Riskmanagement 2014 by Lyonsdown

YOUR AWARD-WINNING SUPPLEMENT

The René Carayol column

Should top execs act more like professional footballers? | Page 2

The new frontier

Global cyber-crime now costs $445bn every year | Page 7

August 2014 | business-reporter.co.uk

EXCLUSIVE Nick Leeson, the original rogue trader, on regrets, remorse… and revival Pages 11-15

24-PA SPEC GE EDITI IAL ON

RISK & FRAUD

THE MAN WHO BROKE THE BANK

DISTRIBUTED WITHIN THE SUNDAY TELEGRAPH,PRODUCED AND PUBLISHED BY LYONSDOWN WHICH TAKES SOLE RESPONSIBILITY FOR THE CONTENTS

Business Reporter · August 2014

Risk & fraud

Opening shots René Carayol

ANY OF us were blown away by the excitement of the recent World Cup, and shocked by the jaw-dropping transfer fees generated by those players in the ultimate shop window of global TV. Barcelona paid £75million for Luis Suárez, despite the fact that he disgraced himself again by biting yet another opponent. A further £50million was paid for David Luiz, despite him having had a stinker for Brazil in their 7-1 defeat by Germany. The humungous transfer fees were matched by breathtaking salaries of up to £200,000 per week. You would never believe that world income inequality has been decreasing, especially with China and India catching up. It was a little surprising, then, that Thomas Piketty argued in his seminal book Capital In The TwentyFirst Century that the world is becoming more unequal, and dangerously so. Inequality has been quietly on the rise in most of the wealthier countries in recent years with the pre-eminence of disruptive technology, instant communications, big data, the cloud, and their impact on an interdependent and increasingly connected world economy. This has pushed massive wealth to the few who are benefiting commercially from these innovations. Piketty would have us believe that “whenever the rates of return on capital are significantly higher than the growth rate of the economy, inheritance predominates over savings”. Historically, the best way of becoming wealthy was to inherit significant wealth from your parents or ancestors.

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Find us online: business-reporter.co.uk

Like footballers, top business talent may opt for riskier paths in return for higher rewards Piketty’s research of his native France informs us that inheritances as a proportion of national income fell from 24 per cent in 1900, to around 4 per cent by 1950. Inherited wealth as a proportion of total wealth was 90 per cent before the First World War, but fell to 45 per cent by 1970. This would appear to support the meritocratic dream of an egalitarian world, but from the 1950s onwards things have gone the other way in France. He predicts that inheritance flows will rise to around 16 per cent of national income by 2050. His potential solution to this is worrying in the extreme, as it really is about taxing just about everything: inheritance, capital gains, property, and anything else you may like to think of. Most parents hope that the most talented people rise to the top – however, inherited wealth kills these dreams. If your parents own property, or die early, you are likely to be in for a windfall whether you are the most talented and hardworking or not. This is the last thing our society needs in these times of huge global youth unemployment. Clever algorithms coupled with slick technology and reams of historical data in the hands of smart

and able investment bankers played a huge part in helping cause our recent global financial crash. They were able to hedge and bet on the ups and downs of the vagaries of the world’s financial markets. But it only took a few of them overstepping the mark to bring global financial systems to the brink of disaster. We are collecting individual data at levels of detail never seen before. It is now possible to envisage a world where similar financial dexterity and knowhow might well be moved towards enabling individuals to hedge or insure their chosen career paths. So those deciding to take much riskier paths for the promise of higher rewards might well be able to insure against failure in the future. How long before slick and agile insurers, combined with the latest technology focusing on a hugely competitive talent marketplace, manage to change the game for ever? Perhaps it’s similar to the skills displayed at the World Cup – we might see top talent with a short shelf life, earning huge amounts to compensate for the risk and lack of certainty, without ever having to bite anyone.

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Like us: www.facebook.com/biznessreporter

Risk & fraud

Find us online: business-reporter.co.uk

Risky business: the dangers of underfunded risk management By Dave Baxter FIRMS CONTINUE to underestimate the cost of “risk management failures”, despite an increased sense of awareness following the financial crash, an influential global body warns. The Organisation for Economic Co-operation and Development (OECD), a forum used by governments around the world, claims that although companies have a greater awareness of risk, their practical understanding of this is still falling short in many cases and potentially leaving them vulnerable. The OECD’s 2014 report, Risk M a n a ge me nt a nd C or p or ate Governance, warns that companies and boards should work to increase their understanding of risk and the “catastrophic” threats they could encounter, even if these have a small probability of actually materialising. It also notes that some businesses are too narrowly focused on risk in a financial context and not more broadly. The report looked at the rules and practices around risk management in 27 of the jurisdictions taking part in its corporate governance committee, including Norway, Singapore and Switzerland, all three of which provided more in-depth case studies. The report acknowledges the importance of risk in business operations but warns that the practicalities around controlling risk need to be better understood. It reads: “The review finds that, while risk-taking is a fundamental driv ing force in business and entrepreneurship, the cost of risk management failures is still often underestimated, both externally and internally, including the cost in terms of management time needed to rectify the situation. “Corporate governance should therefore ensure that risks are

New study suggests that charities are overcautious A FEAR of risk could be making charities less innovative and causing them to let down their users, a paper argues. The piece, by volunteer Fiona Sheil, has been published by think tank New Philanthropy Capital, in a series of publications discussing the future of the charity sector. It argues that, by avoiding risk, charities could be failing to meet users’ needs. The author worries about a suppression of certain understood, managed and, when appropriate, communicated. “Following the financial crisis, many companies have started to pay

market forces when it comes to dealing between charities and the public sector. She writes: “In public services, the application of a quasi-market model to drive competition and force risk onto providers compromises the user-focus of charities. Contracts demand allegiance to the service purchaser, which often conflicts with the needs of the people charities serve.” more attention to risk management. This is, however, seldom reflected in changes to formal procedures, except in the financial sector and in companies

that have suffered serious risk management failure in the recent past. “It appears that most companies consider that risk management should remain the responsibility of line managers.” It adds: “Listed company boards need to be provided with incentive structures that appropriately reward business success, as well as awareness and management of risk. “Existing risk governance standards for listed companies still focus largely on internal control and audit functions, and primarily financial risk, rather than on (ex ante) identification and comprehensive management of risk. “Corporate governance standards should place sufficient emphasis on ex ante identification of risks. Attention should be paid to both financial and non-financial risks, and risk

management should encompass both strategic and operational risks.” The report also extends its analysis to boards, and argues that top executives should place greater emphasis on major potential threats – even if these seem highly unlikely. It reads: “It is not always clear that boards place sufficient emphasis on potentially ‘catastrophic’ risks, even if these do not appear very likely to materialise. “More guidance may be provided on managing the risks that deserve particular attention, such as risks that will potentially have large negative impacts on investors, stakeholders, taxpayers, or the environment. “Boards should be aware of the shortcomings of risk management models that rely on questionable probability assumptions.”

Business Reporter · August 2014

Risk & fraud

ExpertInsight

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

ADVERTISING FEATURE

Keep yourself safe from financial fraud INDUSTRY VIEW

e’ve all been at the receiving end of a cold call but, while most are a minor annoyance, others can be more alarming. Barclays customer Mary Wilson (not her real name) was conned into handing over £7,000 to a courier after receiving a cold call from fraudsters pretending to be from Barclays. The caller invited Mary to ring the number on the back of her debit card to

Your bank may contact you from time to time with useful advice and information about products and services, but bear in mind it will…. • Never email you a link that takes you straight to the online banking login page • Never email you asking you to verify your account details • Never email or call to ask for PINs, authorisation codes or passwords • Never email or call or visit you at home to ask you to hand over your card or cash • Never email or call to ask you to move money to a new account

ExpertInsight

Find us online: business-reporter.co.uk

verify their claim. After dialling, Mary assumed she was speaking to bank staff and was unaware that the caller had not hung up and was impersonating a Barclays’ employee asking for money. Mary then handed over her cash. Fraudsters are targeting online customers too. Sending emails designed to look legitimate and claiming to be from banks, they ask for bank and security details and provide links to bogus sites that resemble the real thing. Any sensitive information submitted via these links goes straight into the fraudsters’ hands. Scam emails can also contain viruses that can be installed without the user realising, allowing a third party to take information from the computer. Despite the sophistication of some scams, banks are doing all they can to fight fraud. Barclays, for example, has teamed up with Get Safe Online, the government’s online security adviser, to help raise awareness of fraud. And there’s plenty you can do to protect yourself, too.

Seven-step safety guide 1 Protect your computer with the latest security software and install regular updates 2 Only visit your bank’s online banking

site from a trusted bookmark or by typing the name in your browser 3 Keep your PINs, passwords and bankcard details to yourself – don’t share them with anyone who phones, emails or calls at your door 4 Be wary of opening attachments in emails that you’re not expecting or are unsure about 5 Strengthen your passwords with letters, numbers and symbols and don’t write them down 6 Check statements regularly and tell your bank about any odd activity 7 Keep your bank updated with your

latest contact numbers so it can get in touch if it identifies suspicious transactions Need more help staying safe online? Barclays has 7,000 Digital Eagles in branch to help everyone – even if you don’t bank with them. There is also a range of online how-to videos, with hints and tips at barclays.co.uk/ digitaleagles. To find out what else you can do to protect yourself from fraud, visit www.barclays.co.uk/fraudprevention

Protecting your organisation from growing cyber-threats A comprehensive defence strategy where protection is proportional to risk and value INDUSTRY VIEW

ou don’t need to be convinced that the threat of fraud is real. You’ve seen the headlines – there have been a significant number of high-profile names admitting to breaches, with now more than one billion individuals having their information and identities stolen. Identity is the new money and fraudsters can get their hands on this steady stream of emerging targets more easily and more cheaply than ever before. Add to this the rise in consumer omni-channel behaviour and with it a new set of fraud risks. Globally, 67 per cent of consumers made purchases in the last six months of 2013 using multiple channels (Source: LoudHouse, Nov 2013). And businesses are meeting these demands – in a recent Experian Marketing Services global study, 80 per cent of marketers reported that they plan to run cross-channel campaigns in 2014. The majority (67 per cent) will

integrate three to four channels. With mobile in particular – the increasing number of mobile devices and their relatively fewer protections are creating opportunities for fraudsters to exploit. All of this is making cyber-crime a focal point for fraud defence. It’s critical for organisations to identify customers as quickly as possible while diligently protecting themselves, but at the expense of the customer experience? In a recent study, 41st Parameter, a part of Experian, found that 87 per cent of customers feel upset, frustrated or betrayed when an online transaction is declined (Source: 41st Parameter, Measuring Consumer Attitude on CNP Credit Card Declines, Dec 2013). Those at the forefront of riskmanagement and cyber-security take a “be everywhere” approach. If you always assume that fraudsters have successfully obtained your customers’ information, you will diligently watch out for them through their life-cycle interactions. But

treating customers as potential intruders in their own domain is unlikely to foster a positive association and long-term mutual trust. Detection is the key but the challenge is increasing confidence in customer relationships without placing additional burden on your good customers. One of the most effective ways to do this is to establish relationships with the devices used to make these connections. Recognising a user’s device(s) is a private, hidden, effective way to connect the dots between devices and accounts, building trust and quickly spotting and stopping undesirables from gaining access. The best type of protection is invisible. The last thing you want is to tip the fraudster on how you protect your customers. And you want to ensure a frictionless experience for the good customers. Implementing a fraud detection solution with

device-recognition capabilities that sit behind the scenes ensures the good guys don’t get caught up in the bad guy process. The online channel is where cybersecurity threats loom large, and device intelligence is the strongest defence. But fraud and identity theft is a multi-channel threat, growing more sophisticated and complex – as should your approach to prevention. With the 2013 acquisition of 41st Parameter, Experian has the unmatched expertise and a broad range of fraud and identification capabilities to help organisations implement a comprehensive, layered defence strategy where protection is commensurate with risk and value. Richard Harris is vice president, Global Fraud and ID for Experian 0845 266 6604 experian.co.uk/idf

