risk management april 2011

April 2011 Issue 84 PP255003/06868

www.riskmagazine.com.au

WHY THERE’S NO SET PATH TO THE CRO’S CHAIR

RISK PEOPLE:WESTFIELD’S EAMONN CUNNINGHAM ON RISK

OWNERSHIP AND THE NEED FOR COMMON SENSE

NEWS REPORT:WHAT MAKES A GOOD CRO?

CRISIS MANAGEMENT EARTHQUAKES AND TSUNAMIS: WHAT’S THE RISK FOR AUSTRALIA

IT SECURITYLOCKING DOWN TECHNOLOGY

BUSINESS CONTINUITYANZ CASE STUDY

Rising upthrough the

risk ranks

FEATURES AND REPORTS

Banking on business continuity 16A business continuity plan is critical in times of unforeseen crisis, as ANZ recently discovered. Craig Donaldson reports

Locking down IT security 18Targeted cyber attacks are on the rise – necessitating tighter security management practices, writes Craig Donaldson

Risk people: Eamonn Cunningham 20As a key driver of Westfi eld Group’s risk management function, Eamonn Cunningham. talks to Benjamin Nice about role clarity, risk ownership and the need for common sense.

REGULARS

Editorial note 05 News review 06 News report 10 OHS roundup 24 Book review 25

C ontents

22

26PREPARING FOR THE WORST

RISKY BUSINESS

Risk April 2011 3

Australasian Business Continuity Summit 2011Sofi tel Sydney Wentworth Hotel 8 - 10 June 2011

The Australasian Business Continuity Summit 2011 is the only business continuity conference in Australia. The Summit is planned by subject matter experts to combine diverse presenters and topical subjects into a program that addresses contemporary issues for practitioner of business continuity and related disciplines. The Summit combines two conference days, Wednesday 8th and Thursday 9th June, followed by Workshops on Friday 10th June.

For more information please contact:T + 61 2 9415 4180 F + 61 2 9411 8585 E [email protected] VISIT www.continuity.net.au www.thebci.org.au

The pathways to a senior risk management position are changing. Craig Donaldson speaks with three leaders in the fi eld about their experiences, the evolution of risk careers and what steps professionals need to take to make the CRO grade

COVER STORY12

CAREERS IN RISK

4 Risk April 2011

F rom the editor

Editor: Sarah O’Carroll

Journalist: Ben Nice

Contributor: Craig Donaldson

Designer: Ken McLaren

Publisher: Fiona Marcar

Design Manager: Anthony Vandenberg

Production Manager: Kirsten Wissel

Cab Member since December 2005

Subscribe todayRisk Magazineis published monthly and is

available by subscription. Please email:

[email protected]

All subscription payments should be sent to:

Locked Bag 2333, Chatswood D/C,

Chatswood, NSW 2067

Advertising enquiries: Marika Biro - (08) 8371 5800

[email protected]

Editorial enquiries: All mail for the editorial department should be sent to:

Risk Magazine, Level 1 Tower 2,

475 Victoria Ave Chatswood, NSW 2067

Copyright is reserved throughout. No part of this publication may be reproduced without the express written permission of the publisher. Contributions are invited, but copies of all work should be kept

as Risk Magazine can accept no responsibility for loss. Risk Magazine and LexisNexis are divisions of Reed International Books Australia Pty Limited, ACN 001 002 357 Level 1 Tower 2, 475 Victoria Ave,

Chatswood, NSW 2067 tel (02) 9422 2203 fax (02) 9422 2946 ISSN 1833-5209 Important Privacy Notice You have both a right of access to the personal information we hold about you and to ask us to correct if

it is inaccurate or out of date. Please direct any queries to: The Privacy Offi cer, LexisNexis Australia or email to [email protected]. © 2009 Reed International Books Australia Pty Ltd (ABN 70 001 002

357) trading as LexisNexis. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., and used under license.

A bout us

“ Having internal audit report to independent board audit committees gave the internal audit profession such a kick up the backside that it caused generational change in the entire profession”

Todd Davies, see Comment on page 8

Sarah O’carroll Editor

oogle Analytics versus readership survey

So in this issue, I’ve decided to go with my gut instinct – with a little help from Google Analytics – and devote our cover to risk careers and what it takes to make it to the CRO position. In our cover story we speak to chief risk offi cers about their experience, the evolution of careers in risk management and what steps risk professionals need to take to make the chief risk offi cer grade.

If I’m off the mark, let me know … but hopefully it has been a calculated risk to look at how Australian risk managers can get to the next level and continue to bring the profession into the spotlight.

GRecently I attended a discussion at Sydney University, where a group of editors came together to discuss what the future holds for magazine editing, including the implications of new technologies and metrics.

One of the points made was whether editors should go with their gut instinct on which stories to cover, or whether they should rely on online data such as Google Analytics and online surveys, which tell them what content readers are clicking on.

It’s a tough one. From our experience here at Risk Management magazine, results are confl icting.

We conducted a readership survey in November, for example, asking readers what they wanted to read about and providing options such as business continuity, crisis management, compliance, insurance and internal audit.

One option, which I thought would have scored higher than it did, was “risk careers”: how interested people are in reading about careers in risk management, what it takes to be successful in risk, the job market and, essentially, how to get to the top of the game.

However, according to the responses from readers, it was one of the least popular options.

But Google Analytics tells a different story.We send out weekly newsletters and track quite meticulously

what stories readers are clicking on every week. The most clicked-on stories this year have been career-related – how to get to the top job and what it takes to make a good CRO, for example. These rated higher than stories on the BP disaster, Toyota’s recall lessons, compliance and secrets to best practice governance.

What’s your take on this quote?

To have your say write to the editor [email protected]

Best comments will be published in the May issue of Risk

Risk April 2011 5

N ews Review

Boards struggle with fraud risk management

Devil’s in cloud-sourcing contract details $600m government fraud bill highlights need for controlFRAUD cost the Federal Government nearly $600 million in 2008/09, with more than 800,000 incidents of fraud recorded by Centrelink, Customs and other government departments.

A government report found that the cost of welfare fraud rose 10 per cent to $489 million, with more than 700,000 incidents of social security fraud reported. In addition, more than 160 public servants misused or stole government credit cards, with $1.85 million in inter-nal fraud attributed to dishonest public servants. The report, prepared by the Australian Institute of Criminology, found that just $139 million, or 23 per cent, of the stolen money was recovered.

New government programs were also subject to fraud, according to the report. The Home Insulation Program, introduced in February 2009, was plagued by on-compliance in relation to approximately 25,000 claims made for work performed under the program. The Building the Education Revolution was also subject to fraud, with 103 complaints made about the initiative.

“These recent examples of fraud and waste in connection with large-scale government programs reinforce the need for fraud control and risk management procedures to be actively enforced within gov-ernment agencies,” said the report.

“Where large-scale new programs are to be introduced, internal controls and risk management policies need to be reviewed in order to ensure that fraud risks are avoided.

“When fraud does occur, there are many avenues of response that may be followed – some obligatory under offi cial policies and laws, and others optional depending on the scale and circumstances of the offence.”

Often, however, the report found that fraud is not reported offi cially and sometimes repeat victimisation occurs – on occasion, by the same offender against the same individual or organisation.

ONE of the common features of many recent frauds appears to be that senior management had a poor understanding of their organisation’s fraud risks, according to an expert in the area.

“One would have thought that with all the focus on risk management, by now executive board members of such organisations would be fully ap-praised of their fraud risks and be managing them in a consistent and effi cient manner,” said Martin Samociuk, founder of consulting fi rm Hibis Group, which specialises in fraud risk management.

“Unfortunately, experience has shown that it is all too common to fi nd that there is a poor under-standing of fraud risks at the board level.”

Samociuk said most organisations assign the responsibility for fraud risk management to business

line managers who assess the risks together with all other operational risks. However, these managers are usually so overburdened with operational risk and audit requirements, which focus on systems and processes and evaluating the effectiveness of controls, that they lose sight of the fact that people commit fraud.

“This can usually be seen in the fraud risk assessment which contains a list of what manag-ers assess as fraud risks when, in fact, they are just describing methods of fraud,” he said. “The confusion arises because the organisation has not defi ned the term ‘fraud risk’, so managers fl ounder trying to fi gure out what it is they are supposed to be assessing.”

Samociuk, who has written a number of books on fraud risk management, said it is unfair and impractical to ask managers to assess fraud risks when they don’t know what a fraud risk is and have no knowledge of the methods that a fraudster might use. “It is like asking a doctor to diagnose a patient without any training,” he said.

“Given the different nature of fraud risks com-pared with other risks, such as credit and market risks or risks resulting from accidental occurrences, fraud risks should be assessed independently of the general risk assessment process.”

Samociuk said a vital element prior to conduct-ing an assessment is to provide adequate resources and training to business line managers so that they understand how fraudsters work and how they seek to bypass controls. That way, the managers will have a reasonable chance of assessing fraud risks and whether or not existing controls are effective.

“An increasing number of fi nancial institutions have realised such resources training has to be provided by fraud prevention professionals rather than by operational risk personnel,” he said.

ORGANISATIONS considering a shift to cloud sourcing should carefully assess the risks associated with cloud-sourcing contracts, according to a recent Gartner report.

