European risk and corporate governance solutions
www.strategic-risk.eu [ May 2011 ] Issue 70 €25

NEWS & ANALYSIS » Benefits of a healthy workforce » Egypt’s road to recovery » Risk managers’ cyber fears »

VIEWPOINTS [ PEOPLE ] Nicola Harvey of Christie’s and Coca-Cola Hellenic’s Adam Greene share their views on the risk management career path

RISKS [ THREATS ] Breaking a UN sanction could mean a hefty fine and having your profits seized. And the risks are likely to escalate as political volatility rises

GOVERNANCE [ COMPLIANCE ] Everything risk managers are expected to know about the Bribery Act as it is finally enforced

THEORY & PRACTICE [ BEST PRACTICE ] Cyber theft is a fast-growing threat. Here are 10 things that risk managers need to do now

NUCLEAR FALLOUT: The mistakes that almost caused a meltdown and what it means for risk managers everywhere

Trouble at the top: Success can breed behaviour that creates risk

Risk financing: The options for transferring natural catastrophe exposures
Page 1: StrategicRISK May 2011


Page 2: StrategicRISK May 2011
Page 3: StrategicRISK May 2011

www.strategic-risk.eu [ MAY 2011 ] StrategicRISK 1

LEADER [ MAY 2011 ]

Editor Nathan Skinner

Editor-in-chief Sue Copeman

Market analyst Andrew Leslie

Group production editor Áine Kelly

Deputy chief sub-editor Laura Sharp

Group sales director Tom Sinclair

Business development manager

Donna Penfold +44 (0)20 7618 3426

Redesign Joe McAllister

Production designer Nikki Easton

Group production manager

Tricia McBride

Senior production controller

Gareth Kime

Head of events Debbie Kidman

Events logistics manager

Katherine Ball

Publisher William Sanders

+44 (0)20 7618 3452

Managing director Tim Whitehouse

Cover image Jamie Sneddon

Email: firstname.surname@newsquestspecialistmedia.com

ISSN 1470-8167

Published by

Newsquest Specialist Media Ltd

30 Cannon Street, London EC4M 6YJ

tel: +44 (0)20 7618 3456

fax: +44 (0)20 7618 3420 (editorial)

+44 (0)20 7618 3400 (advertising)

email: strategic.risk@newsquestspecialistmedia.com

StrategicRISK is published eight times a year

by Newsquest Specialist Media Ltd., and

produced in association with Airmic (the

Association of Insurance and Risk Managers).

The mission of StrategicRISK is to deliver the

latest risk and corporate governance

solutions to key decision-takers in UK and

European companies.

StrategicRISK is BPA audited with a net

average circulation of 10,046, June 2010.

For all subscription enquiries please

contact: Newsquest Specialist Media, PO Box

6009, Thatcham, Berkshire, RG19 4TT, UK

tel: +44 (0)1635 588868

email: [email protected]

Annual subscription (incl P&P)

£249 €399 $499

Two-year subscription

£449 €649 $849

Three-year subscription

£427 €663 $821

Printed by Warners Midlands Plc

© Newsquest Specialist Media Ltd 2011

Issue 70 May 2011 www.strategic-risk.eu

WELCOME

Nathan Skinner, EDITOR,

STRATEGIC RISK

Making connections

Risk interconnectivity – the link between one risk and its effect on a host of others. It’s one of the hardest things for risk managers to come to terms with. But as organisations increasingly try to prepare for the consequences of risk (rather than influencing whether or not they arise in the first place), it is even more important for them to understand how one thing affects another.

Trying to map every single risk linkage throughout an entire organisation is a life’s work in itself, but offering insights into the knock-on effects of certain developments in conjunction with other company risks can provide a useful strategic advantage.

Understanding the direct and indirect links between risks can help companies seize opportunities. Take the rising significance of climate change and the link with water security. A lack of access to water can have a huge number of effects and the repercussions can reverberate globally. Extreme stress on clean water supplies can lead to food crises, for example, or the spread of disease. Or it can contribute to political instability. But of particular economic significance is the use of large quantities of water in the production of oil. If sufficient water is not available, oil production will decrease and operations will be interrupted, which could significantly affect global oil supply and prices.

These new challenges are stimulating innovative business ideas. General Electric (GE) has been quick to use its engineering expertise to help the oil industry reduce water use. Saudi Arabia, one of the Middle East’s fastest-growing economies, faces a growing demand for water to feed its massive oil production, but water is scarce. Therefore, the Kingdom has mandated that 11% of its water should come from treated waste supplies and so GE is turning its attention to water reuse technology.

That’s just one example of the link between risks. To learn more, search ‘risk interconnectivity’ at strategic-risk.eu for our infographic mapping the connections between 37 different global risks. Or download a copy at goo.gl/ep2kL. SR

[CONTACT THE EDITOR] Email [email protected] or follow me at twitter.com/StrategicRISK


Page 4: StrategicRISK May 2011

CONTENTS [ MAY 2011 ]


Risks
[ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]

22 Breaching the boundaries
The number of sanctions in place makes sticking to the rules a minefield. How do risk managers get to grips with the issue?

24 RISK FINANCING: Catastrophes
Even if you escape the direct effects of a disaster, you could still be impacted

26 Trouble around every corner
We are living in interesting times indeed, but what do risk managers make of it all?

28 RISK ATLAS: Cyber crime
An infected web page is found every 4.5 seconds. Which countries are playing host to the world’s malware?

Governance
[ ETHICS ][ COMPLIANCE ][ REPORTING ]

31 Taking responsibility
The Environmental Liability Directive focuses on the repercussions of polluting, and why you need to protect yourself

34 It could be you …
The new Bribery Act will make directors of companies liable for the corrupt practices of their companies – this time it’s personal

Theory & Practice
[ INSIGHT ][ CASE STUDIES ][ BEST PRACTICE ]

36 The building blocks of risk
When a business grows, how do you scale up the risk management side of things?

37 How to manage environmental damage
Six steps to ensure that your company’s exposure to eco-damage is minimised

38 Strengthen your defences against cyber attacks
Your business’s prized intellectual property may be at risk from hackers or rivals

News & Analysis
[ THE LATEST BUSINESS ROUND-UP ]

4 The Best of the Web
The biggest stories online, including a cyber defence service launch, Middle East water security and violence in Syria

6 Risk Indicator
The companies fighting the malaise of employee absenteeism, the biggest US sanctions settlements and the Fukushima threat put into frightening perspective

8-10 News Analysis
How quickly can democracy in Egypt lead to wellbeing in the country?; The growing wave of cyber crime that is costing billions

12 COVER STORY: News Feature
The disastrous events of 11 March in Japan and subsequent nuclear fears must teach us not to just be prepared, but to be very prepared

Viewpoints
[ PEOPLE ][ OPINION ][ COMMUNITY ]

15 Ahead of the pack
Coca-Cola Hellenic’s group risk manager Adam Greene tells us how he looks beyond the statistics to the psychological factors influencing risk

17 Ripples from Japan spread worldwide
There are few electronics-based businesses that do not source some products from Japan, and the knock-on effects of the disaster will continue to be felt

18 The gentle art of persuasion
Christie’s group director of risk Nicola Harvey on the sometimes misunderstood and isolating life of the risk manager

40 Headspace
Igor Mikhaylov of Russia’s Mobile TeleSystems answers our questions about his loves, his fears, and what it feels like to go skiing near a Chechen warzone

[Graphic: Global risk register, with segments for economic, technology and geopolitical risks]

Don’t look now: we ask 30 European risk managers about the biggest risks affecting their businesses

Who to avoid: failing to stick to international sanctions can have serious implications for a company

‘Being a risk manager can be quite an isolating role – lots of people don’t really understand what you do’
Nicola Harvey, chairman, Airmic, and group director of risk, Christie’s
>> see Viewpoints page 18

Photo: Nicolas Righetti/Panos Pictures

Page 5: StrategicRISK May 2011
Page 6: StrategicRISK May 2011

NEWS MATRIX [ THE LATEST BUSINESS ROUND-UP ]


Top 10 essential online stories

01 CYBER RISK

New cyber defences

Detica, a BAE Systems company, has released a cyber defence service to prevent sophisticated cyber threats. The technology utilises techniques pioneered in national security defence and organised cyber crime prevention, and was previously only available to government and a few private companies.

The system will offer a “unique behavioural analysis, based on massive-scale cloud technology to detect signs of potential compromise”. A team of expert cyber analysts will also be supporting the system, ensuring that previously ‘unseen and unchecked’ attacks on existing network defences are investigated.

Detica’s technical director, Henry Harrison, said: “We see too many companies still believing that traditional defences are enough to protect them from cyber attacks. Businesses need to decide whether they’re going to try to do something to fight back against these threats, or whether they want to resign themselves to being, in effect, ‘open source’ organisations.”

web. goo.gl/ha1SL

02 CORRUPTION

Bulgaria should boost efforts to fight bribery

Bulgaria should do more to prevent, report, detect and prosecute foreign bribery cases, according to a new report by the Organisation for Economic Co-operation and Development (OECD) Working Group on Bribery.

The OECD recently completed an evaluation of Bulgaria’s enforcement of the anti-bribery convention. Bulgaria should also raise awareness of bribery offences, provide more training and substantially amend and enforce its laws better, argued the OECD.

Bulgaria has one conviction for foreign bribery and is involved in an investigation in a second case.

web. goo.gl/amrD6

03 DISASTERS

Asia-Pac cats to cost €566m

Cyclone Yasi, the Christchurch earthquake and the Japanese tsunami will produce insurance claims of about €566m, estimated Zurich Financial Services Group.

The losses for the five events include the Brisbane floods, Victoria storms and Cyclone Yasi that hit Australia, the Christchurch earthquake in New Zealand and the recent earthquake and tsunami in Japan.

The estimate is preliminary, said Zurich. A full loss assessment and the ultimate cost will take time to complete.

web. goo.gl/8MJDE

04 ENVIRONMENT

Middle-East water security fears could impact oil prices

Extreme water security risks across the Middle East and North Africa (MENA) may lead to increases in global oil prices and heightened political tensions in the future, a new study suggests.

Maplecroft’s study rated the MENA region as having the least secure water supplies in the world, with 15 ‘extreme risk’ countries located in the troubled region.

Mauritania, Kuwait, Jordan, Egypt, Israel, Niger, Iraq, Oman, UAE and Syria form the top 10 at risk countries, respectively.

Six of the 12 members of the Organisation of the Petroleum Exporting Countries are in the highest risk category, while a further two are rated ‘high risk’. Collectively, these countries produced approximately 45% of all global oil in 2009.

A lack of access to water can have a large number of direct and indirect effects and the repercussions can reverberate globally, said Maplecroft. Large quantities of water are needed in the production of oil, so if sufficient water is not available productivity will decrease and operations will be interrupted, which could significantly affect global oil supply and prices.

web. goo.gl/fmBSe

Page 7: StrategicRISK May 2011


05 LEGAL

Bribery Act guidance here

The Ministry of Justice released its final guidance on the Bribery Act, detailing what it considers to be “adequate procedures”, as well as what constitutes hospitality and facilitation payments.

The Act could result in an unlimited fine for a firm failing to prevent bribery.

The guidance contains some interesting developments since the draft last year, said Ernst & Young’s head of fraud investigation practice, John Smart.

“There are six key principles of adequate procedures, consistent with the earlier consultation document, but two of them have been changed.”

web. goo.gl/b5IOf

06 EMAIL

Data breach exposes customer info

Attacks on major US email marketing firm, Epsilon, have left customers’ private data exposed.

UK retail giant Marks & Spencer, which lost customer data in the breach, released a statement assuring customers that it does “take privacy very seriously” but added that customers should be prepared for spam and phishing attacks.

The breach came as part of a much wider attack on the US email company, in which the private data of millions of customers of some of the world’s most recognised companies – including JP Morgan Chase, Hilton Hotels, Citigroup and Capital One – were stolen.

web. goo.gl/au08o

07 INTERNATIONAL RISKS

Violence in Syria intensifies

Armed units from Syria’s Presidential Guard and Mukhabarat (military intelligence service) have begun large-scale killings of Sunni protestors, according to political risk analysts.

As the crackdown on unrest in Sunni strongholds intensified, credible source reports indicated that soldiers who have refused to shoot civilians have been executed, said Exclusive Analysis in a special incident update.

Armed security forces also closed the border with Jordan. The Syrian state media has continually portrayed the uprisings as a foreign-sponsored insurgency, and confirmed that troops searching vehicles on the border have found weapons and ammunition being smuggled into the country in cars.

web. goo.gl/m8NzA

08 REPUTATION

Rolls-Royce tops brand poll

Rolls-Royce Aerospace is the most reputable company in the UK, according to the Reputation Institute’s 2011 UK RepTrak Pulse Study.

The report, which measures customer perceptions of top UK companies on a ‘pulse’ scale of 0-100, ranked Rolls-Royce top, with a score of 86.89, ahead of Dyson, Alliance, Mothercare and Next.

Despite recent controversy – one of their engines exploded mid-air – the company received an extremely high score in the area of products and services, with 93.37.

09 REGULATION DAMAGE

Bank reforms won’t damage competition

The UK’s Independent Commission on Banking (ICB) released a report on the future of Britain’s banks to a mixed response. As predicted, its key suggestion was that big banks’ retail wings should be ring-fenced from their investment operations. The report also recommended that banks hold more core capital – around 10% of their loans.

