MAGAZINE - Realview

MINIMISE | MITIGATE | MANAGE
MAGAZINE
August 2009 Issue 66 www.riskmagazine.com.au PP255003/06868
Financial Regulation:
A blueprint for effective change
AML/CTF: Patchy compliance
and light-touch penalties
Cost-cutting:
Is it now a permanent corporate fixture?
SPECIAL REPORT: BUSINESS CONTINUITY
COMING
FULL
CIRCLE
EXPECT THE UNEXPECTED …
plus:
Stuck
in Second on Carbon
CPRS an uphill battle
Fighting to Recalibrate Risk
Financial services firms struggle
Sanctions Sour Corporates
Compliance sapping resources

made to measure
Premium, tailored insurance products and solutions
from a proven market leader with global capacity
and local authority, expertise and knowledge.
The People, The Products, The Capacity.
www.liuaustralia.com.au

IN THIS ISSUE
18
32
CUTBACKS COME HOME TO ROOST
ALTHOUGH COST-CUTTING HAS BEEN A
NECESSARY RESPONSE TO THE GFC,
THIS HAS COME AT ITS OWN PRICE WITH
SUPPLY CHAIN ISSUES AND THE IMPACT
OF REDUNDANCIES NOW THE TWO
BIGGEST RISKS FACING BUSINESS.
SERIOUSLY SCARY STATS
ARE YOU READY FOR SOME SERIOUSLY
SCARY STATISTICS? RSA, THE SECURITY
DIVISION OF EMC, HAS JUST RELEASED ITS
THIRD QUARTER SECURITY STATISTICS
REVIEW, AND HERE RISK PUBLISHES SOME
OF THE MORE FRIGHTENING FINDINGS.
COMING FULL CIRCLE
BUSINESS CONTINUITY IS ALL ABOUT
JUST WHAT THE TERM SUGGESTS IT
IS – THE SURVIVAL OF A BUSINESS IN
FACE OF A SERIOUS DISRUPTION.
BUT AS IBM’S BUSINESS CONTINUITY
EXPERT ANDREW FRY EXPLAINS,
PLANNING IS PARAMOUNT AND
TESTING CRUCIAL.
ALSO
12
4 Straight Talk
6 News
11 News Feature
17 Cloud Computing: A Down-To-Earth Take
19 Business Continuity Case Study
33 Risk Compliance and Software Directory
NEXT
MONTH
As the GFC has graphically
demonstrated, all organisations
need to place an ever-increasing
emphasis on the audit function.
The September issue of Risk
will feature a comprehensive
Special Report on audit,
examining in particular its role
in ensuring better corporate
governance and strategic risk
management.
The report will feature interviews
with some of the industry’s
leading practitioners who will focus
on ways in which the audit function
can be used to combat an escalating
range of internal and external threats
to business continuity, as well as
case studies illustrating how specific
companies have maximised the bang
they get from the bucks they spend
on auditing.
To participate in the report,
contact advertising manager
Richard Birrell on (02) 9422 2891
RISK August 2009 3

STRAIGHT TALK
MARK PHILLIPS EDITOR
News that Islamic extremists in Melbourne were close to launching
a potentially devastating attack on an Australian Army base
has probably shocked many – but it shouldn’t. The fact that the
cell was inspired by the Somalia-based terrorism movement al-Shabaab,
which is aligned with al-Qa’ida, while disturbing, is arguably no more
surprising. After all, security analysts have long warned that it was not a
case of “if” Australia would be the target of an attack, but “when”.
That the Australian Federal Police were able to stop the would-be
perpetrators before they stormed the base with automatic weapons no
doubt saved many lives, but the risk of a similar plot reaching fruition
sometime and somewhere soon remains.
What will hopefully make some sort of ongoing difference is the fact
that Australia finally got around to enacting anti-money laundering and
counter-terrorism financing laws – something comparable jurisdictions
had done several years before. Needless to say, the core aim of the legislation
is to reduce the ability of criminals and terrorists to launder funds
through Australia’s financial system.
On December 12 last year a final set of obligations were introduced
under the first tranche of the Anti-Money Laundering and Counter-
Terrorism Act, requiring reporting entities to report suspicious matters
and, if applicable, threshold transactions and international funds transfer
instructions to AUSTRAC.
Unfortunately, as James Cozens writes in this issue (see page 22), compliance
with these obligations has been patchy, and the imposition of penalties
by the regulator decidedly light-touch. As if this were not bad enough,
the Federal Government has delayed implementing Tranche II of the Act,
which is supposed to bring lawyers, accountants, real estate agents and
jewellers within the AML/CTF regime. As Cozens notes, at present these
types of businesses are not monitored at all, “providing a great roadmap
to safe havens for criminals”.
But, as reported on page 9, there have been some wins, with AUS-
TRAC accepting an enforceable undertaking from Barclays Bank following
an assessment of its compliance with AML/CTF, which exposed a number
of deficiencies and reporting breaches.
Hard on the heels of this and another enforceable undertaking, AUS-
TRAC is now finally upping the ante in its efforts to detect money laundering
and terrorism financing activity, investigate crimes and secure prosecutions.
The just-released AUSTRAC Supervision Strategy 2009-2010
“AUSTRAC is now finally upping the ante in its
efforts to detect money laundering and terrorism
financing activity, investigate crimes and secure
prosecutions”
sets out the agency’s plans for supervision and, where necessary, enforcement action, within the
evolving AML/CTF environment.
Against a backdrop of growing criticism for a perceived lack of enforcement against noncompliant
entities within the financial services sector, AUSTRAC acting CEO Thomas Story
has undertaken to “adapt our supervision approach as we move from implementation into a
business-as-usual phase of AML/CTF reform”.
“The central focus of our supervision strategy is maximising coverage of the regulated population
by matching different supervisory tools and techniques to different industry sectors based on
their varied levels of compliance. This will involve a greater variety of supervision methods in the areas
of engagement, support, resources, frontline activity and enforcement,” he said.
This is to be welcomed, especially given that Prime Minister Kevin Rudd has warned of “an enduring”
threat of terrorism in Australia and acknowledged that it is “alive and well”.
Perhaps he should also acknowledge that there is no excuse to continue delaying Tranche II of
the AML/CTF Act.
“
Failure to implement Tranche II [of the
AML/CTF Act] makes the whole exercise read
What’s your
like an episode of the British television classic,
take on this quote?
To have your say write to the editor
Yes Minister.
mark.phillips@lexisnexis.com.au
Best comments will be published in
”the next issue of Risk
COMPLISPACE CONSULTANT JAMES COZENS
Editor: Mark Phillips Designers: Christian Harimanow, Ken McLaren Online News Manager: Rebecca Whalen Publisher: Rayma Creswell
ABOUT
US
Associate Publisher: Craig Donaldson Design and Production Manager: Alys Martin Group Production Editor: Wendy Beecroft Production
Manager: Kirsten Wissel Editorial Consultant: Debra Taylor Group Advertising Manager: Joseph Sing Account manager: Richard Birrell
SUBSCRIBE TODAY
Risk Magazineis published monthly and is available by subscription. Please email subscriptions@lriskmanagementmagazine.com.au All subscription payments should be sent to: Locked
Bag 2333, Chatswood D/C, Chatswood, NSW 2067 ADVERTISING ENQUIRIES: Richard Birrell - Sydney - (02) 9422 8836 richard.birrell@lexisnexis.com.au EDITORIAL
ENQUIRIES: All mail for the editorial department should be sent to: Lawyers Weekly, Level 1 Tower 2, 475 Victoria Ave Chatswood, NSW 2067
Circulations Audit Board: 6,802
(As at March 2009)
Copyright is reserved throughout. No part of this publication may be reproduced without the express written permission of the publisher. Contributions are invited, but copies of all work should be kept as Risk Magazine can accept no responsibility for loss. Risk
Magazine and LexisNexis are divisions of Reed International Books Australia Pty Limited, ACN 001 002 357 Level 1 Tower 2, 475 Victoria Ave, Chatswood, NSW 2067 tel (02) 9422 2203 fax (02) 9422 2946 ISSN 1833-5209 Important Privacy Notice You have both a
right of access to the personal information we hold about you and to ask us to correct if it is inaccurate or out of date. Please direct any queries to: The Privacy Officer, LexisNexis Australia or email to privacy@lexisnexis.com.au. © 2009 Reed International Books
Australia Pty Ltd (ABN 70 001 002 357) trading as LexisNexis. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., and used under license.
4 RISK August 2009

NEWS
COMPILED BY MARK PHILLIPS
Marketers undermine shareholder privacy
A government review into share register access has been told to clamp down on unscrupulous marketing activity.
“Unfortunately, as the law now stands, companies have little option
but to hand over highly personal shareholder details – even if they
suspect the information will be used for improper purposes”
SYDNEY: Privacy issues are back in the spotlight.
Chartered Secretaries Australia (CSA)
has just provided the Federal Government with
confidential data which, it has claimed, clearly
demonstrates that shareholder registers are primarily
being sought by charities, brokers, investment
companies, genealogical research
companies and other self-interested parties,
mainly for marketing purposes.
To strengthen its call for legislative amendment
to protect the privacy of retail shareholders,
CSA has provided the Government
with a letter from a charity which recently wrote
to a number of large publicly listed companies,
noting that it “wished to gain a greater
understanding of the wealth holdings of the
individuals on the register”.
“Shareholders in a string of popular blue-chip
companies – including ANZ, Westpac, BHP Billiton,
Westfield and AMP – that were contacted
by this charity and many other organisations like
it are rightly distressed that their personal and
financial information can be so easily plundered,”
said CSA chief executive Tim Sheehy.
CSA also told the Government that a big
bank received 11 share register requests in
the past two years, only one of which was a
legitimate request from a shareholder. Alarmingly,
the remainder were variously from a body
offering to purchase shares at below market
value, charities, investment companies and
estate finders.
“Unfortunately, as the law now stands, companies
have little option but to hand over highly
personal shareholder details – even if they suspect
the information will be used for improper purposes,”
Sheehy said. “Shareholder consent is not
needed, and those third parties don’t even have
to disclose what they will use the information for.
“A request could be refused if a third party
specifically admitted they wanted to use the register
for marketing purposes, but most savvy
marketers have worked out by now that, by saying
nothing, they can get their hands on a very
cheap mailing list and there is nothing a company
or shareholders can do to stop them.”
According to a poll of CSA members in ASX
Top 100 companies, a staggering 95 per cent
of requests for company share registers come
not from shareholders but from third parties
seeking to exploit the information for their own
commercial activities. The finding confirms
the dramatic increase in the number of requests
for share registers from third parties since the
Full Federal Court found in 2008 that a reasonable
fee for a copy of a company’s share register
was $250. Previously, share registry fees
often in excess of $15,000 represented a significant
practical barrier to inappropriate requests
for shareholder information, Sheehy said.
“The Corporations Act needs to be changed
to include the same privacy protections for shareholders
that exist for all other financial dealings
and personal information,” he said. “Privacy laws
currently prohibit the disclosure of someone’s
bank account or superannuation account details,
so it does not make sense that anyone can
obtain a shareholder’s name, address and portfolio
information simply because the shareholder
chooses to invest in this manner.”
CSA has urged the government to introduce
a “proper purpose” test to rein in access to
share registers. According to Sheehy, such a
test would protect the privacy rights of shareholders
and at the same time would not interfere
with shareholders’ existing rights to use the
register for the legitimate purposes of contacting
other members in relation to the governance
and management of the company.
THE “PROPER PURPOSE” PROPOSAL
• Specify that requests to access a register must be for a “proper
purpose”;
• Give clear guidance as to which purposes are “proper”;
• Require access seekers to give their name and address and to
state the purpose for which the information will be used;
• Require access seekers to use the information only for the disclosed
purpose and to return or destroy the information once
that purpose is complete;
• Specify that the company must comply or refer the request to an
external dispute resolution body within 10 working days; and
• Specify that if the company considers the request is not for a
“proper purpose” it may apply to an external dispute resolution
body not to release the register.
6 RISK August 2009

