china’s great key takeaways from 7-eleven business … · and training has launched a major...

SEPTEMBER 2015 | THE OFFICIAL MAGAZINE OF THE GRC INSTITUTE

CHINA’S GREAT BUSINESS BARRIER
INTELLECTUAL PROPERTY THEFT

FINANCIAL CRIMES: Singapore gears for transboundary prosecutions

KEY TAKEAWAYS FROM 7-ELEVEN: Lessons learned at a high price

BOARD SEAT BECKONS: Q&A with RSA’s Chad Alpert

DET SCANDAL WAKE-UP CALL: But there are positives for compliance managers

COMPANIES IGNORING THE ABCs OF ABC: Study says more vigour needed to fight corruption


Post on 07-Aug-2020


Change Catalyst

The GRC Institute’s 19th Annual Conference

GOVERNANCE • RISK • COMPLIANCE

Conference: 28–30 Oct 2015 • Melbourne Crown Conference Centre

The GRC2015 conference 3 day program features inspirational leaders exploring topics across the change management spectrum at an organisational and individual level.

GRC2015 provides an exciting opportunity for networking and professional development and exposure for commercial partners to consolidate in the GRC marketplace.

To book your seat at this exceptional event or for sponsorship opportunities please visit: www.grcconference.com.au


Cover story

Beware IP theft in China

There are countless risks for foreign companies already operating in or considering doing business in China. Books have been written about them, covering everything from the danger of a slowing economy and environmental and social concerns, to bribery and corruption. But whatever you do, don’t leave home without intellectual property protection.

Contact us

GRC Professional is the official monthly publication of GRCI in Australia, New Zealand, Hong Kong & South-east Asia.

GRC Institute

President: Alf Esteban
Vice President: Carolyn Hanson
Treasurer: Gillian Kinder
Director: Susan Cretan
Director: David Morris
Director: Stephen Luk
Director: Lois McCowan
Director: Kellie Powell

Managing Director: Naomi [email protected]

Business Development Manager: Elizabeth [email protected]

Ph: +61 2 9290 1788
Fax: +61 2 9262 3311
www.thegrcinstitute.org
GPO Box 4117 Sydney NSW 2001 Australia

GRC Professional

Editor: Mark Phillips

Advertising: Naomi Burley +61 2 9290 [email protected]

Disclaimer: While GRCI uses its best endeavours in preparing and ensuring the accuracy of the content of this publication, it makes no representation or warranty with respect to the accuracy, applicability, fitness, legal correctness or completeness of any of the contents of this publication. Information contained in this publication is strictly for educational purposes only and should not be considered legal advice. Readers must obtain their own independent legal advice in relation to the application of any of the material published in this journal to their individual circumstances. The Institute disclaims any liability to any party for loss or any damages howsoever arising from the use of, or reliance upon, any of the material contained in this publication.

Contents

President’s message
Reader poll
News
Financial crimes news

‘Unknown unknowns’ best protection against cyber attack
In less than five years, cyber espionage, theft of IP and cyber warfare have become a $1 trillion problem in their own right. This cybercrime segment is growing faster than – and is already bigger than – any other crime category in history. Wynyard Group VP APAC Jon Piercey provides insight into a new approach to protecting organisations where a cyber compromise could have high-consequence impact.

DET scandal a wake-up call for all
Victoria’s Department of Education and Training has launched a major crackdown on corruption within its ranks in wake of damning findings by the Independent Broad-based Anti-Corruption Commission. The revelations of ongoing fraud have been a source of embarrassment for many, but for compliance professionals, there are positive takeaways.

New challenges as the risk landscape changes
In this exclusive Q&A with GRC Professional, RSA Archer Australia and New Zealand director Chad Alpert discusses some of the key issues confronting risk management today, and ways to deal with them.

Key takeaways from 7-Eleven
As calls for an inquiry into the wages scandal that has engulfed 7-Eleven increase, so too does the focus on what does – and does not – constitute good corporate citizenship.

Institute news
The latest from the GRC Institute.


4 GRC Professional • September 2015

PRESIDENT’S MESSAGE

Change is one of the only constants in the universe. Be it the change of seasons; change in government (and even Prime Ministers!); or change in business environment – change is all around us.

GRC professionals are at the heart of change in their organisations. Some, unfortunately, are seen as potential roadblocks to required change, while many in our profession see their role as being change catalysts for their organisation.

This year’s GRC Institute 19th Annual Conference has as its theme “Change Catalyst”, with topics focussed on the role of GRC professionals in the change process in their organisations.

The GRC Institute is also going through change. Naomi Burley has taken on the role of Managing Director and will be making new appointments to drive the organisation forward. She is also looking at new and changing ways the GRCI delivers services and benefits to members. Expect to see new faces and new approaches in the not too distant future.

The board of the GRCI is also entering a phase of change, with five board positions becoming vacant in October. Calls for member nominations for election to the board were sent to all members earlier in September and I encourage any member with the passion, drive and willingness to give back to the profession to nominate.

Serving on the board as an effective director requires the investment of the most precious commodities of our members – their time and intellectual contribution. Board members expect their peers to actively engage in, and contribute to, board discussions.

The board meets in full for approximately one to two hours every month. It also holds one half or full-day strategic meeting each year, generally on a Saturday in February, devoted to the consideration of GRCI’s strategic planning and vision.

Although board meetings in themselves are only monthly, directors are also required to consider correspondence and other issues between meetings and are expected to arrive suitably prepared for each meeting to be able to actively participate in the GRCI’s governance.

It is also expected that directors will serve on one or more of the Board Committees (the Finance Committee, Audit & Risk Committee, and Mergers and Acquisitions Committee) or other key committees or working groups of GRCI. Board committees may meet once or more per month, in addition to the board meetings. In addition to serving the membership, being a GRC Institute director also enables members to enjoy further professional growth. If you feel that you have the desire and qualities to serve on the GRC Institute Board we would encourage you to nominate for election.

It is also a time of change for me as your President. After serving on the board for the past six years, with the last three as President, it is my turn to step down. During my time on the board I have seen and been involved in much change within the GRC Institute. We have successfully expanded internationally; we have seen the coming together of risk and compliance professions into the GRC Institute; we have changed the way we deliver, certify and accredit our education offerings; and we have been the change agents in driving the adoption of the AS/NZS 3806 standard to become the ISO 19600 standard.

I would like to thank the many members, staff and fellow directors who have given their time and energy to make the GRC Institute the professional body it is today.

I look forward to seeing many of you at the GRC Institute Annual Conference in Melbourne at the end of October and being your host for the Annual Gala Dinner and Awards’ Night.

My parting comment is: embrace change – be a change catalyst and don’t let the tide of change sweep over you.

Thank you

It’s all about change

Alf Esteban CCP, President, GRCI


GRCI’s Graduate Certificate in Compliance Management 91517 NSW has been designed exclusively for senior governance, risk and compliance professionals looking to further develop skills for career progression to the most senior level.

Considered the benchmark accreditation for compliance professionals, this course is a nationally accredited qualification.

This course offers you a career advantage through demonstrable skill development over an intense study period of four days. You will also become part of a strong network of professionals supported by GRCI, including special events exclusively for CCP alumni.

Next available certificate courses:

Sydney, 7-11 October 2015
New Zealand, 10-13 November 2015

For more information and bookings please visit: www.thegrcinstitute.org or email [email protected]

Graduate Certificate in Compliance Management 91517 NSW
Certified Compliance Professional (CCP)


READER POLL

Crisis, what crisis?

What do you make of the crisis currently engulfing 7-Eleven? As we note in our story on page 31, at the very least it is a major body blow to the perceived integrity of the franchising sector, which in Australia is estimated to be worth around $130 billion.

Despite a chequered history, increased regulatory oversight had seemed to be driving most of the cowboy operators out of town – but not all. Is more regulation of the sector the answer, especially given revelations of collusion between franchisees in a racket known as the “half pay” scam?

If you think there is a case for increased regulation of the sector as a whole, email [email protected] and we will publish your views in the next issue.

LAST MONTH’S POLL

Last month we asked for your views on the preparedness of your organisation’s crisis management strategy. Is it “state of the art”, “getting there”, or given the extent of potential risks the firm faces, “completely inadequate”?

It was an important question because as we noted in our story “Crisis, what crisis?” the long-term damage a crisis inflicts on the reputation of a business can be just as devastating as the immediate interruption to operations.

Respondents to our survey largely agreed that although business continuity management (BCM) and disaster recovery (DR) programs have, through necessity, been getting better, a lot of work still needs to be done to increase the quality and maturity of such programs.

In fact, 80 per cent said their BCM and DR strategies were just “getting there”. A handful said they were “state of the art”, but many admitted they were “completely inadequate” if they had to deal with any one of the serious risks companies face today.

