CARBON TAX PAGE 16

Risk Management 87

Mar 10, 2016

Key Media

Australia's leading risk management magazine

2 | risk | August 2011

contents / issue 87

cover story

16 | Low carbon – high risk: Whether it’s a good or bad idea, the carbon tax is going ahead. How can businesses minimise the risk involved?

28 24 Hack attack! A recent spate of hacking scandals has brought home the importance of secure IT facilities. Risk Management explores the issues

Cutting-edge software: From revolutionising audit to thinking in ‘the cloud’ – experts reveal what lies in store for risk and compliance software

Get Risk Management online at riskmagazine.com.au: latest news, views, jobs and more


34 | Damage control: A reputation is hard to build – and easy to destroy. Alex Harris looks at the damage that can be done in times of crisis and how best to repair damaged reputations

38 | Insurance: The recent spate of natural disasters in Australia and overseas aren’t just disrupting business – they’re also exposing holes in organisations’ insurance cover

News & Views

08 | Round-up: Risk and compliance news from around the country and the world

12 | Analysis: Todd Davies assesses the News of the World phone hacking scandal from an internal audit perspective

14 | Opinion: What’s the difference between a risk manager and risk adviser? Peter Moore from Risk Point pinpoints the key distinctions and why they need to be made

Sector Focus

44 | Mortgages: The Australian property market is in the doldrums after surviving the travails of the GFC: what are the biggest risks to the money men financing home lending?

Careers

46 | Is risk the new sexy job? In the UK at least the answer seems to be in the affirmative


editorial

Printed on paper produced from 100% sustainable forestry, grown and managed specifically for the paper pulp industry

Copy & Features
Editor: Sarah O’Carroll
Coordinating Editor: Kevin Eddy
Production Editors: Sushil Suresh, Carolin Wun

Art & Production
Design Production Manager: Angie Gillies
Design: Plump and Spry

Sales & Marketing
Senior Account Manager: Paul Desmond
Communications Executive: Lisa Narroway
Marketing Executive: Kerry Buckley
Marketing Coordinator: Anna Keane
Traffic Manager: Abby Cayanan

Corporate
Directors: Claire Preen, Mike Shipley
Chief Operating Officer: George Walmsley
Publishing Director: Justin Kennedy
Chief Information Officer: Colin Chan
Human Resources Manager: Julia Bookallil

Editorial enquiries: Kevin Eddy, tel: +61 2 8437 4700 [email protected]

Advertising enquiries: Senior Account Manager Paul Desmond, tel: +61 2 8437 [email protected]

Subscriptions: tel: +61 2 8437 4731 • fax: +61 2 9439 [email protected]

Key Media, www.keymedia.com.au
Key Media Pty Ltd, Regional head office, Level 10, 1 Chandos St, St Leonards, NSW 2065, Australia
tel: +61 2 8437 4700, fax: +61 2 9439 4599
Offices in Singapore, Toronto
www.riskmagazine.com.au

Copyright is reserved throughout. No part of this publication can be reproduced in whole or part without the express permission of the editor. Contributions are invited, but copies of work should be kept, as Risk Management magazine can accept no responsibility for loss

Welcome to the new look Risk Management magazine.

You’ll notice a few changes in this month’s issue. Not only have we freshened up the look of Risk Management, we’ve also doubled the number of pages to 48, so that we can bring you more of the latest news and hottest topics affecting you, as well as a strong focus on the biggest risks in the corporate, public and not-for-profit sectors, and insights into the people managing those risks.

A new-look magazine isn’t the only change affecting us at present, though. The government’s carbon price scheme has been launched – to a wide range of reactions. Some organisations are supportive, some are dead against it; however, what’s clear is that the tax will affect all of us in some way, shape or form – not just the “Dirty 500” – and that we all must prepare for its impact.

Also in this issue, we look at what disaster can do to a business – whether natural, through negligence or self-inflicted. Charles Beelaerts asks whether you’re adequately insured in case of a catastrophic business disruption; Alex Harris considers the impact on reputation of being splashed across the headlines à la News Corporation; and we poke holes in IT systems to find out if they’re secure enough.

We’ve also surveyed the leading thinkers in compliance and risk technology, asking how software will change in the future.

Top that off with the latest industry news, views and analysis, and it all adds up to a bigger, better Risk Management magazine.

Low carbon – high risk?


news / round-up


Banking

Australian banks escape Basel list

Australian banks are not regarded as systemically important to the global financial system, a Basel report has found.

As part of an international framework to protect the global financial system, the Basel Committee on Banking Supervision has named 28 global banks which it regards as vital to the stability of the global financial system. These systemically significant financial institutions, known as G-Sifis, will be required to carry an extra layer of capital to safeguard against their failure and thus prevent a repeat of the financial crisis.

Banks will be graded on a set of criteria including: size, interconnectedness, cross-border activity, complexity and the availability of competitors to pick up their business in a crisis.

The Basel Committee didn’t name the 28 banks, but some of the banks which are likely to make the top of the list include: JPMorgan, Citigroup, Bank of America, Barclays, HSBC, Royal Bank of Scotland, BNP Paribas and Deutsche Bank.

Further down the list will be banks such as Goldman Sachs, UBS, Credit Suisse and Morgan Stanley. The largest Italian, French, Japanese and Spanish banks are also expected to be hit by the surcharge system.

EU

No more corporate governance rules: risk managers

The European Commission should start with “implementation and robust enforcement” of existing EU corporate governance rules on risk management, rather than creating new ones, according to the Federation of European Risk Management Associations (FERMA).

In response to the European Commission’s Green Paper on EU corporate governance, FERMA stated that parts of the paper dealing with board duty on risk management and risk disclosure overlap the EU 8th Company Law Directive which has yet to be fully harmonized and, as a result, application of these existing rules may not be equally stringent across the EU.

“Dealing with this issue should take priority. Member States’ implementation should be further analysed before the Commission takes any further action to regulate this duty,” it said.

FERMA’s response also said that it is opposed to “any moves to require companies to publish more information on their risk appetite,” as it “may harm companies’ competitive position, will not improve their risk management culture and will not provide more assurance to stakeholders that risks are under control.”

Key points from FERMA’s response to the Green Paper:

• The principles of good corporate governance should apply to all companies, but factors such as size, complexity and risk profile suggest there should be a proportionate approach.

• EU corporate governance measures should be voluntary for unlisted companies. Disclosure requirements should be different for companies that do not raise capital on the stock markets.

• Listed companies should “comply or explain”. Those that do not comply with relevant governance codes should explain the reasons for their divergence.

Fact: $14trn: the new US debt ceiling set by the US Government on 1 August to avoid defaulting on loans and potential economic catastrophe


Strategy

Risk management drives competitive advantage

Risk management has gained a more critical role at the CEO table, a recent study has shown.

Increasing volatility and complexity of the economic and financial environment have elevated the importance of risk management as a key management function. As a result, executives globally have moved corporate risk management up the corporate agenda as a key to competitive advantage.

The Accenture report, Risk Management as a Source of Competitive Advantage and High Performance, found that 85% of executives believe that risk has become a driver of competitive advantage for their company. This is compared to a 2009 survey in which 85% of executives believed that risk management should only be “aligned” with the business strategy but did not actually drive it.

Furthermore, the 2011 study found that nearly half (49%) of executives believe that corporate risk management will enhance the likelihood of long-term profitable growth for their company, and 48% said it will support sustainable future profitability.

Seventy-nine per cent of the executives said the person responsible for risk management in their organisation now reports directly to the CEO. The number of organisations with chief risk officers has also increased from 33% two years ago, to 45% today. Furthermore, CEOs increasingly “own” the responsibility for risk management – up 10% in two years.

45% of investment managers are focusing on tackling risk in the organisation, according to a report by KPMG. The report found that investment managers are putting growth and risk management at the top of the agenda over the next six months. Source: KPMG

International

Australian exporters remain exposed to risk of US lawsuits

Australian manufacturers with export interests to specific US states may be subject to state laws and potentially liable for significant claims even if they have no actual US presence.

In two recent landmark cases, the United States Supreme Court has affirmed the general rule that US state courts will have jurisdiction over international exporters selling goods alleged to have caused personal injury if the exporter is found to have “continuous and systematic” business dealings with the state or if the exporter specifically targets relevant sales to a particular US state.

David Miller, partner at Colin, Biggers & Paisley law firm, said the ruling raises a number of questions for Australian firms with foreign interests.

“The rulings in J McIntyre Machinery Ltd v Nicastro and Goodyear Dunlop Tires Operations SA v Brown mean Australian exporters targeting the US generally may be exempt from the application of state laws provided they have no other business connections with a particular state. However, companies clearly targeting export to specific states may be liable under state law,” he said. “It will all depend on the facts underlying the commercial dealings – you cannot divorce the legal analysis from the facts.”


Governance

RBS ordered to review risk in the US

The US banking regulator, the Federal Reserve, has ordered the Royal Bank of Scotland Group (RBS Group) to improve its risk management practices at their US branches.

The issuance of the “cease and desist order” by the Federal Reserve requires RBS to address deficiencies in its oversight of its US operations, specifically in the areas of risk management practices and compliance with the Bank Secrecy Act and anti-money laundering requirements.

The bank has been given 60 days to “strengthen board and senior management oversight of the corporate governance, management, risk management, and operations of the US operations on an enterprise-wide and business line basis.”

The order is to ensure that the RBS Group maintains effective corporate governance and oversight over its US operations.

This will include the establishment and maintenance of robust risk management and compliance programs on a consolidated basis, effective supervision of senior management, enhancements to IT systems, a review of the reporting system and an evaluation of staffing needs.

Environment

Knock-on risks and climate change dominate risk concerns

Risks emerging from the natural environment are dominating Australian business leaders’ concerns, recent research has shown.

Climate change, storms, flooding and the knock-on effects of other natural disasters proved to be the leading risk for businesses in the coming decade, with a further concern being that no single risk exists in isolation and most risks are interconnected.

“Environmental issues were the standout risk, in terms of both likelihood and severity. These were strongly interconnected with societal risks such as water and food supply, as well as to economic risks such as infrastructure fragility and energy price volatility,” said Anton Roux, director of programs, ADC Forum, who published the research with KPMG. “This highlights the need for Australia to be proactive in planning for risks. Extreme events need to be regarded as more ‘normal’ and be included in scenario planning.”

Major trading partner weakness was perceived as the most likely economic risk as Japan recovers from its earthquake and tsunami, China experiences slowing growth and the US struggles with an uncertain outlook. The report, The Australia Report 2011: Risks and Opportunities, also found that asset price collapse was rated the most severe economic risk, reflecting concern about overseas asset pricing and uncertainty about the outlook for Australian property, especially the residential sector.

Fact: One in 10 global companies has spent more than $250m on improving their risk management over the past two years, and half of all companies have spent more than $25m. Source: Accenture


Fraud

Opes Prime directors jailed

Former directors of Opes Prime Stockbroking Ltd (OPSL), Lirim (Laurie) Emini and Anthony Blumberg, have been jailed following an ASIC investigation into the stockbroker’s 2008 collapse.

Emini, the company’s former CEO, was sentenced to 24 months imprisonment and ordered to serve 12 months before being released on a recognisance release order. Former director Blumberg was sentenced to 12 months’ imprisonment. Blumberg will serve six months before being released on a recognisance release order.

ASIC Chairman, Greg Medcraft, welcomed Justice Beach’s decision, noting that the regulator would continue to focus on deterring and dealing with illegal behaviour.

“Building and enhancing confidence among investors is a key priority for ASIC,” said Medcraft, who welcomed the decision. “This includes taking action against directors who don’t fulfil their responsibilities.”

Both men were charged for dishonestly and recklessly using their positions as directors of OPSL in order to secure bank finance.

AML/CTF

AUSTRAC exchanges more financial intelligence

AUSTRAC has agreed to exchange financial intelligence with Norway and the British Virgin Islands. The regulator signed memoranda of understanding with the intelligence units (FIUs) of both countries in a further effort to fight money laundering, terrorism financing and other serious crimes.

“The ability to exchange financial intelligence with counterpart FIUs also significantly supports Australia’s law enforcement efforts and is integral to protecting the integrity of Australia’s financial system,” said AUSTRAC’s CEO John Schmidt.