NEWS
New deal for risk
The popular television game show, Deal or No Deal?, has become the unlikely subject of serious risk analysis.
MELBOURNE: In an innovative departure from the norm, a
new study in the International Review of Finance used data
from the popular television game show, Deal or No Deal?, to
explore risk aversion and economic decision-making behaviours
of individuals in a high-stakes setting.
Apparently the setting of the game show provides an ideal
condition for studying a range of issues relating to risk aversion.
It begins with 26 suitcases of prizes ranging from 50
cents to $200,000, with most of the prize money amounting
to $10,000 and below. The contestants are asked to select
one suitcase to be set aside, and then asked to continue eliminating
the rest of the suitcases by choosing between the offers
made by the bank, or staking their chances on an unknown
amount in any particular suitcase.
The study, Deal or No Deal, That is the Question: The Impact
of Increasing Stakes and Framing Effects on Decision-
Making under Risk, examines the statistics from 102 episodes
of the Australian version of the game show.
Findings showed that while risk aversion increased with
the stakes, people were generally willing to bear risks despite
very high stakes. Researchers also found that males were
more willing to take risk and less likely to be swayed by a positive
counter offer. While gender and age are significant determinants
of risk aversion, it found, wealth was not a factor
when establishing a person’s risk behaviour.
“The analysis of decisions under uncertainty is fundamental
to modern economics and finance,” said co-author of the
report, Professor Robert Faff, from the Department of Accounting
and Finance at Monash University.
“By studying contestant choices in Deal or No Deal? we
were able to explore risk aversion in the context of both very
high and wide-ranging pay-offs. It also allowed us to answer
questions including heterogeneity and how this varies with demographic
characteristics such as age, wealth and gender.”
“Findings showed that while risk aversion
increased with the stakes, people were
generally willing to bear risks despite
very high stakes”
RISK August 2009 7

NEWS
“Green shoots” wake corporate predators
Corporate directors would do well to prepare for a rise in unsolicited takeover offers.
NEW YORK: There may be signs of so-called “green shoots”
in the economy, but one of them does not necessarily bode well
for all boards of directors. Indeed, a sharp rise in unsolicited
takeover offers in the US means many may now have to confront
the very real disruption and distraction that results from a
predatory threat to ownership.
Hostile offers accounted for 47 per cent of the M&A transactions
that took place in the United States during the first
few months of 2009, compared with 24 per cent in all of 2008
and just 7 per cent in 2004, according to a report from the
Conference Board Governance Center (CBCC).
“Today’s market conditions permit some companies to be
‘put in play’ more easily than before,” said the author of the
report, Frederick Alexander.
The concern particularly applies to companies with undervalued
stock prices, surplus assets or constrained performance
– often resulting from short-term liquidity issues – that invite bargain-hunting
by acquirers capable of obtaining financing or using
their equity currency to pursue growth opportunities.
“Over the past few years, in response to pressures from
proxy advisory groups and activist shareholders, some of those
companies have reduced their structural takeover protections
by repealing poison pills and declassifying boards, and may
now be particularly vulnerable,” Alexander said.
The report, titled The role of the Board in Turbulent Times:
Responding to Unsolicited takeover Offers, encourages directors
to become familiar with the corporation’s governance profile
and the tactics that can be used to protect shareholders’ interests
from opportunistic behaviours in the marketplace.
“The tactics discussed in the report are not about thwarting
unsolicited offers,” Alexander emphasised. “They are about
ensuring that directors are given enough time to fulfil their fiduciary
obligations and obtain the information necessary to
make a rational business decision with respect to the offer, as
well as to explore all alternatives.”
Recommendations in the report include: reviewing existing
organisational (charter and bylaws) provisions; monitoring shareholder
base and intentions; maintaining proactive external relations;
and understanding how investors and gatekeepers
(proxy advisors and governance rating agencies, in particular)
could perceive and react to possible amendments to the company’s
governance profile.
IT risk solution for pandemic
The alarming spread of so-called Swine Flu has prompted one software developer to adapt
an existing governance, risk and compliance solution to help organsiations better maintain
business continuity in face of the pandemic.
NEW YORK: US-based Modulo, a provider of
IT governance, risk and compliance solutions,
has adapted its software product, Modulo Risk
Manager, to help private and public institutions
deal with the current Swine Flu pandemic.
Modulo Risk Manager was first applied in a
pandemic-like scenario when it was implemented
by one of Brazil’s biggest banks, Banco Real
(part of Santander Group), during the Avian Flu
outbreak in 2006. The software was adopted as
a tool for internal risk management and a solution
was developed to support the necessary decisions
in the event of wholesale contamination.
Essentially, it automates the process required
for minimising the risks of contamination through
providing checklists, graphs, and maps in order
to prevent and protect a business and its customers
from potential damages and resulting
losses, thereby helping protect organisations
from the impact of possible epidemic scenarios
and providing business continuity solutions.
“In the case of the contamination threat of influenza
A, organisations which adopt a preventative
strategy together with good business practices,
can return to their core activities much more
quickly after a crisis situation,” said Modulo cofounder
Alvaro Lima.
“Unfortunately, many organisations cannot
return quickly and effectively to their activities
after such a global crisis.”
“In the case of the
contamination threat
of influenza A,
organisations which
adopt a preventative
strategy together with
good business practices,
can return to their
core activities much
more quickly after a
crisis situation”
8 RISK August 2009

Barclays Bank in
AML/CTF breach
AUSTRAC has accepted enforceable undertakings from Barclays Bank.
SYDNEY: Australia’s anti-money laundering and counter-terrorism financing regulator
and specialist financial intelligence unit, the Australian Transaction Reports
and Analysis Centre (AUSTRAC), has accepted an enforceable undertaking from
Barclays Bank PLC.
The undertaking was accepted as a legally enforceable commitment by Barclays
following an on-site assessment in April 2009 of Barclays’ compliance with local
anti-money laundering and counter-terrorism financing (AML/CTF) laws. It was the
second of two enforceable undertakings accepted by outgoing AUSTRAC CEO Neil
Jensen within a week.
Under Australian law, banks are required to submit a range of transaction and suspicious
reports to AUSTRAC. They must also have in place an AML/CTF program to
prevent their services being used to facilitate laundering of the proceeds of crime or the
financing of terrorism.
“AUSTRAC has a
suite of
enforcement
powers
available under the
AML/CTF Act and
will use these
powers in a
measured and
appropriate
manner to
secure compliance
with the Act”
AUSTRAC’s on-site assessment of Barclays disclosed a number of deficiencies
and breaches, including reporting breaches, of AML/CTF laws. Within the terms of the
enforceable undertaking, it has agreed to:
• Review transactions for a period of seven years and provide AUSTRAC any outstanding
reports required by law;
• Develop and implement proper systems and controls to ensure that Barclays complies
in the future with its reporting and AML/CTF obligations; and
• Submit to AUSTRAC an independent expert report detailing Barclays’ compliance with
the AML/CTF laws. It will also be required to submit similar reports in 2010 and 2011.
Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
(AML/CTF Act), the AUSTRAC CEO is empowered to accept enforceable undertakings
as a means to ensure compliance with the AML/CTF Act, including as an alternative to
taking criminal or civil enforcement action.
“AUSTRAC has a suite of enforcement powers available under the AML/CTF Act and
will use these powers in a measured and appropriate manner to secure compliance with
the Act,” Jensen said. “Compliance with the AML/CTF Act plays a key role in protecting
the integrity of the Australian financial system.”
RISK August 2009 9

