agreement, admit its participation in the illicit act and, finally, cooperate fully and on a permanent basis with the investigation.

The CGU has the authority to execute leniency agreements within the scope of the Federal Executive Branch and in cases where harmful acts are committed against a foreign public administration.

The proposal has to be made up to the end of the administrative proceeding. It is kept confidential and access to its contents must be restricted, with the exception of disclosure or sharing through the express authorisation of the proponent and the consent of the CGU.

Rejection of the proposed leniency agreement cannot result in recognition of the practice of the harmful act under investigation, in respect of which no disclosures may be made. The proposing legal entity may withdraw the proposed leniency agreement at any time prior to signing. If the agreement is not executed, the documents submitted will be returned to the proposing legal entity and such documents may not be used for purposes of assigning liability.

Upon completion, the leniency agreement may result in the waiver of extraordinary publication of the administrative sanction decision, a reduction of penalties by up to two-thirds of the applicable fine, and a possible exemption from the prohibition on receiving incentives, subsidies, grants, donations or loans from public agencies or bodies and from public financial institutions or those controlled by the government.

It is also worth mentioning that the effects of the leniency agreement will be extended to legal entities which are part of the same economic group, as long as these other legal entities also take part in the agreement.

In view of such provisions, leniency agreements received some criticism from legal professionals, specifically because they did not include the participation of the District Attorney's (DA) office and did not provide for any immunity from prosecution under other related laws (of a civil, administrative or criminal nature).

For instance, individuals that are duly identified as allegedly liable for the harmful acts and are legal representatives and/or employees of the company which signs the agreement might still be subject to criminal prosecution after the legal entity has admitted committing the illicit acts. The company itself might also be held liable under the similar provisions of the Improbity Law and receive penalties such as debarment.

This situation led criminal experts not to recommend the adoption of such agreements, since they might backfire against the legal entity directly or through the individuals that represent it.

Federal District Attorney Deltan Dallagnol, the prosecutor behind Brazil's Petrobras investigation, also commented on the matter, noting: "Besides that, even if they are lucky and reach a good agreement, all the evidence they give to CGU, internal information, emails, papers regarding the crime, we can get that information, that evidence, and we can use it for criminal purposes against executives and for civil purposes against the company. So they will have no guarantee that they will be protected in both areas."

Because of all that, Brazilian legislators have proposed an amendment to the BAC, which was approved by the Senate and is currently to be voted on by the House of Representatives. It adds paragraph 11 to article 16 of the law and sets forth that the execution of the leniency agreement will be conditional on review by the DA's Office, which will take into account the legality, morality, reasonableness and proportionality of its content.

It seems, however, that the proposed amendment as it stands will fail to reach its goal because it does not tackle some pending grey areas. It is true that the wording of the Bill refers to the DA's Office participating in the leniency agreement process. It is essential, however, that this provision goes beyond putting an end to an alleged political battle for power between the CGU and the DAs over leading the prosecution of anti-corruption cases.

If these issues are not addressed, there is still room for discussion and legal insecurity if you take into account that, on one hand, the Improbity Law expressly forbids any transaction or settlement in connection with a civil lawsuit and, on the other hand, the DA's Office has a duty to criminally prosecute individuals for acts of corruption.

Most importantly, to ensure the participation of the DA's office in the settlement, the provisions should expressly provide for the guarantees to which a legal entity or an individual would be entitled, should they decide to execute a settlement having met its requirements. In order to comply with this need to protect defendants' rights, the potential benefits that might be obtained, such as immunity from criminal prosecution or reduced penalties for individuals, and an exemption from other civil or administrative measures that might be taken against legal entities for related matters, like the ones set forth in the Improbity Law, should be specifically mentioned.

In view of the above, in addition to solely granting the DA's Office the opportunity to participate and have a strong voice in a leniency agreement, the amendment should provide the means and legal tools to allow the DA's Office to make leniency agreements an efficient instrument for protecting individuals and companies who effectively collaborate with the authorities, and not merely a peace offering in a clash of egos. Only then will legality, morality, reasonableness and proportionality be met, in accordance with the Rule of Law.

Andre Fonseca
Partner
KLA Koury Lopes Advogados
T: +55 11 3799 8107
E: andregif@klalaw.com.br

PERSPECTIVES

HOW TO LOSE FRIENDS AND ALIENATE CLIENTS IN E-DISCLOSURE
BY SAIDA JOSEPH
> EPIQ SYSTEMS

Warren Buffett, the sage of Omaha and one of the most successful men in the world, points to one of the first self-help books, How to Win Friends and Influence People, as a major influence in his life. First published in the 1930s, Dale Carnegie's book lists 30 behavioural guidelines on how to be a likeable, persuasive and influential leader in business. Successful leadership comes down to practising empathy, and the e-disclosure sector is no exception. The high-pressure world of e-disclosure is fraught with technological hurdles, legal shifts and turns, and multiple, complex work streams, all under tight deadlines; such a rocky environment can easily give way to strained relationships.

That's why putting clients at ease is paramount. Just as How to Win Friends and Influence People lists key behaviours for how to be successful in life and business, there are a number of behaviours that will not lead to success in e-disclosure, as outlined below.

Failure to ask "What are you trying to achieve?" This question should be asked early and often. The first interaction between the e-disclosure provider and the client should be scoping out the needs and requirements of the matter, and asking the client, "What are you trying to achieve?" This question should then be repeated at regular intervals as matters rapidly move and change. What may be appropriate at the beginning of the process may change as claims are struck out or as certain custodians become less or more important. Have regular check-ins with the client to discuss achievement objectives and then adjust your approach accordingly.

Failure to discuss the production at the beginning. Far too often the ultimate goal of the exercise is lost. Is the collection, processing and review of data aimed at finding relevant documents for disclosure to opponents and the court? Or is the information to be produced to a regulator? Is the production for internal investigative purposes? What form will the production take? What time constraints are the clients working under? The way in which documents are collected can be altered by the production specifications; the way in which documents are reviewed, including the coding decisions and the overarching workflow, can be altered according to the production requirements. It is essential to discuss the production at the beginning of the process and then work backwards from there.

Failure to recommend technology. Existing and new technology can save clients a lot of time and money, so it is important to recommend relevant technologies when appropriate. Near-duplicate document identification and email threading are just two examples of technologies that can make a review of data more efficient, cost effective and consistent. New tools are always being developed, and e-disclosure providers should communicate the latest technological advances to their clients and identify where they would be useful.

Using language that is too technical. Some savvy technologists may have a tendency to use an excess of technical jargon when emailing or speaking to clients. But the whole reason the client has engaged an expert partner is because they're not experts themselves. Too much technical verbiage will only further complicate matters. Keep the language simple and easy to understand.

Lack of responsiveness. Legal projects change constantly as new issues come to light, opponents or courts make new requests and the focus of the team may change. Clients are often working under extremely tight deadlines. Even if the response is only, "I have received your email/request/query and I will be able to respond within the hour", this goes a long way in building trust with the client. Offering timeframes for when clients can expect responses is also integral to good communication.

Failure to prepare written agendas for meetings. Far too often, meetings are scheduled with little thought as to the purpose of the meeting, what material will be covered and in what order topics will be discussed. Time is of the essence for most clients, and it needs to be used efficiently. Written agendas will enable all parties to be prepared for the meeting, thus using the available time most effectively.

Failure to document phone calls. Failure to document calls can lead to confusion and mistakes during the course of the project, so it is essential that all calls with clients, no matter how brief, are logged and that instructions are noted and followed. Similarly, any guidance given by the e-disclosure provider should also be documented. It's imperative that all team members understand every aspect of the project, even down to verbal instructions given to one team member.

Over-promising and under-delivering. In order to build a successful partnership, honesty is key. E-disclosure partners should be honest about what's feasible and work with their clients to set firm deadlines. It is important to be truthful about how long each element may take in the process, whether that's machine time, human quality control time or multiple demands on resources and infrastructure. In order to establish an efficient working process and build a successful partnership, completion timelines should be realistic.

