StrategicRISK April edition by Nathan Skinner

VIEWPOINTS [ PEOPLE ] Martin Sijmons, the risk manager for Swedish truck and lorry builder, Scania, explains how he ﬁrst got into risk management and why he’s still in it now

RISKS [ THREATS ] With Putin back at the helm, is there any chance that Russia will tackle some of its age-old problems?

European risk and corporate governance solutions

www.strategic-risk.eu [ April 2012 ] Issue 77 €25

GOVERNANCE [ ETHICS ] Most governments have responded to the ﬁnancial crisis by revisiting their regulatory regimes. What does this mean for risk managers?

THEORY & PRACTICE NEWS & ANALYSIS » Tensions rise in post-revolution Libya » Lessons from the Costa Concordia tragedy

THIS MEANS CYBER WAR

[ BEST PRACTICE ] Prosecutions for health and safety violations are on the rise. Here’s a ﬁve step guide

RISK innovation A spotlight on Italian risk management excellence

Several new fronts are opening up in the ﬁfth domain of warfare – cyberspace. Large organisations aren’t doing enough to protect valuable secrets and must bolster their defences against cyber assault Risk Atlas Medical health risks worldwide visualised. Where are the risk hotspots? Special Report What you need to know about cyber risk exposures and how to manage them

FC_SRApr12.indd 1

16/03/2012 16:30

“We make communication work seamlessly across six continents. Zurich does the same with our insurance.” Andrew M. Miller, President & CEO Polycom, Inc.

A single property insurance solution designed to help reduce coverage gaps and overlaps. Polycom, a global leader in telepresence solutions, needed a ﬁnancially strong carrier that could make complex insurance coverage easier. Zurich seamlessly provided locally compliant policies across six continents.* It’s an example of how Zurich delivers the help businesses need when it matters most. To learn more, visit www.zurich.com/polycom

Zurich Insurance plc, a public limited company incorporated in Ireland Registration No. 13460. Registered Office: Zurich House, Ballsbridge Park, Dublin 4, Ireland. UK branch registered in England and Wales Registration No. BR7985. UK Branch Head Office: The Zurich Centre, 3000 Parkway, Whiteley, Fareham, Hampshire PO15 7JZ. Authorised by the Central Bank of Ireland and subject to limited regulation by the Financial Services Authority. Details about the extent of our regulation by the Financial Services Authority are available from us on request. * Zurich provides insurance in association with its global network of 180 countries and territories. Countries and territories as defined by the International Standards Office (ISO).

SR_Ad_Page_ID.indd 1

14/03/2012 10:10

LEADER [ APRIL 2012 ]

Issue 77 April 2012

Nathan Skinner, EDITOR, STRATEGIC RISK

www.strategic-risk.eu WELCOME

Editor Nathan Skinner Editor-in-chief Sue Copeman European editor Andrew Leslie Group production editor Áine Kelly Deputy chief sub-editor Laura Sharp Senior sub-editor Graeme Osborn Group sales director Tom Sinclair Production designer Nikki Easton Group production manager Tricia McBride Senior production controller Gareth Kime Head of events Debbie Kidman Events logistics manager Katherine Ball Publisher William Sanders +44 (0)20 7618 3452 Managing director Tim Whitehouse Cover illustration Jamie Sneddon

Looking at defence in depth F OLLOWING UP ON A HIGHLY SUCCESSFUL STRATEGICRISK 100 EVENT we held in February, much of this edition focuses on the question of cyber risk.

As well as the News Feature (starting on page 12) exploring the hacker threat to corporate secrets, you’ll ﬁnd a Special Report (pages 25-28) on the key risk management implications of cyber threats, and can read about some of the top discussion points at our invitation-only SR100 event in Theory and Practice (page 34). One overriding theme that emerges whenever strategies for dealing with cyber risk are discussed is the beneﬁt of “defence in depth”. Rather than defeating attackers with

Email: ﬁrstname.surname@ newsquestspecialistmedia.com ISSN 1470-8167 Published by Newsquest Specialist Media Ltd 30 Cannon Street, London EC4M 6YJ tel: +44 (0)20 7618 3456 fax: +44 (0)20 7618 3420 (editorial) +44 (0)20 7618 3400 (advertising) email: strategic.risk@newsquest specialistmedia.com StrategicRISK is published eight times a year by Newsquest Specialist Media Ltd., and produced in association with Airmic (the Association of Insurance and Risk Managers). The mission of StrategicRISK is to deliver the latest risk and corporate governance solutions to key decision-takers in UK and European companies. StrategicRISK is BPA audited with a net average circulation of 10,046, June 2010.

a single, strong defensive line, defence in depth relies

The most secure system in the world might be insufficient against a smear campaign or denial of service attack

on the tendency of an attacker to lose momentum (or enthusiasm) over time. There are plenty of examples of this being successful in wartime. A defender yields lightly protected territory to wear out an attacker. Defensive counter-attacks are then mounted on the attacker’s weak points. One of the earliest and most

famous demonstrations came at the Battle of Cannae in 216 BC when Hannibal used the manoeuvre to encircle and destroy 10 Roman legions. In computer security, defence in depth means using multiple layered techniques to defeat intruders. Anti-virus software, for example, can be installed on individual computers even though there’s already a system-wide ﬁrewall. Or you can mix and match security products from vendors to protect against multiple types of threat.

For all subscription enquiries please contact: Newsquest Specialist Media, PO Box 6009, Thatcham, Berkshire, RG19 4TT, UK tel: +44 (0)1635 588868 email: customerservice@strategicrisk.eu Annual subscription (incl P&P) £249 €399 $499 Two-year subscription £449 €649 $849 Three-year subscription £427 €663 $821 Printed by Warners Midlands Plc © Newsquest Specialist Media Ltd 2012

Of course, protecting your company’s assets from outsiders intent on theft is only one front in this cyber war. The most secure system in the world might be insufficient against an online smear campaign or a denial of service attack by online activists (like Anonymous) who take objection to your company’s conduct. As with many other reputational issues, perhaps the question you should be asking yourself is: why weren’t we doing the right thing in the ﬁrst place? SR [CONTACT THE EDITOR] Email nathan.skinner@strategic-risk.eu or follow me at twitter.com/StrategicRISK

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

01_Leader_SRApr12.indd 1

15/03/2012 17:22

CONTENTS [ APRIL 2012 ]

Rife corruption in Putin’s Russia is a major issue for foreign companies doing business there

Governments and their love of legislation may not be enough to slay the recessionary monster

News & Analysis

Risks

[ THE LATEST BUSINESS ROUND-UP ]

[ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]

8-11 12 Special Report

Cyber risks Contents

26 28

Worms and virtual warfare Cyber attacks – such as that on Iran’s nuclear facilities – are a growing risk for businesses Keeping it conﬁdential The increasing number of hacking attacks has made data protection a top priority Anti-social media Social media offers companies opportunities – but there is a downside as some have found

[ ETHICS ][ COMPLIANCE ][ REPORTING ]

This special report has been produced with input from Chartis: Shanil Williams, VP financial lines shanil.williams@chartisinsurance.com Steve Bonnington, VP financial lines steve.bonnington@chartisinsurance.com

16/03/2012 17:18

SPECIAL REPORT

Cyber risks 25-28 An in-depth look at all things cyber, from worldwide digital espionage to hacking attacks and intellectual property the

Taming the monster The recessionary beast refuses to die and goverments are under pressure to act – but fast-tracking legislation to please the public may not be the best mode of attack

[ PEOPLE ][ OPINION ][ COMMUNITY ]

SPONSORED BY

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

Foregone conclusion When giants like Ikea decide against Russia expansion due to systemic corruption, how can smaller companies make it work? RISK ATLAS: Global health From stomach bugs to diphtheria, our map plots where employees are most at risk of illness. Plus tips on travelling more safely

Governance

[ CYBER RISKS ]

25_28_SpecialReport_SRApr12.indd 25

Viewpoints

CYBER RISKS

HE GROWTH OF THE INTERNET HAS CREATED A NEW business and personal environment. Communication – and reaction – is almost instantaneous. Programs allow customers’ details to be stored immediately. Social networking allows businesses to reach a far wider audience than their existing business base and potential readers of advertisements. This new environment has evolved very quickly, and it is still developing. Unfortunately, so are the associated threats and risks. The most common risk businesses face is data theft. As internet banking and e-trading have become accepted activities, corporations have had to protect the information their customers entrust to them. But data breaches have become common, raising questions over website security. European countries have developed their own rules and penalties but inevitably the European Commission is wading in with a proposed new regime across member states. Far less easy for legislators to tackle is the issue of social networking and how freely employees can express themselves as regards their employer and colleagues. Different countries take different views. In the USA, for example, it seems that the right of employees to criticise their employers in some cases is defended more rigorously than it is in some European countries. But other, possibly more dangerous, threats are emerging. Cyber espionage – theft of conﬁdential corporate information – appears to be increasing. The use of viruses to attack the systems that companies use to run their businesses may also be growing. The frightening aspect of such activity is that it may not be easily detectible, and associated losses could be huge. The theft of a strategic plan or R&D results – or tampering with systems that run an integral part of production – could annihilate proﬁts. In a virtual world, companies have to accept that any breach of IT security is likely to have a major impact on their reputation. In the future, it may be that those companies that can demonstrate superlative security are the winners.

News Matrix Five arrested in FBI hacker bust; risk of a Mid-East war grows to 60%; and the least law-abiding states Risk Indicator Just how did hacker group Anonymous access ﬁve million emails belonging to private intelligence company Statfor? News Analysis Surviving in the public eye; Libya’s new future risks running into the sands COVER STORY: War of the cyberworld Businesses need to bolster their defences if they hope to win the ﬁght against the hactivists – it’s a war out there

19 36

The seven deadly sins of risk management From complacency over your business model to relying on the past to predict the future, there are many common pitfalls for a risk manager to avoid Am I insured for that? Martin Sijmons of Scania says insurance can be a lonely place, but a major loss will certainly remind people of its importance The Viking spirit Did our editor manage to complete the annual ice-skating challenge this year? Headspace Prysmian’s Alessandro De Felice offers his secret recipe for the perfect espresso

Theory & Practice [ INSIGHT ][ CASE STUDIES ][ BEST PRACTICE ]

Protect against health and safety prosecution Directors can be prosecuted for health and safety offences even when no injury has occurred. Learn how to protect yourself Four steps to beating the cyber spies The top risk management minds of the SR100 met to discuss how companies really view and handle cyber risk Innovate to mitigate effects How must local authorities develop risk management in the face of spending cuts

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

02_Contents_SRApr12.indd 2

16/03/2012 17:25

Know more. Achieve more. Creating the world’s largest cruise ship requires a trusted partner. That’s why Royal Caribbean International® trusts in the expertise of Allianz Global Corporate & Specialty – covering the most complex business risks worldwide. www.agcs.allianz.com

With you from A-Z Jason Liberty, Vice President Royal Caribbean International® Corporate and Revenue Planning & Insurance

SR_Ad_Page_ID.indd 1

14/03/2012 10:36

NEWS MATRIX [ THE LATEST BUSINESS ROUND-UP ]

Top 10 essential online stories 10 08 04

01 PRACTICES

07 05

Oil industry’s poor risk management

02 06

Oil companies are facing an increasingly volatile risk landscape and need better risk management practices, warned management consulting ﬁrm Oliver Wyman. Risk management has not yet been embraced properly by oilers, but it could maximise their commercial potential and help overcome major challenges. For now, though, inconsistent and insufficient risk strategies are holding back the oil giants and could easily have catastrophic consequences far beyond the company itself. Oliver Wyman said oil companies should implement a four-step risk management programme to: deﬁne risk appetite; prioritise risks; aggregate risks; and link risks to strategic decision making. Marsh’s Global Energy Practice chairman, Jim Pierce, said: “Taking a more strategic approach to risk management is a vital step in the evolution of oil companies, if they are to maintain their competitiveness and contribute to their countries’ continued economic success.” web. goo.gl/MjNrC

Rex Features

04 CYBER ATTACK

02 ENERGY

Oil-rich Eastern Libya could declare autonomy Eastern Libya is likely to declare itself an autonomous entity within a federal Libya, according to specialist intelligence company Exclusive Analysis. Political and military leaders from the Libyan region of Cyrenaica indicated they would meet to declare the region a self-governing entity with its own parliament. Such a move would have a severe effect on energy companies operating in Libya, as well as infrastructure contractors, including in the aviation, power and water sectors. East Libyans, who by deﬁnition are 25% of Libya’s population, are likely to seek control over oil ﬁelds in their region, which makes up for 66% of the country’s entire production. web. goo.gl/JQHuD

03 INSURANCE

Latin American market grew nearly 20% in 2010

Five arrested in major hacker bust by FBI Three members of hacking group Lulzsec were arrested and two more charged with conspiracy on 6 March, based on information provided by Lulzsec’s leader, who has been secretly working for the FBI. Hector Xavier Monsegur organised the international team of hackers but became a co-operating witness a er the FBI unmasked him last June. Monsegur pleaded guilty on 15 August to 12 hacking-related charges. His co-operation led to the arrest of Lulzsec’s remaining top ranking members. Lulzsec is an offshoot of the hackers’ network Anonymous, which recently stole and published millions of conﬁdential emails from security company Stratfor. web. goo.gl/6YyyS 05 LEGAL CHALLENGE