The report failed to suggest a radical division of ‘universal’ banks into independent retail and investment banks, and was criticised for recommending vague and disappointing changes.

Pointing to the importance of keeping Britain competitive for business, ICB chairman Sir John Vickers refuted such claims, insisting: “I absolutely reject any notion that we bottled it.”

web. goo.gl/ocDCl

10 INSURANCE

Ferma welcomes liberalisation of Brazil’s insurance market

Ferma has welcomed a decision by the Brazilian government to liberalise its insurance market following concerns from risk managers, insurers and brokers.

A new resolution will allow insurers to transfer up to 20% of reinsurance treaties to foreign-based companies that are linked or belonging to the same financial conglomerate.

But Ferma believes the concession is only a step in the right direction, and is now calling for more measures to liberalise the market.

web. goo.gl/KZJ3J

Online Contents

Most read stories

UK guidance for the Bribery Act
web. goo.gl/4jBIk

Bribery Act training
web. goo.gl/vJzgu

Court ruling could cost banks £4.5bn
web. goo.gl/z2Ee9

Tohoku quake could cost insurers £16bn
web. goo.gl/mUfYh

2011 StrategicRISK Report

Download your PDF of the 2011 StrategicRISK Report, which brings together the views of 30 leading European risk managers.

web. goo.gl/NdGTV

Infographic: Cyber crime

Notwithstanding the recent wave of politically inspired cyber attacks against and in aid of the WikiLeaks whistleblowing website, financial gain is still the usual motivator for cyber crime. Here’s our graphic explaining how a sophisticated cyber crime ring works.

web. goo.gl/6JV1B

Page 8: StrategicRISK May 2011


RISK INDICATOR [ VISUALISING DATA AND TRENDS ]

HEALTH MANAGEMENT

Running a healthy company

Companies are switching on to the benefits of adopting a proactive healthcare risk management plan

As companies become increasingly aware of the economic benefits of a healthy workforce, more and more employers are investing in healthcare risk management plans.

Case studies show that health risk management systems have brought significant returns to those companies that have implemented them, and while these may take time to show, the financial benefits of reduced sick leave and absence within a workforce are significant.

However, many businesses simply do not account for the impact of absences: a 2010 Investor in People report revealed that only a quarter of UK employers calculated the cost of absence to the business, despite reports that employers spend up to 10% of their annual pay bill managing the direct and indirect fallout of high absence rates.

Though it may require short-term outlay, the benefits of improved employee health are, as Dame Carol Black’s 2008 government report suggested, resoundingly clear. While employers will not want to be accused of failure to provide care or, conversely, nannying their staff, getting the balance right can bring long-term dividends, regardless of the size or nature of the firm.

BT case study

The telecommunications giant saved £3m in March 2003 alone. By setting up flexible working hours, the company retained 98% of those who took maternity or extended leave, saving in retraining costs.

Page 9: StrategicRISK May 2011


SETTLEMENTS

Top five [ US SANCTIONS SETTLEMENTS ]

1. Credit Suisse – $536m
The US Treasury’s Office of Foreign Assets Control settled for a record sum in December 2009 after helping clients to violate sanctions agreements against Iran, Sudan and Cuba.

2. ABN AMRO – $500m
ABN admitted systematically violating US sanctions against Iran, Libya, Cuba and the Sudan between 1995 and 2005. It settled in May 2010.

3. Lloyds TSB – $350m
Found guilty of violating US trade sanctions against Iran by facilitating customer transactions, Lloyds settled in January 2009.

4. Barclays – $298m
Found guilty of breaking trade sanctions against Iran, Cuba, Libya, Myanmar and Sudan, Barclays settled in August 2010.

5. UBS – $100m
Over eight years, UBS transferred $4-$5bn to countries under US sanctions and settled in 2004.

Source: various media

OVERHEARD

“Soundbites”

‘Where is the line between being pragmatic and being paranoid?’
Igor Mikhaylov, Mobile Telesystems
>> see Headspace page 40

‘The chemical imbalances in your brain that occur if you skip breakfast can affect how you make decisions.’
Adam Greene, Coca-Cola Hellenic
>> see Viewpoints pages 15-17

‘The world feels like a smaller place, and threats to supply lines are always a concern because we rely on things being done efficiently and smoothly.’
Chris McGloin, Invensys
>> see Risks pages 24-25

THE BIG NUMBER

20km

This is the radius of the exclusion zone around Japan’s Fukushima Daiichi plant that authorities have begun enforcing.

The damaged nuclear reactor has continued to emit harmful particles after the earthquake and tsunami caused damage on 11 March. The plant’s operators expect it to be around nine months before they bring the damaged reactors to a cold shut down.

Eighty thousand people live in the affected zone. Residents will be allowed to enter to visit their houses, but they will have to wear protective suits and be decontaminated when they leave.

JAPAN EARTHQUAKE

Fukushima crisis second only to Chernobyl in severity

Japan’s Fukushima nuclear crisis is the second worst of its kind, topped only by the 1986 Chernobyl disaster, says leading nuclear expert Wolfgang Weiss.

Weiss, chairman of the UN Scientific Committee on the Effects of Atomic Radiation, said it was “not as dramatic as Chernobyl, but it is certainly much much more serious than in Three Mile Island.”

The claim comes a month after the crisis first hit, with the exact consequences still unknown. Weiss noted that “the information we are getting is far from pointing out an accurate picture … measurements are patchy and unclear”.

The Japanese authorities began by rating the severity of the incident at level 5 out of a possible 7 – a level previously only ever achieved by Chernobyl. But it was later upgraded to level 7, in recognition that dangerous amounts of radiation had escaped the plant, causing a serious risk to the public.

Although nuclear technicians are battling to contain the crisis, the emergence of traces of nuclear material originating from Fukushima as far away as Glasgow suggests the threat is still very real.

FALLOUT FACTS

FINANCIAL COSTS

• Chernobyl cost 18bn rubles ($600bn)
• Fukushima costs are around $50bn
• The Three Mile disaster cost around $1bn

EXCLUSION ZONE

• 30km Chernobyl
• 20km Fukushima
• 15km Three Mile

Sources: The Battle of Chernobyl, Execution Noble and American Scientist

DATABASE

The worst industrial accidents in Europe

Although they are rare, the consequences of industrial disasters can be devastating. Considering the history of industrial disasters and the nature of the industry, most companies can claim strong health and safety records, ensuring that casualties and damage remain at a minimum. Yet, although the accident rate has reduced in recent years, it takes only one incident to irrevocably destroy a company and an industry’s reputation and, along with them, potentially many lives.

Prestige oil spill: £3bn
The Prestige spilt 20 million gallons of crude oil into the ocean, damaging thousands of kilometres of Galician coastline around France, Spain and Portugal in November 2002.

Piper Alpha: £1.7bn
An explosion and consequent fire on this North Sea oil rig in July 1988 resulted in 167 deaths.

AZF factory disaster: £1.5bn
In September 2001, a factory producing ammonium nitrate in Toulouse, France, exploded, killing 29 people and injuring thousands.

Page 10: StrategicRISK May 2011

NEWS ANALYSIS [ CONTEXT & INSIGHT ]


POLITICAL RISK

Egypt shows us the way forward

Public and investor confidence is growing in Egypt following the arrest of the Mubaraks, a corruption investigation and measures to foster business expansion. But its neighbours face a more troubled future

[Photo: Reuters. Caption: Cost of revolution: A drop in tourism could provoke further unrest but analysts are optimistic about future stability]

Inspired by the Jasmine Revolution in Tunisia, a wave of revolutionary fervour has swept across the Middle East and North Africa.

Some of these uprisings have proved successful, others have faltered, underscoring the huge dangers of protesting against totalitarian regimes. For countries across the region, Egypt serves as a paragon of hope for stability.

Despite important political and social progress, however, economic conditions remain unstable in Egypt. A significant drop in tourism and employment rates, combined with increasing commodity and food price inflation (up 11.5% on last year) threaten further unrest if, as Tunisian finance minister Jaloul Ayed said at the US-Islamic forum, “democracy doesn’t translate soon into well-being”.

Yet the tone is one of cautious optimism amongst economists and risk analysts. Beazley’s head of political risk and contingency, Adrian Lewers, told StrategicRISK that Egypt is on a “positive trend line”.

“The rate at which Egypt has resolved its situation has been quite astonishing. We must recognise that there will be wobbles along the way, but there are strong prospects for stability and democratic government.”

Climate for investment

Moves towards stability are gathering momentum since the General Authority for Investment (GAFI) chairman Osama Saleh’s announcement of measures to attract foreign investors and encourage domestic business expansion.

This follows the announcement of a five-year 500m Egyptian pound (€58m) investment in Egyptian healthcare by GlaxoSmithKline and a proposed review of Egypt’s gas export contracts – intended to raise €1.7bn-€2.25bn in extra revenues.

Despite an International Monetary Fund report this week that revealed a contraction of GDP to 1%, the mood in Egypt remains buoyant. With the arrest of Hosni Mubarak and his sons and a wide-reaching corruption investigation, both public and investor confidence is growing.

Analyst for political risk consultancy Maplecroft, Anthony Skinner, told StrategicRISK that while investors will take a “wait and see attitude”, the move away from Mubarak’s regime will offer companies “fewer risks of complicity in corrupt government, an improved corporate profile and potentially strong benefits”.

An online poll conducted by Egypt’s most popular political website revealed that 75% of Egyptians maintained a ‘cautious optimism’ for their country’s future.

Turbulent outlook for Syria

Yet, while Egypt staggers towards a transparent and democratic future, much of the Arab world can only look on in envy as unrest in Yemen, Bahrain and Syria escalates.

In Syria, there are reports of large-scale killings of Sunni protestors by the Presidential Guard and Mukhabarat (military intelligence). While Syria’s president Bashar al-Assad had intended to quadruple foreign investment by 2015 to $55bn (€62m), the violent suppression of Syrian citizens could scare western tourists and businesses away from the region and increase the intensity of uprisings.

But international intervention, particularly from the USA, is unlikely. “If the Obama administration puts pressure on Syria, then they are likely to use Hezbollah to pressure Israel along with America’s assets in the Middle East,” said Skinner. “Unlike Gaddafi in Libya, Bashar carries substantial political and economic weight in the Middle East and North Africa region.”

If foreign investors pull out of Syria, companies with remaining assets in the country will be faced with a struggle to mitigate increasingly likely losses.

“The main risk for companies is physical damage to assets, and all they can really do is to try to protect them,” Lewers said. “There might be insurers willing to discuss terms, but it will be expensive.”

As in Yemen and Bahrain, the violent suppression may be intended as a political quick fix, but it will potentially cost Syria billions in lost business and international alienation. SR

‘The rate at which Egypt has resolved its situation has been quite astonishing. There will be wobbles along the way, but there are strong prospects for stability’
Adrian Lewers, Beazley

Page 11: StrategicRISK May 2011


Page 12: StrategicRISK May 2011

NEWS ANALYSIS [ CONTEXT & INSIGHT ]


The Risk Index

‘China is one of the countries suff ering most from hacking’A Chinese government report,

The Internet in China, states

142 Chinese public security departments

dealt with this many computer crime cases in 1998, according to offi cial

sources

48,000 The number of offi cial computer crime

cases in China in 2009

18m The number of Chinese computers

infected by the Confi cker virus every

month

42,000 The number of Chinese websites

distorted by hackers

Source: The Internet in China, a report by China’s State Council Information Offi ce

C OMPUTER CRIMES (AKA CYBER RISKS)

are a major concern in China. It’s at the

point where an offi cial report from the

Chinese authorities (which are not known for

their transparency) has stated that cyber

crime is growing and is being taken seriously.

“Online fraud, online the� and other

forms of crime that encroach on the

property of others are increasing rapidly,”

said the government white paper The

Internet in China. “Crimes such as producing

and spreading computer viruses, and

computer and network hacking are

increasing.”

But China is not the only country with

a serious internet security problem (see

Risk Atlas, page 28). A recent report from

Detica, commissioned by the UK

government, estimated that cyber crime

costs the UK economy £27bn (€30.5bn) a

year. The lion’s share of this figure (£21bn)

is stolen from the private sector. It’s

unsurprising that recent research by

StrategicRISK, which involved in-depth

interviews with 30 leading European risk

managers, highlighted cyber crime as one

of the interviewees’ biggest concerns.

Those companies that rely on the

internet to do business are most vulnerable

to cyber attacks by criminals, competitors or

disenchanted employees. Intellectual

property theft or industrial espionage –

which Detica says costs UK businesses £9bn a

year – is also a big worry for risk managers.

“We put a great deal of effort into

security, training and communication about

information leaks, because much of the

value of our business is tied up in knowledge

– and it’s not the kind of knowledge you can

put patents or copyrights on,” one risk

manager told StrategicRISK.

Risk managers recognise that data

theft is not purely an IT issue. It’s clearly

necessary to monitor the people handling

the information, including those joining

and leaving an organisation. Yet several

risk managers admit that their security

systems are not up to scratch.