BEST FROM AROUND THE WEB

These were the stories being discussed at the GRC Institute this month:

• Charges over “boiler-room” fraud
• VW exhausts its credibility
• Union Royal Commission: more revelations
• Prosecutors target ex-FIFA boss


NEWS

Companies ignoring the ABCs of ABC

Australian companies doing business overseas are facing greater challenges on anti-bribery and corruption (ABC) compliance than ever before, according to a new survey report by KPMG International, “Anti-Bribery and Corruption: Rising to the challenge in the age of globalisation”.

“The report shows that a growing number of governments around the world are tightening ABC regulations or introducing new ones,” says KPMG Australia head of forensic Gary Gill.

“For Australia, of most relevance is the fact that the Chinese authorities are making significant efforts to crack down on corruption. China is already our biggest trading partner and if the FTA [free trade agreement] goes ahead, levels of trade will only increase and Australian businesses need to be aware of the risks and how to manage them.

“As Australian companies do increasing business overseas they rely more heavily on third parties, often in areas where there is a high risk of corruption, and Asia is not immune from that. It is third parties who are often conduits for bribes and they are difficult to detect, so management of third parties is a real challenge when it comes to ABC compliance.”

Indeed, the global study – which included 15 Australian companies – found that as companies continue to globalise, their management of third parties poses the greatest challenge in managing ABC programs, ranking first in terms of auditing third parties for compliance and third in conducting due diligence over them.

Despite the difficulty of monitoring their business dealings with third parties, nearly half the respondents do not identify high-risk third parties. More than half of those respondents with right-to-audit clauses over third parties have not exercised these rights.

Nearly two thirds of companies indicated that M&A is part of their growth strategy, but many admit they are unaware of the consequences of failing to identify ABC risks during the acquisition phase. They blame lack of resources to manage ABC risk, which ranks fourth overall among the top challenges facing organisations.

Despite the fact that data analytics has become an increasingly important and cost-effective tool to assess ABC controls, only a quarter of respondents said they use data analysis to identify violations, and of those that do, less than half continuously monitor data to spot potential violations. A similar proportion (26 per cent) could not say either way.

“The findings and issues revealed have resonance in Australia, where bribery and corruption cases are on the increase and have the potential to seriously damage an organisation’s reputation,” Gill continues.

“The AFP [Australian Federal Police] is making renewed efforts to crack down on bribery and corruption in Australia, but as a nation we don’t always prosecute allegations with the same vigour as other countries, and findings of corruption do not always result in criminal prosecutions. This does not persuade companies to make the investment necessary to manage bribery and corruption risk effectively, despite the obvious advantages of doing so from a reputational perspective.” •••

Senator alleges wind farm non-compliance

In a controversial allegation, Senator John Madigan has alleged that wind farm compliance reports have been faked.

According to Madigan, “all levels of government have been duped by sham compliance reports which allowed major wind farms to breach noise limits and collect millions of dollars in subsidiaries” – a serious allegation.

However, he made his comments under parliamentary privilege to “blow the whistle” on what he claimed was a corrupt system of assessing noise from wind farms.

He singled out international noise consultant Marshall Day (MDA) and its consultant Christophe Delaire, who has been involved in more than 50 wind farm projects.

Madigan told the Senate MDA’s commercial arrangements with wind farm operators Acciona and Pacific Hydro had “adversely affected the independence of its reports and the legitimacy of conclusions”.

In a formal statement, MDA chief executive Peter Fearnside said: “We have decided not to respond.” •••


Darling down and out over egg claims

Queensland-based egg producer Darling Downs has been hit with a $250,000 fine for making what the Federal Court has declared were misleading claims about its “free range” egg lines.

In December last year, the Australian Competition and Consumer Commission (ACCC) initiated legal action against the company as part of a broader crackdown on the veracity of so-called free range claims.

“It’s clearly misleading to claim your eggs are free range when the hens that laid the eggs didn’t roam freely outdoors,” says ACCC chairman Rod Sims. The eggs were from hens permanently confined in barns.

The court has also ordered that Darling Downs Fresh Eggs implement a compliance program and publish corrective notices in major metropolitan newspapers and on its website, and contribute to the ACCC’s costs.

For its part, the company maintains it “inadvertently” broke the law while dealing with a bird flu outbreak.

Nonetheless, the court’s decision is important insofar as it acts as a clear warning to companies against making unsubstantiated claims about their products. Indeed, the ACCC has a long history of zero tolerance of such misconduct.

The fact that penalties have been applied on Darling Downs is also a timely reminder to compliance professionals of the importance of carefully monitoring and reviewing the actions of their respective marketing teams, as well as the accuracy of all external company communications. •••

Pilgrim back as Privacy Commissioner: Acts on Ashley Madison

Timothy Pilgrim has been reappointed Australian Privacy Commissioner. His appointment will be for a period of 12 months, commencing on 19 October 2015. He was appointed acting Australian Information Commissioner for a three month period in July 2015, while the government considered options for the future of the Information Commissioner position.

Before his current acting position, Pilgrim served as Privacy Commissioner from July 2010 to July 2015, and was Deputy Privacy Commissioner from 1998 to 2010. During that time, he was involved in several major amendments to the Privacy Act 1988, including the extension of the Act to private sector organisations in 2001 and widespread amendments to the Act in 2014.

He has been proactive in building awareness of privacy rights and obligations, working closely with the business community, consumer groups and Australian Government.

One of Pilgrim’s first initiatives since his reappointment has been to open an investigation into a data breach of the dating website Ashley Madison.

Avid Life Media, the company that operates the site, is based in Canada and, recognising the global nature of the incident, the Commissioner’s investigation will be conducted jointly with the Office of the Privacy Commissioner of Canada.

All organisations that carry on business in Australia and are covered by the Privacy Act 1988 (Privacy Act) have obligations in relation to the personal information they hold. This includes taking reasonable steps to ensure that personal information is held securely. The Office of the Australian Information Commissioner’s (OAIC) investigation will focus on this issue.

Avid Life Media has already been cooperating with the OAIC since it began making preliminary inquiries following news that the breach had occurred. The OAIC will publish a further statement at the conclusion of its investigation, outlining its findings.

“All individuals have the right to expect that their personal information will be managed in accordance with the Privacy Act,” Pilgrim says. •••


Cyber criminals up the ante

Australia was ranked sixth in the world for countries with the highest number of macro malware detections in Q2 2015, according to Trend Micro’s latest security roundup report, “A rising tide: new hacks threaten public technologies”.

The quarter also saw an increase in the number of malicious app downloads by Australian mobile device users.

During the second quarter of 2015, cybercriminals became more inventive in their attack methods to infiltrate and abuse existing technologies that are often overlooked.

“We saw a shift in the threat landscape with cyber criminals becoming more sophisticated and creative, amplifying existing methods of attack, and using them in new ways,” says Trend Micro Asia Pacific managing director Dhanya Thakkar. “They are taking more strategic approaches, refining their methods and targeting more selective victims to improve their infection rates.”

Other highlights in the report include:

• Hacks causing disruptions to public utilities: broadcast networks, airplanes, automated vehicular systems and home routers pose not only the risk of malware infections, but physical inconveniences and threats.

• Lone wolf cybercriminals gaining notoriety via successful ransomware and PoS attacks: FighterPoS, solo hackers “Lordfenix” and “Frapstar,” along with “Hawkeye” keylogger attacks, demonstrated that single individuals are capable of making a significant impact in today’s threat marketplace.

• Government entities fight back against cybercrime: Interpol, Europol, US Department of Homeland Security and the FBI all played a role in taking down longstanding botnet operations. Additionally, the indictment of Silk Road founder Ross Ulbricht brought to light the nebulous nature and dangers of the so-called “dark web”.

• National and political impacts were made by attacks on government organisations: The attack on OPM was a shocking realisation that no one’s personal data is safe. Macro malware and island-hopping were among the tactics used to target government data in this and similar breaches.

• Public-facing websites and mobile devices were threatened in new ways: While threats to software are always present, vulnerabilities in web apps were proven to be just as dangerous. Attackers will leverage any vulnerability available and custom applications need custom security attention to ensure such entry points are eliminated. •••


Slow progress on women on boards

The representation of women on corporate boards continues to increase, but the number of women leading boards still remains low globally. Overall, women now hold 12 per cent of seats worldwide with only four per cent chairing boards, according to the new “Women in the Boardroom: A Global Perspective” report by Deloitte Global.

The report outlines the efforts of 49 countries to increase the number of women occupying board seats. European countries continue to lead on gender diversity in the boardroom, with Norway, France, Sweden, and Italy all ranking high. Regionally, countries in the Americas and Asia Pacific region have progressed the least. According to the report, the regional breakdown of female chairs is: EMEA (five per cent), the Americas (four per cent) and Asia Pacific (four per cent).

“We’ve seen a welcome increase in women on boards, however the number of women securing the top spot remains elusive even in the most progressive countries,” says Deloitte Global managing director of the Deloitte Center for Corporate Governance, Don Konigsburg.