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Like us: www.facebook.com/biznessreporter

Risk & fraud

Find us online: business-reporter.co.uk

Number 1 for risk coverage WE AT Business Reporter know that this year’s 24-page supplement into risk management has a lot to live up to after last year’s report won a prestigious award for its accessible coverage of a complex industry. The 2013 report’s excellence was recognised by the Institute of Risk Management, who awarded Business Reporter its Risk Management Journalism of the Year prize at the Global Risk Awards 2014. The winning entry included an interview with security expert and former soldier Andy McNab, a risk analysis of supply chain

complexity, an article on the business impact of bad weather, and a piece by our authoritative columnist Rene Carayol urging companies not to be risk-averse during a downturn. Editor Daniel Evans said at the time: “I’m particularly pleased that the judges highlighted our accessible style and I hope we can continue to address niche business areas in a way that can interest and engage experts and non-experts alike. Hopefully this award will be the first of many.” Right: Business Reporter’s Matt Smith and Dave Baxter are presented with the award by Mana Communications MD Caleb Hulme-Moir

‘Right to be forgotten’ should not be used as PR damage limitation, says expert By Dave Baxter PEOPLE are wrong to see the so-called “right to be forgotten” as the “holy grail” of reputation management, a specialist claims. The Court of Justice of the European Union recently ruled that links to web pages with personal information could be removed from search listings in specific circumstances, saying: “Individuals have the right – under certain conditions – to ask search engines to remove links about them. “This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of data processing.” The court added that this right would be balanced against other considerations, including freedom of expression and the media, as well as the “public

interest” in keeping search results up, and that all cases would be judged on their own merit. It added: “The right to be forgotten is certainly not about making prominent people less prominent or making criminals less criminal.” Appl icat ions a re now flooding in from people looking to have search results removed. Google, the search giant, has notably removed links to some news articles, prompting a

response from media outfits including the BBC. The new right may appeal to those looking to rid negative mentions of their name from Google’s results. But one specialist claims that using this tactic to manage reputational risk is likely to backfire. Si mon Wad s wor t h , managing director at Igniyte, an online reputation ma nagement f i r m, say s applying for links to be removed could ultimately attract more attention to controversial or embarrassing information. “The danger is some people may want to bury things and end up bringing it back out in the open again,” he says. “Do you just open up a can of worms? I think people latched onto it as being the holy grail of content online, which isn’t the case.” Wadsworth notes that a

number of his own clients have applied to Google in an attempt to have links removed – but without success. “The first batch we have had have all been noes,” he says. “The people we deal with tend to be higher-profile and Google has hidden under the public interest [defence]. The less high-profile applicants may be more successful.” He warns that people focusing on reputational risk and finessing their online image need to go f urther than tinkering with search results. “There are wider services than deletion and delisting,” he says. “Brands coming to us want PR and positive stuff and content that’s under their control and on-message. “There is a myth that if they have one slot covered in Google, that’s fine. I think people are finally going to realise that

With thanks to...

Publisher Bradley Scheffer...............................info@lyonsdown.co.uk Editor Daniel Evans.............................................dan@lyonsdown.co.uk Production Editor Dan Geary .................d.geary@lyonsdown.co.uk Reporters...............................................Tim Adler and Joanne Frearson Client manager Alexis Trinh........................alexis@lyonsdown.co.uk Project Managers .....................Emmanuel Arthur and Danny Dunn

For more information contact us on 020 8349 4363 or email info@lyonsdown.co.uk

having one to 10 results in Google or one to 20 is a good strategy for them.” And he adds that there is a lack of proper knowledge about how the right to be forgotten works. “From what we see from

people inquiring about it, there’s clearly a lack of understanding to what it means, which is probably natural. People want to know how they fit into the process, and what their chances of success are.”

Business Reporter · August 2014

Risk & fraud

ExpertInsight

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Find us online: business-reporter.co.uk

Why lowering barriers to fraud doesn’t mean increasing your exposure to risk Working together, it is possible to win the fight against fraud and gain real commercial advantage in an interconnected world INDUSTRY VIEW

raud continues to be a major issue for the UK, with estimates claiming it costs the economy approximately £52billion per year.¹ The blurred classification of what is defined as fraud – and therefore what’s detected – also means that in reality the costs are likely to be even higher. In addition, the behaviour of customers, and their perception of what is fraud as opposed to a “white lie” are posing challenges to organisations. In a recent Equifax survey², conducted in conjunction with YouGov, 19 per cent of respondents aged 25-34 said they felt it was slightly acceptable to overestimate the value of goods or the cost of repairs when making an insurance claim. The same percentage, from the same age group, also said it was slightly acceptable to omit some existing financial agreements when making an application. However, contrary to the ABI news in May that the value of fraudulent insurance claims uncovered by insurers has topped £1billion a year³, in the motor insurance sector, fraud prevention provided for the biggest drop in motor policy pricing in the UK for a decade. This is shown by the AA British Insurance Premium Index where Q1 2014 demonstrated a 16 per cent decrease in policy quotation⁴. In combination with some limiting legislation regarding personal injury, it has resulted in each and every motor insurance customer saving approximately £100 per year, which is all down to better fraud prevention. So, while it may be impossible to completely eliminate fraud, it is clear that technology and data sharing initiatives are tightening the net. Data is now used in increasingly

sophisticated ways to correlate, identify and report fraud; and the technology enabling this is more affordable and readily available than ever before. The flip-side to this, however, is that the technology revolution and evolution has provided organised criminal groups with the ability to operate more efficiently. It has also facilitated the potential opportunity for increased collaboration between individual fraudsters. The concept of “trading” within a fraud attack is real, with each individual involved providing an anonymous function or area of expertise to the overall fraud. For example, data on individuals can be harvested by software designed in Eastern Europe, then sold online to others in Africa. They may then commission UK individuals to orchestrate the elements required and create multiple layers of transfers between organisations and facilities to extract the funds. These frauds are sophisticated, professional and often very lucrative. In a recent scam, for example, two financial institutions in two different countries were targeted and details spread across operatives around the globe. This resulted in $45million being withdrawn across 4,500 ATM machines in 27 different countries within 45 minutes. The New York cell alone withdrew $3million in 25 minutes across 40 different cash machines. Investigation is possible but tracking the international movements and individual elements is complex, time consuming and the costs can often far outweigh the losses from the fraud committed. However, it’s easy to understand why national security organisations are keen to understand these covert digital operations in order to infiltrate them. The challenge is to increase barriers to fraud without negatively impacting the customer experience. In an increasingly security conscious and wired world we can all become frustrated with the need to remember different passwords or provide additional authentication through mobile, code tokens, phone calls and emails. But place too many security requirements in front

of the customers and there is a risk of long-term customer losses as the organisation is perceived to be too difficult to deal with. It’s leading to an approach which balances the customer experience against any exposure to risk. But while the customer is still king they’ll often expect the red carpet treatment. Those businesses who don’t look after their customers are finding that they quickly move on – often to the nearest competitor. The required quality of service demands a flexible and balanced approach to authentication. There then need to be – at application or any other stage of the customer lifecycle – technological approaches that offer progressive authentication. This simply means recognising as many aspects and traits of the consumer as possible: but it also needs to be done as silently as possible. Recognising that the application or transaction is generated by the genuine person allows barriers to be lowered: and when an interaction looks out of the ordinary, it will raise challenges which only the genuine consumer will be able to pass. We help our clients achieve this balance, improving their organisational performance by enabling them to better recognise and react to customers. They can understand the traits and patterns of the genuine and ensure any transaction is quick, easy and has minimal authentication and verification requirements. After all, you already know and often interact with them; you see and understand their behaviour and, consequently, you trust them. We are also implementing biometric technology – such as fingerprint and voice and face pattern recognition – into our fraud and ID solutions. This all contributes to a

layered approach of verification and authentication, allowing the genuine customer to move quickly through a purchase process and raising barriers for suspicious activities. It may seem easy to view this as lowering the barriers to fraud. But the use of advanced technology, providing a constant evolution of defences and vital insight from analytical intelligence, ensures that the balance between customer experience and fraud defence is maintained. We might think of creating better and stronger defences against fraud as an “arms race” – a race for commerce. It’s multi-faceted, highlighting the requirement to treat customers fairly, deliver excellent service and protect against the less scrupulous, whether opportunistic or organised. This fraud arms race will continue to show innovation in the way fraudsters choose to attack and the responses such attacks require. To win you need the tools, data and intelligence to be innovative, flexible and advanced. If you get all of these elements right and working together it is possible to win the fight against fraud and gain real commercial advantage in an interconnected world. John Marsden (far left) is identity and fraud expert at Equifax +44 (0)7789 996557 john.marsden@equifax.com ¹ National Fraud Authority, June 2013 ² W hitepaper: What do clients really think about fraud? ³ www.abi.org.uk ⁴ w ww.theaa.com/newsroom/bipi/ 201404-bipi.pdf

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Like us: www.facebook.com/biznessreporter

The

Risk & fraud

Find us online: business-reporter.co.uk

Bank on the value of risk managers INDUSTRY VIEW

NUMBER of UK projects are gearing up to tackle the spectre of cybercrime. The cost and risk associated with cyberthreats are difficult to quantify, but often assumed to be significant. A McAfee report published this year, in one of its estimates, puts the global cost of c yber- cr ime at $4 45billion. Government figures from 2011 put the annual cost to Britain alone at £27billion. But different projects are now running with an aim of improving the UK’s defences – either by discovering the next batch of cyber-security experts or by encouraging the general public to be savvier about possible threats. One project, the Cyber Security Challenge UK, which involves a series of “cyber games” carried out online and in person, launched in May with the aim of uncovering the UK’s best security talent. Terry Neal (below), CEO at Infosec Skills, the firm behind the project, says this and other schemes need to focus on people from seemingly unrelated areas who could play a future role in the UK’s cyber defences. “We are looking for the skills you need to create the next generation of cyber security experts,” he says. “We know about the skills shortage but it’s not just highly technical skills that are needed. We need information security managers, risk managers, and business continuity managers. These skills combined with an appreciation of information architecture and how systems are designed would be very useful.” But Neal says finding people with an area of expertise – such as risk management – and an understanding of information architecture can be “very rare”, because t hey of ten do not consider themselves

Cyber-crime is on the increase - but British businesses are gearing up to hit the hackers back. By Dave Baxter

to be suitably qualified to work in the industry. He says: “People are scared because they are not a hacker and don’t consider themselves to have the computing skill or aptitude they do have. “But they are more qualified than they think, and they can use those skills. It’s about widening the network of capabilities of individuals with another skill set.” Neal believes that the risk of cyber attack is getting bigger and now applies to many SMEs – making the need for proper defences more urgent. “With smaller businesses, they never used to be a target,” he says. “But now they are reporting increased attacks. “We must do more and more and more, and as much as we possibly can, to promote careers in cyber-security, w h e t h e r t h r ou g h academies or apprenticeship schemes. The m ight of t he

British empire and the UK is built on apprenticeships. Now it’s coming back.” Other organisations are focusing on behaviour among the wider public. The Open Universit y (OU) recently announced plans to launch a Massive O p e n O n l i ne C ou r s e f o c u s e d predominantly on teaching the basics about personal cyber security. Dr Yijun Yu, a senior lecturer in computing at the OU, says that personal security has been growing in importance. “Cyber security is an emerging important area in the western society, so the security and privacy issues are very important to personal life,” he says. “Password protection is no longer the only way to protect your account. “People in the new generation are very much interested in usable systems like the iPhone. They are highly usable but users give away their personal information too easily, too often. “It’s a huge concern that the hackers and the malware people can take advantage. Education is the most important way to help this generation.