As one risk manager puts it: “The

biggest possible source of leakage of

information walks out of your offices and

factories every day – it’s your people.” SR

TECHNOLOGY

Companies lose £21bn a year to cyber crime

‘Much of the value of our business is tied up in knowledge – and it’s not the kind of knowledge you can put patents or copyrights on’

While China battles with an internet crime wave that even its government must recognise, data theft is a key concern for European risk managers

KNOWLEDGE Bank fraud on the rise

The UK’s National Fraud Authority revealed that online banking

fraud increased by £60m (€67.7m) from last year, a rise of 14%.

According to the Office of Fair Trading, 39% of those who

were scammed did so through money transfers, with 7%

losing over £4,000

Web of deceit: China’s

internet user population

has reached 298 million as

computer and network

hacking continues to rise


Page 13: StrategicRISK May 2011
Page 14: StrategicRISK May 2011

NEWS FEATURE [ COVER STORY ]


State of emergency: despite

intense efforts to avoid meltdown

in the Fukushima plant, Japan had

to raise the threat level to seven

Page 15: StrategicRISK May 2011


‘People are frightened of anything that they can’t see, or that they can’t understand’

Alexia Ash, Exclusive Analysis


NUCLEAR RISKS

Braced for impact

The natural disaster in Japan has shown just how vital preparation and planning is, but for complete cover, companies and organisations must expect the unexpected

EVEN FOR A COUNTRY FAMOUSLY WELL PREPARED for natural disasters, it was the nightmare scenario: at 14:46 on 11 March, a massive, magnitude 9 earthquake barreled through the seabed off Japan’s north-east coast, creating a tsunami that devastated the coastal zone. Among the resulting chaos, there was one question that became more and more urgent: what about the nuclear power stations?

Despite initial reassurances, within hours a state of emergency was declared at the Fukushima nuclear facility, and suddenly the global media was locked on. But despite everything that has happened at the Fukushima nuclear complex, there are reasons to be reassured; in many ways the reactors did exactly what they were designed to do.

When the quake hit, all the operating reactors ‘tripped’, safely halting the nuclear fission process. But because the fuel continued to produce large amounts of heat, the battle was on to keep it cool and avoid a catastrophic meltdown. This has been far from easy, and a month after the quake, on 12 April, the Japanese authorities raised the threat level to seven – the same status as Chernobyl.

Damage control

Despite the seriousness of the evolving crisis, however, leaks seem to have been minimal, with only the equivalent of 10% of the radioactive material released during the Ukrainian disaster in 1986 being detected in Japan.

In fact, because the disaster was so massive and the leaks – at least so far – have had minimal health and environmental impacts, the prominent UK journalist and activist George Monbiot wrote in The Guardian recently that the disaster has convinced him nuclear power is the safest way to combat climate change.

But his response was unusual and the situation is still developing. Initially, by far the most common reaction was panic, with embassies issuing warnings and hundreds of ex-pats fleeing Tokyo. There were reports of private jets being hired by bankers who didn’t care how much they cost, they just wanted out.

“I think a lot of the reaction we saw initially in the aftermath will be reconsidered when the – literal and metaphorical – smoke clears,” Exclusive Analysis risk analyst Alexia Ash says.

“We will see what we are seeing already in places like Iran, where they first said they would be reconsidering nuclear power and now seem to be moving forward with it again.

“[In Fukushima] we had a situation where there were six reactors built in the 1970s and they have withstood the most powerful earthquake to hit Japan for decades. That is a reason to argue that nuclear power is safer than we thought, especially if we continue to see no serious health impacts.”

What Fukushima has shown us is that sometimes averting a disaster is not enough. The information war must be won and the gap closed between the public consciousness of real and perceived risk.

“People are frightened of anything they can’t see, or that they can’t understand,” Ash says. “One of the problems [at Fukushima] was lack of information. A lot of the people who could have provided information were very busy dealing with the situation at the reactors … If there is a lesson, it is that there really needs to be a dedicated team in place to provide up-to-date information to avoid panic.”

Ultimately, though, the new uncertainty around nuclear power may have a longer-term impact on Japan than the problems at the plant.

Looking ahead

According to Exclusive Analysis, Japan’s heavy dependence on nuclear power, its total lack of hydrocarbon resources and the strength of the nuclear lobby all point against a wholesale move away from nuclear power, which may have a knock-on effect on the global price of other fuels.

“Although the situation does remain serious at Fukushima, the problems in power generation [created by the nuclear shutdown] could be more of a problem,” Ash says.

But other problems caused by the earthquake have been all too ‘real’. Establishing a 12-mile exclusion zone around Fukushima, along with widespread quake and tsunami damage – over 80,000 buildings have been damaged and nearly 5,000 destroyed – has caused the widespread shutdown of large parts of Japan, something that brings lessons for all risk managers.

“This really was a wide-area incident; a huge number of interconnecting aspects of society were affected and that’s something we

Page 16: StrategicRISK May 2011


need to prepare for,” Airmic chairman John Hurrell says.

“In the UK we’ve seen similar, if far less serious, events in recent years and we should take that on board when we look at risk. We’ve had large-scale floods, we had the Buncefield fire and two winters where large parts of the country have been iced out. Who knows what’s on the horizon? There could be a pandemic, more floods.

“The core point to take away is that each time any of these events has occurred, it has exceeded our planning by some order of magnitude. It’s time to think the unthinkable and see where that leaves us.”

Japan is widely considered one of the most well-prepared and methodical societies on Earth, and yet it could not prepare for the unexpected events of 11 March.

“We need to remember that the good data we have about world events is only 100, maybe 200 years old, and that’s nothing in terms of the lifespan of the Earth,” Hurrell says.

“How many organisations plan for a situation where it isn’t only their business affected? What we are seeing are situations where everything is out. Japan is revealing just how complex modern supply lines are. A lot of businesses didn’t even know that they had a connection with Japan somewhere down the line until it went down. Very few people are looking at more than three degrees of separation.”

Ultimately, perhaps, businesses need to be robust. “The assumption has been that in many cases everything has to be working perfectly for things to work,” Ash says.

“What happens, say, when your staff can’t get to work because there is no transport?” Hurrell asks. “When the schools are shut and they have to stay at home with their kids? As soon as you widen the circle you’re looking at, things get very complex.

“We also need to ask: how relevant is our insurance? How will it protect us if everything is out? Can it cope? What if everyone else is claiming? What happens when everything is up in the air?” SR

‘It’s time to think the unthinkable and see where that leaves us’

John Hurrell, Airmic

The main lesson from the ongoing situation in Japan is not so

much ‘be prepared’, as ‘be more prepared’.

All businesses have some contingencies in place to survive

upheaval of various kinds. But recently, entirely unpredictable

events such as those in Japan have clearly demonstrated that

these may not be enough, and shrewd risk managers should be

looking again at potential vulnerabilities right across their

supply chains, human resources, finance, transport and

technology.

Nuclear power operators are obsessed with safety and yet

at Fukushima emergency cooling pumps and generators

repeatedly failed. A fire engine brought in to help ran out of

fuel. Ask yourself: are your back-ups enough?

In the teeth of a problem, Fukushima has shown that good

communication is key, both internally to keep coherence and

focus within the business, and externally to ensure the public

has clear, accurate information about what is happening. This

has multiple benefits:

• minimising the spread of fear and panic, which

can dramatically exacerbate problems;

• enrolling staff and public support in any mitigation

strategies; and

• reputation management.

If possible, a dedicated team should be available to manage

communications, deal with public and media

questions and have the authority and access to get

whatever information they need. It is essential this team

is present across social media as well, as Japan has shown

how sites like Twitter and Facebook were key in disseminating

information.

You can always be more prepared


RISK LESSONS

Page 17: StrategicRISK May 2011

Viewpoints [ PEOPLE ][ OPINION ][ COMMUNITY ]


> In my opinion Japan (page 17): Japan’s earthquake and tsunami and nuclear crisis have had widespread repercussions

> Q&A Nicola Harvey (page 18): Christie’s global risk director

PROFILE

Ahead of the pack

Understanding the behaviour of groups making decisions is at the core of Coca-Cola Hellenic Adam Greene’s strategy, which he believes every employee can and should put into operation


Page 18: StrategicRISK May 2011


ADAM GREENE’S METEORIC RISE UP THE RISK management career ladder is a combination of hard work and a fondness for challenging conventional wisdom. Just six years after graduating from university he was chief risk officer (CRO) of Thames Water. And since late 2008 he has worked for Coca-Cola Hellenic in Athens as group risk and insurance manager, spending most of his time on business and project risk management.

In his eyes, though, there are a number of things risk managers need to do differently if they want to survive. Paying more attention to the psychological factors that influence risk rather than obsessing over statistical information is paramount, he says. If this does not happen, he thinks the future for risk management looks bleak.

“When you look at the professional risk management environment, it is moving down the lines of economic rationality, implying the perfect risk decision option has been identified and is achievable, with measurement and statistics forming a large part of that,” Greene says. “But you find that economic rationality does not adequately describe the everyday rationality used by decision-makers who assess and decide using personal emotions.”

Another danger he foresees is that, as the profession develops increasingly esoteric tools and techniques, the process of risk management is becoming externalised. Instead of every employee managing risk as a matter of course, specialist risk managers are invited to analyse and treat risk.

This, Greene argues, removes responsibility from everyone else. “What I try to do is enable decision-makers in our company to make better decisions and understand the influences that they unconsciously carry with them — their biases and heuristics.”

Greene’s interest in the behavioural side of risk management was first inspired in academia. He began his professional career as a project manager with construction company Bovis. “The lifestyle of a project manager was a little hectic and full of stress. I decided I needed a fresh challenge,” he recalls.

In 1999, Greene joined Loughborough University to study for a PhD in risk management, which was sponsored by the Engineering and Physical Sciences Council. “Originally I was employed to build a full project lifecycle map, right the way from conception of a need to disposal of an asset. That really didn’t grab my interest too much so I decided to look at the behavioural side of decision-making.”

Depends what you had for breakfast

His curiosity led him deep into the field of individual and group decision-making. “I started to look at what influences people’s decisions. You can come up with an almost endless list, which includes obscure things like have you had breakfast – because the chemical imbalances in your brain that occur if you skip breakfast can affect how you make decisions – to the colour of the room you’re in or the background noise that you’re experiencing.”

“There’s also the more obvious influences, such as whether you are penalised for failure or rewarded for taking risk. That direct motivation can affect decisions and how you perceive your environment.”

Decision-making in a group is even more complex, Greene says. And this can have serious consequences for business risk management, where focus groups are widely used as a means of risk identification and assessment.

“We say that risk management should occur in a group because a group is naturally better at making decisions by virtue of there being a range of shared opinions, perceptions and preferences.”

While this is true, risk workshop facilitators need to be aware of the range of influences that can affect how a group of people make a decision. “The language of a dominant character within a group can really alter perceptions,” Greene says. “If you walk into a group as the leader and you describe your environment as ‘chaotic’, you set a certain state of mind and perception is driven by that. So the group looks at the situation as chaotic. But if the leader walks in with confidence, then the confidence of the group is emboldened and it will make a different type of decision.”

Performance anxiety

Even more worryingly, Greene notes, individuals who have no experience of the discussion matter tend to make up stories just to be seen as contributing. “There’s usually a lot of pressure in a group to be seen as an active participant and not to be the wallflower — particularly in a work setting.”

Groups are prepared to accept higher levels of uncertainty and risk compared with individuals on their own, Greene adds. “One theory for that is the diffusion of responsibility. That’s true, but it’s also the case that the more vocal people in the group tend to be the

‘Whether you are penalised for failure or rewarded for taking risk can affect decisions’

Adam Greene, Coca-Cola Hellenic

1. The media

The media can increase the sense of threat,

and decide what we should be worrying

about. Foreign criminals, teenage gangs, and

avian flu are treated differently in different

news outlets.

2. How risk is explained

The statistical tools used to explain data in

scientific journals can influence how it is

interpreted, and how the public and media

react to it.

3. Personal experience

If an individual has had negative experiences,

they are much more likely to expect those

things to happen to them again.

4. Entertainment

The success of particular films – like disaster

movies – can influence how people perceive

the risk of certain activities, such as air travel.

5. How you see the world

How you perceive risk is shaped by your views.

For example, a leftwing person is unlikely to

view industrial action as a ‘risk’ in the same way

as a more rightwing person. A success-driven

person will be more afraid of failure than

someone more laid-back.

PERCEPTIONS


Factors influencing risk decisions

Page 19: StrategicRISK May 2011


more positive ones and therefore more likely to take a greater risk. As they are more vocal they pull the group in that direction.”

In 2002, after he finished his PhD, Greene stepped on to the first rung of the risk management career ladder, working for Thames Water as a risk engineer. “I had to quickly realign my thinking,” he says. “At university, especially on a PhD, you have the luxury of a lot of time to do blue-sky thinking. If you apply it verbatim in a non-academic environment you become unstuck. So you have to go through a process of realignment.”

But his PhD did help Greene to look at problems in a different light. “I spent a lot of time working with groups and individuals to understand how they deal with complex decisions. That made me a better facilitator of the decision-making process,” he says. Before leaving Thames in 2008, he was promoted to group level as CRO.

