MANAGER LIABILITY You’Re in Their Sights a STEP TOO FAR? REPUTATIONS at RISK Some Just Don’T Care

July 2015 | The Official Magazine of The GRC Institute

SCHEMES AND SCAMS MANAGER LIABILITY You’re in their sights A STEP TOO FAR? REPUTATIONS AT RISK Some just don’t care

MOBILE TIME BOMBS The danger of BYODs

COUNTRY SNAPshot Doing business in Indonesia

RANSOMWARE RISING To pay or not to pay?

Financial Crimes

Accounting scandal rocks Toshiba, CEO under fire The GRC Institute’s 19th Annual Conference The GRC2015 conference 3 day program features inspirational leaders exploring topics across the change management spectrum at an organisational and individual level. Conference GRC2015 provides an exciting opportunity for 28–30 Oct 2015 • Melbourne networking and professional development and exposure for commercial partners to consolidate Crown Conference Centre in the GRC marketplace. To book your seat at this exceptional event or for sponsorship opportunities please visit: www.grcconference.com.au Change Catalyst

GOVERNANCE • RISK • COMPLIANCE GRCI’s Graduate Certificate in Compliance Management 91517 NSW has been designed exclusively for senior governance, risk and

GOVERNANCE • RISK • COMPLIANCE compliance professionals looking to further develop skills for career progression to the most senior level. Considered the benchmark accreditation Graduate for compliance professionals, this course is a nationally accredited qualification. CertifiCate Graduatein This course offers you a career advantage through demonstrable skill development over ComplianCe an intense study period of four days. You will CertifiCalso abecomete part inof a strong network of professionals supported by GRCI, including manaGementComplianspecial eventsC eexclusively for CCP alumni. 91517 NSW Next available certificate courses: Certified Compliance Professionalma (CCP)na GSydney,ement 7-11 October 2015 91517 NSW New Zealand, 10-13 November 2015 Certified ComplianceFor more informationProfessional and bookings (CCP) please visit: www.thegrcinstitute.org or email [email protected]

GOVERNANCE • RISK • COMPLIANCE Contents

President’s MESSAGE X page 5 Contact us Cover story Reader Poll X page 6 News X page 8 News features X page 10

Financial Crimes 12 News X page 17 GRC Professional is the official monthly publication of GRCI in Australia, New Ransomware exacting a high toll Zealand, Hong Kong & South-East Asia. Manager liability Individuals and organisations alike are edges closer falling victim to a sophisticated new way to extort money. X page 19 GRC Institute As Britain gears for the introduction of a hard-line approach to making The rise and rise of scamming President: Alf Esteban individuals personally liable for Scams have become synonymous with Vice President: Carolyn Hanson corporate misconduct, others question the internet, but they can be countered Treasurer: Gillian Kinder by common sense. X page 20 Director: Susan Cretan the viability of trying to scare people into Director: David Morris behaving ethically. Director: Stephen Luk Fear, loathing and malicious intent Director: Lois McCowan There might be a maturing appreciation Director: Kellie Powell of the risks that can arise from gross misconduct in the workplace, and the Managing Director: hugely negative impact it can have on Martin Tolar [email protected] corporate reputation, but still some just don’t seem to care. X page 26 National Manager: Naomi Burley Mobile time bombs [email protected] BYODs are now ubiquitous in the Ph: +61 2 9290 1788 workplace, and if left unmanaged Fax: +61 2 9262 3311 can be a serious threat to business www.thegrcinstitute.org continuity. X page 30 GPO BOX 4117 Sydney NSW 2001 Australia Doing business in Indonesia In the first in a series of articles examining the risks facing organisations GRC Professional looking to embark on business Editor: activities in different parts of the Mark Phillips Asia Pacific region,GRC Professional +61 2 8245 0704 looks at Indonesia. X page 33 [email protected]

Advertising: Lost privacy costing big time Naomi Burley Open-plan offices are taking a +61 2 9290 1788 heavy toll on workers’ engagement, [email protected] creativity and wellbeing – and one of the reasons is that they know Big Brother is watching. X page 37 Disclaimer: While GRCI uses its best endeavours in preparing and ensuring the accuracy of the content of this publication, it makes no representation or warranty with respect to the accuracy, applicability, fitness, legal correctness or completeness of any of the contents of this publication. Information contained in this publication is strictly for educational purposes only and should not be considered legal advice. Readers must obtain their own independent legal advice in relation to the application of any of the material published in this journal to their individual circumstances. The Institute disclaims any liability to any party for loss or any damages howsoever arising from the use of, or reliance upon, any of the material contained in this publication.

4 GRC Professional • July 2015 PRESIDENT’S MESSAGE

Changes at the Institute Martin Tolar, Managing Director of the GRC Institute, advised the Board in early July of his intention to resign with effect end August to pursue interests outside of the GRC sector. The Board has accepted his resignation and has implemented the agreed succession plan by promoting Naomi Burley to lead the GRC Institute through to our next phase. Martin has led the GRC Institute for the past nine years. During this time he has led our expansion internationally with over 15 per cent of members now based outside of Australia; the establishment of the GRC Institute as a Registered Training Organisation, allowing for the Associate and CCP courses to be accredited to the level of Certificate IV and Graduate Certificate respectively; the rebranding and repositioning of the then ACI to the GRC Institute, recognising the close interaction between the compliance and risk professions and the growing membership from the risk profession; and working with Standards Australia and our membership in transforming the AS/NZS 3806 Compliance Management standard to become the ISO 19600 Compliance Management standard. On behalf of the Board and members, I wish Martin the best in the next stage of his career and thank him for his efforts over the past nine years. The change in leadership at the GRC Institute has enabled the Board to undertake a full review of operations of the organisation as well as a reassessment of our strategy and direction, working closely with Naomi Burley in her upgraded role. This review is currently underway, led by our former Director and Treasurer Robert Emery. The review is anticipated shortly and any material changes to our operations and direction will be communicated to members. In the meantime, it is business as usual at the GRC Institute under Naomi’s direction. The traditional End of Financial Year networking events will be held in Sydney, Melbourne, Brisbane, Perth and Auckland in August. This is a great opportunity to meet your fellow risk and compliance professionals in a casual environment, share insights in our profession, make new friends and reacquaint with old ones. I encourage you to attend these events which are free for members and a small fee for non-members. Places are strictly limited so I recommend that you register soon to avoid disappointment. Registration forms and additional details are available in the Events section of the GRC Institute website. The EOFY Networking event is but one of the many benefits available from your membership to the GRC Institute. Existing members will have received their membership renewal notifications and I am pleased with the response to date in the level of renewals and the new member applications received. The GRC Institute Annual Conference will be held in Melbourne from 28 to 30 October at the Crown Conference Centre. The theme of this year’s conference is “Change Catalyst” and our line-up of inspirational speakers will explore topics across the change management spectrum at an organisational and individual level. The feature of our conference is on the focus of practical insights from senior practitioners in governance, risk and compliance. Back by popular demand, we will be running a change management simulation as well as a series of breakout sessions. Along with our gala dinner, graduation ceremony and annual awards presentation our conference again promises to be the must-attend event of the 2015 conference season. Additional information on GRC 2015, the 19th Annual GRC Institute Conference, is available on the website (www.grcconference.com.au). I look forward to seeing you at what will be the conference event of the year for risk and compliance professionals.

Alf Esteban CCP, President, GRCI

5 Reader Poll

Last month’s Poll Best from around the web Reader Poll BYODs These were the stories being discussed at the GRC Institute this month: Is manager As we outline in our story on page 31, how easy would it be for your liability a employees to grab a client list and forward it TALK ABOUT SHOOTING to themselves or others or copy it onto a USB YOURSELF IN THE FOOT! X step too far? memory stick and walk out the door? Organisations can spend years developing As we report on page 12, there templates, operations manuals, procedures, TOO LATE TO SAY SORRY X is a huge divide in opinion on whether internal software and client data. Many can making managers personally liable for their take the value of this for granted and it is actions will have any real impact on ethical not until a breach occurs that management behaviour. realises that if the material is passed to the DOES MY INSURANCE This month we’re asking for your opinion opposition, they could lose vital business. COVER THIS? X on the matter, but before doing so check Hence, last month we asked whether your out our story, because as Britain gears for firm has a strict policy on Bring Your Own the introduction of a hard-line approach Devices (BYODs) into the workplace. CAR AND EMPLOYER’S to making individuals personally liable for Almost unanimously (there was one REPUTATION TRASHED X corporate misconduct, others are seriously exception), the answer was no. questioning the viability of trying to scare To find out more about how you can people into behaving ethically. better protect your organisation from the Email mark.phillips@thegrcinstitute. potential dangers of BYODs, and how to org and we will publish your views in the counter them by implementing a solid BYOD next issue. It is simple and straight-forward, policy document based on your business requiring an answer to just one question: Will requirements and risk profile, and insisting more regulations increase ethical decision- that employees sign it, don’t miss the feature making? in the current issue.

6 GRC Professional • July 2015 Add extra protection against Malware threats

Blueprint BrowserProtect is the solution for advanced browser security

Blueprint OneWorld is a registered trademark of ICSA Software International Limited. NEWS

Uber opens the door to regulation In a development sure to be watched closely around the world, Meanwhile, in a dramatic turn of events, a court case that was taxi-booking service Uber has said it is open to the possibility of testing the legality of UberX’s ride-sharing service in Victoria took government regulation in New Zealand. a dramatic turn on July 20 when the Taxi Services Commission David Plouffe, Uber chief strategist and a former advisor to ambushed a driver in the courtroom, serving him with three Barack Obama, is understood to have already spoken with NZ additional charges. transport minister Simon Bridges about a possible government approach to the issue which, he says, is taking a “fair and considered” approach to possible regulation of the controversial service. The California-headquartered charter company, which operates through smartphone technology and allows customers to book and pay for low-cost vehicles, has caused widespread resentment among traditional taxi operators. Internationally, Uber is now worth around US$18 billion. Also, in a related development, changes to the regulation of Western Australia’s taxi industry have been flagged by its transport minister, Dean Nalder. However, the industry is unhappy that a green paper to “provoke discussion” on reforming the sector is taking so long to be released. The Taxi Industry Forum is demanding that the government act with greater urgency because, it says, the heavily regulated industry is struggling in the face of increasing competition from Uber. Although acknowledging that change is inevitable, including the phasing out of taxi plates, Nalder is adamant there will be no compensation for taxi plate holders. WA Premier Colin Barnett has rejected any compensation because he says “it is not up to the taxpayer to compensate people”.

