
DAILY NEWS

Thursday, 30 October, 2014

18th ANNUAL GRC CONFERENCE, SYDNEY

News 2-4 | Features 5-13 | Quiz 15 | Schedule 16 | Weather 29°C

NEWS
President welcomes attendees, page 03

FEATURE
How to manage a crisis, page 05

FEATURE
Improving your organisation’s compliance, page 08

www.acigrc.com www.complianceinsider.com

GRC2014 opens with a bang

The Governance, Risk and Compliance Institute’s (GRCI’s) 2014 Conference in Sydney got off to a lively start last night with a fun and energetic drinks reception. From 7pm onwards delegates filled the exhibition hall, catching up with old friends and discussing the week’s forthcoming conference.

Opening speaker Deborah Coram, CEO at The Safetrac Group, described the GRC annual conference as “the best of its type in Australia”. She told delegates how her daughter had once dreamed of becoming a compliance officer, like her mother, but had since opted to become Prime Minister of Australia so that she could decide her own bed time. “Most people do not grow up dreaming of becoming a compliance officer, but we all love what we do now,” she said.

If the first evening is an indication of things to come, GRC2014 is sure to be a fun and sociable event, with numerous opportunities to learn and to network. “We look forward to seeing you throughout the next two days,” said GRCI President Alf Esteban. “Have a great time!”

First timers encouraged to network

First timers to the GRC Institute’s (GRCI’s) annual conference were given a tour of the venue and some invaluable conference tips during the ‘First Time Attendee Orientation’ yesterday. The GRCI’s Maree Hurley and Caroline Lee guided newbies around levels one and two, where the workshops will be held, and then on to the exhibition hall on level three.

Programme manager Hurley told tour attendees: “We implore you to meet all of the exhibitors, who are really lovely people. Many of them used to be practitioners and have an incredible network of contacts.”

Acknowledging that the art of networking doesn’t come naturally to many people, but is one of the most valuable skills that can be mastered in business, the GRCI has initiated its ‘Start a Conversation’ campaign at GRC2014. The more proactive delegates have the chance to win a set of BOSE headphones by completing a questionnaire, while other networking tools include drinks coasters with pick-up lines and cocktail recipes.

“We really want everyone to get to know each other,” said sponsorship and exhibition manager Caroline Lee.

All conference delegates, but especially first timers, should remember to send follow up emails to those they meet at GRC2014, and to utilise the GRCI’s LinkedIn profile group.

Lee urged first timers to embrace the use of social media at GRC2014 – in particular, the conference’s Twitter hashtag of #GRC2014syd.

However, Lee’s encouragement came with a gentle warning. “We want to be trending so keep it positive and friendly. You don’t want an angry, drunk tweet to be seen on a 30-foot screen.”

Hurley encouraged listeners to ‘Connect and Engage’ by downloading the official GRC2014 app for free. “The single most valuable thing you will take away from this conference is the relationships with the people that you will meet,” she said.


NEWS

www.complianceinsider.com | GRC2014 | Thursday, 30 October 2014 | 02

President welcomes attendees

As President of the GRC Institute (GRCI), Alf Esteban presides over the management of staff and the ongoing strategy of the Institute.

But there is nothing he loves more than meeting GRCI members and finding out what more the Institute can do for them. Esteban spoke with Compliance Insider® about preparations for GRC2014.

What are your hopes for the 18th Annual GRCI Conference here in Sydney, and why Sydney?

The annual GRCI Conference is held mostly in Sydney or Melbourne because our membership base is large in NSW and VIC, and finding facilities for hosting such a conference is easier here. We have also held it in Brisbane and on the Gold Coast, and we’re currently looking at hosting a one-day event for our WA membership.

We’ve also hosted one-day events in New Zealand, Hong Kong and Singapore. As our membership becomes more international, it makes sense to reach out to those markets rather than assuming that members will bear the cost of coming to Australia.

We view compliance as a risk that needs to be managed, hence our rebranding from the Australasian Compliance Institute (ACI) to the GRC Institute.

Our members do not want a conference that is purely focused on how to do risk and compliance management. The intent of GRC2014 is therefore to get a feel for the issues that are current and topical, so that our members can hear from industry figures that are outside of their sector on how they overcame challenges. We talk about issues that will get our members thinking, ‘how can I apply this to my own sector’.

Which sessions at GRC2014 are you most looking forward to?

Keynote speakers are always a highlight. It’s fascinating to hear their stories and relate them to my own situation. And I always find the breakout sessions to be extremely valuable.

The conference is designed to have everyone’s wants and needs taken into consideration.

What can delegates expect at this year’s event in terms of programme innovations?

Well the KPMG workshop on crisis management has a number of surprises associated with it. It is something new that we have not done in the past, and we don’t believe it’s something that’s been done in Australia before. A number of pre-conference rehearsals are occurring so we’re taking it very seriously.

How important are the networking opportunities for GRCI delegates?

We host end of financial year networking drinks and pre-Christmas drinks. And we run the occasional seminar or lunchtime meeting.

Facilitating networking opportunities is an important part of the role of the GRCI. It’s important that our members are part of a profession where they know where to turn to when they need advice or assistance.

It’s also good for GRC professionals to be able to talk to people from outside of their own industry sector.

