Risk Management

Third-party offences top 2018 ABC risks, says new report

BY Fraser Tennant

Third-party violations of anti-bribery and corruption (ABC) laws are top of the list of perceived risks for compliance professionals in 2018, according to a new report by Kroll and the Ethisphere Institute.

The ‘2018 Anti-Bribery and Corruption Benchmarking’ report reveals compliance teams are having to deal with the convergence of regulatory mandates, critical reputational factors and data security issues as they try to protect their organisations from substantial financial and reputational harm, as well as regulatory and legal exposure.

Furthermore, 93 percent of 448 study respondents said ABC risks will remain the same or worsen in 2018. Those who expect a greater level of ABC risks attribute the rise to increased enforcement of existing regulations, followed closely by new regulations.

“The report brightly illuminates the challenges facing today’s compliance experts, including the likelihood that third-party risks will grow in relevance and impact,” said Erica Salmon Byrne, executive vice president and executive director of the business ethics leadership alliance at Ethisphere. “We are encouraged, however, that partnerships across organisations continue to grow as company leaders assign greater priority to the adoption of best-in-class ABC programmes that protect not only individual organisations, but also the integrity of the global business ecosystem.”

Reputational and integrity concerns remain the number-one reason why a third party fails to meet an organisation’s standards, with organisations stating they were “concerned” or “very concerned” about the beneficial-ownership risks associated with their third parties.

“The stakes are high and so is the risk level, which is likely causing some sleepless nights for the average compliance professional,” said Steven J. Bock, global head of operations with Kroll’s compliance practice. “In today’s hypersensitive business environment where a company’s hard-earned reputation can be easily lost through a lapse of judgment by a third party, the job of a conscientious compliance professional has never been tougher or more central to the success or failure of a business.”

On a positive note, 36 percent of respondents indicated that their organisation dedicated more resources to ABC issues in 2017 than in 2016. Executive leadership support also remains strong, as 92 percent of all survey respondents said that their leadership team is “highly engaged” or “somewhat engaged” in their ABC efforts.

Mr Bock concluded: “Ongoing monitoring that includes a regular refresh of the underlying third-party data emerged among the report findings as a key strategy for maintaining the effectiveness of ABC programmes overall, and especially for keeping up with potential ownership changes.”

Report: 2018 Anti-Bribery and Corruption Benchmarking

Leading companies lack transparency over risks of modern slavery in supply chains, reveals new report

BY Fraser Tennant

Transparency among major companies relating to the risks of modern slavery in their global supply chains is severely lacking, according to a new report by corporate watchdog the CORE Coalition.  

The report, ‘Risk Averse: Company Reporting on raw material and sector-specific risks under the Transparency in Supply Chains clause in the UK Modern Slavery Act 2015’, examines the statements of 50 companies. Under the terms of the UK Modern Slavery Act, all firms with an annual turnover above £36m are required to publish a slavery and human trafficking statement.

Of the 50 companies under the microscope, 25 source raw materials known to be linked to labour exploitation – cocoa from West Africa, mined gold, mica from India, palm oil from Indonesia and tea from Assam. The other 25 operate in sectors known to be at risk of modern slavery, such as clothing and footwear, hotels, construction, football and service outsourcing.

The report’s key findings include: (i) top cosmetics companies make no mention in their statements of child labour in mica supply chains, even though a quarter of the world’s mica (a mineral used to create a shimmer in make-up) comes from mines in Northeast India where around 20,000 children are estimated to work; (ii) chocolate companies do not provide information in their statements on their cocoa supply chains, despite acknowledging that they source from West Africa, where child labour and forced labour are endemic in cocoa production; and (iii) jewellery firms do not include any detail on the risks of slavery and trafficking associated with gold mining, although estimates by the International Labour Organisation (ILO) suggest that close to one million children work in gold mines worldwide.

“With an estimated 24.9 million people in slavery globally, the level of complacency from major companies, particularly those that trumpet their corporate social responsibility, is startling,” said Marilyn Croser, director of CORE. “Genuine transparency about the problems is needed, not just more public relations.”

While the report focuses in the main on companies that do not report specific risks of slavery and trafficking within their supply chains, some examples of good practice are noted.

Ms Croser continues: “These firms are acknowledging the drivers of modern slavery and situating their response within a broader strategy to respect human rights. We expect other businesses to step up to the mark in the second year of reporting under the UK Modern Slavery Act.”

Report: Risk Averse: Company Reporting on raw material and sector-specific risks under the Transparency in Supply Chains clause in the UK Modern Slavery Act 2015

National exercise tests Singapore’s cyber attack resilience

BY Fraser Tennant

Against a backdrop of increasingly frequent, sophisticated and impactful cyber attacks, the Cyber Security Agency of Singapore (CSA) has carried out a large multi-sector exercise to test the robustness of the country’s cyber incident management and emergency response plans.

Code-named Cyber Star, the exercise tested 11 critical information infrastructure (CII) sectors: government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency, and media.

Comprising a series of scenario-planning sessions, workshops and table-top discussions, the exercise tested participants on their incident management and remediation plans in response to simulated cyber security incidents, such as a malware infection or a large-scale distributed denial of service (DDoS) attack.

The Cyber Star exercise followed a similar exercise in May 2016 which covered the banking and finance, government, energy and infocomm sectors.

“This is a good opportunity for us to level up our capability and make sure that we are as ready as possible,” said deputy prime minister Teo Chee Hean, who observed the exercise at CSA headquarters alongside more than 200 sector leaders and owners, including the Monetary Authority of Singapore, the Energy Market Authority and Singapore Airlines.

