Risk Management

Responding to the risk revolution

BY Richard Summerfield

Due to a challenging economic and trade outlook, companies are finding it increasingly difficult to invest sufficiently in preparing for risk and protecting the continuity of their operations, according to Aon’s 2019 Global Risk Management Survey. Aon surveyed thousands of risk managers across 60 countries and 33 industries to identify the key risks and challenges their organisations are facing.

Economic slowdown is highlighted as the chief risk facing companies today. Others include the possible impact of Brexit, higher US interest rates, slowing growth in Europe, China, Japan and many emerging markets, the highly charged geopolitical climate, and diminishing prospects for further economic expansion in the US.

The escalating China-US trade war is also a cause for concern, with the International Monetary Fund (IMF) cutting its economic growth forecasts for both countries in October. According to the IMF, growth in the US will slow from 2.9 percent to 2.5 percent in 2019, and China’s GDP would drop to 6.2 percent.

“Companies of all sizes are struggling to prioritise their risk management efforts amid so much change and uncertainty,” said Rory Moloney, chief executive of global risk consulting at Aon. “What was once a tried-and-true strategy for risk mitigation – using the past to predict the future – is now a challenge and coupled with a more competitive global economy, it is causing an all-time low level of risk readiness. As a result, risk management plans need to take a different approach than they have in the past.”

Damage to a brand’s reputation, business interruption and cyber attacks have also emerged as key concerns for many organisations. Though cyber attacks have only featured in Aon’s top 10 risks since 2015, they have quickly grown to be perceived as one of the most pressing issues of the day. Indeed, for North American respondents, cyber attacks are now the number one risk.

The elevation of new risks has become a common theme in recent years. The speed of technological change, aggressive regulatory actions, product recalls, an active cycle of devastating natural disasters and corporate scandals are disrupting supply chains and business operations.

As a result of these rapid and paradigm-shifting changes to the risk management landscape, risk managers are reporting their lowest level of risk readiness in 12 years, since many of the top risks are uninsurable.

Risk managers must evolve with the times if they are to protect their organisations. “The use of data and predictive analytics that can generate actionable insights will help businesses protect their bottom lines while adapting to accelerated change and economic fluctuations,” said Mr Moloney.

Report: 2019 Global Risk Management Survey

Third-party offences top 2018 ABC risks, says new report

BY Fraser Tennant

Third-party violations of anti-bribery and corruption (ABC) laws are top of the list of perceived risks for compliance professionals in 2018, according to a new report by Kroll and the Ethisphere Institute.

The ‘2018 Anti-Bribery and Corruption Benchmarking’ report reveals compliance teams are having to deal with the convergence of regulatory mandates, critical reputational factors and data security issues as they try to protect their organisations from substantial financial and reputational harm, as well as regulatory and legal exposure.

Furthermore, 93 percent of 448 study respondents said ABC risks will remain the same or worsen in 2018. Those who expect a greater level of ABC risks attribute the rise to increased enforcement of existing regulations, followed closely by new regulations.

“The report brightly illuminates the challenges facing today’s compliance experts, including the likelihood that third-party risks will grow in relevance and impact,” said Erica Salmon Byrne, executive vice president and executive director of the business ethics leadership alliance at Ethisphere. “We are encouraged, however, that partnerships across organisations continue to grow as company leaders assign greater priority to the adoption of best-in-class ABC programmes that protect not only individual organisations, but also the integrity of the global business ecosystem.”

Reputational and integrity concerns remain the number-one reason why a third-party fails to meet an organisation’s standards, with organisations stating they were “concerned” or “very concerned” with beneficial ownership risks associated with their third parties.

“The stakes are high and so is the risk level, which is likely causing some sleepless nights for the average compliance professional,” said Steven J. Bock, global head of operations with Kroll’s compliance practice. “In today’s hypersensitive business environment where a company’s hard-earned reputation can be easily lost through a lapse of judgment by a third-party, the job of a conscientious compliance professional has never been tougher or more central to the success or failure of a business.”

On a positive note, 36 percent of respondents indicated that their organisation dedicated more resources to ABC issues in 2017 than in 2016. Executive leadership support also remains strong, as 92 percent of all survey respondents said that their leadership team is “highly engaged” or “somewhat engaged” in their ABC efforts.

Mr Bock concluded: “Ongoing monitoring that includes a regular refresh of the underlying third-party data emerged among the report findings as a key strategy for maintaining the effectiveness of ABC programmes overall, and especially for keeping up with potential ownership changes.”

Report: 2018 Anti-Bribery and Corruption Benchmarking

Leading companies lack transparency over risks of modern slavery in supply chains, reveals new report

BY Fraser Tennant

Transparency among major companies relating to the risks of modern slavery in their global supply chains is severely lacking, according to a new report by corporate watchdog the CORE Coalition.

The report – ‘Risk Averse: Company Reporting on raw material and sector-specific risks under the Transparency in Supply Chains clause in the UK Modern Slavery Act 2015’ – examines the statements of 50 companies. Under the terms of the UK Modern Slavery Act, all firms with an annual turnover above £36m are required to publish a slavery & human trafficking statement.

Of the 50 companies under the microscope, 25 source raw materials known to be linked to labour exploitation – cocoa from West Africa, mined gold, mica from India, palm oil from Indonesia and tea from Assam. The other 25 operate in sectors known to be at-risk of modern slavery, such as clothing and footwear, hotels, construction, football and service outsourcing.