The GRCI is the peak member organisation for GRC professionals across the Asia Pacific. What do you put its success down to?

Firstly, it’s down to very hardworking staff that bend over backwards to make sure that our courses and events remain relevant, and that we’re listening to our members and what they want.

Secondly, we have a very good membership base of people who recognise the value of being part of an organisation that enhances their value. We’re an institution that exists for our members and because of our members.

How does the GRCI ensure that education and training remain a key focus of the Institute?

Several years ago, the board made the decision to invest heavily to have the qualification certificates and accreditation by the then ACI recognised at the government education level. Since becoming a government registered training organisation (RTO) in 2010, the GRCI has also made sure that its accreditation is recognised internationally. And we’ve entered into MOUs with a number of universities regarding accreditation for their various courses.

This all enhances the value of the accreditation, and we’ve recently put in a submission for an equivalent accreditation in risk management.

How would you describe your own role and responsibilities within the GRCI?

The role of the president and the board is to preside over the management of staff and the ongoing strategy of the Institute. But we’re mostly here to represent our members. One of the things that I love to do is to meet members and find out what they want. Without our members, we don’t exist.

But it’s a delightful role and a privileged one, and it’s something I don’t take lightly.

We are a member elected body and not an old boys club that only brings in the people we like. We always have a very dynamic, changing board, which demands that existing board members adapt to the ways of new board members… and vice versa.

How do you see the role of the GRC professional developing over the next few years?

I know that some professionals see their role as taking their organisations out of the dark ages and towards international standards such as ISO 19600. In other words, they are the change agent for their organisations.

Other professionals focus on how they can assist their organisations in using risk and compliance to gain additional value. This is a step towards performance management: how can we combine a risk management system with appropriate policies and procedures and move towards a performance management system?

Alf Esteban

FEATURE


CAN YOU GET QUICK ACCESS TO REGULATORY AND POLITICAL LANDSCAPE CHANGES?

To keep up with constant changes to the regulatory and political landscape, compliance teams need quick access to up-to-date information

IntegraWatch® | Compliance Screening has critical data on high-risk individuals, companies and organisations, and is always up to date. So with only a few keystrokes you can comprehensively identify risk and fulfil compliance requirements. IntegraWatch® is based on The Red Flag Group’s proprietary ComplianceChallenged® content and has been specially developed to fill the gap in the market for structured data on people and companies who fall outside regulatory-driven lists. Compiled and maintained by a global team of experts, IntegraWatch® covers people and companies who have, or are suspected to have, been involved in illicit activities. This information is structured to help you extend third-party screening beyond just regulatory risk.

Contact us at [email protected] to find out how we can support your legal and compliance programmes with high-quality integrity analysis services, ranging from a simple check of a proposed partner’s background through to full, ongoing integrity due diligence research into any potential compliance risk.

INTEGRITY

| Create | Improve | Monitor | Integrate | Train | Audit | Investigate | Educate

© 2014 The Red Flag Group. All rights reserved.

Crisis policy and procedures require strong leadership

The decisions and steps that companies take to manage a crisis can have a significant impact on their reputation. Former crisis team leader and founder of Hands Across the Water, Peter Baines, will today help GRC2014 delegates work through a hypothetical crisis so that they understand the best framework and responses to mitigate damage.

To what extent is a crisis management plan the responsibility of the compliance officer as opposed to the board?

The compliance officer will help establish a framework, find ways to implement policy and procedures, and make sure the company doesn’t stray from them. Their role is to show flexibility but also to not stray from procedures because they are there for a reason. The compliance officer should know when you can and when you should follow policy.

What is the most important thing to remember when creating a crisis plan for the first time?

Leadership structure. I worked in Saudi Arabia and my company at the time did not have a good leadership structure. A lot of time was wasted working out who would lead.

You should know what position will be responsible for leading, and what resources you have at hand.

Is there an effective standard crisis management framework, or does it differ from company to company?

Although there are many factors to consider, such as geography and culture, there is a standard framework that people have used before – or skeleton to wrap the meat around.

Are there any tourist attractions in Sydney that you would recommend for a first timer to the city?

The ferry is a great way to spend an afternoon. You can take it from Circular Quay up to Manly and the northern beaches, and it’s really nice at sunset.

What first sparked your interest in crisis management?

I worked for 20 years investigating crimes and responding to them quickly, and part of my role was crisis management.

What important takeaway from your keynote address are you hoping to impart on conference attendees?

It will be different for a number of people, as it will depend on their life. It could be ‘taking action’, or ‘clarity’, or any number of other things.


Peter Baines

NEWS

Compliance Publishing Group
Level 20, Bonham Trade Centre, 50 Bonham Strand, Sheung Wan, Hong Kong
T: +852 3185 0700
F: +852 3185 0701
E: [email protected]

EDITORIAL TEAM
Editor in Chief: Scott Lane
Managing Editor: Stephen Mulrenan
Journalist: Mark Agnew

Contact the Compliance Insider Daily News on +61 424 954 330 or visit us in the Speakers’ Lounge or at Booths 4 & 5 in the Exhibition Hall.