Providing numbers which need further analysis. E-disclosure exercises are fast-moving and subject to sudden change. Along with using simple language, tabulating numbers for the client and explaining what they mean goes a long way in building successful communication with your clients.

The secret to success in e-disclosure. Success in e-disclosure comes down to people following good communication practices, asking the right questions and following simple rules for honesty and transparency. By applying the lessons of How to Win Friends and Influence People, it is important to put yourself in your clients' shoes and treat them the way you would like to be treated. A little empathy can go a long way in ensuring a smoother e-disclosure experience.

Saida Joseph
Senior Director
Epiq Systems
E: sjoseph@epiqsystems.co.uk

PERSPECTIVES

FATCA: THE CHALLENGES OF COMPLYING AND THE HARBINGER OF THE COMMON REPORTING STANDARD
BY TROY THIBODEAU
> SOVOS COMPLIANCE

As FATCA's global implementation ramps up, it has encountered its fair share of ups and downs along the way. For instance, the IRS recently announced that it has had successful exchanges of information while concurrently announcing a one-year extension to the 30 September 2015 reporting due date, much to the relief of countries with significant global operations and reporting obligations. Almost simultaneously, the IRS also entered into its first Competent Authority Arrangements (CAAs) with eight countries, a number that is likely to grow throughout the next year. It is worth noting there could be a connection between the timing of the exchanges and the successful execution of these CAAs, but only time will tell as FATCA continues to grow in reach and reporting requirements.

What can be said with certainty is that what happens in the coming year will not only help fill in the blanks on where and how the exchanges are to happen, but also complete the process of executing FATCA on a worldwide scale.

IRS reaches competent authority arrangements with eight countries

On 24 September 2015, the US entered into its first CAAs with Australia and the United Kingdom. Similar agreements were subsequently put in place with the Czech Republic, India, Hungary, Liechtenstein, the Republic of Mauritius and New Zealand. These agreements give effect to the mutual promise laid out in the Model IGA to establish an agreed-upon framework for each nation's competent authority to exchange information with the other. In particular, these arrangements articulate the necessary rules and procedures for each country to fully administer the automatic exchange obligations for reportable information. At first glance, the impact of these arrangements might seem small to businesses gearing up for FATCA. For instance, for many it is likely not significant to know the exact steps that the Republic of Mauritius needs to take should it decide to report in a non-Latin domestic alphabet. However, what these arrangements actually signify is that the US and its partner jurisdictions are slowly making progress towards completely fulfilling FATCA's obligations. While it may not be worthwhile to go over the minutiae of every detail, since it is unlikely to affect internal operations in any major way, the mere fact that the CAAs are being put in place spotlights the fact that some countries are closer to exchanging information with the US than others.

US extends some FATCA deadlines to begin exchanging information

That being said, 30 September 2015 was supposed to be a monumental day for the implementation of FATCA because it was the first time that partner jurisdictions were required to provide the information about reportable accounts that they had obtained from their Foreign Financial Institutions (FFIs). However, the IRS recognised that many of these partner jurisdictions were still behind in the process of getting various FATCA requirements in place and were not going to be able to meet this 30 September deadline.

This left open the possibility of FFIs in those jurisdictions being subject to the 30 percent withholding even though they had done their part and reported on time, because these deadline extensions were only made for countries, not for the FFIs that were still required to report to local tax authorities on time.

In response, the IRS issued Notice 2015-66, providing relief for FFIs in partner jurisdictions whose IGA had not yet taken effect by granting them a one-year extension, so long as the partner jurisdiction not only demonstrates a resolve to bring the IGA into force, but also to exchange this year's information next year. FFIs in countries where the IGA is in effect will also be treated as compliant as long as the partner jurisdiction makes a similar assurance. However, for them, there is no full calendar year extension.

Once again, it is worth remembering that the extension has no effect on an FFI's deadline to report information to its own jurisdiction. Several partner jurisdictions have already announced a delay of FATCA reporting for 2015.

Countries begin sending some FATCA information to the IRS

However, on 2 October 2015, the IRS announced that it had actually exchanged financial information with, in its own words, "certain foreign tax administrations". These reciprocal exchanges have only been with Model 1A countries so far.

While the announcement is a welcome sign that the FATCA implementation is moving forward, one question that presents itself is: with whom is the IRS sharing this information it has collected? In its same announcement, the IRS stated that it will only engage in information exchanges with those foreign jurisdictions that have met the IRS's stringent safeguard, privacy and technical standards. Presumably, those countries are some of the 34 countries that the IRS has deemed appropriate to exchange information with (see IRS Rev. Proc. 2015-50). However, currently only eight of those countries, mentioned above, have a Competent Authority Arrangement, which may or may not be necessary based on that country's IGA, and six of those eight CAAs were posted on the IRS's website after the announcement on 2 October. Nonetheless, this may not be relevant because Australia announced that it had exchanged information on 23 September, a day before it was announced that Australia had signed a CAA with the United States.

Either way, what is clear is that the IRS has begun sending and receiving information with certain jurisdictions around the original 30 September deadline. This is quite a milestone, even if there is more work needed with the remaining partner countries. Over the coming year, in order to get ready for the second 30 September 2016 deadline, the IRS will likely take what has worked recently and apply that across the board to get the other remaining jurisdictions up to speed and compliant, so they can meet the next deadline to collect information on reportable accounts and send this information to the IRS on time.

FATCA complications foreshadow potential CRS challenges

The problems with forcing FATCA along also highlight just how much more complex the Common Reporting Standard (CRS) implementation will be when this larger reporting regime takes effect starting in 2017. With over 90 jurisdictions reporting to one another and each one enacting its own rules and reporting requirements, FFIs will be swamped with CRS reporting obligations the likes of which they have never seen before, beside which what is required under FATCA and CDOT pales in comparison.

Moreover, even though many jurisdictions have signed on to participate in both FATCA and CRS, the US has stated that at this point it has no plans to join CRS. This means that processes FFIs have put in place for FATCA may not be usable for CRS, and other extensive operational and reporting changes will need to be made to be compliant with CRS and report accurately.

One thing remains certain though: global reporting has started, it will definitely expand in scope and complexity, and it is here to stay.

Troy Thibodeau
Chief Marketing Officer
Sovos Compliance
T: +1 (763) 235 5765
E: tthibodeau@convey.com

PERSPECTIVES

PERSPECTIVES

IRS O N T H E H O R I Z O N :
PARTN E R S H I P A U D I T
R EFOR M I N TH E U N I T E D
STATE S
BY KATHLEEN SAUNDERS GREGOR AND BRITTANY CVETANOVICH
> ROPES & GRAY LLP

n recent years, the number of large businesses

(both Democrat and Republican) have proposed

organising partnerships has increased

legislation to reduce or eliminate such impediments.

dramatically and Congress and others have

On 2 November, president Obama signed the

expressed concern about the IRSs ability to

Bipartisan Budget Act of 2015 (BBA) into law,

effectively audit these often complex organisations.

effecting sweeping changes to the rules governing

In testimony before the Senate Permanent

audits of entities treated as partnerships for US

Subcommittee on Investigations, the GAO identied

federal income tax purposes. The new rules are

administrative challenges and associated costs of

expected to increase partnership audit rates by

conducting partnership audits as a reason the IRS

simplifying how the IRS conducts audits and collects

audits relatively few partnerships with assets in

tax. Most notably, this includes imposing, by default,

excess of $100m. In response to such concerns, the

an entity-level tax on the audited partnership.

Obama administration and members of Congress


158 RISK & COMPLIANCE Jan-Mar 2016

www.riskandcompliancemagazine.com

IRS ON THE HORIZON: PARTNERSHIP AUDIT REFORM IN THE...