Such contracts are not mature for all markets, and areas such as data-han-dling policies and procedures can have a negative impact on a business case, potentially creating compliance issues and cost increases, leading to the need for specifi c risk mitigation activities.

Another common risk in cloud-sourc-ing contracts is that terms generally fa-vour the vendor, according to the report, Four Risky Issues When Contracting for Cloud Services. Organisations need to understand that they are one of many customers and that contract customisa-tion breaks the model of industrialised service delivery, said the report.

To manage cloud-services contracts successfully, it said organisations need to manage user expectations. “It’s es-sential that organisations planning to contract for cloud services do a deep risk analysis on the impact and prob-ability of their risks, and they should also plan mitigation for the most critical issues,” said Alexa Bona, research vice-president at Gartner.

“This might cost additional money, but it is worth the effort. Risk should be continuously evaluated, because con-tracts can change – sometimes without notifi cation.”

Another common risk in cloud-

sourcing contracts is that they can be opaque and easily changed. Contracts from cloud-service providers are not long documents, and the report noted that certain details are often critical to the quality of service and the price (such as SLAs) for uptime or performance, service and support terms, and even the description of the core functionality of the offering.

The report said organisations need to ensure that they understand the com-plete structure of their cloud-sourcing contract, including the terms detailed outside of the main contract.

A fourth risk in cloud-sourcing contracts is that they do not have clear service commitments, and the reported noted that, usually, cloud-service provid-ers limit their area of responsibility to what is in their own network, as they cannot control the public network.

When deciding whether to invest in cloud offerings, Gartner said buyers should understand what they can do if the service fails or performs badly. “Cloud-service providers will need to address these structural shortcomings to achieve wider acceptance of their standard contracts and to benefi t from the economies of scale that come with that acceptance,” said Frank Ridder, research vice-president at Gartner.

“CIOs and sourcing executives have a duty to understand key areas of risk for their organisations.”

“Experience has shown that it is all too common to fi nd that there is a poor understanding of fraud risks at the board level”Martin Samociuk, founder, Hibis Group

6 Risk April 2011

N ews Review

Internal audit: coming to grips with risk managementRISK management is a top priority for board members and executives, making it vital for internal auditors to increase their focus in this area, particularly the identifi cation of potential future risks as well as risks tied to the business strategy, recent research has revealed.

However, even as risk management consumes more time of internal auditors, the survey of more than 600 participants from around the world – including chief audit executives, internal audit directors and managers from public, private and non-profi t organisations – found they still don’t feel prepared to meet increased demands.

Conducted by Protiviti, the survey found that the areas in most need of improvement with regards to risk man agement and governance process were understanding emerging risks and evaluating and changing risk appetite levels.

Gary Anderson, managing director of Protiviti and board director of the Institute of Internal Auditors (IIA) Australia, said many companies are still struggling with how to identify emerging risks in the context of their business models. “I think auditors, along with management, are fairly challenged in this area,” he said.

“When it comes to defi ning appetite for risk, many organisations are only at the very rudimentary stage of trying to

quantify and describe this. Similarly, audit is still at a fairly rudimentary level in assessing the robustness of how that’s put together.”

Anderson believes internal auditors need to stay very close to management and challenge and support manage-ment in understanding what the emerging risks are for the business. “They have to explore different ways of providing assurance to the board and executive management on how those risks are addressed,” he said.

“That does require reaching out to other colleagues, researching what other industry participants are doing, and being prepared to engage widely and apply some deep thought to your own situation.”

The Protiviti research also revealed that building expertise in technology-enabled auditing, including continuous auditing and computer-assisted audit tools, remains a top priority for internal audit professionals. This is particularly relevant for internal audit professionals in Australia, according to Anderson. “The profession has really struggled for many years now to build a sustainable base of IT skills in the internal audit area,” he said.

Bob Hirth, executive vice-president and head of global internal audit for Protiviti, said developing expertise and successfully implementing automated

“When it comes to defi ning

appetite for risk, many

organisations are only at the

very rudimentary

stage of trying to quantify

and describe this”

Gary Anderson, managing director, Protiviti, and board

director, IIA

Specialist skills needed for GRC futureTHERE will be an increased need for specialists in governance, risk and compliance (GRC) in coming years, with no one profession owning the space, according to Bryan Whitefi eld, director of Risk Management Partners. The GRC leader of the future will come from any one of a range of management or professional disciplines, with a personal bent towards their professional background, he said.

To be across the discipline of GRC “you would need to be someone with an MBA on steroids”, he said. “You need to understand strategy, fi nance, safety, project and change management, organi sational behaviour as well as having a great understanding of the business you’re in. On top of that, you need to show strong leadership across all of them.”

Whitefi eld advises leaders in the GRC space to manage their own personal bent and ensure they give all aspects of the challenge adequate weighting. “By all means, build your skills in various areas or pursue something broad like an MBA. The more you know, the more you will learn the more you don’t know, nor could possibly know in one lifetime,” he said.

“Organisations have risen and fallen on the back of some very bright ideas by a few special people with

unique skills. Imagine how hard it would be to know what they know and complement their skills along the way, so the organisation only has the rise and avoids the fall. Inevitably you will need to supplement your skills with those from other specialist disciplines.”

Whitefi eld recommends resisting the segregation of governance, risk and compliance. “They are integral parts,” he said. “If you don’t believe me, have a look at the ASX [Corporate] Governance Principles and tell me which ones don’t have a risk management or compliance element to them. Every one of the principles deserves attention.”

According to Whitefi eld, the challenge for a GRC professional is knowing how to prioritise their time and the resources available. For governance professionals, he recommends prioritising these based on risk and

opportunity, but for risk professionals, he suggests taking a big-picture view and to avoid getting caught up in Principle 7 – “Recognise and manage risk”.

Whitefi eld also said to insist on segregation of GRC from audit. “This has been one of my greatest bugbears. The role of audit is to provide confi dence that the GRC arrangements are appropriate and effective,” he said. “How can an auditor have any involvement in developing the GRC framework, or populating it, and then turn around and pass a critical eye over it to see if it is functioning well?”

Audit’s job is to provide assurance, said Whitefi eld, and staff will always see audit as a bit of a watchdog. “We don’t want staff hiding anything. A GRC section – no matter what you call it – that is independent of audit has a much greater potential for encouraging open dialogue and debate concerning risks and opportunities,” he said.

“Later these can be further debated with audit, who rightfully should challenge the appropriateness of frameworks and the decisions emanating from its application across the organisation. Both are incredibly important roles and neither should be undervalued or trivialised by pouring them into the one bucket.”

“You would need to be someone with an MBA

on steroids”Bryan Whitefi eld, director,

Risk Management Partners

auditing tools and processes will enable internal auditors to focus on higher-level initiatives such as emerging risks. These include new regulation, changes in the business model, changes in industry dynamics, and industry competition, said Hirth, as well as risks tied to the company’s strategy.

The survey showed that, with regard to “soft” skills, dealing with confrontation and public speaking were rated as the two areas in most need of improvement for internal auditors. These skills have ranked among the top areas for development for the past three years, indicating that internal auditors are assuming more strategic roles and working closely with most departments in their organisations.

“A strong internal audit function is critical to operating successfully and maintaining a state of effective internal control in a heightened regulatory and risk management environment,” said Hirth.

Risk April 2011 7

N ews Review

New UK bribery law casts wider corruption netAUSTRALIAN companies that carry on a business in the UK will be subject to a new anti-bribery regime that extends beyond fi nancial reward to include inducements such as entertainment, privileges and gifts. The UK Bribery Act 2010, which commences on 1 July 2011, casts a wider net in that it reverses the burden of proof, so someone can be successfully charged with bribery even if they had no idea of the activity.

Under the new law, it will be a criminal offence to give, promise or offer a bribe and to request, agree to receive or accept a bribe – either in the UK or abroad. The law also covers bribery of a foreign public offi cial.

Under the Act, bribery is constituted as any action that might “improperly infl uence” someone in order to obtain business or an advantage in the conduct of business, and extends to foreign employees, subsidiaries or agents in other countries who make “facilitation payments” without company permission.

The new law will apply to all UK-registered companies as well as companies registered anywhere else in the world but which do business in the UK, according to Will Kenyon, a London-based partner in the forensic services group of PricewaterhouseCoopers.

“One of the key tricky issues for everybody trying to interpret the Act is what is a bribe and where do you draw the line? Discussions have focused on what is an appropriate level of corporate hospitality, promotional expenditure or gifts and entertainment,” said Kenyon.

There has also been debate around the level of due diligence that might be required to ensure that adequate anti-bribery procedures are in place for third parties, he says. “So if you have sales agents or other intermediaries who are either out there selling for you, or helping you to interact with government or other third parties in any way, shape or form, those third parties can create vicarious liability for your organisa-tion if they pay bribes in effect on your behalf.”

Companies that come under the Act will need to improve their communication, training, policies and monitoring and control procedures to make sure that employees understand what is expected of them and that they know where to turn for more information when needed, said Kenyon.

“For large multinationals there is potentially quite a lot to do, and my concern is that some may well have waited and they now only have three months in which to try to put something in place. I think that is good grounds for urgent action, but not for panic, because this is a long-term thing,” he said.

While a business can avoid conviction if it can show that it has adequate procedures in place to prevent bribery, a recent guidance document published by the UK Government states that the question of whether an organisation has adequate procedures in place to prevent bribery is a matter that can only be resolved by the courts.

