ANNUAL REPORT - Raiffeisen Informatik
VI.3. COMPLIANCE

Raiffeisen Informatik's growth and internationalization, and the increasingly stringent legal requirements of auditors, customers and diverse certification bodies, motivated us to review our legal compliance in 2011 and, as a consequence, to widen its scope and implement a legal compliance system for the company. On the one hand, this lowers the risk of criminal and civil law liability for employees, the management and the company itself; on the other, the legal compliance system will help to improve the company's reputation and guarantee the transfer of legal knowledge. To this end, a Governance Risk Compliance Committee was founded that has the responsibilities of the compliance officer.

The members of the Governance Risk Compliance Committee (GRC-C) are the heads of the following departments: Group Audit, Personnel, Information Security Management, Management & Audit Services, Organization, Finance and Legal & Corporate Investment Management. The goal of the Committee is to harmonize compliance throughout the company and develop a holistic understanding of compliance. The GRC-C is responsible for monitoring compliance with legal provisions, regulations and internal corporate guidelines.

The core tasks of the Risk Compliance Committee are summarized as follows:

1. The development of internal guidelines, processes and organizational rules which help to guarantee that Raiffeisen Informatik, its bodies and employees act in compliance with the rules and regulations.
2. Monitoring employees' behaviour.
3. Ascertaining any breaches of rules and taking corrective measures.
4. Training and consulting for employees.
5. Discussion of compliance-relevant matters among the members of the Committee.

The core tasks of the Committee listed above are discussed and carried out on a regular basis. The actual implementation of the individual measures is done by the members responsible for the area concerned. The members also inform the Committee on an ongoing basis of the progress achieved. The Chairperson and the Vice Chairperson of the Committee are available to employees, and also for external inquiries, by e-mail at compliance@r-it.at.

The GRC-C presents an exhaustive Compliance Report to the management board of Raiffeisen Informatik twice a year. The corresponding summary report is also presented regularly to the Audit Committee of the company. The purpose is to present the status quo of current compliance projects and to identify weak spots and risks. An important instrument available to the GRC-C is compliance risk assessment. Risks relating to the company are regularly surveyed by the staff unit "Risk Management and Group Audit" at workshops and monitored by the group "Legal". The workshop is held once a year for every department and/or organizational unit. The list of questions on risks includes the following themes: business crime, inside dealings, anti-corruption measures, anti-trust law, labour law, representation authorization, intellectual property rights and data protection. The objective of the risk assessment is to check compliance with laws and current work instructions as well as to raise awareness of the matter among employees. The extensive legal compliance programme of Raiffeisen Informatik is described in a compliance manual and communicated internally.

Furthermore, a Code of Conduct has been published for all employees as guidance on how to act. The Code of Conduct is an element of the general employment terms and is binding for daily business operations. It also covers the topics of data protection, bribery, corruption, confidentiality, market abuse, inside dealings, trust law, bookkeeping and finances.

In 2012, some major steps were taken to advance the compliance system and position it firmly within the company. The measures included:

■ A comparison of the compliance system with the German auditing standard IDW PS 980 and, for the first time, its use at an audit with a positive outcome
■ Numerous training courses
■ Execution of a legal compliance assessment
■ Compliance focus on the theme of information security management
■ A number of preparatory training courses and management interviews on anti-corruption laws that take effect in 2013

VI.4. RAIFFEISEN INFORMATIK CODE OF CONDUCT

Raiffeisen Informatik is committed to sustainable corporate management and to social responsibility vis-à-vis customers, employees, owners and society. Raiffeisen Informatik always follows the law, rules and regulations of the countries in which it does business. A special focus is placed on mutual respect, honesty and integrity, and corrupt business practices are never used. For this reason, a binding set of rules was defined in 2011, namely the Raiffeisen Informatik Code of Conduct (CoC), that applies to the everyday business practices of all employees and is the valid Code of Conduct of the company.

The Code of Conduct provides clear rules for the business, ethical and social activities of Raiffeisen Informatik employees. The Code of Conduct is binding on all employees of the Raiffeisen Informatik Group and guarantees compliance with the highest standards in business dealings and ethical behaviour. It is based on the Raiffeisen principles and is oriented on the concrete requirements of routine business activities within the country and abroad. The Raiffeisen Informatik Code of Conduct is supplemented by the comprehensive Raiffeisen Informatik compliance programme (work instructions, web-based training, seminars, etc.). These translate the principles of the Code of Conduct into concrete rules for everyday business practices.

VI.5. COMPUTER EMERGENCY RESPONSE TEAM (CERT)

The protection of a company's data is one of the core areas of competence of Raiffeisen Informatik. Above all, cyber crime, which is ubiquitous due to the global networks based on the Internet, poses a fast-growing threat to companies. IT officers and IT security experts are constantly faced with new challenges. Today, Internet attacks come from all over the world.

The global security network FIRST was founded in 1990 and currently consists of over 274 CERT teams in 59 countries that work together internationally. Together, security gaps are identified, processed and preventive measures taken. The international teams report the latest security incidents to the FIRST association, which acts on them by issuing warnings, alerts and advice to the member companies. This direct worldwide network for sharing information on security incidents gives member companies an advantage in terms of knowledge and time in the fight against computer crime.

Raiffeisen Informatik sees its function in proactive responsibility for the security of the data and IT infrastructure of its customers. This is why Raiffeisen Informatik was the first Austrian IT service provider to become a member of the FIRST network and to set up a "Raiffeisen Informatik Computer Emergency Response Team" (CERT) as early as 2009. The CERT team of Raiffeisen Informatik is made up of the security specialists of the Raiffeisen Informatik Security Competence Centre in Zwettl. Inclusion in this circle of security experts is achieved by being nominated by at least two current members and by meeting diverse requirements such as the implementation of a functioning information security management system.

Furthermore, at the European level, Raiffeisen Informatik was named "Trusted Introducer" and listed by the "European Network and Information Security Agency" (ENISA), which is an institution of the European Union, as the Austrian contact for security matters.