NEWS
IN BRIEF
NEW YORK: Despite poor results, insurance companies continued
to compete vigorously for business in the second quarter,
according to a new Risk and Insurance Management Society
(RIMS) Benchmark Survey.
General liability and workers’ compensation policies both
posted average decreases in renewal premiums. Directors and
officers liability (D&O) policies renewed at higher premiums on
average, but the increase was due to financial sector companies,
a segment that has been bloodied by the sub-prime mortgage
meltdown and credit crisis.
“Insurance capacity is disappearing at a startling rate, but the
market, nonetheless, remains competitive,” said Advisen executive
vice president and editor-in-chief of the report Dave Bradford. “As a
result of the recession the demand for insurance capacity has also
decreased, which has kept pressure on rates. Companies are
downsizing, which means there is simply less to insure.”
RIMS board of directors member Daniel Kugler concurred: “If the
gloom of the global recession has a silver lining for risk managers, it
is the competitive insurance market.”
HYDERABAD, India: Software solutions provider SoftPro Systems
has acquired 100 per cent of Cura Software Solutions.
Established in 1994, SoftPro provides a wide range of solutions
to the banking, finance, insurance, retail, telecom and manufacturing
industries. Cura has its HQ in South Africa and was
established in 2002. It offers companies around the world solutions
aimed at improving governance, risk management, compliance
(GRC) and performance management. It has 100 staff
members in four countries, distributors in another 10, serves more
than 200 customers and has achieved year-on-year revenue
growth for the past four years.
“It has taken us months of searching to find a partner that will
help us grow our business internationally and inject the funding
we require to achieve our long-term goals,” said Cura chairman
David Frankel. “After considering approaches by competitors,
acquirers and venture capitalists, we settled on SoftPro as their
culture, ethics and strategic approach was in line with all our
stakeholders’ interests.”
SoftPro’s intent is to grow Cura into a company with more
than $US150 million ($185 million) in revenue by 2014. Cura will
retain its brand.
LOS ANGELES: Bank of Tokyo Mitsubishi’s senior vice president
of corporate data security, Emil D’Angelo, has been elected
international president of ISACA – a global association serving
86,000 IT governance, assurance and security professionals in
160 countries – at its 37th annual International Conference in
Los Angeles.
D’Angelo also assumes the role of international president of the
IT Governance Institute (ITGI), the non-profit, independent research
affiliate established by ISACA in 1998 to help enterprise leaders
ensure that IT supports the enterprise’s mission and goals.
A member of ISACA for more than 30 years, D’Angelo has
served on its Strategic Advisory Council and Governance Advisory
Council and chaired the Security Management Committee. He is a
recipient of ISACA’s Eugene Frank Award, awarded by the board of
directors for outstanding contributions to ISACA or ITGI.
Local firms upbeat on growth prospects
While most companies around the globe remain intent on simply surviving the economic
crisis, it seems their Australian counterparts are now gearing for growth – but they are not out
of the woods yet.
SYDNEY: Australia may well prove to be the “lucky
country” for businesses emerging from the global
financial crisis. According to the results of a new
survey of 380 C-suite and board level executives
from corporate Australia, compared to results of
a similar world study, local businesses have been
more confident and more aggressive in responding
to the crisis and the changing business landscape
than global players.
The study, The lucky country looks forward –
Opportunities in adversity for Australian business,
conducted by Ernst & Young, appears to confirm
that the impact on Australian businesses has not
been as severe, with 76 per cent of respondents
believing the effect on profitability of the current
crisis will be temporary.
“Australian businesses are cautiously optimistic
for the 2010 financial year, with far more proactive
plans over the next 12 months,” said E&Y corporate
accounts leader Patrick Winter. “Access to
capital is still difficult, particularly for small and
mid-cap companies, however organisations have
implemented initiatives to reduce costs and manage
cash and working capital more effectively.
“Many have introduced flexible working practices
to help them avoid substantial headcount reduction,
with a view to retaining the talent they will
need when the market recovers.”
He said that while global respondents were primarily
concerned with surviving the downturn,
Australian businesses are focused on growth.
In the next 12 months, 78 per cent of Australian
businesses placed the greatest importance
on improving the performance of current
assets, 70 per cent are restructuring their business
to meet new conditions, and 66 per cent
are prioritising taking advantage of the situation
to pursue new market opportunities. However,
the question now is whether they have done
enough to prepare for growth and capitalise on
the upswing when conditions improve.
While 70 per cent are restructuring their business,
this is primarily centred on cost-cutting rather
than fundamentally realigning business structures
and operations.
“The limited availability of debt has led to a
gap in buyer/vendor expectations and a stagnant
M&A market,” Winter said. “These factors
are inhibiting the ability of companies to truly
restructure by divesting non-core businesses,
products or divisions.”
While 53 per cent of respondents saw access
to capital deteriorate over the past six months, 34
per cent of those with $10 billion or more annual
revenue reported improved access to capital in the
same period, reflected in the record capital raisings
dominated by the larger ASX-listed companies.
“Australian businesses
are cautiously optimistic
for the 2010 financial
year, with far more
proactive plans over the
next 12 months”
“Many of our discussions with clients in recent
months have focused on working capital and liquidity,
as the pressure on management has intensified,’
Winter revealed. “Our survey respondents
agree – only 15 per cent say that cash is not an
issue for their business.”
The study shows Australian businesses have
been more proactive than global respondents
around debt finance, including reviewing, monitoring
and renegotiating debt covenants and considering
alternative sources of liquidity. However,
they have been slightly less proactive in building
working capital measures into management performance
objectives and having an emergency
plan for cash release.
10 RISK August 2009

NEWS FEATURE
Downturn prompts risk review
A majority of corporate executives have reported a need to
overhaul their approach to risk management.
NEW YORK: An overwhelming majority (85 per
cent) of corporate executives have conceded
they need to overhaul their approach to risk management
if the lessons of the economic crisis are
to be used to improve business results, according
to a new study by Accenture.
The 2009 Global Risk Management Study –
based on responses from 260 chief financial
officers, chief risk officers and other executives
with risk management responsibilities at
large companies in 21 countries – also found
that 40 per cent said their companies already
have increased or will increase their investments
in broader risk management capabilities
in the next six months. Nearly another third (31
per cent) said their companies are currently
considering increasing their future investment
in such capabilities.
The analysis pointed to a lack of integration
of current risk management and performance
management processes. While
nearly half the respondents said their company’s
risk management function is involved
to a great extent in strategic planning (48
per cent) or in investment and divestment
decisions (45 per cent), only 27 per cent said
it was involved to a great extent in objectivesetting
and performance management.
“Executives could improve their organisation’s
performance and position themselves for
economic recovery by linking and balancing
risk management and performance management
to aid their decision-making and increase
shareholder returns,” said Accenture Finance
and Performance Management practice managing
director Dan London. “Being effective at
this also requires companies to integrate their
risk management capabilities enterprise-wide.”
Respondents identified a number of common
problems with their risk management
functions, including:
• Ineffective integration of risk, return
and capital issues in decision-making
(85 per cent);
• Lack of alignment between the company’s strategies and its risk
appetite (85 per cent);
• Insufficient enterprise-wide risk culture (82 per cent);
• Inadequate availability of timely risk, finance and business data
(80 per cent);
• Lack of integration and aggregation across all risk types
(78 per cent); and
• Ambiguous risk responsibilities between corporate and business
units (78 per cent).
However, executives also identified the benefits they anticipate as a
result of addressing their companies’ risk management shortcomings.
For example, while nearly three-quarters (72 per cent) said their companies’
risk management function has a significant impact on their ability to
comply with regulations, nearly two-thirds (61 per cent) said the same
about its impact on the company’s ability to sustain profitability, and 58
per cent said risk management has a big impact on its ability to manage
liquidity and cashflow.
Further, the study found that broader and better integrated risk management
capability can have a variety of impacts on companies, including:
ability to achieve competitive advantage (cited by 53 per cent of
respondents); reputation with the public and media (53 per cent); rating
agency ratings (53 per cent); ability to secure positive analyst commentary
(50 per cent); and ability to reduce cost of capital (47 per cent).
“The current economic downturn is the ultimate stress test of a company’s
risk management function, and the lessons learned can be leveraged
to restore confidence and create a stronger, better integrated and
aligned platform for improving performance under a variety of business
conditions,” London said. “Leading companies recognise that an
expanded, integrated risk management program supported by technology
that allows management to monitor risk management-related factors
across a company is not just a protective tool – but one that can provide
companies with a competitive edge in a constantly changing world.”
The study also found that companies expect new risk-related challenges
as a result of the current economic environment, including more
stringent regulations and increasing costs associated with growing complexity
in the risk environment. For instance, 41 per cent of respondents
reported their risk management costs had increased by at least 25 per
cent in the last three years, while 14 per cent cited a 50 per cent rise.
Asked to identify the biggest challenges they face over the next
two years as they develop more rigorous risk management capabilities,
respondents pointed to difficulty aligning with the overall business
strategy (93 per cent); need for more effective collaboration
with business units (89 per cent); need for greater integration in the
firm’s processes and culture (89 per cent); and inadequate resources
and talent (88 per cent). R
“The current economic downturn is the ultimate stress test of a
company’s risk management function, and the lessons learned can
be leveraged to restore confidence and create a stronger, better
integrated and aligned platform for improving performance under
a variety of business conditions”
RISK August 2009 11

SPECIAL REPORT: BUSINESS CONTINUITY
Coming
full circle
Business continuity is all about just what the term suggests it is – the
survival of a business in face of a serious disruption. Planning is paramount,
and testing crucial. Mark Phillips spoke to IBM’s business
continuity expert, Andrew Fry, to find out more.
12 RISK August 2009

About two weeks ago a blaze in the administration
building of Melbourne’s Silver Top
Taxi, which occupies 50 per cent of the city’s
taxi market, crippled the company’s operations
and caused massive disruptions to taxi
telephone bookings. The fire, which is thought to have
started in a downstairs office and spread quickly throughout
the timber warehouse-style building, which included a
call centre for bookings, also destroyed historic relics from
Victoria’s taxi industry and caused “exceptional distress”
among staff at the administration centre.
The incident was yet another example of the frailty of
many companies’ business continuity, and the importance
of having well thought-out and tested plans in place
to deal with crises. Unfortunately, even those firms that
have invested in putting a business continuity plan
together sometimes fail themselves when it comes to executing
it in a crisis.
“The plan is often poorly designed in terms of people
knowing what to do and when,” says Andrew Fry, business
unit executive manager, IBM Business Continuity and
Resiliency Services. “There is often a reliance on or an
assumption that base infrastructures will still be around.
Depending on the scenario, there may not be a mobile
phone network, and transportation is not necessarily
a given.”
Call trees have long been a standard in default planning,
but their merit as a fail-safe system is questionable.
Someone will get a call that something has gone wrong,
and they, in turn, will contact perhaps another five people,
and so it goes.
“Typically it takes about two hours from the crisis
point using a call tree to get the message out, and then
another two hours for a response from the first message,”
Fry says. “The first four to five hours after a crisis
strikes is the golden period – the critical time in which
you have to manage your response to media and stakeholders
such as clients, suppliers and staff. By using a
manual call tree you are only going to get one message
“The first four to five hours after a crisis strikes is the
golden period – the critical time in which you have to
manage your response to media and stakeholders”
out and back within two to four hours, which is a pretty
poor way to manage a crisis.”
Although it is one of the biggest exposures in continuity
plans, people haven’t necessarily found any easy
alternatives. After all, you can’t exactly recreate your
own mobile network if it’s down. What you can do,
however, is seek out software tools specifically designed
to assist with crisis communications.
One of the services offered by IBM is a web-delivered
tool which will pretty much instantly communicate
with thousands of people across all available devices –
be they mobiles, landlines, email, fax machines or radio.
“In so doing, you can actually shorten the initial
response from a four-hour window to a matter of minutes
and, importantly, have just the message that is relevant
to a particular person go out. For example, a CEO
will have a different role to someone who has to go out
and fix a server, find alternate premises for staff, or
speak to the media. You can articulate different activities
to the right people and manage what can be very
complicated communications.”
Of course, this assumes that people know in advance
what their role is supposed to be a crisis, which is a key
planning issue that can be managed in-house, outsourced
to specialist providers, or operated from web-delivered
software such as IBM’s Business Continuity Planning
Toolkit, which integrates with its communications tool.
Unfortunately, it is a fact that businesses today face a
whole raft of risks to their continuity – everything from
pandemics to natural disasters to malicious web attacks. In
face of declining budgets, can organisations realistically
expect to have tried and tested continuity plans to counter
all the threats they potentially might have to deal with?
According to Fry, it is important to – as far as practically
possible – separate planning from individual scenarios.
“Our view is that continuity planning should be able to
handle any kind of event, meaning that you need to think
of it as an event or disruption per se, not a pandemic, fire,
flood or cyber-attack. Yes, these are different scenarios
RISK August 2009 13