There are methods you can use like encryption and decryption but it’s the awareness that’s the most critical.” Yu argues that much can be achieved by getting the public to wise up about their own cyber vulnerabilities, whether this is on their smartphones, using online banking or even in the workplace. But he still believes it can be difficult to close the skills gap when it comes to cybersecurity – in part because of the appeal of the “dark side” of hackers. “There’s still a lack of the knowledge that the dark side has,” he says. “Usually if you go to a conference or event, people are talking about being a security company – but they were on the dark side before. “You hear that someone from a very young age was a hacker, but they become a national expert in security because they know more. There’s the emphasis on cyber security but in my humble opinion this is still not enough. We are in an area of modern society where technology is moving forward very quickly.”

While the UK economy continues to show steady signs of progress, it is clear the scope, focus and pace of recovery will be shaped by perceptions of risk within the business community. Many businesses are already placing an increased focus on managing the multitude of risks they face, as well as the benefits from so doing. The recognition of the importance of risk management continues to spread, and in many companies the discipline is increasingly becoming embedded. However, it is apparent that there is still a significant level of opportunity for businesses to further improve their approach. In order to explore current areas of risk management focus, business insurance specialist QBE commissioned an independent programme of research among businesses in the UK involving interviews with 400 key risk decisionmakers from small, medium sized and larger businesses. The conclusion is that businesses have taken on a range of completely new risk exposures over the last few years and most still recognise a need to strengthen their approach. Organisational culture continues to challenge the risk management profession and, while it is true that best practice companies tend to be those whose leaders facilitate and engage in the processes of risk management, often a seat at the top table to generate meaningful discussion around the topic eludes risk managers. Richard Thomas, QBE head of risk solutions, says: “Companies are increasingly seeing the benefit of strong risk management. They are embracing risk so they can understand and exploit risk opportunities to help grow their business.” +44 (0)20 7105 4000 QBEeurope.com/nn

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Risk & fraud

Find us online: business-reporter.co.uk

With corporate fraud back in the spotlight, some experts are calling for more legal protection to be afforded to whistleblowers. Dave Baxter reports

ExpertInsight

Campaigner Julie Bailey speaking to press after the publication of the enquiry into the Mid-Staffordshire NHS scandal

HEY are a check on wrongdoing and a powerful, sometimes untapped force in the fight against corporate fraud. But some believe that more must be done to protect and encourage whistleblowers. With recent events bringing them back into the spotlight, discussions have begun around whether whistleblowers are being adequately protected. And while some measures have been put into place to make whistleblowing easier, there are calls from certain quarters for further action. Edward Snowden’s disclosures about the NSA may now be famous, but scandals closer to home have led to serious questions around the ability of employees to safely and simply expose problems in the workplace. One high-profile case, the probe into the running of the Mid Staffordshire NHS Trust which was investigated for its high mortality rates and later shut down, originally stemmed from the efforts of a whistleblower. Julie Bailey, whose mother died in Staffordshire General Hospital in 2007, helped expose the crisis when she set up a campaign, Cure the NHS, to encourage others to come for ward about any failings in the system. Controversy around this has led to a renewed look at legislation covering the practice of whistleblowing and a number of changes aimed at making it easier for this to happen. Amendments introduced to the law last year

Studies reveal two thirds of staff may commit fraud under certain circumstances INDUSTRY VIEW

ccording to the 2014 Report to the Nation on Occupational Fraud and Abuse, research shows that the typical organisation loses 5 per cent of its annual revenue each year due to employee fraud. And it is not just a small minority of employees who are the likely culprits. Studies have found that up to two-thirds of staff would be tempted to commit fraud under certain circumstances.

Screening should also be extended to temporary and contract workers.

Establish the right culture With staff in place, a code of conduct (or “ethics policy”) which sets out formal guidelines on what is and is not acceptable behaviour, should be implemented. If it is presented to staff as part of an induction process, it makes it much easier to take action and determine penalties for any subsequent breaches.

Adequate recruitment screening

Raise awareness

The most important step in a company’s fraud-prevention strategy is to recruit the right staff, ensuring that they have not only the right skills, but also integrity and honesty. Senior recruits are often hired without extensive checks, but, in fact, people at these levels are more likely to commit fraud as they have greater authority to approve expenditure.

Directors will also need to raise awareness of fraud in the organisation and encourage staff to remain vigilant and come forwards if they have any concerns. Invariably, someone, somewhere always knows what is going on within the company but often don’t come forward as they are frightened that they will become the victim.

Plan for the worst Although the risk of fraud can be reduced, it can never be eliminated. The response from directors will be crucial. The action taken in the first few hours or days following the discovery of a fraud is likely to impact on the future success of any investigation or legal action to recover lost monies. Andrew Durant is senior managing director at FTI Consulting 020 3727 1144 www.fticonsulting.com

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Like us: www.facebook.com/biznessreporter

Risk & fraud

Find us online: business-reporter.co.uk

Fighting crimes without borders INDUSTRY VIEW

meant that workers would be protected in an employment tribunal if they believed a disclosure was “in the public interest”. And a previous requirement that workers must make a disclosure “in good faith” and not, for example, in order to benefit themselves or get revenge on an unpopular boss, was scrapped. Another change meant companies could be held responsible if an employee were badly treated by co-workers after blowing the whistle. Other steps have been taken since then. The Whistleblowing Commission, a group set up by the charity Public Concern at Work (PCAW), made a series of recommendations last year. It called for the adoption of a code of practice, set down in law, outlining whistleblowing arrangements, as well as the strengthening of anti-gagging provisions and specialist training for employee tribunal members on how to handle whistleblowing cases. And after a consultation on the subject, the government recently announced a number of new measures, including the improvement of guidance around whistleblowing.

UT some believe such disclosures could be taken more seriously – both in the law and in the workplace. Shonali Routray, legal director at the PCAW, says that unexposed problems can have huge, and even deadly, consequences later on – as they did in a ferry disaster that killed 193 people. “It’s important that your staff can raise issues early and effectively so they can prevent disasters,” she says. “You have had incidents like the Zeebrugge disaster in 1987, where the ferry left the port and sank in three minutes. “They found that on five occasions, staff had raised concerns but the communication was bad.

You also have things like the Libor scandal or Wonga sending out fake letters.” Though the Whistleblowing Commission’s code of practice has not been enshrined in law, PCAW is now running a campaign, the First 100, to get companies to adopt the code voluntarily. But she says that companies in general could take whistleblowers more seriously. “There’s no organisation, even with five employees, that doesn’t have problems with their operations,” she says. “In big companies, more questions have to be asked at board level about the arrangements and whether they are working. Non-executives have an important role in this and they need to be asking these questions. “We also need to make the process work. We have lots of amazing managers who are really good at doing things, but often the whistleblowing will happen on a Monday morning or Friday afternoon – how do we deal with that?” Beyond the processes, others believe the law surrounding whistleblowing is hard to perfect. Fraser Younson, a partner at the law firm Squire Patton Boggs, says it can be difficult to achieve clarity and a balance between protecting whistleblowers and preventing abuse of the system. “What the government did after Mid Staffordshire was to take away the requirement that it must be in good faith,” he says. “They put in a line about the public interest, but that hasn’t been defined. What’s in the public interest? “The government also decided not to have a reward system like they do in the US, but (financial watchdog) the FCA are still looking at it.” He says that whistleblowing could make a

“In big companies, more questions have to be asked at board level. Non-executives have an important role in this and they need to be asking these questions” – Shonali Routray, Public Concern At Work difference, but would be unlikely to eradicate fraud on its own. “Fraud will always happen,” he says. “There will always be people who get involved in fraud. That has been mankind’s nature and those people are at risk of being whistleblown on. “I don’t think the changes in the law will stop people doing fraudulent stuff because there is no incentive to blow the whistle. “What the changes do is make it legally easier for people to blow the whistle. But if you want to stay in your job, you have got to be quite a brave person to say ‘My employer has done terrible things’. “If you are a 60-year-old about to retire you may not mind doing it. But if you are in your 20s, or have kids or a mortgage to pay, that’s different.” He also warns that some existing law could Top left: Edward Snowden, the be impractical for firms – particularly the high-profile requirement that whistleblowers are protected whistleblower who blew the lid from detrimental treatment at the hands of their on NSA secrets; colleagues and others. below: the 1987 “How does an employer manage that?” he Zeebrugge asks. “If you have grassed on your co-workers ferry disaster might have been and you think you can still be friends, I think averted with a more transparent that’s an area the government hasn’t thought business culture through.”

Cyber crime is the perfect fraud for criminals in a digital economy, where information is easily changed and monetised for personal gain. Weaknesses are exploited and incidents go undetected. Fraudsters hide behind real and digital borders and their crimes are often victimless, making it easier to rationalise. Companies are fully dependent on technology. Whether the focus of a cyber-attack is on data theft, unauthorised fund transfers, hiding losses or disrupting systems, the stakes have never been higher. A study by Protiviti, a global business and risk consultancy firm, noted cyber-security as a top-priority risk at board level for well-managed companies. But boards need to better understand their exposure and establish a risk appetite that prioritises those they can accept and those to be avoided. Even with increasing investment, breach response rates are still too long and traditional cyber-risk management approaches are not working. Companies continue to play catch-up with tech-savvy fraudsters. While maturing technologies exist to help organisations respond, Protiviti’s cybersecurity study revealed only 28 per cent of organisations have adopted them. Companies are still trying to get the basics right and cost is often a barrier. In the fight against fraud, companies will need to accept a degree of inconvenience. However, if they are honest about risks they can live with and prioritise the risks they are not willing to accept, solutions can be implemented to minimise this inconvenience. Jonathan Wyatt is global leader of Managing the Business of IT at Protiviti +44 20 7024 7522 jonathan.wyatt @protiviti.co.uk

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Risk & fraud

Find us online: business-reporter.co.uk

Satellites could function as flood-risk warning systems Insurers too risk-averse, says industry body

ExpertInsight

INSURERS need to be bolder and more innovative when it comes to their products, a survey of risk managers has suggested. The Association of Insurance and Risk Managers in Industry and Commerce (Airmic) surveyed 110 of its members about their concerns, and found that the biggest complaint was a “lack of innovation”, something chosen by 26 per cent of respondents. Beyond this, 17 per cent were worried about issues around how and if claims were paid by insurers. John Hurrell, Airmic’s chief executive, said: “I understand the difficulties that insurers face, but in my view underwriters need to be bolder. There’s a huge gap there for underwriters to fill if they can get it right.”

