October 2015 | The Official Magazine of The GRC Institute

Boosting influence of compliance and risk professionals

Self-defeating Devices
The challenge of unethical business culture and inconsistent regulation

Maybe the sky is falling
Cybersecurity needs integrative approaches

Bringing workplace diversity into the mainstream
The value of an inclusive workplace

Doing Business in Asia
Considering the culture behind the business


GOVERNANCE • RISK • COMPLIANCE

GRCI’s Graduate Certificate in Compliance

Management 91517 NSW has been designed

exclusively for senior governance, risk and

compliance professionals looking to further

develop skills for career progression to the most

senior level.

Considered the benchmark accreditation

for compliance professionals, this course is

a nationally accredited qualification.

This course offers you a career advantage

through demonstrable skill development over

an intense study period of four days. You will

also become part of a strong network of

professionals supported by GRCI, including

special events exclusively for CCP alumni.

Dates for 2016 courses will be announced shortly

Certified Compliance Professional (CCP)

For more information and bookings please visit:

www.thegrcinstitute.org or email

education@thegrcinstitute.org


Contents

Cover story

Boosting influence of compliance and risk professionals

Risk and compliance professionals are not always consulted or their advice is not always listened to at management or board-level discussions on strategy.

Change Meridian managing director Michelle Gibbings has produced a whitepaper titled Stepping Up: Taking Governance, Risk and Compliance Professionals to the Next Influence. It was based on research conducted between June and August 2015, which stated that 70% of respondents in the risk and compliance industry felt they had not been consulted on an issue on which they felt they should have been consulted.

MD's Message

News

Best links from the web

News features

Doing business in Asia

When conducting business in other countries or regions, one must be aware of the cultural and maturity differences in regulation as it pertains to risk and compliance.

GRC2015 Conference Workshop Highlights

Self-Defeating Devices: The Challenge of Unethical Business Culture

In the Thomson Reuters Accelus 2014 report entitled, The Rising Costs of Non-Compliance: From the End of a Career to the End of a Firm, Stacy English and Susannah Hammond said that, “Many of the compliance failures and weaknesses in systems or procedures that are now being punished are a direct result of cost cutting.” At the end of 2008, a Thomson Reuters survey revealed that 56% of the 280 compliance practitioners who participated in the survey believed their budget would be cut or frozen.

Bringing workplace diversity into mainstream

Flexible work options are an issue affecting many. In particular, women, older workers and those returning to the workforce can all benefit from a change in attitude to workplace diversity.

Support groups for working women making a difference

Women in Business and Finance (WiBF) Chief Executive Officer Amanda Dobbie says that the WiBF, which was launched in 2000, “…started as flagship program to assist women in the industry.”

Student Profiles

Profiles on students who recently completed the Graduate Certificate in Compliance Management.

Writing outside of compliance and risk

Some risk and compliance professionals say that the lack of focus on ‘soft’ skills, like communication, is one of the barriers to GRC being integrated fully into the decision-making process in many organisations.

Institute news

The latest from the GRC Institute.

Contact us

GRC Professional is the official monthly

publication of GRCI in Australia, New

Zealand, Hong Kong & South-East Asia.

GRC Institute

President: Carolyn Hanson

Vice President: Lois McCowan

Director: Craig Greenwood

Director: Susan Cretan

Director: Stephen Luk

Director: Christine Mead

Director: Alexi Paxinos

Director: Sasha Culjkovic

Director: Martin Tolar

Managing Director:

Naomi Burley

naomi.burley@thegrcinstitute.org

Business Development Manager:

Elizabeth Kent

liz.kent@thegrcinstitute.org

Ph: +61 2 9290 1788

Fax: +61 2 9262 3311

www.thegrcinstitute.org

GPO BOX 4117 Sydney

NSW 2001 Australia

GRC Professional

Editor:

Kwame Slusher

Kwame.Slusher@thegrcinstitute.org

Advertising:

Naomi Burley

+61 2 9290 1788

naomi.burley@thegrcinstitute.org

Disclaimer:

While GRCI uses its best endeavours in preparing and

ensuring the accuracy of the content of this publication,

it makes no representation or warranty with respect to

the accuracy, applicability, fitness, legal correctness or

completeness of any of the contents of this publication.

Information contained in this publication is strictly for

educational purposes only and should not be considered

legal advice. Readers must obtain their own independent

legal advice in relation to the application of any of the

material published in this journal to their individual

circumstances. The Institute disclaims any liability to any

party for loss or any damages howsoever arising from the

use of, or reliance upon, any of the material contained in

this publication.


MD’s

MESSAGE

Embracing Change

There is nothing like a deadline to galvanise the mind – yes this column is a tad late – and, for once, it

feels like there is “too much” news to convey to everyone. Suffice to say, we have had a few changes

here! New Managing Director (myself), new Editor (Kwame Slusher) and new Business Development

Manager (Elizabeth Kent).

They will be introduced to you later in the magazine and those who attended our 19th Annual

Conference last week, will have had a chance to meet them, along with Clare Williams, our Membership

and Student Coordinator.

The conference was a great opportunity for us to speak directly with members and for the new team

members to get to know exactly who we are working with and for, as well as attending the sessions to

understand what we perceive to be the challenges you all face.

In addition to the conference, I have been fortunate enough to have a chance to catch up with

members in Sydney, Melbourne and Auckland and have frank one-on-one discussions about what you

need from us and what you need for your careers and organisations. Don’t worry Brisbane, Adelaide

and Perth – you are all next!

What I already knew, and just had reinforced by all these conversations, is that our members are

really smart people. People who are passionate, committed and equipped with an amazing depth of

knowledge about compliance and risk. But even they are challenged by the forces of organisational

power, vested interests, and lack of leadership will.

We have moved well beyond ‘checkbox compliance’ and have been much more mature than that

for some time. However the messages throughout an organisation can often contradict what we know

and make embedding a compliance and risk framework that much harder because in doing so people

have to change: their minds; the way they work; how they think about compliance and risk; and whose

responsibility it is to make it a success.

This is the feedback from our members and our challenge is – how can we help them equip

themselves to influence within their organisations and get their message through? How can the GRC

Institute advocate on their behalf to show the value of the compliance and risk functions in their

organisations that aren’t being capitalised upon?

GRC2015 was just one way we worked to provide access to great speakers and challenging

workshops to assist. We’ll continue with our delivery of courses that provide education and skills in

core compliance and risk competencies; they are necessary and valuable for incoming professionals.

At the same time, for our really experienced and knowledgeable members it’s time for us, and them,

to be able to step up to showcase for the market this generational change for compliance and risk:

it can provide immense value to an organisation and while it is silenced it cannot reach its potential

and neither can the organisation. With your input we hope to be able to develop some more genuine

thought leadership activities, events and whitepapers that will assist members with making those

inroads necessary to really achieve professional success.

Naomi Burley,

Managing Director, GRCI.


NEWS

Maybe the sky is falling

On 25 September 2015, RSA Archer Australia and New Zealand

Director Chad Alpert spoke at the RSA Breakfast Roundtable

meeting hosted at the GRC Institute. The presentation was titled,

Intelligence Driven Security: The Need for Risk and Compliance.

Organisations, large and small, are faced with a contradictory

task: to balance the need to maintain an active internet

presence for the purposes of marketing and networking with the

need to protect themselves from cyber-attack.

Alpert highlighted the release of Gartner’s Strategic Planning

Assumption 2015 that stated by 2020, less than five percent of

organisations globally will be making board level decisions on

risk without consideration for the information technology impact.

This is because, at board level, organisations must realise they will

own the risk; a cyber-attack is just a risk with a heavy information

technology base.

Alpert also mentioned the Verizon Data Breach Investigation

Report that stated 70% to 90% of all malware was tailored

specifically to target individual organisations.

“So, think about this: we are dealing with adversaries who seem

to have the power, and the momentum, and the desire to create

custom attacks for each organisation they are going after. We’ve

got an increase in compliance and regulatory obligations, but we’re

not getting corresponding organisational investment to balance

that massive increase.” Alpert added that boards want to maintain

their digital intellectual property because of reliance on Information

Technology.

However, he explains that, “[Organisations] have had a massive

investment over the years of trying to build a bigger wall in front

of their building, to stop the bad guys getting in - dig a deeper moat

around my castle [and] find ways to protect myself.”

The problem is balance. “We all want to be social, but to be

competitive in today’s market, we’ve got to leverage technology

because the cost of human capital is so high for a lot of the mundane

things you can do. You’ve got to find ways to drive better automation.

I think where the security industries typically failed in the past is the

‘Chicken Little’ conversation.”

Alpert named the millennium bug as the quintessential example of

the “sky is falling” phenomenon, where businesses were told that

“…If we don’t update every single piece of code globally…”

the world is going to end. However, because the issues were

minimal in the end, the challenging aspect of “Chicken Little”

conversations now is convincing companies to take new threats seriously.

As technology develops, so do new threats.

Organisations have to learn that leveraging technology is critical

to societies dependent on information technology for day-to-day

things. “No, information technology is not going to fix the water

crisis, but we’re not going to fix the water crisis without investment

by organisations to leveraging technology.” The key to leveraging

technology is integrating GRC with IT. There is a need to move

away from the debilitating silos that separate them.

Alpert stated that the World Economic Forum placed the threat

of cyber-attacks higher than that of terrorist attacks, and a

higher concern than the food crisis. So the question is now how

to talk to business about risk and compliance management, while

integrating the growing significance of information technology

to organisations.

“Building bigger walls isn’t the right approach,” Alpert

stated. “We need to re-proportion where we invest our money,

and we need to invest it across people processing technology. It’s

not about more controls, it’s about better use of the controls.”

“Target got breached, not because they didn’t have the

firewalls, the antivirus, or every possible security tool under

the sun. They got breached because they weren’t able to quickly

enough mobilise the identification of a threat, to make sure that

the right people were aware, with the right knowledge and the

right processes in place to react to it…,” Alpert said.

According to a 2014 article on Bloomberg Business, co-written by

Michael Riley, Ben Elgin, Dune Lawrence and Carol Matlack and

titled Missed Alarms and 40 Million Stolen Credit Card Numbers: How

Target Blew It, in the lead-up to Thanksgiving in 2013, “…someone

installed malware in Target’s (TGT) security and payments

system designed to steal every credit card used at the company’s

1,797 US stores. At the critical moment—when the Christmas

gifts had been scanned and bagged and the cashier asked for a

swipe—the malware would step in, capture the shopper’s credit

card number, and store it on a Target server commandeered by

the hackers.”

Since the digital arena touches every aspect of business

operations, it is difficult to keep adversaries out. What an

organisation can do is try to mitigate the damage by keeping

them from extracting that critical information.

Target is the perfect example of a company that invested

heavily in raising its walls higher and still was unable to protect

itself because of the lack of integration between the GRC

function and IT.

The answer, then, is integration—to have conversations

that link all the silos together to not only allow organisations

to protect themselves against ever-evolving threats, but also to

allow them to see and exploit opportunities the ‘risk landscape’

can create.

The companies represented at the RSA Breakfast

Roundtable included:

• Grant Thornton Australia

• Toyota Finance

• Australian Prudential Regulation Authority (APRA)

• St. Catherine’s School

• Clayton Utz

• ClearView

• Commonwealth Bank of Australia •••

Best from around the web

These were the stories being discussed at the GRC Institute this month:

• More Scrutiny for foreign money coming into Australia

• Santander sets aside £43m for investment advice claims

• Risky Business: Money Laundering and the City

• EU Rules Bitcoin is a Currency, US Says Bitcoin is a Commodity

• ASIC use of customer complaint data helps ANZ proactively report breach

• Deutsche Bank Is Expected to Settle Sanctions Violation Case for at Least $200 Million

• Australian tourism, education, agriculture - new export opportunities in China?

• Qantas, Virgin to appear before credit card inquiry

• Macquarie and CBA in global top 100


GRCI News

From the Australian

Securities and Investments

Commission

Australia and New Zealand Banking Group has been inaccurately

applying bonus interest to Progress Saver Accounts. Now, ANZ is

compensating 200,000 people approximately $13 million.

The breach was discovered following a customer complaint and

the ANZ advised ASIC that it will assess the financial impact on all

PSA holders.

According to ASIC “PSA holders qualify for bonus interest

payments in any particular month if they satisfy deposit and

withdrawal requirements for that month. ANZ misaligned the

monthly cycle it applied to determine whether a PSA holder was

eligible for bonus interest payments and the monthly cycle it applied

to calculate bonus interest payments. This issue was limited to PSA

holders who made qualifying deposits or disqualifying withdrawals

near the end of their monthly interest cycle, and did not impact the

payment of bonus interest in other circumstances.” •••

From Australian Forum

The Migration Institute of Australia says that more needs to be done

to check that money brought into Australia for investment is clean.

According to the Australian Forum “The MIA represents

professional registered migration agents across Australia and

overseas, many of who work every day with foreign investors. The

MIA makes every effort to educate its members regarding the current

legislative requirements foreign investors need to meet to ensure all

investors they deal with have earned their money legitimately.”

Recommendations are being considered to improve the local

anti-money laundering regime as a part of a review of the Terrorism and

Financing Act 2006. •••

From The Mandarin

According to The Mandarin, Australia has slipped two places in a

survey on regional cyber security maturity, prompting calls to rethink

security strategies.

The Mandarin states “The co-author of the Australian Strategic

Policy Institute’s second survey of cyber maturity in the Asia-Pacific

region, Dr Tobias Feakin, says Australia has lost ground relative to

progress made in Japan, South Korea and Singapore.”

The Mandarin continued “The new cyber scorecard comes as the

Australian government is preparing a major report on cybersecurity,

co-ordinated by the Department of the Prime Minister and Cabinet

and led by first assistant secretary (cyber policy and intelligence)

Lynwen Connick. And the latest State of the Internet security report,

from Akamai Technologies, confirms the scale of the security

problem is growing every year, as is the sophistication of attacks.”

Despite the fact that online crime is a global problem, there are

still significant differences between countries and their ability to

respond to cybercrime.

“Australia’s growing digital economy and our rapid integration

into the wider Asian economy means a broader approach to risk and

associated protections is required.”

According to the ASPI, South Korea, Singapore and Japan

are noteworthy for their centralised cyber policy governance

frameworks.

“This has recently occurred in Canberra, where much of the

Australian government’s digital functions have been brought into the

Prime Minister’s Department. There has also been the appointment

of a Minister assisting the Prime Minister for Digital Government,

Senator Mitch Fifield.” •••

From The Australian Financial Review

A Ponzi scheme is being cited as the reason for the $140 drop in Bitcoin.

According to the Australian Financial Review “Bitcoin surged above $US500 on the Bitstamp exchange on Wednesday, before falling back

to $US408 later in the day as reports spread of a wave of new Chinese members of a bitcoin pyramid scheme set up by a Russian con artist. On

Thursday it fell another 3 percent, to $US395.”

The sharp drop was a result of a network called MMM owned by Sergey Mavrodi, a former member of the Russian parliament who was once

incarcerated for fraud.

According to the AFR, the website for the scheme calls “honest people to participate together to make the world a better place”, and

promises a 30 percent monthly return, with a 10 per cent bonus for referring another person to the scheme.

Fiat currency and bitcoin trader Ashraf Laidi says that the sharp sell-off caused by the Ponzi scheme is another unfortunate blow to the

image of bitcoin. •••



IN DEPTH

Doing business in Asia

When conducting business in other countries or regions, one must

be aware of the cultural and maturity differences in regulation as it

pertains to risk and compliance.

In a recent interview with

GRC Professional, Commonwealth Bank Australia

Chief Risk Officer CFS GAM Margaret Ammon

said that business in Asia might be more different

than people appreciate. Ammon was the Schroders

Asia Pacific Head of Risk, based in Singapore before

coming to work for CBA.

“Some of the practices and expectations that we

take very much for granted in Australia and the UK

are not the way it’s done in Asia. If you think about

the curve of maturity around risk practices, then I

would suggest that the UK and Australia are ahead of

Asia — and that is a bit of generalisation - but if you

think about it that way, there are still some areas for

development.”

Ammon explained that, in Australia and the UK,

the functions provided by compliance and risk teams

are defined more clearly than they are in Asia. As a

risk professional, she stated that, in Asia, there was

less focus on the independent risk function. So, one

has to get accustomed to the Asian expectation.

In Asia, every regulator wants its own regulatory

framework. The challenge in a regional role,

therefore, is that each regulator interprets the

underlying architecture differently.

That makes it difficult, in this era of cost-cutting and

simplicity, to build a framework that accommodates a

variety of regulatory processes. The existing regulatory

structures in Asia are a long way away from matching

the Australian regulatory environment.

The challenge, Ammon indicated, is that there

exists a measure of competitive tension to the

financial services hub within Asia.

Singapore-based GRC Solutions Asia General

Manager Sam Gibbins said that financial institutions

in South Asia have been complaining about the

increasing regulatory red tape.

He added that there is also the complication

of digital disruption that will require increased

regulation to contend with the possible restructuring

of financial and business frameworks. The problem

with digitisation of certain traditional structures is

that it creates new challenges for cybersecurity – this

is an issue even for countries with a more established

regulatory framework, like Australia.

However, Ammon said that business in Asia

remains “old school” in nature; thus, conversations

about digital disruption are not taking place at the

same level as elsewhere.

Gibbins said that Hong Kong and Singapore,

as ex-colonies, have traditionally been inundated

with expatriate workers; however, with the drive to

consider compliance more seriously also comes the

drive to source and develop the local talent pool.

Both Gibbins and Ammon see opportunity in

the increasingly complex landscape. As Ammon

explained, “One thing that Asia is renowned for,

beyond financial services, is to evolve. There is

always someone out there looking to do something a

bit smarter, a bit quicker and a bit cheaper.” •••



GRC 2015

Highlights

Bringing GRC and

strategy together

Sector Seven legal practitioner

Director Deborah Latimer was the presenter of the

workshop Strategy and Risk: Changing the Dynamic at the

recent GRC2015 Conference.

“The central question of this workshop is how

to use the dynamic between strategy and risk to

deliver value to shareholders for better business

performance,” she stated.

She said that she has had a lot of experience

in trying “to push risk into the strategic

conversations”—two things that, traditionally, have

been quite separate. However, she contended that

risk provides information for decision making and it

provides a process for determining the outcome.

“If you think about strategy and risk, they are both

fundamentally about making choices. So, if you’re

setting strategy, it’s all about making choices about

what you want your future to look like, and if you

think about risk, risk is all about balancing options.”

Another problem Latimer noted is that GRC

professionals tend to be perceived as technical,

but increasingly, they need to have the right

communication skills to get into that conversation, in

order to have influence at the strategic level.

“Risk practitioners really need to think about their

role a bit differently in order to do this. It’s not about

expounding risk management theory and compliance

theory, it’s actually about having a different

conversation at a different level and really integrating

risk into the decision making…to add value,” she

explained.

Sector Seven Director, Deborah Latimer

Those who attended the workshop were asked to

consider four questions that “touch on the levers” of

decision making in risk and strategy:

1. What are the risks to which the strategy exposes

the enterprise?

2. What is the risk appetite?

3. How will the risks assumed be managed?

4. How will the enterprise capitalise on the risk?

The workshop Strategy & Risk: Changing the Dynamic

was one of five concurrent workshops held at the

GRC2015 Conference. •••

How to make the

right decisions

Decision makers, like compliance

and risk professionals, are not always aware of the

mental shortcuts and unconscious biases that may be

influencing their decision-making.

Change Meridian Founder and Director Michelle

Gibbings was the presenter of the workshop The

Dangers of Decision Making, at GRC2015.

The workshop was designed to help compliance

and risk professionals understand their own

unconscious bias—how one might think a decision is

rational, but in actuality, it is not.

“We often judge based on things that have

happened in the past. When learning to drive a car,

you have to consider every single action, but after you’ve

been driving for a while, you no longer have to think

about it,” Gibbings explained.

The brain selectively focuses on information and

rejects things that have different perspectives. The

workshop encourages participants to use a more

systematic process that will result in a “diversity of

opinions”.

In the world of risk and compliance, that little bit of

data or incident that a compliance or risk professional

overlooks may result in lasting consequences.

Gibbings explained that, when making everyday

decisions, people use heuristics, or mental

shortcuts. But decision making is fundamental in risk

and compliance, so it is important to understand the

complexity of the decision-making process.

Workshop attendees were introduced to tools and

techniques to overcome unconscious bias and to help

“rewire” their brain.

Change Meridian Founder and Director Michelle Gibbings

The workshop was interactive; however, reading

material was also provided to assist in consolidating

the lessons learned.

For all GRC professionals Michelle recommends

reading:

• Thinking, Fast and Slow, by Daniel Kahneman

• Brain Rules, by John Medina

• Your Brain at Work, by Dr David Rock

• The Honest Truth about Dishonesty, by Dan Ariely

The workshop The Dangers of Decision Making

was one of five concurrent workshops held at the

GRC2015 Conference. •••

The Science behind

building an effective

GRC Culture

There are many challenges to

building effective GRC culture in organisations.

One of the most challenging elements to achieving

such a culture is change. This is not just change

within the market place, but also change in thinking

about human behaviour in an ever evolving social

environment.

Fortinberry Murray Principal Dr Bob Murray

presented a workshop titled The science behind building

an effective GRC culture at the GRC2015 Conference,

stating that many GRC theories are based on old

psychological ones, and that this is why so many of

them fail.

“People used to think the best way was to give

people facts and they would follow instructions,” he

said. He added that now, it is considered an erroneous

assumption that people make decisions based on

fact and reason; many decisions are often made

irrationally.

In his article, The Science behind Creating the Right

Culture for your Organisation, co-authored with Alicia

Fortinberry, Murray shows that challenges to

organisational structure can be seen in all industries.

“It is a common misconception that an organisational

culture can be summed up by a series of vague,

quasi-value terms, such as integrity, entrepreneurial,

excellence or respect. These often tend to be a

managerial wish-list, rather than any real description

of what people actually believe or the way they

actually behave.”

Fortinberry Murray Principal Dr Bob Murray

Murray said that his workshop was designed to

enlighten people on the new science of thinking,

bringing to light some key elements of a new

understanding of human behaviour that would help

GRC professionals have a clear understanding of how

they can build an effective GRC culture.

The workshop looked at how to consider trust,

stress and influence, as well as how to create a

high-performing team. •••



comment

Self-defeating devices:

Challenge of Unethical

Business Culture and

inconsistent regulation

In the Thomson Reuters Accelus 2014

report entitled, The Rising Costs of Non-Compliance: From

the End of a Career to the End of a Firm, Stacy English

and Susannah Hammond say that, “Many of the

compliance failures and weaknesses in systems

or procedures that are now being punished are a

direct result of cost cutting.” At the end of 2008, a

Thomson Reuters survey revealed that 56% of the

280 compliance practitioners who participated in the

survey believed their budget would be cut or frozen.

Fast forward to the Volkswagen scandal.

Earlier this month, the Australian Competition

and Consumer Commission Chairman Rod Sims

stated that, “…using defeat devices is specifically

prohibited under the Australian Design Rules,

which are picked up as Australian Consumer Law

(ACL) mandatory safety standards.”

He added that, “Businesses must be able to

substantiate any claims they make. The ACCC will

be seeking marketing materials from VW Group

and will not hesitate to take action if consumers

were exposed to false, misleading or deceptive

representations.”

The briefing indicated that the maximum

penalty per breach of the ACL is $1.1 million for a

corporation. Of the 11 million compromised VW

vehicles sold worldwide, more than 90 thousand

have been sold in Australia.

Wider implications

The VW scandal offers an opportunity to ask general

questions about the industry and the checks and

balances that supposedly ensure certain

standards. There are implications that transcend the

ex-CEO and the allegedly small group of culpable

employees, and even VW.

This should not be seen as some kind of VW

witch-hunt but a wake-up call, and this is not the first

one. There was controversy surrounding the 1971

Pinto when it was discovered that the structural

design allowed the fuel tank filler neck to break

off and the fuel tank to be punctured in a rear-end

collision, resulting in fires from spilled fuel. A spark

is all that would be needed and the car would be

engulfed in flames.

According to an article posted on The Engineer,

“According to Ford’s estimates, the unsafe tanks

would cause 180 burn deaths, 180 serious burn

injuries, and 2,100 burned vehicles each year. It

calculated that it would have to pay $200,000 per

death, $67,000 per injury, and $700 per vehicle, for

a total of $49.5 million. However, the cost of saving

lives and injuries ran even higher: alterations would

cost $11 per car or truck, which added up to $137

million per year.”

The article continued that when it was

discovered the gas tank was unsafe, no one reported

it to then President of the company, Lee Iacocca,

because that person would have been fired. “Safety

wasn’t a popular subject around Ford in those days.”

While the scenarios are quite different, the

question of cost is the common denominator.

As English and Hammond noted in their report

about non-compliant businesses, there are decision

makers that consider the consequences of cutting

costs as just the cost of doing business.

It raises some big questions about the

effectiveness of testing that would facilitate

enforcement of existing regulations, and how the

decision makers for companies perceive these

regulations through their own prisms of risk

appetites and risk cultures. One can even ask, apart

from regulatory structures, how much has really

changed between the Ford scenario in the 70s and

the VW scenario now. The sanctions for violating

existing regulatory structures are obviously not a

deterrent.

An article in the Economist titled, A scandal

in Motoring Industry: Dirty Secrets states that, “…

in Europe, emissions-testing is a farce.

The carmakers commission their own tests,

and regulators let them indulge in all sorts of

shenanigans, such as removing wing mirrors

during testing, and taping up the cracks around

doors and windows, to reduce drag and thus

make the cars burn less fuel.” So there is also the

problem of inadequate and inconsistent regulatory

guidelines that may permit this kind of unethical

behaviour.

In an article in The Conversation, Emory

University Director of Ethics and Servant

Leadership Program Edward Queen tries to

explain the VW scandal by pointing a finger at the

tradition of unethical behaviour in business. He

argued that, “…there is need to look at the broader

cultural realities that drive unethical decisions in

business, particularly the perception that the only

way of determining value and worth is money.”

While this assertion seems almost naïve in the

face of the fact that businesses are created to make

money, there is certainly a need to understand the

underlying value system that permits unpleasant

scenarios, like the 1971 Ford Pinto and the VW

emissions test scandal.

According to Business Australia writer Ben

Moshinsky, VW was not caught out by formal

testing procedures, but by a clean-air advocacy

group called the International Council of Clean

Transportation, who were testing VW vehicles

because they thought they would be a great example

of how diesel can be used as a clean fuel.

Moshinsky explained that on nearly 4,000

kilometres of highway, “The tests find that the

Volkswagen Jetta exceeds nitrous oxide caps by 15

to 35 times, with the Passat exceeding emissions

caps by five to 20 times.”

English and Hammond noted that regulators

do not trust organisations to regulate themselves.

In their report, they stated that, “Regulators

appear to have lost faith in firms’ ability to clean up

their own act; they are under pressure themselves,

and this has led them to seek more creative

measures to drive good behaviour and drive up the

cost and consequences of non-compliance.”

The challenge here is: what good are regulation

and regulatory bodies if they are unable to enforce

those regulations? The regulatory breaches by

Ford and VW are not just regulatory

breaches at big-name automotive companies, but

are also breaches in the regulatory structure itself.

However, it is clear that the consequences for

breaching restrictive regulation like the ACL are not

enough to inspire an ethical business culture. The

regulation must be enforceable, since it is not every

day that a well-intentioned advocacy group will

conduct independent testing and stumble across a

major discrepancy. •••


in depth

Boosting influence of

compliance and risk

professionals

Risk and compliance professionals are not always consulted, and

when they are, their advice is not always listened to at management

or board-level discussions on strategy.

Change Meridian managing director

Michelle Gibbings has produced a whitepaper titled

Stepping Up: Taking Governance, Risk and Compliance

Professionals to the Next Influence, based on research

conducted between June and August 2015. At the

beginning of the whitepaper she writes that “Given

the complexity of the business environment and

increasing expectations from Company, Boards and

Regulators, it’s not surprising that the role of the

governance, risk and compliance professional isn’t

getting any easier.” The research was undertaken

to evaluate the roles of GRC professionals in

organisations and see what can be done to increase

the value of that role within an organisation.

The whitepaper continues that “The majority of

governance, risk and compliance professionals said

they were consulted and their advice relied on when

the business was making decisions (65% and 57%

respectively).

“However, 70% also said there were situations

when they weren’t asked to participate or provide

advice on a decision that they felt they should have

been. 60% said there were decisions on which they

hadn’t been able to persuade the stakeholder to accept

their advice. Training, coaching or development

in leadership and business acumen was seen as

advantageous to helping them be more influential.

“More than 80% of respondents thought that

understanding and knowing how to effectively

manage and motivate behaviour change would help

them do their job more effectively.

“And yet, only 5% of respondents receive frequent

training in how they can understand and manage

behaviour change.” It also stated that 70% of respondents

in the risk and compliance industry felt they had not

been consulted on an issue on which they felt they should

have been consulted.

She writes that all this matters because having

an astute and adaptable GRC team whose advice is

heeded in strategic discussions will ultimately lead to

a better organisation. This includes not only focusing

on the development of technical skills, but “soft”

skills as well.

Gibbings explained that the findings confirmed

that GRC professionals are relied on for advice when

the business is making decisions, but many times this

advice is not heeded.

She added it was interesting that she got

respondents from all levels. Gibbings added that

“I think what’s good is that people were saying that

they were consulted, but there are obviously areas

for improvement, because some professionals were

saying that were always consulted.”

It is important that risk and compliance

professionals actually understand how to negotiate

outcomes, make better decisions, and navigate

through the complexity of an organisation.

According to the whitepaper, just over 60% believe

that strategy and business acumen training will help

boost the influence of compliance professionals

within an organisation.

GRC Institute Managing Director Naomi Burley

said that the observations in the whitepaper were

confirmed by senior members of the GRC Institute

and external recruiters.

“The members invest a lot of time in developing

themselves professionally, testament to which is the

number who have gone through our courses and

professional development. Anecdotally, we know

that they are also extending themselves

“There needs

to be a focus on

the development

on not just

technical skill,

but behavioural

skills as well.”

academically with other post graduate study and yet

their ability to influence upward and downward in

their organisations remains constricted.

“So we have a group of highly intelligent, highly

motivated and qualified people whose value to their

organisation can’t be capitalised on by themselves or

their employers because they are unable to sell their

own message, essentially. It’s not that their message

isn’t important or of value but it’s still far too easy for

staff, managers and the board to turn it back onto

GRC professionals and say that it’s their problem

to implement and not recognise their own role in

the compliance and risk framework structure,” she

added.

Despite the challenges that some GRC

professionals face within an organisation, the

whitepaper has also listed what the respondents

thought were the greatest opportunities in their roles:

• Establishment of CPS 220, which provides a

regulatory mandate to elevate risk management

• Achieving a better understanding of uncertainty

in decision making

• Changing the business’ perception so that

effectively managing risks leads to better

business results

• Compliance, governance and risk being seen and

embraced as a valued component of the business

and central to success

• Influencing cultural change through leveraging

of effective GRC frameworks

• Embedding an enhanced framework to manage

risk, reduce uncertainty, and prevent incidents

Building capability

Conclusion

The list of opportunities shows that the situation is

not all doom and gloom but work still needs to be

done so that these opportunities are available to all

GRC professionals in their respective organisations.

However, it is still important for risk and

compliance professionals to understand that they

need to step out of their technical purview and realise

that their professional development in ‘soft’ skills is

as important as their technical skills.

The GRC Institute Managing Director said,

“This is a critical time for GRC professionals. The

Institute will continue advocating on their behalf,

looking to demonstrate the value of our members’

expertise to the market, regulators and government

but we also see it as a key time for members to be

able to express this themselves. Ultimately, without

these skills, conversations within organisations

will be cyclical and rely on someone in leadership

in the organisation understanding the message

and selling it on their behalf. It may be time for

professionals to step up and be able to do some of

that selling for themselves and not have to wait for

this understanding to emerge on its own.”

Highlighted results from whitepaper:

• Over 65% of respondents said they were

frequently consulted on important business

decisions

• 57% said their advice was often relied on by the

business to make decisions.

• That said, close to 70% of respondents said

that in the last 12 months they faced a situation

where they weren’t asked to participate or

provide advice on a decision that they felt they

should have been involved with.

• Additionally, 60% of respondents said that there

were decisions on which they hadn’t been able

to persuade the business stakeholder to accept

their advice.

• This is not due to a lack of confidence. More

than 61% of respondents had a high or very

high level of confidence in persuading their

stakeholders to accept their advice. Just under

9% were at a low or very low level of confidence.

• Not surprisingly, over 97% of respondents saw

stakeholder management as an important part

of their role.

• In terms of training, coaching or support to

help them be more influential, the majority of

respondents were seeking either leadership

training and coaching (i.e. emotional

intelligence, behavioural skills) or strategy/

business acumen training and coaching (i.e.

strategic thinking, systems thinking, decision

making), or a combination of both.

• 77% of respondents viewed behaviour change as

an important part of securing good governance,

risk and compliance outcomes (rated as usually

and always).

• Additionally, more than 80% of respondents

thought that understanding and knowing how

to effectively manage and motivate behaviour

change would help them do their job more

effectively.

• And yet, only 5% of respondents receive

frequent training in how they can understand

and manage behaviour change. •••


in depth

Bringing workplace

diversity into the

mainstream

Flexible work options are an issue affecting many. In particular,

women, older workers and those returning to the workforce can

all benefit from a change in attitude to workplace diversity.

Retirement Commonwealth Bank

General Manager and Association of Superannuation

Funds of Australia Director Nicolette Rubinsztein

is an advocate for job flexibility, which was named

a key factor limiting workplace diversity in the

recent Morgan McKinley Women in Leadership

Whitepaper, Why, despite an increased focus, have we not

moved the needle on the diversity dial and what else can we do to

drive tangible results?

“Job flexibility is a capability that will help drive a lot

of acquisition and retention of valuable employees

for the companies that get it right,” Rubinsztein said.

“The end goal is for it to be an accepted norm that

both parents work part-time. So, if you are doing

four days a week, you both can really share that joy of

parenting,” she added.

In order for workplace flexibility to move into

mainstream acceptance, it cannot just be about

women looking for part-time or job-share options.

“Elizabeth Broderick began Male Champions

for Change, an initiative designed to encourage

men to champion part-time and job-share

opportunities in the workplace for both sexes,” she

explained. Elizabeth Broderick is the former Sex

Discrimination Commissioner.

“When you leave the workforce to look after your

children, you lose a lot of confidence – particularly

women who take multiple years out. They worry they

might not be able to re-enter at the same level. You worry

that someone else is doing your job. Do they still want

you back? Are you still needed? Even after having

done it three times, I still experience the same loss in

confidence,” Rubinsztein said.

In 2003, Rubinsztein left her job as General

Manager of Strategy at Colonial First State to have

her first child. When returning to work, she preferred

to do so part-time; however, because of this, she

expected to lose her position.

“Luckily, I had a very supportive boss. Actually,

I had supportive bosses all along. They allowed me

to work part-time, and I structured the part-time

arrangements such that, instead of coming in three

or four days a week, I came in every day and worked

from 7am till 1pm,” Rubinsztein said. Balancing work

and parenting still remained a considerable challenge,

but it helped that Rubinsztein also had the support of

her colleagues.

Rubinsztein added that the symbolic support of

CBA Chief Executive Officer Ian Narev, who has

been very vocal on the subject of workplace flexibility,

has been very important.

It is important to note that flexible work hours are

a key issue not only for women, but also in the retention

and support of older members of the workforce.

The FSC CBA Older Workers Report 2015 was a

collaborative effort between the CBA and the

Financial Services Council. The report reveals that

“…thirteen per cent of respondents in this year’s

survey reported age-related discrimination because

they were over 50 – a significant halving of the 2012

response of 28 per cent.” On the issue of flexibility,

the report said that, “Over one third of the sample

(36%) felt that more flexibility in the workplace

(both hours and remuneration) would be the most

influential factor. Less than one in five said financial

incentives would encourage them the most.”

“Yet, despite this desire for flexibility, older

workers continue to feel that they should not have

to take pay cuts to stay employed, expecting the

same or higher salary levels than equivalent younger

employees. Forty-one percent of respondents

said they expect to be paid exactly the same as

any equivalent younger employee, while the same

proportion (41%) expect to be paid more because of

their experience and knowledge.”

“When it comes to flexibility, there is training that

all managers have to go through. The key is to find

the right boss and the right organisation that will be

willing to push beyond where the legislative mandate

stops,” Rubinsztein added.

Ideally, employees should not have to look for

specific organisations or employers for flexible job

options, but at the moment job flexibility is still going

through the advocacy process.

“I think we’ve got to the stage where we have both

a management that is vocal about wanting change,

and real champions in the industry for flexibility,

but the actual capability is still being developed,”

Rubinsztein said.

She will be publishing a book in 2016 that will

address challenges faced by career mums. •••


in depth

Support groups for

working women making

a difference

In the wake of the Morgan McKinley whitepaper, Why, despite an

increased focus, have we not moved the needle on the diversity dial and what else

can we do to drive tangible results?, GRC Professional went in search of

organisations that were looking to “move the needle on the

diversity dial” in their own way. Women in Business and

Finance and Women in Compliance intersect in their interest to

develop what Penny James, WinC co-founder, refers to as the

“female talent pool”.

WiBF Chief Executive Officer

Amanda Dobbie says that the WiBF, which was

launched in 2000, “started as a flagship program to

assist women in the industry.”

The organisation is very interested in looking

at gender imbalance across both the business and

finance sectors. Another of the WiBF’s goals is to

develop the female talent pool.

Dobbie stated that gender imbalances in the

banking and finance industry are rooted in deeper,

societal problems and cannot necessarily be solved

just through progressive corporate initiatives.

Inequality, she says, must be combatted at the

corporate level.

WiBF events are not gender exclusive. The

organisation realises that change can only happen if

issues like job flexibility and the gender pay gap move

into the mainstream.

WiBF is there to address the fact that, traditionally,

there have not been as many job moves and

mentorship opportunities for women as there have

been for men. Men are, however, encouraged to participate

in the WiBF’s regular events.

Dobbie adds that being aware of unconscious bias

does not necessarily alter the decision making process;

sometimes, however, it can justify gender-biased

decisions.

Women in compliance

Like the WiBF, Women in Compliance (WinC), co-founder

Penni James’ networking group, developed out of a

common need for a network for women working in risk

and compliance.

The establishment of WinC was not so much about

creating a networking group exclusive to women;

rather, it is about creating a safe place for discussion.

“There are other risk and compliance groups that are

not gender specific, but WinC came about because we

knew a lot of women who were interested,” James said.

She added that the creation and running of WinC

was her way of giving back to the industry.

James has been in financial services for 30 years,

but is presently Non-Executive Director at Colonial

First State, CommInsure and Avanteous.

The five-year-old networking group has links

in both Sydney and Melbourne, and reaches

approximately 800 members. Those members get

the opportunity to meet with other members from

different organisations, which ultimately can help

them to further their careers.

“I don’t think there is a competitive advantage

about who has the best compliance systems or the

best risk systems, so we can discuss concepts without

giving away the secrets of our organisations,” James

explained.

In addition to networking, the hope is to be able

to conduct discussions between members that help

raise standards across the industry.

While the networking and discussion group

is for women who hold senior positions in the

compliance field, where both technical and non-technical

aspects of compliance can be addressed,

James also hopes WinC can help develop the

female talent pool. •••


wynyard

report

$3.7 trillion lost

worldwide to white

collar crime

In 2014, Australia was famously described by the chairman of the

corporate regulator as a ‘paradise’ for white collar criminals due to

lax penalties.

According to the latest media reports

it seems Australia isn’t alone with this problem, as a

snapshot of white collar crime has shown that 5% of

an organisation’s revenue is lost to fraud each year -

translating to a staggering $3.7 trillion worldwide.

And over half of these businesses never recover

any losses.

This may be in part down to the fact that the

average time to spot the fraud is 18 months. By this

point, irreparable damage can be caused leading

to financial loss for the company, its customers

and stakeholders – not to mention a significant

reputational loss for the organisation itself.

With the increasingly sophisticated methods

employed by criminals to commit and conceal

fraud, it is therefore more important than ever that

organisations remain one step ahead and are able to

spot potentially fraudulent activity early in the threat

timeline.

The explosion in data has, for example, made the

investigative process more difficult to manage. A

vast amount of information, whilst offering a rich

source of evidence, can also make surfacing patterns of

suspicious behaviour like finding a needle in a

haystack.

According to Enterprise Tech, user-friendly

analytics tools with graphical representation tools

plus big data solutions and the ability to more easily

search and track fiscal anomalies, give financial

crime fighters a much stronger arsenal in their

ongoing battle against white collar crime.

For instance, with anomaly detection, thresholds

and rules are set. When a business rule is broken,

an alert is triggered, indicating that closer scrutiny

is required. This can be used to good effect within an

insurance company, for example, where analytics can

identify claims that have suspicious patterns - such

as when a customer submits an unusual number

of claims within a short period of time, or offers

multiple versions of an incident. Similarly, claims

might be flagged if they exceed a certain dollar

amount, or if a customer recently changed policy

coverage or failed to disclose previous incidents.
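
The threshold-and-rule approach described above, as an added example that is not part of the original article or of any vendor's product: a small Python rule engine run over constructed insurance claims. The field names, thresholds and rule names are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds are assumptions for illustration, not values from the article.
MAX_CLAIMS_IN_WINDOW = 2               # a third claim inside WINDOW breaks the rule
WINDOW = timedelta(days=90)
AMOUNT_LIMIT = 20_000.00
POLICY_CHANGE_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Claim:
    claim_id: str
    customer: str
    filed: date
    amount: float
    incident_ref: str                  # identifies the underlying incident
    account: str                       # the customer's description of it
    policy_changed: Optional[date] = None
    undisclosed_prior: bool = False


def _normalise(text):
    """Ignore case and spacing so trivial re-typing is not a 'new version'."""
    return " ".join(text.lower().split())


def evaluate(claims):
    """Return {claim_id: sorted names of broken rules} for claims needing scrutiny."""
    alerts = defaultdict(set)
    by_customer = defaultdict(list)
    for claim in claims:
        by_customer[claim.customer].append(claim)

    for history in by_customer.values():
        history.sort(key=lambda c: c.filed)
        # Rule: unusual number of claims in a short period (sliding window).
        start = 0
        for end, claim in enumerate(history):
            while claim.filed - history[start].filed > WINDOW:
                start += 1
            if end - start + 1 > MAX_CLAIMS_IN_WINDOW:
                alerts[claim.claim_id].add("claim_frequency")
        # Rule: multiple versions of the same incident.
        versions = defaultdict(set)
        for claim in history:
            versions[claim.incident_ref].add(_normalise(claim.account))
        for claim in history:
            if len(versions[claim.incident_ref]) > 1:
                alerts[claim.claim_id].add("conflicting_accounts")

    for claim in claims:
        # Rule: claim exceeds a set dollar amount.
        if claim.amount > AMOUNT_LIMIT:
            alerts[claim.claim_id].add("amount_over_limit")
        # Rule: policy coverage changed shortly before the claim was filed.
        if claim.policy_changed is not None:
            since_change = claim.filed - claim.policy_changed
            if timedelta(0) <= since_change <= POLICY_CHANGE_WINDOW:
                alerts[claim.claim_id].add("recent_policy_change")
        # Rule: previous incidents were not disclosed.
        if claim.undisclosed_prior:
            alerts[claim.claim_id].add("undisclosed_prior_incident")
    return {cid: sorted(rules) for cid, rules in alerts.items()}


# Constructed sample data; no real customers or claims.
SAMPLE_CLAIMS = [
    Claim("C-1001", "alice", date(2015, 1, 10), 1200, "INC-1", "Rear bumper damaged in car park"),
    Claim("C-1002", "alice", date(2015, 2, 5), 900, "INC-2", "Windscreen cracked by stone"),
    Claim("C-1003", "alice", date(2015, 3, 1), 1500, "INC-3", "Laptop stolen from car"),
    Claim("C-1004", "alice", date(2015, 8, 1), 700, "INC-7", "Side mirror broken"),
    Claim("C-2001", "bob", date(2015, 4, 1), 45000, "INC-4", "Kitchen fire",
          policy_changed=date(2015, 3, 20)),
    Claim("C-3001", "carol", date(2015, 5, 2), 3000, "INC-5", "Phone dropped in water"),
    Claim("C-3002", "carol", date(2015, 5, 9), 3000, "INC-5", "Phone stolen on train"),
    Claim("C-4001", "dave", date(2015, 6, 1), 800, "INC-6", "Bicycle stolen from garage"),
    Claim("C-4002", "dave", date(2015, 6, 3), 800, "INC-6", "bicycle  stolen from GARAGE"),
    Claim("C-5001", "erin", date(2015, 7, 1), 2500, "INC-8", "Burst pipe",
          undisclosed_prior=True),
]

if __name__ == "__main__":
    for claim_id, rules in sorted(evaluate(SAMPLE_CLAIMS).items()):
        print(claim_id, ", ".join(rules))
```

An alert here only marks a claim for closer scrutiny; whether it is a false positive or genuine fraud is still for an investigator to decide.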

By picking up indicators of suspicious behaviour

early on, financial crime analytics can help companies

quickly understand whether something is a false

positive — such as an innocent typo or mistake in

a form submission — or the result of true criminal

intent. That, in turn, can provide investigators with

rich and meaningful information that helps stop

criminals and lessens the impact on victims.

In addition, the ability of financial crime analytics

to process large amounts of information increases the

speed of an investigation. One FBI agent determined

that a particular fraud case would have taken 123

years to input all the data, if the investigative team

could only use the traditional approach of

spreadsheets and human clerks to enter the

information. With financial crime analytics, this can

take a matter of moments to ingest, fuse and analyse

the data to reveal any hidden suspicious activity.

Finally, the ability to easily present large amounts

of information is a bonus for prosecutors looking for

a way to present complicated evidence in layman’s

terms. Financial crime analytics can allow juries

to follow the case by visualising the activity and

evidence which lead to the culprit.

Using financial crime analytics tools to analyse

the tremendous amount of data that could hold

evidence of financial crime can therefore be an

effective way to help detect anomalies, inefficiencies

and biases, and help companies adapt to the ever-changing

nature of the fraud threat. •••

Wynyard Group is a market leader in high consequence

crime fighting and security software, used by law enforcement

and national security agencies, critical infrastructure

operations and major corporations.


student profiles

Meet two of our recent Graduate Certificate participants.

What is your current role and

what is your background?

My name is John Saunders and I am the GRC Institute

Registered Training Organisation Manager. My

background is varied. I began as a primary school

teacher and trainer of teachers. From there, I

went into the computer industry, specifically into

computer support and then onto completing tertiary

education in computer graphics. Following that, I did

compliance work.

Why did you do the Graduate Certificate

in Compliance Management?

I am doing the course because I believe it is a

handy qualification to have. It is recognised by

the Australian Skills Quality Authority (ASQA), a

regulatory body for RTOs. This means I can assist

students who contact me for advice about something

in the Graduate Certificate because I have the

qualification. In addition, I also have the required

training qualifications as well.

How do you think this

accreditation will help you?

I think I’m going to be in compliance, accreditation

and working with government agencies over the

next few years, so having continuous professional

development is necessary; it also helps me expand

on what I do.

Ultimately, it does get you thinking about

compliance and risk because it combines both

aspects. The whole area of risk and compliance

has been developing over the last 20 years and is

still developing, and so we are probably moving

towards what you would consider enterprise risk

management being the umbrella incorporating

compliance management. It’s an emerging and

evolving area, still largely undefined by industry

best practice, even though we have ISO Standards.

It is still an evolving industry. •••


What is your current role and

what is your background?

My name is Andrew Johnston and I am a Defence

and Aerospace Safety Consultant. My background

is fundamentally in operations, and then I moved

across to risk and safety. I spent 20 years in the Royal

Australian Navy, culminating in flying positions, and

then doing auditor inspections on ships to ensure we

were meeting the required standards for both civilian

and military rules.

Since leaving the service, I’ve gone on to a

number of aviation roles in Australia and overseas,

and worked with government, private jet operators,

freight handling and also for my own consulting

business.

I hold a number of contracts in defence and in

the aerospace industries. This involves providing

guidance to senior management on aspects of

business processes that work external to the Defence

Force, with the aim of making their business more

efficient and helping them to run more smoothly.

Why did you do the Graduate Certificate

in Compliance Management?

I have qualifications in quality management and

also in risk and safety management, and I thought

the third leg of the milking stool appeared to be in

compliance management.

I know of some people in the industry and, as

a new member of the GRCI, I’ve seen what has

been written about compliance. I thought it would

provide me with the tools to go forward armed with

the principles of compliance management and how

ISO 19600 differs from the other ISO standards

about quality and safety.

How do you think this

accreditation will help you?

It provides me with a qualification and a

Grad Certificate in Compliance Management.

On completion, I will be a certified compliance

professional. That gives me the opportunity to

branch into operational roles on the compliance side.

While there are many roles in financial services,

there are many more operational roles for non-finance

clients who would look favourably upon a

qualification such as this.

I thought it was excellent. The content and the

material was challenging, and I like that about a

course. I don’t want to just breeze through; I want

to be challenged.

The theory and the practical elements of the

course were quite well balanced, so there was a

great opportunity for me to research deeper, but

also for me to demonstrate the skills required of a

compliance graduate. •••


in depth

Writing outside of

compliance box

Some risk and compliance

professionals say that the lack of focus on ‘soft’

skills, like communication, is one of the barriers to

GRC being integrated fully into the decision making

process in many organisations. This can include

communication to clients or potential clients,

and also communication between staff and board

members.

“The most common problem is technical people

write with too much complexity,” said Australian

Writer’s Centre National Director Valerie Khoo, in a

recent interview with GRC Professional.

Khoo explained that too many professionals

tend to hide behind jargon, thinking that long and

complex sentences make them sound knowledgeable.

They also tend to write without planning, delivering

“chunks of information as they remember them.”

This results in a lack of logical progression, making

the writing difficult for the reader to follow.

“Use subheadings, even in emails. This helps

break up reams of grey text that occur when the

writer hasn’t bothered to help the reader by dividing

information up into digestible chunks,” Khoo

explained.

She added that people should write in active instead of

passive voice, because the use of passive voice dilutes

the message.

An example of active voice is, “The CEO announced

record profits,” while an example of passive voice is,

“Record profits were announced by the CEO.”

Presentations and Considering

target audience

University of Sydney Dean of Professional and

Continuing Education Chief Executive Officer

Professor Ann Brewer focused on the delivery of

presentations and the importance of how they

should be tailored to suit the intended audience.

While it is important to deliver a planned

presentation or document, it is also important to

consider what information may be relevant to

the target audience. Professor Ann Brewer added

that communication is really about building a

connection of understanding.

Brewer said that most of us neither listen nor

read, and grasp only about 5% of what is being

communicated at any one time. Instead, people

derive most of their understanding from nonverbal

communication.

An important example of nonverbal

communication is observation, where various

assertions can be made about the message by how it

is presented. It is important to know what it is your

target audience wants to know so that you can keep

them interested. Your intended message should be

tailored around this.

Conclusion

While Khoo and Brewer are dealing with two

different modes of communication, basic tenets –

like not hiding behind jargon – will go a long way

towards getting the intended message across to

your audience.

Communication tips:

• Write as concisely as possible

• Always plan what you want to say

• Know your target audience

• Write in the active voice

• Use subheadings to help readers or listeners

• Be aware of non-verbal communication cues

• Read it over •••

28 GRC Professional • October 2015


GRC news

Meet the team!

Elizabeth Kent, Business Development

Manager at the GRC Institute

Elizabeth grew up in Sydney, Australia, where she

spent much of her younger years volunteering

at her mother’s work in communications. That

experience, and many others, led her to an interest

in Marketing and Public Relations and then to pursue

a degree in Communications (Business) at Bond

University.

Following this, she completed an internship in

Public Relations and, just like a Gen Y kid, had to try

new fields and industries (for good reasons) to diversify

her skills in Marketing and Sales. During her time

at Wyndham Vacation Resorts, she was proud to

achieve the award as the top sales representative

of the month in May 2015, with many thanks to her

supportive manager at that time.

Through these experiences she had the

opportunity to work across various globally

recognised accounts including Adobe and Samsung

Enterprise, as well as the opportunity to work and

live in Singapore to fulfil her travel hobby, which

her parents can be blamed for, given her diverse

cultural background and her parents’ regular trips,

specifically to the U.S.A. and Japan. These experiences

(as you can imagine) led her to pursue a different path

in Business Development, and she now resides back

in Sydney with her partner, mother and her dogs.

Raymond (John) Saunders,

Registered Training Organisation

(RTO) Manager for GRC Institute

John was born and bred in a Sydney western suburb

and later moved to North Sydney when a student.

John has had a mixed career, starting as a teacher and

then working as a trainer of teachers, in computer graphics,

in IT support and more recently as compliance manager. Each

career change went hand-in-hand with professional

development and successfully completing new

qualifications.

During his varied career John has benefited from

working with dedicated resourceful people who, like

him, love their work and collaboration in spirited

teamwork. As a baby boomer John grew up alongside

hard working, focused and committed people who

became hippies and long haired weirdos, but then

took over and ruled the world.

Apart from work John loves to study, travel

overseas but avoids tourist locations, watches

television series and feeds the two chooks. His pet

hate is retirement and he claims he has never met a

retired person who he envies. He is a good son who

visits his mum for lunch every two or three weeks.

Kwame Slusher, Editor of the GRC

Professional for the GRC Institute

Kwame was born on the island of Barbados but has

lived in Belize, Trinidad and the USA. He moved to

Australia with his wife in July 2015. He has been an

office administrator, a shop assistant, a barista, a book

blogger, a cofounder of a small business, an intern

journalist for a daily newspaper, a published freelance

journalist, and an arts writer.

He loves journalism, but harbours literary

ambitions. Kwame has won two literary awards and

has one published short story in a prose and poetry

collection.

In addition to writing he loves reading, travelling,

art galleries, book shops, running, video games, his

cats (except for when they are caterwauling at 3 in the

morning), rugby (watching not playing), and lots and

lots of coffee.


Jessica Davies, Administration Assistant

at the GRC Institute

Jess is from the West Midlands in England and is

in Australia on a working holiday. She is a former

Primary School teacher who has a passion for travel,

which she is fulfilling with her sister. On her search

to find new experiences in Sydney she came across

the GRC Institute. Throughout her time here she

has enjoyed meeting new people and has picked up

a variety of new skills which she will be able to carry

throughout her professional development. Jess’s

role is to help out throughout the office, assist team

members and to register and welcome new members

to the Institute.

Outside of the workplace Jess enjoys trying new

places to eat and experiencing different cultures. She

has a large interest in health and fitness and feels that

she is in the right city to keep on track with her goals.

Yunsheng Lu, Accounts Officer

at the GRC Institute

Yunsheng is responsible for all accounting tasks for

the GRCI, including day to day accounting events

and monthly financial and tax reports.

She completed her accounting professional

training in Australia, then started her career in

accounting practices, and has worked for small businesses

and also public companies. She joined GRC Institute

in 2006.

Apart from her accounting career, she likes to

spend her spare time travelling and supporting

charities. A dog lover, she is very proud to have

supported Guide Dogs NSW/ACT for the past 16

years.

Clare Williams, Membership and Student

Coordinator at the GRC Institute

Clare has worked in a variety of industries and has

over 8 years’ experience within the administration

field. She has recently branched out over the last year

into organising the events for the GRC.

She is not only responsible for the events side

of things but also looks after the membership,

registrations and maintaining student records. She

also assists members with their enquiries and course

information.

Clare has a love of travelling and has travelled

throughout the UK and Europe (as you do when you

hold a British Passport) exploring other countries

and their cultures as well as visiting family over there.

Like any girl, she enjoys shopping and spoiling her

niece and nephew.

Naomi Burley, Managing Director

at the GRC Institute

Naomi has worked with the GRC Institute for

fourteen years as National Manager and was

delighted to accept the position of MD when Martin

Tolar advised he would be leaving the role. Having

undertaken most of the roles within the Institute at

some point (except RTO Manager and Editor – she’ll

leave that to the experts) she’s had conversations with

members over the years from a variety of perspectives

to understand what they need from the Institute and

has had the privilege of watching a profession mature

and come into its own.

Prior to joining the GRC Institute, Naomi

was a professional advertising and commercial

photographer who only gets to photograph her

two children and their various pets now. She’s also

obviously a sucker for punishment as she’s her

local Scout group’s Cubs leader which means she’s

learning a lot about camping, woodworking and

using a compass. Hopefully that will put her in good

stead as GRCI’s MD. •••


GRC Institute membership benefits

SUPPORTING GOVERNANCE, RISK & COMPLIANCE PROFESSIONALS SINCE 1996

2,500 GRCI MEMBERS

Majority of members are based in Australia, whilst 13% are in Asia. The remaining are spread across New Zealand, Europe, US & Canada.

BENEFITS

• NETWORKING & DISCUSSION SESSIONS: Network with like minded professionals. Hear from others' experiences, share knowledge, challenges & ideas on solutions.

• NEWS & UPDATES: Free monthly e-magazine & regulatory updates. Thought leadership opportunities to contribute to published submissions, research papers and magazine.

• ACCREDITED CERTIFICATION: Earning & maintaining accreditation keeps an institution aware of, & engaged in, current best practices.

• BUILD YOUR PERSONAL BRAND: Learn how to market yourself better at career progression events.

• MENTORING: Give something back to the community or learn from the best.

• PROFESSIONAL DEVELOPMENT: Enrol in nationally recognised courses.

• MEMBERSHIP DISCOUNTS: Save an average of 25% off of GRCI events & educational training courses.

• AWARDS: Be recognised within the industry through yearly awards presented at the Annual GRC Conference.

Sign up today to invest in your future as a Governance, Risk & Compliance professional.

FOR MORE INFORMATION VISIT WWW.THEGRCINSTITUTE.ORG


Where governance

meets technology

BoardPad allows you to efficiently and

effectively access your meetings and

corporate documents.

boardpad.com

info@boardpad.com

Your one true source for

corporate data

OneWorld

Blueprint OneWorld securely stores all

your corporate data in one place.

icsasoftware.com/bponeworld

aunz@icsasoftware.com

Contact us for a demonstration

+61 2 8096 8300 Level 33, 264 George Street, Sydney

© 2015 ICSA Software International Limited.

Blueprint OneWorld is a registered trademark of ICSA Software International Limited.

BoardPad is a registered trademark of ICSA Software International Limited.