Although the legislation provides an overall

PERSPECTIVES

proceedings, permitting partners to opt out of the

framework for partnership audits, it leaves many

partnerships settlements with the IRS and allowing

questions in this complex area unanswered,

partners to participate in judicial proceedings.

including how the new rules may apply to non-US

Effective for tax years beginning after 31

partners and partnerships. And while


the legislation directs the US Treasury
to iron out critical details in regulations,
there is no specic deadline for the
delivery of such additional guidance
making it unclear whether (or when)
clarifying guidance will follow.

It is the partnerships primary


responsibility to ensure that tax, interest
and penalties are paid.

The problems with existing


partnership audit rules
Under existing US rules, partnerships
could be subject to any of three
different audit regimes, depending largely on the

December 2017, the BBA repeals the TEFRA rules (as

number and structure of their partners. The most

well as another regime for certain large partnerships)

common set of provisions, the TEFRA rules, require

and creates a new audit regime applicable to all

partnership-level proceedings, followed by the IRS

partnerships. Under the new rules, any adjustment

passing audit adjustments through to each (direct

to items of partnership income, gain, loss, deduction

or indirect) taxable partner through a complicated

or credit, and any partners distributive share thereof,

computational adjustment process. Particularly

is determined at the partnership level. In addition,

in the case of tiered partnership structures where

the new rules give partnerships some exibility

partnership adjustments often spread across

in determining how (and against whom) audit

hundreds or thousands of partners, IRS resources

adjustment-related tax is calculated and ultimately

expended in collection efforts could theoretically

assessed, but with the common thread that it is the

exceed the tax to be collected. Other cumbersome

partnerships primary responsibility to ensure that

rules add to the complexity of (and time necessary

tax, interest and penalties are paid.

for) performing and completing partnership audits,


such as requiring notice to many partners of
www.riskandcompliancemagazine.com

RISK & COMPLIANCE Jan-Mar 2016 159

IRS ON THE HORIZON: PARTNERSHIP AUDIT REFORM IN THE...

Highlights of the new regime:


partnerships new role in tax collection
Congress addresses issues related to the

PERSPECTIVES

in the year that an audit (or any judicial review) is


completed. The partnership is also directly liable for
any related penalties and interest. The default rule is

collection of partnership audit adjustments in the

likely to lead to more tax owed than the aggregate

BBA by requiring an audited partnership to pay tax

tax the partners would otherwise pay. This is

(at potentially inated rates) or to effectively assist

particularly the case where an adjustment is a mere

in the collection effort by calculating which of their

reallocation of income: the imputed underpayment

partners is required to pay the resulting tax.

takes into account increases, but not decreases, in

Default rule: partnership pays tax at maximum


statutory rate. As a default, the imputed

allocable share.
Alternative 1: partnership demonstrates reductions

underpayment the tax deciency arising from

in imputed underpayment. The legislation directs the

a partnership-level adjustment with respect to an

Treasury to establish procedures pursuant to which

audited partnership tax year is calculated using

a partnerships imputed underpayment may be

the maximum statutory income tax rate and is

reduced if its partners voluntarily le amended tax

assessed against and collected from the partnership

returns (and pay any tax due) for the audited year

160 RISK & COMPLIANCE Jan-Mar 2016

www.riskandcompliancemagazine.com

IRS ON THE HORIZON: PARTNERSHIP AUDIT REFORM IN THE...

PERSPECTIVES

or if the partnership demonstrates that adjustments

in technical corrections by Congress, or perhaps

would be taxed at lower rates (or not at all) in the

by regulations. But the uncertainty may keep

hands of its partners. For example, the imputed

partnerships from committing to select this option.

underpayment may be reduced by the portion of

Notably, changes in partner interests between

an adjustment allocable to a non-US investor not

the audited year and a subsequent adjustment,

subject to US tax, a US tax-exempt investor, or a

or changes in particular partners tax proles,

corporation (taxed at lower rates), or the portion

could cause signicant variations in each of these

allocable to individuals as capital gain (also taxed

methods.

at lower rates). Unfortunately, in the absence of


regulations, the requirements for obtaining any such
reduction is unclear.

Procedural changes: simplication of the


IRSs task but at expense of partners?

Alternative 2: partnership elects to shift liability

Although the BBA reduces some procedural

back to partners. Partnership-level assessment may

impediments to partnership audits faced by the

be avoided altogether if a partnership elects to issue

IRS, from a partners perspective these xes

a statement to each audited-year partner showing

can be seen as giving partnerships signicant

that partners allocable share of adjustments.

power and autonomy to resolve audits and court

Each partner would then take any adjustment into

proceedings without the partners participation or

account on the return for the year the statement is

even awareness. For example, under the TEFRA

received (not the return for the audited year), and

rules, the IRS is largely responsible for identifying

would pay penalties and interest directly. Because

a qualied partnership representative (the tax

the tax would be based on the tax rates applicable

matters partner) at the outset of a partnership

to their own situation, the tax may be lower overall. However, under this alternative, interest is calculated at an increased rate (2 percent higher than the normal rate). While this option could be the simplest way to reduce the total amount of tax paid, it may come at a cost: the rules now are unclear whether choosing this option effectively forecloses the partnership from challenging the audit results in court. This is, one hopes, an oversight, and may be handled

audit, but in practice doing so could be both difficult and time consuming. In response, under the BBA a partnership must designate a person to serve as partnership representative, but in any case where such designation is not in effect, the IRS may simply appoint one. Notably, however, a partnership representative is not required to be a partner, has sole authority to act on behalf of the partnership in an audit proceeding, and binds both the partnership and the partners with its actions in the audit, all giving the partnership more flexibility and control over audit proceedings than under prior law. Similarly, the BBA relieves the IRS of the potentially costly and time-consuming tasks of identifying a partnership's direct and indirect (e.g., through multiple tiers of partnerships) taxable partners for purposes of passing through partnership adjustments, providing notice of partnership proceedings to partners, or calculating each partner's share of adjustments. But from a partner's perspective, these changes may leave partners unaware of partnership audit proceedings or adjustments, eliminate rights to participate in partnership audits or related judicial proceedings and standing to bring a judicial action if the partnership representative does not challenge an assessment.

What to do while we wait for clarification?

The BBA's broad sweep and uncertain scope can be expected to result in changes to the governing documents of both new and existing partnership arrangements, even prior to the effective date of the new law. These changes are expected to include negotiation over which regime the partnership will select for handling audit adjustments (or notice and consent rights to partners before a partnership makes a selection), how the burden of any partnership-level tax should be shared and the extent to which partners will provide information needed to reduce or eliminate any partnership-level tax liability. Some partners may seek to replicate current-law rights that will be lost under the new rules through contractual protections. In addition, acquisitive transactions involving partnerships will require particular attention to indemnification provisions, as well as contractual provisions addressing cooperation on tax matters.

Thanks to the delayed effective date (the BBA's new partnership audit regime applies for partnership taxable years beginning after 31 December 2017), partners, partnership sponsors and other interested parties are afforded much needed time to consider the potential impact of the new rules on new and existing partnerships and partnership agreements.

Kathleen (Kat) Saunders Gregor
Partner
Ropes & Gray, LLP
T: +1 (617) 951 7064
E: kathleen.gregor@ropesgray.com

Brittany Cvetanovich
Associate
Ropes & Gray, LLP
T: +1 (312) 845 1211
E: brittany.cvetanovich@ropesgray.com


PERSPECTIVES

TOP WORLDWIDE BANKS FAIL TO DELIVER A WORLD CLASS MOBILE EXPERIENCE
BY TODD DECAPUA > HEWLETT PACKARD ENTERPRISE

We live in a day and age where, needless to say, the mobile device has completely transformed the way we live our life. From interacting with one another, to interacting with our favorite celebrity or retailer, our mobile devices are our first choice. So, when it came to doing an analysis of the web performance of the conglomerates out there, we chose to analyse the institutions that are the keepers of all that makes the world go round: banks.

Surprisingly, the majority of banks we studied failed to deliver a satisfactory mobile experience to their customers. The recent study included the top 300 banking websites when accessed via mobile and revealed that more than half performed horribly when viewed in real world mobile conditions, often failing to load in three seconds, many taking even longer or simply failing altogether.