SPECIAL REPORT: BUSINESS CONTINUITY
Andrew Fry: Effective communication is a
vital component of continuity planning.
“Continuity planning should be able to handle any
kind of event, meaning that you need to think of it as
an event or disruption per se, not a pandemic, fire,
flood or cyberattack”
absolutely, but a true continuity plan will look at all the
aspects that are critical in an organisation and, if a disruption
were to occur to those aspects, what you would
need to do to keep things running.
“The increasing threat profile is not something you
can walk away from just because times are economically
tough. If anything, there needs to be a heightened focus
on it and it is even more critical to have tested continuity
plans in place. The challenge is how to do that with
potentially more limited budgets.”
In response, companies are increasingly receptive to
alternative ways of managing their business continuity.
Where once many insisted on conducting the process inhouse,
today there is growing reluctance to maintain capital-intensive
kits such as data centres which, it needs to be
said, are some of the most expensive pieces of real estate
going around – without necessarily delivering improved
recovery times via any particularly advanced technology.
If, as Fry maintains, effective communication is a vital
component of continuity planning, equally important is
awareness of the processes involved.
“When a plan is frequently and comprehensively
tested, people automatically gain awareness of their role
in a crisis,” he says. “On average, most organisations
test once a year, some once every two years, some not at
all. Rarely do they test every six months because it can
be an expensive exercise.”
With regards to staff and processes, the big end of
town has been known on a weekend to bring hundreds
of people to an IBM recovery site for a mock run to test
such things as whether phones divert properly.
“That sort of a test can be a large investment, but it
ensures that if a crisis occurs the people who actually
need to can operate from somewhere else and that they
know exactly what they’re doing and where they’re
going,” Fry says.
On the other hand, an IT-related disaster recovery
exercise is less logistically challenging, requiring only
that those physically performing the recovery be familiar
with the process. And that, Fry notes, is where most
testing tends to occur.
“The majority of the tests that we run every year tend
to be IT disaster recovery, not so much the workplace,”
he says.
This gives rise to another – frequently misunderstood
– issue, namely what differentiates disaster recovery plans
from business continuity plans.
“The approach is the same but they stream out into
different actions or resilience points,” Fry explains. “In
very simplistic terms, an organisation is a group of people
operating a variety of processes to deliver a product
or service to a stakeholder. These days, those processes
are often founded on data, meaning that people,
processes and data are all intrinsically linked.”
14 RISK August 2009

SPECIAL REPORT: BUSINESS CONTINUITY
As such, survival plans need to be driven by an enterprise-wide
approach that identifies all of the core processes
required to deliver a service or product to stakeholders.
“Business continuity is often talked about in terms of
people and process – whereas disaster recovery is often
facilities and IT,” Fry continues. “The reality is that while
they can be split in terms of designing a strategy that solves
a business problem, the approach always needs to start
from where the organisation’s critical core processes reside
and the dependencies on those. More often than not, you
will find that people, processes and data are key to both
business continuity and disaster recovery.”
Arguably implicit in this is a need for IT professionals
to become more proactive in educating and involving
business decision-makers in disaster recovery
planning – something further reinforced by what Fry
identifies as an emerging C-suite trend.
“Interestingly, many of the CIOs I converse with these
days are business rather than IT heritage people. The CIO
role is more and more a business rather than IT role.
Because of this evolution, recovery is getting more airplay
and serious attention, but it still tends to be stuck in an IT
space – to be considered an IT as opposed to company
problem, especially in small-to-medium-size enterprises. A
lot of the people I speak to who are in IT say a common
challenge is that because they are in IT they tend to get
lumbered with business continuity, and struggle to get the
message out that it is bigger than just an IT issue. By comparison,
in larger companies continuity can fall under the
scope of the CFO or chief risk officer.”
Of course, regardless of where the continuity buck
stops in an organisation or institution, a universal concern
is the escalating incidence of potentially devastating
cyberattacks. Fry, however, is cautiously upbeat on
the subject.
“When you consider the business that is transacted
today in an IT/internet-based environment, the world is
incredibly successful in that space,” he says. “If you
operate a supermarket or corner store there will always
be security issues with respect to theft and the model,
but no-one can argue that the likes of Wal-Mart are not
successful. Overall there is a lot of dependency on IT,
but there is also a lot of success. Take, for example, the
online banking system, which is incredibly successful.
“Obviously the flipside is that there are always going to
be security risks, and there is no doubt that the guys in the
black hats are getting smarter and smarter and continue to
create new threats. But equally, the white-hat guys are doing
a good enough job so that the world can quite comfortably
continue to operate in this environment.”
In 2006 IBM spent approximately $US1.3 billion
($1.57 billion) acquiring Internet Security Systems (ISS),
which provides security solutions to thousands of the
world’s leading companies and governments, helping to
proactively protect against internet threats across networks,
desktops and servers.
Part of the acquisition was ISS’s much-vaunted X-Force
security intelligence service, which is a specific team of
people who pretty much bunker down and go head-tohead
with the black hats to create solutions to threats
being thrown forward virtually every day of the week. X-
Force research and threat identification is embedded in
every product that goes out the door from ISS.
But, despite the escalating war on the internet frontline,
Fry is reluctant to pinpoint cyberattacks as the single
biggest, over-riding threat to business continuity.
“It is recognised across the world that security is an
increasing threat, because it has no boundaries,” he says.
“However, whether you would focus on that more than
anything else, I don’t think it’s fair to say. Again, you
CREDIT RISK OPERATIONAL RISK
MARKET RISK COMPLIANCE RISK
Dedicated to advancing the use of sound risk principles in an enterprise approach
engaged in Operation, Credit, Market and Compliance Risk.
Through an array of event programs and educational resources, the RMA aims to further the ability
of its members to identify, assess and manage the impacts of risks on their businesses and customers.
The rma is the premier association for
The RMA provides an independant forum for: thought leadership; the promotion of industry best
practise; an awareness of market trends and developments; endorsement of ethical standards and
professional conduct; recognition for financial risk management professionals.
RMA Australia represents members at a national level and its initiatives reach over 1,500 individual
members and risk related practitioners across the financial services market.
Globally the RMA represents 3,000 institutions and has over 18,000 individual members in the US,
Canada, UK, Hong Kong, Singapore, and Australia.
For more information on the
RMA Australia, PO Box 576, Crows Nest NSW 1585
Tel: 02 9431 8689 Email: info@rmaaustralia.org
www.rmaaustralia.org
16 RISK August 2009

CLOUD COMPUTING: A DOWN-TO-EARTH TAKE
should come back to the principles of what your core
processes are and the risks that might present against
those. In some cases, such as in manufacturing, an IT
security risk may not be the biggest risk to an organisation
– it could be power failure, fire or flood. It is
absolutely dependent on industry, geography and the
processes that are core to the organisation.
“Laterally speaking, I would even suggest that the
biggest threat to business continuity is complacency, not
a scenario per se.”
In other words, if an organisation has locked on to the
processes that need protecting, but fails to do so, the
notion of business continuity will – sooner or later –
become nothing more than a contradiction in terms. R
“It’s not a fix-all, but nothing ever is,” Andrew Fry says of cloud computing. “And it comes in
different forms. From a public cloud point of view, you are effectively outsourcing some of
your risk and security to a service provider in the same way that you might use web banking
rather than going to a branch. Essentially you outsource the personal security risk of walking
into a branch with cash to having the bank look after the security risk of transacting online.
It is standardised and pay-as-you go, and its resilience is typically not your problem.
“The cloud model can provide immediate, direct business benefits just in terms of cost
and effectiveness, let alone resilience and security.”
In contrast, with private clouds – when the cloud is created inside an enterprise – you
first of all have to make sure you get it right, because you inherit the risk of providing the
service internally. As a rule, however, Fry does not believe that security or resiliency risks
necessarily increase.
“One of the key cornerstones and inherent benefits of cloud computing is resilience,” he
says. “It is a way of managing risk, reducing cost, and increasing effectiveness and productivity.
Also, often a private cloud is based on using a company’s existing infrastructure and making
better use of that. When you wrap the standard architecture of a cloud around existing infrastructure
you can actually improve its security and resilience, meaning you are probably going
to have a better outcome by adopting the cloud option.”
In Australia, however, that adoption rate has been relatively low.
“The terminology has been around for a long time, and so has a lot of scepticism,” Fry
agrees. “But I think the definition of what it actually means and what it means in today’s
environment has changed. It has evolved and matured. The pervasive use of virutalisation,
as well as improved standards and security, have made it much more viable and something
you can depend on in the same way as other IT services we today take for granted.”
Be this as it may, Fry has his time cut out educating the local market on its potential
advantages.
“Even as recently as yesterday we held a webinar on cloud computing, with particular reference
to resilience,” he reveals. “Certainly the questions in the forum were at a fairly base level,
having to do with how companies can understand more about private and public clouds and
how they can use one versus the other. Still, I think there is an increasing acceptance and
awareness that this is something they need to treat seriously because it can really help. With
regards to the Australian organisations we are working with right now, there is some very serious
investment in time and resources to sort this out.” R
To view all jobs, free surveys and more visit
www.taylorroot.com .au
Compliance Roles: Australia
Melbourne - Neil Williams - +61(0)3 8610 8400
E: neilwilliams@taylorroot.com.au
Sydney - Amanda Atherton - +61(0)2 9236 9000
E: amandaatherton@taylorroot.com.au
Neil
Williams
Amanda
Atherton
Risk & Compliance Director
Sydney • c.A$200,000
Diversified financial services group is seeking to recruit within the retail advice
group for a senior compliance professional for a leadership role. The position will
oversee the day-to-day management of a large risk and compliance team. This
position will have performance management responsibility for the team and
provide coverage for the Head of Risk, as well as drive continuous improvement
and business as usual duties of assessment, surveillance and monitoring.
Compliance Manager
Melbourne • c.$150,000
Our financial services client seeks an experienced compliance professional to
manage one of its new business units. This role will respond to any regulatory
matters and review and approve external communications as well as review all
policies and procedures. The position will also take a lead on training
requirements across the business, responding to complaints and new product
approval. This role will be rewarded with a competitive salary package.
The SR Group | Brewer Morris | Carter Murray | Frazer Jones | Parker Wells | SR Search | Taylor Root | London | Birmingham | Manchester | Leeds | Dubai | Hong Kong | Sydney | Melbourne
RISK August 2009 17

