European risk and corporate governance solutions
www.strategic-risk.eu
[ May 2011 ] Issue 70 €25
NEWS & ANALYSIS » Benefits of a healthy workforce » Egypt’s road to recovery » Risk managers’ cyber fears »
VIEWPOINTS [ PEOPLE ] Nicola Harvey of Christie’s and Coca-Cola Hellenic’s Adam Greene share their views on the risk management career path
RISKS [ THREATS ] Breaking a UN sanction could mean a hefty fine and having your profits seized. And the risks are likely to escalate as political volatility rises
GOVERNANCE [ COMPLIANCE ] Everything risk managers are expected to know about the Bribery Act as it is finally enforced
THEORY & PRACTICE [ BEST PRACTICE ] Cyber theft is a fast-growing threat. Here are 10 things that risk managers need to do now
The mistakes that almost caused a meltdown and what it means for risk managers everywhere
Trouble at the top: Success can breed behaviour that creates risk
Risk financing: The options for transferring natural catastrophe exposures
NUCLEAR FALLOUT
UAE and Syria form the top 10 at risk countries, respectively.
Six of the 12 members of the Organisation of the Petroleum
Exporting Countries are in the highest risk category, while a
further two are rated ‘high risk’. Collectively, these countries
produced approximately 45% of all global oil in 2009.
A lack of access to water can have a large number of direct
and indirect effects and the repercussions can reverberate
globally, said Maplecroft. Large quantities of water are needed in
the production of oil, so if sufficient water is not available
productivity will decrease and operations will be interrupted,
which could significantly affect global oil supply and prices.
web. goo.gl/fmBSe
Bulgaria should do more to prevent, report,
detect and prosecute foreign bribery cases,
according to a new report by the Organisation
for Economic Co-operation and Development
(OECD) Working Group on Bribery.
The OECD recently completed an
evaluation of Bulgaria’s enforcement of the
anti-bribery convention. Bulgaria should also
raise awareness of bribery offences, provide
more training and substantially amend and
enforce its laws better, argued the OECD.
Bulgaria has one conviction for foreign
bribery and is involved in an investigation in
a second case.
web. goo.gl/amrD6
05 LEGAL
Bribery Act guidance here
Online Contents
Most read stories
UK guidance for the Bribery Act
web. goo.gl/4jBIk
Bribery Act training
web. goo.gl/vJzgu
Court ruling could cost banks £4.5bn
web. goo.gl/z2Ee9
Tohoku quake could cost insurers £16bn
web. goo.gl/mUfYh
2011 StrategicRISK Report
Download your PDF of the 2011 StrategicRISK Report, which brings
together the views of 30 leading
European risk managers.
web. goo.gl/NdGTV
Infographic: Cyber crime
Notwithstanding the recent wave of
politically inspired cyber attacks
against and in aid of the WikiLeaks
whistleblowing website, financial gain is still the usual motivator
for cyber crime. Here’s our graphic
explaining how a sophisticated cyber
crime ring works.
web. goo.gl/6JV1B
07 INTERNATIONAL RISKS
Violence in Syria intensifies
Armed units from Syria’s Presidential Guard and Mukhabarat
(military intelligence service) have begun large-scale killings of Sunni
protestors, according to political risk analysts.
As the crackdown on unrest in Sunni strongholds intensified,
credible source reports indicated that soldiers who have refused to
shoot civilians have been executed, said Exclusive Analysis in a special
incident update.
Armed security forces also closed the border with Jordan. The
Syrian state media has continually portrayed the uprisings as a
foreign-sponsored insurgency, and confirmed that troops searching
vehicles on the border have found weapons and ammunition being
smuggled into the country in cars.
web. goo.gl/m8NzA
10 INSURANCE
Ferma welcomes liberalisation of Brazil’s insurance market
The Ministry of Justice
released its final guidance on
the Bribery Act, detailing what
it considers to be “adequate
procedures”, as well as what
constitutes hospitality and
facilitation payments.
The Act could result in an
unlimited fine for a firm
failing to prevent bribery.
The guidance
contains some interesting
developments since the draft
last year, said Ernst & Young’s
head of fraud investigation
practice, John Smart.
“There are six key
principles of adequate
procedures, consistent with
the earlier consultation
document, but two of them
have been changed.”
web. goo.gl/b5IOf
Ferma has welcomed a decision by
the Brazilian government to liberalise
its insurance market following concerns
from risk managers, insurers and
brokers.
A new resolution will allow insurers
to transfer up to 20% of reinsurance
treaties to foreign-based companies that
are linked or belonging to the same
financial conglomerate.
But Ferma believes the concession is
only a step in the right direction, and is
now calling for more measures to liberalise
the market.
web. goo.gl/KZJ3J
08 REPUTATION
Rolls-Royce tops brand poll
09 REGULATION DAMAGE
Bank reforms won’t damage competition
Rolls-Royce Aerospace is the most
reputable company in the UK, according
to the Reputation Institute’s 2011 UK
RepTrak Pulse Study.
The report, which measures customer
perceptions of top UK companies on a
‘pulse’ scale of 0-100, ranked Rolls-Royce
top, with a score of 86.89, ahead of Dyson,
Alliance, Mothercare and Next.
Despite recent controversy – one of
their engines exploded mid-air – the
company received an extremely high
score in the area of products and services,
with 93.37.
The UK’s Independent Commission on
Banking (ICB) released a report on the
future of Britain’s banks to a mixed
response. As predicted, its key suggestion
was that big banks’ retail wings should
be ring-fenced from their investment
operations. The report also recommended
that banks hold more core capital –
around 10% of their loans.
The report failed to suggest a radical
division of ‘universal’ banks into
independent retail and investment banks,
and was criticised for recommending
vague and disappointing changes.
Pointing to the importance of
keeping Britain competitive for business,
ICB chairman Sir John Vickers refuted
such claims, insisting: “I absolutely reject
any notion that we bottled it.”
web. goo.gl/ocDCl
06 EMAIL
Data breach exposes customer info
Attacks on major US email
marketing firm, Epsilon, have left
customers’ private data exposed.
UK retail giant Marks &
Spencers, which lost customer data
in the breach, released a statement
assuring customers that it does
“take privacy very seriously” but
added that customers should be
prepared for spam and phishing
attacks.
The breach came as part of a
much wider attack on the US
email company, in which the
private data of millions of
customers of some of the world’s
most recognised companies
– including JP Morgan Chase,
Hilton Hotels, Citigroup and
Capital One – were stolen.
web. goo.gl/au08o
RISK INDICATOR [ VISUALISING DATA AND TRENDS ]
HEALTH MANAGEMENT
Running a healthy company
AS COMPANIES BECOME
increasingly aware of the economic
benefits of a healthy workforce, more
and more employers are investing in
healthcare risk management plans.
Case studies show that health risk
management systems have brought
significant returns to those companies that
have implemented them, and while these
may take time to show, the financial
benefits of reduced sick leave and absence
within a workforce are significant.
However, many businesses simply do
not account for the impact of absences: a
2010 Investor in People report revealed that
only a quarter of UK employers calculated
the cost of absence to the business, despite
reports that employers spend up to 10% of
their annual pay bill managing the direct
and indirect fallout of high absence rates.
Though it may require short-term outlay,
the benefits of improved employee health
are, as Dame Carol Black’s 2008 government
report suggested, resoundingly clear. While
employers will not want to be accused of
failure to provide care or, conversely,
nannying their staff, getting the balance
right can bring long-term dividends,
regardless of the size or nature of the firm.
BT case study
The telecommunications giant saved £3m in March
2003 alone. By setting up flexible working hours, the
company retained 98% of those who took maternity
or extended leave, saving in retraining costs.
Companies are switching on to the benefits of adopting a proactive healthcare risk management plan
THE BIG NUMBER
SETTLEMENTS
Top five [ US SANCTIONS SETTLEMENTS ]
OVERHEARD
“Soundbites”
1. Credit Suisse – $536m
The US Treasury’s Office of Foreign
Assets Control settled for a record
sum in December 2009 after
helping clients to violate sanctions
agreements against Iran, Sudan
and Cuba.
2. ABN AMRO – $500m
ABN admitted systematically
violating US sanctions against Iran,
Libya, Cuba and the Sudan between
1995 and 2005. It settled in May 2010.
3. Lloyds TSB – $350m
Found guilty of violating US
trade sanctions against Iran by
facilitating customer transactions,
Lloyds settled in January 2009.
4. Barclays – $298m
Found guilty of breaking trade
sanctions against Iran, Cuba, Libya,
Myanmar and Sudan, Barclays
settled in August 2010.
5. UBS – $100m
Over eight years, UBS transferred
$4-$5bn to countries under US
sanctions and settled in 2004.
Source: various media
‘Where is the line between being
pragmatic and being paranoid?’
Igor Mikhaylov Mobile Telesystems
>> see Headspace pages 40
‘The chemical imbalances in your
brain that occur if you skip
breakfast can affect how you
make decisions.’
Adam Greene Coca-Cola Hellenic
>> see Viewpoints pages 15-17
‘The world feels like a smaller
place, and threats to supply lines
are always a concern because we
rely on things being done
efficiently and smoothly.’
Chris McGloin Invensys
>> see Risks page 24-25
20km This is the radius of the
exclusion zone around
Japan’s Fukushima Daiichi
plant that authorities have
begun enforcing.
The damaged nuclear
reactor has continued to
emit harmful particles after
the earthquake and tsunami
caused damage on 11 March.
The plant’s operators expect
it to be around nine months
before they bring the
damaged reactors to a cold
shut down.
Eighty thousand people
live in the affected zone.
Residents will be allowed to
enter to visit their houses,
but they will have to wear
protective suits and be
decontaminated when
they leave.
JAPAN EARTHQUAKE
Fukushima crisis second only to Chernobyl in severity
JAPAN’S FUKUSHIMA NUCLEAR CRISIS
is the second worst of its kind, topped
only by the 1986 Chernobyl disaster, says
leading nuclear expert Wolfgang Weiss.
Weiss, chairman of the UN Scientific
Committee on the Effects of Atomic
Radiation, said it was “not as dramatic as
Chernobyl, but it is certainly much much
more serious than in Three Mile Island.”
The claim comes a month after the crisis
first hit, with the exact consequences still
unknown. Weiss noted that “the information
we are getting is far from pointing out an
accurate picture … measurements are
patchy and unclear”.
The Japanese authorities began by rating
the severity of the incident at level 5 out of a
possible 7 – a level previously only ever
achieved by Chernobyl. But it was later
upgraded to level 7, in recognition that
dangerous amounts of radiation had escaped
the plant, causing a serious risk to the public.
Although nuclear technicians are
battling to contain the crisis, the emergence
of traces of nuclear material originating
from Fukushima as far away as Glasgow
suggests the threat is still very real.
FALLOUT FACTS
FINANCIAL COSTS
• Chernobyl cost 18bn rubles ($600bn)
• Fukushima costs are around $50bn
• The Three Mile disaster cost around $1bn
EXCLUSION ZONE
• 30km Chernobyl
• 20km Fukushima
• 15km Three Mile
Sources: The Battle of Chernobyl, Execution Noble and American Scientist
Although they are rare, the consequences of industrial disasters can be
devastating. Considering the history of industrial disasters and the nature of
the industry, most companies can claim strong health and safety records,
ensuring that casualties and damage remain at a minimum. Yet, although the
accident rate has reduced in recent years, it takes only one incident to
irrevocably destroy a company and an industry’s reputation and, along with
them, potentially many lives.
DATABASE
The worst industrial accidents in Europe
Prestige oil spill: £3bn
The Prestige spilt 20 million gallons of crude oil into the ocean, damaging thousands of kilometres of Galician coastline around France, Spain and Portugal in November 2002.
Piper Alpha: £1.7bn
An explosion and consequent fire on this North Sea oil rig in July 1988 resulted in 167 deaths.
AZF factory disaster: £1.5bn
In September 2001, a factory producing ammonium nitrate in Toulouse, France, exploded, killing 29 people and injuring thousands.