AUSTRAC now has 62 exchange instruments with foreign counterparts – 61 to exchange financial intelligence and one to exchange regulatory information.


news analysis / internal audit

Could internal audit have saved the News of the World?

Could the internal audit team at News Corp have identified and clamped down on the illegal activities of the journalists? Todd Davies doesn’t think so

viewpoint

What’s the story?

In July 2011, it emerged that phones of private citizens had been hacked by the News of the World in the UK. Several things make it extraordinary:

• editors and senior management were aware of the widespread practice
• questions being raised on the effectiveness of the government’s role in regulating the media and to what extent they are ‘in bed’ with News Corp
• News of the World was closed after 168 years. This is truly extraordinary
• News Corp will no longer be buying BSkyB – which they’d invested many years in getting ready.
• the UK government has launched a public inquiry into phone hacking and police bribery
• this story has gone global, and is front and centre in the business media about the future of News Corp as well as mainstream media about the hacking scandal itself
• senior News Corp executives and public servants have resigned
• those in the corporate governance space are now starting to wade in, in Australia and abroad

The News of the World scandal is causing ripple effects around the world, with commentators in Australia and abroad beginning to ask questions about News Corp’s corporate governance. They are also starting to ask questions on the role of independent directors, audit committees, risk management and internal audit which could have broader implications outside the media sector.

Challenges with News Corp’s corporate governance

It’s no secret in Australia that News Corp’s governance has been controversial for some time, although usually for the likes of poison pills rather than risk and assurance.

However, now in light of the phone hacking scandal, international commentators are beginning to ask about News Corp’s audit committee, the composition of it and whether internal audit was truly independent of management. While these are all important issues for any director to consider, in our view, the focus needs to be on the newsroom itself.

How do you audit a newsroom?

People might be surprised to hear this – but I’m standing behind News Corp on this. Well, I’m standing behind their internal audit team anyway. I’ve met many of their people. I like them all. I trust them and respect them and a lot of what they do. Many of their practices are upper quartile and are an exemplar of modern practice. So the reality is, if they’ve got problems, we’ve probably all got problems.

The bigger issue is how you audit a newsroom. It’s very different to the usual audit procedures. We can audit back-office functions – accounts payable, accounts receivable, treasury. We can chase the money trails and see where they lead. We can audit logistics, distribution and supply chain. We can audit IT systems, business continuity and the like. But auditing a newsroom is hard.

The challenge with newsrooms is that journalists need to protect their sources, in the same way that auditors need to protect their whistle blowers. They have a long-established culture, a code of ethics – and a barrage of case law to support it.

There’s been no shortage of controversial cases on this in Australia where media companies have allowed journalists to protect their sources. As such, it’s really hard to get to the heart of the matter as an outsider. Or even as the editor.

You may be able to get a sense of the culture by spending time in the newsrooms. Some titles are methodical and measured. Some are like lunatic asylums with people hanging from the rafters. You might be able to let the people upstairs know that you don’t like the culture in the lunatic asylum and that the editor of a certain title may need some coaching in Management 101. We’ve all done this.

In a newsroom, you end up auditing their payroll, overtime and contributors. You also go through their expenses so that they know someone is watching. The reality, however, is this is about as effective as having the occasional patrol car drive down a troubled street. It’s a deterrent at best, but unlikely to find much.

If there was a scandal like this happening, it’s almost impossible to know unless you go looking for it specifically. No doubt all media companies will go looking for this specific circumstance now, but it will be after the fact. If anything was an issue you can almost guarantee it’s now been shut down.

How do you audit your equivalent of a newsroom?

Internal audit capabilities are still focused on back-office functions. While they understand the core business, they struggle to get at the heart of it. Internal audit functions in news organisations spend a lot of time auditing in the newsrooms, but they don’t always get to the heart of what’s happening in those newsrooms. Internal audit functions in health organisations spend time auditing in hospitals, but they don’t get to the heart of what’s happening in clinical governance, in patient care or the culture in the wards. Internal audit functions in manufacturing companies spend time auditing factories, but it’s hard to get to the heart of the culture on the shop floor. Even being on the floor most of the time, things pass right by us.

These are not isolated examples. Every company has its equivalent of a newsroom – something we audit, but only scratch the surface of. The big question for audit committees and heads of internal audit coming out of the News Corp scandal is the scope and capabilities of the internal audit and whether they’re getting to the heart of matters or just doing a superficial patrol.

Todd Davies is former head of audit and risk of Fairfax and a former member of the ASX Corporate Governance Council


opinion / risk management

What’s in a name?

Is there a difference between a risk manager and a risk advisor? Peter Moore discusses

Many organisations employ a person with the title of risk manager. The Risk Management Institution of Australasia (RMIA) often refers to people employed to support the risk management process as risk managers.

But what is the relationship between the actual risk manager – the person who takes and manages risk – and the support roles assisting this function?

When is a manager not a manager?

The risk manager role as currently framed is not what I would call an actual ‘risk manager’. This role supports the actual risk takers in the business: those people in the organisation who are responsible for managing risk in the delivery of their business objectives. When organisations employ support functions and give those roles the title of risk manager, confusion reigns and a lack of clarity is generated around who does what.

Applying the title risk manager to a role that supports risk management generates a false understanding that such people are actually responsible for managing business or organisational risk. The problem is compounded when there are many different combinations of words used to describe such support roles: ‘Manager, Risk and Compliance’, ‘Security Risk Officer’, ‘Health and Safety Risk Officer’, ‘Chief Risk Officer’, and so on. Who does what?

Organisations are challenged due to the general understanding that a ‘manager’ of a process or function – finance, information technology, engineering, asset management, human resources, and so on – is responsible for outcomes in the department or business processes for which they are accountable.

The actual managers of risk are those people whose roles involve taking risks and adding value to their organisations, not the support roles which espouse the use of neat models, diagrams and processes to assist the risk takers. A person who has neither worked in a senior strategic management role, nor run a business or enterprise has very little experience in actual risk taking, and therefore ‘risk management’. This problem is compounded when the ‘risk manager’ works in the public service or local government sector where often the tenure of their position is guaranteed (or at least secure) and where the person has no experience in business risk-taking.

Sage advice?

Then there is the role of the risk advisor: a person who advises organisations on the risk management function, processes and activities. An advisor is normally a person with deeper knowledge in a specific area, ie, a specialist. A risk advisor may be an internal role, or one who is contracted to the organisation to provide specialised skills and advice.

In the context of the external, independent advisor, it is the specialised skills and impartiality that adds value to the client who pays for such advice. The person who fills this role is the consultant. A consultant is usually an expert or a professional in a specific field and has a wide knowledge of the subject matter. A consultant usually works for a consultancy firm or is self-employed, and engages with multiple clients.

The independent consultant is a true risk manager, as they manage their own business with all the risks associated with the uncertainty of cash flow, management of resources to support the business (time, capital, staff) and strategic decision-making to ensure their services meet market demand. This is carried out whilst considering market and competitive forces, as well as monitoring trends to ensure relevance of their role in the broader risk management profession whilst also ensuring the success of their own enterprise or business.

The role of risk advisor (particularly consultant) is the most well-equipped to provide strategic risk management advice to business as they have the skills and experience in making such decisions. In addition, they are required to hold specialist risk management skills in order to “add value to their clients’ business” (one of the key principles of AS/NZS ISO 31000:2009, Risk management – principles and guidelines).

This role also assists the board of a company to define and establish its risk appetite and risk tolerance position as the independent risk advisor performs this function in their own business. An employee in an organisation with the title of risk manager may know very little about risk appetite, as they generally are not involved in strategic decision-making and therefore do not risk their organisation’s financial capital. The advice they provide to their executive team or board is based on their reading and understanding of the risk management literature (including the risk management standard), formal education, skills acquired on the job and past experience.

In fact, risk advisors are generally more experienced in taking and managing risk than internal risk managers. They are generally more experienced in advising boards and executive teams in establishing risk appetite and integrating risk management into the strategic decision-making processes in the business. Such advice can add more value for a business than creating risk management processes, which are often not applied by managers in organisations who do not fully understand risk management.

As the risk management discipline struggles with the growing pains of establishing its identity in organisations and developing recognition amongst its peers (accountants, actuaries, company secretaries, finance managers, solicitors) it needs help from professional bodies in terms of clearly defining roles.

The challenge for risk management to be recognised as a profession will be an ongoing one: not least for risk management practitioners who are playing a part in providing organisations with skills, knowledge, processes and support mechanisms to allow managers to take and manage risks in order to obtain appropriate returns for risk and to achieve organisational objectives. A broad rather than narrow view of the risk management profession is what is required to build recognition of all participants in the diverse activities of risk management.

My challenge to professional bodies is for them to adopt an inclusive approach to the broad and valuable contribution made by all their members and to foster a cohesive and united approach to the development of risk management.

The challenge for practitioners is to gain a greater understanding and acceptance of the respective roles described herein which all contribute towards effective risk management as a management discipline.

Peter Moore is principal consultant and director at Risk Point (www.riskpoint.com.au)

cover story / carbon tax

Carbon economy: low high risk prospect

Businesses should prepare now for a carbon-constrained economy, to reduce the risks and maximise opportunities, writes Sarah O’Carroll

The terminology surrounding carbon risk is slowly becoming engrained in the language of risk managers. More and more companies are appointing sustainability managers to oversee risk procedures to address the full range of issues relating to climate change.

This will become even more prevalent over the next 12 months, as companies begin to assess the business, legal and financial risks posed by Prime Minister Julia Gillard’s Carbon Price Mechanism (CPM) – more commonly known and much-maligned as the “carbon tax”.

Whether or not the carbon tax is a good or bad idea, or if it will indeed, without a strong binding global agreement, have any impact on the environment is a contentious issue. And whether or not the carbon tax could pass an overall cost-benefit analysis is being debated in the political arena.

But at the moment, the Government is standing firm, insisting the proposed carbon tax, due to come into effect on 1 July 2012, is the only way to cut pollution, drive investment and ensure Australia can compete and remain prosperous in the future.

So that means businesses have less than one year to develop and implement a comprehensive strategy that identifies opportunities and reduces risks in the carbon-constrained business environment.

the Need For preparatioN“The carbon liability will put a premium on sound governance, data integrity, accurate reporting and credible disclosure processes,” says Dr Nick Wood, KPMG associate director for climate change and sustainability. “All businesses will need to assess the cost implications and identify and exploit opportunities to reduce costs.

The carbon tax in a nutshell

the australian government has introduced a price on carbon under the clean Energy Future plan, making polluting activities more expensive. the intention is to provide businesses with an incentive to create new, cleaner ways of operating and ultimately move australia towards a low-carbon economy.

although the proposed carbon price will only be paid by the top 500 polluters and will cover electricity generation, some business transport, waste and other industrial processes, these increased costs will have a knock-on effect on many other industries and companies.

The carbon price will be fixed for three years from 2012 to 2015 (indexed annually by 2.5%). From 1 July 2015 a floating market-based Emissions Trading Scheme (ETS) will commence whereby the government sets the emissions level cap for australia and the market determines the price of permits.

“A low carbon economy has consequences for all Australian businesses and presents opportunities for those able to understand and act. Knowing how to access renewable or business innovation funding, or jobs and competitiveness programs may provide real competitive advantages and growth opportunities,” he says.

John McVeigh, managing director of MYR consulting in Perth, says that a lot of the risks facing business are based on the uncertainties around the scheme.

“Uncertain direct and indirect costs associated with reporting and compliance with the scheme; uncertain trajectory on future pricing; uncertain effect on the wider economy of this scheme; and uncertain long-term commitment and levels of compensation to be provided by government under the scheme,” he says.

Aside from the big 500 polluters, the proposed carbon pricing scheme will not have a direct material impact on most Australian companies. However, risk managers will have to assess all the possible ways it will increase the cost of doing business in Australia and thus impact investment decisions.

According to John Marren, director of global risk at CSL, these developments against the backdrop of an extremely high Australian dollar and other fiscal constraints will present some financial challenges for organisations.

“The Government will need to carefully structure the finer details of its policy and closely monitor its implementation to identify any possible market distortions and to ensure individual participants within industry segments are not being unfairly disadvantaged,” he says. “While our assessments showed limited exposure to indirect price increases as a result of a carbon pricing scheme, CSL will continue to monitor supply chain costs and the compounding effects of economic policy and fiscal constraints.”