The report’s key findings include: (i) top cosmetics companies make no mention in their statements of child labour in mica supply chains, even though a quarter of the world’s mica (a mineral used to create a shimmer in make-up) comes from mines in Northeast India where around 20,000 children are estimated to work; (ii) chocolate companies do not provide information in their statements on their cocoa supply chains, despite acknowledging that they source from West Africa, where child labour and forced labour are endemic in cocoa production; and (iii) jewellery firms do not include any detail on the risks of slavery and trafficking associated with gold mining, although estimates by the International Labour Organisation (ILO) suggest that close to one million children work in gold mines worldwide.

“With an estimated 24.9 million people in slavery globally, the level of complacency from major companies, particularly those that trumpet their corporate social responsibility, is startling,” said Marilyn Croser, director of CORE. “Genuine transparency about the problems is needed, not just more public relations.”

While the report focuses in the main on companies that do not report specific risks of slavery and trafficking within their supply chains, some examples of good practice are noted.

Ms Croser continues: “These firms are acknowledging the drivers of modern slavery and situating their response within a broader strategy to respect human rights. We expect other businesses to step up to the mark in the second year of reporting under the UK Modern Slavery Act.”

Report: ‘Risk Averse: Company Reporting on raw material and sector-specific risks under the Transparency in Supply Chains clause in the UK Modern Slavery Act 2015’

National exercise tests Singapore’s cyber attack resilience

BY Fraser Tennant

Against a backdrop of increasingly frequent, sophisticated and impactful cyber attacks, the Cyber Security Agency of Singapore (CSA) has carried out a large multi-sector exercise to test the robustness of the country’s cyber incident management and emergency response plans.

Code-named Cyber Star, the exercise tested 11 critical information infrastructure (CII) sectors: government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency, and media.

The exercise comprised a series of scenario planning sessions, workshops and table-top discussions, in which participants were tested on their incident management and remediation plans in response to simulated cyber security incidents, such as a malware infection or a large-scale distributed denial of service (DDoS) attack.

The Cyber Star exercise followed a similar exercise in May 2016 which covered the banking and finance, government, energy and infocomm sectors.

"This is a good opportunity for us to level-up our capability and make sure that we are ready as possible," said deputy prime minister Teo Chee Hean, who observed the exercise at CSA headquarters alongside more than 200 sector leaders and owners, including the Monetary Authority of Singapore, the Energy Market Authority and Singapore Airlines.

“With greater interconnectivity and proliferation of cyber threats, the ability of our critical sectors to respond promptly to attacks is vital,” said David Koh, chief executive of the CSA.

The exercise this week also coincides with a public consultation on a proposed Cybersecurity Bill, which was launched last week by the Ministry of Communications and Information (MCI) and the CSA. The proposed Bill seeks to establish a framework for the oversight and maintenance of national cyber security in Singapore and will empower CSA to carry out its functions. The Bill also aims to minimise cyber threats and ensure that the country can better deal with cyber attacks in future.

The Bill has four main objectives: (i) to provide a framework for the regulation of CII owners; (ii) to provide the CSA with powers to manage and respond to cyber security threats and incidents; (iii) to establish a framework for the sharing of cyber security information with and by CSA officers, and the protection of such information; and (iv) to introduce a lighter-touch licensing framework for the regulation of selected cyber security service providers.

The Cybersecurity Bill consultation runs from 10 July to 3 August 2017.

News: Singapore’s 11 critical sectors tested for first time in national cyber security exercise

‘Petya’ cyber attack affects thousands

BY Richard Summerfield

Hot on the heels of the ‘WannaCry’ ransomware attack, a fresh global cyber attack disrupted computers across the world on Tuesday and Wednesday. Russia's biggest oil company, Ukrainian banks and multinational firms across Europe, the US and the Asia-Pacific region were affected.

The latest attack, known as ‘Petya’ or ‘GoldenEye’, included code known as 'Eternal Blue', which cyber security experts believe was stolen from the US National Security Agency in April and was also used in WannaCry. It is the Eternal Blue code which facilitated the speed of the assault. Indeed, the attack spread rapidly, affecting machines running Microsoft’s Windows operating systems, encrypting hard drives and overwriting files before demanding $300 in bitcoin payments to restore access. "We are continuing to investigate and will take appropriate action to protect customers," a spokesman for Microsoft said.

Globally, Russia and Ukraine were most affected by the thousands of attacks, according to Kaspersky Lab. In Ukraine, government systems as well as banks, state power utilities and Kiev’s airport and metro system were all affected. Elsewhere, advertising giant WPP, French construction materials company Saint-Gobain, Danish shipping giant Maersk, US pharmaceutical company Merck, Russian steel and oil firms Evraz and Rosneft, and the Australian manufacturing facilities of the Mondelez-owned Cadbury’s chocolate factory, along with many others, were all affected. In total, more than 2000 organisations are believed to have been hit.

The effectiveness of this latest attack, and the speed at which it has spread, so soon after the WannaCry attack, is cause for alarm among companies, cyber security professionals and the general public.

After the WannaCry incident, governments, security firms and industrial groups advised businesses and consumers to make sure all their computers were updated with Microsoft patches to defend against the threat. This latest attack, believed to be smaller than WannaCry, could be more harmful than its predecessor as it renders computers unresponsive and unable to reboot. The resourcefulness of the attackers is also a concern for cyber security professionals, particularly as Petya does not appear to have the same ‘kill switch’ which was used to neutralise the WannaCry attack.

Though they are not a new development, ransomware attacks are becoming more frequent. The Petya attack is yet another reminder that many organisations are neglecting to patch their systems, allowing malicious actors to exploit weaknesses. Companies must do more to protect their networks, their data and, ultimately, their cash.

News: New computer virus spreads from Ukraine to disrupt world business