“In other words, we’re back to square one,” says Ian McDougall, vice-president and legal director for LexisNexis International. Fundamentally, the new Act creates a mens rea (“guilty mind”) offence; that of “intending” to “induce” “improper” performance of some kind.

“The higher the profi le, the more

likely you are to be in the crosshairs”

Ian McDougall, vice-president and

legal director, LexisNexis

International

Defences against the Bribery ActCompanies that are subject to the UK Bribery Act 2010 can avoid being convicted of the offence of failing to prevent bribery if they can demonstrate “adequate procedures” are in place to prevent bribery. These include:1. Proportionality2. Top-level commitment3. Risk assessment4. Due diligence5. Communication6. Monitoring and review

For more information, see the UK Ministry of Justice’s Bribery Act 2010: Guidance about commercial organisations preventing bribery, and Quick start guide, both at www.justice.gov.uk.

“When combined with the guidance document advice, it is clear that identical acts may or may not be offences, de -pending on circumstance and proving mens rea,” he said.

According to McDougall, ethics has been a topic of debate since the time of Plato. “I’m not quite sure this Act takes us any further forward in our understanding of what is or is not ethical behaviour. It just says, ‘let the courts decide’.”

However, he believes it is the big fi sh or utterly fl agrant behaviour that the

authorities will be after. “Therefore, it is clear that companies need to establish clear policies,” he said, while programs of awareness also “need to be commenced, and probably a program of auditing established for compliance purposes”.

McDougall also advises risk management professionals to factor their company’s profi le into risk assessments. “The higher the profi le, the more likely you are to be in the crosshairs,” he said.

“In addition, establish a set of criteria which can help judge what might be higher-risk activities, with higher-risk individuals, so that ‘alarm bells’ can ring where appropriate.”

8 Risk April 2011

N ews Review

The Institute of Internal Auditors (IIA) has been campaigning for regulatory change in Australia for more than 10 years. Much of what it has been saying has fallen on deaf ears.

Australia has one of the highest public exposures to listed shares as a result of mandatory superannuation. While prudent fund managers should be underweight in poorly governed companies, this doesn’t happen in practice. If a company share price spikes and the company hits the S&P/ASX 200, your super fund just bought the stock, even if governance is shocking.

Australian regulation has fallen behind in some respects, resulting in laggards in the S&P/ASX lists, and owned by your super funds. To be fair, there are some areas where Australian regulation leads. Having internal audit report to independent board audit committees gave the internal audit profession such a kick up the backside that it caused gener-ational change in the entire profession. Other countries would benefi t from this.

Similarly, the requirements for boards and management to focus on whether the organisation really understands the material business risks they face, rather than just saying that they comply with the relevant risk standards, has been a great thing for Australia’s competitiveness internationally.

But alas, these are only suggestions. They are not mandatory. Companies can weasel out of them or ignore them entirely. Even worse, some of the fundamentals have been skipped over, particularly internal audit, which is a cornerstone of most governance frameworks elsewhere.

While internal audit is mandated for listed companies in the United States and throughout Asia, in Australia it is not. Likewise, while the UK and South Africa have disclosure triggers on internal audit, Australian companies have nothing. This results in many companies outside the S&P/ASX 50 not having an internal audit function, let alone one that is effective or risk-focused.

IIA has put together a policy agenda for reform. It contains fi ve principles, two of which are yet to be pushed by the ASX or ASX Corporate Governance Council. The principles are: internal audit is fundamental to good governance; and internal audit should operate at a consistently high standard.

IIA Australia’s policy principles and recommen-dations are helpful for most mid-cap companies, but many have not implemented them. They do this at their peril. Lagging performance on risk and assurance will force regulators to step in. Indeed, if they had done so sooner, your superannuation balances would be looking a lot healthier, as would mine.

Todd Davies specialises in leading practices in internal audit and assurance. He was formerly the technical and policy director of IIA Australia. For more information, visit www.todddavies.com.au.

Comment

Time to mandate internal audit?

BP managers ignored major hazard risks

JUST hours before the explosion that rocked the Deepwater Horizon rig, senior managers from BP and rig owner Transocean conducted a site visit but failed to notice the warning signs because they focused more on occupational safety rather than process safety, a recent report has found.

At the joint inquiry into the disaster, the senior health and safety manager for BP drilling operations in the Gulf of Mexico said that occupational safety (or personal safety) was their prerogative, while process safety was a matter for engineering authorities.

“They were not at all focused on major hazard risk and made no efforts to ascertain how well it was being managed [e.g. how effectively the reduced pressure test was being carried out] or whether people were following procedures that were designed to protect against major hazard risk [e.g. monitoring mud fl ows],” said the Australian National University’s Professor Andrew Hopkins in the National Research Centre for Occupational Health and Safety Regulation paper.

“These matters lay outside the scope of their informal auditing activities. This one-sided concentration on occupational or personal safety has been identifi ed as a contributor to many previous process safety accidents, including the BP Texas City refi nery disaster of 2005.”

Safety is often a focus for senior

managers who are visiting a worksite, but too often safety is understood to be a matter of “slips, trips and falls”, rather than the major hazards that can lead to major accidents, said Hopkins in the paper, Management Walk-Arounds: Lessons from the Gulf of Mexico Oil Well Blowout.

The difference between occupational and processes safety corresponds to a distinction between conventional safety risks that result in relatively high-frequency, low-consequence events, and major hazard risks that give rise to low-frequency, high-consequence

events (such as explosions), he said.“It is important to recognise that,

because process safety disasters are rare, they do not contribute to workforce injury statistics on an annual basis,” he said. “However, BP evaluated its own safety performance and that of its contractors on the basis of LTI rate and TRI rate. For important practical purposes, then, safety for BP and for Transocean personnel was synonymous with occupational safety.”

In order to avoid such traps, said Hopkins, one very important activity is to talk to employees in a way that elicits from them information about what might be going wrong.

“Very often they are the ones who know best that something is amiss,” he said. “But just as importantly, senior executives need to engage in their own informal auditing, making sure to sample the detail.”

37%of companies in mainland China considered the withdrawal of

stimulus funding as the factor most

affecting their business in 2011

“One-sided concentration on occupational or personal safety has been a contributor to many process safety accidents”Professor Andrew Hopkins, Australian National University

Risk April 2011 9

N ews Review

Caution urged over Chinese credit risk

Most viewed on theweb1. The three pillars of good corporate

governance 2. What management looks for in a CRO 3. Internal auditors dropping compliance ball 4. Earthquakes and tsunamis: what’s the risk

for Australia5. Improvement in risk controls needed 6. Internal audit: coming to grips with risk

management 7. BP managers ignored major hazard risks 8. Boards struggle with fraud risk management 9. Specialist skills needed for GRC future 10. Risk management in practice: reputation

Risk management strategies and trends

Post GFC blues raise financial risk concernsOVER the past 12 months busi-nesses have grown increasingly concerned about fi nancial and economic-based risks, according to an Aon survey.

Risks that increased in importance throughout 2010/11 related to liquidity, market environment, capital availability/structure, credit and sales, refl ecting a growing concern around economic and fi nancial issues amongst businesses.

“In 2010, the major banks were still tightening their lending capacity and the United States and European countries remained in an economic downturn,” said Steve Nevett, chairman, Pacifi c region, Aon Risk Solutions.

This fi nancial pressure saw

concern around fi nancial risks increase signifi cantly in terms of their importance in Aon’s annual Australasian Risk Management Benchmarking Survey.

“Whilst the Australian economy remained relatively strong throughout the aftermath of the global fi nancial crisis, Australian businesses are looking forward optimistically but continue to see risk management as an increasingly important part of corporate strategy,” Nevett said.

The survey, which is based on risk management information sourced from 446 major Australian and New Zealand corporate and public sector organisations, also found that the median Total Cost of Insurable Risk (TCOIR) across

all organisations for 2010 was $4.76 per $1,000 of revenue or approximately 0.5 per cent of revenue – which represents a decrease of 8 per cent from 2009.

Prior to 2009 the median TCOIR declined consistently for 5 years (from $11.97 per $1,000 revenue in 2003 to $4.52 per $1,000 of revenue in 2008).

TCOIR then rose to $5.20 in 2009 which was largely due to decreasing revenue levels in the Australian economy.

Aon anticipates a slight increase to overall TCOIR in 2011 due to premium increases and a high proportion of TCOIR spend coming from risk transfer costs.

Over the past ten years there has been a signifi cant shift towards a structured enterprise-wide or executive approach to the identifi cation and evaluation of risk, according to Aon’s annual Australasian Risk Management Benchmarking Survey.

It found that the Board and CEO are increasingly taking responsibility for formulating risk strategies while the chief risk offi cer, risk manager and operational/divisional heads are undertaking the development and implementation of risk management policies.

Over the past eight years organisations have been increasingly bringing risk functions in-house, however, outsourcing continues to occur where specifi c expertise and knowledge is required.

Furthermore, the survey found the most frequently cited benefi ts of investing in risk

management were improved internal controls and improved standards of governance.

A WITHDRAWAL of stimulus incen-tives and a tightening in bank lending in China are likely to impact corporate credit from 2011, as a recent research report has found that Australian companies with trade agreements in mainland China may seek increased protection from possible deteriorating payments.