The insurance sector in Latin America is on the rise, according to the 10th Latin American insurance market report by Mapfre. Analysing 19 Latin American countries, the report conﬁrmed a 19.3% rise in premium volumes in 2010 compared to the previous year, reaching €91.37bn. All markets except Venezuela reportedly achieved a nominal increase in premium volumes. The greatest growth was experienced by Peru with 42%, Brazil with 39.4%, Chile with 36.6% and Uruguay with 35.1%. Brazil is still the largest market in the region with a 42.5% share, while the report reﬂects that the eight largest insurance markets accumulated 95.1% of premiums. This growth, the report pointed out, was favoured by the appreciation of most local currencies against the euro. web. goo.gl/o5kpj

NY ruling applauded RIMS (the Risk and Insurance Management Society) commended the New York Court of Appeals for upholding a ruling that requires insurance producers to disclose sources of compensation. In January last year, the New York Insurance Department issued its ﬁnal rule, known as Regulation 194, requiring brokers to disclose all the compensation they receive as a result of the sale of insurance. Immediately, some trade associations challenged the ruling claiming that the state’s insurance superintendent acted outside his authority. It was this challenge that the Court of Appeals struck down. web. goo.gl/1wMLY

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

04_05_NewsMatrix_SRApr12.indd 4

15/03/2012 17:05

LINKS TO THE WEBSITE About goo.gl Type the goo.gl address into your web browser to access our recommended articles from strategic-risk.eu

Index ranks the least law abiding states Myanmar, South Sudan and Turkmenistan are among the countries offering the least legal protection for foreign companies and investors, a new study by Maplecro found. The Rule of Law index rated 197 states on their judicial independence and efficiency and measured the extent to which regulations and policies are implemented in a transparent manner. Multinational companies and investors should be aware of the “extreme risk” they are exposed to in certain energy-rich countries, the report noted. web. goo.gl/6I9BK Rule of law: 10 of the worst 1. Myanmar

6. Cambodia

2. North Korea

7. Afghanistan

3. Somalia

8. Syria

4. Turkmenistan

9. Angola

5. Cuba

10. Iraq

07 IRAN

Risk of a Mid-East war grows to 60% The risk of a war breaking out between Iran and Israel is increasing, according to Exclusive Analysis. It thinks the probability of an Israeli strike against two or three Iranian nuclear facilities has risen from about 50% in April last year to 60% from September. Among reasons highlighted by the company was an “increased US preparedness”. “This is signiﬁed by the current presence of enhanced ballistic missile defence capability,” said Exclusive Analysis. US forces have also upgraded their military capabilities in the region, making it possible for them to penetrate the underground defences of Iran’s uranium enrichment plant in Fordow. web. goo.gl/oYlrC

10 REPUTATION

Reuters Rex Features

06 RULE OF LAW

Less than 10% of reputational risks are insurable

08 WEATHER

Severe storms wreak havoc across USA, Europe and Asia Natural catastrophes in the USA, Eastern Europe and Asia have killed thousands of people and caused millions of euros’ worth of damage, reported Aon Benfield. A powerful storm system in February swept through parts of central and eastern USA, killing at least 13 people and injuring more than 200 others. The US Storm Prediction Center confirmed at least 36 tornado touchdowns in more than 10 states, with total economic and insured losses likely to reach into the hundreds of millions of dollars. The severe outbreak was topped off by a force 4 tornado in Harrisburg, Illinois, which caused considerable damage. Outside the USA, Eastern Europe continued to be hit by extreme cold and snow during the first half of February. Impact Forecasting president Steve Jakubowski said: “Following last year’s record number of tornado-related casualties and the nearly $26bn [€19bn] in insured losses sustained due to severe weather events, there is a heightened sense of awareness for the peril in 2012.” web. goo.gl/1Cjp7 09 RESILIENCE

BRICs unable to withstand shock Brazil, Russia, India and China are no better placed to withstand shocks from major risk events than they were four years ago, a report says. Maplecro ’s Global Risks 2012 indicated that strong economic performance by the BRIC countries has not translated into improved societal resilience or governance. This constrains their ability to adapt and combat potential shocks from pandemics, terrorism, conﬂict, resource security, economic contagion and climate change. This resilience is increasingly important as these countries become central to the global economy’s fortunes. But, according to the research, none have improved, despite GDP growth from 2009 to 2012 of 16% for Brazil, 13% for Russia, 28% for India and 32% for China. Maplecro chief executive Alyson Warhurst said: “Resilience to external and internal shocks is built up over time, so as the BRICs’ political risk environment improves we might see resilience strengthen.” web. goo.gl/v133T

More than 90% of the 600 corporations questioned in a survey by insurance broker Willis suffered at least one major reputational crisis in the last 20 years, but less than 10% of those were insurable. The reasons for these reversals are difficult to predict. Willis warned of a lack of viable insurance solutions for reputational risk. “Our standard insurance products aren’t designed to help out when reputation is damaged, except when a policy against a peril, like product recall, coincides with a fall in reputation. But even then the sums paid are not enough to turn the heads of any reputation stakeholder,” warned Willis Global Solutions Consulting Group chief executive Phil Ellis. web. goo.gl/mbHxb

Online contents Most commented on stories Infographic: The risk universe in 2012 web. goo.gl/Izl5a Risk management at oil companies trashed web. goo.gl/tMZAv Risk Dashboard: A sample of SR100 views web. goo.gl/cIQQv Risk managers rely too much on technology web. goo.gl/hoXuC

Analysis What chance of a ‘Russian Spring’? Vladimir Putin’s re-election has sparked widespread protest. But support for him remains strong, according to JLT’s Elizabeth Stephens web. goo.gl/DT3rE Hackers could be targeting you To help companies safeguard their data, Imperva released an analysis of the methods used by hackers web. goo.gl/DuCvV

www.strategicrisk-.eu [ APRIL 2012 ] StrategicRISK

04_05_NewsMatrix_SRApr12.indd 5

15/03/2012 17:05

RISK INDICATOR [ VISUALISING DATA AND TRENDS ]

<The hacker’s tool kit> <x> Crowd sourcing Anonymous’s main innovation is its ability to recruit thousands of people to perform denial of service attacks. This relies on Anonymous making a compelling case for an attack. It also means that, if you’re monitoring the right places, you may be given prior warning of an upcoming attack.

CYBER ATTACK

Getting the message Millions of emails stolen by hackers from intelligence ﬁrm Stratfor are being made public by WikiLeaks

<x>

ROVING THAT EVEN INTELLIGENCE EXPERTS AREN’T IMMUNE TO BEING attacked by hackers, ﬁve million emails belonging to US-based Stratfor, a private intelligence company with ties to the CIA, were obtained by the hacker group Anonymous and released by WikiLeaks, the whistle-blowing website. Anonymous said in early 2012 it had stolen the email correspondence of some 100 of Stratfor’s employees and was planning to publish the data so the public would know the “truth” about Stratfor operations. WikiLeaks began publishing the hacked emails on 27 February. The emails could unmask Stratfor’s network of secret sources and shed some light on the company’s vague description of itself as a publisher with an “intelligence-based approach to gathering information”.

<1>

Low-quality data The most striking revelation from the disclosure, according to the Guardian, a le -leaning British newspaper, is the extremely low quality of the information Stratfor makes available. Commenting on the way Stratfor analysts worked in the Middle East, daily Arabic language newspaper Al-Akbar’s Beirut, Lebanon-based associate editor Jamal Ghosn told the Guardian: “They used Google to translate to read Al-Akbar news articles. This is a guaranteed way for good intelligence to be lost in translation.” Responding to the leak, Stratfor founder and chief executive officer George Friedman called the hack a “deplorable, unfortunate – and illegal – breach of privacy”. In an online video posted shortly a er the news broke, he said: “Some of the emails may be forged or altered to include inaccuracies. Some may be authentic. We will not validate either, nor will we explain the thinking that went into them. Having had our property stolen, we will not be victimised twice by submitting to questions about them.” Stratfor stressed that its systems had been rebuilt and made secure since December, when the emails are believed to have been stolen.

The company said: “For subscribers and friends of Stratfor, we stress that the disclosure of these emails does not mean that there has been another hack of Stratfor’s computer and data systems. Stratfor’s data systems, which we have worked hard to rebuild since the December hack, remain secure and protected.” In an interview with Reuters, WikiLeaks founder Julian Assange said of Stratfor: “Here we have a private intelligence ﬁrm, relying on informants from the US government, foreign intelligence agencies with questionable reputations and journalists.” Assange said that the emails reveal that Stratfor has recruited a “global network of informants who are paid via Swiss banks accounts and pre-paid credit cards – which includes government employees, embassy staff and journalists around the world”. This, he said, “is corrupt or corrupting because Stratfor is a private intelligence organisation that services governments and private clients.” On the day that the leak was made public, Imperva, a data security company, released a report analysing how a typical Anonymous attack works – this analysis is illustrated in the infographic opposite. SR

<There are three distinct phases> <1> Recruitment and communication: Illustration: Jamie Sneddon

WikiLeaks founder

A small group of instigators use social media to elicit support and recruit for an attack. For example, YouTube videos are used to promote and rationalise the attack, while Facebook or Twitter followers are dra ed in as volunteers to participate in the hacking campaign.

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

06_07_RiskInd_SRApr12.indd 6

16/03/2012 10:48

MEGA RISKS

<y> SQL injections

<z> Low-orbit ion cannon

Malicious code is inserted into a website and attacks from within. A popular tool for SQL injection is Havij, probably invented in Iran, which is designed to penetrate applications and steal data. It takes advantage of common vulnerabilities found in many websites.

Designed by hackers using open source so ware as a tool for performing denial of service attacks. It probably consists of a few hundred lines of code and uses a web browser (on a PC, Mac or mobile) to ﬂood a victim’s website with excessive traffic (thereby shutting it down).

Top ﬁve [ DEADLIEST DISEASES ]

<y> <z>

3. 4.

<2>

AIDS/HIV: Since its discovery in 1982 HIV/AIDS has claimed twenty ﬁve to thirty million lives. Almost 70% of people with the disease live in Africa. . Tuberculosis: It claims millions of lives each year – it is estimated that at least one person contracts TB every second. Malaria: Almost one billion people contract malaria each year. At least one million die from the disease. Cholera: Cholera is still present in many water supplies around the world. It’s very difficult to stop. Only 50 years ago a cholera outbreak in the Middle East claimed 30,000 lives. SARS: Although it didn’t claim so many deaths, SARS goes down as one of the fastest-spreading diseases ever.

OVERHEARD

“Soundbites” ‘We do try to learn from the mistakes of the past. But we are in what seems to be new territory right now and governments are unsure about what to do’

<3>

Colin Campbell Arcadia Group >>see Governance, page 29

‘My sailing boat is not just a possession but a passion of mine. Sometimes I think my wife would prefer it if I took a lover’ and application <2> Reconnaissance layer attack: Once sufficient numbers have been recruited, the second phase begins. About 10-15 skilled hackers probe the website’s vulnerabilities to identify weaknesses that could lead to a data breach.

denial of service <3> Distributed (DDoS) attack: If phase 2 fails to expose the hidden data, Anonymous appeals to its ‘non-technical’ members (or lay people). Several hundred to a few thousand then download attack so ware (such as the Low Orbit Ion Cannon) and perform a DDoS attack. Source: Imperva, a data security company

Alessandro De Felice Prysmian >>see Headspace, page 36

‘Cyber risk is by far the most crucial group of risks for companies using networks and telecommunications and the cloud’ Paolo Rubini Telecom Italia >>see Risk Innovation, special supplement

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

06_07_RiskInd_SRApr12.indd 7

16/03/2012 10:10

NEWS ANALYSIS [ CONTEXT & INSIGHT ]

MANAGEMENT CULTURE

Surviving in the public eye The Italian cruise ship tragedy in January demonstrated that there is nowhere to hide from the all-seeing eye of the camera phone today. But, given the opacity of many management structures, this may not be a bad thing HE WRECKING OF THE CRUISE SHIP Costa Concordia off the coast of Tuscany on 13 January seems to have contained all the elements of a farce. If 32 people had not lost their lives, the media reporting might have been even less restrained. As it was, the picture presented to the wider world – of a captain endangering his ship by sailing too close to shore to show off to a former colleague and then attempting to direct the evacuation process from the safety of a lifeboat – scarcely seemed credible. In due course, the media found a Moldovan dancer and a conversation with an outraged coastguard official to add to the mix. On YouTube, videos of the scenes on board the vessel rapidly appeared, while the Italian TV5 channel came up with one (also on the web) that purported to show the confusion and indecisiveness of the staff on the bridge.

Nowhere to hide The results of the official investigation into the disaster are yet to appear, but whatever they turn out to be, the damage to reputations has already been done. When a relatively slow-moving emergency situation involves 4,000 people, most of whom possess mobile phones capable of taking video, it is only to be expected that the event will soon be up for detailed scrutiny by everyone with an internet connection. The evidence may not be trustworthy (editing suites are almost as ubiquitous as cameras), but it is what the world will base its judgement on. Such is the pace of growth in “citizen reporting” that nobody ought to expect a physical emergency of any kind – however small – to go unreported or unﬁlmed. So, one question for risk managers is: How would your crisis management look on YouTube?” Because, if you have a ﬁre, an evacuation or a safety incident of any kind, this is where it could be seen. Does your staff training measure up?

Reuters

There is a bigger question that arises from the Costa Concordia disaster, to do with the command chain. In some ways, it is the opposite of the Air France ﬂight 447 crash (StrategicRISK, 9 October 2011). In that situation, automatic systems handed over command to a crew who appeared not to have coped. On the Italian ship, it appears that the captain deliberately overrode the automatic course-deviation warnings to perform his “sail past”.