PRODUCTION
Production manager: David West
Production designer: Pasu Ng
Printers: Pegasus Print Group

ADVERTISING
Publisher: Denny Squibb
M: +852 9839 1554
E: [email protected]

MARKETING
Marketing Coordinator: Charlotte Smith

SUBSCRIPTIONS
Subscription Officer: Christina Lai

The Compliance Insider Daily News is produced by Compliance Insider® in association with the GRCI. Printed in Sydney. The Compliance Insider Daily News is also available online at www.complianceinsider.com. © The Red Flag Group 2014. No part of this publication may be reproduced without prior written permission. Opinions expressed in the Compliance Insider Daily News do not necessarily represent those of the GRCI or any of its members.


HOW EFFICIENT IS YOUR DUE DILIGENCE PROCESS?

With the ComplianceDesktop® Technology Platform your due diligence reports are just one click away

The Red Flag Group helps you to build automated due diligence processes through an integrated technology platform that allows you to monitor and stay up to date on any status changes of your third parties, ensuring that you mitigate risks and protect your corporate reputation. From one single platform, you can gather information on your third parties, assess their compliance risk, order and store due diligence reports, and manage the status of all third-party interaction with your compliance programme.

To schedule a free demo or to learn more about how The Red Flag Group can help, contact us at [email protected].

| Create | Improve | Monitor | Integrate | Train | Audit | Investigate | Educate

© 2014 The Red Flag Group. All rights reserved.

How to manage a crisis

Compliance professionals are often the first to sniff out a potential or looming crisis, despite the fact that crisis management involves skills and strategies that were not taught in law school. But there are plenty of lessons to be learned on how to avoid a crisis becoming public, and how to deal with a crisis once it has gone public.

The most important element you can use to avoid public crises is creating trust in your internal systems. Whistleblowers tend to only go public if they have exhausted all the internal avenues available to them – alerting the public sphere is a last-ditch effort.

When allegations of improper practices are made public, the consequence to a firm’s reputation can be disastrous. Mitigating the fallout from such events begins first and foremost with establishing, implementing and maintaining an effective internal reporting programme. Internal whistleblowing is always easier to manage than external leaks. Thus, reporting must be encouraged internally to reduce the chances of negative media, public and regulatory attention.

Whether you’re just starting to plan or are already evaluating the internal whistleblowing procedures at your firm, you must consider the following:

• Do you have a strong and enforceable procedure for internal reporting of ethical and/or legal issues?

• How is whistleblowing perceived by the culture of the firm?

The answers to these questions will usually uncover the abstract barriers that all organisations face in starting or maintaining a successful internal reporting and ethics programme. Employees often do not report ethical and legal concerns because of the structural and cultural flaws within corporations. These flaws usually include distrust in the internal reporting system, the vilification of “snitches”, a belief that management is not held to a uniform standard, and the fear of retaliation and alienation from peers.

How can you implement or restore faith in the internal reporting system and alleviate employee fears of retaliation? If you are evaluating a longstanding policy on reporting unethical and corrupt behaviour, or if no such policy exists and you have just received a complaint, ample opportunity exists to strengthen the compliance and ethics of the firm.


Here are some tips to help implement and solidify a culture centred on ethics and compliance:

Attitude

What is the attitude towards whistleblowing at the firm? If self-interest and unquestioning loyalty towards the firm take precedence over ethical behaviour, employees are unlikely to report transgressions. Changing the attitude towards internal whistleblowing starts with top management, through regular transparent communication and protection of employees who raise issues.

Transparency and communication

Are reporting processes transparent? Firms must communicate the fact that they have an internal reporting scheme. The process should be clear, with assigned accountability at every step.

Anonymity

Is it possible to raise an issue anonymously? Giving employees access to a hotline and guaranteeing a certain amount of anonymity somewhat eliminates the fear of social or material reprisal from management and peers.

Disincentives for whistleblowing

What are the possible material and social repercussions for the whistleblower? Many employees fear losing their job or getting demoted if they press an issue too aggressively. There are also fears of social consequences (for example, alienation by other staff) for those who uncover and report any issues that cast a negative light on the firm. The best way to invite employees to raise issues is to reassure them that material repercussions will not take place, and align the ethical standards of people with the standards of the firm. Profits are important, but only if they are obtained by legal means.

Rigidity and uniformity

Is the policy communicated, followed and adopted uniformly across all levels? Sometimes employees overlook corruption and fraud because they believe management does not hold the same ethics standards as they do. Great managers lead by example; thus, top management must be on board to show all employees that ethics and compliance are the foundation to sustainable success. Management should regularly communicate the message to employees to instil a rigid, ethical culture within the firm.

Quick follow up and investigation

Will the employee’s concerns be investigated, or will they be disregarded? An employee may not want to bother with reporting transgressions if they think their concern will be filed away, overlooked or blindly dismissed. Issues brought directly to managers or reported via hotlines should be escalated as quickly as possible. The majority of employees who leak information to external media raise and press the issue internally at first, yet they become discouraged if the issue is not investigated or is dismissed, causing them to choose their personal code of ethics over reputational damage to the firm. Employees need to feel confident that if they raise an issue with a manager or through a hotline, an investigation will ensue.

Companies must establish and maintain a transparent, uniform, well-defined reporting framework to encourage internal whistleblowing. Cultural and abstract barriers can be overcome with clear communication and adoption of the policy through all levels of the firm. Successful internal reporting strategies aim to:

• establish a strong ethical firm culture, with compliance being a priority

• encourage employees to raise issues with the confidence that they will be dealt with immediately

• minimise damage if external leaks do occur.