Preparation will be essential for the smooth transition to a low carbon economy, according to Origin managing director, Grant King.

“For some time, Origin has anticipated a scheme of this nature and we are therefore well placed to operate under a carbon pricing regime,” he says.

Commenting on the carbon tax, King says that Origin has supported the view that an emissions trading scheme is the most effective way to reduce carbon emissions but believes the main concern for business will be how the costs are passed on and how Australia will remain internationally competitive.

“It should be a key aim of the review processes that the transition to a lower carbon future be at the lowest possible cost and not threaten the competitiveness of the Australian economy and that the price of doing so is passed efficiently through to consumers,” he says.

Risks of price exploitation

The extent to which the carbon costs can be passed on will have a significant impact on the profitability of organisations. Supply-chain risks will be the major concern of most businesses – particularly those further down the supply chain that may be impacted by the carbon costs that the big 500 polluters pass on, and have little control over.

To mitigate this risk, new powers will be given to the Australian Competition and Consumer Commission (ACCC) to guard against any “price exploitation” – affected companies exaggerating the impact on their prices of carbon costs. It will be similar to the role given to the ACCC in 2000 when GST was introduced.

Michael Corrigan, partner at Clayton Utz, says that for the ACCC to have any real teeth in this area it will require some legislative changes. As it stands the ACCC will not receive any new legislative powers in this area but will issue pricing guidelines and monitor the impact of the carbon permits on prices.

“The old ‘price exploitation’ provisions that accompanied the introduction of the GST in 2000 expired some years ago and were removed from the Competition and Consumer Act,” he says. “What will amount to ‘price exploitation’ in this area will likely be a matter of degree and require some judgment, which may be complex in some cases.”

Opportunities and incentives

While businesses need to explore the risks in the traditional sense of the word they must also consider the risk of missing out on the many opportunities created by the carbon tax, such as the raft of stimulus packages being offered under the Government’s climate change plan: Securing a Clean Energy Future.

“We are advising businesses to develop their response immediately. This will give business the maximum time to think through the complexity of options and ensure opportunities are maximised,” says Mathew Nelson, Ernst & Young’s Oceania leader.

Financial incentives will be available to companies to better manage their carbon emissions and their exposure to carbon-based risks.

According to Greg Combet of the Department of Climate Change and Energy Efficiency, some of these incentives include:

• The Jobs and Competitiveness Program will assist organisations that release a lot of pollution but have difficulty passing on the cost of a carbon price due to international competition;
• The Steel Transformation Plan will deliver funding to eligible steel manufacturing businesses to support investment, innovation and productivity in the steel industry;
• The Clean Technology Investment Program (CTIP) and the Clean Technology Food and Foundries Investment Program (CTFFP) totalling $1 billion will deliver transitional assistance to manufacturing businesses.

The Government is also establishing an Energy Security Fund to further ensure energy security and may also offer loans to the owners of coal-fired electricity generators in certain circumstances.

“Origin has anticipated a scheme of this nature, and we are well-placed to operate under a carbon pricing regime” – Grant King, Origin

When the GST was introduced, guarding against “price exploitation” meant ensuring that affected traders did not use the tax as an excuse to unfairly increase their prices. The ACCC took an active role, issuing guidelines, monitoring pricing, naming and shaming some companies and publicising its powers.

According to Corrigan, applying this test to the purchase of carbon permits may be more complicated because the impact on prices will vary according to a number of factors, including: the relative carbon intensity of particular goods and services; the extent to which a liable entity receives compensation or assistance under the Carbon Price Mechanism; and the capacity of any particular producer to reduce emissions, and therefore liability under the Carbon Price Mechanism, or source potential credits to meet scheme obligations.

“In 2000 the ACCC was successful, as few exploitation concerns arose with the GST. However, the Act was toughened at that time and the ACCC was able to threaten fines of up to $10m for price exploitation and to issue notices that required companies to prove that they were not unfairly exploiting the adjustment to prices,” says Corrigan. “Without these sorts of tough measures with the carbon permit scheme, it will be unclear how effective the ACCC’s role may be in this area.”

Increased market scrutiny

Companies will have to manage the risk of increased market scrutiny. Under the ASX Listing Rules, once a listed company becomes aware of any information that would reasonably be expected to have a material effect on the price of its listed securities, it is required to immediately disclose that information to the Australian Securities Exchange.

The carbon tax has thus presented a somewhat confusing picture for compliance officers with respect to the way in which companies must disclose to the market the likely effect the tax will have on their operations.

Clayton Utz partner Geoff Hoffman also compares it to the introduction of the GST but says the continuous disclosure implications of the Clean Energy Future package are much greater, for a number of reasons.

Firstly, he says, the impact of the Clean Energy Future package will vary widely between different industries and financial years.

Another difference between the announcement of the Clean Energy Future package and the introduction of the GST in 2000 is the regulatory environment.

“Back in 2000, securities class actions were virtually unknown in Australia. Eleven years on, there is an industry devoted to finding mistakes and omissions in stock market announcements – and making a profit from them,” says Hoffman.

“Back in 2000, ASIC didn’t have the power to issue on-the-spot fines to companies it suspected of having failed to meet their continuous disclosure obligations. Back in 2000, company directors didn’t face personal liability for their companies’ continuous disclosure breaches.

“In 2011, directors and management will be taking a far more proactive approach towards assessing the effect of the Clean Energy Future package on their business. If that effect is financially material, they will then be sharing that knowledge with the market.”

Some companies have already provided detailed cost estimates of the proposed tax and – although it’s still early days – it is something most large companies will have to consider doing within the next year.

The key ASX Listing Rule is 3.1, which states that a company must immediately disclose information that “a reasonable person would expect to have a material effect on the price or value” of the company’s shares.

And according to Hoffman, a reasonable person would likely take the view that, in the current political situation, there is a reasonable chance that the current package will be passed in its current form.

Furthermore, directors will also run the risk of being liable under the carbon pricing scheme – and may be exposed to personal liability if the company fails to comply with legislation.

“The implementation of an effective compliance and education program will be an important part of an officer’s defence in such a case,” states Allens Arthur Robinson’s climate change report. “This is in addition to the obvious benefit of a compliance program – which is to minimise the risk of any breach by a company of its carbon pricing scheme obligations in the first place.”

Enterprise-wide risk assessment

For an enterprise-wide risk assessment, many strategic, operational and project ramifications of climate change need to be factored in, according to McVeigh.

“The first question is to get a baseline on potential impacts on demand for the business outputs, where it operates, and where it seeks to develop its business,” he says. “There are a number of approaches to undertaking this, but often experts such as CSIRO are engaged to undertake specific modelling on the specific business impacts and areas in which the company’s assets are located and operated.”

It is from this baseline that a strategy can be further developed, strategic risks considered, operational risks assessed and appropriate planning for protective measures and better contingency planning begun.

CSL’s Marren has conducted an enterprise-wide assessment of the risks posed to the company by climate change, including regulatory risks posed by the Government’s carbon pricing mechanism.

Overall, it was determined that climate change does not pose any significant risks to CSL’s operations over the next 25 years as disclosed in their submissions to the Carbon Disclosure Project and their Annual Report.

“Climate change risk assessment has been integrated into CSL’s enterprise-wide risk management framework and will therefore continue to be monitored and reviewed as part of the Company’s risk management process,” says Marren.

Many companies do not foresee themselves being subject to any extra carbon costs under the Government’s scheme. CSL is an example of a company which is a modest emitter of greenhouse gases.

“There is an industry finding mistakes in stock market announcements – and making a profit from them” – Geoff Hoffman, Clayton Utz

10 steps towards carbon risk management

To help in planning for the implementation of the fixed price period commencing 1 July 2012, business should consider undertaking the following tasks, if not already completed:

1. Establish a governance committee or equivalent to ensure issues are effectively managed across the business and roles and responsibilities are clear

2. Validate the quality of your emissions data and build your forward emissions profile into your strategic plan to provide a sound basis for strategic decision-making

3. Identify your direct obligations

4. Review supply-chain implications and consider the impact of carbon on upstream suppliers and downstream customers

5. Trade-exposed, emissions-intensive industries to gather data for the implementation of EITE (emissions-intensive trade-exposed) assistance arrangements if not already completed

“In Australia, we operate two biopharmaceutical manufacturing facilities, which together were responsible for direct emissions of approximately 12 kilotonnes of CO2-e in 2009/10. This is well under the carbon pricing threshold being proposed by the Australian Government [25 kilotonnes of direct CO2-e per facility],” says Marren.

The Government’s determination of exactly who is responsible for the emissions could further reduce CSL’s responsibility for carbon emissions.

“Our emissions assessable for carbon pricing will be further reduced if gas retailers become responsible for their customers’ natural gas emissions. Regardless, CSL does not anticipate being subjected to a carbon price under the Australian Government’s proposals,” he says.

Many businesses believe that the carbon tax will negatively impact their ability to compete in international markets.

According to Yvo de Boer, KPMG’s special advisor on climate change and former executive secretary of the United Nations Framework for the Convention on Climate Change, the proposed carbon pricing mechanism aligns Australia with its major trading partners.

“Australia’s Climate Change Plan, together with its provisions for an international trading scheme, is a sensible approach to a complex issue,” he says. “Regardless of which side of the environmental debate one sits, an increasing number of business leaders realise the risk of not acting on the opportunities for business as this global change unfolds.”

Risk management tools

Transitioning to a low-carbon, clean-energy economy with new management, reporting and assurance requirements will require new risk management systems and processes for most Australian businesses.

Managing carbon permits is a new activity for most organisations and therefore appropriate governance structures, policies, procedures and systems need to be put in place to manage the process.

For example, the Clean Energy Future Package proposes to treat carbon permits created under the Carbon Price Mechanism as “financial products”, bringing with it its own set of consequences. A new class of financial derivative will become an integral part of an organisation’s risk management tool kit. Therefore, the risks imposed by the tax will spread between the risk and financial departments.

A raft of risk management products will be in demand from organisations so they can effectively manage the risks associated with these developments.

“Buying permits (and in later years, trading permits and hedging strategies) will be complex and therefore planning should start now to ensure that adequate systems are in place for the 1 July 2012 start date,” states a Deloitte report. “Organisations need to prepare now to incorporate the assets, liabilities and risks associated with managing carbon in their financial and risk management processes.”

Preparing for the carbon tax

All organisations need to be ready for two transition steps as a result of the carbon pricing scheme:
• assessing the direct and indirect impact of the fixed carbon price from 1 July 2012 and
• preparing for the introduction of an Emissions Trading Scheme with international linkages from 1 July 2015

Source: Deloitte

6. Develop marginal abatement cost curves to assess the internal cost of reducing emissions to establish a hierarchy of investment under:
   a. the fixed price of $23/tonne
   b. a range of scenarios for flexible price period, using the price collars as guidance

7. Determine asset valuations and perform fully costed impairment tests

8. Develop a carbon strategy that covers internal abatement and purchasing credits based on your marginal abatement cost curve assessments; use modelling tools to optimise a risk weighted carbon portfolio; consider tax and accounting treatment for new carbon commodities

9. Evaluate options to migrate greenhouse gas data into your mainstream financial systems; plan to gather and review emissions data in close to real-time to help assess carbon assets and liabilities accurately

10. Identify the various grant schemes where you could be eligible to receive funding, and be prepared to apply

Source: Ernst & Young

Strategic risk: carbon pricing and beyond

The winners in a carbon economy will be the ones who accelerate their capacity to innovate, says Ulysses Chioatto

Carbon pricing has many risk management issues. These range from managing the impact of the tax now and into the future to the risks of pursuing innovation strategies. One certainty is that, once the tax and ensuing schemes as announced in the Climate Change Policy Package (carbon tax) go live, prepared businesses will better manage any risk from the tax and its ultimate end game – an emissions trading scheme.

Shifting to a carbon economy begs the following questions, amongst others:

• Does your business or industry have a cost point in your economic chain to impose carbon-related costs onto your customers?

• Are you assessing energy efficiency opportunities to find sustainability in your supply chain?

• What about the strategic “big picture”?

• How well does your firm promote, nurture and seize innovation?

The key to this tax working as intended is innovation throughout all industry and business sectors. If, as is likely, the tax becomes law, it will not just be the dirtiest 500 that will need to assess the difference between paying the tax, passing it on, closing down or innovating their business processes to minimise the tax payable and in turn being more competitive.