Follow the leader In certain professions, such as the military, aviation and shipping, the prevailing culture is of instant, unquestioning obedience to orders – for good and obvious reasons. But the risk is equally obvious. If the person at the top gives an order that is

‘Few businesses face this kind of emergency, but the ﬁgure of the ambitious chief executive with a lust for unfettered command is all too common’

Media reporting of the Costa Concordia disaster was extensive, and muted only by the fact there were 32 fatalities

gravely misguided or, as appears to have happened on the Costa Concordia, subsequent orders are confusing or delayed beyond sense, the chain of command fails in its duty because nobody can question it. There are neither checks nor balances – and disaster follows. Most businesses have the luxury of seldom facing the kind of emergency that requires instant obedience to orders. Yet the ﬁgure of the ambitious chief executive with a lust for unfettered command is all too common. Despite the reams of paper that have been dedicated to good governance, we continue to see organisations – big and small, public and private – jeopardised by bad decisions taken at the top going unquestioned. In too many places, the prevailing culture is that if you do not agree with the decisions of top management, you resign – probably signing a gagging agreement on the way. This is not a good culture for the modern organisation to embrace. It is a quick way to end up on the rocks. SR

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

08_NewsAnalysis_SRApr12.indd 8

15/03/2012 17:23

Photos : Creatas, Photodisc, Enrique Algarra/PIXTAL, DigitalVision, Juliet White/Gettyimages -

a redeďŹ ned vision of service

a reliable company available teams attentive advice

www.axa-corporatesolutions.com

SR_Ad_Page_ID.indd 1 1 239x309_Strategic_risk.indd

14/03/2012 10:48 10/04/09 14:56:36

Corbis

NEWS ANALYSIS [ CONTEXT & INSIGHT ]

UNREST

Libya’s new future risks running into the sands Largely out of the headlines since its civil war ended, Libya remains unstable, with the threat of renewed unrest because of frustration over lack of progress and the threatened breakaway of the oil-rich eastern region

OPULAR DISCONTENT IN LIBYA IS ON the rise as the population becomes increasingly frustrated with the lack of economic and social progress since the revolution, according to intelligence experts. There is even a risk that the oil-rich eastern region could break off from the rest of the country. A er the civil war, which began with protests in Benghazi in February last year, hopes were boosted about new investment opportunities in the country. But, today, Libya is far from stable. The National Transitional Council’s (NTC) offices in Benghazi were looted

recently, a symptom, analysts say, of rising public disaffection with the governing council’s achievements so far. Companies with operations, or plans to invest, in Libya face considerable strategic and tactical risks, according to a report by risk consultants at Aegis Advisory.

Uprising imminent On 10 February, almost a year to the day since the civil war began, Saadi Gaddafi (third son of the former Libyan leader, Colonel Muammar Gaddafi) announced that he was in close contact with Libyans who are unsatisfied with the interim

Security risks in the Middle East TURKEY TUNISIA

LEBANON ISRAEL

MOROCCO

SYRIA IRAN

IRAQ JORDAN

ALGERIA

LIBYA EGYPT UAE SAUDI ARABIA

OMAN

TRIPOLITANIA CYRENAICA

YEMEN

FEZZAN

Libyan regions

3 Permissive

10 Non-permissive

government. He warned of an imminent uprising. “The Libyan people should revolt against these militias and against this deteriorating situation. The NTC is not a legitimate body and is not in control of the militias,” Gaddaﬁ said. With elections on the way in the summer, discontent is only set to rise, Aegis says. Militias are dominating the streets, security is poor and crime is rising. According to the Aegis report: “The frustration of the people is abundantly clear. Every word spoken on the streets is pulsating with fear over limited opportunities and disillusionment. There is no improvement in sight.” The security situation in the capital, Tripoli, is “unpredictable” and “deteriorating”, the Aegis report states. Foreigners are particularly at risk at night. Meanwhile, outside Tripoli the situation is even worse. Gaddaﬁ’s former stronghold of Bani Walid, a

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

10_11_NewsAnalysis_SRApr12.indd 10

15/03/2012 16:49

Libya’s region of Cyrenaica is threatening to declare itself independent: it accounts for 66% of the country’s oil production

town 110 miles south-east of Tripoli, should be avoided altogether, they say. Security concerns are shared by the international community. A UN Special Representative for Libya recently told the Security Council: “The threat from weapons falling into the hands of groups like Al Qaeda and the Islamic Maghreb is great.”

Control of oil ﬁelds More worrying, East Libyans in Cyrenaica (see map), who make up 25% of Libya’s population, are likely to seek control over oil ﬁelds in their region, which accounts for 66% of the country’s entire production, according to another specialist intelligence company, Exclusive Analysis (EA). This would hit energy companies and infrastructure contractors operating in Libya, including in the aviation, power and water sectors. Cyrenaica, which extends from the central coastal city of Sirte to the Egyptian border, is

‘The frustration is abundantly clear. Every word on the streets pulsates with fear over limited opportunities and disillusionment’ Aegis report likely to declare itself an autonomous entity within a federal Libya, says EA. The prediction follows some eastern Libyans’ refusal of the proposed allocation of seats in the planned Constituent Assembly, due to be elected in June 2012, and the formation of a self-declared ‘Barqa’ (Cyrenaica) Army. This information is unconﬁrmed and based on EA’s assessment of political and violent risks in Libya. Political and military leaders from the Libyan region of Cyrenaica indicated they would meet in the coming weeks and declare their region to be

self-governing with its own parliament. If Cyrenaica goes ahead with the breakaway, contract risks will increase for companies with business in the area, EA warns. It would also affect oil buyers worldwide because they would be uncertain who to deal with. A break-up could also precede all-out war. The Tripoli government’s rejection of Cyrenaica’s likely declaration of autonomy could lead to conﬂict, particularly near Sirte, where EA’s analysts expect forces to form a defensive line. The Tripoli government is not expected to have the military capability to impose its will on Cyrenaica. Any hopes for future stability in Libya should be viewed with scepticism, Aegis’s report concludes, which also points out that most Libyans do not understand the purpose of political parties and o en see their existence as divisive rather than as an expression of democracy. SR

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

10_11_NewsAnalysis_SRApr12.indd 11

15/03/2012 16:50

NEWS FEATURE [ COVER STORY ]

CYBER ATTACK

War of the cyberworld

YBERSPACE HAS BECOME THE FIFTH DOMAIN OF warfare, after land, sea, air and space, according to a recent article in the Economist. According to a high-ranking intelligence source, an estimated 20 countries are ‘sophisticated’ enough to launch a serious cyber attack, including the USA, UK, China, France, Israel, and Iran, which boasts the second-largest cyber army. But while nation states around the world are busy building cyber warfare arsenals, there is another front opening up and the foes aren’t all that evenly matched. On one side is a global force of hackers – from sophisticated cyber-criminals, to online activists with subversive political aims, or groups of individuals hired to steal company secrets – on the other are the often woefully unprepared corporate security defenders. Computer security experts do not underestimate the size of the problem. Cyber attack has been recognised by the UK government as a top security concern and, in an otherwise ﬁscally austere budget, another £650m (€775m) has been allocated to help bolster the country’s cyber defences. Each day, GCHQ, the UK’s spy centre, monitors 80-90 million cyber “incidents”. Meanwhile, one risk manager who wished to remain anonymous told StrategicRISK that his organisation is subjected to thousands of attempted cyber attacks every day. From a corporate perspective, one of the most serious cyber threats is to intellectual property, which is extremely valuable in the wrong hands, often highly vulnerable and easily stolen from electronic systems without anyone ever noticing.

Illustration: Jamie Sneddon

There’s a battle going on out there, with ‘hacktivists’, spies and criminals trying to steal corporate and government secrets, and cyber security experts struggling to stop them

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

12_14_NewsFeature_SRApr12.indd 12

16/03/2012 12:49

Key points 01: An estimated 20 countries have the capability to launch cyber attacks on other nations 02: The most serious threat to companies is intellectual property the 03: A common weakness in IT security is not understanding who the attackers are

As McAfee vice-president of threat research Dmitri Alperovitch says: “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised, or will be shortly, with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.” Cyber experts sometimes add a third category to this list: companies that know they’ve been attacked but don’t care. Business leaders can be reluctant to spend the large sums needed on cyber security if there’s no immediate or obvious return on their investment. If intellectual property goes missing it may be some time before a competitor can use that information to their advantage. New products, even with stolen designs, take time to build, for example. As a result there may be no impact on share price or profits for a while. But over time this compromised information can be used to erode a victim’s competitive edge. In the hands of a competitor, the stolen information could be used to build a better product or beat the victim to a key negotiation.

Unsophisticated and opportunistic

‘Cyber espionage Is the rate of intrusions, or ‘compromises’ in the technical jargon, on the rise or is it a new represents a massive phenomenon? “I find this question ironic,” says economic threat, not just Alperovitch. “Because these types of exploitations have occurred relentlessly for at to individual companies least a half decade, and the majority of the recent but to entire countries’ disclosures have, in fact, been a result of relatively unsophisticated and opportunistic exploitations.” Dmitri Alperovitch McAfee Hacker groups like Anonymous and Lulzsec, which recently suffered a blow when one of its founding members turned out to be working for the FBI (see box, overleaf), seek notoriety by stealing organisations’ secrets or attacking government websites. But targeted attacks are much more insidious and occur largely without public disclosures, warns Alperovitch, and they present a far greater threat to companies and governments as the adversary is tenacious and persistent in achieving their objectives. “The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat.” “Cyber espionage represents a massive economic threat, not just to individual companies but to entire countries that face the prospect »

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

12_14_NewsFeature_SRApr12.indd 13

16/03/2012 12:50

NEWS FEATURE [ COVER STORY ]

Operation Shady RAT 71 compromised organisations

» of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that suddenly lose out to unscrupulous competitors in another part of the world.” McAfee recently uncovered a shocking high-level hacking campaign, dubbed Operation Shady RAT, which involved infiltrating computer systems from national government to global corporations and non-profit organisations, with more than 70 victims in 14 countries. From ‘secure servers’ the perpetrators lifted countless government secrets, e-mail archives, legal contracts and design schemes – see chart, right, showing which types of organisation were affected and where they were located. The most common weakness in most organisation’s IT security is lack of an understanding of who the attackers are. As a result, companies often don’t know how to target their defences. If, for example, you know that your competitors are desperate to get hold of the designs for a new product you’re about to launch, you know to bolster your defences around this key corporate asset. In an investigation into the Operation Shady RAT plot, which ran for five years, McAfee offered some explanations about how the intrusions typically worked. The standard procedure was for a ‘spear phishing’ email containing an exploit (a piece of software or code that takes advantage of a bug or other vulnerability) to be sent to an individual with the right level of access at the company. The exploit, when opened on an unpatched system, would trigger the download of the malicious implant software. That malware executed a backdoor communication channel to the command and control web server. Afterwards, live intruders jump onto the infected machines and move laterally around the organisation establishing more footholds via other infected machines.

Stolen emails published on WikiLeaks These types of electronic attacks are normally perpetrated by different agents than, say, online smear campaigns. Anonymous, one of the most famous ‘hacktivist’ groups, is a loosely co-ordinated global collective with shared ambitions and motivations. On their Twitter account (@AnonOps) members describe themselves as “ﬁghters for internet freedom”, but this hides the full extent of the growing global movement. Anonymous has strong ties to WikiLeaks, as demonstrated by a recent intrusion into US intelligence company Stratfor’s private communications. Last year Anonymous announced that it had stolen the email correspondence of 100 of Stratfor’s employees. In February WikiLeaks began publishing the hacked emails, unmasking Stratfor’s network of secret sources that it relies on to publish intelligence insights for public and private sector clients. But Anonymous suffered a blow in March when 25 members of its Spanish wing were arrested when law enforcers swooped in Latin America and Europe. The suspects were involved in cyber attacks originating from Argentina, Chile, Colombia and Spain that targeted sites including Colombia’s defence ministry and presidency and Chile’s Endesa electricity company and national library. Two of the suspects were only 17. “We hope you understand that we are not hackers on steroids. We are activists and what happens in the world matters to us,” said one of the defendants. The extraordinary thing about Anonymous is the way it recruits a critical mass of sympathisers to participate in its online campaigns. At its heart Anonymous is a group of highly skilled hackers that revel in exposing what they see as moral outrages perpetrated by

USA 49

Government

Electronics/IT/ communications

Defence contractors

Real estate/ ﬁnancial services

Heavy industry/ energy

Geographic locations of the targets

Non-proﬁt

Indonesia, Vietnam, Denmark, Singapore, Hong Kong, Germany, India 4

Canada Taiwan Japan, South Korea, Switzerland, UK

organisations that represent the status quo. But if these highly skilled hackers fail to penetrate a victim’s security systems then Anonymous launches an online marketing campaign, using Facebook, Twitter and YouTube videos to encourage thousands of other activists to get involved. These aspiring hacktivists don’t necessarily need any technical skills, just a willingness to participate. By downloading relatively simple open source software, which can be launched via any web-enabled device (including mobile phones), the wider Anonymous community targets the victim’s website to bring it down with excessive traffic. This is exactly what happened during Operation Payback, which targeted the MasterCard and Visa websites when they stopped allowing payments to WikiLeaks. This demonstrates the power and influence that Anonymous now holds. Getting your corporate IT defences right is the first step in mitigating some of these threats (see Theory & Practice, page 34). But it’s also worth noting that old tricks work the best. The sturdiest IT security in the world is meaningless if a fraudster calls one of your employees and tricks them into giving up a security passcode. And putting customer experience before cyber security can be a mistake. South Korea’s largest consumer-finance firm, Hyundai Capital Services, learnt the hard way when hackers demanded a ransom to prevent the release of stolen, confidential data. Hyundai’s chief executive now recognises the full extent of the threat. “We are now slowing down the whole organisation. How things look and how they work is now secondary. Security is now first.” SR

Lulzsec members arrested THE FBI ARRESTED FIVE OF THE TOP members of the infamous hacking group Lulzsec in March, acting largely on evidence provided by one of the group’s founding members who had been working for the FBI for months. According to the FBI, the mole was 28-year-old father of two Hector Xavier Monsegur, an inﬂuential member of three hacker groups, Anonymous, Internet Feds and Lulzsec, which are allegedly responsible

for cyber attacks against various businesses and organisations throughout the world. Among other things, including bank fraud, the authorities claim that Monsegur was involved in cyber attacks, including the the and dissemination of conﬁdential information as well as denial of service attacks against Visa, PayPal, MasterCard, Sony, Fox and the governments of Algeria, Yemen, Tunisia and Zimbabwe.

