April 2011 Issue 84
CRISIS MANAGEMENT: Earthquakes and tsunamis: what’s the risk for Australia?
IT SECURITY: Locking down technology
BUSINESS CONTINUITY: ANZ case study
WHAT MAKES A GOOD CRO?
Rising up through the risk ranks: why there’s no set path to the CRO’s chair
RISK PEOPLE: Westfield’s Eamonn Cunningham on risk ownership and the need for common sense
Contents

CAREERS IN RISK
12 COVER STORY
The pathways to a senior risk management position are changing. Craig Donaldson speaks with three leaders in the field about their experiences, the evolution of risk careers and what steps professionals need to take to make the CRO grade
FEATURES AND REPORTS
Risk people: Eamonn Cunningham
Banking on business continuity
As a key driver of Westfield Group’s risk management function, Eamonn Cunningham talks to Benjamin Nice about role clarity, risk ownership and the need for common sense.
A business continuity plan is critical in times of unforeseen crisis, as ANZ recently discovered. Craig Donaldson reports
Locking down IT security
Targeted cyber attacks are on the rise – necessitating tighter security management practices, writes Craig Donaldson
REGULARS
05 Editorial note
06 News review
10 News report
24 OHS roundup
25 Book review
PREPARING FOR THE WORST
Australasian Business Continuity Summit 2011, Sofitel Sydney Wentworth Hotel, 8–10 June 2011
The Australasian Business Continuity Summit 2011 is the only business continuity conference in Australia. The Summit is planned by subject matter experts to combine diverse presenters and topical subjects into a program that addresses contemporary issues for practitioners of business continuity and related disciplines. The Summit combines two conference days, Wednesday 8th and Thursday 9th June, followed by workshops on Friday 10th June. For more information please contact:
T +61 2 9415 4180 F +61 2 9411 8585 E email@example.com VISIT www.continuity.net.au www.thebci.org.au
Risk April 2011 3
From the editor
Sarah O’Carroll, Editor
Google Analytics versus readership survey

Recently I attended a discussion at Sydney University, where a group of editors came together to discuss what the future holds for magazine editing, including the implications of new technologies and metrics. One of the points made was whether editors should go with their gut instinct on which stories to cover, or whether they should rely on online data such as Google Analytics and online surveys, which tell them what content readers are clicking on. It’s a tough one. From our experience here at Risk Management magazine, results are conflicting. We conducted a readership survey in November, for example, asking readers what they wanted to read about and providing options such as business continuity, crisis management, compliance, insurance and internal audit. One option, which I thought would have scored higher than it did, was “risk careers”: how interested people are in reading about careers in risk management, what it takes to be successful in risk, the job market and, essentially, how to get to the top of the game. However, according to the responses from readers, it was one of the least popular options. But Google Analytics tells a different story. We send out weekly newsletters and track quite meticulously what stories readers are clicking on every week. The most clicked-on stories this year have been career-related – how to get to the top job and what it takes to make a good CRO, for example. These rated higher than stories on the BP disaster, Toyota’s recall lessons, compliance and secrets to best practice governance.

So in this issue, I’ve decided to go with my gut instinct – with a little help from Google Analytics – and devote our cover to risk careers and what it takes to make it to the CRO position. In our cover story we speak to chief risk officers about their experience, the evolution of careers in risk management and what steps risk professionals need to take to make the chief risk officer grade. If I’m off the mark, let me know … but hopefully it has been a calculated risk to look at how Australian risk managers can get to the next level and continue to bring the profession into the spotlight.

“Having internal audit report to independent board audit committees gave the internal audit profession such a kick up the backside that it caused generational change in the entire profession” Todd Davies, see Comment on page 8

What’s your take on this quote? To have your say, write to the editor at firstname.lastname@example.org. Best comments will be published in the May issue of Risk.
About us
Editor: Sarah O’Carroll. Journalist: Ben Nice. Contributor: Craig Donaldson. Designer: Ken McLaren. Publisher: Fiona Marcar. Design Manager: Anthony Vandenberg. Production Manager: Kirsten Wissel.
CAB member since December 2005
Subscribe today: Risk Magazine is published monthly and is available by subscription. Please email: email@example.com. All subscription payments should be sent to: Locked Bag 2333, Chatswood D/C, Chatswood, NSW 2067
Advertising enquiries: Marika Biro – (08) 8371 5800, firstname.lastname@example.org. Editorial enquiries: All mail for the editorial department should be sent to: Risk Magazine, Level 1 Tower 2, 475 Victoria Ave, Chatswood, NSW 2067
Copyright is reserved throughout. No part of this publication may be reproduced without the express written permission of the publisher. Contributions are invited, but copies of all work should be kept as Risk Magazine can accept no responsibility for loss. Risk Magazine and LexisNexis are divisions of Reed International Books Australia Pty Limited, ACN 001 002 357, Level 1 Tower 2, 475 Victoria Ave, Chatswood, NSW 2067, tel (02) 9422 2203, fax (02) 9422 2946. ISSN 1833-5209. Important Privacy Notice: You have both a right of access to the personal information we hold about you and a right to ask us to correct it if it is inaccurate or out of date. Please direct any queries to: The Privacy Officer, LexisNexis Australia, or email to email@example.com. © 2009 Reed International Books Australia Pty Ltd (ABN 70 001 002 357) trading as LexisNexis. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., and used under license.
News Review

Boards struggle with fraud risk management
One of the common features of many recent frauds appears to be that senior management had a poor understanding of their organisation’s fraud risks, according to an expert in the area. “One would have thought that with all the focus on risk management, by now executive board members of such organisations would be fully apprised of their fraud risks and be managing them in a consistent and efficient manner,” said Martin Samociuk, founder of consulting firm Hibis Group, which specialises in fraud risk management. “Unfortunately, experience has shown that it is all too common to find that there is a poor understanding of fraud risks at the board level.”

Samociuk said most organisations assign the responsibility for fraud risk management to business line managers who assess the risks together with all other operational risks. However, these managers are usually so overburdened with operational risk and audit requirements, which focus on systems and processes and evaluating the effectiveness of controls, that they lose sight of the fact that people commit fraud. “This can usually be seen in the fraud risk assessment, which contains a list of what managers assess as fraud risks when, in fact, they are just describing methods of fraud,” he said. “The confusion arises because the organisation has not defined the term ‘fraud risk’, so managers flounder trying to figure out what it is they are supposed to be assessing.” Samociuk, who has written a number of books on fraud risk management, said it is unfair and impractical to ask managers to assess fraud risks when they don’t know what a fraud risk is and have no knowledge of the methods that a fraudster might use. “It is like asking a doctor to diagnose a patient without any training,” he said. “Given the different nature of fraud risks compared with other risks, such as credit and market risks or risks resulting from accidental occurrences, fraud risks should be assessed independently of the general risk assessment process.”

Samociuk said a vital element prior to conducting an assessment is to provide adequate resources and training to business line managers so that they understand how fraudsters work and how they seek to bypass controls. That way, the managers will have a reasonable chance of assessing fraud risks and whether or not existing controls are effective. “An increasing number of financial institutions have realised such resources and training have to be provided by fraud prevention professionals rather than by operational risk personnel,” he said.

“Experience has shown that it is all too common to find that there is a poor understanding of fraud risks at the board level” Martin Samociuk, founder, Hibis Group

Devil’s in cloud-sourcing contract details
Organisations considering a shift to cloud sourcing should carefully assess the risks associated with cloud-sourcing contracts, according to a recent Gartner report, Four Risky Issues When Contracting for Cloud Services. Such contracts are not mature for all markets, and areas such as data-handling policies and procedures can have a negative impact on a business case, potentially creating compliance issues and cost increases and leading to the need for specific risk mitigation activities. A second common risk in cloud-sourcing contracts is that terms generally favour the vendor. Organisations need to understand that they are one of many customers and that contract customisation breaks the model of industrialised service delivery, said the report. To manage cloud-services contracts successfully, it said, organisations need to manage user expectations. “It’s essential that organisations planning to contract for cloud services do a deep risk analysis on the impact and probability of their risks, and they should also plan mitigation for the most critical issues,” said Alexa Bona, research vice-president at Gartner. “This might cost additional money, but it is worth the effort. Risk should be continuously evaluated, because contracts can change – sometimes without notification.”

A third common risk in cloud-sourcing contracts is that they can be opaque and easily changed. Contracts from cloud-service providers are not long documents, yet the report noted that certain details are critical to the quality of service and the price: SLAs for uptime or performance, service and support terms, and even the description of the core functionality of the offering. Organisations need to ensure that they understand the complete structure of their cloud-sourcing contract, including the terms detailed outside of the main contract. A fourth risk is that cloud-sourcing contracts do not have clear service commitments; the report noted that cloud-service providers usually limit their area of responsibility to what is in their own network, as they cannot control the public network. When deciding whether to invest in cloud offerings, Gartner said buyers should understand what they can do if the service fails or performs badly. “Cloud-service providers will need to address these structural shortcomings to achieve wider acceptance of their standard contracts and to benefit from the economies of scale that come with that acceptance,” said Frank Ridder, research vice-president at Gartner. “CIOs and sourcing executives have a duty to understand key areas of risk for their organisations.”
$600m government fraud bill highlights need for control
Fraud cost the Federal Government nearly $600 million in 2008/09, with more than 800,000 incidents of fraud recorded by Centrelink, Customs and other government departments. A government report found that the cost of welfare fraud rose 10 per cent to $489 million, with more than 700,000 incidents of social security fraud reported. In addition, more than 160 public servants misused or stole government credit cards, with $1.85 million in internal fraud attributed to dishonest public servants. The report, prepared by the Australian Institute of Criminology, found that just $139 million, or 23 per cent, of the stolen money was recovered. New government programs were also subject to fraud, according to the report. The Home Insulation Program, introduced in February 2009, was plagued by non-compliance in relation to approximately 25,000 claims made for work performed under the program. The Building the Education Revolution program was also subject to fraud, with 103 complaints made about the initiative. “These recent examples of fraud and waste in connection with large-scale government programs reinforce the need for fraud control and risk management procedures to be actively enforced within government agencies,” said the report. “Where large-scale new programs are to be introduced, internal controls and risk management policies need to be reviewed in order to ensure that fraud risks are avoided. When fraud does occur, there are many avenues of response that may be followed – some obligatory under official policies and laws, and others optional depending on the scale and circumstances of the offence.” Often, however, the report found that fraud is not reported officially and sometimes repeat victimisation occurs – on occasion, by the same offender against the same individual or organisation.
Internal audit: coming to grips with risk management
Risk management is a top priority for board members and executives, making it vital for internal auditors to increase their focus in this area, particularly the identification of potential future risks as well as risks tied to the business strategy, recent research has revealed. However, even as risk management consumes more of internal auditors’ time, the survey of more than 600 participants from around the world – including chief audit executives, internal audit directors and managers from public, private and non-profit organisations – found they still don’t feel prepared to meet increased demands. Conducted by Protiviti, the survey found that the areas in most need of improvement with regard to risk management and governance processes were understanding emerging risks and evaluating and changing risk appetite levels. Gary Anderson, managing director of Protiviti and board director of the Institute of Internal Auditors (IIA) Australia, said many companies are still struggling with how to identify emerging risks in the context of their business models. “I think auditors, along with management, are fairly challenged in this area,” he said. “When it comes to defining appetite for risk, many organisations are only at the very rudimentary stage of trying to quantify and describe this. Similarly, audit is still at a fairly rudimentary level in assessing the robustness of how that’s put together.”

Anderson believes internal auditors need to stay very close to management and challenge and support management in understanding what the emerging risks are for the business. “They have to explore different ways of providing assurance to the board and executive management on how those risks are addressed,” he said. “That does require reaching out to other colleagues, researching what other industry participants are doing, and being prepared to engage widely and apply some deep thought to your own situation.” The Protiviti research also revealed that building expertise in technology-enabled auditing, including continuous auditing and computer-assisted audit tools, remains a top priority for internal audit professionals. This is particularly relevant for internal audit professionals in Australia, according to Anderson. “The profession has really struggled for many years now to build a sustainable base of IT skills in the internal audit area,” he said. Bob Hirth, executive vice-president and head of global internal audit for Protiviti, said developing expertise and successfully implementing automated auditing tools and processes will enable internal auditors to focus on higher-level initiatives such as emerging risks. These include new regulation, changes in the business model, changes in industry dynamics, and industry competition, said Hirth, as well as risks tied to the company’s strategy. The survey showed that, with regard to “soft” skills, dealing with confrontation and public speaking were rated as the two areas in most need of improvement for internal auditors. These skills have ranked among the top areas for development for the past three years, indicating that internal auditors are assuming more strategic roles and working closely with most departments in their organisations. “A strong internal audit function is critical to operating successfully and maintaining a state of effective internal control in a heightened regulatory and risk management environment,” said Hirth.

“When it comes to defining appetite for risk, many organisations are only at the very rudimentary stage of trying to quantify and describe this” Gary Anderson, managing director, Protiviti, and board director, IIA
Specialist skills needed for GRC future
There will be an increased need for specialists in governance, risk and compliance (GRC) in coming years, with no one profession owning the space, according to Bryan Whitefield, director of Risk Management Partners. The GRC leader of the future will come from any one of a range of management or professional disciplines, with a personal bent towards their professional background, he said. To be across the discipline of GRC “you would need to be someone with an MBA on steroids”, he said. “You need to understand strategy, finance, safety, project and change management, organisational behaviour as well as having a great understanding of the business you’re in. On top of that, you need to show strong leadership across all of them.” Whitefield advises leaders in the GRC space to manage their own personal bent and ensure they give all aspects of the challenge adequate weighting. “By all means, build your skills in various areas or pursue something broad like an MBA. The more you know, the more you will learn the more you don’t know, nor could possibly know in one lifetime,” he said. “Organisations have risen and fallen on the back of some very bright ideas by a few special people with unique skills. Imagine how hard it would be to know what they know and complement their skills along the way, so the organisation only has the rise and avoids the fall. Inevitably you will need to supplement your skills with those from other specialist disciplines.”

Whitefield recommends resisting the segregation of governance, risk and compliance. “They are integral parts,” he said. “If you don’t believe me, have a look at the ASX [Corporate] Governance Principles and tell me which ones don’t have a risk management or compliance element to them. Every one of the principles deserves attention.” According to Whitefield, the challenge for a GRC professional is knowing how to prioritise their time and the resources available. For governance professionals, he recommends prioritising these based on risk and opportunity, but for risk professionals, he suggests taking a big-picture view and avoiding getting caught up in Principle 7 – “Recognise and manage risk”. Whitefield also said to insist on segregation of GRC from audit. “This has been one of my greatest bugbears. The role of audit is to provide confidence that the GRC arrangements are appropriate and effective,” he said. “How can an auditor have any involvement in developing the GRC framework, or populating it, and then turn around and pass a critical eye over it to see if it is functioning well?” Audit’s job is to provide assurance, said Whitefield, and staff will always see audit as a bit of a watchdog. “We don’t want staff hiding anything. A GRC section – no matter what you call it – that is independent of audit has a much greater potential for encouraging open dialogue and debate concerning risks and opportunities,” he said. “Later these can be further debated with audit, who rightfully should challenge the appropriateness of frameworks and the decisions emanating from its application across the organisation. Both are incredibly important roles and neither should be undervalued or trivialised by pouring them into the one bucket.”

“You would need to be someone with an MBA on steroids” Bryan Whitefield, director, Risk Management Partners
New UK bribery law casts wider corruption net
Australian companies that carry on a business in the UK will be subject to a new anti-bribery regime that extends beyond financial reward to include inducements such as entertainment, privileges and gifts. The UK Bribery Act 2010, which commences on 1 July 2011, casts a wider net in that it creates a corporate offence of failing to prevent bribery by a person associated with the organisation: a company can be convicted even if its management had no idea of the activity, and it falls to the company to show that it had adequate procedures in place. Under the new law, it will be a criminal offence to give, promise or offer a bribe and to request, agree to receive or accept a bribe – either in the UK or abroad. The law also covers bribery of a foreign public official. Under the Act, bribery is constituted as any action that might “improperly influence” someone in order to obtain business or an advantage in the conduct of business, and extends to foreign employees, subsidiaries or agents in other countries who make “facilitation payments” without company permission. The new law will apply to all UK-registered companies as well as companies registered anywhere else in the world that do business in the UK, according to Will Kenyon, a London-based partner in the forensic services group of PricewaterhouseCoopers. “One of the key tricky issues for everybody trying to interpret the Act is what is a bribe and where do you draw the line? Discussions have focused on what is an appropriate level of corporate hospitality, promotional expenditure or gifts and entertainment,” said Kenyon. There has also been debate around the level of due diligence that might be required to ensure that adequate anti-bribery procedures are in place for third parties, he said.

“So if you have sales agents or other intermediaries who are either out there selling for you, or helping you to interact with government or other third parties in any way, shape or form, those third parties can create vicarious liability for your organisation if they pay bribes in effect on your behalf.” Companies that come under the Act will need to improve their communication, training, policies and monitoring and control procedures to make sure that employees understand what is expected of them and that they know where to turn for more information when needed, said Kenyon. “For large multinationals there is potentially quite a lot to do, and my concern is that some may well have waited and they now only have three months in which to try to put something in place. I think that is good grounds for urgent action, but not for panic, because this is a long-term thing,” he said. While a business can avoid conviction if it can show that it has adequate procedures in place to prevent bribery, a recent guidance document published by the UK Government states that the question of whether an organisation has adequate procedures in place to prevent bribery is a matter that can only be resolved by the courts. “In other words, we’re back to square one,” said Ian McDougall, vice-president and legal director for LexisNexis International. Fundamentally, the new Act creates a mens rea (“guilty mind”) offence; that of “intending” to “induce” “improper” performance of some kind.

“When combined with the guidance document advice, it is clear that identical acts may or may not be offences, depending on circumstance and proving mens rea,” he said. According to McDougall, ethics has been a topic of debate since the time of Plato. “I’m not quite sure this Act takes us any further forward in our understanding of what is or is not ethical behaviour. It just says, ‘let the courts decide’.” However, he believes it is the big fish or utterly flagrant behaviour that the authorities will be after. “Therefore, it is clear that companies need to establish clear policies,” he said, while programs of awareness also “need to be commenced, and probably a program of auditing established for compliance purposes”. McDougall also advises risk management professionals to factor their company’s profile into risk assessments. “The higher the profile, the more likely you are to be in the crosshairs,” he said. “In addition, establish a set of criteria which can help judge what might be higher-risk activities, with higher-risk individuals, so that ‘alarm bells’ can ring where appropriate.”

“The higher the profile, the more likely you are to be in the crosshairs” Ian McDougall, vice-president and legal director, LexisNexis International

Defences against the Bribery Act
Companies that are subject to the UK Bribery Act 2010 can avoid being convicted of the offence of failing to prevent bribery if they can demonstrate that “adequate procedures” are in place to prevent bribery. The UK Ministry of Justice guidance sets out six principles such procedures should reflect:
1. Proportionality
2. Top-level commitment
3. Risk assessment
4. Due diligence
5. Communication
6. Monitoring and review
For more information, see the UK Ministry of Justice’s Bribery Act 2010: Guidance about commercial organisations preventing bribery, and Quick start guide, both at www.justice.gov.uk.
BP managers ignored major hazard risks
Just hours before the explosion that rocked the Deepwater Horizon rig, senior managers from BP and rig owner Transocean conducted a site visit but failed to notice the warning signs because they focused more on occupational safety rather than process safety, a recent report has found. At the joint inquiry into the disaster, the senior health and safety manager for BP drilling operations in the Gulf of Mexico said that occupational safety (or personal safety) was their prerogative, while process safety was a matter for engineering authorities.

“They were not at all focused on major hazard risk and made no efforts to ascertain how well it was being managed [e.g. how effectively the reduced pressure test was being carried out] or whether people were following procedures that were designed to protect against major hazard risk [e.g. monitoring mud flows],” said the Australian National University’s Professor Andrew Hopkins in the National Research Centre for Occupational Health and Safety Regulation paper. “These matters lay outside the scope of their informal auditing activities. This one-sided concentration on occupational or personal safety has been identified as a contributor to many previous process safety accidents, including the BP Texas City refinery disaster of 2005.”

Safety is often a focus for senior managers who are visiting a worksite, but too often safety is understood to be a matter of “slips, trips and falls”, rather than the major hazards that can lead to major accidents, said Hopkins in the paper, Management Walk-Arounds: Lessons from the Gulf of Mexico Oil Well Blowout. The difference between occupational and process safety corresponds to a distinction between conventional safety risks that result in relatively high-frequency, low-consequence events, and major hazard risks that give rise to low-frequency, high-consequence events (such as explosions), he said. “It is important to recognise that, because process safety disasters are rare, they do not contribute to workforce injury statistics on an annual basis,” he said. “However, BP evaluated its own safety performance and that of its contractors on the basis of LTI rate and TRI rate. For important practical purposes, then, safety for BP and for Transocean personnel was synonymous with occupational safety.” In order to avoid such traps, said Hopkins, one very important activity is to talk to employees in a way that elicits from them information about what might be going wrong. “Very often they are the ones who know best that something is amiss,” he said. “But just as importantly, senior executives need to engage in their own informal auditing, making sure to sample the detail.”

“One-sided concentration on occupational or personal safety has been a contributor to many process safety accidents” Professor Andrew Hopkins, Australian National University

Comment: Time to mandate internal audit?
The Institute of Internal Auditors (IIA) has been campaigning for regulatory change in Australia for more than 10 years. Much of what it has been saying has fallen on deaf ears. Australia has one of the highest public exposures to listed shares as a result of mandatory superannuation. While prudent fund managers should be underweight in poorly governed companies, this doesn’t happen in practice. If a company share price spikes and the company hits the S&P/ASX 200, your super fund just bought the stock, even if governance is shocking. Australian regulation has fallen behind in some respects, resulting in laggards in the S&P/ASX lists, owned by your super funds. To be fair, there are some areas where Australian regulation leads. Having internal audit report to independent board audit committees gave the internal audit profession such a kick up the backside that it caused generational change in the entire profession. Other countries would benefit from this. Similarly, the requirement for boards and management to focus on whether the organisation really understands the material business risks it faces, rather than just saying that it complies with the relevant risk standards, has been a great thing for Australia’s competitiveness internationally. But alas, these are only suggestions. They are not mandatory. Companies can weasel out of them or ignore them entirely. Even worse, some of the fundamentals have been skipped over, particularly internal audit, which is a cornerstone of most governance frameworks elsewhere. While internal audit is mandated for listed companies in the United States and throughout Asia, in Australia it is not. Likewise, while the UK and South Africa have disclosure triggers on internal audit, Australian companies have nothing. This results in many companies outside the S&P/ASX 50 not having an internal audit function, let alone one that is effective or risk-focused.

IIA has put together a policy agenda for reform. It contains five principles, two of which are yet to be pushed by the ASX or ASX Corporate Governance Council. Those two are: internal audit is fundamental to good governance; and internal audit should operate at a consistently high standard. IIA Australia’s policy principles and recommendations are helpful for most mid-cap companies, but many have not implemented them. They do this at their peril. Lagging performance on risk and assurance will force regulators to step in. Indeed, if they had done so sooner, your superannuation balances would be looking a lot healthier, as would mine. Todd Davies specialises in leading practices in internal audit and assurance. He was formerly the technical and policy director of IIA Australia. For more information, visit www.todddavies.com.au.

of companies in mainland China considered the withdrawal of stimulus funding as the factor most affecting their business in 2011
Post-GFC blues raise financial risk concerns
Over the past 12 months businesses have grown increasingly concerned about financial and economic-based risks, according to an Aon survey. Risks that increased in importance throughout 2010/11 related to liquidity, market environment, capital availability/structure, credit and sales, reflecting a growing concern around economic and financial issues amongst businesses. “In 2010, the major banks were still tightening their lending capacity and the United States and European countries remained in an economic downturn,” said Steve Nevett, chairman, Pacific region, Aon Risk Solutions. This financial pressure saw concern around financial risks increase significantly in terms of their importance in Aon’s annual Australasian Risk Management Benchmarking Survey. “Whilst the Australian economy remained relatively strong throughout the aftermath of the global financial crisis, Australian businesses are looking forward optimistically but continue to see risk management as an increasingly important part of corporate strategy,” Nevett said.

The survey, which is based on risk management information sourced from 446 major Australian and New Zealand corporate and public sector organisations, also found that the median Total Cost of Insurable Risk (TCOIR) across all organisations for 2010 was $4.76 per $1,000 of revenue, or approximately 0.5 per cent of revenue – a decrease of 8 per cent from 2009. Prior to 2009 the median TCOIR declined consistently for five years (from $11.97 per $1,000 of revenue in 2003 to $4.52 per $1,000 of revenue in 2008). TCOIR then rose to $5.20 in 2009, largely due to decreasing revenue levels in the Australian economy. Aon anticipates a slight increase in overall TCOIR in 2011 due to premium increases and a high proportion of TCOIR spend coming from risk transfer costs.
Most viewed on the web
1. The three pillars of good corporate governance
2. What management looks for in a CRO
3. Internal auditors dropping compliance ball
4. Earthquakes and tsunamis: what’s the risk for Australia
5. Improvement in risk controls needed
6. Internal audit: coming to grips with risk management
7. BP managers ignored major hazard risks
8. Boards struggle with fraud risk management
9. Specialist skills needed for GRC future
10. Risk management in practice: reputation
Risk management strategies and trends

Over the past ten years there has been a significant shift towards a structured enterprise-wide or executive approach to the identification and evaluation of risk, according to Aon’s annual Australasian Risk Management Benchmarking Survey. It found that the Board and CEO are increasingly taking responsibility for formulating risk strategies while the chief risk officer, risk manager and operational/divisional heads are undertaking the development and implementation of risk management policies. Over the past eight years organisations have been increasingly bringing risk functions in-house; however, outsourcing continues to occur where specific expertise and knowledge is required. Furthermore, the survey found the most frequently cited benefits of investing in risk management were improved internal controls and improved standards of governance.

Caution urged over Chinese credit risk

A withdrawal of stimulus incentives and a tightening in bank lending in China are likely to impact corporate credit from 2011, and a recent research report has found that Australian companies with trade agreements in mainland China may seek increased protection from possibly deteriorating payments. Despite an improvement in both credit sales and overdue payments in China in 2010, food and agricultural exporters in particular need to be mindful of the need to protect against the potential for increased payments risk, according to Chris Doubé, general manager of Coface Australia, which conducted the research report. Given the increasing level of economic interdependence between China and Australia, Doubé said the report highlighted the need for increased vigilance by companies.

The Survey of Corporate Credit Risk Management in China Report revealed credit sales in China achieved a compound annual growth rate of 16 per cent between 2008 and 2010, and overdue payments in domestic sales have dropped 26 per cent since 2008. Regardless of this improvement in 2010, companies in mainland China are less confident about a continued improvement in payment behaviour. Some 37 per cent of respondents considered the withdrawal of stimulus funding as the factor most affecting their business in 2011, while 31 per cent believe tighter monetary policy and bank lending will have the greatest impact. More pointedly, 41 per cent expected the overdue payments situation may take more than three years to improve, while 33 per cent expected it would never improve.

Australian businesses may see an impact as a result of this uncertainty, said Christophe Souquet, Coface risk director for Asia Pacific and international expert in corporate credit risk management. Aspects of the Australian market can be considered a proxy for the health of the Chinese economy and therefore may experience a shift in credit sales as a result, he said. “Preparing for potential risks in business, particularly for organisations operating across borders, is essential,” he said. “Understanding the risks and opportunities across international markets will provide Australian companies the knowledge to successfully expand operations.”

China is Australia’s largest source of imports and exports, according to the Department of Foreign Affairs and Trade. Australia exported $3.4 billion in agricultural goods to China in 2009, making up 8.1 per cent of total exports, while trading in canola, live animals, fish, edible products, wine and meat recorded particularly strong growth.
News Report

Finding the right chief risk officer

Candidates must tick a number of boxes to be considered for a chief risk officer role – starting with a well-rounded set of skills

For most companies, the decision to appoint a chief risk officer (CRO), or an equivalent senior risk executive, is driven by several factors. However, once the decision has been made to establish the role, there are some points management should consider when evaluating CRO candidates, according to a recent report from Protiviti.

The first point is the actual role and expectations, as defined by management and the board. A key consideration is whether the role will focus on strategic issues (such as establishing/communicating risk appetite and risk management philosophy, implementing an appropriate infrastructure for managing and monitoring risk, and integrating risk management with strategy-setting and business planning) or have a tactical approach (on issues such as compliance management, insurance procurement, fraud prevention and asset protection, and/or environmental, health and safety matters). “While we believe a strategic role is preferable in many situations, both approaches occur in practice,” stated the Protiviti report.

Another important consideration is experience requirements. If a business is looking for someone to serve as a peer with operating unit and other leaders, it should identify executives with at least 15 years of experience, according to the report. Industry experience and a demonstrated ability to work effectively to address issues in a comparable organisation are vital attributes, while previous experience in risk management and finance is a plus, along with competency in the C-suite/reporting to boards and expertise in the risk of greatest importance to the business.

Critical thinking skills are also highly valued. “The CRO should be able to think strategically, work with operating units to disaggregate business plans and transactions into component risks the organisation is taking on, and recommend how to improve proposed plans and transactions by mitigating the risks,” said the report. Interpersonal skills are also key, as exceptional verbal and written communication and negotiation skills will support a CRO in interacting effectively with others, including regulators. “CROs should be able to organise and motivate others – many of whom may be in more senior positions,” said the report.

Keen business acumen is critical, too, as a CRO needs to be both a trusted adviser and a control authority who can articulate risk/reward trade-offs. Sound business and financial judgement combined with problem-solving abilities are vital prerequisites, while an increasing use of models or quantitative analytics makes the need for core analytical skills crucial, according to the report.

Also important is strong process orientation, as CROs are often responsible for assisting organisations to develop and maintain a comprehensive and sustainable process for key business risks that might impact the achievement of objectives and performance goals, the report noted. “This requires a strong view of processes and how they interface with the company’s core management activities. Often this capability is overlooked, as organisations favour technical-oriented candidates over those with process or policy experience.”

The report also identified the ability to be cool under pressure as important. “CROs must be objective, be able to call issues how they see them and, if necessary, communicate what may be a contrarian message. Successful CROs should be concise and direct under fire in their communications,” said the report, which added that they must have the courage to speak to their convictions and not be intimidated by organisational hierarchy and position.
Soft skills for risk managers

Risk managers who can demonstrate a mastery of “softer” skills are one step ahead of their peers when it comes to unlocking the door to the most senior risk management roles, according to an industry study.

It found that risk managers who set themselves apart by their sheer passion and energy for the business and its objectives, and who can navigate politically charged corporate environments, achieve the most success. Enhanced communication skills are also crucial, with the study finding that risk managers must be able to communicate relevantly, helpfully and frequently and understand how to engage with many different audiences. Doing so builds board-level commitment, secures buy-in and successfully fosters a risk management culture at all levels in the organisation.

“As in all other areas of business, true success comes from more than the technical skills. Risk managers have to deliver the full package – not just the risk management strategy, but the political nous and skill to secure high-level support for the risk agenda,” said Paul Howard, chairman of the Association of Insurance and Risk Managers, which supported the study.
Cover Story

Rising up through the risk ranks

The pathways to a senior risk management position are changing. Craig Donaldson speaks with three leaders in the field about their experiences, the evolution of risk careers and what steps professionals need to take to make the CRO grade

Risk management job market trends

While there is still reasonable demand for risk management professionals, the market is definitely flatter than 2010, according to Jacob Smith, associate director – risk, compliance and legal, Robert Walters. He notes that demand for anti-money laundering professionals has weakened, with Basel III on the horizon as the next potential growth area. “Demand will be dependent on economic influences; that is, increased banking activity and therefore recruitment, along with new risk and regulatory obligations,” says Smith, who notes that there is still a strong focus on capital management post-GFC. He advises risk management professionals to work on their technical understanding of their organisation’s products. “If you have a strong understanding of risk and regulation, then understanding the underlying details of the products your employer provides will allow you to address the inherent risk in the business better, and also allow you to better converse with the relevant stakeholders in the business,” he says.

Barry Maurer, director of Compliance and Risk Management Recruitment, agrees that the market is “not as dynamic as it was”. However, new qualities that are in demand include a certain level of commerciality and business/product knowledge, as well as influencing skills. “They’re the qualities that are now determining who’s more successful. So it’s less about mandated risk and more about the business. The trend is towards the business valuing. The future growth in risk management is going to be created by demand from the business rather than demand from the regulator,” says Maurer.

Risk management professionals come from a variety of backgrounds. While there is no traditional career path, such as you might find with accountants or lawyers, the skill set required of senior risk managers is no less demanding. Risk management is a fast-evolving and increasingly complex discipline that requires a broad range of skills, especially at the chief risk officer (CRO) level. Jason Brown, CRO at QBE Australia, says there is no defined career path for the role of chief risk officer. In its early form, the CRO was often the CFO, risk manager or compliance manager. However, as the role
has evolved to become more strategic, diverse and complex, Brown says there has been an increasing tendency for the CRO to come from finance, legal or actuarial backgrounds. “The exact make-up of the CRO in each organisation largely reflects what the role entails within that particular entity and industry. In mature organisations, the CRO takes on a broad role of overseeing the enterprise risks of the business, maximising the risk and reward trade-off, as well as serving as an independent counsel to the CEO,” he says. “It’s generally the skills and experience required for the role that determines the appointment, rather than any particular career path per se.”

James Myerscough, the acting head of risk and compliance for AMP, agrees that there is no standard career path for a CRO, saying that instead there is a range of ways people reach such a position. Some may have an actuarial background or experience in either a particular business line or operational risk function. “As a senior risk officer it is important to have both the technical and business knowledge in order to fulfil the role adequately,” he explains. Another key skill for this role is that of strong communicator and influencer. “Your ability to persuasively interact with senior management and the board, clearly explaining complex technical issues, is vital,” he says. “You need to be able to influence people and this skill can be lacking in people who have a pure technical background. Finally, you need leadership skills. Inevitably, a CRO will be managing people and so they need to be able to inspire those people with a clear vision of the future.”

The makings of a CRO

Working in a senior risk management role requires a unique blend of both personal and professional attributes. Steven Johnstone, CRO of Transpacific Industries, says the ability to listen and communicate across all levels of an organisation is vital. “You have to be able to grasp and understand concepts quickly, and assess how internal controls are effectively implemented to either mitigate or manage the risks they have been put in place for,” he says.

“You must also have a willingness to challenge. You don’t always deliver good news, and delivering it in a manner that is non-offensive and fact driven is extremely important.” Johnstone adds that some financial training is important for the CRO role, as a lot of impacts are financial and require analysis across a range of areas.

Brown believes CROs require a combination of independence, credibility, trust and communication. “The role wouldn’t work effectively without any one of these characteristics,” he says. “There needs to be enough trust within the executive team to come and talk about issues proactively, without fear of overreaction, and that trust also needs to exist between the CRO and CEO who will often have, and should have, very plain and at times robust discussions.” Brown says there is no point in sugar-coating risk; independence is necessary in order to be able to take a holistic view of the business and not to become lost in it, as is having the resolve to identify tough issues and address them, and explore other opportunities. “Finally, there’s credibility and integrity. These are crucial for a CRO to operate effectively within an executive team,” he says.
Challenges for the CRO Senior risk management professionals face a number of unique challenges, and one factor that makes them easier to overcome is knowing what drives senior businesspeople, according to Myerscough. “At times you see ideas ingrained in the minds of business managers that may have consequences from a risk perspective,” he explains.
The challenge is presenting a view that contrasts with a long-standing belief – something that naturally makes people uncomfortable and can become confrontational if not handled appropriately. “This is where your communication skills play an important role,” he says. “If you understand what is important to the business managers, you can frame your perspective appropriately. But in order to do that you need to put yourself in their shoes rather than stay in your own. This is why it is so important in senior risk roles to have a business as well as a technical background, sandwiched between strong communication and influencing skills.”

According to Brown, most risk professionals will say the key challenge is embedding risk into the business. This is a little less difficult in an insurance environment, he says, as risk is at the very core of writing insurance exposures. “The biggest challenge is to operate in an ever-changing space that has no boundaries and that operates with significant complexity, ambiguity and judgement,” he says. “You must continually assess and reassess the environment and have the foresight to adapt to new and emerging risks and opportunities – which is one of the factors that make the CRO role one of such diversity and appeal. When you come to work in the morning, you never can tell what might leap out later in the day. Accepting that as the norm makes life much easier.”

Advice and tips

It is important for risk management professionals to understand all the potential risks a business may face in order to focus on the key ones. As such, Johnstone recommends risk professionals try to work in as many areas of risk as possible within an organisation, such as operations, health and safety, environment and finance. “This will give you a balanced approach to being a solid risk professional,” he says.

“Be seen as a value-add to business leaders and not just a box ticker. Solutions outside the box and an ability to analyse a vast array of risks and control environments will differentiate yourself from the others. The greatest opportunity I had was to work with a manager who taught me how to analyse risk and root causes effectively – get this right and you will be on your way quicker than just through the audit path.”

Brown’s advice is to learn as much about how companies operate as you can, and develop a big picture of how different parts of a business interact and connect. “Finding the right mentor can help,” he says. Going forward, the role of the CRO is likely to require a sound understanding of complex modelling as well as human risk factors, so an interest in these areas would be appropriate, says Brown. “The role of the CRO is definitely one of the most interesting and challenging roles within a complex organisation, and it’s definitely worth pursuing,” he says.

Myerscough advises aspiring risk professionals to keep learning, take the time to step out of your comfort zone at work, and always take opportunities to raise your profile. “Be prepared to present your work widely and take opportunities to be part of new initiatives,” he says. It is also important to make sure you train your successor. “Firstly, it really cements your own knowledge of what you do. Secondly, it is much easier for you and the business to move you upwards and onwards if you leave a strong successor,” advises Myerscough.

The evolution of the risk profession

Risk management has traditionally struggled to gain credibility as a profession. Compared with other disciplines such as law and accounting, risk management professionals have come from a wide range of backgrounds and are not required to undergo the same rigorous training when it comes to professional development. In the past, some of the common career avenues into risk were via safety and engineering risk, according to Clim Pacheco, general manager of education for the Risk Management Institution of Australasia. More recently, financial risk, compliance and governance are other pathways into risk, he says. “People who have other skills in assessing risk and managing risk are now coming to the fore, so there are multiple entry points for different risk professionals. Financial risk is still looked upon as probably the measure that matters most, though risk management is more than that.” Pacheco observes that there has been a shift towards enterprise risk management and, as such, risk management professionals need a broader skill set. “Traditionally it used to be safety risk, project risk or financial risk, but now you have to consider reputational risk, fraud risk, social media risks and so on. It’s moved beyond just operational risks,” he says.
Case Study

Banking on business continuity

A business continuity plan is critical in times of unforeseen crisis, as ANZ recently discovered. Craig Donaldson reports

The recent spate of natural disasters has put a renewed focus on business continuity. On a local scale, there was the cyclone and major flooding in Queensland, extensive floods in Victoria and the bushfires south of Perth. Regionally, the earthquakes that struck Christchurch and Japan, along with the subsequent tsunami and nuclear disaster from which Japan is still reeling, mean business continuity is an issue all organisations need to be concerned about.

ANZ: a strategic approach

One organisation that has selectively executed its business continuity planning strategies in recent times is ANZ. As a global bank, ANZ has a robust business continuity management (BCM) program aligned to industry best practice, says senior manager of business continuity management Phil Carter, and this program includes crisis management and communication processes that undergo regular testing and modification where needed.

“I would say that best practice is about continuing to learn from your experiences and making sure you continue to integrate learnings into your strategy,” says Carter. “We talk with other large organisations that are structured in a similar way to share learnings about BCM and participate in the Banking and Finance Sector Group, which hosts a meeting every quarter.” BCM is a very important part of operating risk in any organisation, and at ANZ, says Carter, the process is fully supported by the management board and forms a significant component of the bank’s annual risk certification process. “We have spent a lot of time educating all of our staff on the fundamentals of business continuity management, and also test our business continuity and crisis management strategies very regularly. Our tools have been developed to provide a consistent framework globally across ANZ,” he says, adding that the bank has a team of dedicated BCM professionals operating across all of its geographic areas.

The plan in action

ANZ’s business continuity strategies have been implemented several times over recent months, in response to the natural disasters in Australia and the region. When the earthquake struck Christchurch in February, for example, Carter says ANZ’s first priority was making sure its staff and customers were safe, and the bank’s New Zealand business continuity plan (BCP) was activated immediately.

“One of the things we did that was not part of our BCP plan, was to set up an ANZ staff drop-in centre where people could come and receive support, speak to colleagues and also pick up bottles of water,” he says. “This wasn’t part of our original BCP plan, but we felt it was something we needed to do to support our staff, as they didn’t have access to a lot of basics such as clean water and the internet. It was also a great way for us to keep them updated with the latest information.” According to Carter, the Christchurch earthquake is the biggest disaster ANZ has ever faced in New Zealand, as it affected so many parts of the business. “However, with strong BCP plans in place, we were able to keep our staff and customers informed of our operations and also get parts of our business up and running to serve our customers as quickly as possible,” he says.

But many unforeseen issues or events happen during a crisis, adds Carter. In the case of the Queensland floods, one of the key issues ANZ faced was maintaining customers’ ability to access funds and particularly cash. “We invoked our cash management plan and worked with our two main ATM cash replenishment companies to ensure as many ATMs as possible remained up and running. We maintained the flexibility to move money between branches where necessary,” says Carter, and during the crisis ANZ also worked with other banks in the area to ensure the community as a whole had access to cash.

Guide to best practice

For risk or business continuity professionals looking to develop a best practice approach to business continuity, Carter advises against reinventing the wheel. “We spend a lot of time talking with our colleagues in similarly structured organisations and also looking at best practice guides, such as those developed by the Business Continuity Institute, for guidance,” he says. “In practice, we’ve been able to refine our strategies further to ensure we’re able to continue to service our customers as well as manage the safety of our staff.”
Locking down IT security

Targeted cyber attacks are on the rise – necessitating tighter security management practices, writes Craig Donaldson

From the cyber attack on RSA that placed its two-factor SecurID tokens at risk, through to the breach of systems at Epsilon, in which millions of individual email addresses were exposed, cyber attacks are becoming increasingly sophisticated. These attacks are a clear reminder that no business or industry should believe it is not susceptible or vulnerable to a sustained attack, according to Neville Gollan, sales and marketing director for Sense of Security, an independent provider of IT security and risk management solutions.

“There is substantial evidence that targeted security attacks are on the rise and becoming more sophisticated. In our experience, this is equally true for the private and public sectors,” says Gollan, noting that a Department of Defence spokesman recently highlighted this point and warned that Australia was experiencing increasingly sophisticated attempts to infiltrate networks in both the public and private sectors. In the RSA security breach, for example, he says social engineering was used to great effect to deliver the payload that escalated the attack. “From there the attackers used tenacity and technical expertise in equal measure to execute their objective,” he says. “In our experience, many organisations are more at risk than they believe they are.”

Gollan says there is certainly room for improvement in the way organisations adopt and implement their security management practices. For some companies, security management practices – including patch management – are a haphazard affair and not part of the company culture. “In today’s environment, this laissez-faire approach to security certainly works in favour of the attacker,” he says.
Common vulnerabilities

Ty Miller, chief technology officer for Pure Hacking, a security consultancy specialising in infrastructure protection and IT security management, says internal networks often have a lot of vulnerabilities, generally because there isn’t enough network segmentation done inside an organisation.

“So, for example, if I plug into a network and I have access to 5,000 different devices to start performing privilege escalation, I only have to break into one to break into other systems, and it just keeps going. That’s for internal networks,” he says. “Your other one is web applications. There are a lot of web application attacks involving vulnerabilities that are coming out all the time. Web application technologies are advancing quite quickly, so implementing security around them is generally harder.” Another reason is that developers generally don’t have extensive security knowledge, says Miller, so when they are developing web applications, they aren’t aware that they need to explicitly protect against attacks.

Gollan also says that web-based applications continue to present many organisations with vulnerability and risk. “When you consider that web-based applications are ubiquitous in today’s business environment and that the information stored in their back-end databases is typically sensitive or highly confidential, it is not surprising that the business driver for the cyber criminal is compelling,” he says. “Security needs to be embedded throughout the entire development lifecycle, and the developers need to be supported through education on secure coding standards and auditing procedures.”
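The web application risk Miller and Gollan describe comes down to untrusted input being allowed to become part of a query's grammar, which is exactly the mistake a developer without security training does not know to avoid. As an added illustration that is not from the article, from Pure Hacking or from Sense of Security, the Python below (standard-library sqlite3, an in-memory database loaded with constructed sample rows) puts the common mistake beside its hardened form. SQL injection is used here as one representative class of the web application attacks the article mentions; the table names, rows and the UNION payload are assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed sample data for the example; this is not a real application's schema.
USERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]
API_KEYS = [(1, "alice", "ak-alice-0001"), (2, "bob", "ak-bob-0002")]


def setup_db():
    """Build an in-memory database: a users table the application is meant to
    query, and an api_keys table holding the kind of sensitive back-end data the
    article says attackers are after."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.execute("CREATE TABLE api_keys (id INTEGER, owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", API_KEYS)
    return conn


def lookup_user_vulnerable(conn, username):
    """The typical mistake: the request parameter is pasted into the SQL text,
    so whatever the caller sends is parsed as part of the query."""
    query = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Hardened form: the value is bound as a parameter, so the database only
    ever compares it as data and never parses it as SQL."""
    query = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed attacker input: closes the string literal, appends a UNION that reads
# another table with the same column count, and comments out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT id, owner, secret FROM api_keys --"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", lookup_user_vulnerable(db, UNION_PAYLOAD))  # dumps api_keys
    print("safe:      ", lookup_user_safe(db, UNION_PAYLOAD))        # no such user
```

Both functions behave identically for a benign username, which is why the defect survives functional testing; only the hostile input shows the difference. Parameter binding fixes the grammar problem at the source, whereas escaping or filtering quotes is a blacklist that later attack variants route around, which is the point of Gollan's call for secure coding standards rather than after-the-fact patching.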
Risk management The reality is that information security is a business issue and not an IT one, says Gollan, who notes that a security incident can negatively impact an organisation’s brand and revenue.
“Technology controls only make up part of security best practice; risk management professionals need to have the support of their senior executives to ensure the security of information assets is part of the organisation’s culture,” he says. According to Miller, risk management often relies or focuses on compliance and standards that are absolutely necessary, but not necessarily up-to-date with the latest realistic attacks. “So risk management professionals might not be focusing on the low hanging fruit that internal attackers might go after,” he says.
Five steps to IT security
1. Perform an information risk assessment to establish how information assets are used by the business, employees, customers and third-party suppliers. This will establish a risk profile for the business and guide the development of practical information security.
2. Develop an information security management framework to oversee security across the enterprise. Support this with integrated security management practices.
3. Follow the rule of least privilege when assigning access rights to all staff, including security administrators.
4. Educate your staff on information security and acceptable use of the company’s IT assets. Remember, social engineering is real and your employees need to understand the important role that they play in keeping the company’s information assets secure.
5. Embed security principles into all information technology projects, and do it at the design stage.
Source: Sense of Security
This year IIA-Australia held SOPAC® 2011 in Melbourne and is proud to say that the SOPAC® conference was a huge success with over 800 participants. This year SOPAC® had great speakers, terrific content and challenged internal auditors in effectively managing emerging risks and meeting tighter compliance requirements. IIA-Australia also believes that this year’s program has delivered practical solutions on how your audit functions can add organisational value. Next year, SOPAC® will be held in Sydney, where the first chapter was established 60 years ago in 1952. With 2012 also being the Jubilee Year of IIA-Australia, what better place to celebrate. We look forward to seeing you at our diamond jubilee. Pre-conference registrations now open. Book now and pay by 30 September 2011 and SAVE!
www.sopac.org.au
Risk People
Q&A with… Eamonn Cunningham, chief risk officer, Westfield Group
Eamonn Cunningham has been a key driver of Westfield’s risk management function. He talks to Benjamin Nice about risk ownership and the need for common sense.
Describe your role at Westfield.
My role at Westfield Group is chief risk officer. I am responsible for making sure that there is an appropriate degree of awareness in all matters of risk throughout the global group on as consistent a basis as possible.
How did your career in risk management come about?
I joined Westfield from a large accounting firm, where I worked as a chartered accountant. I came into the group as the internal audit manager, a position I held for about 18 months. At that stage I became involved in the administrative side of the business and was also the financial controller for one of the property trusts for a period of time. Within the administrative role was the procurement responsibility of insurance and the more I looked at that and what it was trying to do, the more I thought we could do better. So, over time I took Westfield – and Westfield took me – on a journey through which we evolved our risk management function as we know it today.
How does your role fit into the overall structure of Westfield?
Risk management, and indeed the role of chief risk officer, is not the replacement of the existing management structure within the business. Some commentators out there think that somehow, in 2011, there’s this requirement to put a chief risk officer in place that effectively replaces operations management or senior management. That’s not the way Westfield sees it, and that’s certainly not the way I see it.
There is a lot of talk about “integrated risk management” at the moment. In light of this, how do you get line managers and the business to own their risk, rather than leaving it to the risk management function?
In the risk management space, there’s one fundamental principle that our department constantly hammers home to the business. This is the notion that risk is owned by the business and by the department heads – risk is not owned by the risk management department. We don’t manage risk per se; we introduce into the business a framework through which you identify and assess and then mitigate or control, or sometimes simply accept, the risk in the business. It’s not always about just stopping things from happening.
What is Westfield’s risk philosophy?
We are opportunistic, but in a very disciplined way. People will often see us doing this or doing that, but what they don’t see is all the effort put in in-house going over the numbers, checking the what-ifs to make sure that we’ve looked at all the scenarios and figured out what could come to pass. It’s an approach that is absolutely consistent with some of the core principles within the company, such as attention to detail – you have to know your numbers backwards.
So, do you think there is some confusion over what risk management should include in some organisations?
There must be clarity within businesses as to where the risk management function stops and where the internal audit function of the business starts. Within Westfield, we had a really good discussion about that many years ago and there is absolute clarity. In other organisations, I see people clambering for the risk management high ground and there is probably a lot of energy wasted on dealing with that. This is further complicated by other departments that put risk and other functions under the one umbrella, which is dangerous because, then, risk people are sometimes seen as the policeman.
Given the recent natural disasters in the Asia-Pacific region, how does Westfield cope with the increasing threat posed by such risks?
Westfield was incredibly fortunate in Queensland in relation to the flood activity. Our centres were located in areas that weren’t as badly impacted as other parts of Queensland, especially Brisbane. Most of our centres are in and around the Gold Coast area or metro Brisbane. I think it’s fair to say that some of the foresight that we had in the past helped us. On one occasion, we incurred considerable cost to one of our centres. As a result of this, we identified certain flood-related issues and put in flood mitigation measures, which helped us this time around.
In New Zealand, we have a shopping mall in Christchurch and it has borne the brunt of two earthquakes. When we look back at our response, the property damage was absolutely minimal, and there was no personal injury involved. But in true Westfield fashion, we always do a self-examination and look at what lessons we learnt from each situation.
How does working within Westfield’s risk team differ to other organisations or companies that you know of?
In terms of discussions I’ve had with peers, one of the key aspects is the title of the role of chief risk officer. In some organisations you will ask a person what their title is and they will say, ‘I’m the chief risk officer’, even though their primary responsibility is to purchase insurance. Perhaps they should more properly describe themselves as an insurance manager. It’s a matter of getting it right. Some risk managers I talk to feel the tyranny of having to deal with internal conflicts in and around the risk space. Fortunately, I don’t have those concerns here.
What element of your role do you find most challenging?
It’s the aspect of the risk that’s coming over the horizon that we may not have focused on. The challenges are: what is there out there in this ever-changing external landscape and, to a lesser extent, what is the changing internal landscape like in terms of what we are doing and the risks that we expose ourselves to. I constantly remind people that risk is not really a bad thing. Risk triggers reward, but you’ve just got to get the balance right.
What advice would you give to somebody starting out in risk management who aspires to make it to the top?
Don’t just focus on technical knowledge, because it’s not as if you’re going into a specialised area such as law, where it’s only important for you to learn about the law.
If you want to be successful in the risk management industry, you need a healthy dose of common sense and, more particularly, your personal skill set is absolutely vital. Someone suggested that it’s even more important to get the personal skill set right than the technical skill set. Risk management is about influencing the business and developing awareness. If you can’t sell your message or get your audience to switch on to the message, then you’ve failed. So, you need to be passionate, you need common sense and you need to speak the language of the people you are dealing with.
What do you see as the key future trends in risk management?
The key trends are in and around getting greater recognition for this part of the business as a form of practice, as opposed to just looking at the risk dimension of the role. What I mean by that is the way that the risk function is regarded and that what is said is listened to, as opposed to tapping the risk management function on the shoulder in the event of a crisis and only responding to events, or simply asking them to arrange issues such as insurance. Risk needs to be recognised as a fully fledged discipline within the corporate business ... just like other elements of management. Generally speaking, I think it’s still got a little distance to go in terms of earning its spurs.
Crisis Management
Earthquakes and tsunamis on the scale Japan has recently experienced are rare – but they do happen. And, according to experts, Australian businesses can’t afford to be complacent about the possibility of natural disasters closer to home
Preparing for the worst
As Japan reels from a major earthquake and tsunami and struggles to contain a nuclear disaster, subsequent media coverage has highlighted the reality that major natural disasters do occur and can often have a devastating impact. According to experts, the Japanese disaster has many Australian organisations considering the likelihood and potential implications of natural disasters closer to home.
Clive Collins, senior seismologist at Geoscience Australia, a Federal Government agency that monitors, analyses and alerts for potentially tsunamigenic earthquakes, says the earthquake hazard in Australia is different to that in countries such as New Zealand and Japan. Australia is located within the interior of the Indo-Australian tectonic plate, explains Collins, while New Zealand and Japan lie along the boundary between the Pacific and Indo-Australian plates, where movement and interaction between the plates can cause large earthquakes. “There are far fewer earthquakes within the interiors of plates, but their locations are not as well defined, as they are not restricted to the major boundary faults. The return periods between large earthquakes are also very long, so there is often no historical record on which to base a hazard assessment,” he explains.
It is for this reason, he says, that defining the earthquake hazard in intra-plate regions such as Australia poses special challenges. “There have been over 20 earthquakes in Australia with a magnitude greater than six since records began, and there is evidence preserved in the landscape of many more.” Western Australia has had the highest number of large earthquakes, including a magnitude 7.2 in 1941. The other main areas of activity are the Flinders and Mount Lofty ranges in South Australia, and a broad area of eastern Australia from Tasmania to the Hunter Valley in NSW. However, Collins says
no area of Australia is immune from earthquakes.
Professor James Goff and Associate Professor Dale Dominey-Howes, who head the Australian Tsunami Research Centre at the University of NSW, agree that the risk of earthquake and tsunami is lower in Australia, but they underscore that Australian businesses cannot afford to be complacent about such risks. “How well prepared is Australia for something like the tsunami that hit Japan? The straight answer is, we’re not,” says Dominey-Howes. “If a similar event struck Australia, we’d be in serious trouble.
“While Australia is better prepared than we were five years ago, we’ve still got some way to go. For example, we have an early warning system in place now, which is great for regional distant tsunamis, but is of no use whatsoever for locally generated ones.”
If part of the continental shelf collapsed, an underwater landslide triggering a local tsunami would hit the coast within about five minutes and “there’d be no warning at all”, says Dominey-Howes. “So the authorities would be unable to issue early warning messages and, of course, local areas would be unable to effect any kind of evacuation.”
Both Dominey-Howes and Goff believe that it is important to put major natural disasters into context and to understand what risks are unique to Australia. If Cyclone Yasi, for example, had made direct landfall over either Townsville or Cairns, Dominey-Howes says there would be much more discussion about the impact of such a severe cyclone on a major urban centre. “The fact the cyclone affected a relatively sparsely populated area means we got away by a hair’s whisker from quite a catastrophic event,” he says.
Goff says the Japanese event has clearly “woken a few people up” and there is an increased amount of interest in knowing the risks of similar disasters. “Clearly, if you’ve got coastal infrastructure sitting on the north-west coast of Australia, then you’re going to be a lot more interested in the potential risk of tsunamis than if you’ve got a cattle station in the middle of Alice Springs,” he says. Major tsunamis in the Asia-Pacific aren’t exactly a rare event, says Goff, who points to the 2004 Indian Ocean earthquake and tsunami that killed more than 230,000 people in 14 countries.
“These events are happening. They have happened in the past and they will happen in the future,” he says. “But ask a bunch of risk managers about the likelihood of an event that would have led to what’s currently happening in Japan and, of course, everyone would’ve said, ‘Bugger all’. In my reading of things, these kinds of events are indeed extreme and rare, but we cannot afford to be complacent.”
In the event of a tsunami
The Australian Government hosts the Joint Australian Tsunami Warning Centre (JATWC), which is operated 24 hours a day, seven days a week by Geoscience Australia and the Bureau of Meteorology. Geoscience Australia monitors, analyses and alerts for potentially tsunamigenic earthquakes, while the Bureau of Meteorology monitors sea-level variations after the alerted earthquake and provides tsunami warnings for Australia, with a chosen threat level based on pre-computed tsunami propagation models, explains Collins.
These warnings are disseminated to emergency managers, harbour masters, the media and the public, and trigger action at a local level depending on the level of threat, which may include the use of the Emergency Alert SMS and telephone call system. Collins says tsunami warnings from the JATWC are typically published within 20 minutes after the initial rupture of the earthquake. “The need for the many mitigation strategies adopted by Japan, such as high seawalls and community drills, is not likely to ever be necessary in Australia, as there are no offshore subduction zones creating a near-field tsunami threat,” he says.
Online resources
The following sites provide advice about tsunamis and how to prepare for them:
Emergency Management in Australia – Attorney-General’s Department: www.ema.gov.au, then click on Publications
International Tsunami Information Centre: http://itic.ioc-unesco.org
Intergovernmental Oceanographic Commission Tsunami Programme: www.ioc-tsunami.org
Dedicated to advancing the use of sound risk principles in an enterprise approach to risk management, the RMA exists to benefit professionals and institutions engaged in Operation, Credit, Market and Compliance Risk. Through an array of event programs and educational resources, the RMA aims to further the ability of its members to identify, assess and manage the impacts of risks on their businesses and customers.
The RMA is the premier association for financial risk management professionals. The RMA provides an independent forum for: thought leadership; the promotion of industry best practice; an awareness of market trends and developments; endorsement of ethical standards and professional conduct; recognition for financial risk management professionals. RMA Australia represents members at a national level and its initiatives reach over 1,500 individual members and risk related practitioners across the financial services market. Globally the RMA represents 3,000 institutions and has over 18,000 individual members in the US, Canada, UK, Hong Kong, Singapore, and Australia. For more information on the benefits of RMA membership:
RMA Australia, PO Box 576, Crows Nest NSW 1585 Tel: 02 9431 8689 Email: firstname.lastname@example.org
www.rmaaustralia.org
OHS Roundup
Converting executives to safety
WHILE companies can put any number of safety policies in place, “it’s all rubbish” without a strong organisational culture of safety, according to Ross Hughes, CFO of Western Australia’s Water Corporation. In building such a culture within the Water Corporation, he said leadership has been an important focus. “We all have different approaches to risk, our own safety, how to manage effectively, what constitutes ‘safe’, et cetera,” said Hughes. “So our journey has been on the leadership side as much as anything – especially honouring those who make a difference in safety, even if it means our core service work must be stopped for a time during an incident to ensure utmost safety.”
Hughes also says it’s important to learn from each other and respect each other on this journey. “We all have incredibly diverse and valuable skills and backgrounds, but don’t always listen to each other as we charge down tunnels we call our mandates,” he said. “A fundamental for me as CFO and the leader of our risk and governance activity as well, is that not all risks can be eliminated and not all risks can be funded at the same time. Like all business activities, safety is always a balance, focused on protecting, rewarding and fulfilling our people as best we can.”
Hughes said he has a good understanding of the Water Corporation’s safety objectives, and in working with the organisation’s OHS manager, Cathy Grasso, she appreciates understanding the language of executive and finance better. “I hope my colleague has benefited from a greater appreciation for what issues are critical to the CFO, top management and the board [as well as] how safety is not the only risk that needs to be funded and how to develop key risk mitigations better.” Hughes believes it’s important that the OHS manager builds personal respectful dialogues with all general managers and, similarly, that CFOs take the time to sit down with risk, OHS and other managers to do the same.
Bad jobs harmful to mental health
THE impact on mental health of a badly paid, poorly supported, or short-term job can be as harmful as no job at all, according to a recent research report. Because being in work is associated with better mental health than unemployment, government policies have tended to focus on the risks posed by joblessness, without necessarily considering the impact the quality of a job may have, according to the report authors. Published online in Occupational and Environmental Medicine, the research report, The psychosocial quality of work determines whether employment has benefits for mental health: results from a longitudinal national household panel survey, is based on a survey of 7,155 people of working age in Australia. If in work, the “psychosocial” quality of their job was graded according to measures relating to demands and complexity, level of control and perceived job security, while respondents were also asked if they felt they received a fair wage for the work they did.
The research showed that those who were unemployed had poorer mental health overall than those in work. It also indicated that employment is associated with better physical and mental health, and the mental health of those out of work tends to improve when they find a job, according to the report from the Australian National University’s Centre for Mental Health, National Centre for Epidemiology and Population Health and the Australian Demographic & Social Research Institute. But after taking into account a range of factors with the potential to influence the results, such as educational attainment and marital status, the mental health of those who were jobless was comparable to, or often better than, that of people in poor-quality jobs. Those in the poorest-quality jobs experienced the sharpest decline in mental health over time, and there was a direct linear association between the number of unfavourable working conditions experienced and mental health. The research also found that the health benefits of finding a job after a period of being out of work depended on the quality of the position.
Rio Tinto cuts injury frequency rate by 18 per cent
RIO TINTO reduced its all injury frequency rate (AIFR) by almost 20 per cent in 2010, due to an increased focus on risk management, compliance and continuous improvement, according to the company’s 2010 annual report. Rio Tinto measures its progress toward its goal of zero injuries through an AIFR (which includes data for employees and contractors) per 200,000 hours worked. At the end of 2010, the AIFR was 0.66 – an improvement of 18 per cent over 2009 – while the lost time injury frequency rate also improved to 0.36 per 200,000 hours worked in 2010. “We use significant potential incident reporting and remedial action closure measures to promote identification, investigation, management and sharing of lessons learnt from minor and near-miss events with potentially fatal consequences,” said the report, which added that these metrics are linked to remuneration.
Higher-consequence, lower-frequency safety events are managed through targeted process safety reviews and the use of a semi-quantitative risk assessment (SQRA) process and, according to the report, the risk reduction resulting from the SQRA process is used as a group-wide leading indicator for safety performance. To drive improved performance at sites with the most injuries or persistent and significant safety challenges, Rio Tinto has also developed a site safety acceleration process. “The process is built on the principles of diagnosing the root causes of poor safety performance and, through the engagement of leaders and employees, developing site-specific practical interventions that lead to sustainable safety improvements,” said the report. The company has also established a framework that defines its expectations and the processes to assure implementation of systems and standards during the development of major projects, the report noted.
Book Review
The Failure of Risk Management: Why It’s Broken and How to Fix It Douglas W. Hubbard, John Wiley & Sons
With dark clouds and lightning strikes illustrating the front cover, Douglas W. Hubbard’s book looks more like a horror story than a guide to risk management. But while the image of the gathering storm is ominous, it is what’s inside the book that will unnerve even the most confident of risk management professionals. Slamming best practice as “ineffective risk management methods” that are “passed from company to company like a bad virus with a long incubation period”, Hubbard does not mince his words, and packs a punch when it comes to areas of bad practice. Hubbard argues that “if risks cannot be appropriately evaluated, then risk management itself becomes the biggest risk”, and backs it up by using real examples to reveal areas of concern in current approaches to the subject of risk.
After treating readers to a brief insight into the history of risk management, Hubbard then breaks down the key methods that should be employed when assessing risk:
• Expert intuition – the “gut feeling”
• Expert audit – involves processes such as checklists and also uses stratification methods
• Simple stratification methods – colour-code/point-scale ratings used to assess likelihood of risk
• Weighted scores – more elaborate scoring methods with numerous risk indicators that can be added up to a “weighted risk score”
• Traditional financial analysis – taking into account aspects such as best- and worst-case scenarios
• Calculus of preferences – these techniques are based on expert judgements and the consistencies of these judgements
• Probabilistic models – the most sophisticated method of assessing risk, looking at probabilities and the “odds” by taking into account both quantitative and qualitative information
Mastermind of “applied information economics” and author of the bestselling How to Measure Anything: Finding the Value of Intangibles in Business, Hubbard’s style is interesting and enjoyable, while the book is easy to navigate and is broken down into three main sections: An introduction to the crisis; Why it’s broken; and How to fix it. Covering a wide variety of topics, Hubbard challenges conventional wisdom by pinpointing, in particular, the shortcomings of risk management approaches commonly advocated by project management methodologies, and then offers alternative solutions. The Failure of Risk Management is a timely and relevant read that offers valuable insights to all managers, analysts and practitioners responsible for mitigating risk.
Compliance and Risk roles – Australia taylorroot.com.au Compliance Manager
Specialist funds manager seeks an experienced compliance and operational risk professional to manage identified departments and key business relationships. Funds management background preferred. Competitive salary and excellent career prospects on offer. $125,000
Senior Compliance Manager
Global financial services organisation seeks a senior compliance manager for its investment banking division to develop compliance strategies and solutions. We are seeking strong regulatory experience and regional exposure would be preferable. $Market rate
Compliance Analyst, AVP
Global consumer banking business seeks a compliance officer for the wealth group. You will manage all regulatory and policy obligations and provide advice on products, marketing materials and reputational risk. The ideal candidate will have a background in retail banking. c.$150,000
To discuss Compliance and Risk roles, please contact Amanda Atherton in Sydney on +61 (0)2 9236 9000, Neil Williams in Melbourne on +61 (0)3 8610 8400 or email email@example.com or firstname.lastname@example.org THE SR GROUP . BREWER MORRIS . CARTER MURRAY . FRAZER JONES . PARKER WELLS . SR SEARCH . TAYLOR ROOT LONDON . DUBAI . HONG KONG . SINGAPORE . SYDNEY . MELBOURNE
Risky Business
A look at the month’s alternative risk stories
Sorry, you gave who a bonus for safety?
2010 certainly won’t go down in BP’s history as one of its better years, after leaking 775 million litres of oil into the Gulf of Mexico … still, an accident is only an accident, right? Well, the company that owned the BP drilling platform that caused the infamous disaster certainly seems to think so, and appears to have let bygones be bygones. Describing 2010 as the company’s “best year” for safety, Transocean this month gave its executives pay rises, bonuses and stock options, and a good deal of back-slapping and self-congratulation for good measure. After all, only nine of the 11 people killed in the explosion on the Deepwater Horizon platform were Transocean employees, and a further insignificant 17 were injured. No biggie, then. Oh, apart from the devastated shorelines, the immeasurable damage to wildlife and the effect the leak had on the area’s already struggling tourist industry. Not a bad year’s work, hey? Let’s hope 2011 is as successful and safe!
Photos too confusing for investors
Retail investors might not be the brightest bunch after all. It turns out that a number of investors have gotten themselves all mixed up and in a daze because their prospectuses contained too many photos on the front cover. In an effort to spoon-feed the professionals, the Australian Securities and Investments Commission wants to scrap unnecessary images or marketing messages on the front cover of these company documents to avoid any further confusion. The proposed overhaul of the current format would aim to make the literature more serious, and would also limit each front cover to one main issue or message – just in case two or three topics were too much for the readers to handle. The changes would also include a focus on producing clear, concise and effective content, and reducing the length of prospectuses where possible. So let’s get this straight: simplify, reduce the length, scrap confusing pictures and only include one message on the front cover? Risky Business would like to know if people should be investing, or indeed reading at all.
Published on Apr 19, 2011
Australia's leading publication for risk management professionals. This issue: why there's no set path to the CRO's chair, Westfields Eamon...