Winners in a carbon economy will accelerate their capacity to innovate. The question lobbyists must ask is whether Government has considered the lag time of innovating any business process into implementation.

Who is wearing a ‘dirty 500’ guernsey?

We do not know who the 500 dirtiest of the dirty firms that will be forced to pay the carbon tax are, but we know that power stations, mines, heavy industry and state government authorities are in the crosshairs of the government’s sights. According to reports, 135 of these operate in NSW/ACT, 110 Queensland, 85 Victoria, 75 Western Australia, 25 South Australia, 20 Tasmania, less than 10 in the Northern Territory and 45 across states. The Government does not want to name and shame the 500, citing breach of ‘confidentiality’ under the National Greenhouse and Energy Reporting Act (NGER).

A clue to the 500’s identity is the Department of Climate Change and Energy Efficiency ‘NGER’ list (early 2011), based on emissions from 2009-10, of 300 companies that emitted over 87,500 tonnes of CO2 – both at their sites and via secondary power and energy use. The top eight listed include, from the top, Macquarie Generation (with 23.4m tonnes), Delta Electricity, Bluescope, BHP Billiton, Rio Tinto, Anglo American, Qantas and Virgin Blue. All of these firms will get a dirty 500 guernsey. In managing its tax risk Qantas is already on record that it will raise fares to soak up its liability.

Under the tax, companies that produce over 25,000 tonnes of carbon per annum will pay $23 a tonne, or a minimum of $575,000, before free permits and compensation. The NGER list only has 234 companies listed that exceed the tax’s 25,000 tonne limit for “own-premises” emissions. The missing 266 firms highlight a loophole: not only is the NGER list limited, but to be in the 500 you must produce over 25,000 tonnes per site, which means those that exceed the 25k benchmark but operate around various sites will escape the net.

The NGER list is divided into “Scope 1” and “Scope 2” emissions. Scope 1 relates to in-house emissions, Scope 2 relates to energy used onsite, but generated elsewhere. Companies on the NGER list like Mars, McCain and Harvey Norman may be exempt by operating via multiple factories and stores. Fifty-plus firms exceed the carbon tax threshold (87,500 tonnes) but do not trigger it for inclusion on the 500 to pay the tax as they are not Scope 1 emitters: their emissions are in total across both Scope 1 and 2.

The missing 266 companies not on the NGER list but part of the 500 are found in Minister Combet’s press release identifying 190 waste disposal companies. The NGER list does not include landfill, garbage and recycling firms, except for Transpacific Industries. The last 76 dirty 500 are council tips run by local government.

Assessing the risks

No one is safe. All companies must investigate the effects of higher energy prices and secondary supply chain costs on their businesses, and plan to manage the costs. The cost to most businesses will be direct energy cost increases of about 20% from 1 July next year. The exact increase depends on their electricity source.

All companies must understand their market and legal ability to pass through costs to customers, and their competitive strategy for passing on part or all of these costs. They must also consider their ability to reduce energy costs through better internal management, as there will be some increases in goods and services that they use, due to the carbon content in those inputs. This is on top of increases of over 50% in electricity prices over the last three years and another 20%-plus in the next two years, due to cost recovery of electricity network investments. Oil prices have also increased so expect further gas prices to escalate rapidly over the next three years due to international parity pricing of gas directly to the LNG market.

Strategic considerations – rare to be sure – include communicating your actions to proactively develop opportunities arising from a clean energy future to all stakeholders. Communication is not to be overlooked or taken lightly: as Professor Tim Flannery, chief commissioner of the Climate Commission, told me at a recent forum I organised, “the challenge for climate issues is communicating a complex set of concerns”.

Environmental ethics

Brave souls willing to assess long-term risks will include social responsibility in the risk assessment mix, with consideration of future laws and policies that address the environmental ethics around emission trading schemes. Key amongst these are situations where highly-industrialised firms are allowed to take credit for sponsoring emission prevention/reduction in developing countries while continuing to emit carbon. Although this may be the easiest, cheapest and quickest way for highly-industrialised firms to make their targets by simply buying the emission allowances off firms in developing countries, is it the right thing to do?

Boards must ask management to work on assessing operational and strategic risks for boards to set their appetite in a low carbon economy (See box opposite).

Innovation and risk management

The distinction between invention and innovation is that invention is the first occurrence of an idea for a new product or process, while innovation is the first attempt to carry it out into practice.

There is usually a considerable time lag between the invention and innovation that reflects the difference in requirements for working out ideas and implementing them. The question on every company director’s mind should be “how do we seize opportunities from a low carbon economy?”.

Firms must identify these basic ingredients that I believe are common to firms that achieve success through innovation and well-judged risk-taking:
• imperative to innovate
• culture of accountability and responsibility for delivering results
• environment where organisational learning is systemic and systematic
• clear and simple risk management processes that are embedded in decision making
• decision-making culture where the expectation is to challenge and be challenged about assumptions
• emphasis on developing the capability and capacity to innovate and take well-managed risks
• systematic and reliable mechanism for change

Capital and return on investment are also critical concerns. Planning should include the level of capital to be set aside over the next three to 10 years to implement the cost-effective opportunities and innovation projects identified, as well as developing carbon/energy abatement curves to direct action in prioritising cost effective initiatives and innovation projects.

Ulysses Chioatto

Carbon pricing: the risks

Operational risks
• Assessing effects of the carbon price and managing the pass-through costs to our benefit from suppliers and pass on the costs to customers
• Contractual issues to resolve
• Demonstrating to clients/customers efforts to minimise any cost exposure through the supply chain (or justify pass-through costs)
• Compliance with all mandated reporting requirements
• Making a ‘carbon impact statement’ to the ASX and financial investors
• Are information-management systems able to efficiently and accurately report externally and internally on cost reductions?

Strategic risks
• Clear carbon-management strategy: can we demonstrate a strategic, cost effective approach to managing our carbon/energy exposure?
• Three, five and ten-year plans and defined projects to reduce our carbon footprint and energy costs
• Identifying the significant risks or opportunities emerging for our business in moving to a lower carbon economy
• Know where we want to position ourselves publicly on the issue
• Know if our customers require different products/services from us to meet their needs for carbon mitigation
• Know if our customers’ demand for our products/services will change – short- and long-term

Hack attack

A recent spate of hacking scandals has brought home the importance of secure IT facilities. Risk Management explores the issues

Security set: how to best protect your data

1. Backing up data should be regarded as the primary means of defence against hackers. Any data that could allow a hacker to disrupt the business should be restored.

2. The frequency of backing up should depend on the type of data being stored. Traditionally it’s nightly back-ups of incrementals and a weekly back-up of everything. It also depends on what sort of disaster a business is planning for. This might require a business to explore hiring some space or equipment, or storing their data in a cloud.

3. Protect end-points like workstations by using anti-malware software.

4. Make sure the business has access to updates for Microsoft or Apple, which will update software automatically.

5. Ensure your business has formal guidelines in place that can be accessed by all staff. The guidelines should set out use of IT assets and how to avoid scams. Guidelines can also ensure people don’t give out passwords.

6. Don’t allow staff members to download software of their choice – any additional software programs should be approved by an IT manager or equivalent company representative. Also, don’t rely on out-of-date software – sanitise input in SQL forms to ensure you’re not open to attacks.

7. There are also threats to individual machines from phishing attacks. Threats to an individual can snowball if the business isn’t aware.

There are some things in business that can’t be planned or budgeted for, but the Distribute IT hacking scandal should pave the way for more stringent security measures on a company’s data.

On a quiet Saturday night in June 2011, hackers permanently deleted files and websites belonging to more than 4,800 accounts – or half the company’s customer base – in what has been described as one of the most vicious and targeted attacks on an Australian web hosting business.

The sophisticated and calculated nature of the security breach serves as a harsh reminder that all businesses need to ensure their IT integrity is appropriately protected, and have a detailed plan in place in the event of an attack.

SAI Global channel manager of ICT risk and assurance, Brahman Thiyagalingham, says every organisation is unique, and each organisation’s appetite for technological risk is different. He believes the security controls that an organisation should implement, manage and improve upon should be based on a thorough risk assessment and be governed using a process of continual improvement.

“Many organisations in the same space as Distribute IT have turned to the Specification for Information Security Management Systems (ISMS) detailed in the ISO/IEC 27001 standard. This standard requires organisations to take a risk-based approach to information security and apply controls to manage risk within acceptable levels. The security controls an organisation should consider for implementation are detailed in the Annexure of the ISMS standard ISO/IEC 27001,” he says.

Thiyagalingham says the threat environment is constantly changing, and despite the unpredictability, organisations should pay attention to the “insider threat”. This means threats that can be caused not just by a malicious user but also by accident, misconfiguration of controls and sometimes a general lack of awareness.

He says the biggest mistake many companies still make is not identifying and valuing their core assets – whether that is people, processes or technology. By failing to identify these assets and place a value on them, organisations are unable to perform thorough risk assessments and therefore may not always have the appropriate security controls in place.

“Without proper risk assessment in place organisations are also unable to put in place adequate continuity and recovery processes should an unfortunate incident occur. Other areas that can lead to a compromise in security include not providing adequate training and awareness to their staff, inadequate or no incident response procedures and not knowing what contractual obligations they need to comply with in serving particular customers,” he says.

He believes cybercrime laws should be no different to the other criminal laws in existence, arguing it is illegal to deliberately break into and destroy another person’s property in the traditional sense.

Double trouble: the horror of hacking

Distribute IT hasn’t been the only business to be the intended target of a malicious and sophisticated security breach this year. The Sony PlayStation Network has also been a victim to attack – not once, but twice, with Australian customers impacted by the breach.

The network was originally hacked on 18 April but details were not released for several days as Sony examined the nature of what data was stolen. The network was unavailable for some time while it was realised the hackers had extracted 77 million user records. According to Sophos’ Sean Richmond, that’s when encryption will prevent access to the stolen data.

“There was concern at the time around credit card details and whether that information had been accessed. There was other password information that wasn’t encrypted,” he says.

Along with names, birth dates and passwords, a database of customer credit card numbers was stolen but it was protected by encryption.

“The same laws should be applicable in the cyber world as well. It is for this reason that cyber security measures take into consideration non-repudiation (being able to prove who did what) and accountability (pinpointing a specific account or individual) for specific malicious acts in the cyber world.”

Mandatory disclosure

Security specialist Sophos provides encryption products in the corporate enterprise education space, with clients ranging from small to large corporates, to government bodies. Sophos’ senior technology consultant, Sean Richmond, says the Distribute IT hacking scandal was a particularly malicious one, with the hackers going after the data that would allow them to reestablish the business. He says the issue was that not only was there a serious security breach, but the perpetrators managed to delete the entire contents on the company’s servers.

“A large amount of data was destroyed. It’s not a common thing. Most of the time with breaches data is stolen or copied but destroying everything is not a common occurrence,” he says.

Fortunately for Distribute IT, shortly after the scale of the breach was made public, Netregistry announced that it would acquire the assets of Distribute IT and provide assistance to affected customers.

At the time, Netregistry chief executive, Larry Block, expressed sympathy to Distribute IT staff, management and customers. “Distribute IT had a very solid reputation – that comes from doing a good job for a long time. Without that, I’ve no doubt that this situation would be a lot worse. I want to remind customers of that excellence and ask for their patience and support as we work through the requirements to return services to all customers as rapidly as possible,” he says.

Even so, the case has led many in the IT security industry to question the rigour of existing cybercrime laws in Australia. Some say the parameters of the laws are sufficient: however, the one critical piece of

“It’s not always the pierced and tattooed guys working in a basement causing all the breaches” – Sean Richmond

Page 29: Risk Management 87


Case study: Bruce Brammell, Castellan Financial Consulting

Long weekends should signal time spent with family and friends and forgetting about work responsibilities for an extra day. But, as proprietor of Castellan Financial Consulting, Bruce Brammell doesn’t switch off, and when email alerts ceased on the recent June long weekend, concern set in.

The services of Distribute IT had been acquired to host the organisation’s email. On the Tuesday after the long weekend, Brammell contacted the web hosting company and left a message, and the situation got progressively worse thereafter. By Thursday, he had made a decision to set up a new email address elsewhere, conscious of the fact client communication and business volumes were at risk.