In the modern context mobile and online access is incredibly important for banks. In a recent security scan of more than 2000 mobile applications, more than 600 companies were exposed to the most common vulnerabilities. Performance of applications can be improved by at least 40 percent by following 23 known front-end application optimisation rules. The importance of a bank's mobile app cannot be understated; nearly half of mobile users (48 percent) are less likely to use your app again if it does not perform well.
Banks and traditional financial institutions are also facing disruption and competition from many non-traditional sources. Consider how retailers, as well as search and consumer product companies, are all entering into the market. Apple Pay, Google Wallet and Amazon all have the potential to disrupt traditional financial services. The reality is that traditional financial institutions must now compete on many different fronts. This is where delivering a compelling and engaging mobile user experience has the potential to be a differentiator. To keep your customers and win new customers, user experience must be world class.

In this competitive landscape, banks must be aware of how they are performing. They must also be cognisant of the sort of experience they are delivering to their users. Ignorance is not bliss. The difference between winning and losing today is often defined by milliseconds. Your end users have incredible expectations, and they are the ones picking winners and losers. Whether the business driver is operating efficiencies, double-digit annual growth rates, or innovation of products and capabilities for end-users, you need to know how you perform.

Since June 2015, we have conducted several digital research projects into the state of web and mobile performance and can share a few of our key findings related to the top 300 worldwide banks. First, we evaluated overall web and mobile performance and assigned a letter grade (A-F) for performance. The majority of institutions (105 or 35 percent) scored a D with a transaction response time of 11.92 seconds on an average 3G good network connection. If we assume that banks would target a response time of less than three seconds, then only a handful of institutions were successful. In fact, with an average response time of over eight seconds many banks are failing their users. Our research evaluated 23 different web and mobile performance rules, such as page size. In our study, the best sites were 80 percent smaller and more efficient. This had a huge impact on their performance, especially on mobile devices.

Many studies have shown the direct correlation of transaction response time to several factors impacting shareholder value, such as bounce rate, conversion rate, cart size and page views.

Every organisation measures and reports on results delivered from their products and services differently, so knowing what is most important to you and your end users is a good starting point, enabling you to manage results delivered to all stakeholders.

Todd DeCapua
Chief Technology Evangelist
Hewlett Packard Enterprise
T: +1 (302) 384 3553
E: td@hpe.com

HOT TOPIC

SHAREHOLDER ACTIVISM IN THE US BANKING INDUSTRY

Tim Main
Senior Managing Director
Evercore
T: +1 (212) 849 3520
E: tim.main@evercore.com

Jason Frankl
Senior Managing Director
FTI Consulting
T: +1 (202) 312 9216
E: jason.frankl@fticonsulting.com

Arthur B. Crozier
Chairman
Innisfree M&A Incorporated
T: +1 (212) 750 5837
E: acrozier@innisfreema.com


Tim Main is a senior managing director in Evercore's corporate advisory business, focused on banking and specialty finance institutions. Prior to joining Evercore in 2011, Mr Main spent 23 years at JPMorgan Chase and was most recently Head of North American FIG and Co-Head of Global FIG. Prior to running FIG, he ran JPMorgan's Equity Capital Markets group. At Evercore, Mr Main has worked on several significant advisory assignments in the depository/specialty finance sector, including advising M&T on the acquisition of Hudson City and multiple transactions by Ally Financial.

Jason Frankl is a senior managing director and leads FTI Consulting's Activism and M&A Solutions practice. His practice includes working with companies that are the subject of shareholder activism and/or hostile M&A activity where he develops and implements strategies that are designed to maximise shareholder value. Most recently, Mr Frankl and his colleagues supported Allergan in its successful defence involving Pershing Square and Valeant Pharmaceuticals, and Perrigo in its successful defence involving Mylan's hostile takeover bid. Prior to joining FTI Consulting in 2004, Mr Frankl was counsel to the NASDAQ Stock Market where he drafted and interpreted NASDAQ's modern corporate governance rules, among other things.

Arthur B. Crozier is chairman of Innisfree M&A Incorporated of New York and of Lake Isle M&A Incorporated, Innisfree's wholly-owned UK subsidiary. Mr Crozier's practice includes the representation of US and international clients in a wide variety of transactions and proxy contests, as well as annual and special meetings. In addition, he counsels an international roster of clients on corporate governance and executive compensation issues. Mr Crozier has written numerous articles and spoken extensively on the subjects of corporate governance, executive compensation, proxy contests, hedge fund activism and international voting practices.

David C. Ingles
Partner
Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates
T: +1 (212) 735 2697
E: david.ingles@skadden.com

David C. Ingles serves as co-head of Skadden's Financial Institutions Group. Mr Ingles has a diverse corporate practice representing clients on mergers, acquisitions and divestitures, corporate finance transactions and general corporate matters involving financial institutions. He has advised public and private financial institutions in negotiated and contested mergers and acquisitions, proxy contests, joint ventures, spin-offs, equity and debt offerings, and other complex corporate transactions. Mr Ingles also regularly advises private equity firms and others seeking to invest in financial institutions.


R&C: Could you provide an overview of shareholder activism in the US banking industry? What overarching trends have you seen in this space during the last 12-18 months?

Main: Historically, activist activity in the US banking industry has been relatively light compared to other industries. The industry is heavily regulated and highly complex operationally, limiting the potential methods for an activist to create shareholder value. Traditionally, activity was concentrated in a few dedicated funds which agitated for the sale of smaller banks to generate outsized returns via M&A vs. operational enhancements or capital restructuring. As US banks remain mired in a challenging operating environment, characterised by low interest rates, fierce competition and heightened regulatory costs, there has been a strong return of bank M&A among the smaller institutions and with it, an increase in activist activity targeting underperforming, many times sub-scale banks. Additionally, in the new 'too big to fail' environment of higher capital requirements and increased regulatory costs for larger institutions, there have been select opportunities to target larger banks that could enhance profitability by divesting underperforming or capital intensive subsidiaries, or reducing the size of certain business lines such as investment banking to return capital to shareholders.

Crozier: There has been an increase in activity at banks generally in the last 12 to 18 months. There are a number of activists that have long targeted smaller banks and they have been picking up their efforts generally, as well as targeting larger banks, such as Webster Financial, which has a market cap of $3.4bn. We believe the pick-up in activity is largely attributable to the expected wave of consolidation in the sector. Larger banks are not immune from activist pressure. Trian Partners targeted Bank of New York Mellon and succeeded in gaining a seat on the board. The presence of a Trian director, however, did not prevent another activist, Marcato Capital, from launching an activist campaign at the bank. Responding to a different form of investor activism, Bank of America decided to submit its recent decision to recombine the offices of chairman and CEO to a shareholder vote due to shareholder dissatisfaction that the change was not included on the agenda at the 2015 Annual Meeting of Stockholders. In a related sector, activism has escalated dramatically at business development companies due to lagging stock price performance and allegations of excessive fees.

Frankl: We have noticed a definite increase in the number of activist campaigns targeting US financial institutions, which includes US banks. Due to increased regulatory burdens, smaller banks have become more attractive to activists pushing a 'sell the company' agenda. Since 2014, there have been significantly more campaigns targeted against banks with less than $1bn in market cap in the financial sector than their large cap counterparts. A vast majority of these new campaigns have related to closed end funds, BDCs and smaller banks, although large banks have not been sheltered completely. Trian settled for a board seat at Bank of New York Mellon in late 2014. Months later, in early 2015, another activist targeted BNY Mellon, calling for a change in CEO. Both BNY Mellon and Citi Group were also subjected to successful proxy access campaigns in 2015, as well as Bank of America which prevailed in a bid to separate the chairman and CEO roles.