New benchmark for DPAs under fire Anti-corruption groups Transparency International, Corruption compliance Watch and Global Witness have warned Britain’s Serious Fraud The ISO Compliance Management System Standard, ISO 19600 Office (SFO) not to follow a trend set in the US where criminal has just been adopted in Australia, and will now be known as AS/ charges are increasingly being replaced with deferred prosecution ISO 19600:2015. agreements (DPAs). The objective of the standard is to provide guidance for The use of DPAs, in which a prosecutor basically agrees to grant establishing, developing, implementing, evaluating, maintaining amnesty in exchange for a company agreeing to pay fines, implement and improving an effective and responsive compliance management corporate reforms and comply with various other measures on the system within an organisation. proviso there is no further wrongdoing, has come under increasing The project brings to completion the work of various industry criticism in the US. bodies, including the GRC Institute, to transfer the original compliance The anti-corruption groups have written to SFO director David standard AS 3806 from an Australian standard, to a joint standard with Green in a bid to head off anything similar developing in the UK, New Zealand and now an internationally adopted standard. arguing that deals should not become a common way to resolve “On behalf of the GRC Institute, I would like to thank the investigations and instead be subject to court approval in a public countless number of compliance professionals over the years that hearing. have made a contribution to this invaluable tool being adopted as In the letter, they contend that immunity to individuals should the international benchmark for compliance programs,” says GRC be avoided while companies should be hit with fines of “significant Institute managing director Martin Tolar. deterrent value”.

8 GRC Professional • July 2015 NEWS

Surge in copyright infringement New research conducted by the Australian and United Kingdom was: cheaper (39 per cent), more available (38 per cent), and had the governments shows Australia has high levels of online copyright same release date as other countries (36 per cent). Notably, 43 per infringement and reinforces the need for international and industry cent of internet users stated that they were not confident of what is cooperation to address piracy. legal online content. Both countries conducted surveys between March and May this Recent amendments to the Copyright Act 1968, which enable year to measure online copyright infringement across different the blocking of infringing overseas websites, and complement the content types. Copyright Notice Scheme Industry Code that is currently being The Australian survey carried out 2630 interviews and found developed by both rights holders and internet service providers, are nearly half (43 per cent) of respondents who had consumed digital part of the solution, according to the Department of Communications, content had consumed at least one of those files illegally, compared which commissioned the survey. However, rights holders’ most to only a fifth in the UK. powerful tool to combat online copyright infringement is making It also found people would likely stop infringing if legal content content accessible, timely and affordable to consumers.

Law firm confirms ASIC probe Despite initially denying as “misleading and inaccurate” reports that would cooperate fully with ASIC and confirmed that an accounting it is being investigated by ASIC over its relationship with auditor error has been found in its UK business. Pitcher Partners, law firm Slater & Gordon, an ASX-listed company, UK regulator, the Financial Conduct Authority, is currently has since confirmed that the watchdog is, in fact, pursuing the matter. investigating Quindell, a company that Slater & Gordon paid Shares in Slater & Gordon plunged more than 25 per cent to $3.75 $1.3 billion to for its professional services division in March on news of the announcement. In a formal statement, the firm said it this year.

Echo denies SEC targets Deloitte The US Securities and Exchange Commission (SEC) has charged underworld claim Deloitte & Touche LLP with violating auditor independence rules Melbourne’s Sunday Age newspaper has reported that underworld when its consulting affiliate kept a business relationship with a figures, their business associates and friends have been warned to trustee serving on the boards and audit committees of three funds stay away from Jupiters Hotel & Casino on the Gold Coast because of Deloitte audited. fears they might jeopardise owner ASX-listed Echo Entertainment Deloitte has agreed to pay more than US$1 million to settle the Group’s bid to win a new a new licence in Brisbane, apparently worth charges. The SEC also charged the trustee with causing related more than $12 billion. reporting violations by the funds, as well as the funds’ administrator According to the report, Echo is worried an investigation by with causing related compliance violations. They also agreed to regulators or adverse publicity could impact its proposal. settle the charges. Echo has emphatically denied the report. Auditor independence rules require outside auditors to “remain independent from their clients to ensure there is not even the appearance of a firm compromising its objectivity and impartiality when auditing financial statements”, the SEC notes. Deloitte violated its own policies by failing to conduct an independent consultation before starting a new business relationship with the trustee, it adds.

9 NEWS features INSURERS GRAPPLE WITH MAJOR REGULATORY CHANGE The pace of regulatory change in the insurance sector looks set to accelerate, putting even more pressure on insurers to stay ahead of the game.

“ICS requires “We are truly in the early stages of requirements and whether new standards will require substantially a new journey in global insurance regulation, and changes to local solvency requirements. more as a result of new global requirements, insurance KPMG Australia insurance risk lead, Rob Curtis, understanding groups are going to be subject to new, more rigorous points out that in addition to ongoing CPS 220 and and debate governance, reporting and capital requirements.” ICAAP requirements, the introduction of a chief among So says KPMG global insurance head, Gary risk officer (CRO) role adds pressure on insurers to supervisors Reader, on the release of the firm’s fifth annual report demonstrate the adequacy and effectiveness of their and industry, on the world’s insurance sector. According to Reader, risk management framework. particularly recent actions by the International Association of “These Australian requirements are world- regarding how Insurance Supervisors (IAIS), other global bodies leading,” he notes. “APRA is ahead of its other global global standards and regional regulators are leading the transition to supervisory counterparts in mandating a formalised will coexist a new era in insurance regulation and fundamentally CRO role and this will continue to have cost and alongside local change the way the insurance industry operates. resourcing implications for Australian insurers.” requirements.” It is not welcome news for the sector, as according As part of these measures, boards are now required to PwC’s latest biennial “Insurance Banana Skins” to form a view regarding risk culture within their survey, regulation is top on the list of external organisations to ensure alignment with risk appetite risks faced by the industry. In fact, it is the third strategy and the broader risk management conducted consecutive edition in which regulation rates as the by the entity. It is a considerable step-change for number-one risk. most insurance boards, which must now be able to Some of the most notable international regula- demonstrate that all staff understand and abide by the tory developments are the steps taken by IAIS with risk management framework relevant to their areas of the establishment of the Insurance Core Principles responsibility. (ComFrame) and developments with the ICS, be- Curtis maintains that, aligned with these devel- ing publication of a consultation document and ICS opments, regulators are moving towards a forward- guiding principles. looking, proactive and judgment-based supervisory For its report, titled “Evolving Insurance approach. Regulation – The Journey Begins”, KPMG canvassed “This increased focus on consumer outcomes insights from a panel of industry leaders and regulators. means regulators such as ASIC and APRA are not “While they see value in greater international just interested in the control environment, but also in consistency and harmonisation of insurance re- firms’ business models and strategies – for example, quirements, with ongoing cooperation and engage- consideration of key drivers of profit and whether con- ment by supervisors, and a desire for greater IAIS sumers are being treated fairly in the sale of products. focus on supervisory activities going forward, con- “We expect to see a considerable increase in cerns have been raised as to whether this can actu- such focus over the next 12 months from Australian ally be achieved in practice,” Reader says. regulators, particularly the drivers of conduct risk He believes implementation of ICS requires which will place further pressure on senior executives substantially more understanding and debate among and management to respond accordingly.” supervisors and industry, particularly regarding KPMG Australia insurance sector leader how global standards will coexist alongside local Martin Blake summarised: X

10 GRC Professional • July 2015 news features

“Over the past decade, the pace of change in the insurance sector has been exceptional, with new Key findings models, competitors and technologies all combining • Group risk officers interviewed support global regulatory efforts but worry how with additional regulation to impact insurers around global standards will coexist with local requirements. the world. All signs indicate that this pace is only • Australian insurers will be impacted by increased focus on a move to domestic going to increase in the future, particularly in regards systemically important insurers, risk culture and consumer outcomes. to disruption and innovation in the Australian • Disruption and innovation changes are set to significantly impact the Australian ••• insurance industry.” insurance market.

BEST PRACTICE IGNORED ON INCIDENT RESPONSE Most organisations are inadequately prepared for the challenges of today’s advanced cyber threats.

The latest global breach readiness and a process to update information to reduce the survey from RSA, the security division of EMC, has chances of future incidents. revealed that the majority of organisations worldwide Most organisations recognise that basic log are still not prepared for security breaches. collection through SIEM (security information and The survey covered 30 countries and compared the event management) systems only provides partial results with another survey by Security for Business visibility into their environment. In the general Innovation Council (SBIC), a group of security survey, 72 per cent of respondents have access to experts from Global 1000 companies. malware or endpoint forensics, but only 42 per cent Using SBIC as a benchmark, RSA’s study focused “Incident response have capabilities for more sophisticated network on four main areas of breach preparedness and is a core capability forensics, including packet capture and net flow response: incident response; content intelligence; that needs to be analysis. analytic intelligence; and threat intelligence. The developed and Further, despite external threat intelligence and results suggest most organisations continue to consistently honed information sharing being a key for organisations struggle with the adoption of technologies and best to effectively to stay up-to-date on attackers’ current tactics and practices that will allow them to more effectively motives, just 43 per cent are leveraging an external detect, respond to, and disrupt cyberattacks that turn counter the threat intelligence source to supplement their into damaging breaches. increasing volume efforts. RSA says incident response is a core capability that of cyberattacks.” “Attackers continue to exploit known but needs to be developed and consistently honed to ef- unaddressed vulnerabilities in damaging breaches,” fectively counter the increasing volume of cyberat- says RSA chief trust officer, Dave Martin. “Despite tacks. However, the survey shows that while all lead- this common knowledge, the survey found that ing edge SBIC members have developed an incident only 40 per cent of the general population has an response function, 30 per cent of at-large organisa- active vulnerability management program in place, tions have no formal plans. Even 57 per cent of those making it more challenging to keep their security that do admit to never updating or reviewing them. programs ahead of attackers.” The content intelligence component measured According to Martin, organisations are awareness gained from tools, technology and pro- struggling to gain visibility into operational risk cesses in place to identify and monitor crucial assets. across the business. While all SBIC members can gather data and “As business has become increasingly digital, provide centralised alerting, 55 per cent of general information security has become a vital area of respondents cannot, rendering them blind to operational risk and while many organisations numerous threats. Only one in two said they have may feel they have a good handle on their security, developed a plan for identifying false positives. In it is still rarely tied in to a larger operational risk comparison, over 90 per cent of SBIC members strategy, which limits their visibility into their have installed automated cybersecurity technologies actual risk profile,” he says. •••

11 COVER STORY

MANAGER LIABILITY EDGES CLOSER As Britain gears for the introduction of a hard-line approach to making individuals personally liable for corporate misconduct, others question the viability of trying to scare people into behaving ethically. Mark Phillips reports.