“They eventually said they’d help move the addresses but on the same day Netregistry bought the assets of the business. So, then we couldn’t get access to passwords for a further 48 hours. All in all, it was about three weeks before we were back to operating normally,” he says.

Brammell says the most disappointing aspect of the scandal – aside from the loss of tens of thousands of dollars in lost time and business – was the faith he placed in the web host provider, who he signed with on the basis of a referral.

“As an SME, you have to have some knowledge of everything from human resources, marketing and brand, law, accounts and billing and just about everything you don’t get into business for. But you expect a company you’re paying hundreds of dollars a year to back up your data. How much due diligence did I do on Distribute IT? Not much. I’m not an IT expert – you put a level of trust in these providers,” he says.

Castellan Financial Consulting’s data is now held offsite with another web hosting provider who specialises in financial planning software and customer relationship management systems. Brammell says while the service costs his business a large amount of money, he’s confident in its ability and security system.

Soured by the impact of the hacking scandal, his advice to other businesses is to diversify their IT risk. Ideally, he says, organisations should have two email addresses with different providers.

“It will cost more money upfront but it’s money well spent. Secondly, I’d advise them if an attack with their provider does happen, act quickly. As each hour and day rolls past, it’s time wasted,” he says.

According to Richmond, the profile of a hacker doesn’t reflect the stereotype. He says there are casual hackers in operation, and given the amount of money that’s to be made now, it’s difficult to determine whether it’s someone making an intentional breach or a person simply finding out how things work.

“It’s not always the pierced and tattooed guys sitting in a basement somewhere … that stereotypical lone hacker is there but they’re not the ones causing the huge breaches. This type of activity is now just as much about getting large amounts of compromised computers spamming out to five million people with the message of the day,” he says.

legislation absent is mandatory disclosure. If this were to be introduced, web hosting companies would be legally obliged to advise their customers that information has been leaked in the event of a security breach.

Mandatory disclosure exists in the United States at different levels, depending on the state. In the United Kingdom, there’s an additional requirement to report personally identifiable information that’s been hacked, in accordance with the Data Protection Act.

Distribute IT is a unique case in the sense that the data was completely erased. There’s no indication of it being leaked anywhere, and according to Richmond, the critical lesson for businesses is to keep adequate back-up management of data files.

“Distribute IT were victimised, but from a risk perspective they didn’t have the ability to restore from offsite or offline, which meant they didn’t have the ability to rebuild the servers, which is very strange. In most organisations you keep an offsite back-up. You might send the data offsite or offline every week,” he says.

Richmond says data encryption prevents the deletion of data from online repositories. If a file is encrypted they shouldn’t be able to read it – they could access the file but not the information contained in the file.

The Distribute IT case raises questions around how potential hackers choose their targets. In most cases, they will have an idea of the parameters of getting into an organisation through Structured Query Language (SQL) injected attacks, affording them the ability to input fields that cause the database to break or display data it’s not meant to. “They’re testing to see if they will get a result,” he says.

Page 30: Risk Management 87


The leading edge

The pace of technological change is getting faster and faster. Kevin Eddy asks industry leaders how compliance and risk software is taking advantage of this – and how it will develop in future

Where will compliance software go in the next few years?

To predict where compliance software is heading we need to look at a company’s need to demonstrate its resilience to the unexpected.

This means greater synergy between BCM and GRC. GRC clearly has board awareness, yet BCM tends to be neglected: this in itself creates a risk within organisations because BCM and GRC tend to work in silos with their preferred software vendors. GRC tends to get more funding than BCM, and hence has larger budgets to invest in feature-rich software than their BCM counterparts, who tend to rely on Excel, Word or software limited to their restricted budget.

BCM is there to protect the business and ensure damage limitation: it plays a vital role and needs to be embedded and accepted throughout the organisation as crucial to demonstrating resilience. We see the future for BCM aligning with the compliance and risk elements of the organisation, thus giving the board a single holistic view. This integration of BCM and GRC will change the current silo structures that exist within organisations that also run separate siloed applications, which in most cases do not talk to each other.

Currently, most compliance vendors focus on either GRC or BCM: this will have to change. The latest risk

Jude Jacobs, CEO, Enterprise Data Corporation

Bringing silos together

What are the emerging priorities for organisations?

With the recent worldwide events of earthquakes, floods and other natural disasters, organisations’ priorities are quickly changing to ‘how can we be better prepared’?

The emerging priorities are based on ‘war time’ modes of simplicity, as opposed to ‘peace time’ due diligence. This trend is also driving simplicity and integration between governance risk and compliance (GRC) and business continuity management (BCM).

It’s no longer a matter of ‘what if’ something happens, but more of a ‘when it happens, what do we do?’. This means organisations will have to take GRC and BCM to a higher level – an umbrella under something like ‘business resilience’.

Page 31: Risk Management 87

Feature / software

standard (ISO 31000) and the BCM 50/50 standard recognises this, but it will take time for organisations to comply as it calls on both ‘war time’ and ‘peace time’ focus, currently run by separate areas within the business. Seeing integration of BCM under the GRC umbrella is a trend that will continue.

How will emerging technologies impact software?

New cloud technology software will play a very important role in reducing the cost of ownership. However, organisations are still being held hostage with software forcing business process changes that can be very disruptive. Secondly, the cost of software modification can be prohibitive.

Worse still, if you can afford software modifications, when the time comes to upgrade you are held hostage again as upgrades are no longer seamless as the modifications hamper the upgrades. This vicious circle continues, only gets worse with time and the investment required in maintenance and upgrades eventually spirals out of control.

To solve this problem you will see new technology in the way of ‘Platform as a Service’ (PaaS). This is part of the cloud infrastructure, however, not to be misinterpreted with ‘Infrastructure as a Service’ (IaaS). PaaS software architecture is designed to remove the barriers mentioned above, by allowing organisations to:
• modify applications without writing a single line of code
• modify applications without impacting upgrades
• retain business processes as the software is flexible to adapt to existing business processes

It’s still a new area, and won’t be mainstream for another five years or so, but companies are already looking at it.

What will be the key innovations needed?

Mobile apps in the business sphere is the future. Decision makers now see that these tools increase productivity, reduce paperwork, and increase revenue in ways other devices simply cannot.

We are seeing organisations request that their management ditch their laptops in favour of mobile devices such as the iPad – and even go as far as moving to smartphones like the iPhone and Android-based devices.

More and more business applications are going to be written for mobile devices. The recent disasters in Queensland, Christchurch and Japan have highlighted information flow, and better mobile apps would have brought significant benefits in the rescue operations. I would go as far as to say that more lives would have been saved.

Page 32: Risk Management 87

Tony Stephenson, director, iComply

Revolutionising audit

What are the emerging priorities that organisations need to monitor and manage?

Regulation is going to be the key driver. Directors are rapidly coming to the realisation that if something’s going on in their company which they don’t fix, they’re liable, and there’s a compelling need for them to undertake audit. They might translate those audits internally as policies and procedures, but the driver is the regulation that underpins all of those activities.

The regulators, too, have an obligation to ensure that the regulations are complied with. If you take the live cattle export debacle that recently took place, all of the bodies that had a stake in the success of that export process failed to properly monitor what was happening to address those issues. That only came to light when a media organisation went in. There’s a great need for regulators to be more proactive in ensuring that regulations are complied with. The problem is that they don’t have many tools that are capable of providing visibility to the regulators and all the stakeholders. Software has that capability to link them all together.

You have different industry stakeholders – regulators, peak industry bodies that have their own codes of conduct for members, auditing organisations. The ideal would be for everyone to feed in compliance results and audits into a centralised repository that regulators and the peak industry body can access. Each party sees the outputs relevant to them: a given auditor can see the work they’ve done, but not the work of others because they don’t have the approvals. Some industries already do this: this would have been an answer to the cattle export thing, where the regulator can log in and see that audits are up-to-date.

How will software change in the coming years?

There is a need for systems that are more encompassing and enable better communication. Take, say, a bread bun manufacturer. Who buys from them? Coles, Woolies,

George Pantazis, principal consultant, Pan Software

Cloudy thinking and integration

How will emerging technologies impact software?

In the 1960s and 1970s, software was housed in large buildings, costing millions of dollars. In the 1980s and 1990s, a paradigm shift occurred with the PC revolution where software could be installed on individual machines. However, cost benefits with this model were never realised as it introduced its own unique complications and difficulties (remember the ‘Blue Screen of Death’?).

Today we are in the midst of another paradigm shift: it’s called the cloud. You, the user, only require a web browser to access software sitting on the web or ‘somewhere in the cloud’. The jury is still out with this model, as large government departments and corporates are still hesitant to allow critical data to be housed outside of their network. However, this mindset is changing.

The Royal Melbourne Institute of Technology recently announced the move of 740,000 student email accounts to the cloud; in the UK, Westminster Hospital will give patients access to their cloud-based medical records; and, in the US, the Obama administration has announced its cloud computing policy, intended to cut the cost of infrastructure and reduce the environmental impact of government computing systems. Welcome to the cloud computing revolution.

What will be the key innovations that we need to see?

One word – integration. Software needs to help break down the silos which exist in organisations. Although business units may function in isolation, risks certainly don’t!

Having the Compliance department use its own compliance software, the Risk Management department using its own risk management software, and the health and safety team using its own incident management software only helps to promote a siloed mentality. Having software that truly integrates across an organisation will help create a risk-intelligent culture. That shift is paramount if an organisation is to truly gain a true picture of enterprise risk facing the organisation.


Page 33: Risk Management 87


Red Rooster, McDonalds? All of those firms descend on the bun manufacturer to do their annual compliance audits for food safety. The manufacturer gets inundated with several audits that cause downtime, that look at the same things but with different glasses on.

The alternative is a relatively new concept of shared or co-audited business. If there was an accreditation method for the auditors, and the tools/software they use, along with agreement between the parties, a single audit would suffice for different customers, that would cut down on wasted cost, downtime, and provide a uniform process going forward. A system that will provide access for all the players/parties is where the industry needs to go.

There are signs of it happening. There’s a crowd in the US who are starting to promote the concept of shared assessment, but it’s going to happen in a much bigger way. It’s starting – in industries we work with, you’re at least getting all the information being deposited in one place, and if you don’t have a system like that then you don’t have a hope of sharing the data.

What will be the key innovations that we need to see?

One impact of the advance of technology is that it will be possible for audits to be done continually.

For example, you could have an iPhone app; it can fire off compliance requirements at random. You don’t have to have a three-day audit once a year; instead, you have a couple of questions a week, so you can continually monitor the business. The audit requests can come bundled with compliance information, too. You can click on a button and watch a YouTube video about the compliance requirements, and then upload the evidence that it’s being done correctly.

That ability to monitor 24/7, as opposed to rocking up on a given day, is a good thing from a business point of view – you don’t have people slacking off after the audit’s done, or have people cramming two weeks before the audit’s due. If the questions are coming regularly, people are more alert to what they need to do correctly.

Page 34: Risk Management 87

John Cormican and Luke Phillips, Computershare Governance Services

Mobile tech and multimedia

What are the emerging priorities that organisations need to monitor and manage?

An organisation’s risk, governance and compliance strategy is strongly influenced by the legislative and regulatory landscape it occupies. But each organisation also faces its own unique challenges arising from its lifecycle stage. Challenges also arise by the nature of the business itself – companies are faced with maintaining any number of subsidiaries and joint ventures, tax, licences, registrations and other business filings, in multiple jurisdictions.

Managing such a variety of issues can be a juggling act, and if you are doing so from a remote head office, it’s almost impossible not to miss something. To help mitigate the risks of this complex environment, companies need to be continually improving governance policies and monitoring so they can understand their business and its risks.

As a result of compliance and risk becoming increasingly distributed, it is expected the role of intelligent information management systems will help companies cope with these challenges. Application software needs to be flexible enough to meet client needs, and be responsive to legislative change. Practically, this requires utilising wide area networks or development of web-hosted or cloud solutions.

For companies setting their five-year plans, particularly in relation to IT strategy, they can expect continuous change in the enterprise hardware segment. With the meteoric rise of tablet computing, together with the staggering adoption rate of smartphones, business users’ expectations for how, when and where they are able to work have well and truly shifted from the office or home to ‘anywhere’ and ‘now’. The evolution of mobile devices will continue to empower risk management and compliance professionals like never before.