Ingles: Shareholder activism in the banking industry has become the subject of widespread media coverage and is increasingly becoming a focus of bank management and boards of directors. Much of the activist activity that we have seen in the industry has involved a handful of investment funds focused on opportunities in the sector and that are dedicated exclusively or primarily to investments in the banking industry. From time to time we also have seen situations involving more high-profile activist investors, such as Nelson Peltz, who now has a representative on the board of Bank of New York Mellon. While the number of observable instances of activism in the industry likely is not sufficiently large to reach many meaningful conclusions about observable trends, we believe activism generally is on the rise in the industry and will continue to be, and we believe activist shareholders have had and will continue to have increasing success in agitating target banks for a sale as the market for bank mergers and acquisitions continues to become more robust.

R&C: How does shareholder activism in the banking sector compare to activity in other sectors? Have you seen a definite increase in activism targeting financial institutions and if so, why?

Frankl: Due to the highly regulated nature of the banking industry, the opportunity for activist activity is narrower than in other industries. Some generalist funds have agitated for a variety of economic changes including the spinning-off or sale of underperforming business lines or increased dividends, most of which are not specific to the banking industry at all. Most of the small to mid-size banks that activists target have fairly straightforward balance sheets as compared to larger banks, making it less likely that an activist would push for more classic economic activism outside of calling for a sale of the bank. This leaves corporate governance activism or proxy access campaigns as the most common type of activism in that realm of the banking industry. Lastly, we are seeing increased activist activity in less regulated financial institutions such as BDCs and closed end funds, as well as REITs.

Main: The banking sector is distinct from other industries in a variety of ways but the most relevant factors impacting the level of activism are that the sector is heavily regulated with myriad safety and soundness and capital requirements. As a result, capital returns, operational risks and balance sheet flexibility face substantial regulatory scrutiny, and control investments representing greater than 10 percent ownership are subject to regulatory approval. Additionally, the business model is highly complex, limiting opportunities for easier wins from operational and capital structure improvements. For these reasons, most bank activists have pushed for a sale vs. targeting other value enhancing strategies they might in another industry. Since bank M&A in recent years has been concentrated with smaller banks, where buyers are more abundant and regulatory scrutiny less stringent, so has activist activity in the sector. There has been a distinct increase in activism as remaining independent becomes more challenging for sub-scale institutions. With revenue under pressure and costs increasing, one of the only ways to earn appropriate returns is to spread increased costs over a larger asset base, driving consolidation.

Ingles: Our view has been that activist investors generally have fewer options in their playbook when targeting a bank than when targeting companies in other industries, due to the relative simplicity of the business model of most community and regional banking institutions as well as the industry's complex regulatory framework, which affects both the operational and financial flexibility of the bank itself as well as the degree to which one or more investors are legally permitted to take actions that affect control of a banking institution. These factors limit the opportunities available to the activist to propose many of the value-enhancing transactions or initiatives that it might seek to implement in the ordinary course, such as splitting up the company or disposing of non-core businesses, utilising excess capital more profitably, or returning it to shareholders, effecting a leveraged recapitalisation, or even in some cases reducing the company's expense base. However, despite these limitations, we do believe we are seeing more instances of shareholder activism in the banking industry recently, and we believe the major reason for this is that the main end-game of activism in the banking industry (agitating for a sale of the institution) has become more viable.

Crozier: As a general matter, activism in the banking sector has been subdued compared to that witnessed in other sectors. This is thanks, in large part, to the layers of regulation on a state and federal level that can significantly hamper an activist's ability to achieve a board seat, the essential objective for an activist seeking real change at a bank. In addition, the usual activist playbook in other sectors, such as breaking up the company, or undertaking large buy-backs or dividend programmes, aren't applicable to small and mid-sized banks. Consequently, even if an activist's publicly expressed agenda is to cut expenses, improve efficiency or other operational objectives, the real goal is usually to seek the sale of the bank at a premium, since that is the only way to make a meaningful profit on their investment in a short-term investment horizon. The expected wave of consolidation in the sector to increase scale due to Dodd-Frank and increased regulation generally is likely driving the increase in activism. For example, activist investors Basswood and PL Capital pressured Metro Bancorp to sell to FNB last summer.

R&C: Have any particular activist campaigns in the US banking arena caught your eye? What lessons can we draw from their outcome?

Crozier: The Bank of New York Mellon and Bank of America experiences demonstrate that no bank is immune due to size or complexity and that banks are vulnerable on a variety of fronts. At Bank of New York Mellon, the agreement to seat a director from one of the most prominent activist investors, Trian Partners led by Nelson Peltz, did not prevent another activist, Marcato Capital Management led by Mick McGuire, a former lieutenant of Bill Ackman at Pershing Square, from also targeting the bank subsequent to the settlement with Trian. At Bank of America, the level of discontent by shareholders because they were not given the opportunity to vote on the combination of the chairman and CEO roles demonstrates the increasing shift to a shareholder-centric model of corporate governance in which institutional shareholders zealously guard their perceived prerogatives. This shift is equally applicable to banks as in other sectors. When given the chance to vote on the issue at the September Special Meeting, however, stockholders overwhelmingly approved the change.


Ingles: All activist campaigns are by definition unique in some way, given the different players and facts in any given case, so it is difficult to focus on any one case as emblematic of any characteristics or trends for activism in the banking industry generally. Some recent cases involving relatively larger banking institutions have resulted in publicly-announced sale or merger transactions, with varying degrees of receptivity to those deals in the market. These recent cases point to the increasing viability of a sale or merger proposal as an activist tactic in the banking industry, and they also sound a warning to bank managements and boards across the industry that preparedness for shareholder activism should be a top-of-mind concern for them as they manage their institutions through persistently difficult regulatory, industry and economic conditions.

Main: Basswood Capital Management's activist position in Astoria Financial. Basswood, a well-respected bank investor with a track record of inducing underperforming banks to sell, announced an approximate 9 percent stake in Astoria Financial in early August of 2015. Astoria Financial, a $15bn asset New York City-based bank, was a rumoured sale candidate given its attractive markets and low levels of profitability, but was focused on remaining independent. By late fall of 2015, approximately three months after the announcement of Basswood's stake, Astoria sold to New York Community Bancorp. The speed with which Basswood prompted a sale was particularly interesting, considering Astoria's preference for independence. Basswood achieved similar successes previously, but with substantially smaller banks. This campaign could serve as a bellwether for activism at larger underperforming banks as M&A returns to this market cap spectrum. The Astoria transaction demonstrates these larger institutions may be subject to the same activist playbook formerly reserved for smaller banks.

Frankl: The May 2013 board meeting was an eventful one for JP Morgan. A collection of corporate governance activists suggested the company require an independent director to take the position as chairman of the board, however the activists were ultimately refuted and Jamie Dimon maintained his position as CEO and chairman. Another notable settlement involved Trian attaining a seat on the BNY Mellon board, which appeared to ultimately result in the announcement of a significant stock buyback. This type of activism is far less common than corporate governance activism in the financial sector. The greatest takeaways are that corporate governance activists have done a pretty good job of getting substantial media attention by concentrating their efforts on industries, such as banking, which may suffer from lingering PR issues from the financial crisis.

R&C: If a bank operating in the US finds itself subject to shareholder activism, what general steps should it take to address the issue? What role should the board play in these circumstances?

Ingles: The proper course of action for the bank in any given case will depend on the facts and circumstances of the case, but the best course of action for any institution is to begin preparing today by taking steps that may have the effect of addressing typical activist investor concerns before an activist investor gets involved or takes its case public. But once an activist investor has taken a position in the company's stock and has begun publicly or privately agitating for change within the institution in some manner, the company generally will need to take steps to address this development, including at the board of directors, even if the company ultimately concludes that the best course of action would not be to engage in an active dialogue with the activist or not to implement any of the actions being proposed by the activist. Because the activist agenda generally is to improve shareholder value by implementing one or more suggested proposals, this agenda typically will implicate the company's financial performance, its business model or its strategic direction and consideration of strategic alternatives, all of which are matters for review by and direction from the company's board of directors. Banks that are the subject of an activist campaign generally will want to have a plan in place to review and analyse the proposals being put forth by the activist investor and to respond directly to the activist regarding its proposals, as well as, if the activist campaign is public, to address the activist campaign publicly and with the company's various constituencies.