Establishing a strong ethical foundation shows employees, stakeholders and the public that the firm is serious about sustainable business practices. If external whistleblowing occurs, a successful internal reporting strategy is proof that such an incident is an anomaly, and that the firm takes compliance matters seriously.

Handling a public crisis

Lanny Davis, counsellor to Bill Clinton in the late 1990s, pointed out the basics of crisis management: “Tell it early, tell it all, tell it yourself”. In an age of lightning fast information, a firm’s reputation is its most valued asset. Showing eagerness and willingness to improve the culture and reputation of the firm proves that management is concerned with sustainability.

What happens when an organisation is blindsided by external whistleblowers? Ideally, there is already a structured compliance and risk management plan in place, but not all companies spend time preparing for such occurrences. If you find yourself in this situation, there are things you need to remember and abide by in order to minimise reputational and financial damage to the firm.

Make a statement as early as possible

Address the public, stakeholders and customers as soon as possible after initial leaks occur. It is important to show the public that the company is actively investigating the situation. Firms that are quick to align their goals with the public’s in finding out as much information as possible and taking appropriate action have a much better chance of saving face.

Do not lie

In today’s age of social media and 24-hour news sources, information can be unveiled and verified much quicker than appropriate corporate response times. Even if you believe allegations are false, it is best not to dismiss them until an adequate amount of information and proof is collected and analysed.

The GRC Institute is running two prize draws at GRC2014 you won't want to miss out on!

GET SOCIAL & WIN AN APPLE IPAD MINI

To give you a little extra incentive to download the GRC2014 conference app, the GRC Institute is giving away an Apple iPad mini 16GB to the delegate who posts the most creative Tweet with the hashtag #GRC2014syd during the conference.

Whether it's a conference selfie with one of our speakers or exhibitors, or a creative way you want to demonstrate our theme #takecontrol, we'll be on the look out for the best Tweets from GRC2014 and announcing our winner during afternoon tea on Friday 31 October.

We've made it really easy for you to post directly to Twitter through our conference app.

START A CONVERSATION & WIN A SET OF BOSE QC25 HEADPHONES

This year the GRC Institute is giving away a set of Bose QC25 Headphones to delegates and GRCI members who can complete the questionnaire contained in their delegate satchel bag.

The questionnaire is a fact-finding mission about the sponsors and exhibitors of GRC2014 and to obtain the answers, you’ll need to start a conversation with each participating exhibitor. When you’re done, drop the completed questionnaire in our collection box at the Speaker’s Lounge. Only complete and 100% correct entries will be counted towards the prize draw!


Establish the company as the main point of contact and provide updates regularly

Depending on media exposure of the case, many information outlets will reach out directly to the company for updates and information. It is important to establish the firm as the authority on the matter by investigating the allegations thoroughly and immediately. This makes it easier to mitigate negative media coverage and shows the firm’s commitment to resolving the issue. Regularly updating on the progress of the investigation through press releases and other venues instils a responsible image of the firm in the minds of the public, stakeholders and customers.

Work with authorities

If it is alleged that laws have been broken, firms that actively work with enforcement agencies in investigating the issue are generally treated more leniently when sentences or fines are set. In some cases, where there has been exceptional cooperation with authorities, no penalty has been handed down at all.

Learn from observed mistakes

After all is said and done, analysing the situation and the causes for the transgression will lead to better developed compliance and internal reporting standards.

The major thing to take away from a public crisis is to implement an internal reporting scheme as soon as it is feasible. To maintain a solid reputation among customers, it is necessary to catch corrupt and fraudulent practices early. If the firm is blindsided by allegations, however, management should use the occasion as an opportunity to improve compliance and ethics internally, as well as to prove to stakeholders that sustainability is their number one priority.

KPMG will today turn the Hilton Hotel into a crisis management centre, where GRC2014 delegates will work in teams to respond to a mock-crisis in real time. This interactive exercise will teach delegates how to manage the expectations of internal and external stakeholders in times of crisis, equipping you with the knowledge and skills to take control in a crisis situation. At a crisis management debrief later in the day, KPMG will provide delegates with an effective crisis management framework that you can take back to your own organisations.


FEATURE

Improving your organisation’s compliance

In many companies, being a member of a compliance team is a tough role. There are a lot of preconceptions about compliance and many business executives still see the function as a checking, validation and audit body that does not understand the business and its needs. Addressing the following five dysfunctions of compliance will go a long way to making sure that compliance is seen as a useful and value-adding business team.

There are five main reasons as to why a compliance team may not be highly respected by the business or is generally regarded as dysfunctional:

1. Lack of alignment

Compliance teams are there to help businesses. Charities and non-government organisations aside, businesses are there to make a profit. The role of management teams is to execute the strategy of their board and generate shareholder value. The shareholder value is not about the value of the brand, nor is it about how the company looks across the industry – it is solely about how much the company’s shares are worth. The compliance team’s needs and those of the shareholders are aligned as compliance’s role is to increase the value of the business’s shares.