NEWS ANALYSIS [ CONTEXT & INSIGHT ]
Cost of revolution: A drop in
tourism could provoke further
unrest but analysts are
optimistic about future stability
INSPIRED BY THE JASMINE
Revolution in Tunisia, a wave of
revolutionary fervour has swept across the
Middle East and North Africa.
Some of these uprisings have proved
successful, others have faltered,
underscoring the huge dangers of
protesting against totalitarian regimes. For
countries across the region, Egypt serves as
a paragon of hope for stability.
Despite important political and
social progress, however, economic
conditions remain unstable in Egypt.
A significant drop in tourism and
employment rates, combined with
increasing commodity and food price
inflation (up 11.5% on last year) threaten
further unrest if, as Tunisian finance
minister Jaloul Ayed said at the US-Islamic
forum, “democracy doesn’t translate soon
into well-being”.
Yet the tone is one of cautious optimism
amongst economists and risk analysts.
Beazley’s head of political risk and
contingency, Adrian Lewers, told
StrategicRISK that Egypt is on a “positive
trend line”.
“The rate at which Egypt has resolved its
situation has been quite astonishing. We
must recognise that there will be wobbles
along the way, but there are strong prospects
for stability and democratic government.”
Climate for investment
Moves towards stability are gathering
momentum since the General Authority for
Investment (GAFI) chairman Osama Saleh’s
announcement of measures to attract
foreign investors and encourage domestic
business expansion.
This follows the announcement of a
five-year 500m Egyptian pound (€58m)
investment in Egyptian healthcare by
GlaxoSmithKline and a proposed review of
Egypt’s gas export contracts – intended to
raise €1.7bn-€2.25bn in extra revenues.
Despite an International Monetary Fund
report this week that revealed a contraction
POLITICAL RISK
Egypt shows us the way forward
Public and investor confidence is growing in Egypt following the arrest of the Mubaraks, a corruption investigation and measures to foster business expansion. But its neighbours face a more troubled future
America’s assets in the Middle East,” said
Skinner. “Unlike Gaddafi in Libya, Bashar
carries substantial political and economic
weight in the Middle East and North
Africa region.”
If foreign investors pull out of Syria,
companies with remaining assets in the
country will be faced with a struggle to
mitigate increasingly likely losses.
“The main risk for companies is
physical damage to assets, and all they can
really do is to try to protect them,” Lewers
said. “There might be insurers willing to
discuss terms, but it will be expensive.”
As in Yemen and Bahrain, the violent
suppression may be intended as a political
quick fix, but it will potentially cost Syria
billions in lost business and international
alienation. SR
‘The rate at which Egypt has resolved its situation has been quite astonishing. There will be wobbles along the way, but there are strong prospects for stability’
Adrian Lewers, Beazley
of GDP to 1%, the mood in Egypt remains
buoyant. With the arrest of Hosni Mubarak
and his sons and a wide-reaching corruption
investigation, both public and investor
confidence is growing.
Analyst for political risk consultancy
Maplecroft, Anthony Skinner, told
StrategicRISK that while investors will take
a “wait and see attitude”, the move away
from Mubarak’s regime will offer companies
“fewer risks of complicity in corrupt
government, an improved corporate profile
and potentially strong benefits”.
An online poll conducted by Egypt’s
most popular political website revealed that
75% of Egyptians maintained a ‘cautious
optimism’ for their country’s future.
Turbulent outlook for Syria
Yet, while Egypt staggers towards a
transparent and democratic future, much of
the Arab world can only look on in envy as
unrest in Yemen, Bahrain and Syria escalates.
In Syria, there are reports of large-scale
killings of Sunni protestors by the
Presidential Guard and Mukhabarat
(military intelligence). While Syria’s
president Bashar al-Assad had intended to
quadruple foreign investment by 2015 to
$55bn (€62m), the violent suppression of
Syrian citizens could scare western tourists
and businesses away from the region and
increase the intensity of uprisings.
But international intervention,
particularly from the USA, is unlikely. “If
the Obama administration puts pressure
on Syria, then they are likely to use
Hezbollah to pressure Israel along with
The Risk Index
‘China is one of the countries suffering most from hacking’
A Chinese government report, The Internet in China, states
142 Chinese public security departments dealt with this many computer crime cases in 1998, according to official sources
48,000 The number of official computer crime cases in China in 2009
18m The number of Chinese computers infected by the Conficker virus every month
42,000 The number of Chinese websites distorted by hackers
Source: The Internet in China, a report by China’s State Council Information Office
COMPUTER CRIMES (AKA CYBER RISKS)
are a major concern in China. It’s at the
point where an official report from the
Chinese authorities (which are not known for
their transparency) has stated that cyber
crime is growing and is being taken seriously.
“Online fraud, online theft and other
forms of crime that encroach on the
property of others are increasing rapidly,”
said the government white paper The
Internet in China. “Crimes such as producing
and spreading computer viruses, and
computer and network hacking are
increasing.”
But China is not the only country with
a serious internet security problem (see
Risk Atlas, page 28). A recent report from
Detica, commissioned by the UK
government, estimated that cyber crime
costs the UK economy £27bn (€30.5bn) a
year. The lion’s share of this figure (£21bn)
is stolen from the private sector. It’s
unsurprising that recent research by
StrategicRISK, which involved in-depth
interviews with 30 leading European risk
managers, highlighted cyber crime as one
of the interviewees’ biggest concerns.
Those companies that rely on the
internet to do business are most vulnerable
to cyber attacks by criminals, competitors or
disenchanted employees. Intellectual
property theft or industrial espionage –
which Detica says costs UK businesses £9bn a
year – is also a big worry for risk managers.
“We put a great deal of effort into
security, training and communication about
information leaks, because much of the
value of our business is tied up in knowledge
– and it’s not the kind of knowledge you can
put patents or copyrights on,” one risk
manager told StrategicRISK.
Risk managers recognise that data
theft is not purely an IT issue. It’s clearly
necessary to monitor the people handling
the information, including those joining
and leaving an organisation. Yet several
risk managers admit that their security
systems are not up to scratch.
As one risk manager puts it: “The
biggest possible source of leakage of
information walks out of your offices and
factories every day – it’s your people.” SR
TECHNOLOGY
Companies lose £21bn a year to cyber crime
‘Much of the value of our business is tied up in knowledge – and it’s not the kind of knowledge you can put patents or copyrights on’
While China battles with an internet crime wave that even its government must recognise, data theft is a key concern for European risk managers
KNOWLEDGE
Bank fraud on the rise
The UK’s National Fraud Authority revealed that online banking
fraud increased by £60m (€67.7m) from last year, a rise of 14%.
According to the Office of Fair Trading, 39% of those who
were scammed did so through money transfers, with 7%
losing over £4,000.
Web of deceit: China’s
internet user population
has reached 298 million as
computer and network
hacking continues to rise
NEWS FEATURE [ COVER STORY ]
State of emergency: despite
intense efforts to avoid meltdown
in the Fukushima plant, Japan had
to raise the threat level to seven
‘People are frightened of anything that they can’t see, or that they can’t understand’
Alexia Ash, Exclusive Analysis
NUCLEAR RISKS
Braced for impact
The natural disaster in Japan has shown just how vital preparation and planning is, but for complete cover, companies and organisations must expect the unexpected
EVEN FOR A COUNTRY FAMOUSLY WELL PREPARED for natural disasters, it was the nightmare scenario: at 14:46 on 11 March, a massive, magnitude 9 earthquake barreled through the seabed off Japan’s north-east coast, creating a tsunami that devastated the coastal zone. Among the resulting chaos, there was one question that became more and more urgent: what about the nuclear power stations?
Despite initial reassurances, within hours a state of emergency was declared at the Fukushima nuclear facility, and suddenly the global media was locked on. But despite everything that has happened at the Fukushima nuclear complex, there are reasons to be reassured; in many ways the reactors did exactly what they were designed to do.
When the quake hit, all the operating reactors ‘tripped’, safely halting the nuclear fission process. But because the fuel continued to produce large amounts of heat, the battle was on to keep it cool and avoid a catastrophic meltdown. This has been far from easy, and a month after the quake, on 12 April, the Japanese authorities raised the threat level to seven – the same status as Chernobyl.
Damage control
Despite the seriousness of the evolving crisis, however, leaks seem to have been minimal, with only the equivalent of 10% of the radioactive material released during the Ukrainian disaster in 1986 being detected in Japan.
In fact, because the disaster was so massive and the leaks – at least so far – have had minimal health and environmental impacts, the prominent UK journalist and activist George Monbiot wrote in The Guardian recently that the disaster has convinced him nuclear power is the safest way to combat climate change.
But his response was unusual and the situation is still developing. Initially, by far the most common reaction was panic, with embassies issuing warnings and hundreds of ex-pats fleeing Tokyo. There were reports of private jets being hired by bankers who didn’t care how much they cost, they just wanted out.
“I think a lot of the reaction we saw initially in the aftermath will be reconsidered when the – literal and metaphorical – smoke clears,” Exclusive Analysis risk analyst Alexia Ash says.
“We will see what we are seeing already in places like Iran, where they first said they would be reconsidering nuclear power and now seem to be moving forward with it again.
“[In Fukushima] we had a situation where there were six reactors built in the 1970s and they have withstood the most powerful earthquake to hit Japan for decades. That is a reason to argue that nuclear power is safer than we thought, especially if we continue to see no serious health impacts.”
What Fukushima has shown us is that sometimes averting a disaster is not enough. The information war must be won and the gap closed between the public consciousness of real and perceived risk.
“People are frightened of anything they can’t see, or that they can’t understand,” Ash says. “One of the problems [at Fukushima] was lack of information. A lot of the people who could have provided information were very busy dealing with the situation at the reactors … If there is a lesson, it is that there really needs to be a dedicated team in place to provide up-to-date information to avoid panic.”
Ultimately, though, the new uncertainty around nuclear power may have a longer-term impact on Japan than the problems at the plant.
Looking ahead
According to Exclusive Analysis, Japan’s heavy dependence on nuclear power, its total lack of hydrocarbon resources and the strength of the nuclear lobby all point against a wholesale move away from nuclear power, which may have a knock-on effect on the global price of other fuels.
“Although the situation does remain serious at Fukushima, the problems in power generation [created by the nuclear shutdown] could be more of a problem,” Ash says.
But other problems caused by the earthquake have been all too ‘real’. Establishing a 12-mile exclusion zone around Fukushima, along with widespread quake and tsunami damage – over 80,000 buildings have been damaged and nearly 5,000 destroyed – has caused the widespread shutdown of large parts of Japan, something that brings lessons for all risk managers.
“This really was a wide-area incident; a huge number of interconnecting aspects of society were affected and that’s something we need to prepare for,” Airmic chairman John Hurrell says.
“In the UK we’ve seen similar, if far less serious, events in recent years and we should take that on board when we look at risk. We’ve had large-scale floods, we had the Bunsfield fire and two winters where large parts of the country have been iced out. Who knows what’s on the horizon? There could be a pandemic, more floods.
“The core point to take away is that each time any of these events has occurred, it has exceeded our planning by some order of magnitude. It’s time to think the unthinkable and see where that leaves us.”
Japan is widely considered one of the most well-prepared and methodical societies on Earth, and yet it could not prepare for the unexpected events of 11 March.
“We need to remember that the good data we have about world events is only 100, maybe 200 years old, and that’s nothing in terms of the lifespan of the Earth,” Hurrell says.
“How many organisations plan for a situation where it isn’t only their business affected? What we are seeing are situations where everything is out. Japan is revealing just how complex modern supply lines are. A lot of businesses didn’t even know that they had a connection with Japan somewhere down the line until it went down. Very few people are looking at more than three degrees of separation.”
Ultimately, perhaps, businesses need to be robust. “The assumption has been that in many cases everything has to be working perfectly for things to work,” Ash says.
“What happens, say, when your staff can’t get to work because there is no transport?” Hurrell asks. “When the schools are shut and they have to stay at home with their kids? As soon as you widen the circle you’re looking at, things get very complex.
“We also need to ask: how relevant is our insurance? How will it protect us if everything is out? Can it cope? What if everyone else is claiming? What happens when everything is up in the air?” SR
‘It’s time to think the unthinkable and see where that leaves us’
John Hurrell, Airmic
RISK LESSONS
You can always be more prepared
The main lesson from the ongoing situation in Japan is not so
much ‘be prepared’, as ‘be more prepared’.