SPECIAL REPORT: BUSINESS CONTINUITY
“There is now a real understanding across many levels
of business that firms simply cannot afford any
interruptions to critical business operations”
Cutbacks
come home to roost
Supply chain issues and the impact of redundancies are now
the two biggest risks facing business.
KEY FINDINGS:
Although wide-ranging cost-cutting has been a necessary
response by many businesses to the GFC,
inevitably this has come at its own price, with
supply chain issues and the impact of redundancies on
business effectiveness emerging as the two biggest risks
to business operations.
A poll by the Institute of Chartered Accountants in
England and Wales and disaster recovery specialist Sun-
Gard Availability Services, conducted ahead of a round
table debate, also showed that two-thirds of organisations
that responded believe they face greater operational
risks than compared with 12 months ago.
• Sixty-five per cent of those polled believe that levels of operational risk have increased
within the past year;
• Seventy per cent believe they are at more risk from damaging supply chain issues (e.g. business
partners going out of business compared with a year ago);
• About half state that redundancies and cost reductions have impacted on effectiveness of
day-to-day operations and increased operational risks; and
• A third say that risk and resilience issues are now discussed at board level.
More than 70 per cent of those polled at and shortly
before the event – which was attended by chief financial
officers, finance directors and heads of operational risk
– said the risk of disruption caused by supply chain issues
had dramatically increased over the last year, with concern
about the stability and resilience of smaller supplies
and partners in the difficult economic climate. The impact
of redundancies and cutbacks on the effectiveness of dayto-day
operations was also cited by more than 50 per
cent of delegates as a growing cause of concern.
Roland Brook, associate director at accountancy firm
Smith & Williamson, emphasised that the threat of collapsing
supply chains had become a vital issue for many
managers during the recession.
“Resilience has become much more of a major focus
for our clients over the past year as many have had to
contend with new threats, such as supply chain disruption,
which have dramatically increased in the recession,”
he said. “There is now a real understanding across many
levels of business that firms simply cannot afford any
interruptions to critical business operations.”
Group operational risk manager at Investec Asim
Balouch agreed: “It’s quite telling that most organisations
are planning to increase investment in areas such
as network and communications infrastructure, servers
and security. Organisations are becoming increasingly
aware that they cannot operate effectively without having
a complete understanding of their data and the way
that their IT systems underpin operational efficiency and
integrity.”
According to the managing director UK and executive
vice president Europe for SunGard Availability Services,
Keith Tilley: “All organisations need to assess the
impact that disruption to their supply chain could have
on their business and have plans in place to continue
normal operations should a supplier run into problems.
“What is encouraging about this research, however, is
that resilience is now being discussed at the highest levels
of decision-making within more and more organisations,
whereas before it was often overlooked and left
to the IT department to look after.”
IT advisory partner with Baker Tilly and chairman of
the ICAEW IT Facility, John Oates, who chaired the
event said: “In the last 12 months we have seen operational
risk rise up the business agenda as organisations
identify new threats to their business, not least that
caused by growing numbers of redundancies, both in
terms of knowledge and malicious attempts by departed
employees to exact revenge on their employers.
“More than ever, organisations need to create contingency
plans that are watertight and workable, but also
flexible enough to cope with the new and unexpected
threats thrown up by the current economy.” R
18 RISK August 2009

SPECIAL REPORT
Breakthrough on
BlackBerry breakdowns
The world’s largest advertising agency has shored up its
business continuity infrastructure through software that
provides continuous availability of RIM BlackBerry services.
“The entire
Neverfail
software suite for
the BlackBerry
Enterprise Server
was installed and
configured
within two days”
With a blue-chip client roster that includes Air
France, Kraft Foods, IBM, Jaguar, Pernod Ricard,
L’Oreal, Volvo and New York Stock Exchange,
among a host of others, Euro RSCG Worldwide is one of the
world’s leading integrated marketing communications agencies
in the world, made up of 233 offices located in 75 countries
throughout Europe, North America, Latin America, the
Asia-Pacific Region and the Middle East. In 2008, Advertising
Age ranked the agency the world’s largest by global
accounts, for the third year in a row.
With an imperative to be continuously available to
service the high-pressure demands of a global client base,
Euro RSCG Asia Pacific CIO, Ivan Glaser, was in the
market for a solution that could offer uninterrupted
access and continuous uptime to the CEO, CFO and
other BlackBerry users in the 16 offices across APAC
and Australia who rely on their smartphones to relay
crucial messages and contracts.
“As a CIO managing a diverse region including India,
China and other countries spread across multiple time zones,
it is imperative that our senior staff have access to the Black-
Berry Enterprise Server 24 hours a day, seven days a week,
especially when there are contracts and deadlines that need
to be met,” Glaser says.
In addition to using their BlackBerries to conduct routine
email business, Euro RSCG executives rely on their
devices for additional applications such as Worldmate, a
mobile travel application that allows for the management
and planning of travel; Sametime for Chat, a client-server
application that provides real-time, unified communications
for enterprises; Oanda, which provides currency and
foreign exchange rates to finance teams; and ROVE
Mobile, which enables Glaser to administer all of Euro’s
IT infrastructure via his mobile device.
After a crippling hard-drive failure took the agency’s Black-
Berry email services down, requiring a day-and-a-half of
downtime to rebuild the servers, Glaser started shopping for
a solution. It was in 2008, while attending a BlackBerry Roadshow,
that he came across Neverfail. After discussing its
potential benefits with the New York-based global CIO,
Glaser was given approval to be the first division of Euro to
deploy the product.
“The entire Neverfail software suite for the BlackBerry
Enterprise Server was installed and configured within two
days,” he explains. “We tested it internally and trialled the
switch process multiple times. The speed of switchover and
switchback left me feeling secure about how it operates. It
has ensured that emails are always accessible and, more
importantly, that maintenance can be performed during
working hours.”
Being personally responsible for ensuring BlackBerry availability,
Glaser reveals that prior to installing Neverfail the
only time he was able to conduct server maintenance was
during obscure hours on the weekend, because of time zones
throughout Asia and needs of users.
“Now I don’t need to come into the office on my off-time
to fix a crashed server or conduct maintenance. We are up and
running 100 per cent of the time,” he says.
Neverfail proactively monitors the health of Euro’s
entire server environment, including hardware, network
infrastructure, operation system and supported applications.
Should an issue arise with its primary server environment,
users are seamlessly redirected to the company’s
secondary site. Once the issue is resolved on the primary
server, failback is done through a simple click of a button,
with users able to continue working given there is no
need to restart any application.
“All our continuous availability requirements have now
been met and, as a result I’m confident that, should an issue
arise, we are protected against any amount of downtime,”
Glaser says. R
RISK August 2009 19

REGULATION
Financial regulation:
A blueprint for change
Many have predicted the inevitability of a regulatory surge in the
wake of the GFC, but to date any detail on the desired future
direction of financial regulation has been fairly thin on the ground.
Against this backdrop, the Association of Chartered Certified
Accountants has just released a blueprint for effective change.
Risk management must be paid more than lip service
to protect the Australian economy against future financial
shocks, the Association of Chartered Certified
Accountants (ACCA) has warned.
The comment comes as the ACCA releases the Future of
Financial Regulation report following extensive consultation
with financial experts across its 57 global accounting partnerships.
Significantly, the report provides nine key principles
for regulators, boards and professionals to use as a
blueprint for effective regulation (see opposite page).
“Financial regulation is a global issue and Australia is not
immune to its failings,” says Australian ACCA panel member
Chris Campbell. “While the Australian market has not
been hit as hard as other nations around the world, there is
always room to improve and strengthen the sector against
future financial shocks.”
He believes the three key principles Australia should
look to improve are risk management and internal control,
incentives, and business conduct.
“Australian companies have risk management policies in
place, however, most are not transparent in how these are
governed, implemented and reviewed. Companies need to
elevate the importance of risk management and internal audit
to safeguard against financial threats and corporate failure,”
he maintains.
According to Campbell, adopting ethics-based corporate
cultures on issues such as remuneration and incentives will also
ensure financial institutions continue to act in the long-term
interests of stakeholders.
“Remuneration and incentive schemes should be structured
to match the long-term interests of a company to remain
fair and effective,” he says. “Recent scrutiny of executive
remuneration schemes and boards has demonstrated that getting
it wrong can be detrimental to a company’s reputation
and long-term financial stability.”
Notably, he says organisations should go beyond the
minimum when it comes to disclosure.
“Transparency is imperative to maintain ethical business
conduct. Efforts to improve the disclosure of fee structures
to consumers and increased scrutiny of new financial products
by regulators are examples of how the market is building
momentum towards better regulation and responsibility
to stakeholders.
“The accountancy profession plays a key role in ensuring
the quality of financial reporting and auditing to restore faith
with stakeholders.”
However, some of Australia’s existing regulations are
already in line with the ACCA’s recommendations, such as
“ensuring fair competition in the marketplace”.
“Australia’s ‘Four Pillars’ policy, which forbids mergers
between the Big Four banks, is one example of promoting
healthy competition in the market,” Campbell says. “Regulations
such as these have helped to shield Australia from
the worst of the global economic downturn.”
The Future of Financial Regulation report also warns that
the failure of “light touch” regulation and its role in the
global economic downturn does not mean a “heavy-handed”
approach is the answer.
“Many corporate failures have not been the result of
insufficient regulation, but, rather, inadequate enforcement
of the rules,” Campbell notes. “Authorities need to consider
whether increased disclosure will improve compliance before
making unnecessary changes to regulatory policy.
“The nine principles put forward in the report provide
a blueprint to strengthen regulation. The adoption
of these recommendations will maintain Australia’s position
in the global marketplace for when the market
picks up again.”
20 RISK August 2009

REGULATION
NINE KEY PRINCIPLES FOR FUTURE FINANCIAL REGULATION
1. Establish the purpose of regulation: Facilitate business activity while providing essential safeguards for the interests of stakeholders. Authorities need to have a thorough
understanding of the businesses and markets they are supervising.
2. Ensure fair competition in the market: Governments, national and regional authorities should regard healthy competition in the marketplace as crucial to the enhancement
and potential effectiveness of their regulatory systems.
3. Standards of business conduct: Strengthened regulation and supervision must promote integrity and transparency. A commitment to an ethical corporate culture will
help protect the interests of shareholders and external stakeholders, achieve transparency and help combat threats such as fraud and bribery.
4. Standards of competence: Companies should be expected to have appropriate skills and human resources at all levels of the business. Each company’s board of directors
must understand the technicalities of the business. Individuals with appropriate skills and experience must be involved in the decision-making process and be alert
and responsive to developments in business practices.
5. Corporate governance: Boards, shareholders and stakeholders should have a common understanding of the ultimate aim of securing long-term prosperity for the company
concerned, while recognising the special interests and rights of others.
6. Accountability: Companies should be expected to account for their activities transparently, thoroughly and with due regard for the demands, rights and information
needs of their stakeholders. The process of external audit ensures shareholders and the markets receive independent, external assurance about the way that boards
manage their companies. Regulators and the auditing profession also have the potential to add new value to the regulatory process through changes in the nature of an
audit or extensions to its scope.
7. Incentives: Remuneration schemes for directors and employees should be integrated into a company’s strategic plans and be careful not to distort behaviour which
could be detrimental to the long-term interests of the company. In particular, incentive schemes should be linked, primarily, to the achievement of longer-term shareholder
value by the company as a whole.
8. Risk management and internal control: All companies should set up risk management and internal controls that can be objectively challenged by the board, independently
of line management. To ensure the integrity of both the risk and internal audit functions, they need to be given a high status within the company structure. Ideally,
the officer responsible, if not a member of the board, needs to be made accountable directly to the board rather than to executive management.
9. Funding: Companies in the financial sector should be required to have capital structures and levels of liquidity which correspond to the scale and level of risk inherent in
their activities. Structures should also make reasonable provision for changes in economic circumstances. International regulatory authorities should pursue a co-ordinated
approach to the definition of optimal capital levels for the major retail banks. As an integral part of any new regime on capital requirements, the regulation system
needs to have built-in safeguards which will help protect against future repetition of boom and bust cycles. R
RISK August 2009 21