Last month GRC Professional reported At its core, SMR aims to put paid to what happened on calls by the Australian Securities and Investments in wake of the GFC, when senior executives simply Commission (ASIC) for tougher penalties on banks blamed widespread banking failures on the culture to counter what it said is a “rotten culture” purely of the institutions they worked for and in so doing focused on short-term gains ahead of anything else. shirked any individual accountability. Regulators now If that was not enough to set alarm bells ringing want someone they can hang out to dry. in the financial sector, commencement of the Libor trials in London perhaps should be. It’s getting personal Tom Hayes, a former trader on trial for allegedly “Holding individuals to account is a key component “We believe conspiring to rig benchmark interest rates, has of our job as regulators of banks,” says Andrew that enhancing admitted to being motivated by greed and was fired by Bailey, deputy governor for prudential regulation and individual US bank Citigroup in 2010. CEO of the Prudential Regulation Authority (PRA). accountability Hayes is the first person to be prosecuted over “The combination of clearer individual and improving manipulation of the London interbank offered rate responsibilities and enhanced risk management the alignment of (Libor) after a seven year, global inquiry that has led incentives will encourage individuals in banks to take risk and reward to banks and brokerages paying around US$9 billion greater responsibility for their actions. We believe that should have a in fines and sparked an overhaul of how financial enhancing individual accountability and improving positive impact benchmarks such as Libor are policed. the alignment of risk and reward should have a on behaviour Since the global financial crisis (GFC), financial positive impact on behaviour and culture within and culture institutions have been subject to a plethora of new banks and will help to ensure that they are managed within banks.” regulatory pressures, among them Solvency II, Basel in a way that promotes the safety and soundness of III, FACTA, Dodd-Frank, MiFID, T2S and various individual institutions.” EU initiatives. But not everyone agrees, arguing instead that it Nothing, however, quite compares to the will only lead to a reduction in the overall quality of controversial Senior Managers Regime (SMR), an boards, less top management talent and by holding integral tenet of which is that board members should individuals personally liable, an overtly punitive be personally liable for business operations where approach to compliance and regulatory failings. there is misconduct. However, given the greed, systemic negligence, Slated for introduction in the UK in March next poor governance and generally “rotten” culture year, SMR will clarify the lines of responsibility at that has become synonymous with banking, Martin the top of banks, enhance the ability of regulators Wheatley, CEO of Britain’s Financial Conduct to hold senior individuals in banks to account and Authority (FCA), gives the impression it’s a done deal. require banks to regularly vet their senior managers “This is what people inside and outside the for fitness and propriety. banking sector expect,” he says. X

12 GRC Professional • July 2015 COVER STORY

What’s more, there is no shortage of people who doing the right thing” suggests regulators adopt a would like to see the framework ramped up to capture more positive tone by focusing on the good behaviour all financial institutions, superannuation funds and they want new rules to promote, rather than the bad investment schemes. The regulatory Genie, it seems, behaviour they hope to stamp out. Likewise, it says may well and truly be out of the bottle, as evidenced by rule makers in businesses should reinforce the effect some new developments in the US. by identifying their firms’ purpose with what the rules stand for. An environment of fear “The upshot, “Just by changing how they communicate, rule Earlier this month the Wall Street Journal ran a report on it seems, is that makers can create a more positive climate in financial whether compliance officers are being unnecessarily the two SEC services and individual businesses, while still being targeted by the Securities and Exchange Commission commissioners clear about sanctions for bad conduct,” the report (SEC), after its commissioner Luis Aguilar was forced harbour states. to defend the agency’s enforcement actions. conflicting “Leaders can play a vital role by putting the Aguilar was adamant that the SEC does not take views about the spotlight on the positive outcomes of good behaviour actions against compliance officers who “take their relative merits rather than the penalties for behaving badly. And by jobs seriously and do their jobs competently, diligently of the stick changing the emphasis of management information and in good faith to protect investors”. and carrot.” systems, businesses can encourage innovation However, his comments came in stark contrast to and creativity as well as spot warning signs of bad remarks made only a couple of weeks before by fellow behaviour.” SEC commissioner Daniel Gallagher, to the effect that The study reveals that when presented with the agency was now “extending its reach” by targeting situations where the negative consequences or compliance officers for the actual implementation of punishment for poor performance were highlighted, programs, not just their creation. managers were 15 per cent more anxious than This, Aguilar admitted in a prepared statement, had excited, leading them to be more than twice as likely “unnecessarily created an environment of unwarranted to behave unethically. Managers presented with the fear in the CCO community [which is] unhelpful, sends same situations, but with the positive outcomes of the wrong message, and can discourage honest and success highlighted, were correspondingly more competent CCOs from doing their work”. excited, leading them to be more than twice as likely The upshot, it seems, is that the two SEC to demonstrate innovative behaviour. commissioners harbour conflicting views about the “We aren’t suggesting this research means we relative merits of the stick and carrot. should abandon rules or abolish penalties for bad behaviour,” emphasises Duncan Wardley, people and Calls for a positive tone change director and behavioural science specialist A new report by professional services firm PwC leaves at PwC. “The systemic conduct issues present little room for doubt on the matter: you can’t scare in financial services are serious and need to be people into doing the right thing. In fact, a get-tough addressed. It’s essential that people understand what’s approach to poor manager performance in terms acceptable and what isn’t – and that wrong-doers at all of behaviour and reaching targets risks creating a levels are appropriately sanctioned. climate of fear and breeding more unethical conduct in financial services – the very opposite of what Counter-productive sanctions regulators, businesses and the public want. “However, the focus on sanctions, aimed at The report, conducted with the London Business punishing the minority of people who are prepared School and based on a study of 2431 managers from to commit deliberate fraud, breeds anxiety in those UK financial services organisations representing who are seeking to do the right thing, but who now banking, insurance and wealth management, reveals head into work every day fearful of making a mistake. that the threat of fines, bonus clawbacks and even These kinds of pressures have the potential to push prison won’t work on its own because anxiety disrupts ordinary well-meaning people into behaving less people’s capacity to make good decisions. ethically than we, or they, would like.” Perhaps predictably, the report titled “Stand out According to Wardley, the research clearly shows for the right reasons – why you can’t scare bankers into people who are competing with their colleagues are

13 COVER STORY

“A get-tough more likely to behave ethically when they’re excitedly approach to pursuing rewards than when they’re fearfully poor manager avoiding punishments. This, he says, should matter performance to business leaders and regulatory bodies alike. in terms of “They play a big role in deciding whether behaviour and companies habitually frame competition positively, reaching targets in terms of benefits, or negatively, in terms of risks creating a penalties,” he says. “That has a huge influence climate of fear on the emotional state of the people who work in and breeding financial services. By presenting competition in more unethical a more positive way, leaders can create a culture of conduct.” excitement rather than fear, and help people behave more ethically. “In fact, leaders should see creating the right climate and the right culture as being a central part of their role.”

More than money A key takeaway from the study is that experiences matter more than policies, and that a firm’s culture isn’t just about its official rules, but the kind of behaviour the business values and rewards. Indeed, the attitude of respondents to the basis for X

14 GRC Professional • July 2015 COVER STORY

promotion and bonuses varied so widely as to suggest While deferral and clawback might sometimes be no relation to the company’s actual policies. necessary, Gosling believes pay regulation has become Further, the research reveals that despite popular too focused on how people are paid and not enough on belief, when it comes to bonuses, size isn’t everything. what people are paid for in the first place. Managers were asked how their company’s “Regulators need to focus on creating a positive approach to rewards made them feel. When it made culture in which ethical behaviour is a result of them feel anxious, they tended to say money was one employees’ intrinsic motivation as opposed to fear of of their key motivators. They also tended to take more “It’s essential negative consequences,” he says. risks and make unethical choices. that people On the other hand, respondents who said their understand The future now company’s approach made them feel excited were less what’s Whether a regime such as SMR will achieve this driven by money and more likely to be motivated by acceptable remains to be seen. Already, two non-executive board approval from their bosses, colleagues and clients for and what isn’t members from HSBC’s UK operation have quit, citing doing a good job. — and that SMR as one of their main reasons. “Tough medicine prescribed by regulators wrong-doers In the US, Aguilar is telling anyone who will to curb conduct issues meets the public appetite at all levels are listen that only eight cases in 2014 involved SEC for retribution,” says Tom Gosling, head of pay, appropriately enforcement action against a compliance officer, or six performance and reward at PwC. sanctioned.” per cent of the total, down from 19 per cent in 2013. “But pay regulation based purely on pay structures So far, his assurance seems to have done little to quell and penalties can unintentionally create the very the “environment of unwarranted fear” in the CCO conditions that make unethical behaviour more likely.” community he talks about. The research shows that an approach to pay Further, advocates of introducing senior manager regulation that focuses too much on pay instruments, liability in Australia appear undeterred, and arguably deferral, and clawback can create the emotional states have little to worry about anyway After all, given that in which creativity is crowded out, focus on financial the SMR approach in the UK, Europe and US has an rewards is maximised and unethical behaviour extraterritorial aspect, one way or another it’s coming becomes more likely. any way. •••

The toss of a coin A new study has found that when bankers start thinking about their job, it leads them to dishonesty.