“Of course, in many countries, the chair is an executive position, but this absence of women among chairs is revealing. For example, Denmark has the sixth-highest number of women on its boards, yet ranks bottom – our study didn’t identify a single board in Denmark that had a woman chair. This is not the only country where this is the case.

“The global statistics mask important differences within countries. For example, Scandinavian countries have successful policies that make it easier for women to serve on boards, compared with the Asia Pacific region, which has been slow to implement such policies. So, it’s clear that more can be done. We actively encourage increased collaborative effort from organisations, governments and policy-makers; it is the only way we will begin to see results.” •••


Visa ordered to pay $18 million

The Federal Court has ordered Visa Worldwide to pay a pecuniary penalty of $18 million for engaging in anti-competitive conduct, in proceedings brought by the Australian Competition and Consumer Commission (ACCC). Visa Worldwide is the subsidiary of Visa Inc which contracts in Australia with financial institutions for the supply to them of access to and participation in the Visa network.

For international travellers to Australia wishing to use their Visa card to make purchases at point of sale (POS), Visa has always supplied the currency conversion services necessary to allow the Australian merchant to be paid in Australian currency and the purchases to be later billed to the cardholder in their home currency. Visa earns substantial revenue from the provision of these services, both in the form of foreign currency trading revenue and fees.

Dynamic Currency Conversion (DCC) is a service which competes with Visa’s currency conversion services and gives international cardholders a choice to complete a transaction in their home currency rather than in the local currency of the merchant, including online merchants. If a consumer chooses DCC, the exchange rate is locked in and disclosed to the cardholder at the time of making a transaction.

During the period 1 May 2010 to 6 October 2010, Visa Worldwide implemented and maintained a moratorium by making changes to the Visa rules which prohibited the further expansion of the supply of DCC services on POS transactions on the Visa network by its rival suppliers of currency conversion services in many parts of the world, including in Australia.

This prohibition meant that retail stores, hotels and restaurants that were not already offering DCC to their customers as at 30 April 2010 could not choose to offer DCC. In effect, this froze the pool of merchants who could offer DCC during the period of the prohibition, which in turn prevented the further expansion of DCC during that period. The court declared that by this conduct Visa contravened section 47 of the CCA.

The court indicated that the penalty should send a clarion call to large multinational corporations with operations in Australia, that whatever decisions may be made globally, Australia will not tolerate conduct that contravenes its competition laws and will not tolerate conduct likely to substantially lessen competition in Australian markets.

“Unlawful conduct which prevents or hinders the competitive process in concentrated industries and restricts consumer choice are priority areas for the ACCC,” ACCC chairman Rod Sims says.

“The ACCC was concerned that Visa’s conduct was likely to stop the growth of currency conversion services which competed with its own and, as a result, limit the choices available to consumers.

“The substantial penalty imposed against Visa Worldwide reflects the serious nature of the conduct, which hindered the competitive process and restricted an emerging technology and service from developing under otherwise competitive market conditions.”

The court also made orders that Visa pay the ACCC’s costs of the proceeding, in the amount of $2 million.

According to Sims, the ACCC has noted media reports speculating that the matter was resolved on the basis that Visa admitted a contravention of section 46 of the CCA. “This was not the case,” Sims says. “The ACCC has an obligation to resolve proceedings wherever appropriate and practicable, and given Visa’s admission in this case of a serious contravention of section 47 the ACCC did not further press allegations in relation to section 46. One reason for this is the significant legal hurdle and complexity presented by proceedings under section 46 of the CCA.” •••

Heed the warning

For risk and compliance professionals – especially those operating in multinational organisations – of particular note with regard to Visa’s anti-competitive conduct was that in reaching his decision, Justice Michael Wigney added $2 million in costs to the penalty, saying:

“. . . it sent a signal to multinationals the world over that Australia was not going to put up with anything that blocked competition in the local market. Companies that are responsible for the Australian operation of multinational groups must be deterred from putting into effect and enforcing global decisions made outside Australia where the decisions adversely affect competition or are likely to adversely affect competition in Australia.”

Needless to say, the Competition and Consumer Act (CCA) is made up of several parts and schedules, each dealing with particular issues or types of conduct relevant to competition or consumer protection law.

The key competition law provisions of the CCA are contained in Part IV, which regulates restrictive trade practices and mergers. Its aim is to prevent anti-competitive activity by companies and individuals.

Everyone associated with risk and compliance needs to be aware that the CCA includes a variety of potentially very significant penalties for breaching the competition provisions.

It may be possible to structure a transaction or business dealing to avoid exposing the business, and its directors, to these large penalties, but this needs to be considered at the start of any deal. The CCA also includes criminal penalties (including jail) for some offences, and an individual who has breached or been involved in a restrictive trade practice may be disqualified from being a director or being involved in the management of a corporation.

Regulation still number-one global risk for insurers

Cyber risk, political interference, and macro-economic volatility rank among the top sources of anxiety for Australian insurers, according to a new joint PwC and Centre for Financial Innovation (CSFI) report.

The Australian results from the fifth biennial “Insurance Banana Skins” survey found that concerns about cyber risk jumped from 19th place in 2011, to 13th in 2013, to top place in 2015.

At a global level, insurers are slightly less concerned about cyber risks than their Australian counterparts, placing it in fourth place behind concerns about regulation, the macro-economic outlook, and interest rates.

For the third survey running, regulation remained the highest-ranked risk globally. In Australia, however, regulation fell from top position in 2013 to 16th position in 2015.

According to PwC Australia insurance leader Scott Fergusson, the degree of regulatory change is considerably less now than two years ago, when the Australian Prudential Regulatory Authority (APRA) was implementing its new life and general insurance capital standards. •••


14 GRC Professional • September 2015

NEWS

NZ reviews telco regulations

New Zealand’s Communications Minister Amy Adams has launched a discussion paper to look at ways to future-proof the country’s communications regulation.

The discussion paper “Regulating communications for the future” continues the government’s review of the Telecommunications Act 2001 and seeks views on a range of options for communications regulation post 2020.

“Digital convergence, new technology and innovation are transforming the way we live, work and do business and communication networks have come a long way since the Telecommunications Act was passed in 2001,” Adams says. “This review is a critical step in ensuring we have a regulatory regime which supports growth, investment and innovation in these sectors into the future.

“Private sector investment in high quality communications infrastructure such as broadband and mobile networks is important to deliver better connectivity to Kiwis. The more certainty communications sector investors have about the regulatory environment, the better placed they are to deliver more technology choices for consumers.”

New Zealanders have embraced streaming video on demand. By 2022, at least 80 per cent of consumers will have access to fibre and 90 per cent will have 4G mobile coverage.

“For this reason, it’s vital we have the right regulatory settings to support the future of communications beyond 2020,” Adams says. “Like other countries around the world, New Zealand is grappling with issues of rapid transformation of its communications sectors. It’s important to ensure our regulatory system is well positioned to support this period of rapid change,” Adams says.

If GRCI members would like the institute to formulate a response on their behalf for input into the discussion paper, contact Naomi Burley on +61 2 9290 1788 or email [email protected] •••

Uber regulation likely

In the wake of industrial action by Melbourne’s taxi drivers against Uber X, it now appears almost certain that the ride-sharing operation will be subject to increased regulation in Victoria.

According to Victorian Taxi Families spokesperson Sandy Spanos, “it’s time it [Uber] played by the rules”, alluding to the fact that the company is not subject to the same regulations as other taxi operators.

In a formal statement, Victorian Premier Daniel Andrews said the Uber operation was a case of “technology getting ahead of the law”.

“Clearly, we can’t have a situation where people are purchasing a service where there’s not proper regulation, insurance, accreditation, simple things like complaints processes, lost property, security,” he said. “All of these things need to be dealt with.”

Indeed they do, but Uber is by no means unique in its ability to circumvent existing regulations. Since the advent of the internet – upon which the Uber business model is built – the law has struggled to keep up with advances in technology. For example, there are no specific new laws anywhere in the world that relate to the internet of things. Instead it is governed by existing legal frameworks, which in terms of protecting any personal data transmitted by such devices to companies keen to monitor what were previously private activities, are hopelessly antiquated and inadequate.

Referring specifically to Uber, Premier Andrews said: “This is new, it is complex in some areas and it needs to be done properly.”

For its part, Uber has called on the government to “implement sensible, safety-based ride-sharing regulation as soon as possible”. •••


COVER STORY

BEWARE IP THEFT IN CHINA

There are high-stake risks and rewards when it comes to doing business in China, but whatever you do, don’t leave home without intellectual property protection. Mark Phillips reports.

There are countless risks for foreign companies already operating in or considering doing business in China. Books have been written about them, covering everything from the danger of a slowing economy and environmental and social concerns, to bribery and corruption. The number-one challenge, however, is intellectual property (IP) protection.

In a recent address on the problems multinational companies face with IP theft in the People’s Republic, United States Secretary of Commerce Penny Pritzker said that although China’s drive to have an innovation economy meant it was genuine in its desire to protect IP, “the real conversation needs to be not just about the laws on the books but also about the court system and the broad and consistent application of these rules”.