The future promises more of this, as next generation high speed wireless data interfaces enable significantly higher data transfer speeds for emerging devices. Imagine authoring and uploading multiple reports for the board via your dedicated board portal, while sitting in the back of a taxi and simultaneously presenting via video to the board, which sits in a room on the other side of the world.

While it is possible with modern software systems to manage risk and compliance with alerts and prompts, what will improve is useability and access. Over the next five years the applications running on your devices are

Kim Wilson, managing director, and Tarun Philip, sales and marketing director, Tickit Systems

Ease of use and intuitive interfaces

What are the emerging priorities that organisations will need to manage?

Australia has really taken the lead in the compliance and risk space, very often setting the trends. We’ve been highly involved in setting standards worldwide.

However, the priorities that businesses and organisations have will always be the same: ensuring they operate within the letter of the law, and ensuring that they’re doing the right thing by shareholders, employees and the world at large. Recent events such as the phone hacking at News Corporation prove that if you’re not compliant or if there’s even a hint of illegal activity, it can do huge damage to your organisation, irrespective of how big you are. Regulatory compliance has to be rated as one of the top three risks in any organisation, especially financial services and the not-for-profit sector. After all, non-compliance can result in loss of the funding agreement for not-for-profits – and if they lose that, they cannot operate.

More organisations, especially smaller ones, are becoming aware of compliance and becoming more proactive in managing risks. That’s to do with a combination of factors: the GFC, an increasing awareness of liability on the part of board members and more active regulators.

There’s a greater sense of cooperation between regulators and companies, too – moving away from the concept of policing to a more collaborative approach.

How are software and systems evolving to meet and lead these priorities?

Organisations are looking for easier and more intuitive solutions: solutions that people would like to use and that bring the most relevant information. Speed of deployment is important too: firms don’t want months-long projects to roll systems out. They’re also looking for solutions that can be deployed to large numbers of people quickly without large training overheads.

Page 35: Risk Management 87


likely to dramatically improve productivity and efficiency for executives and professionals as data entry becomes automated, reporting tools deliver richer value at the presentation layer, and information is shared quickly, securely and simultaneously throughout the organisation. Consider coordinating it all from your iPad as you go about your daily activities, with a risk dashboard feeding you live data, and knowing you will be alerted of changes outside of agreed thresholds.

How will emerging technologies impact software?

For most organisations the challenge is to collect and maintain information across multiple PCs, network drives and servers – locally and internationally. Although the cost of storage will continue to get cheaper, the cloud presents both an opportunity and a risk. It is also foreseeable that specialised tools enable new ways of communicating by becoming more integrated with mainstream devices, such as providing on-the-fly translation and instant text to speech, all with natural language delivery.

Finally, the adoption of mobile devices has the potential to improve information collection at the micro level. Consider the situation where a local manager gathers direct feedback on the ground and transfers it to head office directly via an application or video feed. This could have considerable impact on remote and dangerous industries, such as mining, where the physical distance between ground employees and head office can be significant.

What will be the key innovations needed?

Current consumer appetite for next-generation devices that integrate form with function are already impacting the enterprise. New integrated and collaborative products and services will help to embed risk and compliance deeper into the organisation. In particular, social engagement and communication will follow from the consumer world into the corporate space, and social media will see its way into business software. Expect software developers to leverage technology from the exploding app markets, enabling users to build useful and functional programs that focus on the user interface.

Whatever the case, governance, compliance and risk management professionals will pursue technology that improves communication and transparency, as organisations seek to monitor, measure and report risk, identify threats and capitalise on emerging opportunities. The good news is that the tools to help solve these challenges are already here and will become increasingly intuitive and provide access to information anywhere in the world.

What’s been really interesting is that a lot of technologies you might use at home – Facebook, travel booking websites and so on – are really easy to use. Business software has taken a little while longer to grasp that concept, and has been significantly behind, so there’s a catch-up game going on. Some of those technologies are coming through, be it customisable dashboards, drag and drop functionality, and activity feeds. That’s all inspired by other advances in the computing space, and that will be a continuing trend. In the next year or so, smartphones and tablets are going to be a very big trend, too. Boardrooms are already using tablet devices, and there’s a trend towards directors/senior managers wanting to see dashboard-style information on a tablet.

Specific business areas will see particular applications: for example, incident management is likely to benefit from the integration of location-based services. Social media is a bit of a question mark in terms of its direct relevance, and there’s a level of reticence from risk managers about social media. The question is how to work with it and integrate it with compliance – and obviously it brings a whole set of emerging risks you need to manage.

Finally, organisations are no longer looking for solutions that are completely customised: they’ve realised that the cost of these are prohibitive; it’s also to their detriment as they may be delayed getting the next update, causing costs to go up. We’re seeing a trend towards configurability – where you can change certain things in the software, but it’s not completely customised for you and no one else.


Page 36: Risk Management 87

Do you know what the reputation of your organisation is? Where are its reputational risks? How do you manage those? How would you manage a reputational crisis?

Yes, this is a test, and you have just failed. Few, if any, companies treat reputation as a strategic issue with the overarching goal of achieving, maintaining and protecting a certain reputation at any cost. Yet every company should. Similarly, few line managers know precisely their division’s role in enhancing and defending the company’s reputation. Every single one should.

Reputational value is as essential to a company as profit, but you’d be hard-pressed to name one company that measures management performance against KPIs for reputational risk management.

Research has shown us time and again that companies with strong positive reputations attract better talent, may be perceived as providing better quality products or higher value customer service, and can often charge higher prices. However, measuring the bottom-line value ascribed to a good reputation is significantly more difficult – until it is damaged.

Reputational damage can result in a very tangible and immediate drop in share value, a loss of sales, of government contracts, of customers or staff. The company may lose the right to operate in certain jurisdictions. In some cases, the reputational losses can be so great the company will cease to exist.

Damage control

Dire consequences

Take Arthur Andersen as an example. Founded in 1913, by the late 1990s the accounting firm employed 85,000 people. By 2000, it was one of the world’s leading accounting firms. Then there was the collapse of Enron due to accounting fraud. As Enron’s auditor, the reputational losses were insurmountable – as a direct result, Arthur Andersen does not exist today.

Reputation management is usually relegated to the public relations department as a branding issue. It shouldn’t be. It is front and centre a board-level risk management and strategy issue.

It is the one function that involves every aspect of the business; every single employee.

Do not confuse brand strength with reputation. Where a corporation does so, and seeks to trade on the brand while making errors of judgment that could result in a negative impact on its reputation, the reputational risks become exponentially greater.

BP – one of the biggest, strongest brands in the world – is now one of the most maligned corporations for precisely this reason. Officially standing for British Petroleum, BP became the acronym for its advertising slogan Beyond Petroleum, with BP selling itself as the greenest, kindest, nicest oil company in the business. Today, BP is more likely to stand for Biggest Polluter.

It still has one of the strongest recognisable brands in the world, but it now also has one of the worst

A reputation is hard to build – and easy to destroy. Alex Harris looks at the damage that can be done in times of crisis and how best to manage the significant risk this constitutes

Page 37: Risk Management 87

Feature / reputational risk

reputations in terms of safety, environmental care, and PR spin in the face of a crisis.

Public persona

Reputational risk is widely defined as the gap between stakeholder expectations of corporate behaviour and our experience of it.

It is one thing to create wealth for shareholders, but never underestimate the power of your stakeholders and their expectations of your organisation. Those expectations can be difficult to manage for several reasons:

• The harder companies push the public relations spin to build up community perceptions over time of just how great thou art, the harder it is to overcome

Measuring the bottom-line value ascribed to a good reputation is difficult – until it is damaged

Page 38: Risk Management 87


reputational damage in the event of crisis as stakeholder expectations exceed corporate capacity to meet those expectations

• Stakeholder expectations are a moving target; they change over time as societal values change. What was acceptable corporate behaviour 20, 10 or two years ago, in many instances isn’t today

• Companies are no longer in charge of the message. Consumer-generated media – blogging and social media sites – take on a mantle of credibility and enjoy expedited viral distribution not extended to the company by an angry public in the event of reputational damage.

While risk managers address hazards, the public responds to factors that prompt outrage. According to the International Public Relations Association, outrage is the combination of factors that drive fear, anger or distress about an event or behaviour.

News Corp is today discovering the meaning of public outrage over Britain’s News of the World phone hacking scandal. Unrelated business units, newspapers in other countries that may well have never erred in adherence to a high standard of ethics, the entire company and indeed all media companies, are now tainted and under scrutiny in multiple jurisdictions.

Already, News Corp has had to close News of the World, its most profitable Sunday paper in Britain, and bow out of the BSkyB takeover, which was the biggest deal in the corporation’s history.

Reputation management

You can insure against fire, employee fraud and faulty products. You can manage liquidity and foreign exchange risks. You can create or purchase financial instruments that protect the company from almost all risks and can recover from almost all disasters, but few companies approach reputational risks with the same rigour – until they suffer a reputational disaster.

While some companies have crisis response plans, these tend to:

• focus on major single events
• be outdated
• be unrehearsed
• assume the crisis will occur in normal working hours when all its key executives and trained operatives will be available. Crises rarely do.

Almost all crisis response plans tend to focus on major events of the physical kind, rather than reputational crises such as those faced by Arthur Andersen in 2001, and by News Corp and Tiger Airways today.

Reputational crises are most often not the major ‘non-escalating’ single contained event planned for, but the minor failure, the small oversight; something one would describe as a situation rather than a crisis. But through ignorance of reputational risk or mismanagement it becomes a major and escalating reputational crisis requiring skilful management.

The kicker is that in all the cases mentioned above and others, the situation was avoidable.

Tiger Airways did not suffer a major crash with hundreds dead, yet its business may be grounded beyond the CASA-mandated month. While it scrambles to meet the regulatory requirements of improving pilot training and safety procedures, the real and lasting damage is reputational. Who will fly with them now?

Protecting corporate reputation through a crisis is critical, but not all corporations have a handle on the nature of prospective reputational crises. Most boards assume the public relations department has this under control. Few PR departments do. PR tends to be ‘good news’ focused and ill-prepared for managing bad news. Many public relations consultants will advise clients to say or do nothing, promising the bad news will go away.

Rescuing your reputation

In the event your company has a misstep and finds itself on the wrong side of public opinion:

• Do your best to understand what the public’s concerns are and will be, and address those concerns directly. Show you care, but more importantly, care.
• Preparation is vital. Ensure your executives receive regular media training and rehearse key messages, particularly in the event of crisis, so they don’t stumble or freeze with cameras and microphones in their face. The pressure in crisis circumstances can be extreme.
• Do not run from the press. Accept interviews, answer questions, take the criticism, accept responsibility. Silence, denial and cover-up have no place in reputation management.
• Apologise early and often, even if what your company did does not seem to you to be so bad. It is to others. It is not what you think that matters.
• Be sure that any information you release to the media or the public is utterly truthful. If something you say is false, your corporate and personal credibility will be damaged irreparably.

Page 39: Risk Management 87

Communication and human behaviour are the expected failure points in crisis response, as indeed they are in the case of News Corp’s ongoing reputational crisis response.

This issue has been simmering since the 2006 arrest of the News of the World royal editor on charges of phone tapping. Questions were asked about the paper’s journalistic practices then, as the net of victims was shown to be considerably larger than just the Royals. Far from responding as the public expected, News Corp executives deflected criticism to “rogue” elements, covered up the full extent of corporate knowledge of the hacking practices, and more recently, James and Rupert Murdoch initially refused to attend parliament to answer questions. They have since capitulated, but the damage was done.

The company did not respond to the 2006 allegations with the gravity and humility required then; it is only just beginning to do so now, with Rupert Murdoch’s soft interview with the Wall Street Journal on 14 July (his first public comments on the matter) and subsequent full-page advertisements apologising.

With no further arrests between 2006 and 2011, the bad news had appeared to go away. But far from stopping the behaviour, the hacking into voice mail accounts, tapping of phone calls and paying police for information increased and flourished.

In December 2010, lawyers for actor Sienna Miller received information that showed her, her friends and family were victims of phone hacking by News of the World journalists.