Although contemporary commentators have rushed to blame the plethora of scandals involving everything from rogue trading to interest rate fixing in the financial sector on its business culture, there has been little scientific evidence to support the claim. As a result, researchers from the University of Zurich recently decided to test the honesty of 200 workers at a major international bank. The study found that on average, they behaved honestly in a controlled environment However, when their professional identity as bank employees was rendered salient, a significant proportion of them became dishonest. This, the researchers noted, was specific to bank employees because controlled experiments with employees from other industries, using the same technique, showed they do not become more dishonest when their professional identity or bank-related items are rendered salient. “Our results suggest that the prevailing business culture in the banking industry weakens and undermines the honesty norm, implying that measures to re-establish an honest culture are very important,” the researchers state. In other words, it weakens culture because rather than dishonest people going into banking, it seems that the materialism of the industry – including the lure of lucrative bonuses – in itself leads to people lying and cheating. X

15 COVER STORY

In the study, the university team split the 200 bank workers into two groups and asked them a series of questions. One group answered questions about their hobbies, while members of the second were quizzed about their job. They then took part in a private coin-tossing exercise designed to assess honesty, with each told they would win around $20 every time the coin landed a certain way. Finally, they were asked to report how many of the 10 “Our results tosses landed the winning way up. suggest that Those asked about their hobbies said they had made a winning throw roughly half the time which, based the prevailing on the laws of probability, was to be expected. However, those who had focused on their jobs claimed to have business culture flipped a winning heads or tails far more often. The researchers knew this because the participants were secretly in the banking observed. industry In all, a quarter of those who thought about their work cheated. Importantly, non-bankers did not become weakens and less honest when made to think about their jobs. Also of note is the fact that further experiments showed the undermines the bank workers’ dishonesty wasn’t driven by fear of competition. honesty norm.” Instead, materialistic values seemed to be to blame, with those made to think about their jobs more likely to say that wealth is key to social status and success. “Our results suggest that the prevailing business culture in the banking industry favours dishonest behaviour and thus has contributed to the loss of the industry’s reputation,” the researchers claim. It seems, however, that there is a long way to go. A further experiment by the same team revealed the public considers bankers to be even more dishonest than prison inmates. They even went so far as to suggest that measures such as a Hippocratic Oath for bankers could help restore public confidence in the sector. •••

16 GRC Professional • July 2015 Financial Crimes Edition Thirteen July 2015

ACCC ups the Fiat Chrysler Ransomware ante on scams chief out of gas exacting a Page 18 Page 18 high toll Page 19

2013, when most of the alleged deception allegations, the third party committee has Accounting occurred. been examining minutes from the monthly The firm has announced that it is now meetings and emails exchanged within the scandal rocks revoking its earnings forecast of 120 billion firm, while interviewing Toshiba executive yen net profit for the past fiscal year and will board members and other employees. not pay a dividend. Similarly, Tanaka is also said to have Toshiba Various reports in the Japanese media been demanding that each division meet n a sensational development, reports have alluded to Sasaki at regular monthly budgetary targets as he wanted the firm to out of Japan suggest that the forced meetings aggressively urging division chiefs earn its highest-ever operating profits, with resignation of Toshiba president His- to meet budget targets. To confirm the accounting fraud continuing throughout. ••• ao Tanaka is now imminent. IThe Japanese conglomerate has been the subject of a third party investigation into serious accounting irregularities which, it has been alleged, involve overstating around 200 billion yen ($1.6 billion) in its group operating profits for the five years to March 2014. The irregularities are understood to relate to Toshiba’s mainstay infrastructure, semiconductor, television and lucrative personal computer businesses. The panel charged with investigating Toshiba’s activities apparently found that the divisions intentionally inflated near- term earnings in reports to satisfy the wishes of top management to grow profits. According to the Kyodo news agency, Tanaka and former president and current vice chairman Norio Sasaki are among those behind the profit-padding. Sasaki is expected to almost certainly also resign as a result of the scandal given he served as president between June 2009 and June Former Sigma bosses face the music

he former chief executive of overstating the company’s 2010 revenue by false or misleading information to Sigma’s Sigma Pharmaceuticals and its $15.5 million and its profit by $9.6 million. auditors and board, an offence that carries a former chief financial officer may The pair also pleaded guilty to a second maximum jail term of five years or a fine of face jail after pleading guilty to charge of overstating revenue by $3.5 up to $22,000. Toverstating the group’s profits. million in the firm’s 2009 half-year report, Both men resigned from Sigma in 2010 In an appearance before the County with the court hearing that they also intend after it recorded a $389 million loss and a Court in Melbourne both men admitted to plead guilty to two charges of giving $500 million goodwill writedown. •••

17 ACCC ups the ante on scams he Australian Competition and Consumer Commission (ACCC) is urging people not to send money or personal details to strangers after $45 million was reported lost to scams so far this year, and 45,000 complaints made (see story page 20). TIt has also just launched a new Scamwatch website (http://www.scamwatch.gov. au) which, according to ACCC acting chair Delia Rickard, has been designed to help people identify and avoid scams. “For the first time, the ACCC has published data on common scams that are causing the most harm in Australia,” Rickard says. “By following the advice on this site, you can help to protect yourself against scammers.” According to the ACCC, everyone is susceptible to scams and should, among other precautions: • Be alert to the fact that scams exist: When dealing with uninvited contacts from people or businesses, whether it’s over the phone, by mail, email, in person or on a social networking site, always consider the possibility that the approach may be a scam. If it looks too good to be true, it probably is. • Know who you’re dealing with: If you have only ever met someone online or are unsure of the legitimacy of a business, take time to do some research. Do a Google image search on photos or search the internet for others who may have had dealings with them. •••

standover and intimidation tactics, as well as Fiat Chrysler Royal the promotion of cartels, in the weeks to come. In total, the commission is expected to hear chief out of gas commission from around 40 witnesses. ••• occer star Harry Kewell made person- claims heat up al payments into the bank account of Fiat Chrysler boss Clyde Campbell af- in Canberra Lift your game ter signing a lucrative $1 million a year hen the royal commission into dealS to become a brand ambassador for Jeep, on cybercrime, trade unions came to Can- according to documents filed with the Federal berra earlier this month, the Court. expert warns first thing it heard was that a Fiat Chrysler has since launched legal WSydney-based tiler paid bribes to a construction ead of financial crime Asia Pa- action against Campbell to recoup more union official to get work in the capital because cific at BAE Systems Applied than $30 million it claims he misused or “that’s the market”. Intelligence, Sanjay Samuel, has misappropriated to help fund a lavish lifestyle As if that were not enough on the first day of warned that if businesses are to for himself and business associates. the commission’s three-week stay in Canberra, everH successfully counter cybercrime, they According to the motoring giant, it is “not a formwork subcontractor then told about how must improve and continue to develop their aware of any business reason why Kewell he had made payments of about $135,000 in risk management techniques. would deposit funds into Campbell’s personal cash, in envelopes, to the same Construction According to Samuel, all companies, bank account”. It alleges, however, that Forestry Mining and Energy Union organiser particularly those in financial services, are at Campbell authorised the purchase of Chrysler so as to “guarantee” a competitive advantage risk of serious breaches unless the standard vehicles for a number of celebrities in Britain over rivals. of security analytics is raised and relevant he called “brand ambassadors”, including The union didn’t even bother to show mitigation strategies made more effective. Kewell, even though the company has no such up, boycotting in protest at what it said was a Alarmingly, Samuel claims many program there. lack of procedural fairness, while counsel attacks are currently going unnoticed by Campbell has now quit the company. ••• assisting, Jeremy Stoljar, in his opening address organisations, despite the fact that their promised yet more details of corrupt payments, security technologies might have actually detected an initial breach. •••

18 GRC Professional • July 2015 Ransomware exacting a high toll Individuals and organisations alike are falling victim to a sophisticated new way to extort money.

tatistics abound about the cost busi- files are decrypted, and the user is returned Finally, researchers tallied the damage to nesses bear due to cyberattacks and access to their data. derive an estimated ROI that the campaign’s breaches, but arguably just as im- According to McAfee, crypto-ransom owner could be expected to take home over portant is to quantify exactly how infections nearly doubled in the first three a 30-day period. Smuch criminals are banking as a result of months of 2015. their increasingly prevalent trade. “I was frankly stunned by the figures Total expenses: -US$5,900 The just-released 2015 “Trustwave we got from this,” Karl Sigler, a threat Gross revenue: US$90,000 Global Security Report” does just that, intelligence specialist at Trustwave, says. Net revenue: US$84,100 documenting that attackers who launch a The information was derived from the ROI: 1,425% malware infection campaign can expect Darknet and discussions on criminal to earn a staggering 1,425 per cent return forums. “These types of adversaries are trying on investment (ROI) – or US$84,000 in According to Sigler, there is a well- to collect the best possible ROI they can,” revenue – over 30 days. developed criminal underground economy the report states. “This doesn’t mean just The revelation seems to put paid to any with its own supply chain that delivers cashing out once they’ve attacked, but being suggestion that cybercrime is not one of all the key elements online – a kind of cost efficient from the very beginning. If the most flourishing and lucrative rackets do-it-yourself resource for would-be they believe they are encountering a more going around. Indeed, calling it a “racket” extortionists. rigid path of resistance from start to finish – is probably a misnomer, as it fails to allot Trustwave identified forums in Eastern meaning your efforts are attempting to chip enough credit to the professionalism and Europe, Asia and Latin America providing away at their ROI – they may consider the orchestration of the heists, as well as the all of the key tools required: a malicious effort not worthwhile.” resilience of the criminal subterranean. ransomware code, an exploit kit (EK) that An overriding theme of the report is to To calculate the average ROI that can functions as a management portal for an think like an attacker. In much the same be obtained by the manager of an infection attack, and millions of possible victims. way businesses make decisions about how campaign, researchers accounted for four Trustwave researchers then tabulated to grow their revenue (which sales and primary attack ingredients widely available what criminals should expect to gain by marketing campaigns should we invest in; for sale in underground web forums, and fleecing victims, based on market estimates. which research and development should then what their cost would be to purchase we conduct?), security requires a similar and use over a month. Visitors: 20,000 thought process. These comprised: Infection rate: 10% Put another way: If you’re asking yourself 1. Payload (such as ransomware or a Payout rate: 0.5% how to make it more difficult for your Trojan: US$3000) Ransom amount: US$300 competitors to steal your customers, you 2. Infection vector (typically automated Campaign: 30 days also should be asking how to make it more emails that lead to an exploit kit: TOTAL REVENUE: US$90,000 difficult for attackers to steal your data. ••• US$500) 3. Stolen web traffic (visitors to compromised websites redirected to Should you pay? the exploit kit: US$1800) 4. encryption functionality (to hide the Don’t pay unless you have no other choice. Unfortunately, at the moment there is really payload from anti-virus detection: only one viable defence consumers and companies have against ransomware, and that is US$600). to have in place a good backup process which, in the event of the worst happening, will at least enable the recovery of much of the data encrypted by the attackers. Ransomware is a sophisticated new way to extort money out of individuals and In addition to having backups at the ready and frequently testing your restore function, organisations; it infects the machine and also be sure to regularly update workstations with the latest patches, run recognised encrypts all files until about US$300-500 endpoint security software and step end users through effective security training. in Bitcoin has been paid. At that time the

19 fraud

THE RISE AND RISE OF SCAMMING Scams have become synonymous with the internet, but they can be countered by common sense.