Pritzker cited a report compiled on behalf of the Commission on the Theft of American Intellectual Property, which found that China accounts for nearly 80 per cent of IP thefts from US-headquartered organisations, amounting to a staggering US$300 billion in lost business. Among European corporates, the loss of IP in China reduces potential profits by 20 per cent.

Quoting from the report, Pritzker said: “A core component of China’s successful growth strategy is acquiring science and technology. It does this in part by legal means – imports, foreign domestic investment, licensing, and joint ventures – but also by means that are illegal. National industrial policy goals in China encourage IP theft.”

The China-Australia free trade agreement, although possibly still not a done deal, only serves to bring the issue of IP leakage into even starker focus.

Bogus luxuries

The effects of the theft are ubiquitous, with counterfeited items including toys, luxury goods, software, automotive and aircraft parts, and pharmaceuticals now scattered throughout the world. In fact, you only need visit the Indonesian resort island of Bali to see just how sophisticated the industry has become, where High Street-like chains are stocked to the brim with upmarket knock off Bvlgari watches, Tom Ford sunglasses and Waterman pens.

These are not just stalls in a backstreet market. Shop assistants dress in neat uniforms (interestingly, all female), the thousands of accessories are impeccably displayed and clearly priced (some watches retail for up to A$200 and nothing is negotiable), the outlets themselves are meticulously fitted out, air-conditioned and maintained. What’s more, they stock only A-grade replicas – there is now a strictly enforced quality code when it comes to copies (A+, A, B+, B, C+, C).

In short, other than the fact they deal only in designer counterfeits, you could be in a Westfield. The business model seems to have only one downside – the outlets are too small for the volume of trade. If they were the size of a Bunnings Warehouse, they would probably still be packed with customers.

The bottom line: every single item for sale is “Made in China”.

Everything at risk

Unfortunately, the IP violations go beyond products. They extend to pirated operational processes and the replication of entire business and service models. For many international corporations, this means IP leakage frequently becomes a barrier to Chinese sites becoming fully integrated partners in global innovation activities.

The leakage often occurs through staff transfers or shared practices from foreign corporations to local joint venture or supply chain partners. For many, however, it is often a calculated risk worth taking in exchange for greater access to local markets through a partner’s channels or better quality parts from local suppliers. Even so, unintended leakage can seriously impact a company’s reputation and profitability and, in the worst case, create powerful local or even international competitors – as is happening with the Bagus Watch chain in Indonesia.

So, how can a company best protect the technology it brings to China? As Pritzker noted, combined with the lack of legal enforcement, the issue of protecting intellectual property rights is now the single biggest hurdle for most companies to overcome when thinking about entering the market.

Premier Li Keqiang recently received Pritzker and a delegation of US clean tech companies seeking a windfall from China’s drive to reduce pollution, during which he highlighted China’s plans to set up a new IP tribunal.

Meanwhile, lawyers in China say foreign companies are already increasingly willing to turn to the country’s arbitration courts, particularly in Shanghai and the Yangtze Valley, where they claim courts are becoming more professional.

Nonetheless, doubts remain over fair treatment in the country’s legal system and, as Pritzker emphasised, continue to act as a barrier to foreign companies which do not want to risk committing their best technology to the market.

As RSA Archer Australia and New Zealand director Chad Alpert points out in our story on page 27, it is a dilemma: multinational corporations cannot afford to stay away from China, but to remain competitive they must develop mechanisms that allow them to minimise the risk of losing critical know-how.

Precautions and solutions

Fortunately, there are a variety of ways to protect technology in China. None, of course, are fool-proof, but taking certain precautions can substantially lessen the risk. For example, setting up a wholly owned foreign company where possible to manufacture the product, rather than entering into a joint venture, provides more control over who has access to the technology and know-how. Breaking the manufacturing process into several discrete operations that are located in different facilities can prevent any single group of employees from seeing the whole process. Another good way to prevent technology leakage is to manufacture more components, where much of the technology is contained, in-house, rather than outsourcing.

Further, failure to register trademarks and/or patents is one of the principal difficulties foreign companies encounter in the Chinese market. Some mistakenly believe that registration in their home country protects them in China; others may underestimate the risk of IP abuse; some believe that registration is expensive, time consuming and not worth the effort; for others still, business or exports may be expanding so rapidly that they expose themselves by postponing registration.

It is imperative to consult a law firm familiar with Chinese intellectual property law. Such a firm should be able to help you identify key elements of your IP that absolutely have to be protected, and advise on the process to apply for registration.

Registration of intellectual property rights is essential, as patents and trademarks registered in other countries are not usually protected. Notably, China’s trademark and patent regimes operate on a “first-to-file” registration system, rather than a “first-to-use” or “first-to-invent” basis.


Companies that do not register their IP risk having their inventions registered by others operating in bad faith. While recourse mechanisms do exist to address this type of situation, objection and appeal processes can take years to wind their way through the system, and at considerable expense. It is also worth registering the Chinese language versions of trademarks.

Conducting due diligence on potential partners, agents and/or distributors is a must, particularly given that associates or former employees are a frequent source of rights violations. Make sure you have clear contractual protection for all aspects of IP, including clauses on your ownership rights and use limitations on your partner, distributor, licensee or employees. When hiring employees, have them sign an agreement that contains clauses on confidentiality, non-concurrence and the use and ownership of IP.

It is also important to include clear contractual protection for all IP, as contractual problems have been shown to be a frequent source of IPR (intellectual property rights) infringements. Ensure that you have your own legal counsel (do not rely on the legal advice from your Chinese partner) before you enter into an agreement and be prudent in conducting negotiations. Remember: the best contracts are those that do not have to be enforced.

Patent registration

China and Australia are both signatories to the Patent Cooperation Treaty (PCT), which is administered by the World Intellectual Property Organization (WIPO), and provides a unified and simple patent application system for the filing of patents in multiple jurisdictions.

Filing a single international application under the PCT gives an application automatic effect in 148 countries and allows you further time to decide whether you want to pursue patent protection, and in which countries.

Therefore, when you apply for a patent in Australia, you have the option to submit an application for a Chinese patent. In order to register patents in China this way, companies must initiate the patent process for China within 30 months of the priority date. You can apply for a Chinese patent within Australia, through the PCT website or via the Chinese Intellectual Property Office.

However, it is important to note that if the patent has already been granted in Australia, it may preclude obtaining one in China, as your “invention” will not be considered “new and innovative”, unless you apply within a defined period – one year for patents and utility models, and six months for industrial designs.

Trademark registration

Companies wishing to register trademarks in China must go through the Trademark Office of the State Administration for Industry and Commerce (SAIC). Those with no habitual residence in China must appoint a patent or trademark agency designated by the State Council to act as an agent. Foreign companies with a presence in China may file directly.

As mentioned in the main story, China’s trademark registration process is a “first-to-file” system. This means that the first party to file for registration of a particular trademark will be granted rights to that trademark. Failure to use a registered mark for three consecutive years in China means it will be subject to cancellation. •••

Strange but true

An anomaly to the damage caused by piracy recently took place in China, where the small Danish company that makes “Angry Birds” actually found a benefit in the widespread, illegal copying of its game, which has been downloaded 50 million times in that country.

The company turned the widespread knowledge of its brand in China that resulted from the piracy into a marketing advantage for its other products. Moreover, since users couldn’t differentiate between the fake and genuine products, sales skyrocketed.

Regardless, piracy of creative products can also significantly damage the brand of the original manufacturer when consumers can’t tell the difference between a counterfeited product – which may be shoddy – and the genuine article. Cheapening of the brand can be a serious problem, especially as reputations are hard to recover when lost.


Financial crimes

China acts on illegal stock trading

As its financial markets continue to struggle, China is cracking down on thousands of stock accounts linked to illegal trading.

The China Securities Regulatory Commission (CSRC) has so far targeted 3255 accounts, shutting some and forcing others to trade through legal channels, it says in a formal statement.

According to the CSRC, the violations include investors failing to register real names on their accounts and using platforms that facilitate margin trading outside regulators’ oversight.

The regulatory crackdown began in July and the CSRC still has to check more than 2000 accounts holding nearly 188 billion yuan (US$29 billion) worth of shares, it says.

Earlier this month the CSRC fined three companies a combined 453 million yuan (US$71 million) for conducting “illegal securities business”, which has been blamed for volatility on the plunging markets.

Meanwhile, police have detained Wang Xiaolu, a journalist with business magazine Caijing, after he wrote a story saying the regulator was studying plans for government funds to exit the market.

Authorities have also detained an official from the CSRC and four senior executives of Citic Securities, the country’s biggest brokerage by assets, for “stock market violations”, the official news agency Xinhua reports. •••

‘Unknown unknowns’ best protection against cyber attack

Surge in current account fraud

Fires force Singapore’s hand

Edition Fifteen September 2015

Myki hit by OS fraudsters

In another blow to Public Transport Victoria (PTV) and its beleaguered Myki electronic ticketing system, it has been revealed that international crime syndicates have swindled more than $4 million from it, using stolen credit card details to buy Myki cards which they then sell on the black market.