Despite an improvement in both credit sales and overdue payments in China in 2010, food and agricul-tural exporters in particular need to be mindful of the need to protect against the potential for increased payments risk, according to Chris Doubé, general manager of Coface Australia, which conducted the research report.

Given the increasing level of eco-nomic interdependence between China and Australia, Doubé said the report highlighted the need for increased vigilance by companies.

The Survey of Corporate Credit Risk Management in China Report revealed credit sales in China achieved a compound annual growth rate of 16 per cent between 2008 and 2010, and overdue payments in domestic sales have dropped 26 per cent since 2008.

Regardless of this improvement in 2010, companies in mainland China are less confi dent about a continued improvement in payment behaviour.

Some 37 per cent of respondents considered the withdrawal of stimulus funding as the factor most affecting their business in 2011, while 31 per cent believe tighter monetary policy and bank lending will have the greatest impact.

More pointedly, 41 per cent ex-pected the overdue payments situation may take more than three years to improve, while 33 per cent expected it would never improve.

Australian businesses may see an impact as a result of this uncertainty, said Christophe Souquet, Coface risk director for the Asian Pacifi c and inter-national expert in corporate credit risk management.

Aspects of the Australian market can be considered a proxy for the health of the Chinese economy and therefore may experience a shift in credit sales as a result, he said.

“Preparing for potential risks in

business, particularly for organisations operating across borders, is essential,” he said.

“Understanding the risks and op-portunities across international markets will provide Australian companies the knowledge to successfully expand operations.”

China is Australia’s largest source of imports and exports, according to the Department of Foreign Affairs and Trade.

Australia exported $3.4 billion in agricultural goods to China in 2009, making up 8.1 per cent of total exports; while trading in canola, live animals, fi sh, edible products, wine and meat recorded particularly strong growth.

“Preparing for potential risks in business, particularly for organisations operating across borders, is essential”Christophe Souquet, risk director, Asia Pacifi c, Coface

Candidates must tick a number of boxes to be considered for a chief risk offi cer role – starting with a well-rounded set of skills

F or most companies, the decision to appoint a chief risk offi cer (CRO), or an equivalent senior risk executive, is driven by several factors. However, once the decision

has been made to establish the role, there are some points management should consider when evaluating CRO candidates, according to a recent report from Protiviti.

Finding the right chief risk officerThe fi rst point is the actual role and expectations, as defi ned by management and the board. A key consideration is whether the role will focus on strategic issues (such as establishing/communicating risk appetite and risk management philosophy, implementing an appropriate infrastructure for managing and monitoring risk, and integrating risk management with strategy-setting and business planning) or have a tactical approach (on issues such as compliance management, insurance procurement, fraud prevention and asset protection, and/or environmental, health and safety matters). “While we believe a strategic role is preferable in many situations, both approaches occur in practice,” stated the Protiviti report.

Another important consideration is experience requirements. If a business is looking for someone to serve as a peer with

operating unit and other leaders, it should identify executives with at least 15 years of experience, according to the report. Industry experience and a demonstrated ability to work effectively to address issues in a comparable organisation are vital attributes, while previous experience in risk management and fi nance is a plus, along with competency in the C-suite/reporting to boards and expertise in the risk of greatest importance to the business.

Critical thinking skills are also highly valued. “The CRO should be able to think strategically, work with operating units to disaggregate business plans and transactions into component risks the organisation is taking on, and recommend how to improve proposed plans and transactions by mitigating the risks,” said the report.

Interpersonal skills are also key, as exceptional verbal and written communication and negotiation skills will support a CRO in interacting effectively with others, including regulators. “CROs should be able to organise and motivate others – many of whom may be in more senior positions,” said the report.

Keen business acumen is critical, too, as a CRO needs to be both a trusted adviser and a control authority who can articulate risk/reward trade-offs. Sound business and fi nancial

N ews Report

10 Risk April 2011

judgement combined with problem-solving abilities are vital prerequisites, while an increasing use of models or quantitative analytics makes the need for core analytical skills crucial, according to the report.

Also important is strong process orientation, as CROs are often responsible for assisting organisations to develop and maintain a comprehensive and sustainable process for key business risks that might impact the achievement of objectives and performance goals, the report noted. “This requires a strong view of processes and how they interface with the company’s core management activities. Often this capability is overlooked, as organisations favour technical-oriented candidates over those with process or policy experience.”

The report also identifi ed the ability to be cool under pressure as important. “CROs must be objective, be able to call issues how they see them and, if necessary, communicate what may be a contrarian message. Successful CROs should be concise and direct under fi re in their communications,” said the report, which added that they must have the courage to speak to their convictions and not be intimidated by organisational hierarchy and position.

Soft skills for risk managers Risk managers who can demonstrate a mastery of “softer” skills are one step ahead of their peers when it comes to unlocking the door to the most senior risk management roles, according to an industry study.

It found that risk managers who set themselves apart by their sheer passion and energy for the business and its objectives, and who can navigate politically charged corporate environments, achieve the most success.

Enhanced communication skills are also crucial, with the study fi nding that risk managers must be able

to communicate relevantly, helpfully and frequently and understand how to engage with many different audiences. Doing so builds board-level commitment and secures buy-in and successfully fosters a risk management culture at all levels in the organisation.

“As in all other areas of business, true success comes from more than the technical skills. Risk managers have to deliver the full package – not just the risk management strategy, but the political nous and skill to secure high-level support for the risk agenda,” said Paul Howard, chairman of the Association of Insurance and Risk Managers, which supported the study.

Risk April 2011 11

“As in all other areas

of business, true success comes from

more than the technical

skills”Paul Howard, chairman,

Association of Insurance and Risk Managers

C over Story

Rising up through the risk ranks

Risk April 2011 13

The pathways to a senior risk management position are changing. Craig Donaldson speaks with three leaders in the fi eld about their experiences, the evolution of risk careers and what steps professionals need to take to make the CRO grade

Risk management professionals come from a variety of backgrounds. While there is no traditional career path, such

as you might fi nd with accountants or lawyers, the skill set required by senior risk managers is no less. Risk management is a fast-evolving and increasingly complex discipline that requires a broad range of skills, especially at the chief risk offi cer (CRO) level.

Jason Brown, CRO at QBE Australia, says there is no defi ned career path for the role of chief risk offi cer. In its early form, the CRO was often the CFO, risk manager or compliance manager. However, as the role

The best legal opportunitiessydney: 02 9233 7977 melbourne: 03 9938 8700 [email protected] www.nclegal.com.au

SENIOR OPERATIONAL RISK ANALYST SYDNEY�� !"#��$��%&$'(()*

RISK OFFICERNEWCASTLE+�� %&$'((,'

COMPLIANCE OFFICERSYDNEY!�� -�� /14��$�� $�� 5�� %&$'(,*,

6��%��&�� ;*'<�='((�>=>>��

THE BEST IN-HOUSE OPPORT NITIES

C over Story

Risk management job market trendsWhile there is still reasonable demand for risk management professionals, the market is defi nitely fl atter than 2010, according to Jacob Smith, associate director – risk, compliance and legal, Robert Walters. He notes that demand for anti-money laundering professionals has weakened, with Basel III on the horizon as the next potential growth area.

“Demand will be dependent on economic infl uences; that is, increased banking activity and therefore recruitment, along with new risk and regulatory obligations,” says Smith, who notes that there is still a strong focus on capital management post-GFC.

He advises risk management professionals to work on their technical understanding of their organisation’s products. “If you have a strong understanding of risk and regulation, then understanding the underlying details of the products your employer provides will allow you to address the inherent risk in the business better, and also allow you to better converse with the relevant stakeholders in the business,” he says.

Barry Maurer, director of Compliance and Risk Management Recruitment, agrees that the market is “not as dynamic as it was”. However, new qualities that are in demand include a certain level of commerciality and business/product knowledge, as well as infl uencing skills.

“They’re the qualities that are now determining who’s more successful. So it’s less about mandated risk and more about the business. The trend is towards the business valuing. The future growth in risk management is going to be created by demand from the business rather than demand from the regulator,” says Maurer.

Continued on p14

14 Risk April 2011

has evolved to become more strategic, diverse and complex, Brown says there has been an increasing tendency for the CRO to come from fi nance, legal or actuarial backgrounds.

“The exact make-up of the CRO in each organisation largely refl ects what the role entails within that particular entity and industry. In mature organisations, the CRO takes on a broad role of overseeing the enterprise risks of the business, maximising the risk and reward trade-off, as well as serving as an independent counsel to the CEO,” he says.

“It’s generally the skills and experience required for the role that determines the appointment, rather than any particular career path per se.”

James Myerscough, the acting head of risk and compliance for AMP, agrees that there is no standard career path for a CRO, saying that instead there is a range of ways people reach such a position.

Some may have an actuarial background or experience in either a particular business line or operational risk function. “As a senior risk offi cer it is important to have both the technical and business knowledge in order to fulfi l the role ade quately,” he explains.

Another key skill for this role is that of strong communicator and infl uencer. “Your

ability to persuasively interact with senior management and the board, clearly explaining complex technical issues, is vital,” he says.

“You need to be able to infl uence people and this skill can be lacking in people who have a pure technical background.

Finally, you need leadership skills. Inevitably, a CRO will be managing people and so they need to be able to inspire those people with a clear vision of the future.”