“What had the As governments and companies dating and romance scams have cost punters victim done? around the world ponder what to do about so-called fractionally under $10.1 million, with investment Nothing more cyber vandalism and cyber warfare, investing huge schemes not far behind at just over $9 million. In than chat with the amounts of money in their efforts, some are seeing total, Australians lost shy of $46 million between perpetrator on an little return. January and June 2015, with nearly 46,000 scams internet dating Consider, for example, the Melbourne doctor reported. Alarmingly, more than 10 per cent finished site, then met up who was recently held captive for 11 hours, made to up out of pocket. with her – only empty his bank accounts, sign over his car and be “Scammers are becoming increasingly to be confronted photographed with drugs to ensure his silence on an sophisticated in their attempts to get your money or with a baseball internet date horror story. personal details,” ACCC acting chair Delia Rickard bat and knife.” What had the victim done? Nothing more than says. “Scams succeed because they look like the chat with the perpetrator on an internet dating site, real thing and catch you off guard when you’re not then met up with her – only to be confronted with a expecting it. baseball bat and knife. “Scams target people of all backgrounds, ages and Then there’s the case of Fairfield mayor Frank income levels across Australia. There’s no one group Carborne who, himself included, has told of of people who are more likely to become a victim of politicians, teachers and others of “high standing” in a scam and all of us may be vulnerable to a scam at NSW being targeted in a “sexploitation” scam aimed some time.” at tricking them into compromising positions and Although romance and investment-type scams forcing them to pay to protect their reputations. are the most prevalent, they are merely two predatory According to police, the scam was “quite an fish in what seems to be an ever-deepening pond. extensive fraud” attempt that specifically sought out Other risks individuals and organisations face people with a reputable standing in the community. include account takeover, domain name scams, So what’s new? Nothing really, except that this identity fraud, internet auction fraud, loan scams, time around the fraudsters seem to have been more government agency scams, lottery scams – the list selective. Historically, they have tended to target goes on and on. anyone. Last year marked the 25th anniversary of the There are, however, two main types of scams that internet, and with that comes news that a million seem to be on the rise. new pieces of malware – harmful software like viruses, password loggers, and other stuff you ACCC warning don’t want – are released into the wild every day. According to the Australian Competition and Plus, hackers have become very accomplished at Consumer Commission (ACCC), so far this year pretending to be, say, a local police station X

20 GRC Professional • July 2015 or a co-worker in order to get a password or network by selecting domain registrars and hosted services access out of a mark. providers that won’t notice their activities (or will And it’s not likely to get any better. ignore reports of abuse). In emerging markets – where oversight and remediation organisations Emerging threats may not even exist – cybercriminals, like pirates, According to TrendMicro, use of so-called “exploit are more likely to ply their trade unhampered by kits” is escalating (see story page 19). These are regulations. essentially malware in a box – a bundle of code that Further, targeted attacks – like whale phishing lets hackers exploit the most prevalent security flaws (going after executives) – are now aiming at a in the general user base. specific organisation or industry. They don’t need Then there’s traffic direction systems (TDS), to be very sophisticated to work well, relying on which are used to send victims to specific locations human fallibility instead of technical expertise. on the web where they can be exploited. The “Scams target Which comes back to a key part of the criminals behind TDS make money by sending or people of all problem: as long as people post too much personal redirecting traffic to these locations. backgrounds, information on social networking sites, blunder On top of this, botnets are getting smaller. ages and income into obvious and avoidable scams, and click on Not so long ago, botnets consisted of millions of levels across booby-trapped links, cybercriminals will continue “zombie” computers that cybercriminals controlled Australia. to reap big rewards. unbeknownst to the computer users. The problem There’s no According to Eugene Kaspersky, chairman and for botnet operators was that once their monolithic one group of CEO of Kaspersky, businesses and governments botnets were discovered and shut down, their game people who are need to be wary of the evolving cyber landscape. was over. With smaller botnets, authorities have a lot more likely to Kaspersky, who was in Australia last month for more ground to cover, giving cybercriminals more become a victim an AusCERT security conference, revealed that time to run their operations. of a scam.” his global security firm tackles more than 300,000 But let’s not forget mobile threats, which are malicious attacks a day. especially scary simply because there are so many Tellingly, he warned that critical infrastructure, of them. So far, there hasn’t been much evidence of like transportation and telecommunications, is very significant, concerted efforts to target e-commerce much on the radar of hackers. or banking applications through mobile devices, but “Unfortunately, there is no such thing as 100 TrendMicro expects this to change once near field per cent security,” Kaspersky says. “If attackers are communications (NFC) reaches a larger percentage professional enough, and have enough of a budget, I of the consumer market. think almost every system can be hacked.” Last, but certainly not least, is the fact that smart Notably, when it comes to how agencies can cybercriminals now know how to fly under the radar combat cybercrime without trampling on civil

21 fraud

liberties, Kaspersky thinks the debate will be up. Thanks to the Internet of Things, they could “endless’’. hold everything from connected cars to home Unfortunately, GRC professionals do not have appliances to fridges hostage. an endless amount of time to deal with these issues. • Even more insidiously, that also means they have Nor do they generally have the resources to deal the ability manipulate data and, for example, turn with threats which, according to Symantec’s latest off things like pacemakers or threaten to alter “Internet Security Threat Report”, mean: your medical records. • Data thieves don’t have to be specifically aiming So, short of going off the grid, it might seem we’re for you – you just have to be in the system. In all just sitting ducks waiting for the inevitable breach. other words, they can hack everybody. But is that really the case? • It’s not that hard for would-be hackers to get started. There are places online for interested Don’t panic “Data thieves people to learn how to break into computer Over a quarter of a century the internet – along with don’t have to be networks, and the risks of getting caught email – has proven itself to be a resource without specifically aiming are basically nil. It’s a confidence game, and precedent and one that has revolutionised the way for you – you just confidence is high. people communicate and access information. Yes, have to be in the • Often, it’s not even people who are conducting it has also proven to be a fertile medium for the system. In other the actual attack. Automated systems can scan unscrupulous, which regularly use the medium to words, they can scores of networks and break in if they detect a attempt to steal money or personal information from hack everybody.” weakness, directing the spoils to the person who unsuspecting victims. There is no question that started the bot. Humans are increasingly out of those inexperienced in the ways of the internet are the loop. especially vulnerable to scammers. • The so-called “Internet of Things” – perhaps a However, to keep things in perspective, it should more accurate name would be the “Internet of not be forgotten that the direct losses from data Threats” – is a train wreck waiting to happen. stolen through hacking, online card fraud and online Even innocuous devices such as lightbulbs, scams are actually relatively low when compared with thermostats and various other household the direct losses from welfare fraud or tax evasion. appliances connected to the web can be like Moreover, in the US, current federal spending on planting bugs in your own home. What time cybersecurity dwarfs the losses suffered by victims of does your alarm go off? When do you turn on online scams, fraud and other crimes, by at least three your TV? What shows do you watch and – by- or four times. the-by – are you playing any pirate copyright- According to Spamalytics, less than 0.1 per cent protected DVDs? Separately, these pieces of of all online credit and debit card transactions are information might seem trivial, but together compromised, meaning that despite the ubiquity of they can form a snapshot into your private life – the internet, card fraud still happens more offline a treasure trove of data waiting to be intercepted than online, such as through the use of counterfeit and data-mined. cards to make fraudulent purchases at stores and in- • Further, credit card numbers aren’t the worst person. thing a hacker can steal. After all, you can It is also worth remembering that it’s usually cancel a credit card, but if a hacker gets your the most low-tech, low-cost and simplest remedies health records, they can file claims against your that are actually the most effective in deterring health insurance company to the tune of tens of crime online. For example, use of simple two- thousands of dollars. factor authentication has proven to be an effective • But ransom is the surest way for hackers to make deterrent. The system works by confirming the money, which is why once a hacker gets onto a identity of a user by sending a code to another device corporate network, they will encrypt every file that the account holder will have immediate access the victim has, only returning access if they pay to, such as a phone. X

22 GRC Professional • July 2015 23 fraud

Tellingly, the hack on JP Morgan exploited a product to the highest bidder. The product, however, server that did not have two-factor authentication is either non-existent or not the one described. enabled. Scammers will try to collect the full funds from the Basic encryption of sensitive information is winning bidder before shipping the product. This is another tried and tested measure. Let’s not forget typically facilitated via a money wire transfer, and the that the hacked Sony passwords were stored in a plain seller will ask for funds to be sent to a third party. text spreadsheet called “passwords”. In instances where scammers do ship a product Needless to say, the first part of sidestepping to the buyer, it will almost certainly be of much lower identity theft, viruses and other intrusions is being value than what was purchased. The shipment will able to identify fraud when you see it. need to be signed for, which obligates the buyer to pay in full, even though it isn’t the promised item. “As long as Internet auction fraud and non-delivery This is known as the non-delivery of merchandise people post too of merchandise scam. much personal Internet auction fraud is a widespread scam that information targets consumers on auction websites such as eBay. Spam and identity theft on social Typically, the scam consists of someone posting Spam is implicated in a common form of fraud, in networking a product for sale on an auction site to “sell” the which bulk emails are dispersed to millions of X sites, blunder into obvious and avoidable scams, and click on booby- trapped links, cybercriminals will continue to reap big rewards.”