DATA from NASA satellites could be used to help combat the risk of devastating floods, according to new research. A study by the University of California, Irvine, found that data could be used to predict the likelihood of a river basin flooding, months before it happened. The research looked at the flooding of the Missouri river in 2011, and found that water storage information could have sped up local flood warnings from two months to as much as five months. Increased warning time could, potentially, reduce any loss of lives as well as property, and limit the risk of flood damage. Jay Famiglietti, one of the scientists involved in the research, said: “We’re not talking about actual flooding but about the saturation level of the ground and its predisposition to flooding. “When it finally rains and the basin is full, there is nowhere else for the water to go.” Following a series of damaging floods in Britain, there have been calls for the UK government to take a more

effective approach against this risk. Earlier this year the Institute of Risk Management, a trade body, criticised the government for having a “fingers crossed” approach to risk. Richard Anderson, the body’s chairman, said: “The terrible flooding in Somerset and the Thames has brought into sharp focus the ‘fingers crossed’ and ‘touching wood’ approach to risk management strategy that is so often adopted by government. “Since the flooding we have seen lots of f renetic activ it y f rom

government officials which is unproductive, and the government would be better served by seeking the advice of the increasing cadre of expert risk professionals who are largely being ignored at the moment.” According to the government, the winter of 2013 to 2014 was “the wettest on record”. It notes more than 7,800 homes and nearly 3,000 commercial buildings were flooded, and that £14m has been paid out to help communities, with another £183.5m to come from local authorities.

Housing slump ‘no danger to recovery’ A SLOWDOWN in the UK housing market is unlikely to undermine the economy, a credit ratings agency has claimed. House prices have jumped, with Office for National Statistics figures showing they increased by an average of 9.9 per cent in the year to April in the UK and by 18.7 per cent in London. Sir Jon Cunliffe, deputy governor for financial stability at the Bank of England, recently warned that the housing market posed the “biggest risk” to the UK economy. A Moody’s report, in contrast, claims that a sudden housing crash would not cause significant damage. It says: “Although a slowdown in the housing market triggered by a deterioration in mortgage affordability would dent growth and undermine banks’ asset quality somewhat, it is unlikely to derail the economy or cause significant losses for UK banks. “Banks and households are also currently relatively protected against the worst outcome of a property downturn by the low proportion of high loan-to-value mortgages.”

Managing risk while supporting business growth INDUSTRY VIEW

s economic prospects brighten and businesses pursue their growth goals, many could assume that the importance of risk management will diminish. The chief risk officer (CRO), a relatively new and important role in financial institutions since the 2008 crisis, is the ideal figure to realise its full potential. Aligning risk and business objectives, CROs have the opportunity to expand the definition of risk management beyond just controlling risk. They can help identify and gauge the merits of growth opportunities, embed risk management within the company’s strategy and make a significant commercial contribution. Achieving this is far from simple though. Complying with incessant and changing financial regulation has created huge pressure on CROs. According to recent research commissioned

by SunGard, 86 per cent of financial services senior executives, CROs among them, say they are stressed by regulatory change. Around half of the respondents even warn that dealing with regulatory change has distracted them from focusing on core business activities. The insurance industry, itself essentially about managing risk to allow society and enterprise to flourish, is a classic case study. Meeting regulatory requirements around solvency capital and internal risk model approval, with all its justifying documentation, has created a massive strain on insurers’ operations, and has evidently left less time for CROs to partner with senior colleagues on other important matters. How can chief risk officers keep on top of this while also supporting strategic and operational decisions? Critical areas to consider are expertise, time, resources and persuasive communications. Risk-management know-how is clearly fundamental.

CROs, working with actuarial experts, can establish the risk governance framework, modelling platform and processes. They also understand how scalable risk technology systems and supporting managed services best add value. And on top of providing the usual reports, sophisticated risk models can help CROs capture the board’s attention with genuinely new and vital insights – for example, around risk correlation or the risk of entering a new market. Re-engineering the company’s risk management system for greater efficiency and accuracy can help free up this expertise and precious time. A growing number of insurers are managing this by integrating and automating their risk data processes around leading modelling technologies, supporting regulatory and internal management reporting. However, efficiency alone will likely be insufficient for risk management to reach its full promise. Like adding lanes to a busy motorway, increasing capacity tends to lead to greater demand. Internal and external stakeholders ask for more results

in greater detail, and faster. Increased processing firepower with cloud computing will only compound this. How risk is communicated is probably a decisive factor. This is progressively supported by graphically rich and easily consumed business intelligence capabilities around risk systems. Senior executives – indeed colleagues in general – are required to understand how risk is, and should be, managed. Sophisticated business intelligence technology, drawing on data from a wealth of sources, can present key information throughout the organisation to help people make more confident risk-based decisions. At the centre of this, and armed with the right tools, the modern-day CRO is well positioned to secure risk management’s rightful place at the executive table. William Diffey (left) is director of the general insurance business practice within SunGard’s insurance business william.diffey@sungard.com www.sungard.com/insurance/risk

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Like us: www.facebook.com/biznessreporter

Risk & fraud

Find us online: business-reporter.co.uk

The big interview Nick Leeson

THE LEESON LESSON TWENTY YEARS ON…

The man who brought down Barings talks to Business Reporter about taking risks and taking responsibility

Exclusive by Dave Baxter

E IS the self-professed “original rogue trader” who wrecked a 233-year-old bank and suffered a miserable fate, from the years spent languishing in a Singapore prison to his divorce and struggle with cancer. Nearly 20 years after the collapse of Barings Bank, Nick Leeson’s “biggest mistake” continues to cast a long shadow – something he, by his own admission, has found difficult to accept. For him, it was a story of unchecked risk-taking, where a furious obsession with success, a stifling culture of fear and a lack of adequate communication led to him “treading water with no hope to surface”. Leeson quietly ran up some £862million in losses, which eventually toppled the UK’s oldest investment bank and sent shockwaves through the world of global banking. “There’s a phrase that does the rounds that ever ybody reaches their own level of incompetence,” he tells me over coffee. “I probably did that at that period, and there wasn’t the support and the structures in place at Barings at the time. I had poor coping strategies and avoided coming to terms with what was going on. I didn’t understand the risk that I was taking – both personally and the risk I was putting the organisation under.” Leeson, more t han anyone else, is associated with the downfall of the banking institution. At the same time, he has managed to turn his turbulent legacy into

Continued overleaf

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Risk & fraud

Find us online: business-reporter.co.uk

Continued from previous page something brighter. After surviving incarceration and illness, Leeson’s experiences have led to a book, a film, and his reinvention as a conference and after-dinner speaker, telling risk management and financial services professionals all the lessons he learned so painfully and publicly in the 1990s. It is likely that, for some, he remains a controversial figure. But Leeson, who speaks softly and openly, says he is rarely badly received by audiences. “I have never had a negative reaction, except once at St Andrews Golf Club in Scotland. I was heckled by Sir Gavin Laird, who was a former trade union leader,” he says. “He thought what I did was co-ordinated and that I set out to undermine the banking system. That’s a load of b*****ks. “If I was asked to describe the fraud I was involved in, the only word I could use was ‘crude’. It’s about people not understanding and lacking the detail.” He may not believe in f raud conspiracies but Leeson – who is on his way to speak at a conference in Mexico when we meet – now spends time t ravel l i ng t he glob e, wa r n i ng professionals how to spot the very real threats to their organisations.

Portraits: Andras Rac

IS own story is no exception, with the recent history of banking littered with colourful and damaging events including the financial crash, the Libor scandal, the actions of the “London Whale” trader and BNP Paribas, France’s largest bank, being hit with a $9billion settlement over alleged sanctions violations. This has provoked a number of responses, from harsh punishments – including large fines and prison sentences – to a broader focus on regulation, with the intention of making banks more cautious and risk-averse. But for Leeson the knowledge from his own experience – around people, cultures and enforcement – remains the most valid. “Financial markets are complex and innovative,” he warns. “They are fast and getting more so. If your own internal cultures aren’t keeping pace, then you are in danger.” He tells me that a strict, unambiguous moral code needs to be established and that staff should be encouraged to speak out about problems before it is too late. “Communications become very important within an organisation but people become influenced by what they see,” he says. “If behaviour is wrong, it’s always wrong. It can’t be wrong sometimes. That presents an ambiguity that people get resigned to. You look at things like Libor. If people see that going on, it becomes more widespread. It becomes market practice because everyone’s doing it. It becomes more acceptable. People don’t understand grey. Everyone can deal with black and white, but the deterrent needs to be adequate.” These issues, he says, all played a role in the Barings disaster. Even though he was well aware of the huge losses being racked up, Leeson says he never realised the bank would go to ruin. “I knew the effect of my accounts was going to be calamitous, but not as calamitous as

I genuine didn’t rea at any sta that the b was going to collapse it was,” he says. “I knew there were going to be significant losses. You come to exist in a parallel area where you are just not worrying about it. I didn’t wonder every day about the money. It only became an issue for me when I didn’t get paid. “The number of zeroes doesn’t make the money not real. I still know what 50 quid feels like in my pocket. But since you are in that difficult situation, you are consumed by other things. You continue avoiding it like a lot of people do with debt these days. I genuinely didn’t realise at any stage that the bank was going to collapse.” Leeson accepts, with trademark candour, that he was at fault for what happened. But he also believes that with Barings and many of today’s large organisations, a culture where people are encouraged to spot mistakes is vital. “The responsibility is entirely mine but there were a lot of other people at the organisation who weren’t particularly good at their jobs,” he says. “They were all dyed-in-the-wool bankers

who had lots of experience – but they didn’t ask the important questions. “With that lies one of the biggest problems of any organisation: asking the difficult questions. The biggest threat is that people still find it difficult to ask what are thought to be simple questions – but they are really the difficult questions. Psychologically they are quite difficult to ask, because they expose a lack of understanding.” Solving this, he says, comes down to a number of cultural changes which should be set from the top. He tells me, with some pleasure, that a friend of his who runs a bank urges new employees to admit their mistakes on the job, using Leeson’s

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Like us: www.facebook.com/biznessreporter

Risk & fraud

Find us online: business-reporter.co.uk

ely alise age bank g e

The story of account 88888: how Leeson brought down Barings By Dave Baxter

BREAKING THE BANK: From top: Leeson is taken into custody on his arrival at Singapore; in better times; on his early release in 1999; Inset, below, getting to grips with the real news

story as an example of the potential consequences of keeping quiet. For his part, Leeson is calling for clarity around risks combined with a freedom to speak out about problems. He says: “I see people getting caught up in the feel-good factor that everybody’s in – everybody’s making money and people don’t remember what went on before,” he says. “Look at the Barings collapse and Libor. They should learn from that. “I think communication is a great tool for changing the culture. I worked in an organisation that was more about competition. People talked about their successes but never talked about their failures and how they were feeling. Talking about that is crucial. You need to get away from that whole fear that you will lose your job or bonus [if you admit to mistakes]. That can result in the type of behaviour I had. Failure was

the one thing I just could not countenance. I was very blinkered. I couldn’t put my finger on when it was, but at one stage you go from being slightly out of your depth to completely treading water with no hope to surface.” In a time steeped with financial and corporate scandals, Leeson believes that an open culture and the ability to challenge others can steer organisations away from the risks they face. But there are some things, including controversial bonuses, which he believes are here to stay. He says: “I never do the banking industry down because I loved it when I worked in it. I have had many discussions with regulators saying what they will do and how things get better, but regulators are always behind the curve. “There was a debate about how to change bonuses. Nothing happened. If we are going to try and change a banker’s bonus structure, I think within 15 minutes they will have a new structure that works in the same way. They have the best accountants and lawyers. They push

boundaries to the extreme. If something’s legal or as legal as it can be, they will do it.” Despite this, and an insistence on being realistic, Leeson seems upbeat about the future in a number of respects. He is happy that the financial crisis has prompted the media and government to challenge banks more robustly, saying it keeps the general population more informed and means more questions are asked. And he praises some brands, such as challenger bank Metro, in being more service-related, in what he hopes could be an industry-wide shift from sales to looking at what customers want. “We need to go to a situation where the bank manager knows a local customer,” he says. Beyond that Leeson, who lives in Ireland with his second wife and children, appears to have moved from his rogue trader existence to a happier place. When I ask him what motivates him in his speaking duties, he turns to me with a grin. “It’s a good source of income,” he says. “And it has no emotional baggage for me.” ■