The fraud is now subject to an international police investigation, while PTV had refunded $4.2 million to international credit card holders who had Myki purchases charged to their accounts over the past 18 months.

PTV chief executive Mark Wild has been at pains to reassure commuters that money in their Myki accounts and personal credit card details are not at risk and that the fraud has “mostly” been perpetrated by the use of overseas credit cards.

“It’s organised, it’s a constant threat, but I’d like to reassure everybody it’s nothing to do with people’s personal details or Myki money,” he says. •••

Pratten found guilty

The largest tax evasion investigation in Australian history – costing taxpayers just over $507 million – has wound up with fraudster Timothy Charles Pratten being found guilty by the Supreme Court of NSW on seven counts of obtaining a financial advantage by deception.

Pratten, an insurance broker, failed to properly declare income of more than $5 million between 2003 and 2009 and used an elaborate web of trusts and companies in Australia and Vanuatu to stash huge sums of money and hide it from the Australian Tax Office (ATO).

The ATO’s Operation Wickenby, which was established in 2006 to crack down on secret offshore tax evasion schemes, uncovered a veritable treasure trove of luxury items in the investigation, including a four-seater helicopter and 45-foot yacht.

Sentencing submissions for Pratten, who faces a possible jail term, will be heard next month. •••

More charged with ‘cramming’

Two men have been charged with helping to run a so-called “cramming” fraud in which they earned tens of millions of dollars by charging unsuspecting mobile phone users for unwanted junk text messages.

The charges were brought by the office of US Attorney Preet Bharara in New York, which previously charged six other men in May in connection with the scheme.

Prosecutors say the gang reaped tens of millions of dollars from 2011 to 2013 by signing thousands of mobile users, without their knowledge, up for text messages containing horoscopes, celebrity gossip and trivia for US$9.99 a month. •••


‘Unknown unknowns’ best protection against cyber attack

Wynyard Group VP APAC Jon Piercey provides insight into a new approach to protecting organisations where a cyber compromise could have high-consequence impact.

In less than five years, cyber espionage, theft of IP and cyber warfare have become a $1 trillion problem in their own right. This cyber crime segment is growing faster than – and is already bigger than – any other crime category in history.

Cyber attacks are reported to cost large Australian enterprises an average of $8.3 million a year, but the real costs could be much higher (HP Enterprise).

The theft of intellectual property or commercially sensitive information online by transnational, organised cybercrime syndicates is recognised as one of the biggest issues for businesses, according to the ACSC 2015 Threat Report. Faced with growing threats, what can IT security teams do when traditional methods are no longer enough, as evident from ongoing and multiple high-profile attacks?

When protecting against cyber attacks, many companies focus on endpoint protection and breach prevention. But protecting the cyber perimeter with firewalls and anti-virus packages means they often only possess the ability to detect an intrusion by matching it to a list of threats previously detected and seen before.

While this perimeter defence is necessary, a more complete cyber security program must also offer protection against the “unknown unknowns” – previously unidentified or unseen threats or indicators of those threats that no one was aware existed.

A new approach is to use a Pro-active Cyber Forensics solution – one that gives cyber security teams the ability to identify anomalies and unusual patterns within the network.

By establishing a baseline of the company’s network and its routine operations, a Pro-active Cyber Forensics solution then uses advanced analytic machine learning techniques to search for anomalies. This could be a device trying to access an unusual amount of data or an unseen pattern of user login activity – possible indications of both external and internal threats. When unknown threats are identified an alert is triggered. Because this happens early in the timeline it means potential harm and damage to the network can be identified, remedied and mitigated.

While the ability of cyber adversaries to create, identify and exploit vulnerabilities in networks creates significant challenges for Australia’s cyber defenders, with the right tools, IT security teams can be better protected against a high-impact cyber compromise.

The deep analytic capabilities of a Pro-active Cyber Forensics solution are a critical component of any overall IT security strategy. It enables security to concentrate on identifying cyber risks and areas of vulnerability and threat detection, including indicators of current compromise. •••

For more information visit www.wynyardgroup.com

Surge in current account fraud

Current account fraud in the UK almost doubled in Q2 2015 due to extensive large scale organised attacks. The rate of fraudulent applications soared from 81 in every 10,000 to 151 by the end of the quarter. Identity theft was at the heart of the attacks. In Q1 2015, 49 per cent of all current account fraud was identity theft, but by Q2 2015 the figure had risen to 69 per cent.

“We’ve seen current accounts slowly become the main target for criminals over the past year, but this sudden surge in fraud is alarming and indicative of a widespread organised attack on financial service providers,” says UK director of identity and fraud at Experian, Nick Mothershaw.

“The good news is that these figures relate to detected and prevented fraud, so these large scale attacks are being blocked before the damage is done. However, it does reveal the fervour with which fraudsters are targeting current accounts and the dangers for both the individuals whose identities are stolen and the organisations trying to protect them.”

Despite the growth in current account fraud there has also been a sharp decrease in the rate of fraudulent mortgage applications. In Q1 2015, the fraud rate stood at 83 in every 10,000 applications, but by Q2 2015 this had dropped to 70. This is the first time since Q3 2013 that the quarterly fraud rate for mortgages dropped below 80 in every 10,000 applications. •••

How to prevent falling victim to ID fraud

• Always shred or destroy documents that contain personal information before throwing them away.

• Never respond to cold phone calls or emails asking for account details, pins, passwords or personal information.

• Don’t give too much away on networking websites. For example, pets’ or children’s names could be used as passwords.

• Monitor all post regularly so you know when to expect important documents – and when to act if they don’t arrive.

• Always use secure, unique passwords for as many online accounts as possible, and ideally all of them. At the very least, have a unique password for each type of service provider such as financial services, retail services and email.

• Do not store account names and passwords on a smartphone, either in email, as a note, or to “autocomplete” when you open a website or app. It will be a goldmine for fraudsters if your device is lost or stolen.

• Read all bank and card statements regularly to check for suspicious transactions.


Fires force Singapore’s hand

by Mark Phillips

Singapore’s ambitious Transboundary Haze Pollution Act looks set to be tested in the wake of illegally lit forest fires in Indonesia’s Sumatra and Kalimantan islands, the smoke from which has engulfed large parts of SE Asia, particularly Malaysia and Singapore.

The dramatic piece of legislation, which was enacted in September last year, establishes extra-territory liability for entities engaging in setting fires abroad that cause transboundary smoke or “haze” pollution in the city state. The impetus for the Act’s enactment can be traced to the serious haze pollution that hit Singapore in June 2013, which had serious environmental, health and economic impacts on Singapore.

According to Singapore’s Ministry of the Environment and Water Resources, Singapore has been affected by recurrent haze resulting from land and forest fires in Indonesia since 1991. Last year the haze was particularly severe, resulting in significant disruptions to businesses and livelihoods and causing around S$1 billion in financial losses. Notably, the Transboundary Haze Pollution Act provides for both criminal and civil liability for such conduct, with fines ranging from S$300,000 to S$450,000.

At its core, the intent of the Act is to move environmental crimes such as have been happening in Indonesia, into the sphere of financial crimes. Quite simply, Singapore has had enough, with the latest fallout from the fires not only severely impacting its lucrative hosting of the coveted Formula One Grand Prix, but forcing some schools to close and airlines to delay flights.

Indonesia, meanwhile, has ordered a crackdown on lighting fires to clear forested land, with its Environment and Forestry Minister Siti Nurbaya revealing that this year’s haze has already caused trillions of rupiah in losses to the Indonesian economy, with further losses expected.

For the first time, Indonesian authorities have agreed to share with Singapore the names of companies suspected of deliberately burning forests, thereby opening the door to trans-border prosecution. According to Nurbaya, a Malaysian company is among more than 20 firms currently being investigated.

By any standard, the Transboundary Haze Pollution Act is a pioneering piece of legislation. No one knows for sure if it will actually work – including lawyers in Singapore – but there are many large palm oil-related companies that hope it doesn’t.

On the other hand, millions across SE Asia whose health and livelihoods are at stake live in hope that it does.

Loss of reputation is not an issue for those suspected of paying impoverished local farmers to ignite the forests (they don’t have one to lose) – the only deterrent is to hang them out to dry, revoke their licences, and make them pay for it. •••


CASE STUDY

DET SCANDAL A WAKE-UP CALL FOR ALL

Revelations of ongoing fraud at one of the Victorian Government’s key departments have been a source of embarrassment for many, but for compliance professionals, there are positive takeaways.

Victoria’s Department of Education and Training (DET) has launched a major crackdown on corruption within its ranks in the wake of damning findings by the Independent Broad-based Anti-Corruption Commission (IBAC).

The department has finally decided to abolish the banker school system that was used to rort $2.5 million of education funds, while new whistleblower protection and an integrity division that investigates misconduct will be introduced.