24 GRC Professional • July 2015 email addresses in an effort to corrupt people’s Investment frauds computers, steal identities or pull unwitting individ- Various investment schemes typically target stock uals into paying for fraudulent products or services. investors, trying to steal money and investors’ A spam message will offer any number of false identities. Some will come in the form of an online dealings to recipients. Common offerings including newsletter, which for a fee will offer inside informa- low-interest loans, free credit report checks, sweep- tion on stocks and provide false data instead of real stake winnings and relationships with “local” singles. information. These types of scams require people to open “A ‘pump and Online bulletin boards have also become a a message and click on a link, which in turn opens dump’ scheme hotbed of fraudulent activity. Companies often up the computer to a virus, worm or other bug can start with use online bulletin boards to publish information; that will corrupt it. In cases of identity theft, the a fraudulent however, a bogus board will release disinformation. bug will attempt to retrieve passwords, credit newsletter or A “pump and dump” scheme can start with a card information, home addresses and telephone bulletin board fraudulent newsletter or bulletin board where secret numbers. Other bugs will embed themselves in the where secret or private information is offered. The objective is computer’s registry and damage system performance. or private to alter stock values. After effectively hindering a information stock, the schemer will sell their stock in a timely Credit card fraud is offered.” fashion for personal gain. This scam requests that a consumer registers or inputs credit card information on a fraudulent Scam indicators website. The site may sell products or services. In general, be wary of unsolicited emails that: When a reputable, trustworthy vendor asks for credit • Promise you money, jobs or prizes card information, it won’t save the data without • Ask for donations user permission and will take steps to keep user • Propose lucrative business deals information safe. Fraudulent sites will ask for the • Ask you to provide sensitive personal same information as a reputable site, but will steal the information information and make purchases using the data the • Ask you to follow a link to a website and log on credit card owner gave to the website. to an account. •••

25 CORPORATE REPUTATION

FEAR, LOATHING AND MALICIOUS INTENT There might be a maturing appreciation of the risks that can arise from gross misconduct in the workplace, and the hugely negative impact it can have on corporate reputation, but still some just don’t seem to care. Mark Phillips reports.

Many were gob-smacked by the ex- The best it could do, after the fact, was to state: traordinary Twitter attack last month against “It’s inappropriate and unacceptable and does not Assistant Treasurer Josh Frydenberg, describing him reflect the culture of our dealer group and appropriate as a “tinkering Jew”. action has been taken.” Even more astounding was the fact it was launched There were no red flags and it seems Howarth’s by the principal of a Brisbane-based financial attack on Frydenberg was out of character to the “It is a sad planning firm, Retirement Wealth Advisors. This was extent that there were no known precursors to indictment of the not a tirade by some fringe-dwelling neo-Nazi, but a his sudden misconduct which, of course, only liberties some qualified finance professional who took exception to exacerbates the problems organisations face in people now feel Frydenberg’s support for proposed changes to cut managing the misuse of social media by renegade they are entitled upfront commissions for financial advisors. current or past employees. to take simply “Get your Josh Frydenberg ‘Central Planning Jew’ Equally, they can also take a beating if even a because the punching bag AB. I ordered 5000 in on the next Cargo single well-intentioned stakeholder decides to “share” likes of Twitter flight out of ShenZhen,” John Howarth tweeted. a grievance or expose what, from the company’s allow them to.” “First course of action was to regulate insurance perspective, might be an “inconvenient truth”. salaries.” He then added: “Slap stick comedy Jew Frydenberg stars in Deregulating Regulator Regulat- Costly mistakes ing.” In April 2010, British Petroleum (BP) spilled 500 Unfortunately, it got progressively worse and million litres of oil into the Gulf of Mexico. By June, Howarth is out of a job and unlikely to find another the Facebook page “Boycott BP” – started by just one any time soon. He has also refused to apologise for his individual – had close to 700,000 “likes”. rant, defending his “right to free speech”. Five years on, the reputational damage suffered It is a sad indictment of the liberties some people by BP remains such that its Twitter platform for now feel they are entitled to take simply because the commenting has, at last count, a mere 605 followers. likes of Twitter allow them to. Once, if someone had Almost straight after news of Howarth’s tweet a gripe, effectively getting their point across meant about Frydenberg broke, Google was forced to complying with accepted business and social norms. make an embarrassing apology after a US computer Howarth simply tagged his vitriolic tweets to multiple programmer took to Twitter to show the search media outlets, then sat back and waited for it all to hit giant’s new photo app had automatically sorted the fan. “selfies” of he and his dark-skinned girlfriend into an He didn’t have to wait long. Of broader concern, album tagged “Gorillas”. however, is that regardless of whatever formal The app uses face and objects recognition standards of expected professional behaviour his software to tag and sort photos, and the programmer, licensor, Libertas Financial Planning, had in place, Jacky Alcine, was justifiably outraged to find that the the firm was essentially powerless to stop the ensuing racially charged term appeared in it. Worse, it wasn’t mess smearing its own reputation. a one-off mistake, and to prove it he also X

26 GRC Professional • July 2015 CORPORATE REPUTATION

tweeted a screenshot showing that every image of his In defending an unfair dismissal claim, Linfox friend was being automatically added to the folder. argued that Facebook postings by Glenn Stutsel In fairly blunt language, he suggested the reference breached a duty of loyalty. images Google had collected did not have black Stutsel claimed he thought his Facebook page was people in mind. “Y’all f…ed up. My friend’s not a private. Fair Work Commissioner Michael Roberts gorilla,” Alcine tweeted. “This is how you determine found in his favour. someone’s target market.” At least in part, the case turned on the fact that It’s also how you can lose one. “There is no Linfox had no social media policy, which Roberts Google is one of the biggest brands in the world, margin for error said in the current electronic age was “not sufficient”. so who – if anyone – might eventually be held for any company, Notably, however, in an interview last year with accountable for this unfortunate incident is anyone’s of any size, ABC Radio National’s Law Report, Carita Kazakoff, guess. Meantime, the president of Toshiba (itself when it comes a lawyer with Slater and Gordon, said: “I think no small fry organisation) Hisao Tanaka is likely to to ensuring all tribunals and courts are probably less likely in future be forced to resign in wake of a massive accounting stakeholders, to accept that employees don’t know the limits of scandal going public (see story page 17). from the top their social media pages.” What is certain is that there is no margin for down, adhere Also of interest is the recent Human Rights error for any company, of any size, when it comes to to acceptable Review Tribunal decision in the case of Hammond ensuring all stakeholders, from the top down, adhere ethical v Credit Union Baywide in New Zealand (see page 27, to acceptable ethical standards. Any breach will standards.” GRC Professional May 2015). almost certainly make its way into some form of social media and quite possibly go viral, just as it did with Complacency Google’s photo app debacle. Which leads to the question: if employees do know, But even if someone, somewhere and at some why do they still persist? It also leads back to the best time is hauled over the coals for this, would it really way companies can combat such threats to their represent a compliance or risk management failing by reputation and the roles CROs, CCOs and even Google, even in the event that the app’s failing proved CSOs might have in the function. deliberate and racially motivated? Insofar as employees themselves are concerned, In essence, companies have two ways of deal- Johannesburg-based HR executive Anne Morrow ing with vindictive, internally and/or externally- says the answer is straight-forward. instigated attacks on corporate reputation via so- “It’s the same sort of situation as exists with in- cial media. One is to ensure absolute, to-the-letter formation security,” she maintains. “Despite years compliance with corporate policies and procedures, of repeated warnings about the dangers of pinning thereby nipping potential problems in the bud and passwords to computer screens, having no under- with it, arguably, ushering in a kind of communica- standing or care about the implications of opening at- tions paralysis. tachments or files from unexpected emails, or simply The second is to try to put out fires that have failing to treat unsolicited messages with suspicion already started – somehow without pouring gasoline remain – and probably always will – one of the grav- on them – in the expectation that it will stop future est, common and preventable threats to data security. breakouts. This is a relatively recent, albeit costly, “You can only micro-manage to a certain extent option. and unfortunately there will always be someone who, for whatever reasons, thinks they are a law unto Defamation themselves and will do or say whatever they want, no In Australia, Stutsel v Linfox was a watershed case that matter the proper procedures or basic behavioural prompted lawyers to suggest employing the “what standards stipulated by the company.” would nanna think?” rule before posting frustrations about employers, or individual bosses, via social Expensive antics media. As many companies have found out, this can get out Basically, the case opened a can of legal worms on of control and at great cost. offensive speech versus free speech, whistleblower In 2013, a Burger King employee in Japan protection, racial vilification and the boundaries posted a photo of himself lying on a pile of burger between work and private life, among others. buns to Instagram. It went viral, but was less X

27 CORPORATE REPUTATION

nauseating than the 2009 photos and video (to date Notwithstanding local differences and develop- with just shy of 800,000 views) of Domino’s Pizza ments, there is a high degree of similarity in the ap- employees engaging in offensive acts with food. proaches taken in different geographic jurisdictions In the aftermath, Domino’s Pizza revenues on the use of social media in the workplace. tanked one-to-two per cent in a single quarter. For risk and compliance professionals, one of Also, in an incident that could almost be funny if the key questions is: are employers permitted to not for its financial consequences, less than two years monitor social media use by employees at work? ago Taco Bell’s reputation was tarnished when an In most jurisdictions, the answer is yes, although employee in a viral photo was seen licking about 30 it is important to note that this does not apply to taco shells. The product had just been launched, and surveillance of an employee’s own devices. millions spent on advertising were wasted. From the border-line comical to the downright Guiding principles malicious, the list goes on. Indeed, only last month In general, the most practical approach to the issue six British bank staff members were sacked after is to apply general legal principles, especially taking filming themselves staging a mock Islamic State-style into account: execution during a team-building day out. The HSBC workers were dressed in overalls and • Data protection laws; black balaclavas when they staged a beheading scene. • Privacy laws; The incident, which was splashed across the pages • Rules requiring consultation with employee of Britain’s highest circulating daily newspaper, representative bodies; and The Sun, involved footage posted online showing • Securing the consent of individual employees. five of them laughing and joking as a colleague in an orange jumpsuit knelt at their feet. One clutched As a rule of thumb, an effective barometer a coat-hanger as a fake knife while another held the as to what is acceptable or unacceptable is to “prisoner” by the shoulders. draw analogies from case law pertaining to “You can only One of the workers shouted “Allahu Akbar”, other technologies such as email. In almost all micro-manage Arabic for “God is greatest”, before another was jurisdictions, the approach of the courts is to seek to a certain heard whooping. balance, often on a case-by-case basis, considering extent and “As soon as The Sun brought this video to our an employer’s right to demand that employees unfortunately attention we took the decision to sack the individuals attend to their work with the employee’s right to there will involved,” a spokesperson for HSBC said. “We do maintain personal privacy. Where data protection always be not tolerate inappropriate behaviour. This is an laws exist, such regulations generally limit the someone who, abhorrent video and HSBC would like to apologise scope and methodology of collection and the for whatever for any offence caused.” eventual usage of information gathered by an reasons, Further, employees behaving badly are also put- employer’s social media surveillance. thinks they ting themselves at serious risk. Not only is social me- are a law unto dia “private data” fair game for e-discovery in court, Best practice themselves.” even sharing seemingly innocuous information So, what constitutes world’s best practice in this about their company or potentially defamatory con- potential minefield? If monitoring employees’ use tent about co-workers can cause issues. of social media, implementing the following steps is worth consideration. Fair warning • Put in place clear, well-defined and well-commu- “You can’t prevent the unpredictable, but you can put nicated policies or contractual provisions con- in place a regime that spells out, to the letter, what is cerning the appropriate use of social networking acceptable behaviour and what is not,” Morrow says. sites and the sanctions for non-compliance. “Companies need to be proactive in providing fair • Ideally, employees should explicitly consent to warning.” such policies in writing. Indeed, as Linfox discovered, the contemporary • It is imperative that monitoring go no further legal view is that having no social media policy is no than what is reasonably necessary to protect the excuse. employer’s business interests. X