AML/CTF
Yes Minister, but
it’s a matter of national security!
Extensive non-compliance and indifference, a delay in
implementing Tranche II, a one-size-fits-all approach and
increasing complexity have hardly endeared Australia’s antimoney
laundering and counter-terrorism financing initiatives to
the broader business community, writes James Cozens.
“Failure to
implement
Tranche II makes
the whole
exercise read
like an episode
of the British
television classic
Yes Minister”
AUSTRAC, the body responsible for protecting
the integrity of Australia’s financial system in
relation to the prevention of money laundering
and terrorism financing, has been extremely
busy in recent weeks dealing with some highprofile
cases of non-compliance within the financial services
sector, as well as addressing growing pressure from senior
executives and industry bodies questioning loopholes in the
current regime.
The primary issue is the Federal Government’s delay in
implementing Tranche II of the Anti-Money Laundering and
Counter-Terrorism Financing Act 2006, which is supposed to
bring lawyers, accountants, real estate agents and jewellers
within the AML/CTF regime. At present, these types of businesses
are not monitored at all, providing a great roadmap
to safe havens for criminals. Indeed, failure to implement
Tranche II makes the whole exercise read like an episode of
the British television classic Yes Minister.
Jim Hacker, Minister for Common Sense: “But, Sir
Humphrey, surely this makes a complete joke of the whole
regime. We need to explain things to the people. We need to
do something about this.”
Sir Humphrey: “Unfortunately, Minister, there is simply
nothing we can do. This is now classified. It is a matter of
national security!”
Australian Bankers Association chief executive David
Bell has questioned the delay and highlighted the dangers
in not monitoring industry sectors that “complete large
transactions similar to financial institutions and are in an
ideal position to report instances of suspected money laundering”.
While many may find it difficult to feel any sympathy
for bankers at the moment, Bell does have a pretty
good point.
In face of such ongoing criticism, Attorney-General
Robert McClelland commented that the Government is
“conscious of the need to balance the second tranche of
reforms against the very immediate needs of business in the
current financial climate”. His department’s website recently
announced that the Government now proposes to reconsider
the implementation process for the second tranche of
reforms in December 2009.
While this is good news for businesses that will fall within
the second tranche of legislation, it is bad news for the credibility
of Australia as an international business centre.
When I spoke with outgoing AUSTRAC CEO Neil Jensen
a few weeks ago he confirmed that there could be up to
40,000 entities caught up in Tranche II, although he qualified
the statement by adding: “We don’t really know what
Tranche II is going to cover at this stage”.
This is not AUSTRAC’s fault. It is because the Government
has not told the regulator what it is doing. About
40,000 businesses – the majority of which will be smallto-medium-size
– coming to grips with the complexities
of the AML/CTF Act and implementing risk management
and compliance systems will, at the very least, be a challenge.
Spare a thought for the small-town regional
accountants, lawyers, real estate agents and jewellers who
probably have not the slightest clue about what is about
to come their way.
22 RISK August 2009

AML/CTF
Further criticism has recently been directed at AUS-
TRAC due to a perceived lack of enforcement against noncompliant
entities within the financial services sector, and
also a lack of serious penalties for those businesses that
have failed to lodge a compliance report for the 2008
period. Estimates suggest that about 20 to 25 per cent of
the approximately 15,000 reporting entities across Australia
have failed to lodge compliance reports, suggesting
an alarming level of “don’t care” sentiment.
There are growing concerns, particularly within the
gaming industry, that many entities do not have adequate
programs in place or, worse still, have not even addressed
the issue. Of course, this is not really surprising when you
consider that similar rules and obligations apply to big
banks and right through to the local pub in a country town
operating a few pokies – albeit that the entities do not
share the same degree of complexity.
Many of the businesses that have done the right thing
and spent considerable time and money during the financial
crisis building programs to address AML/CTF obligations
are becoming increasingly disillusioned by an
apparent lack of penalties for non-compliance. Little
wonder, then, that the regulator has just struck back,
after having accepted enforceable undertakings from Barclays
Bank and Mega International Commercial Bank
(also see story page 9). In my discussions with Jensen he
made it very clear that AUSTRAC is not just going to sit
“Australia remains behind many other Western nations
in terms of the regulation and prevention of money
laundering and terrorism financing”
back. It has a range of powerful enforcement tools and
intends to use them.
Overall, however, Australia remains behind many other
Western nations in terms of the regulation and prevention of
money laundering and terrorism financing. This cannot be
a good thing, particularly in light of recent corporate scandals
and the international desire to crack down on money
laundering activities.
As Jensen prepares to step down from his post at AUS-
TRAC he can probably be satisfied with the initiatives he
and his team have put in place over the past few years – especially
the requirement that all reporting entities lodge targeted
annual compliance reports and undertake regular
independent reviews of their AML/CTF programs.
The real question is what the Federal Government is doing
to close the gaping holes in the system and how it is going to
deal with the enormous challenge of having tens of thousands
of small-and-medium-size enterprises comply with a piece of
legislation that can be headache-inducing in its complexity. R
James Cozens is a consultant with corporate governance
solutions specialist CompliSpace.
RISK August 2009 23

STRATEGY
Cost-cutting:
a permanent
corporate fixture?
It’s a disquieting scenario, but the
concerted focus on reducing costs may
well become a continuum even as the
economic environment improves.
While economic “green shoots” seem to be
sprouting in the local economy, prospects
on the economic front in some overseas
locations look as grim as the impending
northern winter. Latest forecasts suggest
that GDP in the UK is likely to decline this year by a massive
4.5 per cent – the largest amount in a single year since the end
of the Second World War.
In response, many companies are expecting to make further
cuts of up to 25 per cent in the next couple of years,
ushering in what some analysts believe will be a new era of
“permanent cost-cutting”. According to predictions, the
painful cost-cutting and curbing of discretionary expenditure
endured over the last 18 months may yet prove to be
the “easy bit”.
A study by CFO Europe Research Services for KPMG has
found that firms have focused on the short-term as they try to
weather the economic storm, with 86 per cent of respondents
requiring cost initiatives to deliver a payback within 12 months.
Unfortunately, while this may be a natural reaction to intense
market pressure, it does not always deliver a strategy for permanently
lower levels of cost in an organisation.
Perhaps the biggest challenge now facing organisations,
however, is how to make changes to the cost base that are both
sustainable and generate cash for future growth.
“It seems that the next 24 months will see organisations
stepping up their focus to deliver further cuts to the cost base
to create a sustainable advantage,” says a partner in KPMG’s
European Operations Strategy Group, Jeremy Kay. “This
requires a bolder longer-term commitment to a lifecycle
change, not merely a short-term diet, as old habits can easily
creep back in.
“In a more prudent economic environment, the emerging
winners will be those that successfully and regularly recycle
funding from cost initiatives to generate cash for growth.”
Just over a quarter of respondents said they were using
organisational restructuring strategies, including headcount
reductions, to cut costs. But while such strategies deliver the
biggest savings, they are not the most sustainable for the
majority. One-fifth said improving process efficiency was
their second most important strategy, while just less than 10
24 RISK August 2009
“A new focus on
cost management
is here to stay
and it must
become a
continuum even
as the enonomic
environment
improves”
per cent claimed that using better risk management was a priority
in cutting costs.
“A new focus on cost management is here to stay and
it must become a continuum even as the enonomic environment
improves,” Kay warns. “More than half (53 per
cent) the respondents in our survey agree that it has become
a permanent and more prominent feature of day-to-day
business, both now, and as and when we move out of the
economic downturn.”
The survey also showed that organisations have already
taken steps to embed better cost management, such as making
cost leadership an explicit part of the overall strategy.
However, there is still work to do in broadening ownership
of cost management. A mere 5 per cent of respondents
said that all employees were responsible for cost management
initiatives. The survey shows that cost management
still remains in the domain of the C-level executive, with
more than 40 per cent of CFOs and an additional 20 per
cent (CEOs) saying they were responsible for these programs.
“The survey shows there are winning themes emerging,
with a focus on building commercial capability and prioritising
sustainability – but there is still a long way to go,”
Kay says.
Adds partner and leader of KPMG’s European Operations
Strategy Group, Martin Scott: “Many businesses probably
feel as if they have done enough, in cost reduction terms,
to survive the current downturn. But as only a fifth of respondents
said they were looking at more radical options than they
were 12 months ago, shareholder expectations to deliver
bolder and more sustainable cost strategies may take some
time to be met.
“The winners will be those that create adaptive approaches
to cost management so they can continually rebalance
resources from underperforming areas into those that promise
growth. A new era of ‘earning the right to grow’ is here
to stay.” R

Risk = opportunity
TRANSITION TO ISO 31000 WORKSHOPS
In anticipation of a positive vote in the ballot of ISO member organisations, the AS/NZ
Standards Committee has approved adoption of the new standard as AS/NZS/ISO
31000:2009 – RM – Principles and guidelines. AS/NZS 4360:2004 – RM will be withdrawn.
A practical workshop series, Transitioning to the New RM Standard, has been developed by
RMIA in conjunction with leading ISO 31000 specialists, and will be introduced Australia-wide.
Workshop details:
Adelaide: Aug 24, Oct 22 Brisbane: Aug 20, Oct 16 Canberra: Sept 10, Oct 19
Cairns: Nov 25 (after the RMIA Annual Conference) Hobart: Sept 8
Melb: Aug 18, Sept 9, Oct 21 Perth: Aug 25, Oct 23 Sydney: Aug 19, Sept 11, Oct 20
A registration brochure will be available soon. For expressions of interest, email
msc@rmia.org.au.
RMIA ANNUAL CONFERENCE
The RMIA Annual Conference, Risk management: the road to resilience, is in Cairns, far north
Queensland, on November 22–25. It is an excellent opportunity to partner with RMIA as
a sponsor or showcase your products and services in the exhibition area. The partnership
prospectus is on the website, www.rmia.org.au.
FUNDAMENTALS OF RISK CONTROLS WORKSHOPS
RMIA is hosting Fundamentals of Risk Controls workshops for people working in all
types of organisations who need to acquire knowledge of how controls help identify
and manage risks.
Email education@rmia.org.au for more information.
Scheduled dates are:
Hobart: Sept 2 Melbourne: Oct 13
FUNDAMENTALS OF MANAGING RISK WORKSHOPS
Participants in Fundamentals of Managing Risk workshops acquire the
skills and knowledge to apply the RM process in their organisations by
understanding the AS/NZS 4360:2004 standard. Reference is also made
to the draft ISO 31000 RM standard. Workshops are scheduled for:
Sydney: Aug 26–27 Perth: Sept 22–23 Darwin: Oct 12–13
Melbourne: Oct 27–28 Wellington, NZ: expressions of interest welcome
In-house FMR workshops are available.
Please email education@rmia.org.au for details.
RMIA DIARY Information or bookings, email eventadmin@rmia.org.au or visit www.rmia.org.au
AUGUST
12: Vic chapter meeting
Speaker: Paul Barton, Director, Office of Sustainability & Environment
17: NSW chapter conference, Sydney
RMIA is a not-for-profit professional membership organisation. For information about partnering with RMIA, email membership@rmia.org.au.
R E A L I S I N G O P P O R T U N I T Y
Risk Management Institution of Australasia Ltd ACN 106 528 509
PO Box 97 Carlton South Victoria 3053 T 03 8341 1000 F 03 9647 5575
www.rmia.org.au E membership@rmia.org.au