All businesses have some contingencies in place to survive
upheaval of various kinds. But recently, entirely unpredictable
events such as those in Japan have clearly demonstrated that
these may not be enough, and shrewd risk managers should be
looking again at potential vulnerabilities right across their
supply chains, human resources, finance, transport and
technology.
Nuclear power operators are obsessed with safety and yet
at Fukushima emergency cooling pumps and generators
repeatedly failed. A fire engine brought in to help ran out of
fuel. Ask yourself: are your back-ups enough?
In the teeth of a problem, Fukushima has shown that good
communication is key, both internally to keep coherence and
focus within the business, and externally to ensure the public
has clear, accurate information about what is happening. This
has multiple benefits:
• minimising the spread of fear and panic, which
can dramatically exacerbate problems;
• enrolling staff and public support in any mitigation
strategies; and
• reputation management.
If possible, a dedicated team should be available to manage
communications, deal with public and media
questions and have the authority and access to get
whatever information they need. It is essential this team
is present across social media as well, as Japan has shown
how sites like Twitter and Facebook were key in disseminating
information.
Viewpoints [ PEOPLE ][ OPINION ][ COMMUNITY ]
> In my opinion Japan
Japan’s earthquake and tsunami and nuclear crisis have had widespread repercussions
> Q&A Nicola Harvey
Christie’s global risk director
PROFILE
Ahead of the pack
Understanding the behaviour of groups making decisions is at the core of Coca-Cola Hellenic Adam Greene’s strategy, which he believes every employee can and should put into operation
Adam Greene’s meteoric rise up the risk management career ladder is a combination of hard work and a fondness for challenging conventional wisdom. Just six years after graduating from university he was chief risk officer (CRO) of Thames Water. And since late 2008 he has worked for Coca-Cola Hellenic in Athens as group risk and insurance manager, spending most of his time on business and project risk management.
In his eyes, though, there are a number of things risk managers need to do differently if they want to survive. Paying more attention to the psychological factors that influence risk rather than obsessing over statistical information is paramount, he says. If this does not happen, he thinks the future for risk management looks bleak.
“When you look at the professional risk management environment, it is moving down the lines of economic rationality, implying the perfect risk decision option has been identified and is achievable, with measurement and statistics forming a large part of that,” Greene says. “But you find that economic rationality does not adequately describe the everyday rationality used by decision-makers who assess and decide using personal emotions.”
Another danger he foresees is that, as the profession develops increasingly esoteric tools and techniques, the process of risk management is becoming externalised. Instead of every employee managing risk as a matter of course, specialist risk managers are invited to analyse and treat risk.
This, Greene argues, removes responsibility from everyone else. “What I try to do is enable decision-makers in our company to make better decisions and understand the influences that they unconsciously carry with them — their biases and heuristics.”
Greene’s interest in the behavioural side of risk management was first inspired in academia. He began his professional career as a project manager with construction company Bovis. “The lifestyle of a project manager was a little hectic and full of stress. I decided I needed a fresh challenge,” he recalls.
In 1999, Greene joined Loughborough University to study for a PhD in risk management, which was sponsored by the Engineering and Physical Sciences Council. “Originally I was employed to build a full project lifecycle map, right the way from conception of a need to disposal of an asset. That really didn’t grab my interest too much so I decided to look at the behavioural side of decision-making.”
Depends what you had for breakfast
His curiosity led him deep into the field of individual and group decision-making. “I started to look at what influences people’s decisions. You can come up with an almost endless list, which includes obscure things like have you had breakfast – because the chemical imbalances in your brain that occur if you skip breakfast can affect how you make decisions – to the colour of the room you’re in or the background noise that you’re experiencing.”
“There’s also the more obvious influences, such as whether you are penalised for failure or rewarded for taking risk. That direct motivation can affect decisions and how you perceive your environment.”
Decision-making in a group is even more complex, Greene says. And this can have serious consequences for business risk management, where focus groups are widely used as a means of risk identification and assessment. “We say that risk management should occur in a group because a group is naturally better at making decisions by virtue of there being a range of shared opinions, perceptions and preferences.”
While this is true, risk workshop facilitators need to be aware of the range of influences that can affect how a group of people make a decision. “The language of a dominant character within a group can really alter perceptions,” Greene says. “If you walk into a group as the leader and you describe your environment as ‘chaotic’, you set a certain state of mind and perception is driven by that. So the group looks at the situation as chaotic. But if the leader walks in with confidence, then the confidence of the group is emboldened and it will make a different type of decision.”
Performance anxiety
Even more worryingly, Greene notes, individuals who have no experience of the discussion matter tend to make up stories just to be seen as contributing. “There’s usually a lot of pressure in a group to be seen as an active participant and not to be the wallflower — particularly in a work setting.”
Groups are prepared to accept higher levels of uncertainty and risk compared with individuals on their own, Greene adds. “One theory for that is the diffusion of responsibility. That’s true, but it’s also the case that the more vocal people in the group tend to be the more positive ones and therefore more likely to take a greater risk. As they are more vocal they pull the group in that direction.”
‘Whether you are penalised for failure or rewarded for taking risk can affect decisions’
Adam Greene, Coca-Cola Hellenic
PERCEPTIONS
Factors influencing risk decisions
1. The media
The media can increase the sense of threat, and decide what we should be worrying about. Foreign criminals, teenage gangs, and avian flu are treated differently in different news outlets.
2. How risk is explained
The statistical tools used to explain data in scientific journals can influence how it is interpreted, and how the public and media react to it.
3. Personal experience
If an individual has had negative experiences, they are much more likely to expect those things to happen to them again.
4. Entertainment
The success of particular films – like disaster movies – can influence how people perceive the risk of certain activities, such as air travel.
5. How you see the world
How you perceive risk is shaped by your views. For example, a left-wing person is unlikely to view industrial action as a ‘risk’ in the same way as a more rightwing person. A success-driven person will be more afraid of failure than someone more laid-back.
In 2002, after he finished his PhD, Greene stepped on to the first rung of the risk management career ladder, working for Thames Water as a risk engineer. “I had to quickly realign my thinking,” he says. “At university, especially on a PhD, you have the luxury of a lot of time to do blue-sky thinking. If you apply it verbatim in a non-academic environment you become unstuck. So you have to go through a process of realignment.”
But his PhD did help Greene to look at problems in a different light. “I spent a lot of time working with groups and individuals to understand how they deal with complex decisions. That made me a better facilitator of the decision-making process,” he says. Before leaving Thames in 2008, he was promoted to group level as CRO.
So how does he account for his speedy rise to the top? “Fortune plays a part. You have to be in the right place at the right time. But you do need sponsors. Without someone who is prepared to say, ‘I think this chap is capable of doing more’, you can easily blend into the background. You have to make a name for yourself and establish your credentials. You have to be able to substantiate what you’re saying. Make it clear that you are here to help and that you can contribute something meaningful so that you can support other people. You need to be able to empathise with them too. To show that you care, that you can help and that you add value.”
Greene acknowledges that business risk management needs a structure and a framework. “The organisation needs intelligence in what its operations are facing from a risk perspective. And we need to be able to aggregate and capture, assess and present that in a meaningful way. But in every step of that process, it is about enabling decision-makers to make better decisions for themselves.”
So what do risk managers need to do to help people throughout their organisations make better decisions? First, Greene says, they need to understand behavioural influences and develop strong facilitation techniques. “I talk to departments about the decision-making theory, what to look out for in terms of biases and influences, and how to guard against them.”
In hands of those who use it
“We are in 28 different territories, so I travel a lot. When I arrived at Coca-Cola Hellenic, the business risk assessment consisted of an annual trip to visit each of the territories. Now we have established a more robust business risk management process. Each of the territories has ownership over the process.”
Because it’s impractical for Greene to visit every single facility each year, he relies on a network of risk advisers to facilitate risk workshops. “We have a set of defined risk assessment criteria that we use to aggregate risk across the group,” he says. “We ground the process firmly and put it into the hands of the people who use it. The core process remains the same across every region: we identify the objectives, assess the risks and manage them.”
Greene applies the same process to project delivery. “We are in the process of moving the business over on to a new technology platform. It’s an enormous and incredibly complex task, which we are delivering very well with no business interruption.”
Success is a virtue of not only a strong risk management process but also a strong “risk intuition” within his organisation, says Greene. “People are very aware of risk and opportunity, as well as how to deal with it and manage it.” SR
Setbacks in motor and electronics not only damage Japan’s exports but have global knock-on effects
IN MY OPINION
Ripples from Japan spread worldwide
Sue Copeman, EDITOR-IN-CHIEF,
STRATEGIC RISK
What do construction and mining equipment leader Caterpillar, technological giant Intel and international auto manufacturer General Motors have in common? They’ve all been affected – along with many other companies around the world – by an event that occurred thousands of miles away.
Japan’s earthquake, tsunami and potential nuclear crisis have had widespread repercussions for the international business community. Despite the fact that the area directly affected was relatively small in terms of Japan’s industrial output, the knock-on effects have been huge, although it is hoped that they will be short-lived.
The catastrophe highlights that, in the current global economy, the days are over when a disaster in one country only affected surrounding national businesses. A natural catastrophe can have unexpected consequences beyond local property damage, such as transport, power and other infrastructure issues, which reverberate in other national sectors and their global operations and markets.
The immediate effects for companies in Japan have been well publicised. Particularly affected, as much if not more by national fuel shortages and power outages as by the direct damage, are two of Japan’s key sectors, the motor and electronics industries. This has been a major blow in a country whose economy is largely reliant on its exports, and Japanese companies’ European operations and customers are sharing in the fallout.
Disrupted national production of vehicles and key components led to a world shortage, resulting in halted or decreased operations worldwide. Motor manufacturers whose operations both in Japan and internationally have been disrupted include Fuji, Honda, Mazda, Nissan, Suzuki and Toyota. The roll-on effect has extended to European vehicle manufacturers that buy parts from Japan, such as Mercedes, Opel, PSA Peugeot Citroën and Volkswagen.
An equal if not greater impact has been experienced by the electronics sector. Reportedly, Japan produces around 40% of the world’s technology components including chips, memory for digital phones, cameras and PCs, glass for flat screens, capacitors and transistors. It’s a formidable list and many of the manufacturers involved are well-established brand names in Europe. They include Canon, Panasonic, Sony and Toshiba. Less well known as brand names but nonetheless highly important in the electronics supply chain are leading chip maker Renesas Electronics and Shin-Etsu Chemical, the world’s leading maker of silicon wafers, used in integrated circuits for electronic devices.
In the highly competitive world technology market there are few electronics-based businesses that do not source some products from Japan – and all the companies mentioned above have been affected by the Japanese disaster, with far-reaching results. For example, not only has production from Sony’s plants in Japan been affected by the catastrophe: mobile phone group Sony Ericsson, Sony’s joint venture with the Swedish company Telefonaktiebolaget LM Ericsson, has been forced to consider sourcing alternative supplies outside Japan. SR
One of the biggest challenges for us is that people here aren’t corporately institutionalised. Christie’s is all about the fine art and the history of the art and our clients. Added to that, we are not regulated so it’s difficult to get the attention and traction for risk management.
What skills have been really useful in your career?
Technical skills are always important. But risk managers need to have good communication skills. Having come up through the insurance route, I have noticed that communication skills in the insurance industry are not always that good. Everyone likes to cover their backs by putting as much down on paper as possible.
That means it’s quite hard because boards just want to see a summary of the issues. They expect you to do your job. They don’t want a 20-page report to sign off; they want a succinct list of key issues. And they want to know what my recommendation is. Written verbal communications are really important. Use simple language and don’t over-complicate things.
Who do you report to in your organisation?
