Michael has extensive experience within risk and internal audit spanning across Australia and South Africa. This experience cuts across multiple industry specialisations including financial services, government and utilities. In the last five years he has gained experience working on fraud and whistleblower activities.

Have you got a risk management strategy?

With the commencement of a new financial year, now is the time to stop and think about how your organisation has weathered the risks in the year gone by and plan ahead for the future. If you are one of those businesses that has fared well in 2017, then it could be down to a case of good risk management or good luck. Sound and effective Risk Management is the best way to manage your risks rather than relying on good fortune, especially as you try to navigate through the challenges ahead in 2018.

Risk is not only about threats but also about forgone or lost opportunities.

With change being a constant, businesses need to be agile to be able to respond to the challenging and evolving risk landscape. In the year ahead, being prepared + proactively adjusting + timely response = agile.

Risks to look out for in 2018

To be agile, you need to consider risk management a priority and devote appropriate time to risk management activities. Some of the top risks likely to be faced by businesses in 2018 include:

  • New technologies (increased connectivity, nanotechnology, artificial intelligence, drones etc.)
  • Disruptive business models & innovation coming to market (e.g. Uber and the taxi industry, Airbnb and the hotel industry)
  • Macroeconomic developments and government policy directions
  • Cyber incidents and privacy breaches
  • New regulations
  • Negative events that can damage a reputation.

Risk Appetite Statement and Enterprise Risk Management Framework

Having in place an effective Enterprise Risk Management Framework supported by a Risk Appetite Statement should be an integral part of your business. Embedding of a risk culture within your organisation is the next step towards business success. A mantra that should permeate across your organisation should be: “Risk is everyone’s business – not just the management team”.

The risk appetite underpins your group’s strategic and business planning process. It involves the board of directors or owners setting the risk appetite within which management operates, highlighting those decisions outside of risk tolerances which need escalation to the board or owners. This could mean management is not authorised to accept risks that are assessed as “Extreme” or “High”, which require board/owner approval, for example an offshore expansion or a new product development.

An Enterprise Risk Management Framework refers to the overarching structure by which the organisation organises itself for managing risks. It includes things such as:

  • Defining the Risk Response Strategy (determining appropriate actions such as avoidance, reduction, taking alternative actions, sharing or insuring or just accepting the risk)
  • Articulating risk definitions and risk rating criteria
  • Developing and actively maintaining a Risk Register
  • Defining accountabilities and responsibilities for risk management
  • Defining the risk management process for your organisation and
  • Using watch lists to monitor emerging risks etc.

The key is ensuring that the level of risk management sophistication is appropriate to your business and seen as a value-adding aspect of running your business. It should never be a ‘tick the box’ approach or be in isolation from the core activities of the business.

Negative Events and Reputation Risk – Ethics Management

Managing your organisation’s reputation and brand as well as demonstrating your commitment to being a good corporate citizen means having in place the necessary systems to enable this. It is very much a part of sound risk management.

One of the neglected areas in managing business risks is considering the impact of negative events on your reputation and on your business, especially in the area of ethics. All it takes is for a small issue or event to snowball out of control and the next thing you find is that you are embroiled in controversy and embarking down the road of managing an ethics-related media crisis.

The last twelve months have seen a number of high profile reputations damaged through ethical misconduct matters raised by whistleblowers. These organisations failed to put in place an appropriate mechanism for wrongdoing to be raised, especially from an anonymous source, with the result that some whistleblowers took the last resort, which was to air their grievances through the media and bring events to a head.

Good governance on ethics starts at the top, and should pervade an organisation, becoming an embedded part of your culture. Introducing an external, independently managed hotline for individuals to raise concerns should be a key consideration in the year ahead.

Reasons why Ethics and Ethics Risk Management should be on your agenda

  • Sweeping new legislation is on the way. A Parliamentary Inquiry is currently underway looking at legislative change around whistleblower systems and protections;
  • Engaging your people as an employer of choice. Active policies and procedures backed up by a hotline support and encourage reporting of wrongdoing;
  • Providing assurance to your stakeholders that you have the required systems in place for identifying damaging allegations within a safe environment and that these are properly managed before they snowball out of control, thus protecting your brand;
  • Demonstrating that you are a good corporate citizen who values the input from your staff and others relating to wrongdoing even if it means some short term pain.

Now is the time to consider your risk management and ethics management response for the year ahead. For help in understanding your risks and developing appropriate strategies, including an independent whistleblower system, contact Prosperity Advisers on 1800 855 844 for a confidential discussion.

Cyber Security and WannaCry

In the news recently there has been coverage of a large global computer attack, infecting computers with a ransomware program called WannaCry. This attack has raised questions for SME businesses on what can be done to protect against these types of attacks.