So how does he account for his speedy rise to the top? “Fortune plays a part. You have to be in the right place at the right time. But you do need sponsors. Without someone who is prepared to say, ‘I think this chap is capable of doing more’, you can easily blend into the background. You have to make a name for yourself and establish your credentials. You have to be able to substantiate what you’re saying. Make it clear that you are here to help and that you can contribute something meaningful so that you can support other people. You need to be able to empathise with them too. To show that you care, that you can help and that you add value.”

Greene acknowledges that business risk management needs a structure and a framework. “The organisation needs intelligence in what its operations are facing from a risk perspective. And we need to be able to aggregate and capture, assess and present that in a meaningful way. But in every step of that process, it is about enabling decision-makers to make better decisions for themselves.”

So what do risk managers need to do to help people throughout their organisations make better decisions? First, Greene says, they need to understand behavioural influences and develop strong facilitation techniques. “I talk to departments about the decision-making theory, what to look out for in terms of biases and influences, and how to guard against them.”

In hands of those who use it

“We are in 28 different territories, so I travel a lot. When I arrived at Coca-Cola Hellenic, the business risk assessment consisted of an annual trip to visit each of the territories. Now we have established a more robust business risk management process. Each of the territories has ownership over the process.”

Because it’s impractical for Greene to visit every single facility each year, he relies on a network of risk advisers to facilitate risk workshops. “We have a set of defined risk assessment criteria that we use to aggregate risk across the group,” he says. “We ground the process firmly and put it into the hands of the people who use it. The core process remains the same across every region: we identify the objectives, assess the risks and manage them.”

Greene applies the same process to project delivery. “We are in the process of moving the business over on to a new technology platform. It’s an enormous and incredibly complex task, which we are delivering very well with no business interruption.”

Success is a virtue of not only a strong risk management process but also a strong “risk intuition” within his organisation, says Greene. “People are very aware of risk and opportunity, as well as how to deal with it and manage it.” SR

Setbacks in motor and electronics not only damage Japan’s exports but have global knock-on effects

IN MY OPINION

Ripples from Japan spread worldwide

Sue Copeman, EDITOR-IN-CHIEF,

STRATEGIC RISK

WHAT DO CONSTRUCTION AND MINING EQUIPMENT LEADER Caterpillar, technological giant Intel and international auto manufacturer General Motors have in common? They’ve all been affected – along with many other companies around the world – by an event that occurred thousands of miles away.

Japan’s earthquake, tsunami and potential nuclear crisis have had widespread repercussions for the international business community. Despite the fact that the area directly affected was relatively small in terms of Japan’s industrial output, the knock-on effects have been huge, although it is hoped that they will be short-lived.

The catastrophe highlights that, in the current global economy, the days are over when a disaster in one country only affected surrounding national businesses. A natural catastrophe can have unexpected consequences beyond local property damage, such as transport, power and other infrastructure issues, which reverberate in other national sectors and their global operations and markets.

The immediate effects for companies in Japan have been well publicised. Particularly affected, as much if not more by national fuel shortages and power outages as by the direct damage, are two of Japan’s key sectors, the motor and electronics industries. This has been a major blow in a country whose economy is largely reliant on its exports, and Japanese companies’ European operations and customers are sharing in the fallout.

Disrupted national production of vehicles and key components led to a world shortage, resulting in halted or decreased operations worldwide. Motor manufacturers whose operations both in Japan and internationally have been disrupted include Fuji, Honda, Mazda, Nissan, Suzuki and Toyota. The roll-on effect has extended to European vehicle manufacturers that buy parts from Japan, such as Mercedes, Opel, PSA Peugeot Citroën and Volkswagen.

An equal if not greater impact has been experienced by the electronics sector. Reportedly, Japan produces around 40% of the world’s technology components including chips, memory for digital phones, cameras and PCs, glass for flat screens, capacitors and transistors. It’s a formidable list and many of the manufacturers involved are well-established brand names in Europe. They include Canon, Panasonic, Sony and Toshiba. Less well known as brand names but nonetheless highly important in the electronics supply chain are leading chip maker Renesas Electronics and Shin-Etsu Chemical, the world’s leading maker of silicon wafers, used in integrated circuits for electronic devices.

In the highly competitive world technology market there are few electronics-based businesses that do not source some products from Japan – and all the companies mentioned above have been affected by the Japanese disaster, with far-reaching results. For example, not only has production from Sony’s plants in Japan been affected by the catastrophe: mobile phone group Sony Ericsson, Sony’s joint venture with the Swedish company Telefonaktiebolaget LM Ericsson, has been forced to consider sourcing alternative supplies outside Japan. SR


Page 20: StrategicRISK May 2011


One of the biggest challenges for us is that people here aren’t corporately institutionalised. Christie’s is all about the fine art and the history of the art and our clients. Added to that, we are not regulated so it’s difficult to get the attention and traction for risk management.

What skills have been really useful in your career?

Technical skills are always important. But risk managers need to have good communication skills. Having come up through the insurance route, I have noticed that communication skills in the insurance industry are not always that good. Everyone likes to cover their backs by putting as much down on paper as possible.

That means it’s quite hard because boards just want to see a summary of the issues. They expect you to do your job. They don’t want a 20-page report to sign off; they want a succinct list of key issues. And they want to know what my recommendation is. Written verbal communications are really important. Use simple language and don’t over-complicate things.

Who do you report to in your organisation?

I sit within legal and risk so at the moment I report to the general counsel, but we’re in the process of restructuring. I think that’s quite a good home for risk management, because this way it is not seen as a purely insurance function but as a broader function, which is

Former broker Nicola Harvey was headhunted to manage risk for a client and moved on to Cable & Wireless and what is now Lloyd’s TSB. Now in her third year at fine art auctioneers Christie’s, she has to market her function in a culture where corporate process takes second place to precious objects

IN MY OPINION

Nicola Harvey, CHAIRMAN, AIRMIC AND GROUP DIRECTOR OF RISK, CHRISTIE’S

The gentle art of persuasion

What’s the best thing about working for Christie’s?

The art. I’m not a connoisseur or an expert at all. But I do love the art. It’s a lovely, interesting place to work. Every day, it’s like walking through a museum. And the uniqueness of the industry means it’s a fascinating business.

What are your biggest risks?

The sort of issues we could face are loss or damage to art and property. We take responsibility for the art while it is consigned to us through the auction process. We move it around a lot of the time on exhibition and sometimes things happen to clients’ property. Theft is a possibility. We have to be sure that the property we are selling is not fake; occasionally we don’t get it right. Fires could also be very costly. We have had one or two losses since I’ve been here but nothing huge.

Security is a big issue. We have a lot of former military personnel and police who work for us. They do active risk management on a daily basis – things like physical security, CCTV, guarding the exhibitions, making sure the appropriate precautions are taken in terms of carrying property and moving it between sites, physical fire protection and access control.

Could you describe your role and responsibilities?

The role I have is broad. I sit across the insurance and risk financing function as well as the enterprise risk management (ERM) piece. I get heavily involved in operations like security, legal and IT.

I also look after compliance. A lot of that is legal and to do with anti-money laundering legislation and making sure we comply with import and export regulations. Due to the nature of our business those are the things that affect us.

These days I spend more time on ERM and compliance; but generally it goes in fits and starts. When there’s an insurance renewal, for example, which usually happens towards the end of the year, I get hauled into that. A lot of our risk and compliance issues occur around the time of the Christie’s auction sale seasons.

How sophisticated is your ERM programme?

There are organisations that have properly embedded their risk management, but for many it remains an add-on process that is not completely embedded. Ideally, everybody in an organisation should help to manage risk. A central risk management function can provide support and advice, as well as develop risk processes and monitor compliance.

ERM could always be better embedded in most businesses. I think we are quite good at it but there’s still a fair bit of work to do to get that embedded and really part of the everyday business.

Our corporate structure is quite unique. The group risk team in Lloyd’s was 90 people. That’s a massive risk infrastructure – people understood it. But generally it’s not like that in other organisations.

‘Risk managers need good communication skills. Boards don’t want a 20-page report to sign off; they want a succinct list of key issues. Use simple language and don’t over-complicate things’


Page 21: StrategicRISK May 2011


Community update

• Taking a lead

from Ferma,

which recently signed a

transparency deal with

European broker

association Bipar, the

Czech risk management

association Aspar CZ

is working on a deal

of its own. The risk

association is toing

and froing with the

country’s broker

association on adopting

a protocol to increase

transparency and reduce

conflicts of interest.

• A new Spanish

insurance

contract law that

enforces the consumer

rights could be good

news for risk managers

in Spain, according to

experts gathered at a

meeting in Madrid

organised by Spanish

risk association IGREA

and law firm Hogan

Lovells. The Bill,

designed to defend the

rights of the insured, is

expected to be passed in

the next few months.

• Poland’s risk

management

society, Polrisk, held its

annual conference in

Warsaw on 12 and

13 April. Polrisk

president Tomasz

Miazek, who is also the

insurance manager at

Telekomunikacja Polska

Group, said that the

association is working

hard on a range of

initiatives designed

to raise the standards

of risk management

in Poland.

probably how it should be seen. But I don’t think there’s a right and a wrong answer.

How is your performance measured?

We have annual performance appraisals and regular one-to-one meetings. It is sometimes quite difficult to demonstrate value, though. If you’re doing a good job and managing risk effectively, bad things should not be happening and then you can’t prove a negative. Being a risk manager can be quite an isolating role because lots of people don’t really understand what you do.

Is it easy for you to attract the right risk management talent?

There are lots of insurance people out there. That’s quite easy to access. On the risk side, it’s a lot harder because it’s quite an undefined discipline. If you go out and talk to a recruitment agency about risk managers and risk management, they’ll quite often look at the financial services sector. But that’s quite a different breed. It is not operational risk or ERM in the way we’d think about it. There are not very many agencies that understand what we are looking for.

What do you think your next career move will be?

I could go into this type of role in a bigger organisation. To a degree it’s easy to skip industries. If you can apply your knowledge and learn the business, you should be able to move between industries.

But there is another step here for me. I’m not really a true chief risk offi cer with a seat in the boardroom the way CROs at fi nancial institutions are. That would be the next step for me. It would mean being fundamentally involved in the strategy of the business and involved in key business decisions.

The other thing that someone in my role could do is to move out into the business. By that I mean move away from doing a risk role altogether and into a business unit. But it’s not a natural thing for a risk manager to do. I think it’s quite hard to move out into the business and that’s why lots of risk managers don’t do it. SR

[READ MORE ONLINE] Read StrategicRISK’s profile of Hans Læssøe, head of strategic risk for LEGO at goo.gl/DtYWW

HOT ISSUE

Insurance in Latin America

The CEA, Europe’s insurance association, has written to the Argentine Superintendent of Insurance and the Argentine government to express concern about new reinsurance rules.

The country’s new resolution, enacted “without proper consultation” on 11 February, effectively prohibits cross-border reinsurance, said the CEA.

It means that foreign reinsurers that have not set up an Argentine reinsurance subsidiary or branch will only be able to underwrite risks from Argentinian insurance companies if they hold local capital of at least €3.4m ($5m) (plus additional solvency, depending on the type of business) and get regulatory approval, which will only be granted per policy on a case-by-case basis.

The CEA said the new regulation is “highly discriminatory” and will lead to less capacity and higher premiums for Argentine policies.

At around the same time, Ferma called for further measures to liberalise the insurance market across the border in Brazil.

While Ferma welcomed new moves to liberalise intra-company cessions, it said that overall the current legislation could undermine development in Brazil and suggested that it will increase costs and concentrate risk domestically.

Page 22: StrategicRISK May 2011

www.strategicrisk.co.uk/awards2011

Join risk professionals from across Europe as StrategicRISK reveals the winners of this year’s European Risk Management Awards

DATE: Wednesday 25 May 2011

TIME: 12:00pm

NEW VENUE: InterContinental London Park Lane, London W1J 7QY

BOOK NOW: Places are limited. To book your place visit www.strategicrisk.co.uk/awards2011 or contact Katherine Ball on +44 (0)20 7618 3492

COST TO ATTEND: Single place: £150.00 + VAT. Table of 10: £1,400.00 + VAT

Page 23: StrategicRISK May 2011


Congratulations to our finalists who have been shortlisted for this year’s StrategicRISK European Risk Management Awards

EUROPEAN RISK MANAGER of the year

Annette Schutt Fiig, Novo Nordisk

Colin Campbell, Arcadia Group plc

Elaine Heyworth, Everything Everywhere

Igor V Mikhaylov, Mobile TeleSystems OJSC

John Ludlow, IHG

EUROPEAN RISK MANAGEMENT TEAM of the year

Arcadia Group Ltd

Dixons Retail plc

Capital Shopping Centres plc

Tesco plc

Tetra Laval plc

ENTERPRISE RISK MANAGEMENT PROGRAMME of the year

Aeroports de Paris

Amlin plc

Hoerbiger Holding AG

SIBUR – ZAO SIBUR Holding

UK Power Networks

BEST RISK COMMUNICATION of the year

Aviva plc

London Borough of Lambeth

SAP

Tesco plc

Zurich Financial Services

MOST INNOVATIVE USE OF IT OR OTHER TECHNOLOGY

Aon Benfield Analytics

Financial Information Systems

Lambeth Council

Science for Humanity

Sonae Sierra

BEST RISK TRAINING PROGRAMME

Amlin plc

BBC

SIBUR – ZAO SIBUR Holding

Tesco plc

Yorkshire Water Services Ltd

BEST RISK MANAGEMENT APPROACH IN THE PUBLIC SECTOR

Ealing Council

London Borough of Lambeth

London Borough of Newham

London Underground (Tfl)

Woodleigh Outreach Support Service

RISK MANAGEMENT YOUNG ACHIEVER of the year

Claire Bromley, John Wood Group plc

Daniel Davies, Network Rail

Michael Szonyi, Zurich Insurance Company

Nicolas Vioix, Westfield

Rachelle Banham, Hertfordshire Constabulary

RISK MANAGEMENT PRODUCT of the year

Capital Shopping Centres plc

Maplecroft

The Royal Bank of Scotland plc

Trimble

Wolters Kluwer Financial Services

THE BEST BUSINESS CONTINUITY APPROACH of the year

Gategroup

London Borough of Newham

Rentokil Initial plc

SAP AG

The Co-operative

The StrategicRISK European Risk Management Awards 2011 are sponsored by

Page 24: StrategicRISK May 2011

Risks [ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]

> Risk financing: Catastrophes. Japan put natural disasters at the forefront of people’s minds

> Risk atlas: Cyber crime. Where are all the cyber criminals hiding?