I sit within legal and risk so at the moment I report to the general counsel, but we’re in the process of restructuring. I think that’s quite a good home for risk management, because this way it is not seen as a purely insurance function but as a broader function, which is
Former broker Nicola Harvey was headhunted to manage risk for a client and moved on to Cable & Wireless and what is now Lloyd’s TSB. Now in her third year at fine art auctioneers Christie’s, she has to market her function in a culture where corporate process takes second place to precious objects
IN MY OPINION
Nicola Harvey, CHAIRMAN, AIRMIC AND GROUP DIRECTOR OF RISK, CHRISTIE’S
The gentle art of persuasion
What’s the best thing about working for Christie’s?
The art. I’m not a connoisseur or an expert at all. But I do love the art. It’s a lovely, interesting place to work. Every day, it’s like walking through a museum. And the uniqueness of the industry means it’s a fascinating business.
What are your biggest risks?
The sort of issues we could face are loss or damage to art and property. We take responsibility for the art while it is consigned to us through the auction process. We move it around a lot of the time on exhibition and sometimes things happen to clients’ property. Theft is a possibility. We have to be sure that the property we are selling is not fake; occasionally we don’t get it right. Fires could also be very costly. We have had one or two losses since I’ve been here but nothing huge.
Security is a big issue. We have a lot of former military personnel and police who work for us. They do active risk management on a daily basis – things like physical security, CCTV, guarding the exhibitions, making sure the appropriate precautions are taken in terms of carrying property and moving it between sites, physical fire protection and access control.
Could you describe your role and responsibilities?
The role I have is broad. I sit across the insurance and risk financing function as well as the enterprise risk management (ERM) piece. I get heavily involved in operations like security, legal and IT.
I also look after compliance. A lot of that is legal and to do with anti-money laundering legislation and making sure we comply with import and export regulations. Due to the nature of our business those are the things that affect us.
These days I spend more time on ERM and compliance; but generally it goes in fits and starts. When there’s an insurance renewal, for example, which usually happens towards the end of the year, I get hauled into that. A lot of our risk and compliance issues occur around the time of the Christie’s auction sale seasons.
How sophisticated is your ERM programme?
There are organisations that have properly embedded their risk management, but for many it remains an add-on process that is not completely embedded. Ideally, everybody in an organisation should help to manage risk. A central risk management function can provide support and advice, as well as develop risk processes and monitor compliance.
ERM could always be better embedded in most businesses. I think we are quite good at it but there’s still a fair bit of work to do to get that embedded and really part of the everyday business.
Our corporate structure is quite unique. The group risk team in Lloyd’s was 90 people. That’s a massive risk infrastructure – people understood it. But generally it’s not like that in other organisations.
‘Risk managers need good communication skills. Boards don’t want a 20-page report to sign off; they want a succinct list of key issues. Use simple language and don’t over-complicate things’
Community update
Taking a lead from Ferma, which recently signed a transparency deal with European broker association Bipar, the Czech risk management association Aspar CZ is working on a deal of its own. The risk association is toing and froing with the country’s broker association on adopting a protocol to increase transparency and reduce conflicts of interest.
A new Spanish insurance contract law that enforces consumer rights could be good news for risk managers in Spain, according to experts gathered at a meeting in Madrid organised by Spanish risk association IGREA and law firm Hogan Lovells. The Bill, designed to defend the rights of the insured, is expected to be passed in the next few months.
Poland’s risk management society, Polrisk, held its annual conference in Warsaw on 12 and 13 April. Polrisk president Tomasz Miazek, who is also the insurance manager at Telekomunikacja Polska Group, said that the association is working hard on a range of initiatives designed to raise the standards of risk management in Poland.
probably how it should be seen. But I don’t think there’s a right and a wrong answer.
How is your performance measured?
We have annual performance appraisals and regular one-to-one meetings. It is sometimes quite difficult to demonstrate value, though. If you’re doing a good job and managing risk effectively, bad things should not be happening and then you can’t prove a negative. Being a risk manager can be quite an isolating role because lots of people don’t really understand what you do.
Is it easy for you to attract the right risk management talent?
There are lots of insurance people out there. That’s quite easy to access. On the risk side, it’s a lot harder because it’s quite an undefined discipline. If you go out and talk to a recruitment agency about risk managers and risk management, they’ll quite often look at the financial services sector. But that’s quite a different breed. It is not operational risk or ERM in the way we’d think about it. There are not very many agencies that understand what we are looking for.
What do you think your next career move will be?
I could go into this type of role in a bigger organisation. To a degree it’s easy to skip industries. If you can apply your knowledge and learn the business, you should be able to move between industries.
But there is another step here for me. I’m not really a true chief risk officer with a seat in the boardroom the way CROs at financial institutions are. That would be the next step for me. It would mean being fundamentally involved in the strategy of the business and involved in key business decisions.
The other thing that someone in my role could do is to move out into the business. By that I mean move away from doing a risk role altogether and into a business unit. But it’s not a natural thing for a risk manager to do. I think it’s quite hard to move out into the business and that’s why lots of risk managers don’t do it. SR
[READ MORE ONLINE] Read StrategicRISK’s profile of Hans Læssøe, head of strategic risk for LEGO at goo.gl/DtYWW
HOT ISSUE
Insurance in Latin America
The CEA, Europe’s insurance association, has written to the Argentine Superintendent of Insurance and the Argentine government to express concern about new reinsurance rules.
The country’s new resolution, enacted “without proper consultation” on 11 February, effectively prohibits cross-border reinsurance, said the CEA.
It means that foreign reinsurers that have not set up an Argentine reinsurance subsidiary or branch will only be able to underwrite risks from Argentinian insurance companies if they hold local capital of at least €3.4m ($5m) (plus additional solvency, depending on the type of business) and get regulatory approval, which will only be granted per policy on a case-by-case basis.
The CEA said the new regulation is “highly discriminatory” and will lead to less capacity and higher premiums for Argentine policies.
At around the same time, Ferma called for further measures to liberalise the insurance market across the border in Brazil. While Ferma welcomed new moves to liberalise intra-company cessions, it said that overall the current legislation could undermine development in Brazil and suggested that it will increase costs and concentrate risk domestically.
WWW.STRATEGICRISK.CO.UK/AWARDS2011
Congratulations to our finalists who have been shortlisted for this year’s StrategicRISK European Risk Management Awards
EUROPEAN RISK MANAGER of the year
Annette Schutt Fiig, Novo Nordisk
Colin Campbell, Arcadia Group plc
Elaine Heyworth, Everything Everywhere
Igor V Mikhaylov, Mobile TeleSystems OJSC
John Ludlow, IHG

EUROPEAN RISK MANAGEMENT TEAM of the year
Arcadia Group Ltd
Dixons Retail plc
Capital Shopping Centres plc
Tesco plc
Tetra Laval plc

ENTERPRISE RISK MANAGEMENT PROGRAMME of the year
Aeroports de Paris
Amlin plc
Hoerbiger Holding AG
SIBUR – ZAO SIBUR Holding
UK Power Networks

BEST RISK COMMUNICATION of the year
Aviva plc
London Borough of Lambeth
SAP
Tesco plc
Zurich Financial Services

MOST INNOVATIVE USE OF IT OR OTHER TECHNOLOGY
Aon Benfield Analytics
Financial Information Systems
Lambeth Council
Science for Humanity
Sonae Sierra

BEST RISK TRAINING PROGRAMME
Amlin plc
BBC
SIBUR – ZAO SIBUR Holding
Tesco plc
Yorkshire Water Services Ltd

BEST RISK MANAGEMENT APPROACH IN THE PUBLIC SECTOR
Ealing Council
London Borough of Lambeth
London Borough of Newham
London Underground (TfL)
Woodleigh Outreach Support Service

RISK MANAGEMENT YOUNG ACHIEVER of the year
Claire Bromley, John Wood Group plc
Daniel Davies, Network Rail
Michael Szonyi, Zurich Insurance Company
Nicolas Vioix, Westfield
Rachelle Banham, Hertfordshire Constabulary

RISK MANAGEMENT PRODUCT of the year
Capital Shopping Centres plc
Maplecroft
The Royal Bank of Scotland plc
Trimble
Wolters Kluwer Financial Services

THE BEST BUSINESS CONTINUITY APPROACH of the year
Gategroup
London Borough of Newham
Rentokil Initial plc
SAP AG
The Co-operative

The StrategicRISK European Risk Management Awards 2011 are sponsored by
Risks [ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]
> Risk financing: Catastrophes
Japan put natural disasters at the forefront of people’s minds
> Risk atlas: Cyber crime
Where are all the cyber criminals hiding?
“The risk of breaking sanctions is very serious – and there are a lot of countries where sanctions apply. We have to be very careful about who our customers are delivering our products to and make sure that they are selling to reputable companies and not organisations that will sell those products on to others whose customer base may breach sanctions.”
This was one risk manager’s response on being asked to identify key risks for their company in the next year for this year’s StrategicRISK Report (available for download at goo.gl/NdGTV). He believed that the risk of inadvertently breaching sanctions is likely to increase in the next 12 months, particularly in view of the volatile political situation, and civil unrest currently arising in a number of countries that have already increased sanctions and are likely to continue to do so. And his comments illustrate the difficulty of trying to track end buyers in the customer chain.
Traditionally, banks have been the global watchdog as far as illegal activities such as breach of sanctions and money laundering are concerned. They’ve also tended to be the scapegoats if they turn a blind eye to suspicious transactions – a situation that has concentrated their minds significantly on the problem.
Risk intelligence organisation World-Check’s Andrew Yuille says: “Most things go through banks, so they are a fairly good place to catch on to something that should not be going on. But compliance with sanctions has to be far wider than the banking industry.”
“You have to know who is on the sanctions list to check that they’re not a customer that might present an issue – but by the time an organisation or individual has been sanctioned, it’s almost too late. It’s better to have an early warning system so that you can see who is likely to end up on a sanction list and avoid having them as a client to start off with.”
This might sound like a tall order but in fact regular sanction-busters – those who supply goods to sanctioned organisations – often leave discernable footprints. Suspect customers are unlikely to be on an actual sanctions list, but the associates on which they rely are the ones to watch out for.
Yuille cites the case of a small US business that had bought pipe bending tools from a Chinese business that turned out to be acting for an Iranian concern. Every time the organisation at that address in China was sanctioned it would change its name, a common trait with sanction busters which, along with language translation difficulties, can cloud transparency for foreign buyers.
Another problem is the number of sanctions now in force. In addition to sanctions imposed by the UN and EU, individual countries take their own approach, targeting countries or businesses that may not be on other sanction lists. It can be a minefield for global companies with different production units around the world.
Be alert to suspicions
So what’s the best way for risk managers to get to grips with this problem? Due diligence in respect of both suppliers and customers, in the first instance. Airmic’s technical director Paul Hopkin suggests that risk managers employ the same techniques that they use to ensure an ethical supply chain, and seek assurances from customers regarding the ongoing destination of products.
“There’s a parallel between this and the kind of approach that risk managers take to limit their liability in respect of health and safety,” he says. “For example, component suppliers will specify any constraints on their use to guard against liability claims, so there’s no reason why they shouldn’t also specify constraints on their supply to sanctioned businesses or countries.”
RISK SANCTIONS
Breaching the boundaries
Sanctions are in place for social, economic and political protection, but they’re not always obvious and failure to spot them can have serious consequences
Political minefield: it is difficult for companies to keep abreast of sanctions relating to countries such as North Korea
Case study
It’s not only the big boys and the banks that get picked up for breaching sanctions. The relatively small UK Weir Group, a Scottish engineering company employing around 9,000 people globally, admitted breaking UN sanctions in its dealings with Iraq during Saddam Hussein’s regime. It breached the Oil-for-Food programme in place at the time by paying kickbacks to the government to secure lucrative contracts.
The company was fined £3m for the breach and also had £13.9m of illegal profits confiscated.
Companies and their employees, particularly in the financial industries, shouldn’t turn a blind eye to something suspicious, as this could implicate them in what’s gone on, says Yuille. So risk managers should encourage whistleblowing. Yet history shows that whistleblowers tend to be very badly treated by their employers, so work needs to be done to encourage people.
When Wachovia bank employee Martin Woods suspected wrongdoing on the part of his employer, his report to them was dismissed as “defensive and undeserved”. He told StrategicRISK that he underwent a sustained campaign of harassment, bullying and fabricated disciplinary proceedings before his allegations were proven well-founded. He now advises companies and individuals on all aspects of financial crime including sanction breaches.