Frankl: Even with the best shareholder engagement, activist aggression is not always preventable. If private conversations with activists fail to achieve a mutually agreeable result and the activist does initiate a campaign, senior management and the board of directors must immediately assess their options in order to best position the company to convey its message. The board plays a key role in this type of defence, as they must, in essence, show their work to the investment community. In any type of activist campaign, ultimately shareholders are voting on whether change in the boardroom is necessary. It is vital that the investment community understand the reasons behind the decisions made, so they have confidence in the procedures and credibility of the current board and conclude that change is not necessary.

Crozier: As a general matter, banks confronted by an activist need to take the same steps as other companies. Namely, they should track the trading in the stock to determine if other activists are coming in to the stock and forming a 'wolf pack', candidly assess existing shareholders' views to determine the likely outcome of a proxy contest, develop an outreach programme to key investors and influencers to ensure that the bank's strategy to deliver shareholder value is credible and understood, and take appropriate actions that respond to the activist's concerns, without appearing to be defensive and simply reactive. Directors increasingly play an important role, particularly in outreach to index and quantitative investors who do not have in-depth knowledge of the bank. Many of those investors want to be assured that shareholder concerns are taken seriously at the board level. Directors also play an important part in discussion with the proxy advisory firms in the case of a proxy contest. In addition, a bank should also reach out to its regulators as soon as possible to notify them of the activist and its proposals and should seek advice from counsel as to the impact of the regulatory scheme on the activists and its ability to achieve its goals.

Main: In reacting to activism, banks are not unique, and an activist's outreach should not be ignored. The CFO or CEO should return an inbound call, and primarily listen to ascertain the thesis. Thereafter, to adequately prepare for a potential contest or negotiation, the company should identify an internal working team, with a focused leader to synthesise information from the full adviser team and empowered to make decisions. Management should receive regular updates and participate in pivotal decisions, but retain latitude to run the business because driving shareholder returns and operational efficiencies can mitigate most critiques. It's also critical to deliver consistent and effective messaging, including concise articulation of the corporate strategy and crafted to actively rebut criticisms, and maintain regular shareholder dialogue including active managers and corporate governance and proxy voting professionals at passive asset managers. The board should be briefed regularly, often weekly, consulted on key decisions including whether to pursue a settlement and participate in a proxy contest by communicating with shareholders and advisory firms.

R&C: In your opinion, how important is it for banks to prepare detailed contingency plans before they are targeted by activists? What areas of their business do they need to continually assess for potential weaknesses?

Main: It is critical for a bank to continually review its business from the outside looking in and develop a contingency response plan for possible activist agitation. Most boards conduct regular strategic reviews, however they often exclude ideas that are more evident to outsiders. In this regard, boards should proactively and objectively analyse the viability of any alternative relative to the status quo from a shareholder's perspective as a matter of good corporate governance. Doing so places the company in a position of strength. Ideally, no board or management team should be blindsided by a proposal that has not already been internally vetted, even if Regulation FD precludes an initial substantive comment. Often external parties think more creatively and boards should be open to fresh perspectives and not shy away simply to avoid the appearance of weakness; receipt of credit is less important, whereas driving shareholder value is paramount. The typical bank activist campaign attempts to target an institution's financial or market underperformance relative to peers and, as a corollary, suggest the bank should assess strategic alternatives to maximise shareholder value. This tactic is effectively asking the bank to sell for a premium. As such, banks should be consistently conducting a review of their competitive positioning and strategic alternatives, understanding how their operational performance stacks-up versus peers, both currently and in the future, as well as evaluating the M&A landscape to justify whether their independent strategy is a superior proposition for shareholders.

Frankl: It is important for banks, particularly large banks, to understand how voting decisions are made by its institutional investors, including pension funds and unions, especially when it relates to corporate governance issues. Ongoing monitoring of shareholder positions, whether large or small, is critical. This should be accompanied by routine perception audits. It is also important for the board to periodically view the bank, as well as its related financial services businesses, through an activist's eyes. This self-assessment should include a review of all public disclosures and statements made to investors and the media to evaluate consistency and follow-through. The board should also periodically review activist campaigns to better understand the areas being explored by activists at competitors, and whether the bank may have similar vulnerabilities. In cases where vulnerabilities are found, detailed plans should be created to address those vulnerabilities. If that is not possible in the near term, proactive communications plans should be created to enable investors to understand its business purpose. Banks also need to know which activists are targeting their industry. They should not only know the track records of those activists, but also the playbook, governance history and returns generated by those entities where these activists successfully attained a board seat. Considerations should include an assessment of all issues the targets experienced after the activist obtained board representation, particularly in the legal and reputational areas.

Ingles: The best preparedness plan for activism for any banking institution is to develop a strong business model and strategic plan on a standalone basis, before any activist investors surface, so as to ensure that the institution is being managed in

this performance and plan to and building stronger relationships with its significant investors. Doing so can result in the institution already having considered any plan or course of action that may be proposed by an activist if and when one surfaces. Of course, this may include analysing the possibility of a merger or sale as one strategic alternative available to the institution, including the

a way that seeks to maximise its value and returns

value reasonably achievable in such a transaction

to its owners. Companies can be proactive in

and the risks and contingencies associated with

addressing the likely agenda of any activist investor

negotiating, announcing and completing such a

by continually analysing and seeking to improve

transaction. Banks also should have in place a plan

operational performance and share price, by

to more directly anticipate, identify and respond

developing and implementing a long-term strategic

to activist investors when they surface, including

plan, including regularly reviewing and analysing the

a programme to monitor activity in its stock and a

companys strategic alternatives for enhancing value

contingency plan for coordinating a team both within

to shareholders, and by regularly communicating

the institution and among its outside advisers to

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Jan-Mar 2016 177

SHAREHOLDER ACTIVISM IN THE US BANKING INDUSTRY

review any activist proposals and to respond to them

HOT TOPIC

Crozier: An effective shareholder communications

including publicly if appropriate in an effective

programme which demonstrates that the board

manner.

and management team is executing on a well


thought-out, credible strategy to deliver robust

Crozier: To assess and mitigate their vulnerability

shareholder value, even if not on a short-term

to an activist campaign, it is vital for banks to

investment horizon, is critical to deterring an activist

prepare a detailed contingency plan that ideally

in the rst place and to fending off any activist that

starts before the activist appears. Among other

does appear. In the banking industry, transparency

things, the contingency plan needs to


identify the issues an activist is likely
to target and lay out the alternatives to
address those issues to the fullest extent
possible. In any activist situation, the
credibility of the management and board
is key to a successful outcome, so it is
important to ensure that shareholders
feel that the banks leaders are aware of

To assess and mitigate their


vulnerability to an activist campaign, it
is vital for banks to prepare a detailed
contingency plan that ideally starts
before the activist appears.

any issues that impede shareholder value


creation and are taking effective steps to

Arthur B. Crozier,
Innisfree M&A Incorporated

address those issues, even if the ultimate


resolution is long-term. No company can
build that level of credibility if it starts the necessary

is critical for any such strategy to be viewed as

communication and engagement only after a proxy

credible. Similarly, accountability is critical to

contest has begun.

maintaining credibility if the strategy fails in whole or


in part.