Improving your organisation’s compliance

There are a number of reasons for shares changing in value that are beyond the control of a compliance team (for example, macroeconomic changes or stock market changes); however, most increases in share prices come down to something that a compliance team can control: assets and liabilities, or profit. At the end of the day, profit generates share value and increasing profits will in turn increase the value of shares (assuming that the market is reasonably stable). That being said, the compliance team – as part of management – needs to think about how it contributes to profits (that is, increasing revenue and decreasing costs).

Alignment between the compliance team and the business is essential. When the two are not aligned the business loses trust in compliance’s value and the team is seen as dysfunctional. Compliance must get aligned by mapping its goals directly against the business’s goals.

2. Lack of metrics on value

Every part of the business world works off numbers: speaking in terms of growth and in percentages, graphs, pie charts and red or amber or green lights, and talking about changes over time and the causes for certain abnormalities. If the compliance team doesn’t share that view and cannot produce metrics about compliance at the push of a button and, more importantly, show how they are aligned to the business, then the compliance department is dysfunctional.


If your compliance metrics are not up to scratch you need to invest in some tools to get them there. However, tools will not do the entire job for you – you must re-engineer the compliance programme itself to allow for it to be measured in the first place. Many compliance programmes simply don’t have any measurement attached to them or the measurement is totally obvious and therefore useless (such as keeping training records). More effective metrics are those where you can see the direct impact of the compliance programme on the business, such as measuring the number of people trained versus the number of violations or issues identified over time and the increase in revenue.

3. Lack of knowledge

Working in compliance is challenging: a compliance team needs to understand compliance and the law, but, more importantly, it must understand the business. There is nothing more dysfunctional than a compliance team that focuses inwards, learning about compliance but not enough about business.

Everyone in the compliance team needs to know the facts about the business: its drivers, its numbers, where the risks are and the identity of all of its stakeholders. If you do not have a business mind you are in the wrong job.

Knowledge must also extend to how compliance can add value to the business. You need to be ready with great examples and real facts to demonstrate how compliance adds value. Use your metrics for this purpose.

4. Lack of communication

A compliance team is dysfunctional if it does not communicate. Too many compliance teams spend all their time on training and not enough on communication.

Communication should not only include emails regarding recent cases or competitors getting into trouble, but also encompass several different forms of delivery. It should address all of the stakeholders that are relevant to compliance – both internal and external.

A dysfunctional compliance team is one that hides away from the business, fights to get any airtime or simply doesn’t appear at the front of the minds of those within the business.

5. Lack of trust

All of the above dysfunctions contribute to the potential lack of trust that the business has in compliance. If there is a lack of respect and/or trust, then the compliance function is always going to be seen as an audit function.

It takes a great deal of work to build a business’s trust in its compliance team. To do this, a compliance team must listen to, communicate with, align to and engage the business. This means understanding the business, allowing the business teams to be heard, and aligning the objectives of compliance back to their business objectives.

Learning how to make compliance function better as a core element of a company’s culture, moving beyond self-assessments and audits, is challenging. GRC2014 delegates are therefore fortunate to have the opportunity this afternoon to hear from Barbara Lichti, compliance director, CSMB Asia-Pacific Japan at Dell Australia, on her company’s approach to designing its compliance function.


FEATURE

HOW OFTEN DO YOU RECEIVE YOUR DUE DILIGENCE REPORTS?

Being one step ahead of the risks before they occur

Due Diligence as a Service™ (DDaaS) can enable you to manage risk by continuously monitoring your subject companies, allowing you to concentrate on your business goals. With this continuous monitoring you will be able to adopt a proactive approach in managing and foreseeing risk, while lowering your due diligence programme costs.

Due Diligence as a Service™ is cost and risk optimisation in one

With DDaaS you annualise your due diligence spend and get the opportunity to be covered for three years while reducing your cost. For the entirety of the three-year period that you are covered, you will have an audit trail and you can rest assured that your subject companies will not have status changes, in terms of compliance risks, outside of your knowledge.

© 2014 The Red Flag Group. All rights reserved.

Conflict minerals compliance

Developing policies and implementing and analysing questionnaires are vital steps to ensuring conflict minerals compliance. But there are a number of additional practical steps that companies can take that can put them on the right track to long-term compliance success.

Conflict minerals are natural resources that are mined and traded in conditions of conflict, human rights abuses, and violations of international humanitarian law. One way of reducing the demand for, and thus the profitability of, conflict minerals in more developed nations is through greater regulation of the sale of the minerals involved.

In connection with this, the 2 June 2014 Securities and Exchange Commission (SEC)-mandated deadline for conflict minerals disclosures has seen organisations across the globe make obligatory investments to determine if their products and supply chains contain conflict minerals.

Even with periodic guidance offered by the SEC and assistance available from third party experts, companies still face the continuing challenges of complying with conflict minerals laws and determining whether covered minerals are sourced through their supply chains.

Guidelines

Establishing the source of minerals is not easy. There is some guidance available from consulting firms, but even the guidance itself can be confusing. There are several steps that may need to be followed, including:

• conducting a Reasonable Country of Origin Inquiry (RCOI)

• conducting due diligence using an internationally-recognised due diligence framework

• filing a form SD

• undergoing an audit.