“With greater interconnectivity and proliferation of cyber threats, the ability of our critical sectors to respond promptly to attacks is vital,” said David Koh, chief executive of the CSA.

The exercise also coincides with a public consultation on a proposed Cybersecurity Bill, launched last week by the Ministry of Communications and Information (MCI) and the CSA. The proposed Bill seeks to establish a framework for the oversight and maintenance of national cyber security in Singapore and would empower the CSA to carry out its functions. It also aims to minimise cyber threats and ensure that the country can better deal with cyber attacks in future.

The Bill has four main objectives: (i) to provide a framework for the regulation of CII owners; (ii) to provide the CSA with powers to manage and respond to cyber security threats and incidents; (iii) to establish a framework for the sharing of cyber security information with and by CSA officers, and the protection of such information; and (iv) to introduce a lighter-touch licensing framework for the regulation of selected cyber security service providers.

The Cybersecurity Bill consultation runs from 10 July to 3 August 2017.

News: Singapore’s 11 critical sectors tested for first time in national cyber security exercise

‘Petya’ cyber attack affects thousands

by Richard Summerfield

Hot on the heels of the ‘WannaCry’ ransomware attack, a new global cyber attack disrupted computers across the world on Tuesday and Wednesday. Russia’s biggest oil company, Ukrainian banks and multinational firms across Europe, the US and the Asia-Pacific region were affected.

The latest attack, known as ‘Petya’ or ‘GoldenEye’, included exploit code known as ‘EternalBlue’, which cyber security experts believe was stolen from the US National Security Agency and leaked in April, and which was also used in WannaCry. It is the EternalBlue code that accounts for the speed of the assault. The attack spread rapidly, affecting machines running Microsoft’s Windows operating systems, encrypting files and the disk’s master file table and overwriting the master boot record, before demanding a $300 payment in bitcoin to restore access. “We are continuing to investigate and will take appropriate action to protect customers,” a spokesman for Microsoft said.

Globally, Russia and Ukraine were most affected by the thousands of attacks, according to Kaspersky Lab. In Ukraine, government systems as well as banks, state power utilities and Kiev’s airport and metro system were all affected. Elsewhere, advertising giant WPP, French construction materials company Saint-Gobain, Danish shipping giant Maersk, US pharmaceutical company Merck, Russian steel and oil firms Evraz and Rosneft, and the Australian manufacturing facilities of the Mondelez-owned Cadbury chocolate factory, along with many others, were all affected. In total, more than 2000 organisations are believed to have been hit.

The effectiveness of this latest attack, and the speed at which it has spread, so soon after the WannaCry attack, is cause for alarm among companies, cyber security professionals and the general public.

After the WannaCry incident, governments, security firms and industry groups advised businesses and consumers to make sure all their computers were updated with Microsoft’s patches to defend against the threat. This latest attack, believed to be smaller than WannaCry, could be more harmful than its predecessor because it renders infected computers unresponsive and unable to reboot. The resourcefulness of the attackers is also a concern for cyber security professionals, particularly as Petya does not appear to have the same ‘kill switch’ that was used to neutralise the WannaCry attack.

Though they are not a new development, ransomware attacks are becoming more frequent. The Petya attack is yet another reminder that many organisations are neglecting to patch their systems, allowing malicious actors to exploit weaknesses. Companies must do more to protect their networks, their data and, ultimately, their cash.

News: New computer virus spreads from Ukraine to disrupt world business

Perspectives on the future of risk highlighted in new report

BY Fraser Tennant

Displacement by technology is among the potential threats to the future of risk management, according to a new report by the Institute of Risk Management (IRM).

In ‘Risk Agenda 2025: Perspectives on the future of risk’, the IRM sets out two future scenarios for risk management. The first, which involves risk managers working closely with their boards, sees a future in which risk controls are fully embedded in the front line which, in turn, frees risk functions to focus on strategic risk, mitigate emerging threats and optimise opportunities.

The second scenario, a much bleaker vision, has risk management reduced to a back-office compliance function, remote from the board and possessing no discernible leadership role, with displacement by technology the ultimate worst case.

That said, the IRM report is quick to reconcile these potential scenarios by observing that it is largely within the power of risk managers to choose and shape the future of their profession.

“The publication of ‘Perspectives on the Future of Risk’ marks the beginning of IRM’s Risk Agenda 2025 project,” said Clive Thompson, IRM board member and chair of the Risk Agenda 2025 project group. “The purpose of this initiative is to stimulate debate within the risk community by examining how enterprise risk management (ERM) might be delivered in 2025 and by then proposing different ways that the risk management profession might prepare itself for the possible future scenarios.”

Alongside the report, the IRM is conducting a survey to gauge the views of risk management professionals on the future of the profession and how it is likely to evolve. Mr Thompson continued: “The contribution of IRM members and other stakeholders will be critical for the quality and inclusiveness of the project’s output.”

Working alongside the IRM is the ERM solution provider Sword Active Risk, which is acting as technology partner on the Risk Agenda 2025 project, as well as helping to gather the opinions and suggestions that will feed into the conversation on the future direction of the industry and inform the IRM’s thinking and strategy in the years to come.

"Such research provides an important long-run perspective on the issues and opportunities facing the risk landscape," said Keith Ricketts, vice president of marketing at Sword Active Risk. "As a company, we believe in innovation and that the way you attain this is you fund research and you learn the facts. Ultimately the IRM research is creating new knowledge for us all.”

Report: Risk Agenda 2025: Perspectives on the future of risk

©2001-2019 Financier Worldwide Ltd. All rights reserved.