“The risk of breaking sanctions is very serious – and there are a lot of countries where sanctions apply.

We have to be very careful about who our customers are delivering our products to and make sure that they are selling to reputable companies and not organisations that will sell those products on to others whose customer base may breach sanctions.”

This was one risk manager’s response on being asked to identify key risks for their company in the next year for this year’s StrategicRISK Report (available for download at goo.gl/NdGTV). He believed that the risk of inadvertently breaching sanctions is likely to increase in the next 12 months, particularly in view of the volatile political situation, and civil unrest currently arising in a number of countries that have already increased sanctions and are likely to continue to do so. And his comments illustrate the difficulty of trying to track end buyers in the customer chain.

Traditionally, banks have been the global watchdog as far as illegal activities such as breach of sanctions and money laundering are concerned. They’ve also tended to be the scapegoats if they turn a blind eye to suspicious transactions – a situation that has concentrated their minds significantly on the problem.

Risk intelligence organisation World-Check’s Andrew Yuille says: “Most things go through banks, so they are a fairly good place to catch on to something that should not be going on. But compliance with sanctions has to be far wider than the banking industry.”

“You have to know who is on the sanctions list to check that they’re not a customer that might present an issue – but by the time an organisation or individual has been sanctioned, it’s almost too late. It’s better to have an early warning system so that you can see who is likely to end up on a sanction list and avoid having them as a client to start off with.”

This might sound like a tall order but in fact regular sanction-busters – those who supply goods to sanctioned organisations – often leave discernable footprints. Suspect customers are unlikely to be on an actual sanctions list, but the associates on which they rely are the ones to watch out for.

Yuille cites the case of a small US business that had bought pipe bending tools from a Chinese business that turned out to be acting for an Iranian concern. Every time the organisation at that address in China was sanctioned it would change its name, a common trait with sanction busters which, along with language translation difficulties, can cloud transparency for foreign buyers.

Another problem is the number of sanctions now in force. In addition to sanctions imposed by the UN and EU, individual countries take their own approach, targeting countries or businesses that may not be on other sanction lists. It can be a minefield for global companies with different production units around the world.

Be alert to suspicions

So what’s the best way for risk managers to get to grips with this problem? Due diligence in respect of both suppliers and customers, in the first instance. Airmic’s technical director Paul Hopkin suggests that risk managers employ the same techniques that they use to ensure an ethical supply chain, and seek assurances from customers regarding the ongoing destination of products.

“There’s a parallel between this and the kind of approach that risk managers take to limit their liability in respect of health and safety,” he says. “For example, component suppliers will specify any constraints on their use to guard against liability claims, so there’s no reason why they shouldn’t also specify constraints on their supply to sanctioned businesses or countries.”

RISK SANCTIONS

Breaching the boundaries

Sanctions are in place for social, economic and political protection, but they’re not always obvious and failure to spot them can have serious consequences

Political minefield: it is difficult for companies to keep abreast of sanctions relating to countries such as North Korea

Case study

It’s not only the big boys and the banks that get picked up for breaching sanctions. The relatively small UK Weir Group, a Scottish engineering company employing around 9,000 people globally, admitted breaking UN sanctions in its dealings with Iraq during Saddam Hussein’s regime. It breached the Oil-for-Food programme in place at the time by paying kickbacks to the government to secure lucrative contracts. The company was fined £3m for the breach and also had £13.9m of illegal profits confiscated.

Nicolas Righetti/Panos Pictures

Page 25: StrategicRISK May 2011


Eritrea: Direct or indirect supply, sale or transfer of arms and related material of all types.

Afghanistan: Exportation, supply or delivery of any arms and related material to Osama bin Laden, the Al-Qaeda Organisation, the Taliban and their associates.

Côte d’Ivoire: Import of rough diamonds, except those used solely for scientific research to facilitate the development of technical Ivorian diamond production, provided the research is approved by the Kimberley Process Committee; and supply and delivery of arms and related material, except that supplied for the parties or purposes specified in the relevant UN Security Council’s Resolutions.

Democratic Republic of the Congo: Supply and delivery of arms or related material, except to parties and under conditions specified in the UN Security Council’s Resolution 1771 (2007).

North Korea: Direct or indirect supply, sale or transfer of all arms and related material as specified in the relevant UN Security Council Resolutions; all items as set out in the lists in the UN documents S/2006/814 and S/2006/815; and exportation of the above items (other than luxury goods) from North Korea.

Iran: Direct or indirect supply, sale or transfer of all items that could contribute to Iran’s uranium-enrichment and reprocessing activities, heavy water activities or technology related to nuclear ballistic missiles set out in relevant sections of Security Council document S/2010/263 and the International Atomic Energy Agency documents INFCIRC/254/Rev. 9/Part 1 and INFCIRC/254/Rev. 7/Part 2, or determined as necessary by the Security Council, the committee or the state.

Iraq: Sale or supply of arms and related material to Iraq, except for those required by the relevant authority stated in the UN Security Council’s Resolution 1483 (2003).

Lebanon: Sale, supply or delivery of arms and related material, except for those authorised by the Government of Lebanon or by the UN Interim Force in Lebanon.

Liberia: Direct or indirect supply, sale or transfer of arms and any related material to all non-governmental entities and individuals operating in the territory of Liberia.

Somalia: Exportation, supply or delivery of any arms and related material, and any goods related to the manufacture or maintenance of weapons.

Sudan: Supply and delivery of arms and related material to any non-governmental entity or individual, except for the parties or purposes specified in the UN Security Council’s Resolution 1591 (2005).

Companies and their employees, particularly in the financial industries, shouldn’t turn a blind eye to something suspicious, as this could implicate them in what’s gone on, says Yuille. So risk managers should encourage whistleblowing. Yet history shows that whistleblowers tend to be very badly treated by their employers, so work needs to be done to encourage people.

When Wachovia bank employee Martin Woods suspected wrongdoing on the part of his employer, his report to them was dismissed as “defensive and undeserved”. He told StrategicRISK that he underwent a sustained campaign of harassment, bullying and fabricated disciplinary proceedings before his allegations were proven well-founded. He now advises companies and individuals on all aspects of financial crime including sanction breaches.

A final word of warning. The USA has introduced a number of sanctions against countries – for example, the Comprehensive Iran Sanctions, Accountability, and Divestment Act (CISADA). There’s a possibility that such legislation could catch external companies that have a footprint in the USA in the same way as the US Foreign Corrupt Practices Act. SR

The UN’s sanctions watch list

EXPERT VIEW

Page 26: StrategicRISK May 2011


RISK FINANCING CATASTROPHES

Categorising catastrophes

With catastrophic occurrences seemingly on the rise, it’s important that risk managers understand such scenarios and the cover they require

Floods in Queensland, a major earthquake in Christchurch and the Japanese earthquake and tsunami have meant a tumultuous start to 2011, testing the fortitude of affected populations and businesses, from mining operations in Queensland to nuclear facilities in north-eastern Japan. They have underlined the importance of having the right protection in place and put business continuity plans to the test.

Managing catastrophe risk is one of the biggest challenges facing many multinational organisations. Identifying the safest location for your business is fraught with uncertainty, while inferior construction and unreliable infrastructure can increase vulnerabilities. Catastrophe risk financing is one way of protecting multinational firms against major losses following a catastrophe.

Even if a business is lucky enough to escape the worst catastrophes, in today’s globalised world it can be indirectly impacted, explains Invensys vice-president of risk Chris McGloin.

“What organisations like Invensys have got to do is understand where their risks are: not just how your own locations can be disrupted, but the supply chain and the extent of the supply chain.”

He cites the 2010 eruptions of Iceland’s Eyjafjallajökull volcano, which grounded flights across much of Europe, and the Queensland floods, which triggered a drop in the global coal supply, as events which disrupted the flow of goods. “Threats to supply lines are always a concern because we do rely on things being done efficiently and smoothly.”

Learning lessons

In the Bowen Basin – home to Queensland’s coal mining industry – several operators declared ‘force majeure’ on their mining contracts, relieving them of their obligation to deliver to customers. Up to 50 of the state’s 57 mines were affected. While many were back up and running shortly after the floods, flooded pits and damage to key infrastructure and ports delayed recovery times for others, bringing exports to a halt.

Floods, wildfires and tropical storms are not unusual in Australia. Neither are earthquakes in New Zealand and Japan. What has come as something of a surprise is the aggregation of these events – each of them significant insurance events – affecting highly populated and industrialised areas.

The size of Japan’s magnitude 9 quake and resulting tsunami is also highly significant, McGloin says. “Natural catastrophes are an inevitable feature of the global risk landscape and most countries have experienced major events at some point in their history. The important thing is to learn the lessons and to be prepared to take actions to address those risks that are considered to be too great. Insurance can be very important to provide businesses with access to capital to recover from such events.”

The large gap between insurance loss estimates in Japan of between $20bn (€13.6bn) and $45bn and economic loss estimates of up to $300bn should make businesses wary, particularly that such a gap could occur in a developed nation with well-understood catastrophe exposures. While the Japanese government will assume a proportion of the losses, many are not covered.

Solid financial foundations

Selecting the right insurance partner is of primary importance when looking to manage the risk from earthquakes, windstorms, floods and man-made catastrophes such as terrorism. While hazards in the USA, Europe and Japan are well modelled and understood, understanding in other regions is less sophisticated. International insurers and brokers can share information on how to best mitigate exposures in a given location.

First and foremost, an insurer needs a solid financial strength rating, McGloin thinks. “You want to make sure you buy your cover from someone with the right sort of security rating or resources. A lot of the international carriers – if they’ve got broader spread and bigger resources – are better placed to provide that.”

While many will hope to be covered for losses as a result of property damage and business interruption, the claims story has not always been straightforward. In Queensland, some carriers provided full riverine flood and others only flash flood. There is also confusion over the number of events and length of each event (with reinsurance contracts typically limiting one event to 72 hours).

The picture is likely to be equally confusing in Japan, McGloin says, providing an important learning opportunity for multinationals in hazard zones. “If you look at an earthquake, a tsunami and radiation – three different triggers – the same

Cost of catastrophes

$5.58bn: Recent flooding in Australia, according to prime minister Julia Gillard

$12bn: February’s New Zealand earthquake, according to Swiss Re

$235bn: The World Bank’s estimate of what the 11 March Japanese earthquake and tsunami may cost the country’s economy – 4% of GDP

Source: Official sources

Page 27: StrategicRISK May 2011


questions will arise. You need good engagement with the underwriters and the brokers to make sure these sorts of scenarios are understood, and that the buyer and provider have an understanding of what the cover is really going to give.”

Business interruption has been a key attribute of the magnitude 6.3 earthquake that rocked Christchurch on 22 February. Firms in the central business district have been forced to move to temporary premises. In such circumstances, the ability to access capital for business continuity is of more immediate value than a traditional indemnity product, thinks Marsh New Zealand’s country head, Grant Milne. “Some businesses are still waiting for an assessor to look at their property. So no money is coming in and they can’t get their business back up and running. Some insurers are offering payments to assist with payroll and payment of bills, but the full policy payout might be some time away.”

He thinks there is inevitably an uninsured exposure for businesses affected by major catastrophes. “The biggest issue that exists, and that has been a discussion point from the last earthquake [the magnitude 7.1 Canterbury earthquake in September 2010] is very much around the depopulation scenario where people just leave the area so there’s less demand for businesses’ goods or services, and that’s an uninsurable risk.” SR

WILL CAT COSTS RISE?

The question on many risk managers’ lips at present is: Is Japan a market-turning event? In the international catastrophe insurance market, prices softened over the past six years. With Japan likely to prove the most expensive insurance loss outside the USA on record, could this push up premiums?

Invensys’s McGloin says his recent discussions with insurers and brokers suggest it’s too early to say because “even given the terrible extent of the catastrophe, it’s not clear how much of that is insured”.