As stated in the Organisation for Economic Cooperation and Development’s Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas (OECD Guide) – which is actually the only internationally-recognised due diligence framework that conflict minerals laws and informational guides continually refer to – there are five basic steps that organisations must follow to develop a robust conflict minerals compliance programme. These five steps are:

• establishing a framework for the programme

• identifying and assessing risk in the supply chain

• conducting risk management

• identifying and focusing on smelters and refiners

• reporting out on the results of the entire review.

There are numerous sub-steps under each of these five steps. While full compliance will require your organisation to pay attention to and carry out all applicable steps in the process, getting your programme off the ground should focus on:

• developing a conflict minerals policy

• implementing a conflict minerals questionnaire

• setting up a questionnaire review process.

These three steps are probably the three most important and simple commitments an organisation can make towards developing a conflict minerals compliance programme, and the OECD Guide discusses them in depth.

STEP 1: Developing a conflict minerals policy

According to the OECD Guide, creating a conflict minerals policy is the first step towards establishing a framework for a conflict minerals compliance programme.

A conflict minerals policy is important because it communicates the organisation’s values, principles and expectations regarding conflict-free sourcing, and raises awareness among the organisation’s employees and suppliers, as well as the general public.

Annex II of the OECD Guide lays out a model supply-chain policy and makes recommendations for which conflict minerals topics a policy should ideally address. These topics include:

• human rights violations related to sourcing minerals

• support of armed groups or security forces through procurement of conflict minerals

• bribery, fraud, money laundering or other illegal payments made in the course of procuring conflict minerals.

Integrating your organisation’s values and principles and addressing relevant conflict minerals topics is not a difficult or expensive endeavour. At its core, a conflict minerals policy is there to advise employees and suppliers of their responsibilities to ensure conflict-free sourcing; therefore, the bulk of your organisation’s policy should be dedicated to describing these responsibilities so that employees and suppliers can begin to prepare themselves.


For employees, responsibilities will likely include:

• introducing the conflict minerals policy to suppliers, explaining its significance and integrating acceptance of its terms into contracts

• identifying and assessing risk in the supply chain through various actions, including:

o sending out questionnaires to suppliers

o reviewing completed questionnaires and identifying issues or red flags

o building a database of information on suppliers and smelters.

For suppliers, responsibilities should include:

• agreeing to the organisation’s conflict minerals policy and working to embrace its standards, values and expectations

• cooperating with the organisation’s due diligence process by supplying answers to questionnaires and providing supporting documentation upon request

• implementing a due diligence framework that meets the organisation’s requirements.

Setting out your organisation’s values and principles and clearly identifying the resulting responsibilities are the mainstays of a sound conflict minerals policy; however, there are other areas that should also be addressed and built up as the policy is periodically updated. These other areas include:

• monitoring and enforcing the policy

• consequences for non-compliance

• frequently-asked questions regarding conflict minerals compliance

• a glossary of terms

• how to conduct an RCOI.

The policy should be kept as simple as possible to avoid it becoming more of a procedure. Employees have enough to worry about as it is, and suppliers will often be reticent about participating in the process if too much information is thrown at them at once.

Once the policy has been finalised it should be made visible to the public via your organisation’s website. Acceptance of the policy should be made a staple of supplier contracts and the policy, along with the conflict minerals questionnaire, should be delivered to all suppliers.

Once the policy has been finalised and is in use, your organisation has completed the first and most important aspect of developing a framework for the conflict minerals compliance programme. While there are other important steps in fully developing this framework (as the OECD Guide describes in greater detail), developing and rolling out the policy is paramount.


STEP 2: Implementing a conflict minerals questionnaire

After the policy has been rolled out, the next essential step is to implement a conflict minerals questionnaire and review process.

Your organisation will be unable to determine whether its products contain conflict minerals without closely surveying the supply chain. The easiest way to begin assessing your organisational supply chain is to send suppliers questionnaires to gather additional information regarding their sourcing practices.

Questionnaires are useful for more than just finding out which suppliers might use conflict minerals and whether any of these minerals come from covered countries. They can also help to:

• determine which suppliers understand the conflict minerals issue and which may need further education (based on the accuracy of their responses to certain questions and terminology)

• find out which suppliers are taking your organisation’s stance and commitment to compliance seriously (based on which suppliers actually return completed questionnaires and answer all mandatory questions)

• build knowledge of each supplier and their associated smelters and refiners.

It is important to realise that it is extremely difficult to determine exactly whether there are any conflict minerals in your organisational supply chain. Downstream companies will have little oversight over the actions taking place by upstream entities (and may in fact have little to no information on the names and locations of these entities); upstream companies may have little incentive to bolster their due diligence frameworks or improve their sourcing practices without pressure from larger downstream companies.

Even after your organisation is able to identify the smelters and refiners that its suppliers use, it will be difficult to gain information on the sourcing practices of these smelters and refiners beyond their corporate profile and media reputation as they are likely to be very high up the supply chain. This is why the OECD Guide stresses that it is of utmost importance to approach the conflict minerals due diligence process as a gradual movement that aims to build a repository of knowledge on all entities within your organisation’s supply chain. As information is built up through due diligence practices such as sending out questionnaires, your organisation will be able to coordinate with other industry members who utilise the same suppliers and smelters and refiners to cross-check and expand upon this data.