A final word of warning. The USA has introduced a number of sanctions against countries – for example, the Comprehensive Iran Sanctions, Accountability, and Divestment Act (CISADA). There’s a possibility that such legislation could catch external companies that have a footprint in the USA in the same way as the US Foreign Corrupt Practices Act. SR

The UN’s sanctions watch list
Eritrea: Direct or indirect supply, sale or transfer of arms and related material of all types.
Afghanistan: Exportation, supply or delivery of any arms and related material to Osama bin Laden, the Al-Qaeda Organisation, the Taliban and their associates.
Côte d’Ivoire: Import of rough diamonds, except those used solely for scientific research to facilitate the development of technical Ivorian diamond production, provided the research is approved by the Kimberley Process Committee; and supply and delivery of arms and related material, except that supplied for the parties or purposes specified in the relevant UN Security Council’s Resolutions.
Democratic Republic of the Congo: Supply and delivery of arms or related material, except to parties and under conditions specified in the UN Security Council’s Resolution 1771 (2007).
North Korea: Direct or indirect supply, sale or transfer of all arms and related material as specified in the relevant UN Security Council Resolutions; all items as set out in the lists in the UN documents S/2006/814 and S/2006/815; and exportation of the above items (other than luxury goods) from North Korea.
Iran: Direct or indirect supply, sale or transfer of all items that could contribute to Iran’s uranium-enrichment and reprocessing activities, heavy water activities or technology related to nuclear ballistic missiles set out in relevant sections of Security Council document S/2010/263 and the International Atomic Energy Agency documents INFCIRC/254/Rev. 9/Part 1 and INFCIRC/254/Rev. 7/Part 2, or determined as necessary by the Security Council, the committee or the state.
Iraq: Sale or supply of arms and related material to Iraq, except for those required by the relevant authority stated in the UN Security Council’s Resolution 1483 (2003).
Lebanon: Sale, supply or delivery of arms and related material, except for those authorised by the Government of Lebanon or by the UN Interim Force in Lebanon.
Liberia: Direct or indirect supply, sale or transfer of arms and any related material to all non-governmental entities and individuals operating in the territory of Liberia.
Somalia: Exportation, supply or delivery of any arms and related material, and any goods related to the manufacture or maintenance of weapons.
Sudan: Supply and delivery of arms and related material to any non-governmental entity or individual, except for the parties or purposes specified in the UN Security Council’s Resolution 1591 (2005).
EXPERT VIEW
RISKS [ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]
RISK FINANCING
CATASTROPHES
Categorising catastrophes
With catastrophic occurrences seemingly on the rise, it’s important that risk managers understand such scenarios and the cover they require
FLOODS IN QUEENSLAND, A MAJOR EARTHQUAKE IN
Christchurch and the Japanese earthquake and tsunami have
meant a tumultuous start to 2011, testing the fortitude of affected
populations and businesses, from mining operations in
Queensland to nuclear facilities in north-eastern Japan. They have
underlined the importance of having the right protection in place
and put business continuity plans to the test.
Managing catastrophe risk is one of the biggest challenges
facing many multinational organisations. Identifying the safest
location for your business is fraught with uncertainty, while
inferior construction and unreliable infrastructure can increase
vulnerabilities. Catastrophe risk financing is one way of protecting
multinational firms against major losses following a catastrophe.
Even if a business is lucky enough to escape the worst
catastrophes, in today’s globalised world it can be indirectly
impacted, explains Invensys vice-president of risk Chris McGloin.
“What organisations like Invensys have got to do is understand
where their risks are: not just how your own locations can be
disrupted, but the supply chain and the extent of the supply chain.”
He cites the 2010 eruptions of Iceland’s Eyjafjallajökull
volcano, which grounded flights across much of Europe, and the
Queensland floods, which triggered a drop in the global coal
supply, as events which disrupted the flow of goods. “Threats to
supply lines are always a concern because we do rely on things
being done efficiently and smoothly.”
Learning lessons
In the Bowen Basin – home to Queensland’s coal mining industry
– several operators declared ‘force majeure’ on their mining
contracts, relieving them of their obligation to deliver to
customers. Up to 50 of the state’s 57 mines were affected. While
many were back up and running shortly after the floods, flooded
pits and damage to key infrastructure and ports delayed recovery
times for others, bringing exports to a halt.
Floods, wildfires and tropical storms are not unusual in
Australia. Neither are earthquakes in New Zealand and Japan.
What has come as something of a surprise is the aggregation of
these events – each of them significant insurance events –
affecting highly populated and industrialised areas.
The size of Japan’s magnitude 9 quake and resulting tsunami
is also highly significant, McGloin says. “Natural catastrophes are
an inevitable feature of the global risk landscape and most countries
have experienced major events at some point in their history. The
important thing is to learn the lessons and to be prepared to take
actions to address those risks that are considered to be too great.
Insurance can be very important to provide businesses with access
to capital to recover from such events.”
The large gap between insurance loss estimates in Japan of
between $20bn (€13.6bn) and $45bn and economic loss estimates
of up to $300bn should make businesses wary, particularly that
such a gap could occur in a developed nation with well-understood
catastrophe exposures. While the Japanese government will
assume a proportion of the losses, many are not covered.
Solid financial foundations
Selecting the right insurance partner is of primary importance
when looking to manage the risk from earthquakes, windstorms,
floods and man-made catastrophes such as terrorism. While
hazards in the USA, Europe and Japan are well modelled and
understood, understanding in other regions is less sophisticated.
International insurers and brokers can share information on how
to best mitigate exposures in a given location.
First and foremost, an insurer needs a solid financial strength
rating, McGloin thinks. “You want to make sure you buy your cover
from someone with the right sort of security rating or resources. A
lot of the international carriers – if they’ve got broader spread and
bigger resources – are better placed to provide that.”
While many will hope to be covered for losses as a result of
property damage and business interruption, the claims story has not
always been straightforward. In Queensland, some carriers provided
full riverine flood and others only flash flood. There is also confusion
over the number of events and length of each event (with
reinsurance contracts typically limiting one event to 72 hours).
The picture is likely to be equally confusing in Japan, McGloin
says, providing an important learning opportunity for
multinationals in hazard zones. “If you look at an earthquake, a
tsunami and radiation – three different triggers – the same
questions will arise. You need good engagement with the
underwriters and the brokers to make sure these sorts of scenarios
are understood, and that the buyer and provider have an
understanding of what the cover is really going to give.”
[Box: Cost of catastrophes. Figures shown: $235bn, $12bn and $5.58bn. Captions: recent flooding in Australia, according to prime minister Julia Gillard; February’s New Zealand earthquake, according to Swiss Re; the World Bank’s estimate of what the 11 March Japanese earthquake and tsunami may cost the country’s economy – 4% of GDP. Source: Official sources]
Business interruption has been a key attribute of the
magnitude 6.3 earthquake that rocked Christchurch on 22
February. Firms in the central business district have been forced to
move to temporary premises. In such circumstances, the ability to
access capital for business continuity is of more immediate value
than a traditional indemnity product, thinks Marsh New Zealand’s
country head, Grant Milne. “Some businesses are still waiting for
an assessor to look at their property. So no money is coming in and
they can’t get their business back up and running. Some insurers
are offering payments to assist with payroll and payment of bills,
but the full policy payout might be some time away.”
He thinks there is inevitably an uninsured exposure for
businesses affected by major catastrophes. “The biggest issue that
exists, and that has been a discussion point from the last earthquake
[the magnitude 7.1 Canterbury earthquake in September 2010] is
very much around the depopulation scenario where people just
leave the area so there’s less demand for businesses’ goods or
services, and that’s an uninsurable risk.” SR
WILL CAT COSTS RISE?
THE QUESTION ON MANY RISK MANAGERS’ LIPS AT
present is: Is Japan a market-turning event? In the
international catastrophe insurance market, prices
softened over the past six years. With Japan likely to
prove the most expensive insurance loss outside the
USA on record, could this push up premiums?
Invensys’s McGloin says his recent discussions with
insurers and brokers suggest it’s too early to say
because “even given the terrible extent of the
catastrophe, it’s not clear how much of that is insured”.
All eyes were on the 1 April Japanese reinsurance
renewals to see if carriers would respond. According
to reinsurance broker Guy Carpenter, companies
renewed unchanged capacity for earthquake pro
rata treaties. However, for earthquake excess of loss
covers renewal rates climbed by 15%-50% and
windstorm cat XL rates grew by 3%-10%. The US
market has also shown some signs of being in
transition, with pricing flat or up slightly compared
with decreases at the 1 January renewals.
“While the impact first-quarter losses will have
on dedicated reinsurance sector capital for the full
year remains to be seen, many reinsurers’ 2011
natural catastrophe budgets have been exhausted,
and a portion of the sector’s excess capital has been
absorbed,” says Guy Carpenter & Company’s global
head of business intelligence, David Flandro.
Many experts predict the market will respond
with localised increases in catastrophe rates, similar
to the spikes witnessed in Chile and in the energy
sector last year in the aftermath of the earthquake
and Deepwater Horizon disaster.
[Chart: Insured catastrophe losses. Number of events 1970-2010. Series: Weather-related nat cats; Earthquake/tsunami; Man-made disasters; Total. Labelled events: Hurricane Andrew; Northridge earthquake; Winterstorm Lothar; Attack on World Trade Center; Hurricanes Ivan & Charley; Hurricane Katrina; Hurricane Ike & Gustav. Vertical axis: 0 to $120bn. Source: Willis Re]
[Graphic: Global risk register wheel. Labels: Societal risks; Environmental risks; Slow US recovery; Exchange rates; Rising energy and commodity prices; Geopolitical risks; Political turmoil; War in the Middle East; Breaching sanctions; Crime and corruption; Governance failures; Terrorism]
Trouble round every corner
FROM THE PROTESTS IN THE MIDDLE EAST to the rise of cyber crime and the continuing
trials and tribulations of Western economies, these are nothing if not interesting times. StrategicRISK, in association with Marsh Risk Consulting, has released a report analysing European companies’ risks in five categories: economic, environmental, geopolitical, societal and technological.
The report summarises the comments of 30 leading risk management professionals in European companies. While their views varied somewhat, reflecting different sectoral concerns, the single issue that all voiced was the interconnectivity of risk and its unpredictability.
One example of this is last year’s ash cloud resulting from the Icelandic volcano eruption. Even companies that did not have suppliers in Iceland, and perhaps felt they had little or no exposure to natural catastrophes, did suffer disruption in deliveries. As one risk manager said: “There seems to be an increase in one risk triggering another – and that’s a risk in itself.”
Another risk manager foresaw problems arising from the Australian floods. His firm has no direct suppliers in Australia, but the country does supply raw materials to some of its producers and the floods may well affect the availability of these.
Interconnectivity is probably most apparent in the economic risk category. The ‘butterfly effect’ – that is, a small change in one place in a complex system that can have large effects elsewhere – has never been more apparent than in today’s globalised system. The financial markets are particularly interdependent.
A question of timing
Research for this report was undertaken in the first three months of 2011. It was a period when unforeseen political turmoil in some countries was at the forefront of everyone’s minds so, not surprisingly, geopolitical risks shared first place with economic risks in European companies’ concerns.
ENVIRONMENTAL
Most European businesses
are concerned about the
apparently increasing
frequency and severity of
extreme weather events. Most
large companies consider
their own organisations to be
adequately protected, but
perceive vulnerabilities in
their supply chains that could
disrupt business.
SOCIETAL
The perceived behaviour of a
business and its senior
executives can make it the
focus of attention for
demonstrators and adverse
internet comments.
“Our security people are
starting to think about social
networking – instant
messaging and the like,” said
one risk manager.