Nonetheless, serious questions remain about how the scam and its architect, the department’s former finance manager, Nino Napoli, escaped scrutiny for so long. The IBAC inquiry has revealed that the scam benefited Napoli’s relatives and former acting secretary Jeff Rosewarne, and that some principals reaped the benefits of interest accrued on the banker school accounts.

So far, the inquiry has claimed 11 scalps, with the department sacking three staff, including Napoli, and suspending eight others.

“No one could reasonably understand how this might have been going on for nearly 20 years, and that at least $2.5 million of taxpayers’ money spirited away,” says Fraudsec founder Sylvain Mansotte.

“You do not have to have an MBA or be a rocket scientist to feel that something is not right. But when all the red flags were raised, it seems no one was there to see them.”

Fraudsec, which has just entered into an agreement with GRCI, guarantees whistleblowers anonymity by providing organisations with a unique two-way communication platform via any web-enabled device.

According to Mansotte – himself a one-time whistleblower on a major fraud at Leighton Contracting – the fact that Napoli got away with his scam for such a lengthy period just goes to show how blind people can be to blatantly fraudulent behaviour.

“Evidence has emerged over the five weeks of IBAC’s hearings that banker schools paid for expensive Italian wine, Easter bunnies, Christmas puddings, office furniture, computers, lavish staff Christmas parties – and one very expensive toupee,” he says.

Mansotte says red flags that should have caught Napoli out long ago include:

• He was not only a long-term and trusted employee of the department, but also a long-serving finance manager who knew too well how to work around the system. In fact, he was actually responsible for implementing the recommendations of a departmental audit, which revealed the banker school system posed a high risk of fraud and should be abolished.

• He was a person you couldn’t challenge, and knew it.

• He was an “old school” leader who steered the ship with power, rather than management skills.

• Lack of control and staggering gaps in the processes and procedures of DET.

• Lack of transparency and visibility in the way funds were allocated to schools.

• Lack of an independent and anonymous two-way communication facility to enable the many public officials who either knew or suspected misconduct, but feared for themselves and kept quiet.

• Lack of due diligence when on-boarding new suppliers, lack of detailed invoices, compounded by lack of controls – a three-way match.

• Uncontrolled accounts: banker schools with loose accounting and nobody to keep track of funds.

“Fortunately, there was a whistleblower finally prepared to speak out and risk everything,” Mansotte notes.

That whistleblower was Dr Stephen Brown – a qualified former teacher – who had years before conducted an audit into the banker school system and urged that it be abolished – a recommendation DET rejected.

At the IBAC hearings, he gave evidence on what he called a “completely unethical practice by a number of people in the leadership team in the department at the time”.

“The case of Nino Napoli is no different to the one of Damian O’Carrigan, which I uncovered at Leighton Contractors,” Mansotte says. “There are simple, key actions that would deter or stop these types of basic fraud schemes – basic, yes, but very damaging in their consequences.”

These include:

• A strong tone from the top down. “There is a real need to define the right ‘ethical culture’ so that individuals know what is right and what is wrong. They also need to know that if they suspect something is wrong, they can report it without fear. To do so, there is a need to enable what I call independent and anonymous two-way communication. Only then will the organisation be in a position to investigate, communicating back and forth with the whistleblower. Without question, this is the best way to ensure all facts and evidence is collected to substantiate the allegations made.”

• Walking the talk: “Organisations that set the tone at the top also need to ‘walk the talk’ by implementing regular fraud and corruption awareness and training sessions that all staff and third parties, such as suppliers and contractors, are obligated to attend. The same should apply to HR-related matters, like harassment and bullying.”

• Due diligence: “It is vital to perform an in-depth due diligence process when selecting suppliers and contractors,” Mansotte warns. “The process should not be owned by one individual or one department. Appropriate segregation has to be in place, as well as random monthly checks to ensure all required information is collected and verified. Police and reference checks should be done to ensure the individual is who he/she says they are.”

• Annual leave: “Ensure members of staff take their leave entitlements at a minimum of one or two weeks at a time. Fraudsters have a routine and it is important to at some point break it.”

• Three-way match: “Ensure a three-way match for all invoices – an approved purchase order by authorised personnel, the receipting of the right goods and/or services and at the right price by a second person, and finally matching of the invoice, PO and receipt by a third.”

• Check detail: “Ensure no staff pay invoices that contain little or no detail, and particularly when the content does not appear to make sense – for example, a hotel charging for consulting services.”

• Staff rotation: Ensure all staff rotate from one department to another – or change their roles every three to five years: this will help prevent fraud from going on for decades.

• System monitoring: Mansotte suggests performing regular checks on systems access to ensure all permissions are revised when a change of role or function occurs. “This is to ensure not one person has ‘super user’ access to the organisation’s ERP [enterprise resource planning], which would otherwise allow him or her to perpetrate a fraud without being noticed or blocked by someone else. It’s commonly referred to as having the appropriate level of segregation of duties [SoD], and is the golden rule for all IT systems.”

• Asset register: Use an asset register, as well as a gift and hospitality register, to record everything, Mansotte advises. Then, importantly, ensure this is aligned with policies and guidelines so staff know what is acceptable, and what is not.

• Audits: Perform regular audits of all the organisation’s functions. Then ensure the recommendations are implemented in a timely way, supervised by someone outside the audited department.

• Ban all petty cash and replace it with an effective expense claims process or – just maybe – a petty cash card.

RISK MANAGEMENT

NEW CHALLENGES AS THE RISK LANDSCAPE CHANGES

In this exclusive Q&A with GRC Professional, RSA Archer Australia and New Zealand director Chad Alpert discusses some of the key issues confronting risk management today, and ways to deal with them.

How do you think the overall standard of risk management among Australian corporates stacks up against those in comparable jurisdictions, such as the US and UK?

There are two primary drivers with this, the first being within organisations themselves – the decision to invest or not invest in risk management – and the second is external influences that force us to behave in a certain way.

From a competency perspective, as individuals I think we are absolutely on par with regards to capability, education and so on, but the implementation and operation of risk management as a function is not as compelling here because the regulators aren’t hammering it home as hard as they are in the US and elsewhere.

It has been argued that systemic risk can never be truly regulated, but are organisations perhaps over-regulating or micro-managing their own internal processes to the detriment of positive risk-taking?

That is the other side of the double-edged sword: with regulation comes a desire to tick the boxes and become compliant, but that doesn’t necessarily mean we’re managing risk appropriately. It is important to remember that risk isn’t a bad thing.

I think we have seen the pendulum swing. If we go back to the most globally compelling event that drove a focus on risk management, it was Enron and the subsequent creation of Sarbanes-Oxley.

What happened as a result is that we went from having little real appreciation of effective risk management, to a compliance-driven mentality. But again, just because you’re compliant with a particular framework or regulation doesn’t mean you’re managing risk.

So what we’re starting to see is the pendulum swing back towards the middle ground. I think a micro-management approach drives the wrong outcomes – it’s counter-productive because no one wants to make a decision because, God forbid, something goes wrong.

Today we’re starting to get better context around the decisions being made – we’re taking a more balanced view with regards to the implementation and rationalisation of risk management. The conversation is being had, but there is still a way to go.

At a grass roots level, what practical steps can organisations take to more effectively use risk management to exploit emerging business opportunities, while simultaneously avoiding potential pitfalls?

To some degree it comes down to standard practices. Any business case involves a risk management-based decision – how much do I spend, what’s the return on investment, how big is the problem we’re solving, do I care enough about it?

At the grass roots level it is incumbent on everybody to understand their responsibility within managing risk at every level of an organisation and to contextualise that into the broader perspective of what the organisation is trying to achieve. For example: is there risk in moving into China? Absolutely, the leakage of intellectual property is a massive concern. But on the flip side, it’s a market opportunity with a billion-plus people (also see story page 16).

So, putting appropriate controls in place is important, because we can’t go down the alternative path, which is to drive a zero risk acceptance level that would stifle innovation and change. Ultimately, we need to put a value against it, and that is not just a financial value – it’s a reputational value and sustainability value as well.

Is enough being done to ensure a holistic view of risk management across different organisational functions?

No. Organisations are still struggling in bringing together near real-time views of organisational risks from within the business operational risk teams.

If we think about what is required today with the need for a fully integrated risk management approach that ties top-down risks with bottom-up activities across all the key domains of risk management – ERM, ORM, resiliency, assurance, physical risk, IT risk, IT security, supply chain risk, and so on – it becomes too heavy a load for most organisations to bear.

With this said, there seems to be an appetite by executives and board members alike to better understand the risk landscape we operate in today and there does seem to be a desire by a number of early adopter organisations to start on the journey to an integrated approach.

Banking and finance are often the early movers in this space and we are seeing some of these conversations and activities starting to come to the forefront. There are pockets of success being observed in some organisations today where the integrated approach to GRC is allowing those organisations to better understand risk and make more informed decisions about how and where to make investments in risk management activities.