SUSTAINABILITY
Stuck in second
on carbon scheme
Although many local organisations are starting to prepare for
the inevitability of a carbon-constrained economy, it seems
that for most it is still an uphill battle.
While Australian businesses are beginning
the journey of adapting to emerging
carbon constraints, the downside
is that there is a real lack of understanding
about the proposed Carbon
Pollution Reduction Scheme (CPRS) and a worrying surge
in regulation associated with greenhouse gas emissions.
These are the overriding findings in a national survey
into business readiness for climate change conducted by
the Australian Industry Group (Ai Group) and KPMG,
titled Gearing Up: Business Readiness for Climate
Change. Based on responses from 400 businesses in the
manufacturing, construction and services sector, it examines
what stage they are at in adapting to emerging carbon
constraints, how well they are prepared for the
introduction of a national emissions trading scheme and
the extent of regulatory burdens in the area.
“There are plenty of very encouraging signs that businesses
have begun to take active steps to measure and
manage their carbon footprints,” says Ai Group chief
executive Heather Ridout. “Businesses also have strong
plans to take these initial steps further over the coming
few years.”
However, the survey also points to some significant
problem areas.
“Businesses are not yet well informed about the Commonwealth
Government’s proposed CPRS,” she acknowledges.
“While some have a very good understanding of
the key elements of the proposal, this is far from widespread.
There is clearly a great deal more that needs to
be done before we can assume business is adequately
prepared for the scheme and its impacts.”
According to KPMG national partner in charge of
Sustainability, Climate Change and Water, Jennifer Westacott,
the firm’s work with clients in this space has
shown time and again that the complexity and practical
challenges of being ready to respond to big regulatory
and economic change cannot be underestimated.
“One of the
biggest concerns
for business is
the disturbing
proliferation
of regulatory
measures
in the climate
change area in
recent times
– and the strong
expectation of
more to come”
“It is essential for business to move beyond a simple
compliance focus to a comprehensive business strategy
that creates value and competitive advantage,” she maintains.
“While some companies are leading the way and
making good progress, there is much work to be done.
It is critical that government and business factor in realistic
lead times for all sectors of the Australian economy
to be ready for this significant change.”
One of the biggest concerns for business is the disturbing
proliferation of regulatory measures in the climate
change area in recent times – and the strong expectation
of more to come. Notwithstanding some promising initial
comments by the Commonwealth Government, as Ridout
notes, there is yet to be any significant streamlining of
regulation concerning greenhouse gas emissions.
“These findings accord with a recent report by the
Productivity Commission in which it counted no less
than 244 regulatory measures related to greenhouse gas
emissions administered by 56 different agencies,” she
says. “This is emerging as a major failure of policy in
Australia. The Government needs to put right at the top
of the policy agenda a plan with clearly defined targets
aimed at getting rid of unnecessary and productivitydamaging
climate change regulations.”
26 RISK August 2009

MACQUARIE UNIVERSITY
APPLIED FINANCE CENTRE
EXECUTIVE TRAINING COURSES
FOR FINANCE PROFESSIONALS
“It is essential for business to move beyond a simple
compliance focus to a comprehensive business strategy
that creates value and competitive advantage”
A low carbon economy is no longer an “if”, it’s a “when”, Westacott
adds.
“It’s concerning that only a quarter of the respondents to the survey
have undertaken a formal assessment of the impacts of the
CPRS, while a third have reviewed costs and opportunities to
reduce cost impacts,” she says. “When business really understands
the detail, it is clear this is not only a compliance and reporting issue
– it is integral to business strategy.
“Australian business needs to act now despite the uncertainty
around the CPRS. Strong global momentum for change is building
and business has to start getting ready for the low carbon economy
of the future.” R
GEARING UP – KEY FINDINGS
• Almost three-quarters of businesses currently measure or plan over
the next three years to measure their carbon footprint;
• About 38 per cent have taken steps to reduce their direct emissions,
reduce energy overheads, or to reduce energy inputs per
unit of production;
• More than 60 per cent have taken steps or plan over the next three
years to invest in “cleaner” capital equipment as part of management
of their carbon footprint;
• Only 15 per cent were confident they had knowledge of all key elements
of the CPRS;
• More than 30 per cent say they have no knowledge of the key elements
of the scheme;
• More than 55 per cent are currently not taking steps to become better
informed;
• Almost one-third had no knowledge of the main elements of the proposed
scheme;
• Close to one-quarter have undertaken a formal assessment of the
impacts of the CPRS;
• About one-third have assessed cost impacts of the CPRS and ways
to reduce these;
• More than one-quarter have assessed opportunities arising from the
CPRS;
• Manufacturers are the most active in taking steps to assess the
impact and costs of the CPRS;
• Sixty per cent of businesses intend to boost the capacity of existing
personnel to assist in managing their carbon footprint;
• Almost four in 10 reported an increase in costs of complying with regulation
in the area over the past three years; and
• Across businesses of all sizes, almost 70 per cent expect to be allocating
extra resources over the next three years to compliance with
regulations in the areas of greenhouse gas emissions and energy use.
MAFC is the home of the world’s
largest Masters of Applied
Finance Program. We specialise
in courses specifically tailored
for finance professionals. All our
lecturers are highly qualified with
extensive industry experience.
STRATEGIC RISK MANAGEMENT –
GOVERNANCE, ORGANISATION
& FRAMEWORKS *New Course*
Melbourne 14 & 15 September – 2 days
Within the context of the current global
financial crisis, this new course outlines
the means to ensure that the risks to
your firm’s strategies are considered and
mitigated. Lessons learned from recent
failures of risk management are examined
through relevant case studies.
MANAGING SYSTEMS RISK
Sydney (CBD) 22 & 23 October – 2 days
The re-engineering of firms’ ‘core systems’
in response to changing customer
demands has increased interest in
techniques for managing Systems
Risk. Participants will gain a working
knowledge of and an approach to
managing new regulatory requirements
as they relate to IT Strategy, E-commerce,
Infrastructure and Business Continuity.
MANAGING OPERATIONAL RISK
Sydney (CBD) 10 November
This practical course meets the growing
need in industry for operational risk
managers to focus on emerging models
and tools for identifying, measuring,
monitoring and mitigating operational
risk. The course covers the impact of the
latest regulations in this area by the ASX,
APRA and Basel II.
These courses are delivered by
DR PATRICK McCONNELL who is a
published author and an expert in
process improvement.
www.mafc.mq.edu.au for information,
pricing and registration
email shortcourses@mafc.mq.edu.au
telephone +61 2 9223 6231
CRICOS Provider Code 00002J
RISK August 2009 27

RISK MANAGEMENT
Financial firms fight to recalibrate risk
With the GFC having prompted a sweeping reassessment of risk
management, many financial institutions are still struggling with
a raft of cultural, technological and organisational challenges.
There is no question that the global financial
crisis has exposed fault lines in the management
of risk across many sectors of the financial
services industry. Faced with a massive
erosion of confidence among key stakeholders,
and the prospects of difficult times ahead as the industry
seeks to rebuild itself, risk professionals are now
questioning the very foundations of risk management.
According to findings from a new SAS-sponsored Economist
Intelligence Unit (EIU) report, titled After the Storm:
A new era for risk management in financial services, less
than half of risk professionals in the industry believe the
principles of risk management remain sound.
Clearly, this suggests that fundamental changes to risk
management are required – not just better execution. On
the upside, many risk professionals seem to recognise this,
with 53 per cent of the 334 senior risk managers questioned
in the EIU study indicating that they have conducted,
or plan to conduct, a big overhaul of their risk management
in response to the crisis. The findings also highlight an
acute lack of understanding between the risk function and
the broader business, with just 40 per cent of respondents
believing that the importance of risk management is widely
understood throughout the business.
In their efforts to overhaul risk management, key areas
of focus include the strengthening of risk governance, a
move towards a firm-wide approach to risk, the deeper
integration of risk within the business and improvements
to data quality and availability. Respondents state that
the need for reform is being driven, in particular, by executive
management, but that regulators are also starting
to apply the pressure.
“The financial crisis has prompted a wholesale reassessment
of risk management in many financial institutions as
“Firms are
adopting a range
of new ideas and
approaches, but
face a number of
important
cultural,
technological
and
organisational
challenges before
they can
successfully
recalibrate their
risk
management”
they come to terms with a dramatically changed environment,”
says the report’s editor, Rob Mitchell. “Firms are
adopting a range of new ideas and approaches, but face a
number of important cultural, technological and organisational
challenges before they can successfully recalibrate
their risk management.”
Other findings from After the Storm: A new era for risk
management in financial services, include the following.
Retreating from risk
Only about one-third of executives believe the outlook
is positive for their business in terms of either revenue
growth or profitability over the next year, and less than
one-third say they are seeing confidence return. This
erosion in confidence is having a dramatic impact on
the kinds of business that financial institutions are willing
to carry out, with many retreating into familiar,
domestic areas.
Increased transparency
Asked about the initiatives they thought would be most
beneficial to the financial services industry, respondents
pointed to greater disclosure of off-balance sheet vehicles,
stronger regulation of credit rating agencies and the central
clearing of over-the-counter derivatives as being three
among the top four that have the greatest potential benefit.
Although these are wide-ranging activities, there
seems to be a common theme across all of them – namely,
the requirement for greater transparency and disclosure
to facilitate the more effective management of systemic
risk issues.
Supervisory response
Just three in 10 respondents are confident that policy-makers
can formulate an effective response to the crisis. Regulators,
in particular, are singled out as being a potential
weak spot, with less than one-third rating their handling of
the financial crisis as good or excellent (a lower proportion
than for either central banks or governments). R
28 RISK August 2009

ACI 13th Annual
Conference
Tuesday & Wednesday
13 & 14 October 2009
Hilton Hotel, Sydney
SAVE $500
if you register for the
Early Bird rate by the 4th
of September 2009
GROUP DISCOUNTS AVAILABLE
Register 6 delegates and save
over $600 for group bookings.
Earns 12 CPD POINTS
Doing More With Less
Our expert speakers include:
ACI invites you to attend our 13th Annual Conference – the
premier compliance and risk event of 2009. In light of the recent
economic challenges ACI’s has developed a unique conference
program to explore the ways in which organisations can build a
robust compliance framework in preparation for pending regulatory
changes maximising the effectiveness of compliance and risk
systems for the long term.
The leaders in compliance and regulation will provide guidance on how to increase
your efficiency in compliance by doing more with less.
Our program of expert speakers and practical workshops will help delegates to:
Maintain compliance awareness with the organisation and key stakeholders
during tumultuous times
Increase stability and transparency through the use of compliance data and metrics
Manage the wave of regulatory change whilst ensuring the organisation meets
its business objectives
Assess the changing power of third party regulators in varying industry sectors
Engage proactive and strategic business solutions within the area of compliance
Ensure effective risk management in today’s environment
Maintain a rigorous compliance program in the face of change for the benefit of
both the business and consumers
David Landau, Chief Compliance
Officer USA, Starbucks Coffee
Company
The Hon. Nick Sherry,
Assistant Treasurer
Vikram Singh, Chief Compliance
Officer, GE Capital, Asia Pacific
Greg Kirk, Senior Executive Leader
– Deposit takers, credit
and insurance providers, ASIC
Sarah Court, Commissioner, ACCC
Thomas Story, CEO a/c, AUSTRAC
Charles Littrell, Executive General
Manager, Policy, Research and
Statistics, APRA
To register:
visit www.compliance.org.au or
email events@compliance.org.au
or call +61 2 9290 1788
Alumni Sponsor
Silver Sponsor
Bronze Sponsors
making effective compliance easy