At a time of heightened global turmoil, we asked Europe’s leading risk managers what they think will most affect their businesses
[READ MORE ONLINE] For more information on global risks, download StrategicRISK’s 2011 Risk Report at www.strategic-risk.eu or goo.gl/NdGTV
[Graphic: Global risk register wheel, continued. Labels: Higher risk transfer costs; Recession recovery problems; Restrictive regulations; Continuing recession; Increased competition from China; Economic risks; Keeping pace with technological change; Protectionism; Inflation; Data theft and leakage; Malicious hacking; Internet breakdown; Technology risks; Fraud]
Cyber crime costs the UK economy £27bn per year
Business IP theft £9bn
Business espionage £7bn
Extortion £2bn
Online fraud £1.5bn
Public debt as a percentage of GDP
Japan 225%
Ireland 94%
Portugal 83%
Germany 78%
UK 76%
Spain 63%
USA 58%
China 17%
Russia 9%
However, if comment had been sought six months earlier, it seems likely that the recession would have headed the list.
Similarly, research was just coming to a close when the Japanese earthquake and tsunami struck. Would risk managers have rated the impact of natural catastrophes higher in the risk league if the research had been concluded a month later?
It is natural for commentators to react more strongly to the issues of the moment. With this in mind, it is interesting to see that terrorism and pandemics were not among the top five risks – although governments and health organisations would probably rate them higher.
It is clear that companies need to address the effects rather than the unpredictable and often uncontrollable causes of risk. For example, risk management of supply chain disruption – a major risk for most firms – needs to be robust, whatever causes the disruption. Companies need to be able to repatriate employees quickly and safely, regardless of where problems arise.
How has today’s risk environment affected the role of risk managers? Some of our commentators volunteered views. “The good news for risk management is that its relative importance in the eyes of the board has increased,” was one comment.
Another respondent stressed that risk managers cannot afford to operate in silos. “We have to help our business managers think more about what the knock-on effect might be of their decisions, how things may happen in conjunction with other risks the company may be running, and the ultimate major impact that might result – without getting in the way of the company’s ability to do business.” SR
CYBER CRIME
Cyber crime heads the list
of technological concerns.
The main loser from cyber
crime is business, according
to a Detica report for the
UK government. UK business
loses an estimated £21bn
per year as a result of
intellectual property
theft and damage, said
the report.
PUBLIC DEBT
In European countries with
very high public debt, some
companies regard higher
interest rates and taxation
as inevitable.
They are concerned
that this, coupled with
continuing recession,
will impede their ability
to invest and grow in
these areas.
Top 10 risks
1 Economic recession
2 Political turmoil
3 Climate change
4 Data theft and leakage
5 Regulation
6 Security of IT systems
7 Energy and commodity prices
8 Crime and corruption
9 Exchange rates
10 Civil unrest
INSIGHT
Iran
In October 2010, a computer virus called
Stuxnet disrupted nuclear facilities in Iran. Stuxnet represented a significant leap forward in malware in that it specifically attacked software used in industrial infrastructure. There are rumours that Stuxnet may have also caused the failure of India’s INSAT-4B satellite in July 2010.
Belgium
In May 2008, Belgium accused the Chinese
government of cyber-espionage, claiming that hacking attacks against the Belgian government had originated in China. Separately, Belgian minister of foreign affairs Steven Vanackere said that his ministry had been the subject of cyber-espionage by Chinese agents.
Georgia
As tensions rose over South Ossetia in
August 2008, Russian and Georgian hackers launched attacks against each other. This included distributed denial of service attacks and the defacement of the Georgian Ministry of Foreign Affairs website using pictures of Georgian president Mikheil Saakashvili and Adolf Hitler.
South Korea
In September 2008, Seoul accused
adversaries North Korea of stealing documents from military officers using spyware and a female agent. The spyware attack saw malicious email attachments designed to steal documents from infected computers.
India
Government officials in New Delhi were said
to have confirmed that Chinese hackers targeted the Ministry of External Affairs and the National Informatics Centre, which provides the network backbone for central and state government. The unnamed officials claimed that this was China’s way of gaining “an asymmetrical advantage” over a potential adversary.
Source: Various media and Sophos 2009 Security Threat Report
Top malware hosting countries
Rank Country Share
1 USA 37%
2 China 27.7%
3 Russia 9.1%
4 Germany 2.3%
5 South Korea 2.1%
6 Ukraine 1.8%
7 UK 1.7%
8 Turkey 1.5%
9 Czech Republic 1.3%
10 Thailand 1.2%
RISK ATLAS
CYBER CRIME
Hacking into insecurities
Cyber crime is becoming increasingly sophisticated, and increasingly malicious
ON 2 NOVEMBER 1988, 22-YEAR-OLD CORNELL UNIVERSITY
student Robert Morris released an internet worm capable of
exploiting vulnerabilities in UNIX operating systems, infecting an
estimated 10% of the internet. Over 20 years on, the scale of
computer crime has grown astronomically. Internet attacks today
are organised and designed to steal information from consumers
and corporations.
The scale of global cyber criminal operations has reached such
proportions that internet security firm Sophos discovers one new
infected webpage every 4.5 seconds – 24 hours a day, 365 days a
year. In addition, Sophos is sent some 20,000 new samples of
suspect code every single day.
The USA, China and Russia account for almost three-quarters
of the world’s websites that spread malware, according to research
by Sophos. The US tops the chart, with just under three in every
eight infected webpages based there. China, which was
responsible for hosting more than half (51.4%) of all the world’s
malware in 2007, has now almost halved its contribution to the
problem.
The Czech Republic is a new entrant on the list and hosts
over 1% of all the world’s malware. Poland, France, Canada and
the Netherlands were in positions six, eight, nine and 10,
respectively in 2007, but now have too few malicious websites
to appear on the chart.
No one is immune
A number of well-known organisations have fallen foul of
malware, including thousands of websites belonging to Fortune
500 companies and government agencies, which were infected in
January 2008.
Traditionally done through emails, cyber criminals now
primarily use the web to infect computers, often driven by
political motivations. Immediately before releasing a series of
leaked diplomatic cables, Sweden-based WikiLeaks (the
whistleblowing website) suffered several distributed denial of
service (DDOS) attacks, which succeeded in putting the website
temporarily offline.
In an apparent act of revenge, sites that had refused to
support WikiLeaks were targeted in return, with Mastercard briefly
being forced offline and Amazon also targeted. The ‘hacktivist’
group Anonymous, which had previously mostly confined its
actions to anti-pirate organisations and the Church of Scientology,
was widely believed to have had a hand in these attacks, dubbed
‘Operation Payback’. SR
Where internet criminals reside
Rank Country Share
1 USA 65.9%
2 UK 10.4%
3 Nigeria 5.8%
4 China 3.1%
5 Canada 2.4%
6 Malaysia 1%
7 Spain 1%
8 Ghana 1%
9 Cameroon 1%
10 Australia 1%
NB: Figures from US-based organisations
[Map: the ranked countries marked by position. Key: More than 30%; 21%-30%; 9%-20%; 1%-8%; Less than 1%]
IN ASSOCIATION WITH
Evelyn Rieger is a senior underwriter
at Allianz
No certain safety
IT networks are essential to company
management on all levels, including for
example, R&D, production, purchasing and
sales of goods, and provision of services.
Processes, performance and results of a
company therefore heavily depend on
reliable IT systems, and any disruption of
those systems can have a major impact.
IT risks such as malicious code
attacks, user errors, wrong command
input, and non-availability of systems can
result in significant additional
expenditures and even business
interruption (BI). Today, corporations
use electronic data exchange for
communication – internally and externally
– so what happens if a company causes
damage to another during this process?
Far too often, these scenarios are
underestimated and companies deem
themselves secure by the use of firewalls
and data back-ups, but total security is not
achievable. Why is that? Data is invisible,
and so are data claims at first. We all know
the pictures of collapsed bridges and
flooded landscapes – but the loss of data
doesn’t conjure up any images at all.
Attainable security is limited and
needs to be supported by prudent risk
management. However, management,
mitigation and avoidance of risk also raise
the question of how to handle the
remaining risk; whether this is borne by
the company itself or whether it is
transferred to a third party – the insurer
– to protect the company’s balance sheet.
Therefore both corporations and insurers
are faced with the question of insurability
of IT risks.
Traditional insurance pays for lost
profit and standing charges as well as
additional costs following a property
damage. However, in many cases, BI and
additional costs caused by IT faults occur
without property damage (human error,
misconduct, cyber crime, malicious code).
Protection against such scenarios is
becoming increasingly important.
EXPERT VIEW
Source: Internet Crime Complaint Centre and Sophos
Governance [ ETHICS ][ COMPLIANCE ][ REPORTING ]
> New rules: Bribery
The much-anticipated Bribery Act will come into force on 1 July 2011. Here’s what you need to do to comply
ENVIRONMENTAL LIABILITY
Taking responsibility
The Environmental Liability Directive is creating waves throughout Europe, but some have concerns that its ethos remains misunderstood
WHEN IT COMES TO ENVIRONMENTAL LIABILITY, there is a tendency to focus too much attention purely
on the Environmental Liability Directive (ELD). “It is important to look at other environmental laws as well,” says ACE’s UK environmental practice leader, Wayne Harrington. While the ELD has provided a lot of regulation clarity, the UK, for example, already had a well-established tradition of environmental regulation before the ELD came along. In other parts of Europe, however, the ELD has introduced a new set of regulations altogether.
What the ELD does do well is focus a lot more attention on the consequences of environmental damage, says Harrington. It is a recognition that perhaps the traditional laws did not go far enough. Environmental claimants no longer have to prove fault or negligence. Instead, the new regime is based on strict liability, so it is easier for stakeholders and the public to hold polluters accountable. Furthermore, the ELD introduces new legal concepts for environmental damage, including compensatory and complementary remediation.
[Photo caption: Fish kill: the cause of this incident in Louisiana has not yet been determined, but the area the fish were discovered in was impacted by the BP oil spill. Credit: Reuters]
However, there is some confusion about how these potentially subjective concepts will be defined in reality. And how much they are likely to cost. For example, a pollution incident could fundamentally damage the environment but it may not be hugely expensive to put right. On the other hand, how does one put a price on the extinction of a species or the destruction of a natural habitat altogether?
The risks posed by a company to the environment may be the same wherever it has operations but the consequences of pollution are different depending on the jurisdiction – enforcement is in the hands of the local environmental authority, which means there are huge differences between each member state (see map above). Every place in Europe has legal nuances or types of legal defences that are either permitted or not. So far there have not been many cases to provide clarification of these matters.
Resourcing is another issue that regulators are struggling with. As public bodies reduce staff numbers, it is difficult for them to enforce rules as strongly as before. There could also be trepidation from governments to enforce environmental rules too strictly because of the tough economic climate. As witnessed in Hungary recently with the toxic sludge spill, governments don’t wish to put a company out of business.
Protect yourself
Fortunately, companies are more aware of their environmental responsibilities than ever before. But the trend in the corporate sector towards behaving more ethically and responsibly is slow.
“While companies may be more aware of environmental risk, they remain confused over the consequences,” says Harrington. “It is difficult for companies to understand clearly what the regulators will do if they are caught polluting. Or they may not be aware of what to do if they are caught or how to protect themselves financially against those consequences. Companies that pose a risk to the environment should be cash reserving adequately.”
SPAIN AND PORTUGAL
A dam breach at the Boliden mine near Seville in 1998
led to one of the country’s worst environmental
incidents. It has since adopted the most stringent
approach to the implementation of the ELD. Portugal
introduced mandatory financial protection against
environmental risks in January 2010.
FRANCE
France transposed the ELD in August 2008, but there is
no legal obligation to buy financial security against
environmental risks. Companies are realising that their
exposure and therefore their insurance needs have
increased, says ACE continental Europe manager of
environmental risk Dorothée Prunier.
GERMANY
Environmental law is mostly governed by federal
acts. But administering and enforcing the law is
left to the 16 states. It is one of the hardest
markets to find environmental insurance in due to
this patchwork of regulation.
UK
The ELD has added a substantial layer of liability.
Previously, people were only concerned with
traditional remediation costs, such as removal of
pollution; now complementary and compensatory
remediation costs can be levied as well.