28 GRC Professional • July 2015 • Monitoring should be conducted only by Morrow says more and more companies are designated individuals (such as a CCO or CRO) also introducing measures to address the specific who have been adequately trained to understand risks arising out of social media misuse by their the limits of their activities. employees, such as bullying and harassment, misuse • Personal data collected as a result of any moni- of confidential information (according to Gartner, toring should be stored safely, not tampered with “There has been 20 per cent of employees it interviewed said they or disseminated more widely than is necessary or a steep increase access data behind the workplace firewall using stored longer than absolutely required. in the number private devices), and the making of disparaging • A formal training program should be established of employers comments about the business and their colleagues. to familiarise both management and employees around the Even so, she says businesses could and should with the correct use of information technology. world to have be doing more to reduce the risks they face, • Anyone responsible for monitoring activity must implemented particularly given the overwhelming majority of be able to properly particularise and document dedicated social enterprises anticipate social media misuse is going any misuse of social media by employees. media policies.” to increase in the future. According to a study by international law firm However, she cautions: “Even though Proskauer Rose, there has been a steep increase in employers might have adequate legal foundations the number of employers around the world to have to justify the prohibition of access to social media implemented dedicated social media policies. It during work, it is still important to communicate claims nearly 80 per cent of companies now have that as part of an official policy that is supported such a policy, and that the majority cover usage both by clear business reasons, such as promoting at work and outside of work. productivity.” •••

29 BUSINESS CONTINUITY

MOBILE TIME BOMBS BYODs are now ubiquitous in the workplace, and if left unmanaged can be a serious threat to business continuity.

How easy would it be for your Wi-Fi employees to grab a client list and forward it to When it comes to mobile data storage and themselves or others or copy it onto a USB memory communication, it is obviously important to separate stick and walk out the door? “need to know” from “know everything”. Organisations can spend years developing Wi-Fi is a perennial weak link, and one even novice templates, operations manuals, procedures, internal hackers can exploit. Have employees enabled the software and client data. Many can take the value of security features? In practical terms, this means do this for granted and it is not until a breach occurs that they use WPA with a key that is sufficiently complex management realises that if the material is passed to to avoid dictionary attacks? the opposition, they could lose vital business. All employees should ensure that their Wi-Fi net- When it comes to protecting critical corporate work is hidden, secure, and encrypted. Other basic, but information against catastrophic data loss, nonetheless key out-of-office issues to consider are: organisations have to deal with several harsh • Do they have an up-to-date anti-virus package realities. Tighter budgets, lower staff numbers, which is set to receive automatic updates to avoid relentless increases in the amount of structured the latest attacks? Does it offer full malware and unstructured data, virtual machine sprawl, coverage? Do they ensure the AV package is new compliance mandates and the need for always- running (be aware that some viruses will disable available applications and services mean more must be “Wi-Fi is a the AV if it can). done to protect data without creating undue financial perennial weak • Is their firewall capability enabled at their router and operational burdens on the organisation. link, and one and if so, do they look at the logs? But an increasingly mobile workforce has even novice • Do they scan their systems regularly and do they hackers can become one of the most acute threats to data security check the reports? exploit.” companies face today, both in terms of possible costs • Is their software regularly checked for the and, in extreme cases, even the continuity of the availability of security updates, and are these business. Certainly Bring Your Own Device (BYOD) installed when they become available? Also, is programs and remote employee access has provided their software up to date, or do they run older potential hackers with many more potential attack versions which may not be as secure? vectors. • If they connect to systems which request The problem is, in most cases companies won’t payment details, do they check that the website is know what they don’t know unless they conduct reputable, that the SSL certificate is valid, signed an investigation – by which time the horse has and belongs to the organisation that they expect? probably bolted. Indeed, it is often said that forensic • Do they set their browser and AV to ensure investigators are the ambulance at the bottom of the add-ons, Active X controls etc. aren’t installed cliff. without user action required to confirm? However, there are a number of key risk areas • Do they use a standard password for all logins, which, if properly monitored, can be substantially or do they mitigate risks by using separate mitigated, thereby dramatically reducing the passwords for different applications? Are they likelihood of important company information – complex and regularly changed? either advertently or inadvertently – going missing. Compliance with basic security responsibilities Do they use public systems and if so, do they should no longer be incidental to employment, but a change the passwords they utilised when they return vital part of it. home? X

30 GRC Professional • July 2015 BUSINESS CONTINUITY

“Despite all the hype that surrounds it, the Cloud is really just physical infrastructure.”

The Cloud Of course, accidents happen, and short of banning What is the “Cloud”? Essentially, it’s a means of all BYODs from the workplace, no amount of storing and accessing data and programs over the controls will guarantee against data loss. However, internet. However, there is a big difference between a thorough risk analysis of the specific threats your how it’s used by individual consumers and business. organisation is likely to face will help. Larger companies are more likely to subscribe to After that, develop a solid BYOD policy dedicated applications like Salesforce.com, which is a document based on your business requirements and Software-as-a-Service (SaaS), Platform-as-a-Service risk profile, and insist employees sign it. (PaaS), where businesses can create their own custom Key elements of such a policy that GRC applications for use by company stakeholders, or professionals could actively be involved in crafting rent services from the likes of Amazon, Microsoft might include: and Google, which fall into the Infrastructure-as-a- Acceptable use: The company stipulates that Service ((IaaS) league. devices may not at any time be used to store or Collectively, cloud computing is estimated to transmit illicit materials or proprietary information, generate US$270 billion by 2020. However, despite harassment, or engage in outside business activities. all the hype that surrounds it, it’s really just physical The company defines acceptable personal use on infrastructure – numerous computers housed in company time as reasonable and limited personal massive warehouses all over the world. Accordingly communication or recreation, such as reading or and despite widespread belief to the contrary, game playing. anything saved in the cloud is not invulnerable. Ethical behaviour: Employees are expected to All businesses are going to have to share data, use their devices in an ethical manner at all times and and that includes employees. It’s imperative to use adhere to the company’s acceptable use policy. a password-protected and encrypted service that Use of company resources: Employees may use restricts access to files and allows them to share only their mobile devices to access the following company- what they want to share, and with whom. owned resources: email, calendars, contacts, docu- This allows ease of use while maintaining security ments, etc. – but only to a point. A key issue for companies is Disclaimers: The company reserves the right to whether those who download important files from disconnect devices or disable services without notice the cloud and store them on their personal devices if unacceptable behaviour is detected. In the event a also encrypt them. Even more importantly, are they device needs to be remotely wiped, it is the employee’s storing both private and company information on a responsibility to ensure backup of personal data and device that is being synced with their personal cloud the employee will be personally liable for all costs storage provider during back-ups? associated with the device. •••

31 Where governance meets technology

BoardPad allows you to produce and dispatch board packs instantly anytime, anywhere.

boardpad.com [email protected]

OneWorld

Blueprint OneWorld allows access to your corporate data 24/7 from anywhere in the world.

icsasoftware.com/bponeworld [email protected]

Blueprint OneWorld is a registered trademark of ICSA Software International Limited. BoardPad is a registered trademark of ICSA Software International Limited. COUNTRY Where governance SNAPSHOT meets technology DOING BUSINESS IN INDONESIA In the first in a series of articles examining the risks facing BoardPad allows you to produce organisations looking to embark on business activities in different and dispatch board packs instantly parts of the Asia Pacific region, GRC Professional looks at Indonesia. anytime, anywhere. Indonesia is the largest of the tries reach a new low, with political tensions height- ASEAN economies with growth predominantly ened even further by mud-slinging about asylum driven by consumption expenditure. Consumer con- seekers. boardpad.com fidence is relatively strong, which has positive impli- A few months ago chairman of the Australia [email protected] cations in demand for services, including education, Indonesia Business Council, Dabath Guharoy, was healthcare, financial and business services, recre- clearly becoming exasperated when he said: “It’s how “Australian ation and leisure. it’s done, because if you yell at the Javanese [the main businesses are The government, led by President Joko Widodo ethnic group in Indonesia] there will come a time missing what (known as Jokowi), began its term promisingly, when they will retaliate in their own way. So we have could be a last carrying out an overhaul of Indonesia’s costly fuel- to be careful with our words.” chance to secure subsidy regime. However, divisions within the Indeed, potentially at stake are the countless OneWorld a foothold in government and Jokowi’s shaky political authority millions that may arise from Jokowi’s program to Asia, as they have scaled back expectations for further reforms. build more infrastructure. Anything Australian is are unwilling to Alongside weak external commodities demand, this not exactly flavour-of-the-month in the archipelago, either change, or is weighing on economic growth prospects, with real and to lose out would certainly be a lucrative make an effort GDP forecast to ease to 4.9 per cent in 2015, from 5 opportunity gone begging. Blueprint OneWorld allows access to understand, per cent last year. Given the quality and quantity of infrastructure to your corporate data 24/7 from Asian cultures.” Although Indonesia has in recent years shown in Indonesia is still inadequate in terms of its ability that investment by the private sector can be highly to absorb current and expected macroeconomic anywhere in the world. lucrative (such as in its stock market, real estate or growth, a huge amount of investment is required certain commodities), it also contains a number to meet the basic needs of many of its 240 million of country-specific dynamics and characteristics people, let alone facilitate the full social development that can intrude on a foreign company’s ability to of the country. icsasoftware.com/bponeworld effectively conduct business. Reforms and risks [email protected] Relations hit the rocks Jokowi has also committed to resolving many long- This is particularly the case for Australian organisa- standing legal problems for investors with the aim of tions. bringing more foreign capital into the state, but with Late last year a report by professional services firm opportunity comes numerous risks, especially for the Contact us for a demonstration PwC found that Australian businesses are missing unwary in terms of a poor regulatory environment +61 2 8096 8300 Level 33, 264 George Street, Sydney what could be a last chance to secure a foothold in and lack of transparency and an ineffective and Asia, as they are unwilling to either change, or make corrupt legal system. an effort to understand, Asian cultures. In fact, in recent years several prominent Indone- At least insofar as Indonesia is concerned, things sian judges have been investigated by the Corruption © 2015 ICSA Software International Limited. have so far gone from bad to worse in 2015. The ex- Eradication Commission (KPK). Partly as a result, it ecutions of Bali Nine pair Myuran Sukumaran and is also increasingly common for international com- Andrew Chan saw relations between the two coun- panies contracting with Indonesian entities X