The makings of a CROWorking in a senior risk manage-ment role requires a unique blend of both personal and professional attributes. Steven Johnstone, CRO of Transpacifi c Industries, says the ability to listen and communicate across all levels of an organisation is vital.

“You have to be able to grasp and understand concepts quickly, and assess how internal controls are effectively implemented to either mitigate or manage the risks they have been put in place for,” he says.

“You must also have a willing -ness to challenge. You don’t always deliver good news, and delivering it in a manner that is non-offensive and fact driven is extremely important.”

Johnstone adds that some fi nancial training is important for the CRO role, as a lot of impacts are fi nancial and require analysis across a range of areas.

Brown believes CROs require a combination of independence, credibility, trust and communi-cation. “The role wouldn’t work effectively without any one of these characteristics,” he says.

“There needs to be enough trust within the executive team to come and talk about issues proactively, without fear of overreaction, and that trust also needs to exist between the CRO and CEO who will often have, and should have, very plain and at times robust discussions.”

Brown says there is no point in sugar-coating risk; independence is necessary in order to be able to

“You don’t always

deliver good news, and delivering it in a manner that is non-offensive and fact driven is extremely important”

Steven Johnstone, CRO, Transpacifi c Industries

C over Story

Continued from p13

Risk April 2011 15

take a holistic view of the business and not to become lost in it, as is having the resolve to identify tough issues and address them, and explore other opportunities.

“Finally, there’s credibility and integrity. These are crucial for a CRO to operate effectively within an executive team,” he says.

Challenges for the CROSenior risk management professionals face a number of unique challenges, and one factor that makes them easier to overcome is knowing what drives senior businesspeople, according to Myerscough.

“At times you see ideas ingrained in the minds of business managers that may have consequences from a risk perspective,” he explains.

The challenge is presenting a view that contrasts with a long-standing belief – something that naturally makes people uncomfortable and can become confrontational if not handled appropriately. “This is where your communication skills play an important role,” he says.

“If you understand what is important to the business managers, you can frame your perspective appropriately. But in order to do that you need to put yourself in their shoes rather than stay in your own.

“This is why it is so important in senior risk roles to have a business as well as a technical background, sandwiched between strong communication and infl uencing skills.”

According to Brown, most risk professionals will say the key challenge is embedding risk into the business. This is a little less diffi cult in an insurance environ-ment, he says, as risk is at the very core of writing insurance exposures.

“The biggest challenge is to operate in an ever-changing space that has no boundaries and that operates with signifi cant complex-ity, ambiguity and judgement,” he says.

“You must continually assess and reassess the environment and have the foresight to adapt to new and emerging risks and opportunities – which is one of the factors that make the CRO role one of such diversity and appeal. When you come to work in the morning, you never can tell what might leap out later in the

day. Accepting that as the norm makes life much easier.”

Advice and tipsIt is important for risk management professionals to understand all the potential risks a business may face in order to focus on the key ones. As such, Johnstone recommends risk professionals try to work in as many areas of risk as possible within an organisation, such as operations, health and safety, environment and fi nance. “This will give you a balanced approach to being a solid risk professional,” he says.

“Be seen as a value-add to business leaders and not just a box ticker. Solutions outside the box and an ability to analyse a vast array of risks and control environments will differentiate yourself from the others.

“The greatest opportunity I had was to work with a manager who taught me how to analyse risk and root causes effectively – get this right and you will be on your way quicker than just through the audit path.”

Brown’s advice is to learn as much about how companies operate as you can, and develop a big picture of how different parts of a business interact and connect. “Finding the right mentor can help,” he says.

Going forward, the role of the CRO is likely to require a sound understanding of complex modelling as well as human risk factors, so an interest in these areas would be appropriate, says Brown. “The role of the CRO is defi nitely one of the most interesting and challenging roles within a complex organisation, and it’s defi nitely worth pursuing,” he says.

Myerscough advises aspiring risk professionals to keep learning, take the time to step out of your comfort zone at work, and always take opportunities to raise your profi le. “Be prepared to present your work widely and take opportunities to be part of new initiatives,” he says.

It is also important to make sure you train your successor. “Firstly, it really cements your own knowledge of what you do. Secondly, it is much easier for you and the business to move you upwards and onwards if you leave a strong successor,” advises Myerscough.

C over Story

ADVANCED COMPLIANCE AND CONTINUOUS IMPROVEMENT (3 Days)

Proactively identify regulatory requirements, learn how to establish a compliance framework and discover the benefits of effectively implementing an innovation and continual improvement program into your management system when you attend SAI Global’s NEW nationally-accredited Advanced Compliance and Continuous Improvement training course.

STATEMENT OF ATTAINMENTBSBCOM601B Research compliance requirements and issues

BSBCOM603B Plan and establish compliance management systems

BSBMGT608B

Manage innovation and continuous improvement

NEW COURSE!

Can you research, plan and manage your multiple compliance requirements?

QUALIFICATIONThis course is part of the learning pathway leading

to the BSB60407 Advanced Diploma of Management

(NEW!) and the BSB60607 Advanced Diploma OHS

qualifications.

CONTACT US NOW! Call: 1300 727 444 Email: [email protected] Visit: www.saiglobal.com/riskcompliancetraining

MONITOR, MANAGE AND MAXIMISE YOUR COMPLIANCE SYSTEM TODAY!

Register for any Advanced Compliance and Continuous Improvement class before 30 June 2011 and receive 5% off* the course price when you quote the promotional code ACRM11.

OTHER TRAINING COURSES SAI Global also offers training across OHS, Environmental Management,

Food Safety & Security, IT Governance, Business Improvement, Risk Management & Compliance,

Professional Development and more!

BR

BP

B

T

t

(

q

READER DISCOUNTSAVE 5%*

*For terms and conditions visit www.saiglobal.com/ACRM11

The evolution of the risk professionRisk management has traditionally struggled to gain credibility as a profession. Compared with other disciplines such as law and accounting, risk manage-ment professionals have come from a wide range of backgrounds and are not required to undergo the same rigorous training when it comes to professional development.

In the past, some of the common career avenues into risk were via safety and engineering risk, according to Clim Pacheco, general manager of education for the Risk Management Institution of Australasia. More recently, fi nancial risk, compliance and governance are other pathways into risk, he says.

“People who have other skills in assessing risk and managing risk are now coming to the fore, so there are multiple entry points for different risk professionals. Financial risk is still looked upon as probably the measure that matters most, though risk management is more than that.”

Pacheco observes that there has been a shift towards enterprise risk management and, as such, risk management professionals need a broader skill set. “Traditionally it used to be safety risk, project risk or fi nancial risk, but now you have to consider reputational risk, fraud risk, social media risks and so on. It’s moved beyond just operational risks,” he says.

Banking on business continuity

A business continuity plan is critical in times of unforeseen crisis, as ANZ recently discovered. Craig Donaldson reports

The recent spate of natural disasters has put a renewed focus on business continuity. On a local scale, there was

the cyclone and major fl ooding in Queensland, extensive fl oods in Victoria and the bushfi res south of Perth. While regionally, the earth-quakes that struck Christchurch and Japan, along with the subsequent tsunami and nuclear disaster that country is still reeling from, means business continuity is an issue all organisations need to be concerned about.

ANZ: a strategic approach One organisation that has selectively executed its business continuity planning strategies in recent times is ANZ. As a global bank, ANZ has a robust business continuity management (BCM) program aligned to industry best practice, says senior manager of business continuity management Phil Carter, and this program includes crisis management and communication processes that undergo regular testing and modifi cation where needed.

“I would say that best practice is about continuing to learn from your experiences and making sure you continue to integrate learnings into your strategy,” says Carter. “We talk with other large organisations that are structured in a similar way to share learnings about BCM and participate in the Banking and Finance Sector Group, which hosts a meeting every quarter.”

BCM is a very important part of operating risk in any organisation, and at ANZ, says Carter, the process is fully supported by the management board and forms a signifi cant component of the bank’s annual risk certifi cation process.

“We have spent a lot of time educating all of our staff on the fundamentals of business continuity management, and also test our business continuity and crisis management strategies very regularly. Our tools have been developed to provide a consistent framework globally across ANZ,” he says, adding that

C ase Study

16 Risk April 2011

the bank has a team of dedicated BCM professionals operating across all of its geographic areas.

The plan in action ANZ’s business continuity strategies have been implemented several times over recent months, in response to the natural disasters in Australia and the region. When the earthquake struck Christchurch in February, for example, Carter says ANZ’s fi rst priority was making sure its staff and customers were safe and the bank’s New Zealand business continuity plan (BCP) was activated immediately.

“One of the things we did that was not part of our BCP plan, was to set up an ANZ staff drop-in centre where people could come and receive support, speak to colleagues and also pick up bottles of water,” he says. “This wasn’t part of our original BCP plan, but we felt it was something we needed to do to support our staff, as they didn’t have access to a lot of basics such as clean water and the internet. It was also a great way for us to keep them updated with the latest information.”

According to Carter, the Christchurch earthquake is the biggest disaster ANZ has ever faced in New Zealand, as it affected so many parts of the business. “However, with strong BCP plans in place, we were able to keep our staff and customers informed of our

operations and also get parts of our business up and running to serve our customers as quickly as possible,” he says.

But many unforeseen issues or events happen during a crisis, adds Carter. In the case of the Queensland fl oods, one of the key issues ANZ faced was maintaining customers’ ability to access funds and particularly cash. “We invoked our cash management plan and worked with our two main ATM cash replenishment companies to ensure as many ATMs as possible remained up and running.