Inset illustrations: Jonathan Edwards
A lot of companies cannot afford to assess their environmental risks, let alone pay a premium to transfer it. Others choose not to. In Scandinavia, the corporate insurance manager for truck, bus and engine maker, Scania, decided to seek an alternative form of insurance protection. “We don’t buy a specific environmental insurance policy,” says Martin Sijmons. “We prefer to extend the coverage of our general liability policy to include sudden and accidental pollution.” He says the emphasis is on risk avoidance rather than risk transfer.
New prominence
The goal for the insurance industry is to eventually see environmental insurance viewed in the same league as other major classes, such as property or directors’ and officers’ (D&O) insurance. Harrington hopes it will become a major new class of insurance but he knows this will take time.
Risk managers need to be aware of their risks and the potential consequences that can occur if something goes wrong. Large corporates have picked up the issues quicker than most, but some don’t have a choice in the matter as they are subject to financial reporting requirements that dictate they have to disclose their environmental risks. Others have a less impressive stance.
But, in the current economic climate companies may be unable to pay if the consequences of environmental pollution are severe. For these businesses, preparing appropriately in advance could be the difference between life and death. SR
Mandatory insurance for Europe?
Following the Hungarian toxic
sludge disaster and the
Deepwater Horizon Gulf oil
spill, the European Commission
has been encouraged to
reconsider its position on
mandatory insurance protection
for environmental liabilities.
The Commission is currently
considering a EU-wide
compulsory scheme for all
oil companies.
As it stands, financial
protection is compulsory in
only European countries.
Ferma, representing the interest
of risk managers in Europe, is
against the idea and any type
of mandatory insurance for
large risks.
“We do not think there
should be mandatory
insurance,” says chairman
of Ferma’s environmental
liability working group,
Pierre Sonigo.
“We feel there are sufficient
solutions for the oil industry in
the commercial insurance
market, so there is no need to
make it mandatory. As a
principle, we are against
mandatory insurance, because
we think this increases prices
and removes competition.”
Other options, such as
self-insurance, disappear for
risk managers if the government
imposes mandatory insurance
protection, says Sonigo.
“The EU wants to add
security by creating guaranteed
security schemes to pay for
environmental damage,
because it is the government
that ultimately will have to
pay. But this is not the way to
do it.”
SPOTLIGHT
SCANDINAVIA
Not all companies choose to buy a specific environmental insurance policy. “We would like to
prevent rather than insure,” says Swedish truck maker Scania’s corporate insurance manager
Martin Sijmons. He doesn’t think the products exist for his company’s requirements. “We have to
buy environmental cover in some markets, like Spain. But the ELD has not had much of an impact
in Sweden.”
EASTERN EUROPE
Environmental liability in Eastern Europe is “a bit of a mess”, says
chair of the environmental working group for Ferma Pierre Sonigo.
Insurers aren’t touching the risks there, he says, because there are
a host of facilities with poor safety records and environmental
problems. But it is a concern that is likely to receive renewed
attention following the toxic spill in Hungary on 4 October 2010.
[READ MORE ONLINE] For more information on environmental liability, download StrategicRISK’s 2011 Environmental Liability Guide at www.strategic-risk.eu or goo.gl/UX0vA
BRIBERY
It could be you …
The Bribery Act, coming into force in July, widens the definition of bribery and holds directors responsible for failing to prevent it – even when it takes place abroad. Don’t get caught out
TOM WILSON, THE CHIEF EXECUTIVE OF A HEALTH equipment supplier, is attending a board meeting in the
City when police arrest him. He is relieved to hear the charge: they are trying to pin liability on him for the actions of a company agent in Mozambique. This agent has paid financial gifts to Mozambican customs officials to smooth deliveries of the firm’s equipment through the notoriously sluggish warehouses of Maputo.
Wilson says: “What does it concern me that an agent paid a bribe to an official somewhere I have never been, and in a place where these kinds of payments are made all the time by companies trying to keep ahead of the game?”
But he and countless other directors will have to think again, because such an arrest will become a real concern after the beginning of July 2011, when the UK Bribery Act comes into force. The act is significant for company directors because they can be held accountable for management lapses amounting to ‘commercial failure to prevent bribery’.
One of a series of international laws designed to combat cross-border corruption, the new act follows in the wake of the 1977 US Foreign Corrupt Practices Act (FCPA), which makes it possible to prosecute companies in the US courts for paying bribes to foreign officials, even if the offence took place abroad.
A tough act to follow
Enforcement of the FCPA is tough, as Paris-based telecoms firm Alcatel-Lucent found this year when it paid $45m (€31.2m) to the Securities and Exchange Commission (SEC) and $92m to the US Department of Justice to settle charges that it bribed foreign government officials to win contracts in Latin America and Asia.
The Bribery Act will catch situations where someone ‘offers, promises or gives a financial or other advantage to another person’ with a view to inducing them to ‘perform improperly a relevant function or duty’. Obvious examples in a business context include payments to government officials to obtain contracts, or to secure a reduction in customs or tax duty.
The new law covers payments to both public officials and representatives of private companies in the UK and abroad. The inclusion of private sector bribe recipients means that it goes further than the FCPA, which only covers bribes to foreign officials.
Bribes may be paid both directly and indirectly, for example, through a company’s agents and commercial representatives. This is an essential principle that is also in the FCPA and is important because most foreign bribery cases involve payments made through intermediaries.
In the past, it was commonplace for companies to avoid blame for bribes paid by their agents using part of their commissions. The UK authorities were already trying to put an end to the practice.
In September 2009, engineering company Mabey & Johnson was fi ned €6.6m for bribes paid through commercial agents in Ghana and Jamaica. This case was brought under the old corruption rules in the UK, so prosecutors are likely to make the most of their new powers since the new law specifi cally outlaws such third-party payments.
It also prohibits ‘facilitation payments’ – small payments to offi cials to speed up routine actions such as customs clearances – which are not illegal under the FCPA, so smaller as well as larger payments will now count as bribes.
Applying to companies incorporated in any part of the UK, the off ence of failure of commercial organisations to prevent bribery applies whether the company’s acts or omissions take place in the UK or elsewhere, giving the UK very wide jurisdiction. The penalties for individuals include a fi ne or imprisonment or both; the potential penalty for a company convicted of bribery, or failure to prevent bribery, is an unlimited fi ne. But the act protects companies that have taken risk assessment and compliance seriously.
Failure of compliance systems has long been the target of anti-bribery rules. SEC director of enforcement Robert Khuzami said of the Alcatel case that “it was the product of a lax corporate control environment at the company”. There is a defence in the new law for companies that have ‘adequate procedures’ to prevent bribery. If an individual employee pays a bribe, such companies will be able to argue that this was a personal aberration, and not the result of a systemic failure.
Key points
01: The Bribery Act makes directors accountable for commercial failure to prevent bribery
02: Facilitation payments are prohibited, as is using an intermediary to pay bribes
03: Penalties for individuals failing to prevent bribery are imprisonment or a fine, and companies can receive an unlimited fine
04: Corruption is known to be prevalent in the emerging markets of Russia, China and India
What exactly constitutes ‘adequate procedures’ to prevent bribery is not defined by the act, but new guidance has been issued by the Ministry of Justice. Ernst & Young consultant John Smart says: “The tone of the document will be a welcome relief for some as it advocates proportionality and reasonableness in its guidance in parts of the act rather than strict interpretations and enforcement.”
All corners of the globe
Certainly those companies implementing a management plan along the lines recommended (see box, right) will be well prepared for the act. One of the biggest challenges facing companies will be assessing each territory where they operate.
As our map on indicative risk across the world shows, the 10 most corrupt countries – including Nigeria and the Democratic Republic of Congo – come as little surprise. But there remains an extreme and high risk of corruption across most of the globe. This includes the world’s fastest-growing developing countries: Brazil, China and India – jurisdictions ambitious companies cannot ignore. The Chinese government has made efforts to tackle the problem, pursuing a concerted anti-corruption drive. However, corruption is prevalent in activities linked to government agencies such as public procurement, where the potential for gain is often the greatest.
High-risk sectors include construction, natural resources, banking and finance, and healthcare. Maplecroft chief executive Professor Alyson Warhurst says: “Monitoring corruption risks and government enforcement in supply chains, as well as ensuring compliance and preventative mechanisms are in place within one’s own operations, would seem prudent.” SR
PRACTICAL GUIDE
How to manage bribery
1. Ensure senior management articulate their personal commitment to high standards of business integrity.
2. Back this up with effective training and communication at every level of the business.
3. Compliance programmes that look good but are not backed up in practice will count against the company if it ever comes under investigation.
4. Risk assess each territory where the company operates.
5. Specific transactions – for example, negotiating for planning permission or importing expensive technical equipment – should also be individually risk assessed.
6. Subject new business contacts, prospective joint venture partners, or commercial agents to rigorous integrity with due diligence.
7. Split gifts and hospitality into three categories: generally acceptable (pens and mugs), acceptable subject to senior management approval (corporate entertainment), and never acceptable (bribes).
8. The act does not apply retrospectively and it may be some time before the first cases are brought. Monitor any developments as it beds down to ensure good practice is up to date.
Nigeria: ambitious
companies must be alert
to the corruption that
continues to grow in
their target countries
[READ MORE ONLINE] Download the Bribery Act guidance at www.strategic-risk.eu or goo.gl/rGpor
Theory & Practice [ INSIGHT ][ CASE STUDIES ][ BEST PRACTICE ]
RISK MANAGEMENT
The building blocks of risk
Success breeds success, so the saying goes. But successful companies can also breed behaviour that creates risk to the business. And if it goes unchecked, such behaviour can lead to spectacular failure
Take a snapshot of success, fast forward a few years, and you discover how ephemeral it can be. On the 10th anniversary of the publication of Built to Last, for example, seven of the 18 companies selected by Jim Collins and Jerry Porras as exemplars of their principles either no longer existed or had experienced a major failure.
Success, while better than failure, creates its own risks. Some of those risks are based on the inevitable failure of successful companies to scale their risk management processes and systems to cope with a bigger and broader business. Many, though, stem from the response of employees, managers and investors to success. Here is a small selection of those risky behaviours.
1 DELIVERING THE NUMBERS BECOMES THE STRATEGY
Success creates inflated expectations of quarterly sales numbers. “Organisations become so focused on meeting next quarter’s earnings-per-share targets that manipulation is going on,” says Dean Kreymeyer, executive director of the Institute for Corporate Ethics.
WorldCom is the best example. When internal auditor Cynthia Cooper questioned the numbers, management warned her to “stay away” from her investigation. She worked secretly to expose the financial engineering that departmental heads were incentivised to put in place to make their numbers. For example, $771m of unused network was reallocated as “construction in progress”. When one departmental head refused to change his reported numbers to the satisfaction of his manager, general accounting did it for him – behind his back.
2 BANISHING NEGATIVITY
Success can weaken the position of the risk management function if its processes are seen to impede growth. After the £28bn merger of Bank of Scotland and Halifax Building Society, the entrepreneurial zeal of Halifax came to dominate. It created an organisation in which head of regulatory risk Paul Moore could be told by one employee that “we’ll never hit our sales targets and sell ethically”. Moore reported the failure of risk management to the board, and soon after was made redundant with no remedial action taken.
The culture can lead to “opinion shopping”, where the business will look for someone, anyone, to support destructive or dishonest behaviour. Thus Lehman Brothers reported its “Repo 105” loans as sales after an opinion offered by external UK counsel. US counsel had already rejected this course of action. After Lehman’s bankruptcy the court appointed examiner called the decision “actionable balance sheet manipulation”.
3 IT WORKED LAST TIME
The concentration of influence in a small group of managers who have delivered success can create a single-strategy company that gradually becomes exposed to massive risk from rare events. Northern Rock wrote mortgages for customers who were acquired by brokers. Its growth targets demanded that it borrowed wholesale money to lend as new mortgages. It securitised the loans and sold them to other banks. The bank was incentivised to offer ever-riskier products (125% mortgages) with fewer checks (self-certified mortgages). It became a giant one-way bet based on inter-bank wholesale lending remaining available.