THE COLLAPSE of Barings Bank followed the rise of an ambitious, working class boy from Watford who later made a series of mistakes and lost control of events. Nick Leeson admits that he had a “very exalted idea” of what success meant. “Success would have been the key motive through everything I did,” he says. “I wanted to succeed and be successful and be at the top of the organisation.” This drive took him far. In the early 1980s he started working as a clerk with Coutts, followed by a number of other jobs in the industry, until he ended up at Barings in Singapore. Leeson was promoted to the trading floor and later became head of a new division focusing on the Singapore Monetary Exchange, which made money by betting on the future direction of Japan’s Nikkei Index, a stock market index roughly equivalent to the UK’s FTSE system. Leeson made big profits, convincing his bosses in London that all was going well. He was credited with making them more than £10million in 1993. But in the following year, everything changed. With so many transactions being done every day, special accounts were commonly used at the time to temporarily hold losses from errors made on the trading floor. A loss could, for example, be held in the account until a trader could make up for it. As Leeson puts it: “Lots of people used to use error accounts and run them for a couple of days. The role in the markets is to cut all errors straight away, but in reality that doesn’t always happen.” Leeson used a now notorious error account, 88888, which was of little interest to the bank’s London office. “The 88888 account was always there and it was an error account,” he says. “London didn’t want it. There were always errors when we were making trades. London said they only wanted to know the profit and loss. “It [the account] became available to me. Over the years it became common practice. It became accepted that if one of the boys on the trading floor made a mistake,

Continued overleaf

Business Reporter · August 2014

Risk & fraud

ExpertInsight

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Find us online: business-reporter.co.uk

Shielding smaller companies from fraud Time to give the same level of protection to all INDUSTRY VIEW

raud cases can often have a far bigger impact on a smaller business than a large one. When selling online, small businesses can use automated fraud detection tools as part of their e-commerce solution, to emulate the protection that bigger companies have and free up valuable time to focus on growing their business. The UK is Europe’s largest online shopping economy and there is plenty of opportunity for small businesses to grow online – in 2013 £91billion was spent online, up 16 per cent from the previous year. However, card fraud also rose 16 per cent to £450million from £388million the previous year, with the majority of card fraud found in the e-commerce space, rather than face-to-face transactions. The most common threats are ID theft and friendly fraud, which is where a customer claims fraud on a legitimate purchase they’ve made, and many small businesses rely on time-consuming manual order checks to make sure the person buying the goods is legitimate. Small companies looking to accept card payments from their website should look for an e-commerce payment solution that has automated detection in place, to free up their time to run their business rather than having to manually review hundreds or thousands of transactions which, in the main, will be fine. About half of large companies have

pretty much eliminated manual transaction checks because they have automated tools in place to identify and stop fraud in its tracks. Having an automated detection device in place gives small companies the same advantages as their bigger rivals. Lloyds Bank will be launching Lloyds Bank Cardnet Online Payments in the next few months, which contains a tool (Risk Shield) that detects and stops payments when suspicious behaviour is detected, based on key features of the transaction and wider insight on fraud trends. Richard Armstrong, head of products at Lloyds Bank Commercial Cards & Acquiring Solutions, says: “There are key factors merchants should look for when assessing risk tools. For example, it is important that the fraud prevention tools are able to see what the most prevalent sources of fraud are in transaction types and then learn how to become better at stopping them. In addition, if merchants are aware of particular postcodes in the UK or in a particular country that they have had problems with, they can configure their fraud rules to block a potential transaction coming from those areas.” Having automated detection in place reduces the risk of fraud and provides small companies with the same level of protection as the big players, and, most crucially, it frees up valuable time to focus on growing their business. www.lloydsbank.com/ cardservices

“Prison was tough. You are locked up for 23 hours a day. Everyone you see is a Triad gang member, so you have to adapt and understand the rules.” Continued from previous page it got hoovered up. It stayed there, because they weren’t reported or admonished.” Leeson’s first abuse of the account was to cover up a mistake made by a team member to stop them from potentially being fired. But, as he began to make big losses of his own, he started using the 88888 account – named so because eight was viewed as a lucky number in Chinese culture – to hide them away. “For me, the 88888 account wasn’t such a big step, because we had seen it happen before,” he says. “I knew it was wrong but I’d seen people doing it.” By December 1994 Leeson had lost hundreds of millions, and began making increasingly risky bets in the hope of rescuing the situation. He was betting that the Japanese economy would recover after a long recession, but in January 1995 an earthquake in the city of Kobe sent the Nikkei Index tumbling. Leeson then made a series of large bets on a post-quake recovery which failed to come in. At the end, the total value of his losses ran to around £862million – enough to topple the 233-year-old Barings. Because of the error account, a lack of questions about his actions and Leeson’s various excuses, the losses were not discovered until February 1995. “In the weeks leading up to that, I remember getting some calls, being asked why I was exceeding my trading limit. Throughout the whole process, all I was ever doing was thinking on my feet,” Leeson says. “A response I gave to one call was entirely different to the response

to another call, but if they had shared the responses they would have known something was wrong. Throughout the three years when I was at Barings, I was never challenged. Probably the only day was February 23, 1995, when someone had done a position check and asked me to explain it. At that point, I ran away.”

EESON fled Singapore, famously leaving a note reading “I’m sorry” on his desk. He and his wife Lisa went on the run with the intention of reaching the UK, but were caught in Germany. He unsuccessfully tried to avoid being extradited to Singapore, and in December 1995 was sentenced to six and a half years in prison after pleading guilty to deceiving the bank’s auditors and cheating the Singapore exchange. Barings, on the verge of bankruptcy, was sold to ING, a Dutch bank, for £1 in 1995. Leeson would leave prison – slightly earlier than expected, in 1999 – but not before he had endured captivity, divorce and a life-threatening illness. “Prison was tough,” he says. “You are locked up for 23 hours a day. Everyone you see in prison is a Triad gang member so you have to learn to adapt and understand the rules. It’s about evolving to the situation you are in – however tough it may be.” Leeson admits that the strain of being incarcerated was intense, even before his wife divorced him and he was diagnosed with colon cancer. But he believes it fostered an inner strength. “The boredom was extreme,” he says. “At the time it felt like it would never end.

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Risk & fraud

Find us online: business-reporter.co.uk

ExpertInsight

Like us: www.facebook.com/biznessreporter

Leeson is arrested at Frankfurt airport before being extradited to face trial in Singapore; below: he now lives in the west of Ireland with second wife Leona

Now it’s a very small part of my life. You have to survive, and it comes down to survival. You find that strength to keep with it, or you end up a manic depressive and either kill yourself or end up attempting to get someone else to do it, both of which were never on the agenda for me.” Leeson’s wife had started working as an air hostess in order to be able to visit him in Singapore, but eventually the strain on the marriage was too much and they divorced. Later, he was diagnosed with cancer. He says: “I never calculated going to prison or being diagnosed with a life-threatening illness. Both were consequences of my actions from being in Singapore. But cancer brought out another element of fight and survival for me. It became a stubborn two fingers up, and I thought ‘I’m going to survive through this’. “I was ignorant about what cancer was, what it did, how it affected you. I had to go and get knowledge and get understanding and learn what was going on. What I had to do was ask questions of the doctor and challenge them.” Leeson managed to survive prison and cancer – though he still needed some treatment after being freed – to write his confessional book, Rogue Trader. And when he was released, he was at unsure what to make of his life. “After prison you don’t know what

you are going to do,” he says. “I relied very heavily on my lawyer. I hadn’t made any decisions for the four and a half years preceding that. I was seeing people, enjoying myself a bit. It became apparent that adequate structure was something missing from my life. “I could go out Friday, Saturday, Sunday and I would wake up with a hangover on a Monday and my friends would go to work. That was demoralising and depressing so I did a degree [in psychology]. That tempers your behaviour and gets you a bit more normal. You continue enjoying yourself but everyone else is gone. The easiest way to find that structure is to get a job.” Since then, Leeson has kept busy – from speaking and writing a second book to serving as CEO at Galway United Football Club, a position he resigned from in 2011. He says: “The offers were flooding in to do other things and to do after-dinner speaking and conference speaking came on the agenda. “I would describe myself as extremely introverted and not a great communicator, so I had to go on courses. I like to think I have become an accomplished speaker, and I speak in various places around the world.” Leeson, now happily married to Leona, may have given up the high life of a trader, but he says this has required a “reshaping” of what he initially viewed as success. “People can gain success simply by putting food on the table for their children,” he says. ■

Getting your facts right Bank on specialist firms to provide independent analysis and expert witness support INDUSTRY VIEW

ith the recent spate of regulatory investigations and litigation related to market manipulation and fraud, banks are increasingly relying upon specialist firms to provide independent analysis and expert witness support. Imagine a trader accused of insider dealing: profiting from options that paid out on a stock falling when another large proprietary trade was executed by a different trader at the same bank in the same stock at the same time. This poses a huge challenge for the bank to objectively understand whether trading the options was a legitimate strategy or whether the options trader potentially acted upon inside information. This is easier said than done as the factual history is likely to be locked up in thousands of emails, chat messages and telephone calls. Trade details are often held within different systems within the bank which are set up primarily to allow their traders to execute orders and report profit and loss accurately, rather than to be interrogated in the many different ways necessary to establish whether or not inappropriate behaviour has taken place. Specialist firms like Navigant can retrieve, order and make sense of the terabytes of data required to determine these facts by searching and analysing large volumes of emails, chat messages, recorded telephone calls and trading system data. It is also possible to set up a “virtual” risk system to independently recreate and simulate the trading history using contemporaneous market data. Once this system is built, various analyses can be run to verify the narrative provided by the trader aligns with the factual information. Such analysis helps to paint a picture of the

trader’s typical trading pattern in options. For example, the system allows for the behaviour of the trader in response to changes in the market, client activity and risk positions during the course of the day to be looked at in detail. If it transpires that a trader tends to trade offsetting “hedge” trades whenever it trades with a client, and that the option strategy pursued was consistent with this behaviour, then it becomes more easily defensible. If, on the other hand, the trader’s strategy added to the overall risk, was executed at a different time to client trades or was more generally at odds with the normal trading behaviour then more questions and doubts can emerge. Sarah Cannon (below), director at Navigant, says: “The results of such analyses may not always be good news for the financial institution involved. However, they provide valuable information to help form a judgment as to which parts of the investigation or litigation are worth defending against, allowing cost effective decisions to be made.” 020 7469 1111 sarah.cannon@navigant.com

Business Reporter · August 2014

Risk & fraud

Find us online: business-reporter.co.uk

ExpertInsight

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Winning in the face of uncertainty Transforming risk management to balance defensive resilience with offensive agility INDUSTRY VIEW

hile the scale and magnitude of Brazil’s loss to Germany at the World Cup shocked us all, the result wasn’t that surprising when one considers how each team responded to the risks and uncertainties they faced. Brazil had lost key players and had the weight of a nation’s expectation on their shoulders; Germany had the pressure of unfulfilled promise from their golden generation, an unpredictable adversary and an extremely partisan environment to play in. Faced with this volatile environment, Brazil pinned their hopes on past reputation, rigid tactics and technical ability. In contrast, Germany recognised the uncertainty, planned meticulously for different scenarios and made decisions based on foresight, and in doing so leveraged their defensive solidity as a springboard to charge forward. One team sought to manage risks by doing more of the same; the other understood uncertainty, exploited it in innovative ways and created a unifying rallying call solely focused on their goal – winning.