All eyes were on the 1 April Japanese reinsurance renewals to see if carriers would respond. According to reinsurance broker Guy Carpenter, companies renewed unchanged capacity for earthquake pro rata treaties. However, for earthquake excess of loss covers renewal rates climbed by 15%-50% and windstorm cat XL rates grew by 3%-10%. The US market has also shown some signs of being in transition, with pricing flat or up slightly compared with decreases at the 1 January renewals.

“While the impact first-quarter losses will have on dedicated reinsurance sector capital for the full year remains to be seen, many reinsurers’ 2011 natural catastrophe budgets have been exhausted, and a portion of the sector’s excess capital has been absorbed,” says Guy Carpenter & Company’s global head of business intelligence, David Flandro.

Many experts predict the market will respond with localised increases in catastrophe rates, similar to the spikes witnessed in Chile and in the energy sector last year in the aftermath of the earthquake and Deepwater Horizon disaster.

[Chart: Insured catastrophe losses. Number of events 1970-2010. Vertical axis: 0 to $120bn. Series: weather-related nat cats; earthquake/tsunami; man-made disasters; total. Labelled events: Hurricane Andrew; Northridge earthquake; Winterstorm Lothar; Attack on World Trade Center; Hurricanes Ivan & Charley; Hurricane Katrina; Hurricane Ike & Gustav. Source: Willis Re]

Page 28: StrategicRISK May 2011


[Graphic: Global risk register. Labels: Societal risks; Environmental risks; Geopolitical risks; Political turmoil; War in the Middle East; Breaching sanctions; Crime and corruption; Governance failures; Terrorism; Slow US recovery; Exchange rates; Rising energy and commodity prices]

Trouble round every corner

From the protests in the Middle East to the rise of cyber crime and the continuing trials and tribulations of Western economies, these are nothing if not interesting times. StrategicRISK, in association with Marsh Risk Consulting, has released a report analysing European companies’ risks in five categories: economic, environmental, geopolitical, societal and technological.

The report summarises the comments of 30 leading risk management professionals in European companies. While their views varied somewhat, reflecting different sectoral concerns, the single issue that all voiced was the interconnectivity of risk and its unpredictability.

One example of this is last year’s ash cloud resulting from the Icelandic volcano eruption. Even companies that did not have suppliers in Iceland, and perhaps felt they had little or no exposure to natural catastrophes, did suffer disruption in deliveries. As one risk manager said: “There seems to be an increase in one risk triggering another – and that’s a risk in itself.”

Another risk manager foresaw problems arising from the Australian floods. His firm has no direct suppliers in Australia, but the country does supply raw materials to some of its producers and the floods may well affect the availability of these.

Interconnectivity is probably most apparent in the economic risk category. The ‘butterfly effect’ – that is, a small change in one place in a complex system that can have large effects elsewhere – has never been more apparent than in today’s globalised system. The financial markets are particularly interdependent.

A question of timing

Research for this report was undertaken in the first three months of 2011. It was a period when unforeseen political turmoil in some countries was at the forefront of everyone’s minds so, not surprisingly, geopolitical risks shared first place with economic risks in European companies’ concerns.

ENVIRONMENTAL

Most European businesses are concerned about the apparently increasing frequency and severity of extreme weather events. Most large companies consider their own organisations to be adequately protected, but perceive vulnerabilities in their supply chains that could disrupt business.

SOCIETAL

The perceived behaviour of a business and its senior executives can make it the focus of attention for demonstrators and adverse internet comments.

“Our security people are starting to think about social networking – instant messaging and the like,” said one risk manager.

At a time of heightened global turmoil, we asked Europe’s leading risk managers what they think will most affect their businesses

[READ MORE ONLINE] For more information on global risks, download StrategicRISK’s 2011 Risk Report at www.strategic-risk.eu or goo.gl/NdGTV

Page 29: StrategicRISK May 2011


[Graphic: Global risk register, continued. Labels: Economic risks; Higher risk transfer costs; Recession recovery problems; Restrictive regulations; Continuing recession; Increased competition from China; Protectionism; Inflation; Technology risks; Keeping pace with technological change; Data theft and leakage; Malicious hacking; Internet breakdown; Fraud]

Cyber crime costs the UK economy £27bn per year

Business IP theft: £9bn
Business espionage: £7bn
Extortion: £2bn
Online fraud: £1.5bn

Public debt as a percentage of GDP

Japan: 225%
Ireland: 94%
Portugal: 83%
Germany: 78%
UK: 76%
Spain: 63%
USA: 58%
China: 17%
Russia: 9%

However, if comment had been sought six months earlier, it seems likely that the recession would have headed the list.

Similarly, research was just coming to a close when the Japanese earthquake and tsunami struck. Would risk managers have rated the impact of natural catastrophes higher in the risk league if the research had been concluded a month later?

It is natural for commentators to react more strongly to the issues of the moment. With this in mind, it is interesting to see that terrorism and pandemics were not among the top five risks – although governments and health organisations would probably rate them higher.

It is clear that companies need to address the effects rather than the unpredictable and often uncontrollable causes of risk. For example, risk management of supply chain disruption – a major risk for most firms – needs to be robust, whatever causes the disruption. Companies need to be able to repatriate employees quickly and safely, regardless of where problems arise.

How has today’s risk environment affected the role of risk managers? Some of our commentators volunteered views. “The good news for risk management is that its relative importance in the eyes of the board has increased,” was one comment.

Another respondent stressed that risk managers cannot afford to operate in silos. “We have to help our business managers think more about what the knock-on effect might be of their decisions, how things may happen in conjunction with other risks the company may be running, and the ultimate major impact that might result – without getting in the way of the company’s ability to do business.” SR

CYBER CRIME

Cyber crime heads the list of technological concerns. The main loser from cyber crime is business, according to a Detica report for the UK government. UK business loses an estimated £21bn per year as a result of intellectual property theft and damage, said the report.

PUBLIC DEBT

In European countries with very high public debt, some companies regard higher interest rates and taxation as inevitable.

They are concerned that this, coupled with continuing recession, will impede their ability to invest and grow in these areas.

INSIGHT

Top 10 risks

1 Economic recession
2 Political turmoil
3 Climate change
4 Data theft and leakage
5 Regulation
6 Security of IT systems
7 Energy and commodity prices
8 Crime and corruption
9 Exchange rates
10 Civil unrest

Page 30: StrategicRISK May 2011


Iran

In October 2010, a computer virus called Stuxnet disrupted nuclear facilities in Iran. Stuxnet represented a significant leap forward in malware in that it specifically attacked software used in industrial infrastructure. There are rumours that Stuxnet may have also caused the failure of India’s INSAT-4B satellite in July 2010.

Belgium

In May 2008, Belgium accused the Chinese government of cyber-espionage, claiming that hacking attacks against the Belgian government had originated in China. Separately, Belgian minister of foreign affairs Steven Vanackere said that his ministry had been the subject of cyber-espionage by Chinese agents.

Georgia

As tensions rose over South Ossetia in August 2008, Russian and Georgian hackers launched attacks against each other. This included distributed denial of service attacks and the defacement of the Georgian Ministry of Foreign Affairs website using pictures of Georgian president Mikheil Saakashvili and Adolf Hitler.

South Korea

In September 2008, Seoul accused adversary North Korea of stealing documents from military officers using spyware and a female agent. The spyware attack saw malicious email attachments designed to steal documents from infected computers.

India

Government officials in New Delhi were said to have confirmed that Chinese hackers targeted the Ministry of External Affairs and the National Informatics Centre, which provides the network backbone for central and state government. The unnamed officials claimed that this was China’s way of gaining “an asymmetrical advantage” over a potential adversary.

Source: Various media and Sophos 2009 Security Threat Report

Rank Country

1 USA 37%

2 China 27.7%

3 Russia 9.1%

4 Germany 2.3%

5 South Korea 2.1%

6 Ukraine 1.8%

7 UK 1.7%

8 Turkey 1.5%

9 Czech Republic 1.3%

10 Thailand 1.2%

RISK ATLASCYBER CRIME

Hacking into insecurities

On 2 November 1988, 22-year-old Cornell University student Robert Morris released an internet worm capable of exploiting vulnerabilities in UNIX operating systems, infecting an estimated 10% of the internet. Over 20 years on, the scale of computer crime has grown astronomically. Internet attacks today are organised and designed to steal information from consumers and corporations.

The scale of global cyber criminal operations has reached such proportions that internet security firm Sophos discovers one new infected webpage every 4.5 seconds – 24 hours a day, 365 days a year. In addition, Sophos is sent some 20,000 new samples of suspect code every single day.

The USA, China and Russia account for almost three-quarters of the world’s websites that spread malware, according to research by Sophos. The US tops the chart, with just under three in every eight infected webpages based there. China, which was responsible for hosting more than half (51.4%) of all the world’s malware in 2007, has now almost halved its contribution to the problem.

The Czech Republic is a new entrant on the list and hosts over 1% of all the world’s malware. Poland, France, Canada and the Netherlands were in positions six, eight, nine and 10, respectively in 2007, but now have too few malicious websites to appear on the chart.

No one is immune

A number of well-known organisations have fallen foul of malware, including thousands of websites belonging to Fortune 500 companies and government agencies, which were infected in January 2008.

Traditionally done through emails, cyber criminals now primarily use the web to infect computers, often driven by political motivations. Immediately before releasing a series of leaked diplomatic cables, Sweden-based WikiLeaks (the whistleblowing website) suffered several distributed denial of service (DDOS) attacks, which succeeded in putting the website temporarily offline.

In an apparent act of revenge, sites that had refused to support WikiLeaks were targeted in return, with Mastercard briefly being forced offline and Amazon also targeted. The ‘hacktivist’ group Anonymous, which had previously mostly confined its actions to anti-pirate organisations and the Church of Scientology, was widely believed to have had a hand in these attacks, dubbed ‘Operation Payback’. SR

Cyber crime is becoming increasingly sophisticated, and increasingly malicious

Rank  Country    Share
1     USA        65.9%
2     UK         10.4%
3     Nigeria    5.8%
4     China      3.1%
5     Canada     2.4%
6     Malaysia   1%
7     Spain      1%
8     Ghana      1%
9     Cameroon   1%
10    Australia  1%

Top malware hosting countries

Where internet criminals reside

NB: Figures from US-based organisations

Page 31: StrategicRISK May 2011


[World map marking the ranked countries. Key: More than 30%; 21%-30%; 9%-20%; 1%-8%; Less than 1%]

IN ASSOCIATION WITH

Evelyn Rieger is a senior underwriter at Allianz

No certain safety

IT networks are essential to company management on all levels, including for example, R&D, production, purchasing and sales of goods, and provision of services. Processes, performance and results of a company therefore heavily depend on reliable IT systems, and any disruption of those systems can have a major impact.

IT risks such as malicious code attacks, user errors, wrong command input, and non-availability of systems can result in significant additional expenditures and even business interruption (BI). Today, corporations use electronic data exchange for communication – internally and externally – so what happens if a company causes damage to another during this process?

Far too often, these scenarios are underestimated and companies deem themselves secure by the use of firewalls and data back-ups, but total security is not achievable. Why is that? Data is invisible, and so are data claims at first. We all know the pictures of collapsed bridges and flooded landscapes – but the loss of data doesn’t conjure up any images at all.

Attainable security is limited and needs to be supported by prudent risk management. However, management, mitigation and avoidance of risk also raise the question of how to handle the remaining risk; whether this is borne by the company itself or whether it is transferred to a third party – the insurer – to protect the company’s balance sheet. Therefore both corporations and insurers are faced with the question of insurability of IT risks.

Traditional insurance pays for lost profit and standing charges as well as additional costs following a property damage. However, in many cases, BI and additional costs caused by IT faults occur without property damage (human error, misconduct, cyber crime, malicious code). Protection against such scenarios is becoming increasingly important.

EXPERT VIEW

Source: Internet Crime Complaint Centre and Sophos

Page 32: StrategicRISK May 2011


Page 33: StrategicRISK May 2011

Governance [ ETHICS ][ COMPLIANCE ][ REPORTING ]

> New rules: Bribery. The much-anticipated Bribery Act will come into force on 1 July 2011. Here’s what you need to do to comply


ENVIRONMENTAL LIABILITY

Taking responsibility

The Environmental Liability Directive is creating waves throughout Europe, but some have concerns that its ethos remains misunderstood

When it comes to environmental liability, there is a tendency to focus too much attention purely on the Environmental Liability Directive (ELD). “It is important to look at other environmental laws as well,” says ACE’s UK environmental practice leader, Wayne Harrington. While the ELD has provided a lot of regulation clarity, the UK, for example, already had a well-established tradition of environmental regulation before the ELD came along. In other parts of Europe, however, the ELD has introduced a new set of regulations altogether.

What the ELD does do well is focus a lot more attention on the consequences of environmental damage, says Harrington. It is a recognition that perhaps the traditional laws did not go far enough. Environmental claimants no longer have to prove fault or negligence. Instead, the new regime is based on strict liability, so it is easier for stakeholders and the public to hold polluters accountable. Furthermore, the ELD introduces new legal concepts for environmental damage, including compensatory and complementary remediation.

[Photo: Reuters] Fish kill: the cause of this incident in Louisiana has not yet been determined, but the area the fish were discovered in was impacted by the BP oil spill

Page 34: StrategicRISK May 2011


However, there is some confusion about how these potentially subjective concepts will be defined in reality. And how much they are likely to cost. For example, a pollution incident could fundamentally damage the environment but it may not be hugely expensive to put right. On the other hand, how does one put a price on the extinction of a species or the destruction of a natural habitat altogether?