“We maintained the fl exibility to move money between branches where necessary,” says Carter, and during the crisis ANZ also worked with other banks in the area to ensure the community as a whole had access to cash.

Guide to best practice For risk or business continuity professionals looking to develop a best practice approach to business continuity, Carter advises against reinventing the wheel. “We spend a lot of time talking with our colleagues in similarly structured organisations and also looking at best practice guides, such as those developed by the Business Continuity Institute, for guidance,” he says.

“In practice, we’ve been able to refi ne our strategies further to ensure we’re able to continue to service our customers as well as manage the safety of our staff.”

“I would say that best practice is about

continuing to learn from your experiences and

making sure you continue to integrate learnings into

your strategy”Phil Carter, senior manager of business

continuity management, ANZ

C ase Study

Risk April 2011 17

F rom the cyber attack on RSA that placed its two-factor SecurID tokens at risk, through to the breach of systems at

Epsilon, in which millions of individual email addresses were exposed, cyber attacks are becoming increasingly sophisticated.

These attacks are a clear reminder that no business or industry should believe they are not susceptible or vulnerable to a sustained attack, according to Neville Gollan, sales and marketing director for Sense of Security, an

independent provider of IT security and risk management solutions.

“There is substantial evidence that targeted security attacks are on the rise and becoming more sophisticated. In our experience, this is equally true for the private and public sectors,” says Gollan, noting that a Department of Defence spokesman recently highlighted this point and warned that Australia was experiencing

increasingly sophisticated attempts to infi ltrate networks in both the public

and private sectors.In the RSA security breach, for example,

he says social engineering was used to great effect to deliver the payload to escalate the attack. “From there the attackers used tenacity and technical expertise in equal measure to execute their objective,” he says. “In our experience, many organisations are more at risk than they believe they are.”

Gollan says there is certainly room for improvement in the way organisations adopt and implement their security management practices. For some companies, security management practices – including patch management – are a haphazard affair and not part of the company culture. “In today’s environment, this laissez-faire approach to security certainly works in favour of the attacker,” he says.

Common vulnerabilitiesTy Miller, chief technology offi cer for Pure Hacking, a security consultancy specialising in infrastructure protection and IT security management, says internal

IT Security

18 Risk April 2011

“Risk management professionals need to have the support of their

senior executives to ensure security of information assets is part of the

organisation’s culture”Neville Gollan, sales and marketing director,

Sense of Security

ITLocking down

Targeted cyber attacks are on the rise – necessitating tighter security management practices, writes Craig Donaldson

networks often have a lot of vulnerabilities, generally because there isn’t enough network segmentation done inside an organisation.

“So, for example, if I plug into a network and I have access to 5,000 different devices to start performing privilege escalation, I only have to break into one to break into other systems, and it just keeps going. That’s for internal networks,” he says.

“Your other one is web applications. There are a lot of web application attacks involving vulnerabilities that are coming out all the time. Web application tech-nologies are advancing quite quickly, so implementing security around them is generally harder.”

Another reason is that developers generally don’t have extensive security knowledge, says Miller, so when they are developing web applications, they aren’t aware that they need to explicitly protect against attacks.

Gollan also says that web-based applications continue to present many organisations with vulnerability and risk. “When you consider that web-based applications are ubiquitous in today’s business environment and that the information stored in their back-end

databases is typically sensitive or highly confi dential, it is not surprising that the business driver for the cyber criminal is compelling,” he says.

“Security needs to be embedded throughout the entire development life-cycle, and the developers need to be supported through education on secure coding standards and auditing procedures.”

Risk managementThe reality is that information security is a business issue and not an IT one, says Gollan, who notes that a security incident can negatively impact an organisation’s brand and revenue.

“Technology controls only make up part of security best practice; risk management professionals need to have the support of their senior executives to ensure the security of information assets is part of the organisation’s culture,” he says.

According to Miller, risk management often relies or focuses on compliance and standards that are absolutely necessary, but not necessarily up-to-date with the latest realistic attacks. “So risk management professionals might not be focusing on the low hanging fruit that internal attackers might go after,” he says.

IT Security

Risk April 2011 19

Five steps to IT security1. Perform an information risk assessment to establish

how information assets are used by the business, employees, customers and third-party suppliers. This will establish a risk profi le for the business and guide the development of practical information security.

2. Develop an information security management framework to oversee security across the enterprise. Support this with integrated security management practices.

3. Follow the rule of least privilege when assigning access rights to all staff, including security administrators.

4. Educate your staff on information security and acceptable use of the company’s IT assets. Remember, social engineering is real and your employees need to understand the important role that they play in keeping the company’s information assets secure.

5. Embed security principles into all information technology projects, and do it at the design stage.

Source: Sense of Security

www.sopac.org.au

This year IIA-Australia held SOPAC® 2011 in Melbourne and

are proud to say that the SOPAC® conference was a huge

success with over 800 participants. This year SOPAC® had

great speakers, terrific content and challenged internal

auditors in effectively managing emerging risks and meeting

tighter compliance requirements. IIA-Australia also believes

that this year’s program has delivered practical solutions on

how your audit functions can add organisational value.

Next year, SOPAC® will be held in Sydney where the first

chapter was established 60 years ago in 1952. With 2012 also

being the Jubilee Year of IIA-Australia, what better place to

celebrate.

We look forward to seeing you at our diamond jubilee.

Pre-conference registrations now open.

Book now and pay by 30 September 2011 and SAVE!

Q&A with… Q&A with… Eamonn Cunningham, Eamonn Cunningham,

R isk People

20 Risk April 2011

Eamonn Cunningham has been a key driver of Westfi eld’s risk management function. He talks to Benjamin Nice about risk ownership and the need for common sense.

Describe your role at Westfield.My role at Westfi eld Group is chief risk offi cer. I am responsible for making sure that there is an appropriate degree of awareness in all matters of risk throughout the global group on as consistent a basis as possible.

How did your career in risk management come about? I joined Westfi eld from a large accounting fi rm, where I worked as a chartered accountant. I came into the group as the internal audit manager, a position I held for about 18 months. At that stage I became involved in the administrative side of the business and was also the fi nancial controller for one of the property trusts for a period of time. Within the administrative role was the procurement responsibility of insurance and the more I looked at that and what it was trying to do, the more I thought we could do better. So, over time I took Westfi eld – and Westfi eld took me – on a journey through which we evolved our risk management function as we know it today.

How does your role fit into the overall structure of Westfield? Risk management, and indeed the role of chief risk offi cer, is not the replacement of the existing management structure within the business. Some commentators out there think that somehow, in 2011, there’s this requirement to put a chief risk offi cer in place that effectively replaces operations management or senior management. That’s not the way Westfi eld sees it, and that’s certainly not the way I see it.

chief risk officer officer, chief risk officer officer, Westfield GroupWestfield Group

R isk People

Risk April 2011 21

There is a lot of talk about “integrated risk management” at the moment. In light of this, how do you get line managers and the business to own their risk, rather than leaving it to the risk management function?In the risk management space, there’s one fundamental principle that our department constantly hammers home to the business. This is the notion that risk is owned by the business and by the department heads – risk is not owned by the risk management department. We don’t manage risk per se; we introduce into the b usiness a framework through which you identify and assess and then mitigate or control, or sometimes simply accept, the risk in the business. It’s not always about just stopping things from happening.

What is Westfield’s risk philosophy?We are opportunistic, but in a very disciplined way. People will often see us doing this or doing that, but what they don’t see is all the effort put in in-house going over the numbers, checking the what-ifs to make sure that we’ve looked at all the scenarios and fi gured out what could come to pass. It’s an approach that is absolutely consistent with some of the core principles within the company, such as attention to detail – you have to know your numbers backwards.

So, do you think there is some confusion over what risk management should include in some organisations?There must be clarity within businesses as to where the risk management function stops and where the internal audit function of the business starts. Within Westfi eld, we had a really good discussion about that many years ago and there is absolute clarity. In other organisations, I see people clambering for the risk management high ground and there is probably a lot of energy wasted on dealing with that. This is further complicated by other departments that put risk and other functions under the one umbrella, which is dangerous because, then, risk people are sometimes seen as the policeman.

What element of your role do you find most challenging?It’s the aspect of the risk that’s coming over the horizon that we may not have focused on. The challenges are: what is there out there in this ever-changing external landscape and, to a lesser extent, what is the changing internal landscape like in terms of what we are doing and the risks that we expose ourselves to. I constantly remind people that risk is not really a bad thing. Risk triggers reward, but you’ve just got to get the balance right.

What advice would you give to somebody starting out in risk management who aspires to make it to the top?Don’t just focus on technical knowledge, because it’s not as if you’re going into a specialised area such as law, where it’s only important for you to learn about the law.

If you want to be successful in the risk management industry, you need a healthy dose of common sense and, more particularly, your personal skill set is absolutely vital. Someone suggested that it’s even more important to get the personal skill set right than the technical skill set.

Risk management is about infl uencing the business and developing awareness. If you can’t sell your message or get your audience to switch on to the message, then you’ve failed. So, you need to be passionate, you need common sense and you need to speak the language of the people you are dealing with.