Ransomware attacks can cause unnecessary stress and affect productivity, in addition to hurting your wallet. It’s important your business responds quickly if affected, and you make sure your systems are protected from these types of attacks.

What is ransomware?

Ransomware blocks access to a computer system or files until a sum of money is paid. It works by encrypting your data and demanding payment for its release, threatening the deletion of the data if the payment is not made.

How is ransomware deployed?

Ransomware can be deployed via phishing emails, attachments to emails and by exploiting weak network defences. Once a machine has been infected, the ransomware will attempt to spread to other computers.

How do I protect against an attack?

While it depends on the strain of ransomware, you can help to protect your system by:

  • Keeping your systems up to date – this attack takes advantage of a critical hole in older versions of Windows. Microsoft released a patch to cover the vulnerability in March 2017, so businesses with up to date software will not be affected.
  • Backing up your files – ransomware encrypts your data and demands payment for its release. An attack will be less concerning to those businesses who frequently back up their data. SMEs backing up their own systems need to ensure those backup systems can’t also be compromised if an attack spreads.
  • Educating yourself and your staff – small businesses lost over $2 million to scams in 2016, so it’s important to educate yourself and your staff on cyber security.

Do you have your cyber security under control?

Prosperity Advisers can assist you to develop and implement a cyber security plan, which covers:

  • Conducting regular scheduled system checks, including penetration testing and using your external auditor to assist.
  • Changing your security levels as required.
  • Identifying cyber security and forensic experts that you can call on when the need arises.
  • Implementing a breach plan, including a cyber security incident response plan which involves law enforcement agencies and regulators, and a press release statement.
  • Considering limiting the impact by putting in place cyber insurance cover which can provide both indemnity and liability cover.

For further reading on managing your cyber security risk, please refer to the Australian Cyber Security Centre (ACSC).

We recommend that you review your procedures and systems and if you are at all concerned about your cyber security, please get in touch with your Prosperity Adviser. To receive our Free Cyber Security Checklist and request one of our directors contact you to discuss your situation, please send an email by clicking here.

Organisations need ‘to step up to speak up’

Encouraging employees to report wrongdoing (‘blow the whistle’), and protecting them when they do, is an important part of fraud and corruption prevention and of creating an ethical culture in any organisation. With a joint parliamentary committee set to report in June – now is the time for organisations to act.

Audit committees, boards and executive teams ignore at their peril the danger of ineffective or non-existent ethics and whistleblower programs in their organisations. New rules are likely in Australia soon and are anticipated to be wide-reaching, affecting companies and not-for-profit organisations alike.

Prosperity has answered the call for professional and independent support. We offer a unique service in the Australian market – Ethics Matters – developed in conjunction with leading Canadian ethics and whistleblower specialist, WhistleBlower Security (www.whistleblowersecurity.com).

Designed to be intrinsically independent, Prosperity’s Ethics Matters and WhistleBlower Security approach provides support for organisations to create policies and procedures and then deploy an organisation-wide ‘speak up’ hotline with online portal and independent case management system, along with support for investigations and effective reporting.

Organisations with programs already in place often struggle to ensure independence as well as satisfy stakeholder demands for detailed reporting, trend analysis and quantification of the impact that fraud, corruption and wrongdoing are having on their organisation.

Globally recognised provider, WhistleBlower Security, is now available exclusively in Australia through Prosperity Advisers. Their state-of-the-art hotline and case management system facilitates anonymous and confidential dialogue between the reporter and an organisation’s representative, whether initiated through a call centre, fax, email or online. Each report is assigned a unique number and password to support that dialogue. Fast case management and resolution can happen in a protected environment and reporting can be detailed and in real-time.

Australians don’t need to go far to find damaging examples of poor detection and management of wrongdoing in organisations. Recent cases such as the David Jones sexual harassment allegations against the former CEO, and high profile cases at Seven News, Queensland Health, University of Queensland, NSW Health and Leighton/CIMIC, are all memorable examples.

Michael Mahabeer, Prosperity’s director in charge of Ethics Matters says, “From my experience on the other side, working in a large and complex corporate organisation, the implementation of an effective and independent program gave a voice to issues which would have gone undetected. It gave visibility to the Board and stopped issues escalating, effectively minimising the long-term financial impact from wrongdoing.”

Legislative changes in Australia are soon likely to drive companies and not-for-profits to implement programs and potentially report on wrongdoing too. Australia could end up following the United States in this regard.

Directors of boards have a responsibility to shareholders for ensuring their organisation is protected. Avoiding brand damage, which can have a lasting impact on revenue and profitability, must be a key consideration. Pulling the curtains back and providing support for employees to ‘speak up’ is going to be a key agenda item for boards across Australia in coming months.