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

12_14_NewsFeature_SRApr12.indd 14

16/03/2012 12:50

Viewpoints

[ PEOPLE ] [ OPINION ] [ COMMUNITY ]

> My top risks ........................... 18 Local regulations and inadequate insurance, as well as the ERM frenzy are Martin Sijmons’ top worries

Andrew Leslie, EUROPEAN EDITOR, STRATEGICRISK IN MY OPINION

The seven deadly sins of risk management Forget sloth, gluttony and lust, these are the vices all risk managers must work hard to avoid

F RISK MANAGEMENT WERE A CLINICAL, mathematical process similar to working out the mechanical stresses on a bridge, for example, we would all be a lot happier. Unfortunately, it also involves that squishy, unreliable construct – the human being. Forgetting this can lead the risk manager to overlook the deadly sins.

Complacency When things are going well, organisations, like human beings, are tempted to relax and assume that tomorrow will be the same as today. The focus is on perfecting past success, not on innovation. This comfortable delusion can be rapidly disturbed, perhaps by an unforeseen event, but more probably by the increasing rapidity of technological change. Kodak, one of whose employees actually invented digital photography, is the latest in a long line of seemingly invincible companies that failed to move with the market. Founded in 1892, it applied for bankruptcy in 2012.

Believing the numbers Look no further than the credit crunch for examples of placing too much belief in data. Models have their place, but data can be wrong and assumptions can turn out to be false. A ‘thousand-year event’ could happen tomorrow. The Fukushima nuclear disaster is an example of this. Anti-tsunami barriers were 5.7 metres high; the height of the wave exceeded 10 metres.

Attempting clairvoyance It is tempting to rely on past experience to predict the future, especially if there are datasets going back decades. But this habit can be fatal, especially if it infects decision-making at a strategic level. Many retail companies have been mortally wounded by assuming that shopping patterns were ﬁxed and ignoring the exponential growth in online buying. Intelligence failure Organisations that do not listen carefully enough to their customers or their workforce are vulnerable. Presentations or reports that aggregate opinions are seldom a substitute for hearing directly from individual customers or staff. It is the best, perhaps the only, way of spotting problems before they develop into something worse. The notorious failure of call centres to live up to customer expectations took a long time to remedy, partly because the cost savings were so attractive that the voice of

the customer was ignored. Result: badly damaged reputations for the ﬁrms that did nothing.

Credulity It’s an age-old delusion that because something is expensive, it must be good. The opposite is all too often true. This is particularly so with IT projects – many organisations remain locked into IT systems that have never really worked well, but are too expensive to dump. Probably the best example ever is the UK’s ‘Connecting for Health’ – which was to take the NHS into the electronic age. Begun in 2002, it has consumed £12.4bn (€14.9bn), and is still not dead. In August 2011, a damning parliamentry report noted the failure. “The department has been unable to deliver its original aim of a fully integrated care records system Organisations that across the NHS.”

do not listen carefully enough to their customers or their workforce are vulnerable

Cowardice This is more common than bravery, despite the fact that bravery brings benefits. Cowardice is seen when things go wrong – first denial of responsibility, then grudging admission, then hiding behind lawyers, and finally niggardliness about putting things right. This sin is visible in a list of disasters and mistakes too long for comfort, with the 1989 wreck of the Exxon Valdez at the top. Growing evidence that chief executives are recognising the need to own up and communicate properly is welcome, but somewhat tarnished by the fact that organisational cowardice on a smaller scale – usually when dealing with whistleblowers – still infects many organisations. Obfuscation Obfuscation is the direct opposite of clear

communication. It is a sin, and a worse sin still if it is done deliberately. On a daily level it runs through most organisations like a disease, with jargon, metaphors and cliches that mean little or nothing being used to give the impression of endeavour and achievement. Obfuscation is not conﬁned to language – it can appear in numbers, charts and graphs. The risk is that things that should be clear are subject to misunderstanding, and that false impressions are given that things are better than they are. When the habit of wrapping communication in ambiguity spreads outside the organisation to the media interview or the annual report, the risk is heightened: stakeholders are not reassured by jargon. SR

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

15_19_Viewpoints_SRApr12.indd 15

16/03/2012 15:32

VIEWPOINTS [ PEOPLE ][ OPINION ][ COMMUNITY ]

Am I insured for that? Effective risk management is not just about plants and buildings. There is also crime and other less predictable risks – such as product breakdown liability – to worry about, Scania’s Martin Sijmons believes

EN YEARS AGO SWEDEN’S TRUCK AND ENGINE manufacturer Scania suffered a rare event – a €1.7m fraud at its subsidiary in Malaysia. That got Martin Sijmons, Scania’s corporate insurance manager, thinking. Here was a company with a long history of effective risk management of its extensive physical assets, including 17 production sites and 450 wholly owned garage/workshops. Indeed, Scania was one of the pioneers of Sweden’s highly efficient and much-admired Scania Blue Rating fire safety system, jointly developed in the 1990s with Willis, Cigna (now ACE) and Winterthur (now XL). Thorough, transparent and relatively simple, it’s based on a 23-point checklist performed on site. Adopted by most of Sweden’s commercials giants from competitor Volvo to retailer H&M, it’s considered a key element of the manufacturing economy. But the fraud confronted Scania with a risk of a different kind for which it was not properly prepared, in Sijmons’s opinion. It highlighted a need to be ready even for incidents and claims that happen less frequently. “Scania’s physical assets were well protected,” says Sijmons. “We knew how to do that. But we were not well enough prepared for a major crime loss and other less predictable risks. Insurers don’t typically do maximum possible loss scenarios for crime, product liability and director and officer liability that might expose the company to shareholder action.” For Sijmons, the difficulty is that the exposure is largely unknown, often regional or local, and therefore often more difficult to measure. “A physical risk is a universal risk,” he says. “A fire in a factory in Brazil is the same as a fire in France because there are common elements in these plants. But product liability is much more complicated. If a Scania school bus were to crash in UK, the company’s exposure would likely be very different if that were to happen in, say, Africa. Not only are the laws different, but so is the culture in terms of the value that is put on people’s lives, unpleasant as that is.” Similarly if one of Scania’s emergency generators failed to start up during a power blackout at a US hospital, the liability risk would most likely be substantial. Loss-of-life and other claims could result from a brake failure in a heavily laden truck or from an engine fire on a ferry that in a worst-case scenario led to its sinking. In short, any one of these could result in a catastrophe with long-tail consequences. “In such events it’s much harder to know if the sum insured is

CV 1981 Started in insurance as assistant to the account manager, Bekouw Mendez/Alexander & Alexander, Holland 1986 Became manager for international accounts, Bekouw Mendez/ Alexander & Alexander, Holland 1990 Joined Alexander & Alexander Scandanavia as international manager of the global business unit 1996-8 Specialised in public products liability for Aon Sweden 1998 Joined Scania as an insurance specialist 2001 Appointed manager of corporate insurance

correct,” he says. “But unfortunately underwriters appear less interested in these issues. I believe it’s something we need to look at. More has to be done.”

D&O risk on the rise The rise of shareholder claims against companies deemed negligent also concerns Sijmons as well as senior company executives. More and more frequently, he receives phone calls from top brass around the world asking whether they’re covered against the kind of class actions that are routinely prosecuted in the more litigious jurisdictions, as BP will vouch in the wake of the Deepwater Horizon disaster in US waters in the Gulf of Mexico. “I get questions from my directors in Brazil and Australia and elsewhere, asking: ‘What’s my risk if something like this were to happen?’” For a company operating in more than 70 countries, this is clearly a highly pertinent issue and Sijmons would like brokers and underwriters to put more thought and effort into it by identifying local or regional exposures. It would, for example, be helpful in assessing Scania’s ultimate exposure if it could draw on research showing the top five or 10 risks by region or locality. “I would not be surprised if Scania were to get a D&O liability claim from one of its smaller subsidiaries worldwide rather than a major claim made in Sweden against the parent company or its directors and officers,” he says. As for product liability exposure, it’s becoming more challenging by the year. This is especially true in fleet orders such as buses when the purchaser, often a global fleet owner operator or municipal authority, seeks to make the supplier responsible for just about every possible failure leading to an interruption in the service or business. “The larger buyers want to stick as much as possible into the contract,” Sijmons says. The fraud case in Malaysia illustrates the mounting financial exposure of firms such as Scania to risks not directly related to its products. Until the embezzlement occurred with the help of insiders at a local bank, Scania’s biggest loss had been the €680,000 that resulted from a fire at an engine test cell in Holland.

Agent of change The insurance of assets is generally seen as a largely static function – a back-stop for the company when an unwanted event occurs. But this is not the case at Scania, where Sijmons views the insurance process not as a mere indemnity but as an agent of change. When

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

15_19_Viewpoints_SRApr12.indd 16

16/03/2012 15:32

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

15_19_Viewpoints_SRApr12.indd 17

16/03/2012 15:32

VIEWPOINTS [ PEOPLE ][ OPINION ][ COMMUNITY ]

PERCEPTIONS

My top risks 1. Local regulations encroach on global cover The pressure coming from local regulations is forcing global companies to write local policies that may conﬂict with carefully constructed group cover. One of the many objectives of single group cover is the control it provides over claims handling. For example, it gives the company discretion at corporate level about whether to trigger a policy or not. But when local policies are issued as part of group insurances, we may ﬁnd that local subsidiaries actually trigger the group cover against the corporate interest. 2. Inadequate cover by foreign suppliers and customers It’s ironic that a growing number of countries require many western companies to have local policies while suppliers and customers in those countries who want to do business with us quite happily go without the very same cover that Scania is supposed to have. These include business interruption, products liability, directors’ and officers’ liability, to name some key covers. It can be pretty frustrating to be seen as coming from a different planet when asking potential suppliers and business partners in China and India, for example, to have a minimum level of cover.

‘Insurance can be a lonely function. But there’s nothing like a major loss in our ﬁrm or somewhere else to wake people up to its importance’ Martin Sijmons Scania

his six-person office is presented with a claim, it’s standard procedure to work back to the source of the problem. “Why did this happen?” is the operative question. Thereafter procedures must be put in place to prevent the event from happening again. “Incidents and claims must be visible,” he says. “All losses, big and small, should be reported to us. We mainly apply relatively small or zero deductibles. It may make for higher premiums but it means that almost all incidents and claims are reported to us.” Despite its obvious usefulness in identifying companydamaging practices, to a manufacturer such as Scania the insurance function can all too easily be regarded as, if not quite irrelevant, then certainly not centre stage. “Insurance can be a lonely function,” says Sijmons. “But there’s nothing like a major loss in our firm or somewhere else to wake people up to its importance.” He recalls an urgent phone call from a senior manager after the chief financial officer at another global company ran into legal trouble over failing to issue profit warnings as required by company law. “Am I insured for that?” he was asked. SR

3. ERM frenzy Many companies implement ERM functions or organisations without recognising the role of well-established corporate insurance or corporate risk management functions. It’s the thing to do. But far from ‘only’ buying insurance, as many think, a corporate insurance team like mine identiﬁes risk, measures it, avoids it, minimises it and ultimately ﬁnances its management. We regularly outperform other corporate units in clear loss scenarios, risk information tools and in performance. My company is on its own ERM path, with different corporate units and functions increasingly developing a common risk language, common tools and all that. A professional and robust insurance team should have a place in any successful company.