What do you see as the key future trends in risk management?The key trends are in and around getting greater recognition for this part of the business as a form of practice, as opposed to just looking at the risk dimension of the role. What I mean by that is the way that the risk function is regarded and that what is said is listened to, as opposed to tapping the risk management function on the shoulder in the event of a crisis and only responding to events, or simply asking them to arrange issues such as insurance. Risk needs to be recognised as a fully fl edged discipline within the corporate business ... just like other elements of management. Generally speaking, I think it’s still got a little distance to go in terms of earning its spurs.

“In other organisations, I see people clambering for the risk management high

ground and there is probably a lot of energy wasted on

dealing with that”

Given the recent natural disasters in the Asia-Pacific region, how does Westfield cope with the increasing threat posed by such risks? Westfi eld was incredibly fortunate in Queensland in relation to the fl ood activity. Our centres were located in areas that weren’t as badly impacted as other parts of Queensland, especially Brisbane. Most of our centres are in and around the Gold Coast area or metro Brisbane. I think it’s fair to say that some of the foresight that we had in the past helped us. On one occasion, we incurred considerable cost to one of our centres. As a result of this, we identifi ed certain fl ood-related issues and put in fl ood mitigation measures, which helped us this time around.

In New Zealand, we have a shopping mall in Christchurch and it has borne the brunt of two earthquakes. When we look back at our response, the property damage was absolutely minimal, and there was no personal injury involved. But in true Westfi eld fashion, we always do a self-examination and look at what lessons we learnt from each situation.

How does working within Westfield’s risk team differ to other organisations or companies that you know of?In terms of discussions I’ve had with peers, one of the key aspects is the title of the role of chief risk offi cer. In some organisations you will ask a person what their title is and they will say, ‘I’m the chief risk offi cer’, even though their primary responsibility is to purchase insurance. Perhaps they should more properly describe themselves as an insurance manager. It’s a matter of getting it right. Some risk managers I talk to feel the tyranny of having to deal with internal confl icts in and around the risk space. Fortunately, I don’t have those concerns here.

Preparing for the worst

Earthquakes and tsunamis on the scale Japan has recently experienced are rare – but they do happen. And, according to experts, Australian businesses can’t afford to be complacent about the possibility of natural disasters closer to home

A s Japan reels from a major earthquake and tsunami and struggles to contain a nuclear disaster, subsequent media

coverage has highlighted the reality that major natural disasters do occur and can often have a devastating impact.

According to experts, the Japanese disaster has many Australian organisations considering the likelihood and potential implications of natural disasters closer to home.

Clive Collins, senior seismologist at Geoscience Australia, a Federal Government agency that monitors, analyses and alerts for potentially tsunamigenic earthquakes, says the earthquake hazard in Australia is different to that in countries such as New Zealand and Japan.

Australia is located within the interior of the Indo-Australian tectonic plate, explains Collins, while New Zealand and Japan lie along the boundary between the Pacifi c and Indo-Australian plates, where movement and interaction between the plates can cause large earthquakes.

“There are far fewer earthquakes within the interiors of plates, but their locations are not as well defi ned, as they are not restricted to the major boundary faults. The return periods between large earthquakes are also very long, so there is often no historical record on which to base a hazard assessment,” he explains.

It is for this reason, he says, that defi ning the earthquake hazard in intra-plate regions such as Australia poses special challenges. “There have been over 20 earthquakes in Australia with a magnitude greater than six since records began, and there is evidence preserved in the landscape of many more.”

Western Australia has had the highest number of large earthquakes, including a magnitude 7.2 in 1941. The other main areas of activity are the Flinders and Mount Lofty ranges in South Australia, and a broad area of eastern Australia from Tasmania to the Hunter Valley in NSW. However, Collins says

no area of Australia is immune from earthquakes.

Professor James Goff and Associate Professor Dale Dominey-Howes, who head the Australian Tsunami Research Centre at the University of NSW, agree that the risk of earthquake and tsunami is lower in Australia, but they underscore that Australian businesses cannot afford to be complacent about such risks.

“How well prepared is Australia for something like the tsunami that hit Japan? The straight answer is, we’re not,” says Dominey-Howes. “If a similar event struck Australia, we’d be in serious trouble.

“While Australia is better prepared than we were fi ve years ago, we’ve still got some way to go. For example, we have an early warning system in place now, which is great for regional distant tsunamis, but is of no use whatsoever for locally generated ones.”

If part of the continental shelf collapsed, an underwater landslide triggering a local tsunami would hit the coast within about fi ve minutes and “there’d be no warning at all”, says Dominey-Howes. “So the authorities would be unable to issue early warning messages and, of course, local

areas would be unable to effect any kind of evacuation.”

Both Dominey-Howes and Goff believe that it is important to put major natural disasters into context and to understand what risks are unique to Australia. If Cyclone Yasi, for example, had made direct landfall over either Townsville or Cairns, Dominey-Howes says there would be much more discussion about the impact of such a severe cyclone on a major urban centre.

“The fact the cyclone affected a relatively sparsely populated area means we got away by a hair’s whisker from quite a catastrophic event,” he says.

Goff says the Japanese event has clearly “woken a few people up” and there is an increased amount of interest in knowing the risks of similar disasters.

“Clearly, if you’ve got coastal infrastructure sitting on the north-west coast of Australia, then you’re going to be a lot more interested in the potential risk of tsunamis than if you’ve got a cattle station in the middle of Alice Springs,” he says.

Major tsunamis in the Asia-Pacifi c aren’t exactly a rare event, says Goff, who points to the 2004 Indian Ocean earthquake and tsunami that killed more than 230,000 people in 14 countries.

“How well prepared is Australia for something

like the tsunami that hit Japan?

The straight answer is, we’re not”

Dale Dominey-Howes, co-director, Australian

Tsunami Research Centre, UNSW

C risis Management

22 Risk April 2011

“These events are happening. They have happened in the past and they will happen in the future,” he says.

“But ask a bunch of risk managers about the likelihood of an event that would have led to what’s currently happening in Japan and, of course, everyone would’ve said, ‘Bugger all’. In my reading of things, these kinds of events are indeed

extreme and rare, but we cannot afford to be complacent.”

In the event of a tsunamiThe Australian Government hosts the Joint Australian Tsunami Warning Centre (JATWC), which is operated 24 hours a day, seven days a week by Geoscience Australia and the Bureau of Meteorology. Geoscience Australia monitors, analyses and alerts for potentially

tsunamigenic earthquakes, while the Bureau of Meteorology monitors sea-level variations after the alerted earthquake and provides tsunami warnings for Australia, with a chosen threat level based on pre-computed tsunami propagation models, explains Collins.

These warnings are disseminated to emergency managers, harbour masters, the media and the public, and trigger action at a local level depending on the level of threat, which may include the use of the Emergency Alert SMS and telephone call system. Collins says tsunami warnings from the JATWC are typically published within 20 minutes after the initial rupture of the earthquake.

“The need for the many mitigation strategies adopted by Japan, such as high seawalls and community drills, are not likely to ever be necessary in Australia, as there are no offshore subduction zones creating a near-fi eld tsunami threat,” he says.

C risis Management

Risk April 2011 23

The rma is the premier association forfinancial risk management professionals

Dedicated to advancing the use of sound risk principles in an enterprise approach

to risk management, the RMA exists to benefit professionals and institutions

engaged in Operation, Credit, Market and Compliance Risk.

Through an array of event programs and educational resources, the RMA aims to further the ability

of its members to identify, assess and manage the impacts of risks on their businesses and customers.

The RMA provides an independant forum for: thought leadership; the promotion of industry best

practise; an awareness of market trends and developments; endorsement of ethical standards and

professional conduct; recognition for financial risk management professionals.

RMA Australia represents members at a national level and its initiatives reach over 1,500 individual

members and risk related practitioners across the financial services market.

Globally the RMA represents 3,000 institutions and has over 18,000 individual members in the US,

Canada, UK, Hong Kong, Singapore, and Australia.

CREDIT RISK OPERATIONAL RISK MARKET RISK COMPLIANCE RISK

RMA Australia, PO Box 576, Crows Nest NSW 1585

Tel: 02 9431 8689 Email: [email protected]

For more information on the

benefits of RMA membership

www.rmaaustralia.org

Online resourcesThe following sites provide advice about tsunamis and how to prepare for them:

Emergency Management in Australia – Attorney-General’s Departmentwww.ema.gov.au, then click on Publications

International Tsunami Information Centrehttp://itic.ioc-unesco.org

Intergovernmental Oceanographic Commission Tsunami Programmewww.ioc-tsunami.org

O HS Roundup

24 Risk April 2011

WHILE companies can put any number of safety policies in place, “it’s all rubbish” without a strong organisational culture of safety, according to Ross Hughes, CFO of Western Australia’s Water Corporation.

In building such a culture within The Water Corporation, he said leadership has been an important focus.

“We all have different approaches to risk, our own safety, how to manage effectively, what constitutes ‘safe’, et cetera,” said Hughes.

“So our journey has been on the leadership side as much as anything – especially honouring those who make a difference in safety, even if it means our core service work must be stopped for a time during an incident to ensure utmost safety.”

Hughes also says it’s important to learn from each other and respect each other on this journey.