As far as what can we do, I believe there is a need to keep communication lines open and never pass up on the opportunity to educate our peers in risk management and also the executives of all organisations on the challenges of yesterday and the needs of today. Equally, we have to ensure we understand our audience before we inadvertently scare the people who are looking to us for guidance and support.

Would it be fair to say that most executive teams have yet to recognise the value of a fully integrated approach to risk management?

Again, pockets of success are being recognised in some organisations. It’s hard for most people who don’t operate within the risk management landscape to truly understand the value of a fully integrated risk management function until they experience it first hand, or try and deal with the ramifications of not having one after the event.

This is completely understandable given businesses focus on driving new products and services to market that easily tie into increases – or decreases – in share prices and market uptake, or deliver an easily tracked metric for ongoing review. It would be wrong to suggest having a fully integrated risk management function would by default reduce risk, however if we look at the world as it currently is and acknowledge that risk functions span and touch every aspect of business, it is easy to demonstrate that not having an effective risk management function that integrates across all aspects of risk management is not something we want to deal with. Indeed, there are examples across the board of high level companies that have failed as a result - Sony, Target and even Ansett Airways in Australia are just a few.

In practice, just how integrated do you think the “three lines of defence” within organisations really are?

Cost efficiencies alone should be enough to justify this. The Big Four banks in Australia have realised thousands of hours in time savings through an integrated approach on just a couple of small processes. The value ramps up exponentially as more and more risk functions come on board. Regulators are driving organisations to get with the program and forcing a more integrated approach. They are doing this because we know that not integrating and aligning the business is not effective and causes massive ripples in the market when things go wrong. Just look at the impact of the US subprime mortgage crisis or collapse of Enron and, as I said, the resultant creation of significant US regulation.

What are the key challenges in achieving an integrated model?

Ensuring risk management is understood across all levels of the organisation. The tone at the top or executive involvement is critical in driving awareness and a culture of effective risk management. It is part of all of our roles – not just that of the risk or resiliency team.

Nonetheless, it’s important to have a company strategy if the objective is to be realised. Too often we still see the disparate functions operating in isolation of the broader intent of an integrated governance, risk and compliance framework. Even so, we need to ensure we focus on positive progression rather than perfection. Starting with one or two areas and making sure the focus is on giving value back to the organisation is the best approach: ‘A journey of a thousand miles begins with a single step’.

Why, then, do so many organisations struggle with achieving this outcome?

We’re still in our infancy of understanding the requirements of risk management in today’s society. CROs didn’t really exist 20 years ago, yet now they are reasonably pervasive in most organisations – even if the role’s actual title is a little obscure in some cases.

Over the 20 years, we have seen IT security grow up, and take a few hits on the way, to the point where there are now CISOs and CSOs. We have the CCO for compliance functions, yet we often hear about a company’s IT department being responsible for PCI. A lot of these challenges are signs of a slowly maturing function and appreciation by organisations of the importance of integrated risk management.

This, I think, will lead to the creation of new roles such as chief governance risk and compliance officer (GGRCO) which, of course, would be a cross-functional title responsible for driving the associated outcomes.

At the end of the day, people often hear me explain the fact that boards of directors of commercial firms are really only focused on two things: increasing shareholder value, and managing the risk that impacts their ability to achieve that. If this is the case – and we agree that this is the intent of such firms – then continuing to focus on a more integrated, more effective model is a priority that will help us all move towards a better model tomorrow than the one we are living today.

In your view, will risk management professionals ever get a seat in the boardroom?

I don’t think businesses today truly understand the opportunities inherent in risk management. However, as the CRO position eventually morphs into a broader governance/risk/compliance responsibility, there will be a board seat for someone in that capacity.

I think it’s still a few years away, but if it’s going to happen the role will have to be bigger than risk. The question therefore becomes: who is the person that can bring that all together? That’s the secret to sitting at the boardroom table.

RSA, The Security Division of EMC, is a leading provider of intelligence-driven security solutions, working with many of the world’s leading organisations to solve issues such as managing organisational risk, safeguarding mobile access and collaboration, preventing online fraud, and defending against advanced threats. It delivers controls for identity assurance, fraud detection and data protection, as well as security analytics and GRC capabilities.

IN DEPTH

KEY TAKEAWAYS FROM 7-ELEVEN

As calls for an inquiry into the wages scandal that has engulfed 7-Eleven increase, so too does the focus on what does — and does not — constitute good corporate citizenship.

The frontrunner for penning the best headline of the year should be the Fairfax sub-editor who late last month came up with “7-Eleven: A sweatshop on every corner”.

It conveyed perfectly the scandalous way Australia’s largest convenience store has been exploiting many of its workers in blatant contravention of even their most basic rights. According to reports, up to two-thirds of stores have been ripping off staff by paying them as little as $10 an hour before tax.

Franchising takes a hit

At the very least, it is a major body blow to the perceived integrity of the franchising sector, which in Australia is estimated to be worth around $130 billion.

Despite a chequered history, increased regulatory oversight had seemed to be driving most of the cowboy operators out of town – but not all. The Australian Competition and Consumer Commission (ACCC) received 239 franchising-related complaints from January to July 2014, the majority of which were based on allegations of unconscionable or false and misleading conduct.

However, the revelations about 7-Eleven resulting from a joint investigation between the ABC’s Four Corners and Fairfax Media take this to a whole new level, exposing collusion between franchisees in a racket known as the “half pay” scam.

The damage to the chain’s brand is incalculable, but if history dictates anything, it will be long-lasting and extremely costly.

Not the first

McDonald’s and its franchisees found this out in the face of multiple lawsuits about the legality of many of the company’s labour practices, including allegations of wage theft and racial discrimination.

For a number of years now, low-wage US workers have been publicly and theatrically agitating for higher pay, more predictable schedules and the right to unionise. With the backing of various labour organisations, workers have staged strikes, protests and other PR campaigns, first domestically and then abroad.

Much to its chagrin, the Golden Arches soon realised that many of its consumers also cared about its policies and that being widely perceived as a poor corporate citizen was starting to hurt sales.

Likewise Apple, which earlier this year saw its shiny image tarnished in a confronting BBC Panorama program about its exploitation of factory workers in China and tin miners in Indonesia.

Nonetheless, there is a key difference between the “inconvenient truths” revealed about Apple and McDonald’s (the latter’s alleged large-scale tax-dodging in Europe notwithstanding) and the misconduct of 7-Eleven in Australia.

Whereas Apple and McDonald’s can argue to anyone still prepared to listen that they are guilty of nothing more than complying with local (often ineffectual or inadequate) regulations – be they specific to the US, Australia, Asia or anywhere else – 7-Eleven has clearly breached them.

Head office complicity

“It’s a bad situation made worse by the fact that their head office appears to have been complicit in the wage fraud against workers in their stores,” says Johannesburg-based recruitment specialist and risk management professional, Anne Morrow.

“As the [half-pay] term suggests, those workers have been paid for only half the hours they work, and it seems to have been a rort going on for years.”

Employment Minister Senator Eric Abetz is up in arms, stating that “every Australian ought to be paid according to the law – a just day’s work deserves a just day’s pay”.

The founder of 7-Eleven in Australia, Russell Withers, may soon have the chance to discuss this with Abetz, given the likelihood the billionaire will now be called to testify before an existing Senate committee inquiry into visa fraud.

Doomed business model

In fact, according to former ACCC chairman Professor Allan Fels, the franchise model Withers established in Australia was always doomed to failure. Under the model, franchisees only receive 43 per cent of the profit made at their stores. Head office takes 57 per cent which, Fels maintains, has forced franchisees to exploit their workers – particularly guest workers from overseas. According to the combined Four Corners/Fairfax Media investigation, around a third of the franchised operations are in financial trouble.

To exacerbate matters, it has also emerged that the convenience store chain made more than $9 million last year from “churning” failed franchisees through its system.

Blurred boundaries

But despite all this, in a broader context there is still no real consensus on the point at which a company actually crosses the line from simply being irresponsible to unethical. There are grey areas – alcohol companies dressing up full-strength beverages to look like soda pops – but some examples do seem to fit the bill:

• Nestlé in the early 1970s when it deliberately hooked Third World mothers on Western-style baby milk formula.

• Rich firms paying graft money to corrupt officials in poor countries to turn a blind eye to their sweatshops.

• That still hard-to-believe day in 1994 when seven Big Tobacco chiefs testified under oath, before a Congressional hearing, that they did not believe nicotine was addictive.

There was a time when some of this would probably not have mattered too much to everyday consumers or job seekers.

Today, however, the vast majority want to know they’re buying from and working for a company with exemplary credentials – be that in respect to sustainability, social responsibility, equal opportunity, transparency, or whatever. In other words: good corporate citizens.

Good corporate citizenship

The Ethisphere Institute, an independent corporate ethics think tank, recently released its 2015 list of “The World’s Most Ethical Companies”. The list spans 21 countries, five continents and represents over 50 industries.