The world we live in Its clients tell EY that the volatility of global business environments and markets has increased dramatically, the velocity of change has never been greater, and the visibility of their strategy operations, investments and actions is very high and travels at light speed. Yet they worry that their ability to recognise and manage the uncertainties embedded in these challenges is not growing and being applied at the same pace, as one CEO put it recently. This represents both a grave threat

to companies and a significant set of opportunities lost. For example, internet accessibility has grown exponentially in recent years (the average UK household now owns more than three types of internet-enabled device, with one in five owning six or more), yet many “bricks and mortar” retailers have not effectively evolved to maintain competitiveness with online retailers, and have lost or are losing market share. How did their risk-management practices allow this performance drop? What could they have done differently while the risk was still emerging? Are they missing future signals?

From list management to true risk management Amid this change, many organisations continue to operate risk management programmes that have not evolved and may not protect them from today’s risks. They are still seen as an exercise in compliance – compliance with a risk process that generates lists, registers and reports, but provides limited performance insight, and a technical solution that the business does not or is not able to use to inform decision making. This causes risk management to lose much of its credibility. There is no doubt that monitoring and compliance are critical for any healthy organisation; they are the foundations on which a performance-enabling risk management capability needs to be built. However, there is additional benefit to be derived from putting risk management on leaders’ agendas, given its potential to inform, influence and even set a company’s strategy. EY research found that companies in the top 20 per cent of risk-management maturity deliver three times the level of EBITDA of the bottom 20 per cent. When distilled, this maturity is reflected in successful organisations balancing both risk resilience (defence) and risk agility

(offence), and harnessing uncertainty to derive competitive advantage. Wouldn’t it be great if you could increase the predictability of your business outcomes? Predicting change is a tough proposition which gets exponentially harder the farther into the future you look. However, identifying areas of uncertainty in business plans and expectations is easier, and more actionable as well. In the case of physical retailers versus online channels, there was uncertainty around customer acceptance of new channels and technological capabilities. Would things

Wouldn’t it be great if you could increase the predictability of your business outcomes? have turned out differently had some of them built indicators and triggers based on those factors, instead of online retailers’ top line revenue growth? By the time their revenue had grown to significant levels, the new marketers had already solved most of the uncertainties and cemented their position. Understanding uncertainty means challenging basic assumptions and envisioning new ways to view the world. Directly linking ongoing performance metrics to the ability to react quickly to risk enables business leaders to become the first line of defence and truly own both the business and the risk agenda. Stakeholders then have greater visibility into the health of the business and better information to support strategic decisionmaking, with the resulting benefits of fewer surprises, operational efficiencies, and improved predictability of results. They are also better equipped to assess and act on opportunities, rather than having them pass by unnoticed.

Managing uncertainty to build a better working world Understanding the nature of uncertainties that can, or have the potential to, dramatically

impact business performance, and then using that awareness to improve decisionmaking, is a critical starting point. Consider the FMCG company whose bottom line was subject to a £200million volatility range due to supplier quality issue uncertainties; it had no visibility of the likelihood of suffering this hit. By identifying the components of that uncertainty range (supplier adherence to quality assurance processes, supplier vetting issues, etc), it was able to focus on the key issues driving results’ variability and reduce potential negative effects on its profit and loss. The benefits realised in this predictability both freed up resources (capital) to deploy elsewhere, and stabilised performance outcomes. EY recommends a four-point agenda to make risk management more valuable: • Determine what key uncertainties your business is facing, relative to its performance objectives • Align your company’s risk profile with its risk appetite • Embed risk-enabled decision-making insights into the rhythm of the business • Create a risk-conscious culture where accountability for managing risks is set and managed from the leaders down This agenda lies at the heart of a risk-enabled performance approach to business, connecting risk insights to both value protection and creation. This is the future of risk management, and more importantly, a better pathway to improved business performance and competitiveness. As the FD of a major infrastructure business recently told us: “Today we have performance discussions and hope that the underlying risks and uncertainties are being managed; my wish is to have a risk conversation with my colleagues, knowing that when we get that right, performance will automatically follow.” Ashish Singh (far left) is risk transformation director at EY asingh1@uk.ey.com www.ey.com/advisory

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Like us: www.facebook.com/biznessreporter

Risk & fraud

Find us online: business-reporter.co.uk

Kidnapping: the next big risk

ExpertInsight

Corporate kidnapping is already a danger in the extractive industries

By Dave Baxter COMPANIES face new challenges as kidnapping becomes “ugly and organised” in certain parts of the world, an expert warns. Nick Powis, a crisis consultancy manager at Marsh, an insurer that covers kidnapping, says that firms have good practices in the more established economies but that the greatest potential – and some of the biggest risks – can be found in the newer, “frontier” markets. “We know about places like Pakistan, Iraq and Syria,” he says. “People really do dig in and spend a lot of money on their front-line mitigation. In Iraq there’s a lot of depth to people’s security layers. People do very often have good housekeeping in these territories. But you have less research in emerging territories like Mozambique.” He warns that in areas such as these, the threat of kidnapping is becoming more of a concern. “There’s kidnapping that’s getting ugly and organised,” he says. “That could expand into the oil and gas sector. It can be quite challenging.” He notes that kidnapping in newer markets can have a variety of forms and causes. “The spectrum of kidnapping is quite wide,” he says. “It could come for a number of reasons. It can come as a result of blackmail and extortion or be more spontaneous, or it can be totally targeted and the kidnappers could go after a key person in the business.” And he claims that while certain industries such as the oil and gas sector have significant experience in dealing with kidnapping, some companies can leave their preparations “far too late”.

He says: “You should always map out your business and key relationships. But firms think it’s always a cost and never a benefit, so that layer tends to be added on far too late. Often it’s an incident or a near miss that causes them to take action.” A number of the “frontier” markets – which are seen as having potential for huge growth but not being as stable as more developed options such as the BRICs – have been tainted by kidnapping. Mozambique may have had a number of incidents in recent years, but it is not alone. Nigeria’s economic potential is attracting attention, but Boko Haram, a militant Islamist group, has made waves with a series of abductions, as well as bombings and murders. Earlier this year more than 200 schoolgirls were abducted, with Boko Haram claiming responsibility. Bring Back Our Girls, a global campaign, has been calling for their return since then. A number of the frontier markets are attracting businesses because of their abundant natural resources and the wealth rapidly generated from these. But Powis warns that this can attract “trouble”. “The mining industry, the prospecting industry and oil and gas, they have got a lot of experience,” he says. “Historically it’s a bit of a pantomime. Wherever you find oil, you find trouble.” He says some less experienced industries may need to learn quickly if they want to avoid problems in unpredictable countries – and that individuals can sometimes create risks through “ad hoc” travel. “These industries are quite strategic and they do drive that and they are willing to pay for it,” he says. “But you also get the financial

services sector and they get a portfolio and it might involve these markets. “I have also dealt with a couple of cases where businessmen and women may go to one territory on a task and then to another territory in an unplanned move. It can be somewhat ad hoc. They go from a somewhat benign area to deeper water. That sort of thing happens a lot, though it doesn’t always end up causing problems.” Some industries seem to be taking kidnapping, and broader geopolitical risk, into account. A recent report, “Emerging and frontier markets: assessing risk and opportunity”, published by Cushman and Wakefield, a real estate firm, warns about the threats in newer markets. It reads: “Recent political unrest in the Middle East and across the world has increased the security risks related to both corporate assets and also employees, especially in the emerging and frontier markets. “Existing political systems in many countries are under pressure and states with poor governance and cultural tensions are susceptible to terrorism and other crimes, such as piracy, kidnapping and bombing. Operators of property must redesign and continually review their approach to many of these markets.” For other industries, risks such as kidnapping are becoming more prominent. But Howis believes that some of these sectors are more experienced than people realise. “There are issues around deployment in a supply chain,” he says. “ Supply c ha i n m a nage me nt ha s probably got deeper and wider, but the industry has dealt with issues like these for a long time.”

Five strategies to combat online fraud INDUSTRY VIEW

raud is continually evolving. It can hamper prospects for growth, restrict profitability and increase overheads. While there is no simple solution to this threat, there are some strategies to help mitigate fraud.

1 Unmask even the most determined fraudsters Proxy piercing and device fingerprinting can help pinpoint a customer’s true location, enabling retailers to establish automated rules to filter and block suspected transactions.

2 Manage risks country-by-country IP geo-location tools offer retailers the ability to identify threats and block transactions from high-risk countries.

3 Monitor and review multiple channels Analysis of payment data can help identify fraud patterns per sales channels.

4 Use your data to detect “clean fraud” Reviewing fraud-related chargebacks across criteria such as country, product and channel may help to spot trends and identify patterns.

5 Track potential friendly fraud An order history based on chargeback analysis can be used to help prevent further fraudulent attempts from the same customer, card number or shipping address. Finding the right balance between fraud prevention and a seamless shopping experience is key for success. Your payment acquirer can analyse your fraud and payment data to help identify patterns and highlight potential improvements. 0845 399 1120 chasepaymentech.co.uk Chase Paymentech Europe Limited, trading as Chase Paymentech, is a subsidiary of JPMorgan Chase Bank, N.A. and is regulated by the Central Bank of Ireland. ©2014, Chase Paymentech Europe Limited. All rights reserved. The information herein does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients and any recipient of this document shall make its own independent decision. This document and the information provided herein may not be copied, published, or used, in whole or in part, for any purpose other than expressly authorised by Chase Paymentech Europe Limited.

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Risk & fraud

Find us online: business-reporter.co.uk

BT takes steps to safeguard employee pensions time-bomb Captive domiciles such as Guernsey will now have to compete with separate captive insurance firms

UK offshore havens face new challenge

ExpertInsight

THE ISLE of Man, Dubai and Guernsey, all known as captive domiciles, are being joined by a new rival – the US state of Ohio. Legislation has recently been signed meaning that businesses will be able to create captive insurance companies in the state in order to cater for their own insurance needs. Ohio joins a number of other states which allow captives, meaning it already has some competition. The state of Vermont, for example, is known for actively courting them. Last year, Vermont’s governor, Peter Shumlin, announced that the state had licensed its 1,000th captive insurance firm. Captives, which are set up to deal with a parent company’s insurance needs, can be attractive to host states because of their potential to bring in potential jobs and tax revenues.

By Dave Baxter A PENSION scheme for the telecommunications giant BT has set up a captive to safeguard its future against an ageing membership. Like many ot hers, t he pension scheme faces the issue of its members living for longer, meaning that providing for them in retirement could potentially cost much more. The BT Pension Scheme has now set up a captive in order to provide longevity insurance and reinsurance to protect itself from these extra costs. A release published on the scheme’s website claimed that the new arrangements “cover over 25 per cent of the scheme’s total exposure to improvements in longevit y, covering some £16bi l lion of t he sc heme’s liabilities”.