“We all have incredibly diverse and valuable skills and backgrounds, but don’t always listen to each other as we charge down tunnels we call our mandates,” he said. “A fundamental for me as CFO and the leader of

our risk and governance activity as well, is that not all risks can be eliminated and not all risks can be funded at the same time. Like all business activities, safety is always a balance, focused on protecting, rewarding and fulfi lling our people as best we can.”

Hughes said he has a good understanding of the Water Corporation’s safety objectives, and in working with the organisation’s OHS manager,

Cathy Grasso, she appreciates under-standing the language of executive and fi nance better.

“I hope my colleague has benefi ted from a greater appreciation for what issues are critical to the CFO, top management and the board [as well as] how safety is not the only risk that needs to be funded and how to develop key risk mitigations better.”

Hughes believes it’s important that the OHS manager builds personal respectful dialogues with all general managers and, similarly, that CFOs take the time to sit down with risk, OHS and other managers to do the same.

THE impact on mental health of a badly paid, poorly supported, or short-term job can be as harmful as no job at all, according to a recent research report.

Because being in work is associated with better mental health than unemployment, government policies have tended to focus on the risks posed by joblessness, without necessarily considering the impact the quality of a job may have, according to the report authors.

Published online in Occupational and Environmental Medicine, the research report, The psychosocial quality of work determines whether employment has benefi ts for mental health: results from a longitudinal national household panel survey, is based on a survey of 7,155 people of working age in Australia.

If in work, the “psychosocial” quality of their job was graded according to measures relating to demands and complexity, level of control and perceived job security, while respondents were also asked if they felt they received a fair wage for the work they did.

The research showed that those who were unemployed had poorer mental health overall than those in work. It also indicated that employ-ment is associated with better physical and mental health, and the mental health of those out of work tends to improve when they fi nd a job, according to the report from the Australian National University’s Centre

for Mental Health, National Centre for Epidemiology and Population Health and the Australian Demographic & Social Research Institute.

But after taking into account a range of factors with the potential to infl uence the results, such as educational attainment and marital status, the mental health of those who were jobless was comparable to, or often better than, that of people in poor-quality jobs.

Those in the poorest-quality jobs experienced the sharpest decline in mental health over time, and there was a direct linear association between the number of unfavourable working conditions experienced and mental health.

The research also found that the health benefi ts of fi nding a job after a period of being out of work depended on the quality of the position.

RIO TINTO reduced its all injury frequency rate (AIFR) by almost 20 per cent in 2010, due to an increased focus on risk management, compliance and continuous improvement, according to the company’s 2010 annual report.

Rio Tinto measures its progress toward its goal of zero injuries through an AIFR (which includes data for employees and contractors) per 200,000 hours worked.

At the end of 2010, the AIFR was 0.66 – an improvement of 18 per cent over 2009 – while the lost time injury frequency rate also improved to 0.36 per 200,000 hours worked in 2010.

“We use signifi cant potential incident reporting and remedial action closure measures to promote identifi cation, investigation, management and sharing of lessons learnt from minor

and near-miss events with potentially fatal consequences,” said the report, which added that these metrics are linked to remuneration.

Higher-consequence, lower-frequency safety events are managed

through targeted process safety reviews and the use of a semi-quantitative risk assessment (SQRA) process and, according to the report, the risk reduction resulting from the SQRA process is used as a group-

wide leading indicator for safety performance. To drive improved performance at sites with the most injuries or persistent and signifi cant safety challenges, Rio Tinto has also developed a site safety acceleration process.

“The process is built on the principles of diagnosing the root causes of poor safety performance and, through the engagement of leaders and employees, developing site-specifi c practical interventions that lead to sustainable safety improvements,” said the report.

The company has also established a framework that defi nes its expectations and the processes to assure implementation of systems and standards during the development of major projects, the report noted.

Converting executives to safety Bad jobs harmful to mental health

Rio Tinto cuts injury frequency rate by 18 per cent

B ook Review

Risk April 2011 25

Compliance and Risk roles – Australia

taylorroot.com.au

THE SR GROUP . BREWER MORRIS . CARTER MURRAY . FRAZER JONES . PARKER WELLS . SR SEARCH . TAYLOR ROOT LONDON . DUBAI . HONG KONG . SINGAPORE . SYDNEY . MELBOURNE

Compliance Manager MelbourneSpecialist funds manager seeks an experienced compliance and operational risk professional to manage identifi ed departments and key business relationships. Funds management background preferred. Competitive salary and excellent career prospects on offer. $125,000

Senior Compliance Manager Asia PacGlobal fi nancial services organisation seeks a senior compliance manager for its investment banking division to develop compliance strategies and solutions. We are seeking strong regulatory experience and regional exposure would be preferable. $Market rate

Compliance Analyst, AVP Sydney Global consumer banking business seeks a compliance offi cer for the wealth group. You will manage all regulatory and policy obligations and provide advice on products, marketing materials and reputational risk. The ideal candidate will have a background in retail banking. c.$150,000

To discuss Compliance and Risk roles, please contact Amanda Atherton in Sydney on +61 (0)2 9236 9000, Neil Williams in Melbourne on +61 (0)3 8610 8400 or email [email protected] or [email protected]

The Failure of Risk Management: Why It’s Broken and How to Fix ItDouglas W. Hubbard, John Wiley & Sons

W ith dark clouds and lightning strikes illustrating the front cover, Douglas W.

Hubbard’s book looks more like a horror story than a guide to risk management.

But while the image of the gathering storm is ominous, it is what’s inside the book that will unnerve even the most confi dent of risk management professionals.

Slamming best practice as “ineffective risk management methods” that are “passed from company to company like a bad virus with a long incubation period”, Hubbard does not mince his words, and packs a punch when it comes to areas of bad practice.

Hubbard argues that “if risks cannot be appropriately evaluated, then risk management itself becomes the biggest risk”, and backs it up by

using real examples to reveal areas of concern in current approaches to the subject of risk.

After treating readers to a brief insight into the history of risk management, Hubbard then breaks down the key methods that should be employed when assessing risk:

• Expert intuition – the “gut feeling” • Expert audit – involves processes

such as checklists and also uses stratifi cation methods

• Simple stratifi cation methods – colour-code/point-scale ratings used to assess likelihood of risk

• Weighted scores – more elaborate scoring methods with numerous risk indicators that can be added up to a “weighted risk score”

• Traditional fi nancial analysis – taking into account aspects such as best- and worst-case scenarios

• Calculus of preferences – these techniques are based on expert judgements and the consistencies of these judgements

• Probabilistic models – the most sophisticated method of assessing risk, looking at probabilities and the “odds” by taking into account both quantitative and qualitative information

Mastermind of “applied information economics” and author of the best-selling How to Measure Anything: Finding the Value of Intangibles in Business, Hubbard’s style is interesting and enjoyable, while the book is easy to navigate and is broken down into three main sections: An introduction to the crisis; Why it’s broken; and How to fi x it.

Covering a wide variety of topics, Hubbard challenges conventional wisdom by pinpointing, in particular, the shortcomings of risk management approaches commonly advocated by project management methodologies, and then offers alternative solutions.

The Failure of Risk Management is a timely and relevant read that offers valuable insights to all managers, analysts and practitioners responsible for mitigating risk.

R isky Business

26 Risk April 2011

A look at the months alternative risk stories

Sorry, you gave who a bonus for safety?

Retail investors might not be the brightest bunch after all.

It turns out that a number of investors have gotten themselves all mixed up and in a daze because their prospectuses contained too many photos on the front cover.

In an effort to spoon-feed the professionals, the Australian Securities and Investments Commission wants to scrap unnecessary images or marketing messages on the front cover of these company documents to avoid any further confusion.

The proposed overhaul of the current format would aim to make the literature more serious, and would also limit each front cover to one main issue or message – just in case two or three topics were too much for the readers to handle.

The changes would also include a focus on producing clear, concise and effective content, and reducing the length of prospectuses where possible.

So let’s get this straight: simplify, reduce the length, scrap confusing pictures and only include one message on the front cover?

Risky Business would like to know if people should be investing, or indeed reading at all.

2010 certainly won’t go down in BP’s history as one of its better years, after leaking 775 million litres of oil into the Gulf of Mexico … still, an accident is only an accident, right?

Well, the company that owned the BP drilling platform that caused the infamous disaster certainly seems

to think so, and appears to have let by-gones be bygones.

Describing 2010 as the company’s “best year” for safety, Transocean this month gave its executives pay rises, bonuses and stock options, and a good deal of back-slapping and self-

congratulation for good measure. After all, only nine of the 11

people killed in the explosion on the Deepwater Horizon platform were

Transocean employees, and a further insignifi cant 17 were injured. No biggie, then. Oh, apart from the devastated shorelines, the immeasur-

able damage to wildlife and the effect the leak had on the area’s already struggling tourist industry.

Not a bad year’s work, hey? Let’s hope 2011 is as successful and safe!

Risk Business Directory

www.riskmanagementmagazine.com.au/Directory/Compliance-Risk-Software

ve risk storrrrrriiiiiiiiiiiiiiiiiiiiiiiiiiiiieeeeeeeeeeeeeeeeeeees

nned

onals, Commissionarketing

mpany documents

ormat would aim told also limit each – just in case two ors to handle. s on producing

educing the length

e the length, one message

eople should

Photos too confusing for investors

risk management april 2011

Documents

risk ownership

worstrisky business

risk ranksfeatures

risk4 risk

craig donaldson risk

evolution of risk careers

business continuity

business continuity