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

15_19_Viewpoints_SRApr12.indd 18

16/03/2012 15:32

Nathan Skinner, EDITOR,

Community update

STRATEGICRISK IN MY OPINION

The Viking spirit A

S I SLIPPED, SKIDDED AND CRASHED HELPLESSLY TO A soggy standstill on the solid icy crust of Lake Malaren, I looked around for my friends but they were nowhere to be seen. “See you in Stockholm,” was the last thing I remember hearing from Peter Den Dekker, the Dutch risk manager who’d roped me into this race in the first place, as he whizzed off gracefully towards the finish in Stockholm city. That’s what happens when you agree to take part in an ice-skating marathon with Dutch and Swedish ‘pro-skaters’ when you can barely stand up on ice. Not that I blame any of them (there were nine of us altogether, of varying degrees of ability, but I was clearly the novice of the group). After all, it’s not as if this was the first time I’d agreed to take part in the Viking Run, an 80km (50-mile) race that traces a Viking-era route from Uppsala to Stockholm. It’s a tradition that was started in February 2011 by Peter Den Dekker, as a way of promoting the Ferma conference (in Stockholm that year). Most of the risk managers left Stockholm when the conference ended in October, but I’d agreed to come back with a small band of them to take part in the Viking Run. Last year (some readers might remember) I’d only managed to make 67km. Having reached the final checkpoint, exhausted, at 3.15pm, I was promptly asked to exit the race. I was 15 minutes late and the safety conscious Swedes won’t let you continue once the light starts to fade. I was devastated. “Next year you have to complete the race, Nathan. It’s essential that you do that,” Den Dekker’s challenge still rung in my ears. I primed myself to take on the challenge for a second time. This time with my sights set on completing it. “Looks like the weather will hold,” mused Arjen Ronner, probably one of the most experienced skaters in our group as we prepared ourselves for the race on a teeth-chatteringly cold February morning. It didn’t last long. Almost as soon as we hit the ice in Uppsala the conditions nosedived. A strong headwind picked up and as the air warmed the ice began to melt into a fudgy mess. I looked around to see how the others were coping. It looked as if all the other racers nearby were having a tough time. Intermittently the ice conditions did improve, momentarily, but at about 40km into the race it started to rain. “You’re not going to make it,” I heard someone say. I looked up to see one of the race officials shaking her head pitifully. “You’ve got another 5km to go to the next checkpoint and they’re closing it in five minutes,” she said with a hint of a sneer. The next 5km were even more painful in the knowledge that it was all in vain. It was a small relief to discover that, in lieu of the horrible conditions, the race organisers decided to hand out medals at the 50km mark. “At least you got your medal this year,” consoled Den Dekker. He’d finished the race in darkness after about six hours. As a consummate risk management professional he had refused to leave the ice when the officials asked him to. “I had to finish the race,” he told me afterwards.

French risk management association Amrae’s risk management certiﬁcate CEFAR has been so successful that it is now also offered to people who don’t already work in risk management departments. More than 500 professionals have completed the training initiative in France and Switzerland, and the next two batches of courses will start in January and June 2012.

Former president of Ferma Marie Gemma Dequae has been appointed an independent director of nationalised Belgian bank and insurer Dexia Bank Belgium and its subsidiary Dexia Insurance Belgium. Dequae will focus on the bank’s governance and its operational management through risk management and both internal and external audit.

Head of the German risk managers’ association DVS Klaus Greimel demanded better and more far-reaching insurance cover for contractual liability claims at the Euroforum liability conference in Hamburg. “Today companies are more exposed to contractual liability claims,” he said. “The insurance industry should offer more solutions in this area.”

It had taken our best skaters, Adri van der Waart and Bas van Mullem, a good ﬁve hours to complete the full 80km. Out of a few thousand who’d started, only a few hundred actually crossed the ﬁnish line. All scant consolation. “Third time lucky?” It was a thinly disguised invitation from Den Dekker to return again next year — and I’m not likely to turn it down. SR

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

15_19_Viewpoints_SRApr12.indd 19

16/03/2012 15:32

Risks

> Risk Atlas ............................... 22 Travel is essential to global business. But where in the world are you most at risk of picking up a disease?

[ THREATS ] [ OPPORTUNITIES ] [ MANAGEMENT ]

CORRUPTION

Foregone conclusion The ground could be starting to shift beneath Putin’s feet. But when corruption leads the likes of Ikea and Walmart to abandon Russian expansion, what can other companies do to beat the extortionists?

RESIDENT VLADAMIR PUTIN GREETED HIS LANDSLIDE re-election on 4 March with the deﬁant cry of “Glory to Russia!” But an estimated 20,000 of his fellow citizens saw things differently, and marked the result with another mass protest in Moscow – watched over by riot police, who later swept in and arrested hundreds.

“This is a time of dramatic change,” says Robert Amsterdam, a Canadian attorney who has defended several high-proﬁle clients in Russia. Although Putin was officially returned to power with 64% of the vote, international election monitors say the result was buoyed by massive fraud. “The regime’s lack of legitimacy, corruption and the weak rule of law are becoming a huge deal for many Russians,” Amsterdam says. “Even if protests die down for a while, this has become an existential crisis now for Russia. It’s just a matter of time before something cracks.”

An unpredictable place “The mood has deﬁnitely shifted,” agrees Luke Harding, a former Moscow correspondent for UK newspaper the Guardian, and author of Maﬁa State: How one reporter became an enemy of the

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

20_21_Risks_SRApr12.indd 20

16/03/2012 14:03

middle class has continued to grow, creating demand for new goods and services. ‘Russia has become a But corruption is not the only risk at play. classic developing world It’s worth remembering that much of the Russian boom has come from the high price kleptocracy. The people of oil and gas, and earnings from the fuel and energy sector make up nearly half of the at the top are only government’s budget. While commodity interested in stealing: prices are currently going only one way – up – some analysts, including the IMF, have making a lot of money raised concerns about the country’s and offshoring it’ over-reliance on natural assets. “If you take into account some of the Luke Harding Mafia State author pledges Putin has made on defence, then balancing the budget depends on oil at $150 Danger money a barrel,” Harding says. “Coupled with a bloated public sector – Russia is currently ranked 154 of 178 in Transparency who are a key political cadre for Putin – we could see a real issue International’s Corruption Perceptions Index – alongside the with the state’s financial stability if the price dropped.” Republic of Congo and Tajikistan – and US diplomatic cables How to do business in Russia published by WikiLeaks in 2010 suggested that bribery in Russia So, how can risk managers looking for opportunities negotiate the was worth an estimated $300bn (€228.8bn) a year to crooked increasingly confusing situation? “It’s very complex,” Amsterdam police, bureaucrats and members of the Federal Security Service. says. “One key thing is to ensure that you are leveraging your Many multinational investors have already hit quicksand in position for the benefit of your Russian partners, simply because Russia. In 2006, Royal Dutch Shell handed over control of its then it’s far less lucrative for them to work against you. biggest Russian project, the $22bn Sakhalin-2 oil and gas “The other thing is to maximize your online reputational development, to the state-run OAO Gazprom, amid threats by presence. This is counter-intuitive for many western companies, regulators to revoke the projects permits on environmental who are used to keeping their heads down. But in Russia that just grounds. plays into the hands of extortionists. In 2010, Nestlé was warned by officials that it was violating “Also, stop using the same advisers as every other safety rules at its Russian plants in what was widely seen as an multinational; hire local people with real contacts. In the end, attempt to extort money or benefit local competition, while the personal relationships are everything, because you can’t rely on world’s two biggest retailers, Walmart and Carrefour, have both institutions.” now decided to abandon Russia and concentrate on China, India Maplecroft associate director Mandy Kirby says: “The level of and Brazil. bureaucracy is very high in Russia, and because of this high level of But, while working in Russia certainly has its problems, it also interaction with officials, there is the potential for a high level of offers rates of growth far higher than much of the western world. corruption. This problem can be mitigated to an extent by using a From 2003-11, Russia’s average quarterly GDP growth was 1.22% good local partner to help negotiate what can be a Byzantine – with a historical high of 3.2% in December of 2006 – while process. It’s also worth remembering that there can be different poverty and unemployment has declined, and the affluent, new regulations in different regions, and even professional staff in courts can be affected by corruption. SPOTLIGHT “On the legal front, we would strongly suggest including arbitration clauses and other safeguards in contracts. But, even here, one of the issues to be aware of is that cases are heard in the court closest to the action, so in the case of some resource-related EVEN SLICK SWEDISH EFFICIENCY “We have zero tolerance on issues, these can be very remote, and there can be some quite has been defeated by Russia’s endemic corruption and we have a very clear bizarre outcomes as a result.” corruption, and last year Ikea announced policy,” Ikea Russia’s managing director Resource nationalism is another issue to be aware of: “Mr that it was to halt its plans to expand Per Wendschlag told reporters. Putin has talked about re-nationalisation and re-negotiating a lot of beyond the Moscow region. The company’s founder, Ingvar contracts signed in the 1990s,” Kirby says. “Some of this is The decision came a er officials Kamprad, said that he had been undoubtedly rhetoric, but there remains an uncertainty.” refused permission for two outlets of ‘’over-optimistic’’ about Ikea’s ability to But it’s also worth remembering that one of the main risks, the retail giant in the central cities of operate in Russia. certainly in the short to medium term may come from outside Samara and Ufa a er Ikea declined to The company had already fired Russia’s borders. pay bribes, according to the Russian two employees in February 2010 for “For me, the main risk is economical,” one Russian risk non-governmental National permitting a third party to pay a bribe in manager said. “More than anything, the real problem is that our Anti-Corruption Committee. St Petersburg. country has to find its way through the new global economical climate change.” SR

Uprising: Putin may have secured his position for another term, but Russia’s people are starting to ﬁght against a ‘developing world kleptocracy’

brutal new Russia. “Putin may be in power for another six-year term, but he’s in a very unpredictable place.” According to Harding, Russian democracy has been systematically extinguished over the last 10 years. “It’s very hard to see a mechanism for getting rid of Putin, and when the end comes it will probably be as a result of an inter-elite struggle, rather than a popular uprising. In the meantime, Russia has become a classic developing world kleptocracy. The people at the top are only interested in stealing: making a lot of money and offshoring it.”

Ikea takes a stand against corruption

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

20_21_Risks_SRApr12.indd 21

16/03/2012 14:03

RISKS [ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]

RISK ATLAS GLOBAL HEALTH

Healthy obsession While political unrest overseas is topping many ﬁrms’ risk agenda, the well-being of foreign-posted staff should also be up there

ITH CIVIL UNREST RIPPLING ACROSS THE WORLD, IT’S easy to overlook some of the other health and safety risks facing employees who travel overseas. According to a poll by International SOS at the beginning of the year, 13 months a er uprisings in Tunisia sparked the Arab Spring, a quarter of businesses are most concerned about the impact of political turmoil and government instability on their business travellers. Opportunistic crimes (16%) and natural disasters (15%) were second and third on the list of worries. But the emphasis on political risk threatens to overshadow another important issue for companies that send staff abroad: the danger of contracting an illness or suffering an injury abroad. Being taken ill or injured in a foreign land can be a distressing experience as well as a costly one if it is badly handled. Organisations (and their directors) have a duty of care to make sure employees are safe when they are at work (see Theory & Practice on page 33 for more details on legal liabilities). This includes when they travel abroad for work. As businesses increase their activity in emerging and frontier markets, the issue becomes all the more

Being taken ill or injured in a foreign land can be distressing as well as costly pertinent. As our Risk Map on these pages shows, the risk hotspots can be found in many of the emerging markets, such as Africa, the Far East and Latin America. Poorly prepared employees sent overseas can face problems. These range from the mild, such as a stomach bug, to the extreme, for example diphtheria, a throat and respiratory infection that can cause ugly sores and even heart failure. While it has been largely eradicated in the industrialised countries of the West, diphtheria is not uncommon in some parts of the Far East, Russia, North Africa and Latin America. The bacteria are contracted through physical contact with infected people or via airborne particles. A sore throat is the ﬁrst symptom. Diphtheria is commonly vaccinated against in Europe but since the beneﬁts of vaccination decrease with age, a booster shot is recommended for anyone travelling to areas where the disease has not been eradicated. Putting aside the emotional distress and physical trauma that a disease like this causes for the individual concerned, having key workers struck down by illness can be potentially costly for the organisation concerned. It’s unlikely that any large company would send employees abroad without the right insurance, but if they are

found to be not fulﬁlling their duty of care, they could be on the receiving end of a costly law suit. Having a proper health and safety programme that covers all employees no matter where they are in the world is critical for businesses bringing operations to new locations safely, effectively and proﬁtably. A good health and safety programme can improve staff productivity and loyalty, reduce medical risks and reduce the costs of treatment, as well as diminish your liability risk. For their part, employees have a responsibility to act and behave appropriately. At the very least, according to International SOS, employees who travel to disease prone areas should: • consult a doctor or clinic for an individualised health and risk assessment prior to departure; • ensure that routine vaccinations (including tetanus, diphtheria and measles) are up to date; • consider vaccinations for hepatitis A, hepatitis B, typhoid and rabies; • be particularly aware of malaria risk. Discuss preventative medications with your doctor; and • research how to avoid illness, select safe foods and water, and avoid injury. (For more tips on safe travel, see opposite page) SR [READ MORE ONLINE] Download a PDF of this risk map at www.strategic-risk.eu or goo.gl/joFlH

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

22_23_RiskAtlas_SRApr12.indd 22

19/03/2012 09:25

FIVE SAFE TRAVEL TIPS 1. Drink cautiously – Alcohol dulls the senses, and in an unfamiliar location this lessened awareness can be especially dangerous. If you have one too many, ensure you have planned the route back to your hotel in advance and remain with a group.

2. Be street smart – Tourists can be vulnerable to robbery, pickpockets and assault, particularly because they may not know the areas to avoid. To limit the risks, stick with your group and avoid travelling alone. Leave valuables (like your passport) in the hotel safe. And be sure to only access an ATM from a secure facility, like a bank.

3. Manage your medications and health – Every country has different 3

rules and regulations about prescription drugs. If you need to carry medication abroad, be sure to check local laws. Travellers who violate the rules (even unintentionally) may face serious consequences. Pack extra medicine in case your travel is delayed. Purchasing medicine abroad is not advisable as the quality or dosages might be different.