BT is taking measures to protect itself from an ageing workforce’s pension demands

T he c omp a ny ’s p e n s ion scheme had 318,751 members as of June 30 2013, according to its own figures. In a report published last year, entitled “Longevity risk transfer markets: market str uct ure, growth drivers and impediments, a n d p o t e n t i a l r i s k s ”, t h e Basel Committee on Banking Super v i sion, wh ic h br i ng s together experts from across the world, warns of longevity risk and its effect on pensions worldwide. It say s: “ L ongev it y r i sk – the risk of pay ing out on pensions and annuities longer than anticipated – is a major risk for the sustainability of retirement systems around the world. “While longevity risk-holders are much focused on investment r isk s, a one-year longev it y underestimation is expected to cost them between $450billion and £1trillion in aggregate.”

Guernsey – home of the captive A location where you’ll find expertise and experience INDUSTRY VIEW

ecent data suggests that the developed global economies are recovering from the financial downturn and the UK is making much quicker progress than many other comparable centres. However, I am sure that, despite this upturn in prospects, many business leaders will be keen to take advantage of the cost savings and risk management efficiencies afforded by captive insurance. If you do then it is worth considering that an important factor in establishing a captive is the choice of domicile. Guernsey’s first captive insurance company was established in 1922 and this heritage has helped the island grow significant experience and expertise. Today, the island plays host to leading global captive insurance managers such as Aon, Jardine

Lloyd Thompson and Marsh and Willis, as well as independent, boutique operators such as Alternative Risk Management, Hepburns Insurance, Kane and Robus. The number of international insurance entities managed by providers in Guernsey has risen by 96 in the 12 months to the end of May this year, taking the total number domiciled in the island to 796. Indeed, the island is the largest captive insurance domicile in Europe and number four in the world. Guernsey’s status as a British Crown Dependency which is English-speaking, uses sterling and is in close proximity to and within the same time zone as the rest of the British Isles has helped attract a large number of captives from parent companies based in the UK. Our client base includes some 40 per cent of the

FTSE 100 companies which have a captive, such as BP, BHP Billiton and Tesco as well as UK government-owned entities such as Network Rail and Transport for London. The island’s location between the UK and France also means it has attracted captives from parent companies based around Europe. However, international insurance business in Guernsey is also increasingly coming from much further afield. A major attraction of Guernsey in more recent years has been the island’s early commitment not to seek equivalence with Solvency II. Guernsey is in Europe geographically but it is not in the EU and therefore adoption of EU directives is on a voluntary basis. The island has decided that seeking equivalence to Solvency II would not be

in the interests of its captive insurance sector – instead, we will continue to meet the standards of the International Association of Insurance Supervisors (IAIS). This provides a stable and proportionate regulatory environment for captive insurance in Guernsey. The island is also considered an innovator in insurance legislation. Guernsey pioneered the cell company concept when it introduced the Protected Cell Company (PCC) in 1997. Until then, captives had been the preserve of larger organisations but the innovation enabled small and medium sized enterprises to “rent” a cell of a PCC and thereby take advantage of the captive concept without the associated costs of establishing their own fully-fledged insurance company. Indeed, a growing number of new captive formations are coming from the SME market according to the Marsh captive benchmarking report for 2014. There are many benefits to having a captive and we believe that they are optimised by choosing Guernsey as the domicile. Fiona Le Poidevin (far left) is chief executive of Guernsey Finance +44 (0)1481 720071 www.guernseyfinance.com

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Like us: www.facebook.com/biznessreporter

Risk & fraud

Find us online: business-reporter.co.uk

Charities urged to consider captive insurance firms By Dave Baxter

ExpertInsight

LARGE charities could increasingly look at captive insurance as a way of saving costs and controlling investments, experts argue. Setting up a captive – a firm which the parent company then uses for its own insurance needs – has long been an option for large corporations looking to bring together different forms of risk, particularly if they need to insure multiple operations across the world. But as they look to cut costs and stick to tight rules, the bigger charities could begin to get involved. Paul Hopkin, technical director at the Association of Insurance and Risk Managers in Industry and Commerce (Airmic), says charities are increasingly looking at the financial advantages of using captives. “We have a number of charities that are members of Airmic, and I think there is a general trend of charities looking more carefully at the expenditure in all areas around insurance,” he says. “I think as part of that closer scrutiny there are a couple of trends. One is looking at the policies around the world and asking if it’s possible to pool all the risks into one insurance policy. “If you can do that, you

The Red Cross in Guatemala last month – some charities could save money by investing in captive insurance, claim experts

c a n a sk ab out t he deductibles and policies around the world and you wonder if you can take one very big deduc t ion f rom this global pool. T here is also a rationalisation of it

to save costs and have a tighter control of how you handle risk.” Katherine Outhwaite (left ), commercial director for the global captive practice at Willis, an insurance broker, says: “A benefit for very large, international charities is the use of a captive as a central co-ordinating point for all insurance purchasing, ensuring

that local divisions or projects get the full benefit of being part of a global community rather than having to negotiate locally with insurance providers.” But captives are not without their disadvantages. Hopkin warns that charities should consider them “with their eyes open” and notes that initial

costs are likely to exclude smaller organisations. “The difficulty, as with commercial organisations, is finding the capital,” he says. “If you are going to write a £5million insurance policy, then you have to have £5million.” And though charities will manage to save money in their captives if no insurance needs to be paid, an unexpected claim could lead to a financial shock. Outhwaite warns: “Whenever risk is retained internally, rather than transferred externally, there is downside risk. “A l t h o u g h m a n y c a p t i v e programmes are designed to limit this as much as possible, there will always be the chance of an unexpected, significant event. “A p p r o p r i a t e r e i n s u r a n c e protection, and a clear understanding of the financial tolerance and risk appetite of the charity is critical, as is the use of analytical and actuarial tools and forecast losses.” Hopkin also believes certain charities will want to ensure that their captive arrangements match their ethics and ideals. “If a charity is UK-based and feels it should run things out of the UK, it may need to be sensitive about things like setting up a captive elsewhere,” he says. “But generally, I don’t think there should be any difficulties. In terms of tax and reputation, captives are not dodgy.”

Dublin demonstrates the value of the captive model INDUSTRY VIEW

hen Facebook’s Mark Zuckerberg said, “The biggest risk is not taking any risk... in a world that’s changing quickly, the only strategy that is guaranteed to fail is not taking risks”, his bold statement omitted a vital aspect of the equation: while failing to take risks may well result in failure, failing to manage risks is also likely to end badly too. Enterprise risk management, once disparaged as business school jargon, is now recognised as key to every business and every board. As boardrooms have developed their risk appetites, risk management strategies and risk transfer mechanisms, the captive re/insurance sector has similarly evolved. Within the EU, the impending regulatory changes under Solvency II, to come into force

at the beginning of 2016, are implementing greater levels of sophistication in terms of risk management, corporate governance, strategies, processes and reporting. The robust processes of Solvency II implementation are increasingly aligning with captive owners’ objectives, driving parent company activities such as risk governance and mitigation strategies. In addition, using a captive for efficient allocation of capital to risk and the opportunity to centralise costs are driving out frictional costs. For several years, it has been identified that Solvency II will enhance the centralisation of capital, and for parent companies with international risks – particularly within the EU/EEA – those efficiencies are already being accomplished. At the same time, as risks evolve faster and faster, captive solutions are able to flex quickly to respond to these changes, as well as react rapidly to parent company

changes in risk appetite. Increasingly, areas such as cyber-risk and trade credit, as well as more established property and liability covers, are being written as part of the captive risk portfolio. Over the 25 years that captives have been established in Dublin, times of market dislocation such as 9/11, major natural catastrophes and the global financial crisis have demonstrated the persistence and value of the captive model to parent companies. +353 1 775 9448 www.dima.ie

Business Reporter · August 2014

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Like us: www.facebook.com/biznessreporter

Risk & fraud

Find us online: business-reporter.co.uk

Inspector Dogberry

Dogberry, for one, has been feeling pretty upbeat about the economy lately. But what risks remain? The biggest threat to stability could be a change of government in 2015, according to a recent poll by professional services firm Deloitte.

By Natasha Clark, web assistant

u Editor’s pick Fraud Happens

When it comes to risk

change. But because they have

were already affecting them.

management, more and more

trouble quantifying the financial

But 84 per cent said they did

112 CFOs were asked to review

http://fraudhappens.wordpress.com

businesses are concerned about

costs of this, they are failing

not measure the costs of this,

different events, giving them

things they can’t always see or

to come up with “suitable risk

and 38.8 per cent believed a

a risk rating of between zero

touch. This could be an imminent

mitigation strategies”.

return on investment would

and 100. The 2015 election

be needed before they could

had the highest rating, of

If Paul McCormack were ever to succeed in preventing all fraud, his blog would become obsolete. But he knows that’s not happening anytime soon, so instead encourages businesses to get clued up and invest in prevention methods. With a range of news, tips, polls and opinion going back a few years, this is an interesting read for anyone in fraud prevention.

cyber attack, or the reputational fallout of a particular decision. Firms may be wise to worry

The ‘Resiliency: adapting to extreme weather events and a changing climate’

spend on strategies against climate change. If extreme weather becomes more

As part of the research,

55, followed by a possible EU referendum on 50 and a rise

about intangible risk and how

report, published

to respond to it. But have they

by insurance and

forgotten the other issues? One

risk management firm

could begin to take

approaching, will it be a

report suggests that, in London

Marsh, noted that 62

action. But how

tense year

at least, businesses are well

per cent of business

much damage has

for British

aware of the commercial impact

surveyed thought

to be done before

business?

of one tangible risk - climate

“extreme weather events”

they act?

Dogberry’s more regular readers may remember his fascination with an annual risk report published by the World Economic Forum (WEF). The publication highlights pressing global risks, from environmental concerns to social developments. But it was a note about a “lost generation” of workers that caught the inspector’s eye in the 2014 edition. It reads: “The generation coming of age in the 2010s faces high unemployment and precarious job situations, hampering their efforts to build a future and raising the risk of social unrest. The generation of digital natives is full of ambition to improve the world but feels disconnected from traditional politics. Their ambition needs to be harnessed if systemic risks are to be addressed.” What can be done to get the most out of this group?

frequent, firms

ExpertInsight

in UK interest rates was rated 46. With the election

Bubble trouble Is the

bubble, claiming that mortgage

government’s

regulations announced by the

Help to Buy

Bank of England were “reducing

scheme creating

the risk of overheating and

unnecessary risk? The initiative

increasing the long-term health

aims to get more buyers on the

of the market”. Perhaps the

property ladder – but some think

scheme has some life in it yet.

it could pump air into a possible

Corporate Frauds Watch

http://thefraudblog.com

Mainly focusing on corporate fraud in India, but written in English, this regularly updated resource is a great news site for the latest developments. It goes back as far as 2008, and featured hundreds of dedicated information, comment and legal information on cases.

The Fraud blog focuses on a variety of different kinds of fraud, but stands out because of its simple, clear format and the use of fun infographics to brighten up topics which don’t usually lend themselves to such things. The blog also features links to other information and tips for employers.

Clear Risk

Whether it creates a major

http://www.clearrisk.com/riskmanagement-blog

risk is yet to be seen, but Help to Buy is working for some. Taylor Wimpey, a housebuilder, claims that 42 per cent of its completed sales in the six months running up to June 29 have involved the down any concerns of a housing

The Fraud Blog

http://corporatefraudswatch. blogspot.co.uk

London property bubble.

scheme. The company played

Twitter: @dogberryTweets

Reportable (iOS, Free)

ACFE app (iOS, Free)

Designed to help risk managers keep track of their firm’s potential risks, this records events while suggesting alternative solutions.