COMPLIANCE
Sanction
demands sour
corporates
Concern is mounting as global sanctions
compliance saps ever-increasing
amounts of money, time and human
resources from multinationals.
Increasing global regulatory rigour has forced multinational
organisations to focus on co-ordinating their economic
and trade sanctions compliance activities across
borders. This is a key finding in Facing the Sanctions
Challenge in Financial Services, a new Deloitte survey of
388 executives and managers from around the world.
However, just one in four companies gives compliance
staff training once every two years – at the most.
The complexity of screening all the dimensions of financial
transactions (56 per cent) and meeting growing regulator
expectations (41 per cent) are some of the biggest
challenges respondents’ companies face in implementing sanctions-related
controls. Only half the companies have turned
their sanctions policies into a process.
“This creates the real possibility of regulatory discipline
by the authorities,” says Deloitte Asia Pacific Sanctions
Advisory Practice lead partner Graham Dillon. “The absence
of a robust sanctions compliance program, or an inadequate
one, poses a real risk of prosecution from either Australian
or international authorities, in particular the US
Office of Foreign Assets Controls (OFAC).
“As the authorities continue to be more rigorous in their
oversight of financial institutions and international regulators
increase their own vigilance, more organisations are
responding to regulatory actions now than in the past 10
years. At the same time, financial institutions have to contend
with shrinking compliance budgets and headcounts. This is
a combination fraught with danger.”
The study, in which 32 per cent of respondents were
based in the Asia-Pacific region, also revealed some leading
practices in sanctions compliance.
Risk assessments
Companies are increasingly using risk-based approaches to
sanctions compliance, especially since OFAC’s 2006 Interim
Economic Sanctions Enforcement Procedures and the EU
Third Money Laundering Directive required that compliance
programs be tailored to a bank’s risk profile.
Sanctions programs including risk assessments – an essential
first step to a risk-based approach – have become part of
industry-leading practices. Meanwhile, of the 44 per cent of
respondents who reported their companies had a well-defined,
sanctions-specific compliance program in place, 70 per cent
30 RISK August 2009
“The absence
of a robust
sanctions
compliance
program, or an
inadequate one,
poses a real risk
of prosecution
from either
Australian or
international
authorities”
were either completing or had completed a formal sanctions
risk assessment within the past two years.
Leveraging IT
Financial services companies are at the forefront of industries
endeavouring to use IT solutions to meet their expanding
compliance obligations, with most companies having
deployed IT solutions at the initial detection stage and then
manually investigating the alerts generated by those systems.
Just 19 per cent of respondents work for firms that have
fully automated this process, but more than twice as many
(52 per cent) expect to do so in three years’ time. Because
automation is expected to increase, the number of companies
with largely manual processes (especially at the front
end) is expected to drop from 37 per cent to less than half
that (17 per cent) in the next three years.
Global approach
Elements of sanctions compliance, from setting strategy
to overseeing lists, can be run at global, regional or local
levels, however a global approach seems most popular.
Indeed, 55 per cent of respondents’ companies set sanctions
compliance policy at the global level and 40 per cent
develop and oversee sanctions compliance and procedures
at a global level.
More than one-third of financial executives indicated
that their companies’ board and C-suite executives communicate
on sanctions compliance across all geographic
regions, co-ordinating efforts globally.
“Despite a slowly shrinking global economy in recent
months, the speed with which money is changing hands
throughout the financial services industry and beyond has
remained unchanged,” notes Deloitte Forensic and Dispute
global leader Tim Phillipps. “Finding a needle the size of a
few million laundered dollars in a billion-dollar haystack of
legitimate transactions can be a challenge for any multinational
organisation, but it should remain a global priority
for management.” R

RESEARCH
INSIDER THREAT
• US organisations lost 7 per cent of their annual revenues
to fraud committed by employees between 2006
and 2008, for an estimated total cost of $US994 billion
in losses.
(Association of Certified Fraud Examiners, 2008 Report to
the Nation on Occupational Fraud & Abuse)
DATA BREACHES AND DATA LOSS
• The average cost per compromised record is $US202.
• The average cost of a data breach to an organisation is
$US6.65 million.
• Lost business and customer churn account for nearly
70 per cent of the costs of a data breach.
• Healthcare and financial services organisations lose the
most customers following a data breach.
(Ponemon Institute)
• Seventy-four per cent of data breaches resulted from
external sources; 20 per cent were caused by insiders.
• Thirty-eight per cent of data breaches involved the installation
of malware on a system or network.
• Cardholder data was compromised in 81 per cent of
breaches; personally identifiable information was compromised
in 36 per cent; and intellectual property in
13 per cent.
• The value associated with selling credit card data has
dropped from between $US10 and $US16 per record
in mid-2007 to less than $US0.50 per record today.
(Verizon Business)
IDENTITY THEFT
• One in five online consumers has been a victim of cybercrime
in the last two years to the tune of an estimated
US$8 billion.
• 1.2 million consumers have had to replace their computers
over the past two years due to software infections.
(Consumer Reports National Research Center, Consumer
Reports State of the Net 2009 Report)
• Eighty-five per cent of respondents in the 2009 Consumer
Awareness Survey expressed concern about the
safety of sending information over the internet.
• Fifty-nine per cent of respondents expressed a need for
improvement in the protection of the data they submit
over websites.
(Identify Theft Resource Center)
Are you ready for some scary statistics? RSA, the security
division of EMC, has just released its third quarter Security
Statistics Review. Here are some of the more frightening
findings.
• Internet fraud increased 33 per cent in 2008 over 2007.
• Fraud losses in the US reached a record high in 2008.
(Internet Fraud Complaint Center [FBI], 2008 Internet
Crime Report)
• Online banking fraud losses totalled £52.5 million in
2008 – a 132 per cent increase from 2007 losses.
(APACS [UK Payment Card Association])
32 RISK August 2009

RISK COMPLIANCE AND SOFTWARE DIRECTORY
Supporting the Risk
Management Life
Cycle
risk decisions
management solutions
The new saltTM
Enterprise
Online Legal Compliance Training
“Best Compliance Training Program”
LearnX Asia Pacific awards 2008 and 2009
To learn more about our broad range of
legal compliance courses contact us on
1800 676 011 or visit our website.
www.riskdecisions.com
WWW.COMPLIANCE.BLAKEDAWSON.COM
www.riskmanagementmagazine.com.au/Directory/Compliance-Risk-Software

RESEARCH
PHISHING AND MALWARE
• Online criminals engaging in the distribution of rogueware
and malware can earn $US10,800 a day.
(Finjan Cybercrime Intelligence Report)
• One per cent of computers worldwide are infected by
malware designed to steal sensitive information.
• Thirty-five per cent of infected PCs had up-to-date antivirus
software installed.
(Panda Labs)
• A webpage is infected every 4.5 seconds.
(Sophos Security Threat Report 2009)
• Twenty-three per cent of people worldwide will fall for
spear phishing attacks.
• Sixty per cent of corporate employees who were susceptible
to targeted spear phishing responded to the
phishing emails within three hours on average.
(The Intrepidus Group)
• Cybercrime is costing Australian businesses more than
$600 million per year.
(Australian Institute of Criminology)
• Web malware infections surged 582 per cent in 2008
• Data-theft Trojans rose 1559 per cent in 2008.
• Top five verticals susceptible to web malware infection
include energy and oil, pharmaceuticals and chemical,
engineering and construction, transportation and shipping,
and travel and entertainment. This is attributed
to the vast amounts of IP stored by these sectors.
(ScanSafe Annual Global Threat Report)
• The volume of phishing attacks detected by RSA during
2008 grew 66 per cent over those detected in 2007.
• In 2008, 44 per cent of phishing attacks were hosted
on fast-flux networks.
(RSA Anti-Fraud Command Center)
• Eighty-one percent of domains used for phishing are
legitimate domains that have been compromised.
• The average uptime for a phishing site is 52 hours.
(Anti-Phishing Working Group [APWG], Global Phishing
Survey: Trends and Domain Name Use in 2008)
• There was a 40 per cent increase in the number of US
consumers that lost money to phishing attacks in 2008.
• The average consumer loss in 2008 per phishing incident
was $US351.
(Gartner, The War on Phishing is Far From Over report)
• More than one million drive-by download pages have
been detected monthly. A drive-by download page is
one that hosts malicious software where, if users visit the
website and their computers are vulnerable, they can
be exploited without their knowledge.
(Microsoft Security Intelligence Report, April 2009)
MEDICAL/HEALTHCARE
• In the first half of 2009, the medical/healthcare sector
accounted for 13 per cent of data breaches, but an
astounding 70 per cent of compromised records.
(Identity Theft Resource Center)
GOVERNMENT
• According to the US Computer Emergency Readiness
team (US-CERT), in 2008 there were 5488 installations
of malware and hostile programs on government
computers.
• The destruction from a single wave of cyberattacks on
critical infrastructures could exceed $US700 billion,
according to research from the US Cyber Consequences
Unit.
MISCELLANEOUS
• Twenty-nine per cent of survey respondents indicated
that they were “very concerned” about their sensitive
data; 56 per cent said “somewhat concerned”.
• Twenty-two per cent said their organisation had already
found sensitive data on SharePoint sites.
• Twenty per cent did not know if they had suffered a
security breach; 9 per cent have “possibly” or actually
suffered a breach.
(Courion Corporation, Security of Microsoft SharePoint
Sites) R
34 RISK August 2009

“ONE
ALEX
BROWNE
THERE’S ONLY ONE
ONE
ALEX
ALEX
BRO-OWNE
THERE’S ONLY ONE
ALEX
BROWNE
BRO-OWNE.”
AON0024/HRM/424
Characters like Alex are virtually irreplaceable. Not just because they’re good to have around, but because of the vast
amount of knowledge and experience they bring to work each morning.
Plus, if Alex were to move on, or if he was to become injured or ill, it could take months – possibly years – of expensive
training until another employee attained his high standards. So he’s well worth looking after.
At Aon, we strive to help you provide safer, more appealing working environments for your employees through improved
OH&S, Workers Compensation and employee health initiatives.
So, we‘re also able to save you a great deal of time and money.
To get a better return on your biggest investment call 1300 850 784.
TODAY. TOMORROW. READY.