4 WHATEVER WORKS CULTURE
Success driven by strong management can lead to failure driven by the same force. At Bear Stearns, ‘Ace’ Greenberg hired recruits who were ‘PSDs’: poor, smart and with a deep desire to get rich. These PSDs not only set the tone but could push through day-to-day decisions with devastating results, because they enjoyed the confidence of the management. This eventually led to a trader, Ralph Cioffi, creating a fund that was leveraged 35 times and blew up. His response? Create another fund, leveraged 100 times. When that also blew up, he tried to salvage it by creating a listed company to contain the toxic debt.
5 YOU RECRUIT TO WIN, NOT TO MANAGE RISK
Dr Doug Hirschhorn, who trains traders for investment banks, is surprised that only 10% of the banks he works for give potential recruits a personality test. So many take on the sort of behaviour displayed by traders: a tendency to over-trade, a lack of appreciation of real-time risk/reward outcomes, and an inability to accept that losses are sometimes inevitable.
Allied with traders’ expertise in hiding these problems, and formal risk management practices are impossible to either teach or to implement. “A lot of behaviour is driven by how many people are watching,” Hirschhorn warns. SR
Tim Philips is the author of Fit to Bust, published by Kogan Page and available at bookstores and online
The concentration of influence in a small group of managers can create a single-strategy company that gradually becomes exposed to massive risk
ENVIRONMENTAL CLAIMS
How to manage environmental damage
A few steps can go a long way towards minimising harm to the environment and dealing with clean-ups quickly
If a company causes large-scale pollution, it can be extremely costly. Clearing up pollution takes time and money. You only have to look at how much BP had to fork out to clean up after the disaster in the Gulf of Mexico last year (around €25bn) as proof.
All sorts of stakeholders have an interest in the environment, so it’s hard for firms to duck their duties. The environment is also highly regulated now – the European Environmental Liability Directive (ELD), for instance, has introduced new rules.
Here are some things that companies can do to ensure issues get resolved more efficiently.
1 HAVE EFFECTIVE ENVIRONMENTAL RISK MANAGEMENT PLANS
First things first: companies should have site-specific contingency plans and emergency response procedures to prevent significant environmental damage occurring in the first place.
2 ESTABLISH THE ENVIRONMENTAL BASELINE FOR EACH SITE OF OPERATION
You cannot manage what you do not measure. Companies should define, as comprehensively as possible, the quality and status of the ecology and habitats that existed around their sites before the disaster.
Effectively defining this baseline involves an economic evaluation of the natural environment surrounding and in close proximity to the site of operation.
Once a baseline of environmental quality has been established to the satisfaction of the environmental regulator, then the extent of remediation, restoration and compensation that will be required to return the ecosystems and habitats to their prior condition can be defined.
3 AGREE THIS WITH THE REGULATOR
Agreement with the regulator will then be required on the extent of remediation and restoration considered necessary.
Preferably a baseline would have been established, documented and agreed with the regulator prior to any environmental damage occurring.
If not, the regulator may infer a scope of restoration required based on a speculative view of the environmental quality prior to the event and, as such, the cost of the loss could be highly uncertain.
4 DEFINE THE “VALUE” OF THE ENVIRONMENT
The environment’s ‘value’ is based on the resources it provides. This can include direct value (wood, agriculture, food, water etc.) and indirect value (walking, leisure and public space).
5 ESTABLISH A MAXIMUM PROBABLE LOSS ESTIMATE
This is an estimate of the scale of liabilities associated with environmental damage, based on maximum probable loss analyses for each site. Research has shown that the new ELD requirements for ‘complementary’ and ‘compensatory’ remediation could increase the costs of remediation 40 times.
The maximum probable loss estimates should be based on scientific evidence concerning the species, ecosystems and habitats at risk, and the potential loss scenarios that could be envisaged for the site and operations. This will include an estimate of the extent of ecology and habitat destruction that it is possible to envisage and the possibility for wider damage.
It’s also worth considering that remedial action may not be compatible with the baseline status, in that the precise replacement and restocking of species, communities, habitats and ecosystems may not be possible on a like-for-like basis.
6 CONSIDER WHETHER INSURANCE IS NECESSARY
Review requirements of financial security and environmental insurance associated with the potential to cause environmental damage at individual sites of operation, based on nature and scale of activity.
The maximum probable loss will help to inform this decision-making process with regards to issues such as the appropriate limit of indemnity to be gained should environmental insurance be considered necessary.
The implementation of the ELD in certain parts of Europe has included a mandatory requirement for operators of high-risk activities to hold financial security. Insurance is one of the most popular methods of financial security.
Cliff Warman is the environmental practice leader for the EMEA region at Marsh
KNOWLEDGE
Life after Chernobyl
Almost 25 years on, the Chernobyl exclusion zone still exists. Yet where humans fled, wildlife now thrives. Many species, including rare ones such as the lynx and eagle owl, inhabit the area, and trees have re-grown. But some environmentalists remain sceptical. “The trees are having a terrible time knowing which way is up,” James Morris, a USC biologist, said.
THEORY & PRACTICE [ INSIGHT ][ CASE STUDIES ][ BEST PRACTICE ]
CYBER CRIME
Strengthen your defences against cyber attacks
You might think your intellectual property is safe, but cyber crime is a fast-growing threat. Here are 10 steps you can take to protect your company’s deepest secrets
It’s your company’s most valuable asset: a technological breakthrough, a unique database, a list of important clients, a project under development. Whatever it may be, it has taken years or decades of work and investment. Yet it can be taken in a moment by cyber criminals.
Commercial cyber crime is growing at an exponential rate around the world. In the UK, the combined loss to businesses of intellectual property theft and industrial espionage alone is £9.2bn a year, although “the real impact of cyber crime is likely to be much greater”, says a government-commissioned study by Detica.
Commercially useful ideas, designs, methodologies and trade secrets are all on cyber criminals’ hit list. “If a product is attractive to somebody on the outside, it’s under threat,” says Stuart Poole-Robb, chief executive of risk specialist KCS Group.
No business with saleable intellectual property is safe, says Will Thomson, director of Cardiff-based 4Secure. “Companies ask ‘why would anybody come after us?’” he says. “I tell them to look at what they’ve got that somebody else might want.”
The utilities, medical, pharmaceutical, media, software, financial, electronics and telecommunications sectors are particularly at risk. But the fact is that any intellectual property-rich organisation where transaction volumes are high may be considered a target for highly professional, IT-savvy cyber criminals working from anywhere in the world.
And although industry professionals say there’s no single solution – “all organisations are different” points out Thomson – there are several simple measures that can and should be taken.
1 VALUE YOUR ASSETS
Start by conducting an audit of all the company’s intellectual property and assessing its external value. KCS Group managing director Massimo Cotrozzi says: “Many companies have no idea what their level of risk is.” Typically, even those that do attempt to put a price on intellectual assets they think are at risk from cyber crime often make the mistake of under-valuing those they may not consider important, but which others will for different reasons.
2 DRAW UP A BUDGET
Draw up a protection budget that bears a sensible relationship to the value of the property. “Many companies have ridiculously low budgets that are not comparable with the importance of the business involved,” Cotrozzi says. “Obviously it makes no sense to protect a £1bn formula with a £100 bit of software.”
3 GET TECH SAVVY
Don’t think the company is safe just because it’s got all the latest firewalls and other software. “Anti-virus software can’t defend itself against viruses it doesn’t know about,” Poole-Robb explains. “The best gateway into a company is an email address.”
The big danger may not be inward traffic anyway. As Thomson says, “companies focus too much on what’s coming in instead of on what’s going out.”
4 ERASE SENSITIVE DATA
Recovery specialist Kroll Ontrack says that more than half of all firms leave commercially useful information on old computers and hard drives. A Ponemon Institute study, sponsored by Symantec, in March 2011 said: “The average data breach incident cost UK organisations £1.9m, or £71 per record.”
5 PROTECT YOUR DATA
Push data protection disciplines throughout the company, for instance, by forbidding employees from using obvious passwords because hackers always work their way through a disciplined system based on our human foibles. And don’t leave passwords in obvious places.
6 STICK TO THE CODE
Too few companies have strict codes of online conduct backed up by effective enforcement, says 4Secure’s Thomson. “Employees always try to circumvent the system,” he says. Much cyber stealing can start from Hotmail, Gmail, flash files and other documents downloaded onto the desktop.
7 CHECK YOUR STAFF
Run short-term or contract staff through a security check. It’s not uncommon for a cyber criminal to get through the door as a replacement cleaner or employee. “Checks on short-term workers are usually inadequate,” Poole-Robb says.
8 NEED-TO-KNOW
Throw a ‘security perimeter’ around the company. Intellectual property should be assigned levels of importance according to its external value and made available on a need-to-know basis. Thus only designated employees should take designated data into an unsecured wider perimeter.
9 MOBILE PROTECTION
Develop a mobile phone policy. Mobiles often contain important data, but are often badly protected.
10 TREAT DATA WITH CARE
The most sensitive data should be treated like pure gold. The biggest private equity firms only release details about a major investment in a fully protected room where nothing can be downloaded, copied or removed. SR
Derailed: China has been accused
of stealing Japan’s high-speed
train technology. Kawasaki of
Japan is one of the companies
whose designs and innovations
are said to have been cloned
VIEWPOINTS [ PEOPLE ][ OPINION ][ COMMUNITY ]
WHAT’S INSIDE YOUR HEAD?
Headspace
Igor Mikhaylov of Russia’s Mobile TeleSystems is willing to throw routine out of the window for new challenges
What are you thinking about right now? The recent natural disasters in Japan. Sometimes, after tragedies such as this, there is a buying fever for personal protective equipment or food and water. It’s not possible for companies to serve that kind of peak in demand. And natural disasters can’t always be predicted. If you want to prepare for these disasters, you need to manage risk in advance. But where’s the line between being pragmatic and being paranoid?
What is your greatest fear? Losing people who I love. The most important thing is to live life properly and make the most of it.
What was your most embarrassing moment? It was during a school performance when I was young. It was such a successful performance that we were asked to perform in front of the whole school, our parents and teachers. But I hadn’t rehearsed properly so I felt nervous and couldn’t remember the script. I decided to lay parts of the script on the stage so I could read them during the performance. But I messed up because I paid too much attention to where the script was rather than focusing on my act.
What is your most treasured possession? It’s difficult because I don’t attach much importance to material things. But I could say my electric piano.
What makes you happy? I’m happy when I reach my targets, especially ones that seem unachievable. I’m happy to dare to solve problems that others refuse to do. I enjoy learning about new technologies and different applications of existing technology. I’m amazed by complex architecture, aerospace engineering, hybrid technologies, composite materials and hydroponics (growing plants in water without soil) – as well as many other advances in life.
What makes you unhappy? Boring routines. At work, if operations become tiresome because they stay the same for a long time it makes me unhappy. Politics make me unhappy, particularly when it conceals inhumanity.
Who is your greatest hero? I try to follow the example set by some remarkable and distinguished relatives of mine. They are my heroes because they played such important roles in society, science, economics and business. My grandfather worked for Unesco as a department head where he was involved in several large projects. He once directed an exhibition in Moscow and was a member of a delegation that hosted the Queen of England. My father is a professor and distinguished scientist of geophysics. And my brother works in the oil and gas industry.
What’s the biggest risk you’ve ever taken? As a student I travelled very far to a Russian downhill ski resort. It was a spur of the moment decision and I hadn’t really done my research about skiing there. When I arrived I realised the ski hill was on the edge of a Chechen warzone. There were no tourists there because of the risk of being kidnapped. The locals all carried guns.
What is the worst job you’ve ever done? Early in my career I was responsible for pricing strategy for radio networks. I was asked to prepare a presentation that I knew wasn’t necessary because everyone already knew the information. Afterwards the audience told me it was a waste of time.
What is your greatest achievement? Graduating from Moscow Institute of Physics and Technology. The Nobel Prize for Physics was recently awarded to two scientists from here. In 2010, I won a Risk Management Award in Russia from RusRISK.
What is the most important lesson you’ve learned? Never give up. Only ever set yourself difficult targets. Never agree to do something if you don’t believe in the end result. SR
‘I realised the ski hill was on the edge of a war zone. There were no tourists because of the risk of being kidnapped and all the locals carried guns’
Illustration by Richard Phipps
Igor Mikhaylov is head of the risk management division at Mobile TeleSystems, Russia