R&C: In todays market, where there


is a clear drive toward transparency
and accountability across the nancial
services sector, what is your advice
to banks on maintaining an effective
shareholder communications strategy?
178 RISK & COMPLIANCE Jan-Mar 2016

Ingles: We consistently advise that regular


periodic communication with shareholders regarding
the companys nancial position and outlook and its
strategic direction is a recommended best practice
for public companies in all industries, not just banks.
www.riskandcompliancemagazine.com

SHAREHOLDER ACTIVISM IN THE US BANKING INDUSTRY

HOT TOPIC

Ensuring that the institutions largest investors

that an activist might exploit. The company can

understand the companys nancial condition, its

also create goodwill with its key holders by

business model, its strategic direction and outlook

adopting certain governance or other policies that

and risks involved in managing towards those goals,

can carry favour in a proxy contest should one

and that those investors also have an opportunity

arise. An honest assessment of the companys

to engage in a dialogue with managers about these

performance on several dimensions, including TSR,

matters, can be the best way to address the types of

operating performance and balance sheet relative

concerns that activist investors typically raise if and

to expectations is important to understanding

when they surface.

how the company is perceived and measured by


shareholders. Utilising this information as a basis for

Frankl: Banks need to pay even closer attention


to shareholder engagement and sentiment than

shareholder communications will help to maintain an


effective dialogue with the investment community.

most industries. Fortunately, many banks do an


excellent job of maintaining a great dialogue with
shareholders; however, often more can be done.
Independent feedback through anonymous surveys
to institutions and other large investors is a great
way to receive credible and unltered feedback on

R&C: Looking ahead, do you expect to


see more shareholder activism targeting
the US banking industry? What do you
believe banks need to do in response to
this growing trend?

whether the banks messaging is being received as


intended. This feedback should be presented directly
to the board.

Frankl: Activism targeted towards smaller to


mid-size banks will persist as it has throughout the
recent past. As long as activists can nd weaknesses

Main: Given the level of regulatory scrutiny in

in business operations and strategies, or an opening

the banking sector, transparency and accountability

to push for the sale of a smaller bank, this pattern

have become paramount across the industry.

will continue. To respond to this, these banks and

In this environment, an effective shareholder

nancial institutions need to be diligent in monitoring

engagement strategy that features a consistent

who they speak with at conferences, all participants

message to shareholders and analysts is critical

on investor conference calls and also which activists

to maintaining an open dialogue with investors. By

are active in the industry. Our independent survey of

capturing and responding to investor feedback,

activist investors, done in conjunction with Activist

management teams can potentially avoid blindspots

Insight, has shown that most will begin researching

www.riskandcompliancemagazine.com

RISK & COMPLIANCE Jan-Mar 2016 179

SHAREHOLDER ACTIVISM IN THE US BANKING INDUSTRY

HOT TOPIC

possible targets up to a year before making an

activist can exploit, but banks are by no means off

investment. Furthermore, investors in our survey

limits to an approach.

overwhelmingly believed that assets allocated to


shareholder activism would continue to increase.

Crozier: Now that hedge fund activism is an asset

Concurrently, 86 percent of the funds we surveyed

class, no industry or company can be considered

expect to engage in new capital raising over the next

completely immune from activism. We expect to

12 months in order to put these funds to work and

see increasing activism in the banking industry, in

generate competitive returns for investors.

particular. The prospect of signicant short-term


prots from M&A activity in the sector will be a

Main: Broadly, we continue to see an increase in

powerful lure for activists that have not previously

the ow of funds into the hands of activist investors

been involved in nancial institutions. Banks need to

given this has become an asset class of its own over

be aware that they are vulnerable and identify the

the years. Activist returns have outpaced the MSCI

specic areas of vulnerability. They need to engage

since 2008, which has attracted new investors over

effectively with their shareholders by communicating

the last few years at an approximate 25 percent

a well thought-out, credible strategy to deliver robust

CAGR from 2010 through mid-2015 and is estimated

shareholder value, albeit not necessarily in the short-

at over $130bn in publicly-identiable AUM.

term, and demonstrate that they listen and respond

Specically, the banking sector is highly competitive

to the concerns of their shareholders.

and outsized returns are generally driven through


M&A, particularly in this challenging operating

Ingles: We do believe that we will see increasing

environment where many smaller banks dont earn

incidences of shareholder activism in the sector in

their cost of capital. As such, activism has increased

the future. And we believe banks should seek to pre-

as M&A remains a key investment thesis in both

empt any activity in their own institutions by taking

perceived buyer and perceived seller bank stocks.

the preparatory steps outlined above to address

Banks should prepare for an approach similar to

typical activists concerns before an activist surfaces

companies in other sectors utilising best practices.

and to be best prepared to mobilise to respond to

As a regulated industry, an approach can be more

&
any activist campaign that arises. RC

difcult and tactics are more limited in what an

180 RISK & COMPLIANCE Jan-Mar 2016

www.riskandcompliancemagazine.com

EDITORIAL PARTNERS

EDITORIAL PARTNER
www.accenture.com

Accenture Trading, Investments & Optimization Strategy

Accenture Trading, Investments & Optimization Strategy (ATIOS) is the premier global strategy consulting arm of Accenture Strategy, offering specialist industry knowledge and global breadth to help organisations craft powerful and agile strategies, designed to make the most of today's challenging and dynamic commodity markets. ATIOS covers three critical capability areas: Portfolio Strategy and Transactions, Commodity Trading Strategy and Risk Analytics, and Value Chain Optimisation. ATIOS focuses on sustainable risk and earnings management, built with execution in mind, and accelerated using a proprietary suite of assets and tools. ATIOS is a global group that works across multiple industries and geographies to provide an integrated service to help clients address their most challenging issues.

KEY CONTACTS

Ogan Kose
Global ATIOS Lead
London, UK
T: +44 (0)7795 566 788
E: ogan.kose@accenture.com

Miguel Gonzalez-Torreira
Europe, Middle East and Africa ATIOS Lead
London, UK
T: +44 (0)7855 620 160
E: m.gonzalez-torreira@accenture.com

Rory Skrebowski
Americas ATIOS Lead
London, UK
T: +44 (0)7768 302 370
E: rory.o.skrebowski@accenture.com

EDITORIAL PARTNER
www.bakermckenzie.com

Baker & McKenzie

Baker & McKenzie is continuously ranked as the #1 cross-border M&A firm by deal count. With more than 1600 corporate and securities lawyers in 77 offices globally, we have one of the largest and most active transactional practices in the world and we do more cross-border deals than any other global law firm. Our clients trust the unparalleled experience and on-the-ground insight we bring to cross-border transactions, and value our depth in developed and emerging economies. As a trusted adviser for successful companies doing business globally, we provide ongoing guidance on managing capital, people, products and processes in global markets.

KEY CONTACTS

Amar Budarapu
Partner
Dallas, TX, US
T: +1 (214) 978 3060
E: amar.budarapu@bakermckenzie.com

Roger Bivans
Partner
Dallas, TX, US
T: +1 (214) 978 3095
E: roger.bivans@bakermckenzie.com

Carol Stubblefield
Partner
New York, NY, US
T: +1 (212) 626 4729
E: carol.stubblefield@bakermckenzie.com

EDITORIAL PARTNER
www.caldwellpartners.com

Caldwell Partners

Caldwell Partners is one of the world's premier providers of executive search and has been for more than 40 years. As one of the most trusted advisers in executive search, we have a sterling reputation built on successful searches for board directors, chief and senior executives, and selected functional experts. We have assembled an elite team of partners with hands-on experience and extensive industry knowledge across all major industries at the very highest levels of management and operations. Our search teams are successful in working across a broad range of sectors, from early stage privately funded firms and foundations, to global organisations, institutions and all levels of government.

KEY CONTACTS

Glenn Buggy
Partner
Stamford, CT, US
T: +1 (203) 348 9590
E: gbuggy@caldwellpartners.com

Jodie Emery
Managing Partner
Stamford, CT, US
T: +1 (203) 324 6400
E: jemery@caldwellpartners.com

Peter Reed
Managing Partner
Stamford, CT, US
T: +1 (203) 348 9597
E: preed@caldwellpartners.com

EDITORIAL PARTNER
www.ey.com

EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity.