On 6 April 2011, the paper’s chief reporter, Neville Thurlbeck, and its former assistant editor Ian Edmondson were arrested on suspicion of conspiring to intercept mobile phone messages. Despite claiming for five years that the hacking of 2006 was confined to a sole reporter, News Corp was forced to admit that the practice was rife at the News of the World, and it then offered payment of compensation to victims. No one was fired; still no executive accepted responsibility.

This is what the public wants. Public accountability; some backbone; someone to step up and admit responsibility with genuine contrition and honesty. Yet, in the three months between April and July 2011, News Corp tried to contain the damage with the very people responsible for it.

News Corp’s fall from grace is relevant to all businesses across all industries. Here is a media-savvy company, completely at sea with the concept of reputation management.

It is entirely possible that News Corp, as we know it, will not survive the full frontal assault of public outrage that continues to grow in Britain, the US and Australia. The succession plan Rupert Murdoch had for the group with James Murdoch’s April promotion will not come to pass: I suspect that, if News Corp remains intact, it will not be managed by a Murdoch.

Some people assume that bad things only happen to big companies, but reputational crises are indiscriminate. Whether yours is a multinational company in New York or a privately-owned company in regional Australia, or anywhere in between, how your company behaves, specifically in relation to expectations of it, over time and in response to a crisis, is paramount.

Companies face reputational risks all the time – product recalls, plant closures and staff cuts, tainted products, having senior staff with criminal links, cover-ups of wrongdoing, a company leader making a poor personal decision and so on.

Very often, it is not the original situation or crisis that brings the company down, but how the company responds. Silence, denial and cover-up – the three most recommended PR responses – are the three greatest risk factors in a reputational crisis. The more of each applied, the greater the reputational damage caused.

Effective crisis communication can make a big difference to a company under siege, but the key issue is to manage reputation as a strategic objective.

Alex Harris is the author of Reputation at Risk, a freelance writer and speaker on reputational risk, corporate social responsibility and business ethics, and editor of Reputation Report (www.reputationreport.com.au)

Page 40: Risk Management 87

Feature / insurance


The recent spate of natural disasters in Australia and overseas aren’t just disrupting business, they’re also exposing holes in the insurance cover of organisations. Charles Beelaerts investigates

Page 41: Risk Management 87


Recent natural disasters around the world and within Australia have been sufficiently significant to place continuing upward pressure on an insurance market already on the brink of hardening.

Over the last two years, Australia has been affected by a series of natural disasters including storms, cyclones, bushfires and floods. According to Aon Risk Solutions the cost of the recent floods in Queensland, Victoria and New South Wales is expected to reach $20bn – making it the most expensive natural disaster in Australia’s history.

Internationally, the last 18 months have seen major earthquakes in Chile, Haiti, New Zealand and Japan, with all except Haiti occurring in countries with above average insurance presence. According to risk and insurance advisor Jardine Lloyd Thompson, Swiss Re estimated the damage bill from the Christchurch earthquake to be US$6bn–US$12bn, while the World Bank has estimated total economic losses from the Japanese earthquake and tsunami to be as high as US$235bn. An estimate of this magnitude ranks the Japanese disaster as the costliest on record.

Never knowingly underinsured

As a consequence of these disasters, many businesses have found that they have been underinsured – or that they had no insurance cover at all. In some cases this was intentional, but in other cases companies found that they were not covered for all contingencies.

The disasters that have taken place not only impact on property and regular business functioning. Organisations should also consider the broader impact on other assets such as stock in the course of transit, like marine cargo, motor fleets, plant and crop insurance. Richard van Velzen, executive director at Jardine Lloyd Thompson, has seen “many instances where underinsurance, or no insurance, in these peripheral areas has had an equally devastating impact on insureds that have not paid as much attention to them as they ought”.

Van Velzen adds that companies also need to consider the impact on their debtors affected by natural disasters: “If an organisation is exposed to a large client or a large number of clients situated in vulnerable regions, then they run the risk of incurring bad debts or protracted payments,” he says.

Chris Nelson, regional head of global specialties at insurance broker the Willis Group, says that business interruption periods are one of the current hot topics.

“Insureds have found that coverage in these areas has been insufficient following some recent disasters,” says Nelson. This is because periods have been estimated on a single event, such as loss to their premises, but they perhaps have not factored in a localised disaster where resources are slim and when, for instance in Christchurch, site access may not be obtainable.

Nelson adds that indemnity periods start from the day the loss occurs, not from when repairs or replacements commence, and comments that factors to consider include:

• time to demolish
• agreed plans
• consent
• access to sites
• reinstatement
• specialist plant
• replace staff, and
• regain full production/customers

Paul Venning, national general manager for corporate at Aon Risk Solutions, points out that an area where standard insurance policies are generally not responsive is where the interruption to the business did not result from property damaged at the insured’s site.

“Typically, these losses result from situations like difficulty in access, or suppliers and customers being impacted, but no direct damage to the insured’s property. It is vital then to identify the exposures that exist in respect to these contingencies.”

Flood damage has been the source of a good deal of grief in Australia recently and a problem with insuring for it is that it is not often a standard inclusion in insurance policies. Nicholas Scofield, general manager for corporate affairs at Allianz Insurance, says that the nature of flood is that it is a risk that is only suffered by a very small proportion of businesses or households.

“If you do not have flood insurance as part of your property damage cover, then if your business is interrupted and you cannot trade because of a flood, your business interruption insurance will generally not respond,” he warns.

Sufficient cover

In addition to ensuring a company has the right types of insurance for their business needs, it is important that the amount of insurance remains adequate at all times.

QBE Australia’s chief risk officer, Jason Brown, says that it’s important that physical assets are properly valued and reflect replacement costs, that all types of assets are included in the insurance values, and that the limits of the insurance policy will be sufficient to meet the legal obligations and other liabilities that the business could incur.

Page 42: Risk Management 87

The risk of not having sufficient cover is that you may be faced with catastrophic loss and bankruptcy. Scofield cites an Allianz survey some years ago that showed if small businesses had a major insurable event at the time, around 50% of them would not have survived it.

“They would not be able to continue to trade: even though they have property insurance and they might have cover to replace machinery, stock and their building, they did not have business interruption insurance and for that reason they would not be able to trade for a few months,” he says.

Venning recommends scenario testing as a means of ascertaining any gaps in insurance coverage.

“If you need cover for uninsured events and the cost is high it is prudent to look at a higher limit with larger self retentions – to the extent that you can carry these retentions,” he comments. “The position to be avoided is discovering areas of under- or no insurance after the event.”

He adds that to recover from a natural disaster, it is just as vital for an enterprise to have a well-developed and tested business continuity plan as it is for them to have insurance.

Exactly how much coverage is adequate will depend on an organisation’s exposure to disasters; the preparedness and confidence an organisation has in its property risk mitigation and business continuity plans; an organisation’s risk tolerance; competition in the insurance market place; and the recognition that the purchase of insurance is the final stage in a considered risk financing strategy.

In relation to property risk mitigation and business continuity planning, van Velzen cites a client in the food industry in far north Queensland who made a conscious decision to diversify risk by investing in other states and locations, thereby reducing their dependency on exposed locations. They have also invested in racking and forklifts to raise produce well above flood levels, as well as an additional mobile electricity generation plant to provide them with the capacity to refrigerate stock in the event of a long-term power failure.

There are some companies carrying varying levels of uninsured loss flowing from the recent natural catastrophes, mainly associated with supply chain exposures that have not been adequately insured.

“Assuming companies had their property valuations up-to-date then the property losses should not be problematic, but business interruption losses are not as straightforward,” says Venning. “There are elements to these losses that are not universally offered or purchased – particularly in relation to the impact on others in the supply chain that has a flow-on effect.”

It needs to be emphasised that insufficient insurance cover can cause business failure, but even where it does not, it could dramatically impact on the profits of the company and its future viability if an event occurs that a business has no insurance protection for.

Most vulnerable areas

It is difficult to identify any particular type of business that tends to be hit worse by a natural disaster, as losses manifest themselves with great diversity and can impact businesses quite differently. Venning says physical location is the key element when considering riverine flood or cyclone, while storms and bushfires are more random and therefore more difficult to foresee.

Van Velzen identifies companies with little risk diversification as being the hardest hit – for example, a single retail store in the heart of a population greatly impacted by a major event with little access to funds to see them through a shortfall in trade, or those already trading at very low margins.

The nature of a disaster has a strong bearing on company losses. In Queensland some businesses were able to recommence trading after a relatively short delay. On the other hand, the Christchurch earthquakes basically shut down some businesses indefinitely, with parts of the CBD still closed and a large percentage of the population – their customer base – never to return. Many retail businesses in or near the CBD have not reopened.

How to secure the right insurance for the right price

• Work closely with your insurer or broker
• Start the process of renewing your cover early
• Be prepared to take longer to complete the renewal process
• Recognise that the level of cover you enjoyed previously for certain perils will be more difficult to obtain
• Be prepared and allow for cost increases
• Think carefully about your risk information – be able to verify the particulars of your structures, including age, construction, compliance with building codes etc
• Where possible ensure property underwriting surveys are up-to-date and accurate
• Consider and demonstrate to insurers that you have measures in place to mitigate the financial impact to your business in the event of catastrophic natural perils. Examples might include documented business continuity plans, considering alternative manufacturing sites, alternative suppliers, and data restoration procedures

Page 43: Risk Management 87

Van Velzen also identifies the speed with which basic infrastructure can be repaired, such as water and electricity supplies, as having an impact on businesses dependent on such services.

“One should not lose sight of the mindset of the owners or managers of affected businesses,” he says. “In certain circumstances, some business owners claim they have rebounded stronger than ever, taking the opportunity of a severe loss or disruption to their business to change an ailing business model. Others in similar circumstances have simply folded, lacking the energy and personal drive to resume business after a major calamity.”

It is important to consider scenarios when considering insurance in the face of natural disasters.

“Businesses face a great number of potential perils and the recent catastrophes have highlighted the potential for weather events to occur outside of our control,” adds Brown. “A business may not be able to trade for months or even years after a significant catastrophe event and it is important that those realistic disaster scenarios form a part of the thinking when placing insurance.”

Insurance costs

The natural disasters in Australia have placed continuing upward pressure on insurance premiums. In addition catastrophes such as the Japanese and Chilean earthquakes and storms in the US and Europe might also affect Australian insurance premiums.

Insurers are backed by reinsurers – they rely on reinsurers for their capacity to limit their exposure to natural catastrophes.

To recover from a disaster it is vital for an enterprise to have a well-developed and tested business continuity plan

Page 44: Risk Management 87


“They also have what’s known as a catastrophe retention,” says Venning. “This means that, while the bulk of the recent claims were paid by reinsurers, insurers can incur large accumulated losses where multiple events occur in a given year. Reinsurers adjust their prices according to loss experience, and as they operate globally, events around the world can have a local impact.”

There has been a significant increase in the cost of catastrophe reinsurance in the June renewal. Risk adjusted premiums in Australia increased by 15-50%, while in New Zealand they increased by 50-400%. The expectation is that the increase in reinsurance costs will be reflected in increasing property insurance rates, especially for risks located in places considered to be more highly exposed to natural perils. Cover for flood and earthquake-related losses may also become more restricted in some areas.

Van Velzen says that two prominent insurers have stated that they are looking for average rate increases of 10-20% across their property portfolios, with one citing a 50% increase in their reinsurance costs as the reason. Scofield comments that the premium for flood cover for an average property in a high risk area can be extremely high and in the case of a house, prohibitive.

The type of business

The only class of insurance under pressure so far is property, although the impact may eventually flow on. How this pressure will translate into cost depends to some extent on the category of the business seeking cover.

Where business premises are located in an area classified as a catastrophe zone some underwriters are charging an additional premium – known as premium loading – or introducing a lower sub-limit of liability on a particular catastrophe risk. For example, if a factory in a flood prone area burns down, the insurer might pay out the full limit of liability of $250m. If it is destroyed by flood the insurer will only pay to the maximum designated sub-limit of liability of flood – say, $50m.

There are also inconsistencies in terms of excesses. In many cases, there has not been any change whereas on some accounts there has been a significant increase in excesses. This is likely to reflect the individual risk profile, loss experience and level of risk management in place. Insureds with a very poor claims history can generally expect to pay more.

For very large enterprises, premium volatility can be more challenging. Some manage this by setting up a captive insurance company – a company that provides insurance solely for their organisation. This enables them to retain risk at a comfortable level and also to smooth out the way risk premium is distributed, making costs more predictable.