The questionnaire that your organisation ultimately uses should ask suppliers:

• which conflict minerals, if any, they handle, and whether those minerals come from covered countries or recycled or scrap sources

• whether all of their smelters and refiners have been identified and independently audited through processes such as a CFSI assessment (which is an independent third party review of a smelter to determine if the smelter possesses sufficient documentation to demonstrate with reasonable confidence that the minerals it processes originate from conflict-free sources)

• which due diligence processes they utilise, including whether they have sent out questionnaires to their own suppliers and whether those suppliers have conflict minerals policies.

STEP 3: Setting up a questionnaire review process

As suppliers begin to send completed questionnaires back to your organisation you will need to have a focused process to review the responses. The first step is to separate the questionnaires that explicitly state that the supplier handles any of the four covered minerals. From here you can begin a more pointed review that includes:

• which suppliers use each of the four conflict minerals

• the sources of any conflict minerals – whether they are scrap or recycled, or smelter and refiner (if smelter and refiner, you should list out the names of the smelter and refiner for each mineral that the supplier uses)

• which smelters and refiners are CFSI audited or otherwise independently audited

• a short media review of each smelter and refiner to capture any negative media

• any other identifiable red flags from each questionnaire, such as wrong or contradictory answers or a poor understanding of the questions.

This information should be catalogued in a master matrix or other database that is dedicated to conflict minerals. A list of recommended next steps should then be outlined for each supplier, based on the totality of its answers.

While your organisation will need to tailor the recommended next steps based on its risk appetite, there are some general steps that can be followed:

• Those suppliers that admitted to handling conflict minerals from the covered countries should begin mapping their own supply chains up to the mine.

• Suppliers that have no due diligence controls should be requested to, at a minimum, start implementing a conflict minerals policy and sending out questionnaires to their own upstream suppliers.

• Suppliers that provided obviously inaccurate answers or answers that were inconsistent (such as claiming that they have implemented compliance controls but then stating that they have not sent out questionnaires or developed a policy) should be informed about the inconsistency of their answers. They may also need additional information to educate them on the objectives of such questions, and they may need to fill out the questionnaire again.

• Suppliers that have provided incomplete answers, such as leaving out smelter and refiner names, should be informed that they must provide the missing information as a prerequisite to maintaining their relationship with your organisation.

• Suppliers that have stated that they have some due diligence controls (such as a conflict minerals policy, supplier review process or the like) should be asked to send your organisation supporting documentation or other proof.

Your organisation should also begin creating a sub-sheet within the larger matrix or database to track all suppliers that use smelters and refiners that are not CFSI-audited. As the conflict minerals compliance effort grows and information is gradually built up on these smelters and shared among companies, your organisation will be able to populate this database with more information.

Next steps

The next steps towards full compliance involve conducting advanced due diligence on any suppliers, smelters and refiners that your organisation knows or suspects source from the covered countries, and reporting on the results of your review process.

While the exact scope of this due diligence and reporting depends on a number of factors, such as the quality of information provided by your suppliers or whether your organisation is subject to conflict minerals laws as an issuer, potential next actions could include:

• conducting spot-checks on smelters and refiners that are not independently verified through CFSI or other such auditing processes

• following up on certain “red flag triggers” that have been uncovered through your review of suppliers, such as:

o minerals originating from a country with limited reserves, resources or production levels

o minerals originating from a country in which minerals from conflict-affected or other high-risk areas are known to transit

o suppliers having shareholders or other interests in companies that supply minerals from a red-flag location

• creating a report that encapsulates the steps taken, results of the review, and basic metrics regarding suppliers, smelters and refiners for examination by senior management

• filing an SD report if your organisation is subject to conflict minerals laws as an issuer.


Developing a robust conflict minerals compliance programme is an unprecedented challenge given the difficulties in overseeing and gathering information over an entire supply chain, the relatively-recent passage of the Dodd-Frank Act and the lack of user-friendly informational sources available. While most companies would have done the bare minimum to meet the June 2014 reporting deadline, the true test will be whether organisations can implement a working programme that allows them to review and monitor their supply chains on an ongoing basis. If a simple but effective programme can be implemented it will be much easier to report on conflict minerals in the future.

GRC2014 delegates will hear this afternoon from Leonard Blazeby, head of the mission for the International Committee of the Red Cross (ICRC) in Australia. He will be discussing how warring countries can be encouraged to respect international humanitarian laws.

FEATURE


Behind the scenes with GRC solution providers

Wednesday afternoon saw the exhibition hall on level three take shape in a flurry of activity, as exhibitors and sponsors set up their booths in preparation to answer delegates’ questions. GRC2014 delegates have the opportunity to learn about a wide variety of products and services from companies specialising in everything from finance compliance to technology security.

BoardVantage’s Kirsty Hodson is attending the GRC conference for the first time, although her company has attended in previous years. Hodson said she would like delegates to be “educated” if they stop by her company’s booth, and to learn about “containing material in secure portals”.

Genevieve Aboud from Protecht hopes that delegates will leave her booth knowing more about enterprise risk management. “I also want them to meet the company mascot Carl,” she added. Protecht will be offering delegates Halloween-themed lollipops on Friday.

Wolters Kluwer’s David Rule, Thomas Verlaet and Vance Hetariki will not be wearing Halloween masks and capes on Friday, but will be happy to discuss “GRC solutions for financial services”. Verlaet added: “We also help companies to understand regulatory changes.”