4. Enjoy local ﬂavours without fear – Food-borne illness and local strains of bacteria can run havoc on a traveller’s digestive system. Be sure to check, before you leave, if your destination has safe tap water or other dietary concerns. Bottled beverages are always your safest bet and be careful about ice and fountain beverages.

5. Take the high road when it comes to ground transport – Navigating unusual roadways can be confusing and dangerous. Travellers face a greater risk of injury or death from vehicle-related incidents, especially in developing countries. Try to avoid driving at night or when weather conditions make it difficult. Use only regulated cabs and always sit in the backseat in case an accident occurs. Source: International SOS

USA, Kansas: Spanish ﬂu

Hong Kong: Hong Kong ﬂu

Despite its name, Spanish ﬂu originated in a US 1 military camp in Kansas in March 1918. It is considered the most lethal pandemic in the history of humankind, killing as many as 100 million people worldwide. The virus has since been identiﬁed as a strain of H1N1.

Vietnam and Singapore. In comparison to other pandemics, the Hong Kong ﬂu yielded a low death rate. It infected about 500,000 Hong Kong residents and killed 33,800 people in the USA.

China, Guizhou: Asian ﬂu

Mexico City: Swine ﬂu

The virus originated in China in early 1956 and 2 lasted until 1958. The World Health Organisation estimates the worldwide deaths cause by the pandemic to be about two million. Asian ﬂu was of the H2N2 strain of type A inﬂuenza and a vaccine was developed in 1957 to contain its outbreak.

The third ﬂu of the 20th century appeared in

3 Hong Kong on 13 July 1968 and soon spread to

The H1N1 inﬂuenza virus, dubbed ‘swine ﬂu’

4 by US media, was the ﬁrst official pandemic

of the 21st century. While it is not known where the virus originated, it was ﬁrst detected in Mexico City on March 18th 2009. It caused 14,286 conﬁrmed deaths worldwide.

Key Global health risks (estimated total deaths in thousands)

100 and over 50-99.9 25-49.9 (global average = 49) 2-24.9 0-1.9% no data Source: World Health Organisation. Includes communicable and non-communicable disease and injuries (ﬁgures for 2008)

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

22_23_RiskAtlas_SRApr12.indd 23

19/03/2012 09:25

:H PDNH LW RXU EXVLQHVV WR XQGHUVWDQG \RXUV 2XU FOLHQWV FRXQW RQ /RFNWRQ $VVRFLDWHV DURXQG WKH JOREH WR KHOS WKHP GHDO ZLWK VRPH RI WKHLU PRVW GLI¿FXOW EXVLQHVV LVVXHV

7R ¿QG RXW KRZ /RFNWRQ FDQ KHOS \RX SOHDVH YLVLW ZZZ ORFNWRQ FRP RU FRQWDFW %HQ %HHVRQ RQ

:( /,9( 6(59,&( /RFNWRQ &RPSDQLHV //3 6W %RWROSK %XLOGLQJ +RXQGVGLWFK /RQGRQ (& $ $*

/RFNWRQ &RPSDQLHV SR_Ad_Page_ID.indd 1 //3 LV DXWKRULVHG DQG UHJXODWHG E\ WKH )LQDQFLDO 6HUYLFHV $XWKRULW\ $ /OR\G¶V %URNHU

(

16/03/2012 09:37

Special Report

Cyber risks CYBER RISKS

Contents [ CYBER RISKS ]

SPONSORED BY

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

25_28_SpecialReport_SRApr12.indd 25

16/03/2012 17:18

SPECIAL REPORT [ CYBER RISKS ]

CYBER ATTACKS

Worms and virtual warfare The Stuxnet virus that hit computers in Iran were the ﬁrst time many of us had heard of cyber warfare. But experts warn such attacks will be a key challenge for companies and organisations in the 21st century

HILE ISSUES AROUND DATA security and employees’ social networking tend to be the stories that hit the headlines, there are other cyber risks that potentially pose graver threats. Global Risks 2012, the seventh edition of the World Economic Forum’s (WEF) annual risk report, published in January, talks at some length about “the dark side of connectivity”. It says: “The impacts of crime, terrorism and war in the virtual world have yet to equal that of the physical world, but there is fear that this could change.” The Stuxnet worm could be a wake-up call: it targeted the Siemens equipment used in nuclear facilities in Iran. “While evidence of the impacts of Stuxnet is questionable … its

broader significance lies in suggesting what is possible,” says the WEF. And it is not only government operations that may be targeted. The WEF cites the case last year of four people arrested in the Philippines over the hacking into of US telecommunications companies’ systems, resulting in losses of $2m (€1.5m) for AT&T alone, funds moved to the accounts of terrorist financiers. It warns too that “subversion” can severely damage reputations and undermine trust. “For example, in 2011 the US technology security firm HBGary Federal – whose clients include the US government and McAfee – claimed to have information on the identities of a notorious group of activist hackers, or ‘hacktivists’, known as

Anonymous. In response, Anonymous inﬁltrated HBGary’s servers, libelled them on their own website, published 40,000 of the company’s private emails, took down their phone system, took over their chief executive officer’s Twitter account and posted his social security number online.” A white paper published in January by US law ﬁrm Edwards Wildman, Everyone’s

‘Potentially, the consequential business loss for companies both in the short term and from loss of future revenues dwarfs the cost of all the other cyber risks’ Henry Harrison Detica

DATA PROTECTION

Keeping it conﬁdential The growing number of data protection breaches has prompted a European Commission move to harmonise regulations. But not everyone thinks they go far enough, or that they will make compliance easier

ATA SECURITY REMAINS A RISK for businesses in terms of protecting the personal information that they hold on individuals as well as conﬁdential corporate data. “There appears to have been a huge increase in criminals using the internet to steal information and, despite companies’ endeavours to take preventive measures, incidents still keep occurring,” says risk management consultant Chris Luck. “This suggests that some businesses are not doing as much as they could in checking for ﬂaws in their systems. Hackers seem to be developing their techniques faster than the security solutions designed to combat them.” The European Commission is poised to step in with proposals to end continuing data breaches and a hotchpotch of regulation. On 25 January, it announced plans for common rules across member states, saying this would remove fragmentation and administrative burdens, “leading to savings for businesses of around €2.3bn a year”. The proposed new rules have met with a mixed reception from security experts. Interoute security services product manager

Jeff Finch says: “There is some good news. The collation of harmonised data protection rules across 27 countries will without a doubt save organisations from a headache. Piecing together differing national data protection laws will have felt like one massive patchwork task, especially as cloud computing placed question marks over the location of data. “The next step is to look for harmonisation with laws in other countries like the USA, where the Patriot Act enables authorities to search telephone, e-mail, and financial records without a court order. Thus, understanding where data resides and in whose data centre will continue to be a crucial part of corporate governance.” Informatica senior vice-president of global sales strategy Charles Race suggests businesses will need to re-evaluate their efforts to prevent data breaches. “Already the subject of stringent regulation and the risk of hefty fines from the UK Financial Services Authority, following these new standards the financial services industry in particular will be feeling the heat to make doubly sure that data security measures are up to scratch,” he says.

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

25_28_SpecialReport_SRApr12.indd 26

16/03/2012 17:18

nightmare – privacy and data breach risks, states: “Another type of cyber risk has become increasingly prominent: cyber attacks that are directed not at acquiring information, but rather at causing signiﬁcant physical effects or business disruption, including destruction or disruption of computer control systems, and the industrial systems and equipment on which the operations of industrial entities and public utilities depend.” Edwards Wildman quotes former US deputy defence secretary Robert Gates: “In the twenty-ﬁrst century, bits and bytes are as threatening as bullets and bombs.” Cyber espionage – theft of commercially sensitive information – is increasing too. At StrategicRISK’s 100 risk retreat in November, Detica technical director Henry Harrison said incidents had been reported by the chemical, oil and gas industries and other businesses. Most occurrences are either not detected or not reported, however. “Potentially, the consequential business loss for companies both in the short term and from loss of future revenues dwarfs the cost of all the other cyber risks,” he said. PricewaterhouseCoopers cyber and information security practice director William

Imperva director of security strategy Rob Rachwald considers the new EU privacy law to be a good step forward for individuals’ privacy. “However, the proposal doesn’t do enough to protect data,” he says. “Since it mainly proposes fines, it will not help keep EU citizen data safe from hackers or insiders. Rather, the EU should put in place fines coupled with a more prescriptive approach, identifying specific actions firms should take to protect data.”

SPONSOR’S WORD

KEY QUESTIONS •

•

What steps can be taken to improve the sharing of information and build safeguards to reduce cyber threats? What incentives will mobilise businesses and the public sector to invest in the resilience of information infrastructures? How do we reconcile the beneﬁts of innovation through open source so ware with the risk that individuals might manipulate code for malicious purposes? Source: Global Risks 2012, World Economic Forum

Beer says: “Cyber security is not just an IT issue. All public and private sector organisations need to transform their mindset. Leaders see cyber as a technical issue and fail to appreciate the business impact of an attack. “Recent attacks have shown incredible resourcefulness and ability on the part of the criminals, and even the most cyber-savvy organisations have found themselves exposed and ill-prepared to manage the effects.” SR

Varonis Systems director of strategy David Gibson believes the migration to the new rules may be a complex process for some multinationals – and ﬁrms pushing into new countries. But he welcomed the news that companies with more than 250 staff will be required to appoint a data protection officer. “The appointment of a data protection officer will help focus the attention of many more companies on what has become a major issue for everyone in this digital age ,” he says. SR

WHAT BRUSSELS PROPOSES •

• • •

A single set of rules on data protection removing unnecessary administration, such as notiﬁcation requirements. Increased responsibility and accountability for those processing personal data. Organisations only having to deal with a single national data protection authority. People having easier access to their own data, being able to transfer personal data from one service provider to another more easily and delete their data if there

•

are no legitimate grounds for retaining it. Application of EU rules if personal data is handled abroad by companies that are active in the EU market. Strengthening of national data protection authorities with the power to impose ﬁnes of up to €1m or 2% of global annual turnover for data protection breaches. A new directive applying general data protection principles and rules for police and judicial co-operation.

Shanil Williams and Steve Bonnington, vice-presidents of ﬁnancial lines, Chartis

Steps to managing cyber risk What are the top cyber risks facing companies right now? Broadly speaking cyber risks can be split into ‘third party risks’ (such as a company facing litigation because they have mislaid sensitive employee or customer data), and ‘first party risks’ that could cause financial harm to the company itself (like business interruption due to a network failure or reputational damage from a data breach). One hot topic at the moment is the evolving data protection legislation around the world and specifically in Europe. There’s a lot of uncertainty about whether major legislative changes are imminent. A company may have operations in hundreds of different countries, but does it have a real grasp of all of the regulatory requirements in each of those jurisdictions? Companies not only need to be aware of any changes but prepared to implement them. Companies also need to understand how evolving technologies, such as cloud computing, could affect their privacy and network security exposures. Another big challenge for companies is estimating the financial losses they could be exposed to, from a downed network, for example, which could have a major, far-reaching impact. How can companies prepare for and mitigate some of these threats? As an insurer, our view is that the management of cyber risks involves a three-part process: preparation, mitigation and risk transfer. Preparation requires boardroom awareness that the threat exists. Acceptance from senior management is essential because of the substantial investment necessary to manage these issues. Mitigation is about taking proactive steps, such as crisis containment policies to minimise exposures as they arise. (In the case of a data breach you are fighting several battles on different fronts all at the same time – so you need to be prepared for that.) Finally, you need an insurer that understands just how critical it is to respond to these issues on a timely basis. In what ways is the insurance market innovating to help clients overcome some of these challenges? From an insurance perspective, speed is of the essence. At Chartis, we provide more than just financial security. We act as a central hub and co-ordinator, a er a data breach for instance, by arranging specialist legal advice or public relations expertise so our clients can manage the fallout. We believe that an insurer with the skills, processes, procedures and infrastructure to respond quickly is essential, even if the incidents happen infrequently. As a multi-line insurer Chartis is also in a strong position to advise clients about how some of their other policies might overlap. A D&O policy, for example, might also respond to the costs of a regulatory investigation following a data breach.