The risks posed by a company to the environment may be the same wherever it has operations but the consequences of pollution are different depending on the jurisdiction – enforcement is in the hands of the local environmental authority, which means there are huge differences between each member state (see map above). Every place in Europe has legal nuances or types of legal defences that are either permitted or not. So far there have not been many cases to provide clarification of these matters.

Resourcing is another issue that regulators are struggling with. As public bodies reduce staff numbers, it is difficult for them to enforce rules as strongly as before. There could also be trepidation from governments to enforce environmental rules too strictly because of the tough economic climate. As witnessed in Hungary recently with the toxic sludge spill, governments don’t wish to put a company out of business.

Protect yourself

Fortunately, companies are more aware of their environmental responsibilities than ever before. But the trend in the corporate sector towards behaving more ethically and responsibly is slow.

“While companies may be more aware of environmental risk, they remain confused over the consequences,” says Harrington. “It is difficult for companies to understand clearly what the regulators will do if they are caught polluting. Or they may not be aware of what to do if they are caught or how to protect themselves financially against those consequences. Companies that pose a risk to the environment should be cash reserving adequately.”

A lot of companies cannot afford to assess their environmental risks, let alone pay a premium to transfer it. Others choose not to. In Scandinavia, the corporate insurance manager for truck, bus and engine maker, Scania, decided to seek an alternative form of insurance protection. “We don’t buy a specific environmental insurance policy,” says Martin Sijmons. “We prefer to extend the coverage of our

SPAIN AND PORTUGAL

A dam breach at the Boliden mine near Seville in 1998 led to one of the country’s worst environmental incidents. It has since adopted the most stringent approach to the implementation of the ELD. Portugal introduced mandatory financial protection against environmental risks in January 2010.

FRANCE

France transposed the ELD in August 2008, but there is no legal obligation to buy financial security against environmental risks. Companies are realising that their exposure and therefore their insurance needs have increased, says ACE continental Europe manager of environmental risk Dorothée Prunier.

GERMANY

Environmental law is mostly governed by federal acts. But administering and enforcing the law is left to the 16 states. It is one of the hardest markets to find environmental insurance in due to this patchwork of regulation.

UK

The ELD has added a substantial layer of liability. Previously, people were only concerned with traditional remediation costs, such as removal of pollution; now complementary and compensatory remediation costs can be levied as well.

Inset illustrations: Jonathan Edwards

Page 35: StrategicRISK May 2011


general liability policy to include sudden and accidental pollution.” He says the emphasis is on risk avoidance rather than risk transfer.

New prominence

The goal for the insurance industry is to eventually see environmental insurance viewed in the same league as other major classes, such as property or directors’ and officers’ (D&O) insurance. Harrington hopes it will become a major new class of insurance but he knows this will take time.

Risk managers need to be aware of their risks and the potential consequences that can occur if something goes wrong. Large corporates have picked up the issues quicker than most, but some don’t have a choice in the matter as they are subject to financial reporting requirements that dictate they have to disclose their environmental risks. Others have a less impressive stance.

But, in the current economic climate companies may be unable to pay if the consequences of environmental pollution are severe. For these businesses, preparing appropriately in advance could be the difference between life and death. SR


Mandatory insurance for Europe?

Following the Hungarian toxic sludge disaster and the Deepwater Horizon Gulf oil spill, the European Commission has been encouraged to reconsider its position on mandatory insurance protection for environmental liabilities. The Commission is currently considering an EU-wide compulsory scheme for all oil companies.

As it stands, financial protection is compulsory in only European countries. Ferma, representing the interest of risk managers in Europe, is against the idea and any type of mandatory insurance for large risks.

“We do not think there should be mandatory insurance,” says chairman of Ferma’s environmental liability working group, Pierre Sonigo.

“We feel there are sufficient solutions for the oil industry in the commercial insurance market, so there is no need to make it mandatory. As a principle, we are against mandatory insurance, because we think this increases prices and removes competition.”

Other options, such as self-insurance, disappear for risk managers if the government imposes mandatory insurance protection, says Sonigo.

“The EU wants to add security by creating guaranteed security schemes to pay for environmental damage, because it is the government that ultimately will have to pay. But this is not the way to do it.”

SPOTLIGHT

SCANDINAVIA

Not all companies choose to buy a specific environmental insurance policy. “We would like to prevent rather than insure,” says Swedish truck maker Scania’s corporate insurance manager Martin Sijmons. He doesn’t think the products exist for his company’s requirements. “We have to buy environmental cover in some markets, like Spain. But the ELD has not had much of an impact in Sweden.”

EASTERN EUROPE

Environmental liability in Eastern Europe is “a bit of a mess”, says chair of the environmental working group for Ferma Pierre Sonigo. Insurers aren’t touching the risks there, he says, because there are a host of facilities with poor safety records and environmental problems. But it is a concern that is likely to receive renewed attention following the toxic spill in Hungary on 4 October 2010.

[READ MORE ONLINE] For more information on environmental liability, download StrategicRISK’s 2011 Environmental Liability Guide at www.strategic-risk.eu or goo.gl/UX0vA

Page 36: StrategicRISK May 2011


BRIBERY

It could be you …

The Bribery Act, coming into force in July, widens the definition of bribery and holds directors responsible for failing to prevent it – even when it takes place abroad. Don’t get caught out

Tom Wilson, the chief executive of a health equipment supplier, is attending a board meeting in the City when police arrest him. He is relieved to hear the charge: they are trying to pin liability on him for the actions of a company agent in Mozambique. This agent has paid financial gifts to Mozambican customs officials to smooth deliveries of the firm’s equipment through the notoriously sluggish warehouses of Maputo.

Wilson says: “What does it concern me that an agent paid a bribe to an official somewhere I have never been, and in a place where these kinds of payments are made all the time by companies trying to keep ahead of the game?”

But he and countless other directors will have to think again, because such an arrest will become a real concern after the beginning of July 2011, when the UK Bribery Act comes into force. The act is significant for company directors because they can be held accountable for management lapses amounting to ‘commercial failure to prevent bribery’.

One of a series of international laws designed to combat cross-border corruption, the new act follows in the wake of the 1977 US Foreign Corrupt Practices Act (FCPA), which makes it possible to prosecute companies in the US courts for paying bribes to foreign officials, even if the offence took place abroad.

A tough act to follow

Enforcement of the FCPA is tough, as Paris-based telecoms firm Alcatel-Lucent found this year when it paid $45m (€31.2m) to the Securities and Exchange Commission (SEC) and $92m to the US Department of Justice to settle charges that it bribed foreign government officials to win contracts in Latin America and Asia.

The Bribery Act will catch situations where someone ‘offers, promises or gives a financial or other advantage to another person’ with a view to inducing them to ‘perform improperly a relevant function or duty’. Obvious examples in a business context include payments to government officials to obtain contracts, or to secure a reduction in customs or tax duty.

The new law covers payments to both public officials and representatives of private companies in the UK and abroad. The inclusion of private sector bribe recipients means that it goes further than the FCPA, which only covers bribes to foreign officials.

Bribes may be paid both directly and indirectly, for example, through a company’s agents and commercial representatives. This is an essential principle that is also in the FCPA and is important because most foreign bribery cases involve payments made through intermediaries.

In the past, it was commonplace for companies to avoid blame for bribes paid by their agents using part of their commissions. The UK authorities were already trying to put an end to the practice.

In September 2009, engineering company Mabey & Johnson was fined €6.6m for bribes paid through commercial agents in Ghana and Jamaica. This case was brought under the old corruption rules in the UK, so prosecutors are likely to make the most of their new powers since the new law specifically outlaws such third-party payments.

It also prohibits ‘facilitation payments’ – small payments to officials to speed up routine actions such as customs clearances – which are not illegal under the FCPA, so smaller as well as larger payments will now count as bribes.

Applying to companies incorporated in any part of the UK, the offence of failure of commercial organisations to prevent bribery applies whether the company’s acts or omissions take place in the UK or elsewhere, giving the UK very wide jurisdiction. The penalties for individuals include a fine or imprisonment or both; the potential penalty for a company convicted of bribery, or failure to prevent bribery, is an unlimited fine. But the act protects companies that have taken risk assessment and compliance seriously.

Failure of compliance systems has long been the target of anti-bribery rules. SEC director of enforcement Robert Khuzami

Key points

01: The Bribery Act makes directors accountable for commercial failure to prevent bribery

02: Facilitation payments are prohibited, as is using an intermediary to pay bribes

03: Penalties for individuals failing to prevent bribery are imprisonment or a fine, and companies can receive an unlimited fine

04: Corruption is known to be prevalent in the emerging markets of Russia, China and India

Panos Pictures

Page 37: StrategicRISK May 2011


said of the Alcatel case that “it was the product of a lax corporate control environment at the company”. There is a defence in the new law for companies that have ‘adequate procedures’ to prevent bribery. If an individual employee pays a bribe, such companies will be able to argue that this was a personal aberration, and not the result of a systemic failure.

What exactly constitutes ‘adequate procedures’ to prevent bribery is not defined by the act, but new guidance has been issued by the Ministry of Justice. Ernst & Young consultant John Smart says: “The tone of the document will be a welcome relief for some as it advocates proportionality and reasonableness in its guidance in parts of the act rather than strict interpretations and enforcement.”

All corners of the globe

Certainly those companies implementing a management plan along the lines recommended (see box, right) will be well prepared for the act. One of the biggest challenges facing companies will be assessing each territory where they operate.

As our map on indicative risk across the world shows, the 10 most corrupt countries – including Nigeria and the Democratic Republic of Congo – come as little surprise. But there remains an extreme and high risk of corruption across most of the globe. This includes the world’s fastest-growing developing countries: Brazil,

How to manage bribery

1. Ensure senior management articulate their personal commitment to high standards of business integrity.

2. Back this up with effective training and communication at every level of the business.

3. Compliance programmes that look good but are not backed up in practice will count against the company if it ever comes under investigation.

4. Risk assess each territory where the company operates.

5. Specific transactions – for example, negotiating for planning permission or importing expensive technical equipment – should also be individually risk assessed.

6. Subject new business contacts, prospective joint venture partners, or commercial agents to rigorous integrity with due diligence.

7. Split gifts and hospitality into three categories: generally acceptable (pens and mugs), acceptable subject to senior management approval (corporate entertainment), and never acceptable (bribes).

8. The act does not apply retrospectively and it may be some time before the first cases are brought. Monitor any developments as it beds down to ensure good practice is up to date.

PRACTICAL GUIDE

China and India – jurisdictions ambitious companies cannot ignore. The Chinese government has made efforts to tackle the problem, pursuing a concerted anti-corruption drive. However, corruption is prevalent in activities linked to government agencies such as public procurement, where the potential for gain is often the greatest.

High-risk sectors include construction, natural resources, banking and finance, and healthcare. Maplecroft chief executive Professor Alyson Warhurst says: “Monitoring corruption risks and government enforcement in supply chains, as well as ensuring compliance and preventative mechanisms are in place within one’s own operations, would seem prudent.” SR

Nigeria: ambitious

companies must be alert

to the corruption that

continues to grow in

their target countries

[READ MORE ONLINE] Download the Bribery Act guidance at www.strategic-risk.eu or goo.gl/rGpor

Page 38: StrategicRISK May 2011

Theory & Practice [ INSIGHT ][ CASE STUDIES ][ BEST PRACTICE ]


RISK MANAGEMENT

The building blocks of risk

Success breeds success, so the saying goes. But successful companies can also breed behaviour that creates risk to the business. And if it goes unchecked, such behaviour can lead to spectacular failure

Take a snapshot of success, fast forward a few years, and you discover how ephemeral it can be. On the 10th anniversary of the publication of Built to Last, for example, seven of the 18 companies selected by Jim Collins and Jerry Porras as exemplars of their principles either no longer existed or had experienced a major failure.

Success, while better than failure, creates its own risks. Some of those risks are based on the inevitable failure of successful companies to scale their risk management processes and systems to cope with a bigger and broader business. Many, though, stem from the response of employees, managers and investors to success. Here is a small selection of those risky behaviours.

1 DELIVERING THE NUMBERS BECOMES THE STRATEGY

Success creates inflated expectations of quarterly sales numbers. “Organisations become so focused on meeting next quarter’s earnings-per-share targets that manipulation is going on,” says Dean Kreymeyer, executive director of the Institute for Corporate Ethics.

WorldCom is the best example. When internal auditor Cynthia Cooper questioned the numbers, management warned her to “stay away” from her investigation. She worked secretly to expose the financial engineering that departmental heads were incentivised to put in place to make their numbers. For example, $771m of unused network was reallocated as “construction in progress”. When one departmental head refused to change his reported numbers to the satisfaction of his manager, general accounting did it for him – behind his back.

2 BANISHING NEGATIVITY

Success can weaken the position of the risk management function if its processes are seen to impede growth. After the £28bn merger of Bank of Scotland and Halifax Building Society, the entrepreneurial zeal of Halifax came to dominate. It created an organisation in which head of regulatory risk Paul Moore could be told by one employee that “we’ll never hit our sales targets and sell ethically”. Moore reported the failure of risk management to the board, and soon after was made redundant with no remedial action taken.