This app allows fraud managers to keep up to date with the latest news, watch videos and purchase training.

This risk management blog from Clear Risk features a wide range of different risks that businesses could suffer damage from, covering everything from public liability to retail and social media. It has a range of formats too, as well as detailed interviews with industry experts.

Leveraging big data Fraud prevention could be your answer to increased sales INDUSTRY VIEW

ig data is a hot topic for merchants worldwide, as billions of us shop online. One by-product of our online lives is the growing amount of data available to merchants, which is incomprehensible to most. By 2020, there is predicted to be more than 3,000 petabytes of big data. The good news is that, in recent years, our ability to analyse data on this scale has increased, allowing detailed and meaningful analysis, and this is often the key to success if we know where to find it. At Kount we use data principally to prevent fraudulent

transactions being processed, but increasingly our analysis is being used to drive key decisions. An example of this in action is US-based online retailer HealthDesigns.com, which had a fraud problem that Kount solved. As a fraud-prevention platform Kount reviews more than 250 data elements in real-time, including where in the world the customer is, shopping cart information, whether a customer is using a mobile device, laptop or desktop computer and where the goods are being delivered. These are just a few examples but this data, in the hands of a marketer or sales director, could and should be used to improve a merchant’s bottom line. These data elements reveal hidden relationships that can assist online companies in key areas, including customer service, fraud prevention, marketing and

promotional activities and better sales conversion – even informing online firms which new countries to target. HealthDesigns reviewed the data, saw an opportunity and began international expansion that allowed movement into new territories, resulting in $40,000 of incremental monthly revenue. Big data analytics can be a difficult skill to master, but with expert third-party agencies dealing in things like fraud prevention, online retailers can make the most of data they already have for a better customer experience and top-line growth. Bradley Wiskirchen (far left) is CEO of Kount 0844 293 9764 kount.com

22 · Business Reporter · August 2014

Harold Macmillan To be alive at all involves some risk

Risk & fraud Industry view

Business Zone

“

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

How do we hit a moving target?

The future Finding the known unknowns

owerful technological advances in modelling are making it easier for analysts to run more and better analyses to understand risk. Models continue to advance but the temptation to get ever more accurate results can, however, divert risk analysts from getting the right answer. Running analyses with software models can trigger the same psychological stimulation that makes computer games so popular. We enter data, set parameters, perform the analyses and generate results. As with computer games, with each new version the harder it gets to perform the tasks, the more satisfying it can become. However, spending time analysing what we can – because we can – while ignoring the impact of what we don’t know, is an easy and sometimes costly mistake to make. Good risk-management practice requires understanding the risk transfer and

then taking it to the next level by interrogating the results. Thinking around a problem to establish what is not known, however, is uncomfortable and unfamiliar territory for many analysts. There are fewer guidelines to follow. Business tends to reward people that provide answers rather than those that pose more questions. Hurricane Sandy is a good illustration of this. Losses for this catastrophe were primarily from coastal flood. Flood levels were not anticipated, properties with basements and high-value contents in the basements were not well recorded, and flood insurance coverage terms were ambiguous. Yet, even with an abundance of data and analyses these details had not been picked up. Every company is unique and has a unique and complex set of risks. With the right tools and approach risk analysts can find the connections between

things and by challenging their own analytics they can find the “known unknowns”. Risk management is about envisioning and contingency planning for possible future problems, and models will remain the primary tool for understanding, measuring and pricing risk. Using analytics to compare alternatives is as important as getting an accurate result. Often, the very act of performing an analysis is valuable because it identifies what is missing in the original information. As models continue to become more sophisticated, risk analysts must strengthen their decision-making by having a strategy for testing their own analytics. Matthew Grant (above) is head of client development, RMS 020 7444 7600 www.rms.com

The aftermath of Hurricane Sandy in New Jersey

In focus Keeping an eye on the weather: Why it pays to plan

s your business prepared for the worst the weather can throw at it? If it is prepared today, what about the future? Heavy rain, snow, ice, extreme temperatures and high winds will all have an impact on most businesses at some point. If you are making strategic decisions, do you understand how weather and climate change might affect your business? The damage caused by natural hazards is predicted to increase to £2.25billion per year by the period 2040-60. That compares with a figure of about £1.5billion today.

There is no need to be frightened of the future, but it is imperative to understand how weather and climate change might affect your business and quantify uncertainty and risk. The Met Office helps people prepare for whatever the weather and climate have in store by providing everything, from underpinning science to sophisticated bespoke products and services. For example, the Met Office supplies the aviation industry with a de-icing service helping to ensure punctuality, efficiency and

safety. Supply and demand, safety and efficiency are obvious weather-related risks and opportunities for the energy industry. Using Met Office guidance, businesses such as onshore and offshore wind farms can take advantage of weather windows instead of enduring downtime, and Met Office science and services help developers select the best wind farm sites across Europe and maximise output.

In summary, working in partnership with the Met Office can help make businesses more resilient to the weather and climate and often provides a real competitive advantage. www.metoffice.gov.uk

The misuse of virtual currency systems and the concealment of the ownership of criminal assets using complex corporate structures are just two emerging methods used by organised criminals. The Financial Conduct Authority has been critical of the banking sector for not doing enough to protect customers from frauds that do not result in direct losses for the banks. The recent Liberty Reserve case highlighted the use of a virtual currency system that enabled the use of fictitious names and addresses by criminals, to move more than US$6bn of proceeds from fraud and drug crime. Banks were implicated in the scandal due to having relationships with broking houses for Liberty Reserve. High-profile reports from the World Bank and the ICIJ have highlighted the abuse of complex corporate structures to conceal the true ownership of assets obtained through fraud and corruption. The misuse of nominee directors and shareholders and falsification of customer due diligence has been facilitated on an industrial scale by corrupt corporate service providers and professional trustees. Firms are increasingly battling to identify the true control structures of their customers and ensure their staff, the first line of defence, do not follow processes blindly but think critically, consider plausibility and understand the inherent risks in complex structures or payment methods. Firms, regulators and law enforcement must keep up to date with the latest trends by looking outwards at intelligence and emerging typologies. After all, unless we know our enemies, we have no hope of defeating them. Pekka Dare is global head of AML/financial crime prevention, International Compliance Association (ICA) +44(0)121 362 7534 int-comp.org

Business Reporter · August 2014 · 23

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

In a world of changing threats, are you covered?

Proactive measures are critical to fraud protection

Probably not to the extent that you hope…

nstinctively, we all understand the business world has changed and the proliferation of new technologies has shifted the way in which companies operate, and with that, the risk landscape. Historically, theft of funds and fraud were risks associated with physical criminal activity. This has been revolutionised to such an extent that business owners and risk managers should now appreciate that potential theft of intangible assets, customer data and disruption of IT networks are of equally significant concern. Identity theft, whether involving credit card numbers, bank account details, e-commerce account details or other Personally Identifiable Information (PII), represents a very real threat. These threats can cause significant financial damage to any institution, whether financial or commercial, SME or macro-cap. Likewise, the demarcation between institutions whose operating model was technology based and those that provided traditional advisory or execution services was historically acute. Advancements in both consolidation and service propositions now mean that such clear daylight between these services is often not possible. Skilled, professional advice is required to ensure these insurance needs are accurately identified, addressed and protected with marketleading, bespoke solutions. Legislation adds a further layer of exposure and complexity to clients’ needs. Arguably, the July 1, 2003 California Security Breach Notification Law set a precedent, the effects of which have rippled throughout the developed world. By placing the onus on companies to notify customers if their personal information may have been compromised, such laws create additional new financial risk. Financial risks associated with data security breaches can be fatal for some companies. For instance, the litigation

that Target Corporation in the US is presently defending from banking institutions for the costs of reissuing 40 million credit and debit cards would be cataclysmic for a firm with less available financial resources. Even in the absence of specific legislation, and in the context of social networking technologies that enable individuals to share information at lightning pace, we rightly have a real expectation that the firms which we trust would advise us of any potential unauthorised access to our data, and that they would also assist us financially in mitigating our position. The costs associated with such mitigation, whether they be in the form of helplines or credit file monitoring, are significant. Such costs are now insurable. The message is clear. We acknowledge the world has changed and therefore we must acknowledge that historical solutions designed to provide historical protection are no longer adequate. Professional and expert advice and guidance is required, insurance arrangements should be changed, with obsolete solutions discarded in favour of appropriate solutions that address the changed and changing landscape in which we trade. Calvin Barnes, Senior VP calvin.barnes@uk.lockton.com Stephen Bonnington, senior VP stephen.bonnington@uk.lockton.com

More sales revenue with less risk Or how to achieve the optimum balance between fraud rate and lost earnings in e-commerce

nline retail is booming. According to Forrester Research, annual growth in European online retail will be 12 per cent on average until 2017. In the age of globalisation, a growing number of retailers have to ask themselves the following question: How can I best protect my business from fraud attempts and avoid payment defaults? Protection against payment default in online retail should not be a static system but involve a dynamic process as those committing fraud are constantly developing and perfecting their cunning methods. Consequently, fraud patterns in e-commerce are extremely diverse and vary from sector to sector. It is absolutely vital that retailers examine and scrutinise their procedures for minimising payment default on an ongoing basis. However, when doing so, it is incredibly hard to maintain an overview. External service providers can help with this process. They can help retailers establish up-to-date and professional risk management solutions, without high initial investments being required. Intelligent guidelines and complex decision-making strategies combining a range of different methods are used to carry out realtime verification before the business transaction is concluded. “In this way, we increase the success rate of identifying fraud patterns in good time and enable sound decisions to be made as to whether a sale should be approved or denied,” says Carlos Häuser (below), EVP, payment & risk at Wirecard AG, a leading global provider of electronic payment systems and risk management. “However, completely eliminating fraud is not a realistic target. Retailers who are too hasty in rejecting transactions must take into account that regular purchases may be erroneously categorised as fraudulent, which would result in lost earnings. It is therefore key to achieve the optimum balance between fraud rate and lost earnings.” www.wirecard.com

he global landscape of fraud has changed drastically since the Association of Certified Fraud Examiners (ACFE) was founded in 1988. Back then, the very mention of fraud was considered taboo among many organisations. Today, fraud examination is a well-respected profession unto its own, and anti-fraud professionals are in demand thanks to fraud’s continuing impact. We can measure that impact in financial losses suffered by businesses, government agencies, investors and individuals around the world. Research for the ACFE’s 2014 Report to the Nations on Occupational Fraud and Abuse shows that, on average, organisations lose an estimated 5 per cent of their revenues to fraud. The median duration of a fraud scheme (until discovery) is 18 months, and the average loss per scheme is $145,000. The key to detecting fraud quickly and limiting its damage is to be proactive. Organisations that detect fraud through proactive measures such as surveillance/ monitoring, internal audit and management review of transactions tend to catch frauds quickly, with relatively low losses. By contrast, those who detect fraud reactively (eg, by confession, by accident, through their external auditors or by notification from law enforcement) tend to experience longer, costlier frauds. In other words, if you want to effectively address fraud, you have to seek it out. It is a simple message, but one that is too often overlooked. James D Ratley CFE is president and CEO of ACFE +1 (512) 478 9000 www.ACFE.com