KEY CONTACTS

Chris Fordham
Managing Partner, Fraud Investigation & Dispute Services, Asia Pacific
Hong Kong, China
T: +852 2846 9008
E: chris.fordham@hk.ey.com

Rob Locke
Oceania Managing Partner, Fraud Investigation & Dispute Services
Sydney, Australia
T: +61 2 8295 6335
E: rob.locke@au.ey.com

Emmanuel Vignal
Greater China Leader, Fraud Investigation & Dispute Services
Shanghai, China
T: +86 (21) 2228 5938
E: emmanuel.vignal@cn.ey.com

EDITORIAL PARTNER
www.fticonsulting.com

FTI Consulting, Inc.

FTI Consulting, Inc. is a global business advisory firm dedicated to helping organisations protect and enhance enterprise value in an increasingly complex legal, regulatory and economic environment. FTI Consulting professionals, who are located in all major business centres throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges in areas such as investigations, litigation, mergers and acquisitions, regulatory issues, reputation management and restructuring. More information can be found at www.fticonsulting.com.

KEY CONTACT

Jason Frankl
Senior Managing Director
Washington, DC, US
T: +1 (202) 312 9216
E: jason.frankl@fticonsulting.com

EDITORIAL PARTNER
www.goerg.de

GÖRG

GÖRG is one of Germany's leading business law firms. As an independent law firm with more than 250 lawyers at six offices in Berlin, Cologne, Essen, Frankfurt am Main, Hamburg and Munich, we advise on the core areas of business law. GÖRG's size and structure enable us to provide a highly efficient service for large and small matters alike and not only in Germany. IT matters represent one of the core competencies of GÖRG, its IT practice being comprised of several experts in different areas of that field who work in several offices and get together regularly to maintain cutting-edge expertise.

KEY CONTACT

Dr Jochen Lehmann
Partner
Cologne, Germany
T: +49 221 3366 0244
E: jlehmann@goerg.de

EDITORIAL PARTNER
www.innisfreema.com

Innisfree M&A Incorporated

Innisfree M&A Incorporated (New York) and its wholly-owned subsidiary Lake Isle M&A Incorporated (London) provide clients with sound tactical and strategic advice and results-oriented implementation in proxy solicitations, tender and exchange offers, mergers, rights offerings, restructurings and other corporate actions, friendly or contested, domestic or cross-border. In addition, we provide consulting services on strategic management issues, such as corporate governance, executive compensation and investor relations. With an experienced professional staff in New York, London, and Pittsburgh, we have represented hundreds of companies in over 20 countries.

KEY CONTACT

Arthur B. Crozier
Chairman
New York, NY, US
T: +1 (212) 750 5837
E: acrozier@innisfreema.com

EDITORIAL PARTNER
www.norrbomvinding.com

Norrbom Vinding

Norrbom Vinding is a boutique labour and employment law firm advising on all aspects of labour and employment law and acting exclusively for the management/employer side. The core group of Norrbom Vinding's lawyers are among those who pioneered and developed labour and employment law as a separate discipline for private practice lawyers in Denmark in the 1980s, and the firm's unique expertise thus builds on more than 30 years' experience within the area. Today, Norrbom Vinding is the largest labour and employment practice in Denmark and Scandinavia. Norrbom Vinding is the Danish member of Ius Laboris, Global HR Lawyers.

KEY CONTACTS

Elsebeth Aaes-Jørgensen
Partner
Copenhagen, Denmark
T: +45 35 25 39 40
E: eaj@norrbomvinding.com

Jens Harkov Hansen
Associate (CIPP/E)
Copenhagen, Denmark
T: +45 35 25 39 40
E: jhh@norrbomvinding.com

Søren Eeg Hansen
Associate
Copenhagen, Denmark
T: +45 35 25 39 40
E: seh@norrbomvinding.com

EDITORIAL PARTNER
www.paygovernance.com

Pay Governance LLC

Pay Governance LLC is an independent firm that serves as a trusted advisor on executive compensation matters. Our work helps to ensure that our clients' executive rewards programs are strongly aligned with performance and supportive of appropriate corporate governance practices.

KEY CONTACT

John R. Ellerman
Partner
Dallas, TX, US
T: +1 (214) 387 3179
E: john.ellerman@paygovernance.com

EDITORIAL PARTNER
www.pwc.com

PwC

PwC in Italy provides professional audit, advisory, tax and legal advice to businesses with the aim of creating value. PwC is a network across 157 countries with over 208,000 professionals, including 4000 in PwC Italy. The PwC network supports Italian companies in their process of internationalisation, whether it is developing new business, looking for competitive suppliers, seeking investors interested in their assets or identifying favourable opportunities for relocation. PwC has a proactive and multi-disciplinary team focused on markets that are priorities for Italian businesses.

KEY CONTACT

Alfredo Gallistru
Partner
Milan, Italy
T: +39 02 7785 483
E: alfredo.gallistru@it.pwc.com

EDITORIAL PARTNER
www.zurich.com

Zurich Insurance Group (Zurich)

Zurich Insurance Group (Zurich) is a leading multi-line insurer that serves its customers in global and local markets. With more than 55,000 employees, it provides a wide range of general insurance and life insurance products and services. Zurich's customers include individuals, small businesses and mid-sized and large companies, including multinational corporations, in more than 170 countries. The Group is headquartered in Zurich, Switzerland, where it was founded in 1872. The holding company, Zurich Insurance Group Ltd (ZURN), is listed on the SIX Swiss Exchange and has a level I American Depositary Receipt (ZURVY) programme, which is traded over-the-counter on OTCQX. Further information about Zurich is available at www.zurich.com.

KEY CONTACTS

George Melides
Head of Management Liability, EMEA
London, UK
T: +44 (0)20 7648 3008
E: george.melides@zurich.com

Jérôme Gossé
Head IT / Tech & Commercial Companies, Financial Lines France
Paris, France
T: +33 1 4318 7482
E: jerome.gosse@zurich.com

ORGANISATION
Chartered Institute of Procurement & Supply

The Chartered Institute of Procurement & Supply (CIPS) exists to promote and develop high standards of professional skill, ability and integrity among all those engaged in purchasing and supply chain management. CIPS assists individuals, organisations and the profession as a whole. As an influential professional body, CIPS helps all kinds of organisations achieve all-round excellence in procurement and supply management. We do this by offering a range of products and services to equip you with the knowledge, training, and practical skills you need to derive maximum benefit from your procurement practices.

David Noble
Group Chief Executive Officer
Stamford, Lincolnshire
T: +44 (0)1780 756 777
E: press@cips.org
www.cips.org

ORGANISATION
ICSA

ICSA is the professional body for governance. We have members in all sectors and are required by our Royal Charter to lead effective governance and efficient administration of commerce, industry and public affairs. With more than 120 years' experience, we work with regulators and policy makers to champion high standards of governance and provide qualifications, training and guidance.

Simon Osborne
Chief Executive Officer
London, UK
T: +44 (0)20 7612 7001
E: ceo@icsa.org.uk
www.icsa.org.uk

ORGANISATION
ISACA

As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. ISACA provides practical guidance, benchmarks and other effective tools for all enterprises that use information systems. Through its comprehensive guidance and services, ISACA defines the roles of information systems governance, security, audit and assurance professionals worldwide.

Ed Moyle
Director of Emerging Business and Technology
Boston, MA, US
T: +1 (847) 660.5549
E: emoyle@isaca.org
www.isaca.org

ORGANISATION
Internet Security Alliance for Europe

Internet Security Alliance for Europe (ISAFE) is a non-profit association, bringing together leading European companies from multiple industry sectors and different EU member states. Our sponsor companies make up our board. They must be based in the EU. Non-EU companies which do business in Europe may join ISAFE, but they may not serve on the Board. ISAFE is affiliated to the Internet Security Alliance (ISA) in Washington and shares its mission and broad goals. However, the ISAFE Board designs its own programmes and our staff are all EU citizens, accessing ISA resources as needed.

Richard Knowlton
Chief Executive
London, UK
T: +44 (0)750 010 3164
E: rknowlton@isa4europe.org
www.isa4europe.org