Rates for corporate clients are following a similar pattern, varying from rollover terms to a rise of 10%, while in the commercial sector insureds are seeing that normal business is subject to a 5-10% price variance (either plus or minus) on expiring premium terms.

One factor keeping pricing down is the continuing influx of new insurers into Australia. Those entering from areas hit with fewer claims are able to offer competitive rates that negate attempts by some local insurers to increase their premiums.

Keeping costs to a minimum

While the trend is towards higher premiums, there are steps all companies can take to mitigate any increases.

When the market is fluctuating and changes are likely to be for the worse, insurers tend to become much more thorough when they’re doing their reviews. They are also likely to take longer to make their decisions – for instance, there may be a higher level of sign off, with applications having to go back to head office for approval. All of this takes time and you need to be conscious of that. Any creep in agreed time lines could work against you.

Larger corporations should also allow time to develop a meaningful relationship with their insurers.

“If the need arises for complex negotiations, it’s likely to have a much better outcome if you’re more than just a name,” says Venning. “Your insurers will also be in a better position to meet your needs if they know you, your business and how your business operates.”

An appropriate limit

Markets harden for a number of reasons but it’s fair to say that there are specific triggers for change. If you think about our own region you need look no further than New Zealand and the tragic earthquakes they suffered in 2010 and 2011.

In Australia, there has been a significant increase in the cost of catastrophe reinsurance in the June renewal

Page 45: Risk Management 87

Key points

• The insurance market place has been bruised by a spate of natural disasters, both in Australia and internationally.
• Many companies have found they have been underinsured or in some cases have no insurance at all. This is especially so with regard to business interruption insurance.
• Flood insurance is not usually a standard inclusion in property damage insurance.
• It is important that insurance is kept up-to-date through regular reviews.
• Approximately 50% of companies do not survive a catastrophe because they do not have adequate business interruption insurance.
• The level of cover needed depends on a range of factors including exposure to disaster risk.
• Similarly, a range of businesses are vulnerable to disasters and it is difficult to single them out except to say that those with little risk diversification are hardest hit.
• Reinsurance costs increased markedly in Australia as a result of the June renewal and more so in New Zealand.
• There has been an influx of new insurers in Australia recently, which to some extent counterbalances increased cost pressures.
• It is important to have quality risk management procedures in place when seeking favourable renewal terms.

As a result insurers looking to restrict their own exposure to earthquake in New Zealand will do this by withdrawing capacity from the region and charging more premium for the risks they continue to cover.

Insureds can lessen the impact of premium increases by understanding their true exposure to earthquake. This type of analysis is readily available and can give real insight to how much damage would actually occur in an earthquake.

By reducing the amount of earthquake cover purchased insureds can reduce their overall premiums. The same philosophy would equally apply to other natural catastrophe events such as flood and windstorm.

An appropriate excess

Not every insurer is asking for a higher excess but, in a hardening market, it is better to be prepared.

Insureds need to take the time to understand their real risk tolerance: “When you’re buying car insurance, for instance, you might be tempted to choose a high excess in order to bring down the monthly payments, but if you have an accident and can’t pay that excess the insurance is worthless,” says Venning.

“You need to choose your excess on the basis of what you can realistically afford, and corporations should do the same thing. If a corporation has no headroom in their balance sheet when something goes seriously wrong the effects could be far reaching and very damaging in terms of reputation and even share price.”

While a good relationship with one insurer works well for large organisations, smaller companies are more likely to benefit by exploiting the competitive marketplace. However, gathering and comparing quotes takes time; once again, leaving insurance renewals until the last minute could prove expensive.

It can pay to understand what insurers are looking for. “An insurance contract is based on mutual trust – that the insurer will pay if something goes wrong and that the insured is taking reasonable steps to prevent things from going wrong,” says Venning. “If you demonstrate that you have quality risk management procedures in place, show that you’re taking all reasonable steps to minimise risk and are transparent about how you run your business, you will always be in the best position to get a good price.”

Page 46: Risk Management 87

Sector focus / Mortgages

On shaky ground?

The Australian property market is in the doldrums after surviving the travails of the GFC: what are the biggest risks to the money men financing home lending? Risk Management canvassed leaders from various parts of the industry to find out

The non-bank lender’s view

Steve Sampson, head of distribution – lending, Provident Capital

1. Not adhering to responsible lending or consumer credit guidelines

With the recent implementation of National Consumer Credit Protection (NCCP) regulations, there are clear guidelines which are designed to ensure the consumer is protected against ‘shonky’ lenders or brokers, and that loan products are ‘tested’ against the consumer needs. More than 40% of home loans are introduced to lenders by mortgage brokers: if the mortgage broker is not compliant with responsible lending, then the lender can indeed be tainted by the actions or inactions of the broker.

2. Customer identification

Identity fraud is rife. The cost of identity theft to Australians is reported to be $3.5bn per annum according to the NSW Crimes Commission and one in four Australians have been affected by identity theft. This is a major risk for the industry.

3. Control of property valuations

Allowing borrowers or intermediaries to present their own instructions to a valuer is riddled with strife. It can open up an avenue for desperate attempts by parties to secure mortgage funds, particularly in markets that are not performing well or in situations involving ‘off-the-plan’ purchases.

4. Dealing with licensed/authorised intermediaries

Lenders, under NCCP, can only deal with intermediaries that are licensed or are a credit representative of a licensee. Each accreditation to deal with the lender must be fully investigated.

5. Borrowers not telling the truth

Not divulging full information on loan applications, such as the number of dependents, current debts or credit defaults. These affect credit decision-making.

Page 47: Risk Management 87

The broker’s view

Dean Rushton, chief operating officer, Loanmarket

1. Barriers to entry

The average age of the broker industry is increasing and we are at risk of slowly losing touch with the next generation of homebuyer. We need to get more youth into the industry, and develop ways to market our industry as a genuine career path.

2. Bank controls

Banks having increasing control of broker market share and aggregator ownership is a major concern.

Clients originally used brokers because they assisted in driving competition and saw us as ‘keeping the banks honest’. If we allow that sentiment to die, we have done our industry and the Australian population a disservice.

3. Economic viability

Commission cuts and extended clawbacks are making mortgage broking business less profitable. Larger businesses are downsizing: many brokers are ‘going it alone’ again, and moving back to home offices to reduce costs. If this trend continues, it will become harder to earn a living, resulting in fewer people coming into the industry.

4. Trail book recycling and lead generation

Too many brokers have been relying on refinancing and dealing with their large trail books (existing customers) during the GFC period. We need fresh customer bases to be a priority. Large numbers of new clients, on top of providing great service to existing clients, need to be a priority again. Only with new customers will our industry take steps towards improving market share.

5. Over-diversification

Many brokers who struggle to attract new clients to their customer base have been allured to the ‘mega-multi-skilling’ ideals of many suppliers, and have launched into diversification strategies to earn more money from every client and provide a broader service.

Whilst this is a great idea, it can go too far. We now have brokers selling financial advice, mortgages, insurance, property and equipment finance – and pertaining to be a specialist in all areas. Where will this end? Have we gone too far? Have we been ‘sold’ on more income-producing strategies because we were vulnerable throughout the GFC? I don’t think we know yet. However, as a mortgage broking industry we need to remember what our core service is.

The aggregator’s view

Mark Haron, principal, Connective

1. Lack of credit growth

Today’s contracted lending market has led to the four major Australian banks now fighting for each other’s customers via price wars and big budget marketing campaigns.

While at first glance this would seem to benefit Australian borrowers, it may actually work to their disadvantage in the longer term because the non-bank sector can’t afford to discount to match the majors. The likely end result will be a less competitive market.

2. Government legislation

Through legislative intervention, the Gillard government is implementing measures such as banning exit fees in order to stimulate competition. The unfortunate reality is that this particular measure will actually have an opposing effect as it increases the costs for non-banks who rely on exit fees in order to remain competitive on rates.

3. Third party conflict

With over 40% of all mortgages being written through the third party channel, banks are concerned they don’t have as much control over their own businesses so they are attempting to mitigate the risks by buying the broker channel. This is evidenced by CBA buying into Aussie Homeloans, NAB acquiring Challenger (these two acquisitions represent over 40% of all brokers) and Macquarie owning parts of AFG and another aggregator.

4. Industry regulation

While regulation of the finance industry under the recently-implemented NCCP Act is positive for the sector, the costs associated with implementing it remain an issue. Further, the impact of lost productivity as lenders and brokers adjust can’t be underestimated.

While it’s important that the sector operates under a set of governing rules and obligations, it’s equally vital that it isn’t overburdened with bureaucracy.

5. GFC2

The financial woes of Europe, led by Portugal, Italy, Greece and Spain (PIGS) could cause major disruption to international funding markets. Any further tightening of credit markets will likely cause major issues locally, from failed businesses to a possible collapse in the housing market. Most major lenders have worked to mitigate the associated risks by adjusting their balance sheets, having raised cash through deposits.

Page 48: Risk Management 87

news / careers

Demand for risk, compliance and audit professionals on the rise

Hiring of risk, compliance and audit professionals is expected to increase in the coming few months, according to the latest quarterly market update released by recruitment consultancy Robert Walters.

According to the update, corporate/wholesale banking teams will lead the demand for compliance professionals, due to the continued interest from foreign banks looking to enter the Australian market. In addition, organisations will also look to expand their equities compliance and investment banking risk management/audit teams.

Mark Reece of Robert Walters said the strong demand for specific skillsets will mean the market will remain candidate-short in the areas of corporate/investment banking compliance, technical credit risk, equities compliance, regulatory compliance and investment banking audit/operational risk.

“These professionals will be most in demand due to the nature of the organisations who will be doing the hiring, particularly those new businesses entering the Australian market needing assistance with the licensing process and the implementation of compliance frameworks,” he said.

“As a result, they should also be able to command higher salaries, especially those with strong local regulatory knowledge relating to licensing and Australian equities.”

The update also reports that hiring may begin to stabilise towards the end of the quarter with the approach of bonus rounds for local banks.

Page 49: Risk Management 87

Risk: the new ‘sexy’ job in banking

Risk is the new “sexy” job in the UK, says a report in the UK’s Financial Times.

In the aftermath of the GFC, banks’ attitude to hiring has changed, with more and more banks hiring for positions within the risk management team. Roles such as traders or investment bankers are no longer in such demand. And with increased scrutiny on executive pay, bankers’ bonuses and the uncertainty around the industry’s future, the once highly-paid roles are no longer so attractive.

“The first year [after the crisis] was one of survival, the second rebuilding and now institutions are thinking about what the model will look like in five years,” Simon Hayes at recruitment consultancy Odgers Berndtson told the Financial Times. “But they are quite circumspect and there is still a high degree of uncertainty about what they will and won’t be able to do. Why would they rush out and hire unless they are sure they have to?”

As a result of this, banks are looking to hire well-trained risk professionals to help navigate the changing business environment.

“Banks want to protect their market share but they are realising it is a harder environment in which to make money,” said Hayes.

UK headhunters have noted that one area in which banks cannot afford to cut back is risk and regulation. This has been evidenced through recent hiring activity.

The role of chief risk officer, for example – once seen as something of a technical outpost within large institutions – is now very much in the spotlight.

To fill these roles, banks want to hire more rounded individuals who do not just have the required technical knowledge but are sufficiently strong managers to challenge decisions taken by the most senior executives.

Generally, risk officer roles now come with a seat on the main board – a perk that was almost unheard of before the financial crisis – and so are commanding much higher salaries.

According to the report, some headhunters estimate that risk officers have benefited from salary rises of between 40 and 80% in the past couple of years.

Furthermore, other previously lower profile areas of risk management are also gaining in importance. Managing market risk – or banks’ exposure to certain types of investments – has typically been a more desirable and highly paid area, but headhunters say that overseeing the operational challenges of day-to-day business is now becoming more popular.

Another technical area becoming more desirable since the crisis is transaction banking – the segment of the industry that provides services such as cash management, trade finance, securities custody and card payments.

While not traditionally viewed as one of the most exciting business areas, transaction banking services provide a stable and steady income stream. Their reliable fees and comparatively low levels of required capital mean they can yield high profits.

“It is less cyclical, there are a smaller number of global players and they have opportunities to differentiate themselves,” said Hayes.

Page 52: Risk Management 87