For further information, visit: www.chartis.com

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

25_28_SpecialReport_SRApr12.indd 27

16/03/2012 17:18

SPECIAL REPORT [ CYBER RISKS ]

WEB 2.0

Anti-social media The boom in the use of sites such as Facebook and Twitter has created opportunities for businesses – but they also have to beware what their employees might be saying about them

HE USE OF SOCIAL MEDIA SUCH as Facebook, LinkedIn and Twitter is a prime example of the risk versus opportunity conundrum. Companies have much to gain from embracing the opportunities provided to create and consolidate an audience of loyal followers. But their efforts may be undermined – inadvertently or deliberately – by the postings of their employees. In a study by law ﬁrm DLA Piper, Knowing your tweet from your trend, partner Kate Hodgkiss says the next few years are likely to see major growth in the use of social media in the workplace, whether as a tool for organisations to communicate with a geographically diverse workforce, for training, or to let teams collaborate and share ideas. “Whether you’re a regular tweeter or new to the game, a Facebook aﬁcionado or a beginner, there is no mistaking that Twitter, Facebook and LinkedIn have had a major impact on the way we interact and communicate. Unfortunately, the impact is not always positive,” she says. “Employee use of social media, inside and outside the workplace, can expose employers to serious legal liabilities. Social media presents employers with some new problems, a new platform for existing problems and potential to magnify common business risks.” DLA Piper’s study reveals that use of social media is landing employees in trouble: • 21% of employers have taken disciplinary proceedings because of information an employee has posted on a social media site about another individual; • 25% of employers have taken disciplinary proceedings because of information an employee has displayed about their activities at work; • 31% of employers have taken disciplinary proceedings because of information an employee has posted about the organisation; and

•

30% of employers have taken disciplinary proceedings because of the level of an employee’s social media use at work. Commenting in StrategicRISK’s Amrae dailies, GDF Suez deputy chief risk officer, and vice-president of Ferma, Michel Dennery warns: “Social networking offers many opportunities for discussion among ‘friends’ who are mostly just online acquaintances. The tone is open, uninhibited, mocking and jokey. They believe themselves to be having a private conversation. “However, these chats get picked up, forwarded to other friends and rumours develop independently of the original source. Control disappears. To expose to just anyone disparaging comments about the business or its management, when these should remain within the private domain, is a liability.” Lou Dubois on US website Inc.com says: “Whether it’s in the hiring and recruitment process or when an employee is legally employed, setting a clear and speciﬁc

‘Social media presents employers with some new problems, a new platform for existing problems and potential to magnify common business risks’ Kate Hodgkiss DLA Piper

standard for social media usage and guidance is a requirement. Defining what your employees can and cannot do, both in the workplace and at home, needs to be spelled out. If you fire an employee for something they’ve said on Facebook or on another social network, that needs to be spelled out in your own company’s policy or you could be subject to a wrongful termination suit.” At October’s Ferma Forum in a session called “The risks of the virtual world”, Bureau Européen d’Information Commerciale secretary general Laurent Delhalle recommended that companies follow the example of an enlightened few that have already written guidelines or a charter for employees on using social networks. “This would constitute protection not just for the company but also the employee concerned, who might otherwise face an action for breach of confidentiality,” he said. DLA Piper suggests introducing or reviewing confidential information provisions and post termination restrictions in employment contracts on the use of social media, and using a social media policy to emphasise the ban on disclosure of confidential information and ownership of business contacts. Requiring employees to adopt ‘closed’ privacy settings on sites such as LinkedIn and stepping up monitoring during and after termination of employment to detect leaks of confidential information and misuse of contacts are further strategies. But social media is not all negative. On Mashable Business’s website, Levick Strategic Communications senior digital strategist Patrick Kerley says companies that have established a strong social media presence in “peace time” can use this to refute damaging allegations and even dominate search engines so that they communicate their side of the story first. SR

FACTS AND FIGURES Top ﬁve risks of social media in the workplace: 1 2 3 4 5

HR policies and practices not keeping pace with technology Bullying and harassment Discrimination Disclosure of conﬁdential information Damage to reputation and brand

Source: DLA Piper

Defamation is becoming a huge issue on social media sites as lawsuits for this particular offence are rising dramatically. In Canada and the USA, 15% of all web 2.0 rulings were on defamation cases. In France, it’s 49% and in Quebec it’s more than 10%. Source: US PhysOrg.com

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

25_28_SpecialReport_SRApr12.indd 28

16/03/2012 17:18

Corbis

Governance

[ ETHICS ] [ COMPLIANCE ] [ REPORTING ]

> Black swans ............................ 31 ‘We need to take the long view, look at the danceﬂoor from the balcony and take account of what we don’t know: the black swans’ Lee Howell, WEF

POLITICS

Taming the monster Governments’ main answer to continued economic uncertainty seems to be to legislate. But what risk managers really need is a considered approach to the problems rather than political crowd-pleasing »

Monster mash: As the economic crisis lumbers on, governments should try to take a longer view before deciding how to attack

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

29_31_Governance_SRApr12.indd 29

15/03/2012 16:50

Corbis

GOVERNANCE [ ETHICS ][ COMPLIANCE ][ REPORTING ]

Key points 01: While new regulation is a given, it is unclear how it will affect business 02: Other changes, such as in data protection legislation laws, could act as trade barriers 03: The current regulatory framework was developed in response to 18th and 19th century problems, not a 21st century global economy 04: There is a risk of politicians making populist, protectionist decisions instead of looking beyond the next election 05: Legislators should innovate by looking around the world for examples of best practice

IKE A MOVIE MONSTER THAT REFUSES TO DIE, the economic crash of 2008 lumbers on, stamping across politics and economics, while governments try to find a way to stop the destruction. All around the world, on the streets, in the papers and on television the pressure is on to do something. Many ordinary people feel frightened, out-of-control – and they want elected representatives to act. But this drive to legislate against risk brings its own risks. “We need better safeguards that are anticipatory and dynamic,” said Swiss Re chief risk officer David Cole at the World Economic Forum in January. “Some of our regulations have traditionally been prescriptive, over-complicated, inadequate, fragmented and too slow to respond to the accelerated pace of change.” New regulation is on its way, there’s no doubting that. But how it will impact on business and whether it will actually make the world a safer place remains far from clear. “Things will change in the financial world but not just in 2012 – there’s pressure all around the world with economies in trouble or trying their best to get to better growth,” says Arcadia Group head of risk management and compliance Colin Campbell. “In the UK, we have media, political and public pressure on the banks, which will eventually result in either regulatory moves or self regulation, but all done ‘in public’. The Basel III environment is coming nearer for insurers, and the financial sector will feel the impact – which will impact on all European business. Cole adds: “The outcome of the Greek – and other eurozone economies’ – economic improvements will not be known for many months, or even years, but there are increased suggestions that Greece may have to leave the euro. This will affect all UK businesses in some way. Away from the financial crisis, there’s a great deal of EU regulation to hit in the future: changes to data protection legislation is imminent, with the impact unknown at this time – but these could act as barriers to trade.” Most of the current regulatory framework was developed in response to 19th and 20th century problems focused on national issues. In the new millennium, most of the issues facing legislators are international, and regulating across borders is uncertain territory. Natural disasters such as the Icelandic ash cloud and the Japanese tsunami illustrate just how far the impact of a local incident can spread. But how can states respond effectively?

Lack of consensus “We do try to learn from the mistakes of the past, but we are in what seems to be new territory right now and governments are unsure about what to do,” Campbell says. “Business still has a voice, but less so than before and there’s no real consensus among politicians or economists as to what the best routes are.” In the era of mass media, there can be an intense public pressure for governments to take action swiftly in response to disasters or scandals – but the old adage of act in haste, repent at leisure still applies. “The principal problem is that, particularly in democracies, there can be a protectionist, populist response by legislators,” says World Economic Forum managing director Lee Howell. “Those two factors feed off each other and can come into play very quickly. Conversely, what we actually need is more risk taking by politicians: we need a bolder vision that genuinely looks to the future, not inﬂuencing the result of the next political contest.

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

29_31_Governance_SRApr12.indd 30

15/03/2012 16:50

USA

Clean air bill thwarted by the economy The highly unpredictable politics of legislation is well-illustrated by US president Obama’s recent attempts to reform smog regulation. In September 2011, he was forced to ask the Environmental Protection Agency to shelve the plans a er coming under sustained attack from congressional Republicans and business lobbyists, who successfully argued that more red tape was not what was needed at a time of economic uncertainty. Would this have been the result in the boom years? What if there wasn’t an election slated for 2012? Where does the public interest really lie? In a democracy, unpicking the relative inﬂuence of a tangle of vested interests is essential to understanding political risk.

“We seem to be living in an era of shocks, but it doesn’t have to be like this. We need to take the long view and politicians need to step up, look at the danceﬂoor from the balcony and take account of what we don’t know: the black swans. Take the situation in Iran. We have all seen that coming since at least the 1990s, yet no one was taking the long view. Or those that were didn’t have the conﬁdence to speak up and now we all seem surprised.” But Howell argues that living in an era of big data is a huge advantage for legislators – the problem is how to assimilate it all with an eye to the future, rather than trying to solve yesterday’s problems.

Looking for best practice

PROTECTIONISM

Exacerbating the Great Depression Although the Great Depression of the 1930s was caused by a stock market crash, many economists argue that protectionist legislation, such as the Smoot-Hawley Tariff Act of 1930, which raised tariffs on many thousands of goods imported into the USA, made it far worse by sparking a trade war. The Act was intended to support US businesses over foreign competitors, but other countries quickly followed Washington’s lead with their own legislation aimed at propping up domestic producers. This quickly caused international trade volumes to be sucked into a downward spiral, exacerbating unemployment and, arguably, prolonging the Depression.

“There are much better tools available now,” he says. “The problem is, like science, things move forward on the basis of failure. That’s how we learn. But there’s little appetite for failure in the public policy sphere, so the question is: how can legislators innovate?” One answer may be a greater willingness to look outwards to examples of best practice around the world and learn from what works elsewhere. “Japanese municipalities were very good at this in the 1980s,” Howell says. The fear is that without a new approach regulators will just create new levels of complexity. “Already in many OECD countries you can be looking at hundreds, if not thousands, of pages of regulation running across multiple agencies,” Howell says. “How can that be ‘Just because there are navigated? It’s great work for lobbyists and lawyers, sure. But just because there are more more rules, doesn’t rules, doesn’t mean that the system is any safer. mean that the system Efficiency is also important.” Faced with all this uncertainty, how should is any safer’ risk managers prepare? “Don’t panic,” Campbell Colin Campbell Arcadia says. “Review current identification systems and make sure you keep your board up to date with relevant regulatory changes. “We will need to be alert to fast change and we need to keep our eye on the ‘regulatory ball’ outside of the financial markets and ensure we identify new moves, national, EU and beyond – for example, in Asia where the Chinese authorities are changing legislation regarding foreign companies trading in China. The same thing is happening in India.” For now, businesses are trapped between a lumbering recessionary monster and unpredictable, trigger-happy governments playing to the crowd. Risk managers need to do all they can to keep their employers out of the crossfire. SR

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

29_31_Governance_SRApr12.indd 31

15/03/2012 16:50

EUROPEAN RISK MANAGEMENT AWARDS

OUR WINNERS WILL BE ANNOUNCED AT OUR AWARDS LUNCH ON TUESDAY 8TH MAY 2012 INTERCONTINENTAL HOTEL, LONDON

CONGRATULATIONS TO OUR FINALISTS European Risk Manager of the Year

Best Risk Communication of the Year

Tsambika Jeffries – UK Power Networks

Aviva Woodleigh Outreach Support Service London Borough of Lambeth Zurich Financial Services KPMG

Maurice Sammut – BA John Ludlow – InterContinental Hotels Group Phil Murray – Petrotechnics Ltd Robert Ebel – Hoerbiger Holding AG

Best Risk Management Approach in the Public Sector Irish Public Bodies Mutual Insurances Southend on Sea Borough Council Sandwell Metropolitan Borough Council London Borough of Ealing Redcar & Cleveland Borough Council

Most Innovative use of IT or other Technology

Risk Management Product of the Year

Zurich Global Corporate JSC RusHydro London Borough of Ealing SAP AG KPMG

ALARM Acclimatise London Borough of Lambeth Maplecro Aon Benﬁeld

Best Business Continuity Approach of the Year

Risk Management Young Achiever of the Year

Telenor Sweden InterContinental Hotel Group Veolia Environmental Services UK SAP AG XChanging

Moritz Bachmann – MCH Group AG Teri Owens – Woodleigh Outreach Support Service Craig Forson – Veolia Environmental Services UK Nicholas Vioix – Westﬁeld Shopping Towns Ltd Andy Nolan – Rexam

Rexam

Best Risk Training Programme

Cathay Paciﬁc Airways

Aviva Woodleigh Outreach Support Service InterContinental Hotel Group POLRISK Association of Risk Management Chartis

European Risk Management Team of the Year

Adam Greene – Coca Cola Hellenic Gilbert Canameras – ERAMET SA Patrick Smith – Hertz Europe Jeremy Harrison – Network Rail Tony Dimond – CEMEX

Enterprise Risk Programme of the Year Irish Public Bodies Mutual Insurances InterContinental Hotel Group JSC RusHydro ACCOR Gazprombank Open Joint Stock Company SAP AG Campofrio Food Group

Mobile TeleSystems OJSC

INTER RAO UES Mobile TeleSystems OJSC JSC RusHydro Network Rail Rexam PLC

For table sales and sponsorship opportunities, please contact Cathy Turner on 020 7618 3423 or cathy.turner@strategic-risk.eu For more details visit www.strategic-risk.eu/srawards2012 SR_Awards12_FP.indd 2

15/03/2012 16:00

Theory & Practice

[ INSIGHT ] [ CASE STUDIES ] [ BEST PRACTICE ]

FIVE-STEP GUIDE

Protect against health and safety prosecution Individual prosecutions for health and safety offences are on the rise, so it is more important than ever to ensure that senior managers are fulﬁlling their duties

SENIOR STAFF MUST UNDERSTAND THEIR HEALTH AND SAFETY DUTIES AND THE CRIMINAL IMPLICATIONS OF NOT FULFILLING THEM Regulators are taking a hard line when it comes to prosecuting individuals, a trend illustrated by a recent case involving the manager of a south Wales mine that ﬂooded, who has been charged by the police with gross negligence manslaughter despite almost dying himself. Those at the top of an

ORGANISATIONS SHOULD BE READY FOR THE INSPECTOR’S CALL Organisations should consider what they would do in the event of an accident. It is o en useful to create an incident response protocol, with specialist legal input, so employees and managers know how to manage the immediate a ermath and the investigation, and at what stage it is appropriate to involve lawyers.