To earn a spot on the list, companies must have strong corporate social responsibility policies, they need to comply with international labour, anti-trust and trade laws and they should be monitoring their supply chain to make sure that companies they contract with are also sticking to international law and labour standards. Ethisphere will not consider organisations that have legal charges pending or those that deal in alcohol, tobacco or firearms.

As Morrow notes: “Being a law-abiding corporate is a non-negotiable – excelling above and beyond that to ensure you are a ‘good’ corporate citizen is something else altogether, and should be something every company aspires to.”

Compliance in demand

“Despite incidents such as 7-Eleven in Australia, on this front I think firms are in general making headway, and compliance officers have played a key role in that. It’s why being a compliance officer is one of the hottest careers today.

“The job ranges from creating and enforcing guidelines and policies that ensure a company’s integrity, to promoting standards and values that form strong workplace cultures. Compliance officers are the ones who meet government investigators at the door when they knock. They are the guardians of an organisation’s good corporate citizenship.

“However, I think more organisations still need to realise that high-performing individuals in a compliance role are low-hanging fruit for the C-suite and the board, and represent a new and untapped talent pool. Drawing leaders from compliance professionals will ensure greater diversity along with leveraging a unique set of skills and perspectives around organisational culture, reputational value and risk mitigation. This can only be good for business because, simply put, the larger the pool of talent, the better the quality you can draw.”

Indeed, Morrow notes that JP Morgan is reportedly spending US$4 billion more than initially planned for risk and compliance this fiscal year—hiring 3000 employees for the function, as well as reassigning 2000 more into it.

“Demand like JP Morgan’s is outstripping supply,” she says.

U.S. Bank, which is recognised on Ethisphere’s 2015 World’s Most Ethical Companies list, is also upping its investment in compliance.

“As a financial institution, the trusted relationship that we have with our customers represents the foundation upon which we operate,” says U.S. Bank chairman, president and CEO, Richard Davis.

“Acting appropriately and bringing our core values to life in every customer interaction is how we earn and keep that trust.”

Ethisphere CEO, Timothy Erblich, adds: “Transparency, integrity and compliance is paramount. Honorees use the examples they set as a means to further define their industry leadership and embrace the connection by embedding their corporate values into everything they do, X

“It has emerged that the convenience store chain made more than $9 million last year from ‘churning’ failed franchisees through its system.”

Page 34: CHINA’S GREAT KEY TAKEAWAYS FROM 7-ELEVEN BUSINESS … · and Training has launched a major crackdown on corruption within its ... Key takeaways from 7-Eleven As calls for an inquiry

34 GRC Professional • September 2015

IN DEPTH

“More organisations need to realise that high-performing individuals in a compliance role are low-hanging fruit for the C-suite and the board.”

on the institute’s list – the only automaker to do so. Notably, last year Ford also unseated Toyota on

Interbrand’s Best Global Green Brands ranking. Executive chairman William C. Ford Jr. has

made sustainability a top priority, manufacturing the first uS-built hybrid vehicles and transforming its famed Ford River Rouge Plant from an outmoded brownfield into a model of industrial-scale sustainability. It even has a 10.4 acre, stormwater-consuming grass-covered roof.

accenTUreAccenture has established a strong reputation for commitment to high business standards and practices.

“Earning this recognition has involved the collective action of a global workforce from the top down,” Erblich says.

It is only one of two consulting services companies to appear on the 2015 list, the other being French firm Capgemini.

GaP inc.Clothing and accessories retailer Gap has been issuing social responsibility reports since 2004, making it a pioneer in the field.

Over the last five years, it has donated more than uS$1 million to hurricane Sandy relief, 460,000 volunteer hours, and committed more than 30,000 jobs to women’s career advancement.

CEO Glenn Murphy insists on ethical practices being an overriding company priority, and that em-ployees from the shop floor to the C-suite share his values.

TEACHERS MUTUAL BANK

It’s no global Goliath, but in terms of the standards it sets, it mixes it with the biggest and best.

Recognised as an Employer of Choice for Women for six consecutive years and with a score of 91 per cent in the 2014 Corporate Responsibility Index, Teachers Mutual Bank is a long-standing supporter of many education programs and has made significant contributions to public education in New South Wales.

“Profitability and sustainability are not mutually exclusive,” insists CEO Steve James, who is a member of the GRC Institute. “We believe it is our responsibility as a business to invest in ethical practices and to leave a positive mark on the community in which we operate.”

every employee they hire, and every partner they bring into their network to ensure they deliver long-term value to key stakeholders including customers, suppliers, regulators, and investors.

“Companies today are challenged by a complex and often conflicting set of laws and regulations around the world, yet despite the lack of a global rule of law there’s a growing commonality about how to do business the right way.

“More and more, we’re finding that stakeholders from employees and customers to executives and investors understand that exemplary leadership drives outcomes ranging from operational performance to corporate integrity, transparency and workforce behaviour. Companies on our list not only understand the various components of what makes a company exemplary, but are dedicated to building an environment that makes it so.”

Other companies recognised by Ethisphere this year include:

ADOBE SYSTEMS

Adobe is a pioneer in building green concepts into its overall business strategy.

One of very few Fortune 500 companies intending to achieve global carbon neutrality by the end of 2015, it is also the most water-productive software company on the planet, generating over US$5 million in revenue for every cubic metre of water used.

It invests heavily in renewable energy technologies, while 70 per cent of its global building footprint is certified by LEED, the world’s pre-eminent green building standards.

T-MOBILE AND SINGTEL

It says a lot that, in an age when mobile communications are reshaping the lives of billions, just two telecommunications providers are on the Ethisphere list.

Ethisphere’s Erblich sums up T-Mobile (an operating entity of German telecommunications company Deutsche Telekom) and Singapore-based Singtel: “These companies use high governance standards as a means to further define their industry leadership and understand that creating a proper culture involves more than just an outward-facing message or a handful of senior executives saying the right thing.”

FORD MOTOR COMPANY

Some might see this as an aberration, but in fact it’s not, being the sixth straight year Ford has appeared


INSTITUTE NEWS

THE TIME TO ACT IS NOW

“Feedback from these sessions is always outstanding and the networks and friendships formed by attendees continue for many years.”

experience to be able to spend four days with your senior peers, immersing yourself in the content and activities and, if at all possible, we do suggest this as your first option.

If you are interested in attending the Sydney session in October it is essential that you book now. It is unlikely we will run the course again this financial year, so your next opportunity may not be until July 2016. If you have any questions about the course please contact our office and we will certainly assist.

We will also shortly be releasing information about and the dates for our pilot session of a half-day training event dedicated solely to the new compliance ISO Standard 19600. This event is designed to take participants through the standard and is suited to those who are new to any compliance standard – those who have not used either this ISO or the Australian and New Zealand Standard 3806 to develop their compliance programs. A number of other first-time events are currently in the works, so please do keep an eye on our events page or your inbox for details.

We’ve also had a couple of new staff members starting in the office over the last two weeks and we look forward to introducing them to you in upcoming issues. In the meantime, some of you may be contacted by our new BDM Liz Kent. Liz and Naomi Burley are looking to meet with as many members as possible and touch base about member value, gather your feedback and ideas and try to incorporate them into an exciting new program of member benefits.

It always comes back to the fact that the GRC Institute is a membership organisation and we need your participation and input to make it the organisation you want. However, we can’t do that if we don’t hear from you. If you have the time to meet with us, we’d love to meet with you.

If you haven’t heard about our conference, GRC2015, coming up at the end of October in Melbourne, then we need to talk!

However, for those who have been looking over the program we have an update – thanks to our great workshop presenters and KPMG, we’ve been able to shift the program around so we can offer the workshops on both days, which means delegates can go to two workshops over the course of the conference.

We’ll be featuring more information about the program in the lead-up to the conference, enabling people to prepare and get the most they possibly can out of the conference. With our members continually developing themselves professionally, we are seeking increasingly challenging speakers and topics to meet your growth needs and continue our thought leadership journey. The stories, lessons and skills we will be exploring at the conference are integral to ensuring the success of your organisation’s GRC programs and they require influence and leadership from you – we trust GRC2015 provides the necessary support to help you extend that influence!

The conference format doesn’t satisfy everyone, so for those in senior roles who may be looking for training more commensurate with their level of experience, we also have a residential session of the Graduate Certificate in Compliance Management available in October in Sydney and in November in Auckland.

We may be slightly biased about this course, but feedback from these sessions is always outstanding and the networks and friendships formed by attendees continue for many years. We also offer this as a Distance Education option for those that simply cannot make the residential, but it is a pretty unique


Special offer

If you are a non-member and wish to attend the GRC2015 conference, mention our ‘Change Catalyst’ promotion and receive membership with GRC Institute from September 2015 to 30 June 2016 when you book your full conference pass at $2200. To take up the offer, simply email [email protected] and she will take care of your conference booking and membership.