Blueprint OneWorld is a registered trademark of ICSA Software International Limited. 33 BoardPad is a registered trademark of ICSA Software International Limited. COUNTRY SNAPSHOT

to include provisions for dispute resolution to be un- • A dedicated risk management plan that examines dertaken in foreign jurisdictions. all aspects of the Indonesian venture, identifying Transparency International’s Annual Corruption risks, establishes controls and monitors their Perceptions Index ranks Indonesia at 118 out of 176 effectiveness. countries. Organised crime is rife, meaning that so • Established organisational policies around gifts, too is money laundering, fraud and counterfeiting, entertainment and facilitation payments that are not to mention drugs, arms and people trafficking. applied to all Indonesian activities. In addition, assets are frequently overvalued, and “Organised • Cultural awareness training for all expat theft of proprietary information is common, as are crime is rife, employees involved in the project. conflicts of interest. meaning that • Ensuring that all policies and procedures are The labour force is also becoming progressively so too is money available in both Bahasa and English. militant, with manpower laws heavily in favour of laundering, • Foreign exchange rate controls are established the workforce. Industrial disputes are widespread fraud and to avoid currency fluctuations having a negative and unemployment rampant. counterfeiting, impact on the business. not to mention • Crisis management and response plans that Fail-safe strategies drugs, arms analyse potentially threatening incidents and a Against this backdrop, it is obviously essential that and people step-by-step, pre-determined response designed companies intending to do business in Indonesia trafficking.” to not only minimise costs and damage to carry out all necessary due diligence and have in place reputation, but to facilitate business continuity. a well-planned risk management strategy that will not • Establishment of a senior crisis management only mitigate financial risks, but protect employees, team that has been comprehensively trained in information, and assets such as physical property and their respective roles and responsibilities given reputation. the likely threat scenarios the company faces. Key steps towards achieving this can include, but Notably, where possible this should include a are not confined to: dedicated, strategically located crisis X

34 GRC Professional • July 2015 COUNTRY SNAPSHOT

Business etiquette Emphasis is placed on building relationships and the corporate culture is top-down driven. First-time meetings rarely produce any real results, unless the Indonesian company makes the initial approach. It is more likely that repeated meetings (formal and informal) over a period of time will be required before concrete business issues can be discussed. This can range between several months to several years. Meeting face-to-face is most effective and highly appreciated, however to be polite, Indonesians will often tell you what they think you want to hear. “Transparency is also required Decision-making frequently occurs through a consensus and attempting to force a decision will often have an adverse to avoid the effect on negotiations. Business is considered lost when an Indonesian begins to avoid you or is stand-offish. common pitfall of discovering, after the management centre from which the crisis (expatriate and local) which, in addition to being event, that the management team can operate. aptitude-oriented, incorporates a thorough back- company has • A formal security policy that has been signed off ground check to guard against conflicts of inter- been dealing by senior management and is constantly updated est, corporate espionage, IP theft, fraud and com- with ‘middle as situations in-country change. This should be pliance contravention. men’ in its supported by standard security operating proce- • Profiling the background of potential joint supply chain.” dures tailored to manage routine duties conduct- venture partners is also critical, in addition ed by in-house and/or third party providers. to simply being an important part of good • A dedicated budget that is sufficient to ensure governance. This applies equally to the effective action against all likely contingencies procurement function, where collusion between can be taken as and when required. a company’s employees and vendors, resulting in • An in-house person charged with the oversight corrupt practices, is not unusual. Transparency and coordination of all day-to-day security needs. is also required to avoid the common pitfall of If necessary, the role can be outsourced subject to discovering, after the event, that the company the provider meeting stringent skills, knowledge has been dealing with “middle men” in its supply and capability criteria. chain, with all the risks to the bottom line and • A screening process that applies to all employees corporate reputation that can entail. •••

Indonesia cuts live cattle trade

The volatility of Australia’s relationship with Indonesia has again been put under the spotlight with a drastic reduction in Indonesia live cattle import permits. Australia’s live export industry has been reported as being in shock following the cut back, with Australian Livestock Exporters Council chief executive Alison Penfold describing it as a “disappointment and surprise”. Although she has claimed the move is unrelated to any other issues to do with the Australia-Indonesia relationship, the opposition’s agriculture spokesperson Joel Fitzgibbon maintained that the deterioration in relations with Indonesia at the political level was definitely a factor. In a formal statement, he said “there’s no doubt that Australia’s relationship with Indonesia has deteriorated under Tony Abbott”. The allocation of permits for the July to September quarter has been slashed from an expected 200,000 to just 50,000.

35 Beyond Risk

The risks that businesses and government face each day are constantly changing, and consistently complex. With a strengthened risk management strategy and framework in place, you can create a competitive edge.

With a sharp insight into the ever-changing risk landscape, KPMG will work with you to develop a strategy that does more than keep your business compliant and protected. By embedding an understanding of risk into the core of your organisation, you can be confident that the decisions you make and the conscious risks you take lead to fundamentally kpmg.com.au better results.

Ready to turn risk into an advantage? Talk to KPMG.

36 GRC Professional • July 2015 © 2 0 1 5 KPMG,anAustralianpartnership.All rightsreserved. privacy LOST PRIVACY COSTING BIG TIME Open-plan offices are taking a heavy toll on workers’ engagement, creativity and wellbeing – and one of the reasons is that they know Big Brother is watching.

How would you feel if 85 per cent of your • 63% of employers monitor employee internet workforce said they were dissatisfied with their work connections environment and can’t concentrate? What if almost a • 47% store and review employee emails third complained that to get anything done, they had to • 36% review employee computer files leave the office? • 15% use video to record employees on the job This is exactly what a new survey of 10,000 workers • 8% store and review employee voicemail messages. across 14 countries has found. Of course, most employers justify their monitoring The study, commissioned by the workplace futures of employee activities as essential to protecting the team at global office facility company Steelcase and con- organisation from unwanted actions conducted over ducted by global research firm Ipsos, suggests that the the employer’s network. As such, the responsibility decades-long trend towards open-plan offices is backfir- to secure the network outweighs employees’ ing – both on employers and employees. expectations for privacy in the workplace. Constantly cramming more employees into smaller But balancing employee privacy and business spaces and, by default, ever-dwindling workplace privacy needs is essential to developing an effective and de- has now become a false economy, according to Steelcase fensible monitoring program, and this is where GRC “People not only vice president Bostjan Ljubic. professionals can play a key role. expect privacy An overwhelming 95 per cent of respondents in the It’s obviously prohibited to use cameras in in their private study said that having the ability to work privately is impor- certain places, such as a restroom or changing area. lives, they want tant, but just four out of 10 said they have the opportunity. Elsewhere, however, it becomes more of a “grey” area, Beyond it at the office “People not only expect privacy in their private lives, and despite the risk of installing cameras to watch Risk as well.” they want it at the office as well,” Ljubic says. “For people employees implying mistrust, many still do it. to collaborate with their colleagues more effectively CROs and CCOs can help mitigate the impact on they need less ‘we’ time and more ‘me’ time than they are morale by: getting today.” • Being upfront: Don’t hide the fact that there are Ljubic says the situation has now reached crisis pro- cameras in the workplace, that computers are portions. Indeed, the study reveals that more and more monitored, or that phone calls are recorded. employees are becoming chronically disengaged at work; Explain how the monitoring protects employees they are unmotivated, unproductive and overly stressed; and helps you help them do their work. Honest and have little capacity to think and work creatively and employees won’t be concerned, and the dishonest constructively. ones may be discouraged and look elsewhere. The risks that businesses and government face each What’s more, one of the key reasons for this is that • Establish a company policy: Formulate an day are constantly changing, and consistently complex. they question the real reason behind their employer’s employee privacy policy and stick to it. Define With a strengthened risk management strategy and continuing love affair with open plan office design. Most exactly why cameras are there, when they are to framework in place, you can create a competitive edge. suspect it is because it allows managers to keep an eye on be used, and how. For example, you may want what everyone is doing. cameras in a warehouse to observe workflows With a sharp insight into the ever-changing risk And they may well be right, because video surveil- and promote better safety practices. Alternatively, landscape, KPMG will work with you to develop a lance and business security systems are now used for you may want to record customer service calls strategy that does more than keep your business everything from measuring efficiency, to data security, for the purpose of finding better scripts. Use the to compliance with securities laws. In fact, the growth monitoring for performance improvement, not compliant and protected. By embedding an in employer surveillance systems is nothing less than punishment. understanding of risk into the core of your organisation, stunning, as these statistics from the American Man- • Show employees how video surveillance works for you can be confident that the decisions you make and kpmg.com.au agement Associations “Workplace Monitoring and Sur- them: Share what you discover from analysing the the conscious risks you take lead to fundamentally veillance Report” demonstrate: video. Use it for employee training. Ask employees better results. • 82% of managers use some type of electronic moni- to review videos for process improvement. toring in the workplace • Limit use: Keep surveillance out of places where Ready to turn risk into an advantage? Talk to KPMG. • One-third of all employees are under surveillance in employees have a reasonable right to expect some the workplace privacy, such as a break room. •••

37 © 2 0 1 5 KPMG,anAustralianpartnership.All rightsreserved. RSA is proud to announce that we have been positioned by Gartner as a leader in four Magic Quadrants related to GRC. The Leader designation was given• tohttps://community.emc.com/docs/DOC-41831 RSA based on demonstrated ability to execute and completeness of vision.

See what the analysts say in the online reports: • IT Vendor Risk Management • Business Continuity Management Planning Software • Operational Risk Management • IT Risk Management

Visit RSA Archer | RSA APJ Twitter | RSA APJ Facebook | Contact Us