The culture can lead to “opinion shopping”, where the business will look for someone, anyone, to support destructive or dishonest behaviour. Thus Lehman Brothers reported its “Repo 105” loans as sales after an opinion offered by external UK counsel. US counsel had already rejected this course of action. After Lehman’s bankruptcy the court appointed examiner called the decision “actionable balance sheet manipulation”.

3 IT WORKED LAST TIME

The concentration of influence in a small group of managers who have delivered success can create a single-strategy company that gradually becomes exposed to massive risk from rare events. Northern Rock wrote mortgages for customers who were acquired by brokers. Its growth targets demanded that it borrowed wholesale money to lend as new mortgages. It securitised the loans and sold them to other banks. The bank was incentivised to offer ever-riskier products (125% mortgages) with fewer checks (self-certified mortgages). It became a giant one-way bet based on inter-bank wholesale lending remaining available.

4 WHATEVER WORKS CULTURE

Success driven by strong management can lead to failure driven by the same force. At Bear Stearns, ‘Ace’ Greenberg hired recruits who were ‘PSDs’: poor, smart and with a deep desire to get rich. These PSDs not only set the tone but could push through day-to-day decisions with devastating results, because they enjoyed the confidence of the management. This eventually led to a trader, Ralph Cioffi, creating a fund that was leveraged 35 times and blew up. His response? Create another fund, leveraged 100 times. When that also blew up, he tried to salvage it by creating a listed company to contain the toxic debt.

5 YOU RECRUIT TO WIN, NOT TO MANAGE RISK

Dr Doug Hirschhorn, who trains traders for investment banks, is surprised that only 10% of the banks he works for give potential recruits a personality test. So many take on the sort of behaviour displayed by traders: a tendency to over-trade, a lack of appreciation of real-time risk/reward outcomes, and an inability to accept that losses are sometimes inevitable.

Ally this with traders’ expertise in hiding these problems, and formal risk management practices are impossible to either teach or to implement. “A lot of behaviour is driven by how many people are watching,” Hirschhorn warns. SR

Tim Philips is the author of Fit to Bust, published by Kogan Page and available at bookstores and online

istockphoto.com/scibak

Page 39: StrategicRISK May 2011

If a company causes large-scale pollution, it can be extremely costly. Clearing up pollution takes time and money. You only have to look at how much BP had to fork out to clean up after the disaster in the Gulf of Mexico last year (around €25bn) as proof.

All sorts of stakeholders have an interest in the environment, so it’s hard for firms to duck their duties. The environment is also highly regulated now – the European Environmental Liability Directive (ELD), for instance, has introduced new rules.

Here are some things that companies can do to ensure issues get resolved more efficiently.

1 HAVE EFFECTIVE ENVIRONMENTAL RISK MANAGEMENT PLANS

First things first: companies should have site-specific contingency plans and emergency response procedures to prevent significant environmental damage occurring in the first place.

2 ESTABLISH THE ENVIRONMENTAL BASELINE FOR EACH SITE OF OPERATION

You cannot manage what you do not measure. Companies should define, as comprehensively as possible, the quality and status of the ecology and habitats that existed around their sites before the disaster.

Effectively defining this baseline involves an economic evaluation of the natural environment surrounding and in close proximity to the site of operation.

Once a baseline of environmental quality has been established to the satisfaction of the environmental regulator, then the extent of remediation, restoration and compensation that will be required to return the ecosystems and habitats to their prior condition can be defined.

3 AGREE THIS WITH THE REGULATOR

Agreement with the regulator will then be required on the extent of remediation and restoration considered necessary.

Preferably a baseline would have been established, documented and agreed with the regulator prior to any environmental damage occurring.

If not, the regulator may infer a scope of restoration required based on a speculative view of the environmental quality prior to the event and, as such, the cost of the loss could be highly uncertain.

4 DEFINE THE “VALUE” OF THE ENVIRONMENT

The environment’s ‘value’ is based on the resources it provides. This can include direct value (wood, agriculture, food, water etc.) and indirect value (walking, leisure and public space).

5 ESTABLISH A MAXIMUM PROBABLE LOSS ESTIMATE

This is an estimate of the scale of liabilities associated with environmental damage, based on maximum probable loss analyses for each site. Research has shown that the new ELD requirements for ‘complementary’ and ‘compensatory’ remediation could increase the costs of remediation 40 times.

The maximum probable loss estimates should be based on scientific evidence concerning the species, ecosystems and habitats at risk, and the potential loss scenarios that could be envisaged for the site and operations. This will include an estimate of the extent of ecology and habitat destruction that it is possible to envisage and the possibility for wider damage.

It’s also worth considering that remedial action may not be compatible with the baseline status, in that the precise replacement and restocking of species, communities, habitats and ecosystems may not be possible on a like-for-like basis.

6 CONSIDER WHETHER INSURANCE IS NECESSARY

Review requirements of financial security and environmental insurance associated with the potential to cause environmental damage at individual sites of operation, based on nature and scale of activity.

The maximum probable loss will help to inform this decision-making process with regards to issues such as the appropriate limit of indemnity to be gained should environmental insurance be considered necessary.

The implementation of the ELD in certain parts of Europe has included a mandatory requirement for operators of high-risk activities to hold financial security. Insurance is one of the most popular methods of financial security.

Cliff Warman is the environmental practice leader for the EMEA region at Marsh

ENVIRONMENTAL CLAIMS

How to manage environmental damage

A few steps can go a long way towards minimising harm to the environment and dealing with clean-ups quickly

KNOWLEDGE: Life after Chernobyl

Almost 25 years on, the Chernobyl exclusion zone still exists. Yet where humans fled, wildlife now thrives. Many species, including rare ones such as the lynx and eagle owl, inhabit the area, and trees have re-grown. But some environmentalists remain sceptical. “The trees are having a terrible time knowing which way is up,” James Morris, a USC biologist, said.


Page 40: StrategicRISK May 2011


IT’S YOUR COMPANY’S MOST valuable asset: a technological breakthrough, a unique database, a list of important clients, a project under development. Whatever it may be, it has taken years or decades of work and investment. Yet it can be taken in a moment by cyber criminals.

Commercial cyber crime is growing at an exponential rate around the world. In the UK, the combined loss to businesses of intellectual property theft and industrial espionage alone is £9.2bn a year, although “the real impact of cyber crime is likely to be much greater”, says a government-commissioned study by Detica.

Commercially useful ideas, designs, methodologies and trade secrets are all on cyber criminals’ hit list. “If a product is attractive to somebody on the outside, it’s under threat,” says Stuart Poole-Robb, chief executive of risk specialist KCS Group.

No business with saleable intellectual property is safe, says Will Thomson, director of Cardiff-based 4Secure. “Companies ask ‘why would anybody come after us?’” he says. “I tell them to look at what they’ve got that somebody else might want.”

The utilities, medical, pharmaceutical, media, software, financial, electronics and telecommunications sectors are particularly at risk. But the fact is that any intellectual property-rich organisation where transaction volumes are high may be considered a target for highly professional, IT-savvy cyber criminals working from anywhere in the world.

And although industry professionals say there’s no single solution – “all organisations are different” points out Thomson – there are several simple measures that can and should be taken.

1 VALUE YOUR ASSETS

Start by conducting an audit of all the company’s intellectual property and assessing its external value. KCS Group managing director Massimo Cotrozzi says: “Many companies have no idea what their level of risk is.” Typically, even those that do attempt to put a price on intellectual assets they think are at risk from cyber crime often make the mistake of under-valuing those they may not consider important, but which others will for different reasons.

2 DRAW UP A BUDGET

Draw up a protection budget that bears a sensible relationship to the value of the property. “Many companies have ridiculously low budgets that are not comparable with the importance of the business involved,” Cotrozzi says. “Obviously it makes no sense to protect a £1bn formula with a £100 bit of software.”

3 GET TECH SAVVY

Don’t think the company is safe just because it’s got all the latest firewalls and other software. “Anti-virus software can’t defend itself against viruses it doesn’t know about,” Poole-Robb explains. “The best gateway into a company is an email address.”

The big danger may not be inward traffic anyway. As Thomson says, “companies focus too much on what’s coming in instead of on what’s going out.”

4 ERASE SENSITIVE DATA

Recovery specialist Kroll Ontrack says that more than half of all firms leave commercially useful information on old computers and hard drives. A Ponemon Institute study, sponsored by Symantec, in March 2011 said: “The average data breach incident cost UK organisations £1.9m, or £71 per record.”

5 PROTECT YOUR DATA

Push data protection disciplines throughout the company, for instance, by forbidding employees from using obvious passwords because hackers always work their way through a disciplined system based on our human foibles. And don’t leave passwords in obvious places.

6 STICK TO THE CODE

Too few companies have strict codes of online conduct backed up by effective enforcement, says 4Secure’s Thomson. “Employees always try to circumvent the system,” he says. Much cyber stealing can start from Hotmail, Gmail, flash files and other documents downloaded onto the desktop.

7 CHECK YOUR STAFF

Run short-term or contract staff through a security check. It’s not uncommon for a cyber criminal to get through the door as a replacement cleaner or employee. “Checks on short-term workers are usually inadequate,” Poole-Robb says.

8 NEED-TO-KNOW

Throw a ‘security perimeter’ around the company. Intellectual property should be assigned levels of importance according to its external value and made available on a need-to-know basis. Thus only designated employees should take designated data into an unsecured wider perimeter.

9 MOBILE PROTECTION

Develop a mobile phone policy. Mobiles often contain important data, but are often badly protected.

10 TREAT DATA WITH CARE

The most sensitive data should be treated like pure gold. The biggest private equity firms only release details about a major investment in a fully protected room where nothing can be downloaded, copied or removed.

CYBER CRIME

Strengthen your defences against cyber attacks

You might think your intellectual property is safe, but cyber crime is a fast-growing threat. Here are 10 steps you can take to protect your company’s deepest secrets

Derailed: China has been accused of stealing Japan’s high-speed train technology. Kawasaki of Japan is one of the companies whose designs and innovations are said to have been cloned

Reuters


VIEWPOINTS [ PEOPLE ][ OPINION ][ COMMUNITY ]


WHAT’S INSIDE YOUR HEAD?

Headspace

Igor Mikhaylov of Russia’s Mobile TeleSystems is willing to throw routine out of the window for new challenges

What are you thinking about right now? The recent natural disasters in Japan. Sometimes, after tragedies such as this, there is a buying fever for personal protective equipment or food and water. It’s not possible for companies to serve that kind of peak in demand. And natural disasters can’t always be predicted. If you want to prepare for these disasters, you need to manage risk in advance. But where’s the line between being pragmatic and being paranoid?

What is your greatest fear? Losing people who I love. The most important thing is to live life properly and make the most of it.

What was your most embarrassing moment? It was during a school performance when I was young. It was such a successful performance that we were asked to perform in front of the whole school, our parents and teachers. But I hadn’t rehearsed properly so I felt nervous and couldn’t remember the script. I decided to lay parts of the script on the stage so I could read them during the performance. But I messed up because I paid too much attention to where the script was rather than focusing on my act.

What is your most treasured possession? It’s difficult because I don’t attach much importance to material things. But I could say my electric piano.

What makes you happy? I’m happy when I reach my targets, especially ones that seem unachievable. I’m happy to dare to solve problems that others refuse to do. I enjoy learning about new technologies and different applications of existing technology. I’m amazed by complex architecture, aerospace engineering, hybrid technologies, composite materials and hydroponics (growing plants in water without soil) – as well as many other advances in life.

What makes you unhappy? Boring routines. At work, if operations become tiresome because they stay the same for a long time it makes me unhappy. Politics make me unhappy, particularly when it conceals inhumanity.

Who is your greatest hero? I try to follow the example set by some remarkable and distinguished relatives of mine. They are my heroes because they played such important roles in society, science, economics and business. My grandfather worked for Unesco as a department head where he was involved in several large projects. He once directed an exhibition in Moscow and was a member of a delegation that hosted the Queen of England. My father is a professor and distinguished scientist of geophysics. And my brother works in the oil and gas industry.

What’s the biggest risk you’ve ever taken? As a student I travelled very far to a Russian downhill ski resort. It was a spur of the moment decision and I hadn’t really done my research about skiing there. When I arrived I realised the ski hill was on the edge of a Chechen warzone. There were no tourists there because of the risk of being kidnapped. The locals all carried guns.

What is the worst job you’ve ever done? Early in my career I was responsible for pricing strategy for radio networks. I was asked to prepare a presentation that I knew wasn’t necessary because everyone already knew the information. Afterwards the audience told me it was a waste of time.

What is your greatest achievement? Graduating from Moscow Institute of Physics and Technology. The Nobel Prize for Physics was recently awarded to two scientists from here. In 2010, I won a Risk Management Award in Russia from RusRISK.

What is the most important lesson you’ve learned? Never give up. Only ever set yourself difficult targets. Never agree to do something if you don’t believe in the end result.

‘I realised the ski hill was on the edge of a war zone. There were no tourists because of the risk of being kidnapped and all the locals carried guns’

Illustration by Richard Phipps

Igor Mikhaylov is head of the risk management division at Mobile TeleSystems, Russia