ORGANISATIONS SHOULD ENSURE THEY HAVE EFFECTIVE D&O COVER Given the increase in directors and senior managers being prosecuted, organisations should check they are adequately insured in case one of their individuals is investigated. These prosecutions can be expensive and, in difficult ﬁnancial circumstances, can put strain on the individual and organisation. Directors and officers insurance cover can be purchased and the organisation should ensure the wording is sufficiently broad to cover its risks and business proﬁle. SR

Getty Images

OLLOWING A RECENT FREEDOM OF information request, the Health and Safety Executive (HSE) was forced to release figures showing that the number of directors and senior managers prosecuted under section 37 of the Health and Safety at Work Act 1974 (HSWA) had soared by 400% over the past five years. Perhaps the most startling fact was that, of the 43 individuals investigated for this offence between 2010 and 2011, 21 were prosecuted following no fatality or injury of any kind. Section 37 states that legal action can be taken when a breach of health and safety law by an organisation has been committed with the “consent, connivance or neglect” of one of its directors or senior managers. Those found guilty can be fined, disqualified from being directors or, in the most serious cases, imprisoned (see box, below). While the figures released only relate to section 37 investigations, directors and senior managers can also be investigated under section 7 of the act and for gross negligence manslaughter. How many of these people realise that they could be individually prosecuted? Below are five steps that organisations can take to protect themselves and their directors.

DIRECTORS SHOULD INSTIL A POSITIVE HEALTH AND SAFETY CULTURE FROM THE TOP Those at the top need to make sure health and safety is taken seriously at every level of their organisation. All employees should feel conﬁdent about reporting hazards and risks, knowing their warnings will be acted upon. Directors and senior managers must satisfy themselves that any internal or external health and safety professionals are competent. All employees, not just a few dedicated health and safety professionals, should be involved in improving safety.

organisation must be aware of their safety responsibilities and the consequences of not meeting their obligations.

APPROPRIATE GUIDANCE SHOULD BE UNDERSTOOD BY THOSE AT THE TOP OF THE ORGANISATION HSE guidance, while not obligatory, will be considered by the court if an organisation or individual is prosecuted for a health and safety offence. It provides clear and practical guidance for directors and senior managers on how to implement good health and safety practices, speciﬁcally in the areas of planning, delivery, monitoring and review. This guidance must be read by all directors and senior managers to ensure they set the tone for health and safety compliance.

Sally Roff is a partner and Jo Brook is a solicitor in the safety, health and environment group at law ﬁrm DAC Beachcro DID YOU KNOW?

Director convicted RICHARD JAMES, SOLE DIRECTOR OF Southern Property Maintenance, was convicted in May 2011 under the HSWA 1974 following the death of Shane Offer who fell through a roof. The judge said he was responsible for a “lack of a safety culture amongst his employees”. James received a suspended prison sentence and a ﬁne of £120,000.

www.strategic-risk.eu [ APRIL 2012 ] StrategicRISK

33_35_T&P_SRApr12.indd 33

16/03/2012 12:36

THEORY & PRACTICE [ INSIGHT ][ CASE STUDIES ][ BEST PRACTICE ]

in association with

CYBER SECURITY

Four steps to beating the cyber spies

Rex Features

A leading forum for the top minds in risk

Organisations ignore the threat of cyber attack at their peril, experts tell UK’s top risk managers

N FEBRUARY A MEETING OF THE StrategicRISK 100, a group of the UK’s top risk management minds, was called to discuss the key cyber risk management challenges. The meeting itself was by invitation only and off the record. The broad topic of cyber risk coalesced around three key issues. • Data security: Securing customer information, which is increasingly captured and stored electronically, is a key risk management concern for large companies. Many companies are grappling with protecting their private data from prying eyes • Cyber espionage: The risk of cyber spying is becoming increasingly clear, whether the aggressors are state sponsored or just industry competition, the results, in the form of lost intellectual property or strategic secrets, can be devastating. • Social media: Facebook, YouTube and Twitter are perhaps the most popular social media channels and all played a role in the Arab Spring uprisings, demonstrating the power and inﬂuence these new platforms wield. In the hands of disgruntled employees, crusader consumers or ‘hacktivist’ groups, social media can be a brand and reputationdestroying weapon. It was also acknowledged that companies are extremely vulnerable to cyber attacks – malicious assaults aimed at stealing information or simply damaging a company’s brand. Backing this up, cyber attack was recognised as a Tier One threat in the UK’s National Security Strategy and the UK government allocated another €775m to improve cyber security in an otherwise austere budgetary environment as part of the Strategic Defence and Security Review. One of the most signiﬁcant cyber threats is to enterprise-held intellectual property.

Extremely valuable and vulnerable, intellectual property is easily stolen from electronic systems, o en without the the being noticed. Despite the scale of the problem, SR100 members agreed that companies could broadly be split into three main categories; those who know they have been attacked, those who don’t know and those who know but don’t care. If a company loses some intellectual property and the story isn’t leaked, it’s unlikely to have much of an immediate impact on either profits or share price. For that reason it’s easy enough for senior managers to ignore it. A er all, why should they spend tens of thousands upgrading their security if they have little to show for it? But, as the SR100 conceded, this is probably not the best attitude to take, considering that five years down the line the victim could easily begin to lose its competitive edge if a competitor has that information. Issues like this are exactly why risk managers, acting as the living conscience of their businesses, need to raise awareness about the importance of cyber risks. Intellectual property the s are far more prevalent than many organisations think. For example, in 2011 an unprecedented cyber espionage campaign, dubbed Operation Shady RAT, was uncovered by McAfee. For at least five years, this high-level hacking campaign infiltrated computer systems of national governments, global corporations, non-profit bodies and other organisations, with more than 70 victims in 14 countries. The SR100 also debated possible solutions to some of these problems. One of the key subject matter experts on hand to help facilitate the discussion was John Dowdy, head of defence and security at McKinsey & Co. He said: “To protect

The UK’s Government Communications Headquarters (GCHQ) in Cheltenham says it deals with cyber attacks every minute of the day. The UK is also reportedly developing a cyber-weapons programme to give it an attacking capability in cyber space.

themselves, companies need to get serious about cyber security. That needs to start with a ‘business-back’ approach – understanding key online business assets, and how to protect them.” He recommended a defence in depth approach. Rather than defeating attackers with a single, strong defensive line, defence in depth relied on the tendency of an attack to lose momentum over time. Companies commonly don’t understand what type of attack they could be facing. They are also sometimes bad at prioritising the business assets that they need to protect. With this in mind, Dowdy recommended four simple “baby steps” that companies can take to protect themselves.

CREATE A ‘BUSINESS-BACK’ CYBER SECURITY STRATEGY Align your security strategy, policies and operations with the biggest business risks.

UNDERSTAND HOW YOU STACK UP Benchmark your organisation against your peers.

OPTIMISE YOUR INVESTMENT TO GET THE MAXIMUM BUSINESS IMPACT Align your security investments and roadmap with business needs. There may be a trade-off between security and the commercial realities of doing business.

RUN SIMULATIONS Conduct cross-functional simulations with senior executives to improve your business’s response to attack. SR

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

33_35_T&P_SRApr12.indd 34

16/03/2012 12:36

SPENDING CUTS

Innovate to mitigate effects Glasgow Caledonian University Researchers are studying ways local authorities can reduce austerity risks to vulnerable people

OCAL AUTHORITIES ACROSS THE UK face tough choices as a result of austerity measures imposed by central government. To achieve signiﬁcant costs savings these organisations are being forced to ‘reconﬁgure’ public services. A team from Glasgow Caledonian University is investigating the criteria, frameworks and priorities used by Scottish authorities to deal with public sector cuts.

The researchers say authorities in Scotland must become much more innovative if they are to protect the needs of disadvantaged and vulnerable people. They identiﬁed ﬁve key areas where local authorities need to develop their approach to risk management.

MORE INNOVATION NEEDED The researchers found some limited evidence of shi ing approaches to service delivery. These indicated a gradual move from a traditional bureaucracy to an organisation exhibiting innovation, albeit at early stages. But innovation was limited.

NEW RISK MITIGATION TOOLS One local authority had adopted an equality impact assessment (EIA) procedure as its prime risk mitigation tool. Yet criteria were restricted to speciﬁc groups (such as disabled people or women) and the EIA failed to consider the wider implications of austerity and social risks for other groups. There was no evidence that the authority

had developed new risk mitigation tools.

EXTEND RISK MANAGEMENT FOCUS BEYOND COMPLIANCE The local authority appeared to be engaged in a traditional regulatory approach to risk mitigation (focusing on statutory duties) rather than focusing on moral obligations and human rights. As a result, rather than mitigating risks to service users (the public), the local authority mitigates its own risk of non-compliance with statutory duties.

LOCAL AUTHORITIES MUST FOCUS ON THE NEEDS OF USERS Local authorities must move from a ‘service-based’ to ‘needs-based’ approach in decision making and risk mitigation and need to be more proactive, innovative and adopt an integrated risk-based model in service reconﬁguration. SR Claire McCann is a researcher at Glasgow Caledonian University

What are the key threats to your business in the next decade? And how can your company prepare itself? This White Paper from FM Global is essential reading for risk managers. It examines the three key trends that are set to shape the next decade. And it argues that strong risk management will itself become a source of competitive advantage. Download our White Paper at www.fmglobal.co.uk/nextdecade

33_35_T&P_SRApr12.indd 35

16/03/2012 12:36

VIEWPOINTS [ PEOPLE ][ OPINION ][ COMMUNITY ]

WHAT’S INSIDE YOUR HEAD?

Headspace Alessandro De Felice of Prysmian fears what today’s economic problems mean for his childrens’ generation What are you thinking about right now? Is Louis Enrique the right coach for AS Roma? But more seriously, after a major acquisition made by Prysmian in 2011, I’m approaching various renewals for integrating the expiring insurance programmes. The company expects good results and selecting the best option is not easy. What is your greatest fear? Without a doubt my biggest fear is something bad happening to my children or my wife. But considering the current economic outlook I’m worried about what the future will be for our sons and whether they will be able to have something more or at least the same as their parents. What was your most embarrassing moment? I was the best man at the wedding of one of my best friends and during dinner I used a typical Italian adage which literally translates as “those who go with the lame learn to limp”. I’m not sure if there’s something similar in English but it basically means that a person learns from those he associates with. When I saw all the other diners looking at me silently I realised that my friend’s new father-in-law was sat with us and had an amputated foot. At that moment I wanted to disappear. What is your most treasured possession? My sailing boat is not just a possession but a passion of mine. Sometimes I think my wife would actually prefer it if I took a lover. What makes you happy? There’s a moment during summer holidays at sunset when I’m on a sailing boat moored in a Tyrrhenian bay, with an iced Sardinian white wine and good music. My children are playing together and my BlackBerry is switched off. True happiness does exist.

What makes you unhappy? People who don’t deliver on their promises. Our business is still made by fairness and shaking hands while looking in the eyes. What’s the biggest risk you’ve ever taken? My first son came a couple of days earlier than expected. That day I was giving a speech at the ANRA conference in Parma (120km from Milan) and while I was on stage I received a text from my wife saying she was going to the hospital. I jumped in the car and drove very fast (the Italian way of driving fast). Just outside Milan the police stopped me and I explained the situation to them. The policeman didn’t fine me but he did say: “Congratulations, I wish you all the best. But make sure your son has his father. It would be very bad if he were born an orphan.” I was taking a stupid risk. And his words were more persuasive that the biggest fine. What is the worst job you’ve ever done? When I was student, a good way to earn money (and to meet girls) was to apply for a token role at Cinecittà, a large movie production centre in Rome. Normally they need a lot of people for certain movies. Once I worked for 12 hours on the same scene on a boiling hot summer’s day. What is your greatest achievement? Currently it’s probably the feasibility study, business plan and board presentation that I had to do to launch a captive project. I’m glad to say it’s fully operational today. After four years, the result is more than satisfactory and everyone recognises it was a good idea. What’s the most important lesson you’ve learned? You can never say you have a done deal until it’s physically concluded: unexpected surprises are always around the corner. Also, in our business, fairness and transparency do really return the investment. Tell us a secret? For a perfect espresso, try putting one-quarter sparkling water and three-quarters still water in your machine. Disclaimer: I can’t guarantee the machine won’t explode. SR

Illustration by Richard Phipps

Alessandro De Felice is group risk manager at Prysmian

StrategicRISK [ APRIL 2012 ] www.strategic-risk.eu

36_Headspace_SRApr12.indd 36

16/03/2012 14:02

SR_Ad_Page_ID.indd 1

14/03/2012 10:27

Do glo bal ma rke ts f eel

FOR EIG N? Multinational means helping you feel at home anywhere. Whether your clients are in 2 countries or 92, you can count on seamless service when you choose multinational insurance solutions from Chartis. With nearly 9,000 dedicated claims professionals across 320 offices worldwide, we can help you move your clientâ&#x20AC;&#x2122;s business forward with confidence. Learn more at www.chartisinsurance.com/uk/multinational

Kek Loc Si Temple Malaysia â&#x20AC;&#x201C; Where Chartis insurers have done business since 1952

SR_Ad_Page_ID.indd 1

Chartis Insurance UK Limited is authorised and regulated by the Financial Services Authority (FSA number 202628). This information can be checked by visiting the FSA website (www.fsa.gov.uk/register). Registered in England: company number 1486260. Registered address: The Chartis Building, 58 Fenchurch Street, London, EC3M 4AB.

28/10/2011 15/03/2012 10:21 14:37