John Soonius from CURU has been to every GRCI event since it started. “We want people to know that we’re still here,” he said.

GRC2014 is not just for delegates and exhibitors. A number of university scholarship students hoping to break into the world of compliance are also in attendance. This year’s conference represents the first time that Shanghai-based Ronald Wong has ever been to Australia. Wong hopes to leave GRC2014 with “more knowledge about compliance, particularly in the banking industry”.

With this year’s conference housing booths from a number of solution providers, GRC2014 promises to be the best yet.

Vox Pops

Question: What are you most looking forward to at GRC2014?

Rebecca Ellis, compliance manager, legal and compliance, ING Direct

“I’m looking forward to learning something new and gaining a new perspective.”

Alastair Phillips, head of insurance, risk and compliance, Hydro Tasmania

“Hearing about ‘best practice’ and what others do. People are usually too frightened to share, but you learn what ‘best practice’ is at events like this.”

Peter Neumeister, manager, compliance at enterprise services and transformation, National Australia Bank

“You can get bogged down with internal issues, so I’m looking forward to meeting people I’ve not met before. I find the networking very valuable.”

Brett Crawford, investigator, Australian Securities & Investments Commission

“I’ve read one of Bernard Salt’s books, so I want to listen to him. And I want to hear about risk issues around fraud, bribery and corruption.”

Deborah Coram, chief executive officer, Safetrac

“Our main aim is for attendees to understand our brand and what it is that we do.”

Gail Greatorex, director, Product Safety Solutions

“The opportunity to meet fellow compliance and risk specialists. And finding out what the latest services are.”

Jeanette Scott, national manager, legal compliance and risk, Heart Foundation

“It’s a chance to re-energise and meet like-minded people. And it’s a great opportunity for me to mention that IBM should be on the main sponsor’s list!”

Yvonne Butler, chief executive officer, Australian Institute of Project Management

“Hearing about the connectivity between governance, risk and compliance – the value chain from strategy to execution. This conference brings out that discussion.”


[Exhibition hall floor plan, level three: Speakers Lounge, catering station, restroom, escalators, lift, access to plenary hall; stands 1 to 23.]

STAND            SPONSOR               ORGANISATION
3                -                     Cura
4&5              Media Partner         Compliance Insider
6                -                     Wynyard Group
7                -                     Protecht
10               Bronze                Wolters Kluwer
11               Gold                  RSA
13               Bronze                myCaRMS
14               -                     Swinburne University
15               Silver                Diligent Boardbooks
16               Silver                IBM
17               PLATINUM              Safetrac
18               Bronze                BoardVantage
19               -                     LexisNexis
20               Bronze                GRC Solutions
21               Silver                SAI Global
22               Annual Awards Dinner  Thomson Reuters Accelus
23               -                     NetDimensions
Speakers Lounge  Host                  GRC Institute

Win a one-year online subscription to Compliance Insider®!

Today’s quiz question:

What is the Twitter handle for Compliance Insider®?

Send your answer to [email protected] by midnight tonight. Winner announced in Friday’s edition of Compliance Insider Daily News.

#GRC2014syd

michelle whitfield @withthelastword

Looking forward to #GRC2014syd

Peter Baines @peter_baines

In times of crisis, true leaders are identified by their actions and reactions. It’s leadership without authority. More at the #GRC2014syd

Michael Nicholson @mic_nicholson

READY, SET, TAKE CONTROL! Join me at the #GRC2014syd

Leonard Blazeby @LBlazebylCRC

What’s sexier? Risk or compliance? Risk - that’s where the “heat” is! #GRC2014syd

COMPLIANCE INSIDER® - It’s Not just News - It’s Intelligence

THURSDAY 30 OCTOBER 2014

TODAY’S SCHEDULE:

0800 - 0830  Ballroom, Level 3  Conference registration
0830 - 0835  Ballroom, Level 3  Official Conference Welcome, Alf Esteban CCP
0835 - 0920  Ballroom, Level 3  Managing Bond - The winning leadership strategy, John Bertrand AM
0920 - 1005  Ballroom, Level 3  Crisis Management Lessons: From the Boxing Day Tsunami to the Bali Bombings, Peter Baines
1015 - 1045  Ballroom, Level 3  Morning Tea
1045 - 1245  Ballroom, Level 3  Breakout: Crisis Management Workshops, KPMG
1245 - 1330  Ballroom, Level 3  Lunch
1330 - 1415  Ballroom, Level 3  Crisis Management Debrief, KPMG
1415 - 1500  Ballroom, Level 3  How to get warring countries to respect international humanitarian laws, Leonard Blazeby
1500 - 1545  Ballroom, Level 3  AUSTRAC: The key focus for 2015, John Schmidt
1545 - 1600  Ballroom, Level 3  Afternoon Tea
1600 - 1645  Ballroom, Level 3  How the Royal Australian Navy adopted a risk led strategy, Yvonne Butler & Commander John Metzl
1645 - 1730  Ballroom, Level 3  Compliance By Design: Dell’s Way, Barbara Lichti
1730 - 1735  Ballroom, Level 3  Wrap up and close
1800 - 1930  Exhibition Hall    Exclusive Preview of ISO 19600, Cocktail Reception