About Paul Curwell, CPP, CFE, CISSP

Paul is an experienced security, integrity, fraud & intelligence leader who works for a ‘big 4’ consulting firm. He helps mitigate physical, fraud, trusted insider, supply chain and cyber-physical threats for critical infrastructure, financial services and other clients. Prior to Deloitte, Paul was the global lead for intelligence and due diligence investigations at Australia’s largest bank for 5 years.

What are the main e-Commerce frauds targeting online stores?

Three challenges in eCommerce Fraud Protection

One of my side hustles is lecturing postgraduate university students on financial crime intelligence – this is all about how to identify and detect fraud and illicit activity in your data. I regularly tell my students (and clients) that fraud is really a ‘process-based crime’ – it arises because of internal control gaps in your business processes which equate to vulnerabilities for your business, and opportunities for fraudsters and criminals.


Different types of fraud arise at different points in the eCommerce process. Every fraud scheme has its own unique characteristics, which means we can prevent and detect it! From my perspective, there are three challenges in eCommerce fraud protection:

  1. Detecting customer profiles or transactions which are highly likely to be fraudulent with a low false positive rate (see here for explanation); and,
  2. Detecting the fraud in time to avoid incurring a loss (this is particularly hard with real-time payments and outsourced and / or automated fulfilment, where goods may be released before any review takes place); and,
  3. Striking the right balance between enough loss prevention measures to mitigate the risk (your ‘risk appetite’) and too many controls (which makes for a bad customer experience, impacting sales conversions and customer retention).

To illustrate this for eCommerce, I have used the four-phased eCommerce marketing lifecycle promoted by SmartInsights.com and overlaid where different fraud schemes can arise:

Three categories of eCommerce fraud schemes

Let’s deep dive into the three main eCommerce fraud schemes:

Account related frauds

Some eCommerce fraud schemes revolve around a user’s identity or account. Examples of ways in which this may happen, either at account creation or at account login, include:

  • Phishing – social engineering attempts to compromise users and their accounts
  • Credential stuffing – attempts to use credentials stolen from another breach to login
  • Account takeover – where a user’s account credentials or browser session is hijacked
  • Identity theft – a victim’s identity is stolen and used to obtain loans, goods, etc.

Payment Frauds

The second category of eCommerce frauds revolves around the payment or transaction itself, including:

  • Use of stolen / purchased credit card details
  • Card testing – criminals place small authorisations or charges on stolen card details to check whether a card is still valid before using it for larger purchases. The small charges are often later disputed by the cardholder, leaving the merchant with the chargeback
  • Chargeback fraud – shopper makes a purchase on their own card, then requests a chargeback after receiving the goods
  • Refund scams – shopper purchases something and asks for a refund before the product is delivered
  • Payment frauds – including card present and card not present transactions

Loss Prevention

The final category of eCommerce frauds is perpetrated by a user post-payment. Common fraud typologies include:

  • Change of address scams – the delivery address is changed after payment but before shipping, so goods are not sent to the cardholder’s residence
  • Returns fraud – consumer receives goods, uses them, and sends them back (effectively ‘renting’ them)
  • Product diversion – where goods are in effect stolen by trusted insiders (employees, contractors, suppliers)
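As an added example (it is not code from the original post), the following Python shows how two of the typologies above, card testing and a change of address after payment, can be detected with simple rules run over an order and payment event log, and how the hits can be turned into actions before a loss is incurred. The event log, the field names, the thresholds and the time window are constructed assumptions for illustration, not the logging format of any particular payment platform. The bargain-hunter case in the sample data is there to show the false-positive trade-off discussed above: low-value purchases alone are not enough to flag a source, so the rule requires many distinct cards and a high decline rate in the same window.

```python
"""Rule-based detectors for two of the typologies described above, run over a
constructed order/payment event log: card testing (many low-value
authorisation attempts across many distinct cards from one source) and a
delivery address change made after payment but before shipment.
Field names, thresholds and window sizes are assumptions for illustration."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data), roughly as a payment gateway and
# an order system would log them. "card" is a tokenised card reference.
RAW_EVENTS = [
    # Legitimate shopper: one card, one order, shipped to the checkout address.
    {"ts": "2023-06-01T09:00:00", "type": "auth", "ip": "203.0.113.10", "card": "tok_A1", "amount": 129.00, "result": "approved", "order": "o-1001"},
    {"ts": "2023-06-01T09:00:05", "type": "payment", "ip": "203.0.113.10", "card": "tok_A1", "amount": 129.00, "result": "captured", "order": "o-1001"},
    {"ts": "2023-06-02T08:00:00", "type": "shipment", "order": "o-1001"},
    # Legitimate bargain hunter: two cheap items on one card, both approved.
    # Low value, but a single card and no declines, so it must not be flagged.
    {"ts": "2023-06-01T11:00:00", "type": "auth", "ip": "203.0.113.20", "card": "tok_B1", "amount": 2.50, "result": "approved", "order": "o-1002"},
    {"ts": "2023-06-01T11:02:00", "type": "auth", "ip": "203.0.113.20", "card": "tok_B1", "amount": 1.99, "result": "approved", "order": "o-1003"},
    # Card testing: one IP cycles six different cards with $1 authorisations.
    {"ts": "2023-06-01T12:00:00", "type": "auth", "ip": "198.51.100.7", "card": "tok_X1", "amount": 1.00, "result": "declined", "order": None},
    {"ts": "2023-06-01T12:00:20", "type": "auth", "ip": "198.51.100.7", "card": "tok_X2", "amount": 1.00, "result": "declined", "order": None},
    {"ts": "2023-06-01T12:00:40", "type": "auth", "ip": "198.51.100.7", "card": "tok_X3", "amount": 1.00, "result": "declined", "order": None},
    {"ts": "2023-06-01T12:01:00", "type": "auth", "ip": "198.51.100.7", "card": "tok_X4", "amount": 1.00, "result": "approved", "order": None},
    {"ts": "2023-06-01T12:01:20", "type": "auth", "ip": "198.51.100.7", "card": "tok_X5", "amount": 1.00, "result": "declined", "order": None},
    {"ts": "2023-06-01T12:01:40", "type": "auth", "ip": "198.51.100.7", "card": "tok_X6", "amount": 1.00, "result": "approved", "order": None},
    # Change of address after payment capture but before the goods ship.
    {"ts": "2023-06-01T10:00:00", "type": "payment", "ip": "203.0.113.30", "card": "tok_C1", "amount": 899.00, "result": "captured", "order": "o-2001"},
    {"ts": "2023-06-01T10:20:00", "type": "address_change", "order": "o-2001", "new_address": "14 Example St, Elsewhere"},
    {"ts": "2023-06-02T08:00:00", "type": "shipment", "order": "o-2001"},
    # Address corrected before payment: normal checkout behaviour, not flagged.
    {"ts": "2023-06-01T09:30:00", "type": "address_change", "order": "o-3001", "new_address": "2 Sample Rd, Anytown"},
    {"ts": "2023-06-01T09:40:00", "type": "payment", "ip": "203.0.113.40", "card": "tok_D1", "amount": 45.00, "result": "captured", "order": "o-3001"},
]


def load_events(raw=RAW_EVENTS):
    """Parse timestamps and return the events in time order."""
    events = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]
    return sorted(events, key=lambda e: e["ts"])


def detect_card_testing(events, window=timedelta(minutes=10), max_amount=5.0,
                        min_cards=5, min_decline_ratio=0.5):
    """Flag source IPs that attempt many low-value authorisations on many
    distinct cards inside a sliding time window, with a high decline rate.
    Requiring all three signals together keeps the false-positive rate low:
    one customer buying several cheap items on one card never qualifies."""
    by_ip = defaultdict(list)
    for e in events:  # events are already in time order
        if e["type"] == "auth" and e["amount"] <= max_amount:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1  # slide the window forward
            chunk = rows[start:end + 1]
            cards = {r["card"] for r in chunk}
            ratio = sum(r["result"] == "declined" for r in chunk) / len(chunk)
            if len(cards) >= min_cards and ratio >= min_decline_ratio:
                best = flagged.get(ip)
                if best is None or len(chunk) > best["attempts"]:
                    flagged[ip] = {"cards": len(cards), "attempts": len(chunk),
                                   "decline_ratio": ratio}
    return flagged


def detect_post_payment_address_change(events):
    """Flag orders whose delivery address changed after payment was captured
    but before shipment. These should be held for review, not auto-fulfilled."""
    paid_at, shipped_at, changes = {}, {}, defaultdict(list)
    for e in events:
        if e["type"] == "payment" and e["result"] == "captured":
            paid_at[e["order"]] = e["ts"]
        elif e["type"] == "shipment":
            shipped_at[e["order"]] = e["ts"]
        elif e["type"] == "address_change":
            changes[e["order"]].append(e)
    flagged = {}
    for order, rows in changes.items():
        paid, shipped = paid_at.get(order), shipped_at.get(order)
        for change in rows:
            after_payment = paid is not None and change["ts"] > paid
            before_shipment = shipped is None or change["ts"] < shipped
            if after_payment and before_shipment:
                flagged[order] = change["new_address"]
    return flagged


def triage(events):
    """Turn detector hits into actions a payments or fulfilment team can take
    before a loss is incurred (the second of the three challenges above)."""
    actions = []
    for ip, stats in detect_card_testing(events).items():
        actions.append(("block_ip", ip,
                        f"{stats['cards']} cards tried, {stats['decline_ratio']:.0%} declined"))
    for order, address in detect_post_payment_address_change(events).items():
        actions.append(("hold_shipment", order, f"address changed after payment to {address!r}"))
    return actions


if __name__ == "__main__":
    for action in triage(load_events()):
        print(*action)
```

Run stand-alone, the script reports one `block_ip` action for the card-testing source and one `hold_shipment` action for the order whose address changed after payment; the two legitimate shoppers are not flagged. In a real deployment the thresholds would be tuned against historical chargeback data, and the device fingerprint or customer account would usually be a better grouping key than the source IP alone.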

Did you know that organised fraud, product diverters and shoplifting rings typically target specific products over others?

Products that are CRAVED (Concealable, Removable, Available, Valuable, Enjoyable and Disposable) are at greatest risk.

I have provided more information on which products are most likely to be targeted by organised fraud, product diversion and shoplifting rings in my article “product security risk assessments for tangible goods”.

Identifying your core business activities, systems and processes is key to understanding and managing your risk profile. I will review how to do this in a future article, but if you are looking for somewhere to start try www.juliantalbot.com and this article on ‘risk appetite and risk tolerance‘.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

SOCI Act 101 – Operational Information explained

Understanding SOCI is inherently complex

I’ve said it before and I’ll say it again – Australia’s Security of Critical Infrastructure Act, or SOCI for short, is a big, complex piece of legislation comprising the Act itself, supported by five legislative instruments (Rules) which provide more guidance on implementation. Anyone who claims the legislation is simple really hasn’t read it!

Working with legislation like this is likely to be completely new for many Australian executives and security professionals unless they have prior experience in highly regulated industries or in regulatory compliance.

If you are new to compliance or would like to understand how to build an ISO 37301:2021 Compliance Obligation Register, have a read of this article I wrote in March 2023:

Each time I read the legislation I pick up something new – this often requires me to flick back and forth throughout the various documents and sections of the Act to cross-reference each obligation or definition and understand its intent.

With legislation like this, you only start to understand its nuances as you apply it to real world examples, decomposing each element of a critical asset and applying the legislative tests to determine the appropriate treatment.

Developing a compliant CIRMP whilst minimising unnecessary costs and the impact on a critical infrastructure operator’s business, workforce and supplier ecosystem is the challenge.

SOCI creates two key documents

Information or data (as opposed to information system security) is a domain of SOCI, just like Personnel, which I covered in my previous article on Critical Workers.

Under SOCI, there are effectively two key documents which relate to information and information protection:

  • Register of Critical Infrastructure Assets – this Register is not public and is maintained by the Secretary of Home Affairs. It comprises information on specific critical assets and beneficial ownership and control information for every piece of Australian critical infrastructure.
  • Critical Infrastructure Risk Management Plan (CIRMP) – all Responsible Entities are required to have a complete CIRMP within six months of the day of commencement of the CIRMP Rules, i.e. by 18 August 2023.

The Register needs to include your Operational Information

Operational Information is different to Sensitive Operational Information under SOCI. Division 2, section 19 of the Act requires Responsible Entities to provide an initial version of their Operational Information to the Department for inclusion in the Register.

Under s26 of the Act, should a Notifiable Event arise then an updated version of the Responsible Entity’s Operational Information must be provided to Home Affairs. Presumably, this information will enable the Australian Government to rapidly perform a damage assessment and to support any crisis or national security response that may be required.


Under SOCI, Operational Information related to a Critical Infrastructure Asset means:

  • The asset’s location and a description of the area the asset services; 
  • Information about each organisation that is the Responsible Entity for (or an operator of) the asset, comprising: the entity’s name, business registration number, head office or principal place of business address, and country of incorporation or formation
  • Information about the CEO (or equivalent) comprising their full name and citizenship(s),
  • A description of the arrangements under which each operator operates the asset (or a part of the asset), including details of any control system of the asset if it is managed by a separate body;        
  • A description of the arrangements under which data prescribed by the rules relating to the asset is maintained;
  • Information prescribed by the Rules for the purposes of this paragraph (see below)

The ‘information prescribed by the Rules‘ referenced above is currently only defined in Division 2.2 of the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021, where Operational Information comprises six categories:

  • Personal Information for at least 20,000 people (as defined in the Privacy Act 1988)
  • Sensitive Information (as defined in the Privacy Act 1988)
  • Critical Infrastructure Asset related Research and Development information
  • Information on systems needed to operate the Asset
  • Information about risk management (including security) and business continuity / crisis management / operational resilience about the Asset
  • Other sector-specific information as defined in 2.2 (17) (1) (vi) of these Rules

For any of the above Operational Information, Responsible Entities must provide a description of the arrangements for the Department’s Register that comprises:

  • The name of the entity that maintains the data; and
  • If that entity is not the responsible entity for the asset (e.g. Microsoft, Google etc), the entity’s business registration number, head office or principal place of business address, and country of incorporation; and,        
  • The address where the data is held (e.g. where computers or servers holding the data are located) and whether the computers or servers are part of a cloud service; and if using a cloud service—the name of the cloud service (e.g. Microsoft) and the kind of data that the entity maintains in these computers / servers / cloud environment.

What is Sensitive Operational Information?

Sensitive Operational Information is only mentioned in the CIRMP Rules in relation to identifying Material Risks to a Critical Infrastructure asset. These Rules list six examples of what would constitute sensitive information:

  • Layout diagrams
  • Schematics
  • Geospatial information
  • Configuration information
  • Operational constraints or tolerances information
  • Data that a reasonable person would consider to be confidential or sensitive about the asset

The above category of information is primarily technical in nature – such as pertaining to engineering or ICT applications – but is focused on minimising the disclosure of information about a critical infrastructure asset’s vulnerabilities, particularly where this information is stored, transmitted or processed outside of Australia.


6 steps to improving security and integrity culture in the workplace

Workplace Culture – a curious concept

Culture is a funny concept: It is neither tangible nor permanent, but rather develops and evolves over time and is a reflection of the members of that ‘tribe’. Organisations, groups and communities can all develop unique intrinsic cultures as a result of the collective actions, behaviours, norms and values of that organisation.

The fact that culture is not a tangible thing makes nurturing a ‘good’ culture hard for leaders to achieve, and very easy to destroy. Good workplace cultures can become self-perpetuating, attracting others of similar visions and values and contributing to a highly engaged workforce. In his 2013 article in the Harvard Business Review, Michael Watkins provides a great discussion on organisational culture, outlining different perspectives on what it is and how it permeates the modern workplace.

Culture is recognised as being one of the most important components of successful companies. According to James L. Heskett, culture “can account for 20-30% of the differential in corporate performance when compared with ‘culturally unremarkable’ competitors”, making understanding it essential for all leaders (HBR, 2013).


Seven dimensions of security culture

When applied to security, the concept of organisational culture is no different. According to Perry Carpenter in Forbes Magazine (2021), there are seven dimensions to security culture. I have taken Carpenter’s seven dimensions and adapted it to provide more context for risk leaders:

  1. Attitudes: Employees have a positive view of security and understand why it exists. A positive culture of reporting security incidents is established
  2. Behaviours: Employees conduct themselves in a manner that positively impacts overall security. Innocent, unintentional security breaches or accidents are not punished or perpetrators ostracised
  3. Cognition: Employees know about security and have a high level of awareness of threats and security programs
  4. Communication: Security is communicated clearly and regularly, with key messages being enforced in ways which are easily understood by all and which resonate with the workforce
  5. Compliance: Employees comply with security policies voluntarily, not because they have to
  6. Norms: Being conscious of security and the need for it, as well as the expected behaviours, becomes part of the organisation’s fabric. Employees who go against these norms are counselled by peers, not security, compliance or management
  7. Responsibilities: Employees understand their security obligations and take them seriously. They know what to do and when, and comply with these rules and expectations

How does your organisation compare in relation to these seven dimensions? What about your previous employers? Reflecting and thinking critically about what we do and how we behave as leaders makes us think what else can we do better, and potentially enhance our culture in the process.


Six things leaders can do to improve security and integrity culture

Although a good security culture is hard to achieve, leaders need not despair. There are things we can do to improve security culture; it just takes time and effort. Listed below are six things I would encourage leaders to do to build or improve their security and integrity culture:

  • ‘Tone from the top’ – what senior leaders say and do matters: just as with children or pets, behaviours will be replicated. Leaders should continually demonstrate the importance of security and integrity within the business, and not just pay lip service to it.
  • Awareness training – regular training on security and integrity is important in the workplace. People need to know how they are expected to behave, and to understand the organisation’s policies and accepted practices. Ideally, not all training would be computer-based, as people need time to talk through scenarios and learn from peers, such as via interactive, discussion-based forums.
  • Risk is part of the organisation’s DNA – thinking about risk does not mean discouraging staff from taking risks. Taking risks is an important element of creativity and innovation, but ideally risk taking would be measured, to avoid taking risks from which the organisation or its staff cannot recover. Thinking about what could go wrong (or right), and about ways in which adverse consequences or likelihoods can be mitigated or proactively managed, should ideally be part of the organisation’s cultural fabric.
  • Penalties are not applied for accidents, near misses or unintentional incidents – rather, a constructive approach that focuses on continuous improvement and lessons learned should be taken. Inquiries into organisations with poor risk culture found that poor organisational cultures are those where blame is apportioned, messengers are blamed, and subordinates are too scared to tell the truth to senior management for fear of repercussions. Leaders cannot fix problems they know nothing about.
  • Staff feel comfortable speaking up about their peers – in my previous post on the critical path method and insider risk management, I spoke about the need for organisations to identify workers who are struggling (and may pose a security or integrity risk to the organisation by virtue of their situation). Peers who have a concern about a co-worker should ideally be able to confidentially raise these concerns without worry that the struggling co-worker will be fired or penalised, but rather supported.
  • Treating people fairly – where problems or allegations do arise, the workforce must know they will be treated fairly and that the principles of natural justice will be applied to the investigation and resolution of incidents.


Who are SOCI Act Critical Workers?

A recap on Australia’s SOCI Act

In 2022, Australia’s 2018 Security of Critical Infrastructure Act (SOCI Act or SOCI) was amended to strengthen the security and resilience of critical infrastructure. The number of industry sectors and asset classes deemed critical was expanded to eleven, and new legislative obligations were introduced for all Responsible Entities under SOCI.

Responsible Entities for a critical infrastructure asset are the bodies with ultimate operational responsibility for an asset.

A CIRMP is a Critical Infrastructure Risk Management Plan, as set out in the CIRMP Rules.

SOCI is a large, complex piece of legislation comprising the Act plus 5 Legislative Instruments (Rules). The CIRMP Rules, which became law on 17 February 2023, also require compliance with one of 5 accepted information security frameworks (although further time has been granted for organisations to complete these cybersecurity uplifts). To comply, Responsible Entities have 6 months to develop a CIRMP (i.e., by 18 August 2023).

In my opinion the focus of SOCI on uplifting national resilience is much needed in Australia and should be applauded, although it is noted that interpreting SOCI requires careful reading and research. Implementation is complicated by changes to legislation during the parliamentary processes which affects relevance of the guidance material.


How is a ‘critical worker’ defined?

Part 1, Division 2, section 5 of the SOCI Act

The term ‘Critical Worker’ means an individual, where the following conditions are satisfied:

(a) the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies (i.e., the asset is subject to a CIRMP);

(b) the absence or compromise of the individual:

(i) would prevent the proper function of the asset; or

(ii) could cause significant damage to the asset; as assessed by the responsible entity for the asset;

(c) the individual has access to, or control and management of, a critical component of the asset

Meeting all elements of the above test is required to be deemed a ‘Critical Worker’. Note that Element (b) applies both an insider threat and business continuity lens to identify those who could prevent the asset’s operation or cause significant damage.

Although the legislation does not say how this should be done, assessing whether an individual’s absence or compromise could cause significant damage would ideally be carried out through a risk assessment, based on residual risk ratings determined by the Responsible Entity.

What steps do I need to take to manage ‘Personnel Hazards’ under the Rules?

Identifying Critical Workers is only the start of the Personnel risk management process. Appropriate security measures and access controls must be implemented to ensure only Critical Workers who have passed the AusCheck (or comparable) processes gain access. Responsible Entities must also take reasonable steps to minimise or eliminate trusted insider risks (insider threats), including during the offboarding process.

Section 9 Personnel hazards

(1) For paragraph 30AH(1)(c) of the Act, for personnel hazards, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:

(a) to identify the entity’s critical workers; and

(b) to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access; and

(c) as far as it is reasonably practicable to do so—to minimise or eliminate the following material risks:

(i) arising from malicious or negligent employees or contractors; and

(ii) arising from the off-boarding process for outgoing employees and contractors.

Conceptually, getting your head around the idea that some positions in an organisation pose higher risks than others can take time. Some months ago, I wrote this primer on understanding high risk roles which may assist.

The High Risk Role concept is only one element of what SOCI calls Personnel Hazards. Whilst not mentioned in SOCI, a Personnel Security Risk Assessment is a broader activity used by the UK’s National Protective Security Authority (NPSA) which provides the level of traceability and scrutiny needed to identify, assess and mitigate Personnel Hazards.

What are the implications for employers?

Employers of Critical Workers need to confront the fact that some employees or contractors (or those of their suppliers) may not pass the AusCheck process. Three options are likely for each individual:

  • Employees (or employees of a critical supplier) who meet the ‘critical worker’ test voluntarily submit to the AusCheck process, with no impacts to employee engagement or employment contracts
  • Employees (or employees of a critical supplier) with existing employment contracts object to participating in AusCheck on the grounds of ‘conscientious objection’ or because they suspect they may fail
  • Employees (or employees of a critical supplier) fail the AusCheck process

Conceivably, managing the legal, financial and workplace relations implications of people who object to, or fail, the AusCheck process could be onerous, especially for industries which have not historically employed rigorous workforce screening.

Real dilemmas are likely to be encountered by smaller Responsible Entities whose operations are not big enough to separate their critical and non-critical operations. This may mean those employers cannot move employees who fail or object to AusCheck into non-critical worker roles, as there may not be any available. One thing is clear: employers need to be proactive and focus on what this could mean for their workforce as early as possible. Every new employment contract issued before August that does not adequately address this issue may need future remediation.


Counterfeits can compromise your Supply Chain Integrity

How counterfeiting threatens Supply Chain Integrity

Counterfeiting has been prevalent throughout the global industrial era, and given its profitability and the low risk of conviction for offenders it is not going away anytime soon. Unfortunately, there have been numerous examples of public and private organisations which unknowingly procure counterfeit, fraudulent, substituted or substandard products in their supply chain – two such examples include:

  • June 2020: U.S. Air Force pilot 1st Lt. David Schmitz died when his parachute didn’t deploy from a malfunctioning ejection seat, which the US Air Force later found may have contained up to ten counterfeit and faulty resistors and semiconductor chips
  • March 2021: Police in China and South Africa seized thousands of fake doses of Covid-19 vaccine, with Interpol warning this represented only the “tip of the iceberg” globally. Police raided the manufacturing premises, arresting ~80 suspects and seizing over 3,000 fake vaccines

As the above examples show, it is all too easy for counterfeit materials to enter the supply chain of even the world’s largest organisations. Critical Infrastructure operators, such as those falling under the purview of Australia’s Security of Critical Infrastructure Act 2018, have a requirement to use high quality parts and components produced by reputable manufacturers to an engineer’s specifications, whilst in life sciences, fraudulent or substandard medicines frequently cause premature death or serious injury.


How do sub-standard parts enter a supply chain?

Before we explore this further, we need to remember there are two perspectives here: (1) what a manufacturer can do to ensure their products are not counterfeited or compromised between the factory and the end user, and (2) what end users can do to ensure they do not introduce compromised product into their inventory or operations. The second perspective is the focus of this post.

Sub-standard, counterfeit or fraudulent parts / components / products (also referred to as ‘non-conforming‘ materials) can enter the supply chain in at least four ways, including:

  • Supplier intentionally introduces non-conforming material, perhaps for profit or because they are unable to obtain the conforming item and do not want to risk their relationship with the buyer
  • Supplier unintentionally introduces non-conforming material as a result of inadequate or complacent internal practices and procedures
  • Corrupt or malicious insider compromises the supply chain for gain or profit, or,
  • As a result of foreign interference by a nation state actor against an adversary

Given these vectors for introducing non-conforming materials, how can organisations protect their supply chain integrity? The answer is developing an Anti-Counterfeit Management Plan, otherwise known as a Material Authenticity Assurance Plan (MAAP), which based on AS6174 published by SAE International can be developed in five main steps.


Step 1 – Assess the risk posed by sourcing counterfeit product

I have previously written about the concept of security risk management and the fact that we can’t treat all problems to the same standard: Risk management decisions must be based on risk appetite and focused on using a business’s limited resources to protect the most critical assets.

For a buyer, the risk of counterfeit parts is largely a quality control issue as long as there are multiple qualified suppliers in a given market. However, for products requiring specific know-how or capability, or where Intellectual Property licensing applies, different sourcing considerations are required.

The first step in managing supply chain integrity issues arising from counterfeits involves identifying those areas where the business impact of compromise is greatest. This allows sourcing managers to modify their approach and policies to compensate for potential risks. One example of criticality tiering by product can be found below:

Impact / criticality tier and the types of product that fall into it:

  • HIGH – life dependent applications; safety critical applications; mission critical applications; applications where field work / repair is impossible
  • MEDIUM – reclaimed / refurbished parts; application critical; product is accessible for field repair; short product life expectancy
  • LOW – non-critical applications

Source: AS6174 – SAE International

Step 2 – Identify which sources provide the greatest assurance

Budget is always a finite issue in any organisation, and it is not always possible (or necessary) to buy the best of everything. Where multiple suppliers exist it makes good business sense to buy the highest quality items (typically the most expensive) for those areas which are the most critical either to your business’ operations or to life and safety.

So how do you determine this? SAE International provides useful guidance here, ranking the main types of ‘source’ in order of those which provide the greatest level of confidence that their materials will be high quality (and therefore the lowest risk of non-conformance):

Confidence level (and corresponding non-conformance risk) by product / component source:

  • HIGH confidence (LOW risk) – OEM or certified manufacturer; authorised distributor; original manufacturer or contract manufacturer
  • MEDIUM confidence – vetted or pre-qualified independent distributor (e.g. verified quality and reputation); unknown independent distributor (e.g. quality and reputation not assessed); unknown source
  • LOW confidence (VERY HIGH risk) – vendor is subject to adverse reporting from industry participants (i.e. other buyers have reported purchasing non-conforming product from this seller)

Source: AS6174 – SAE International

Step 3 – Develop your organisation’s product assurance processes

The risk of sourcing non-conforming material is omnipresent for any critical industry or life sciences organisation, so undertaking assurance on your suppliers and any parts / components / software purchased from them is an ongoing activity for the life of your operations.

For physical products, there are four ways to obtain this assurance which can be used in isolation or in combination depending on the risk profile:

  • Document and packaging inspection – before opening the package, inspect for obvious tampering, spelling errors, typographic issues, missing or damaged holograms, peeling labels, amended dates, etc.
  • Visual Inspection – remove the product / part / component from the packaging. Does it match the expected style, form and quality of what was ordered?
  • Non-Destructive Testing – involves radiological, acoustic, thermographic and optical techniques to verify conformance without damaging the component / part / product.
  • Destructive Testing – usually used as a last resort, these options involve analytical chemistry, deformation and metallurgical tests, exposure tests, and functional tests which will likely damage the component / part / product.

Further information can be found here. Irrespective of whether fraudulent, substandard or counterfeit, non-conforming materials identified should always be removed from circulation within the organisation’s inventory or operations, and either retained as evidence for legal and associated purposes, securely destroyed or returned to the supplier (depending on your policies and obligations).


Step 4 – Plan for contingencies

It is a fact of life that manufacturers stop producing products / components due to factors such as shortages in raw materials, financial solvency, or simply product strategy decisions. Buyers who require parts or components to support an extended operational life of say two to three decades need to implement plans to mitigate these risks.

Contingencies include purchasing additional inventory, regular engagement with manufacturers to obtain advance notice of production changes, finding contract manufacturers, or sourcing alternative components.

Step 5 – Document your Product Assurance Framework

To ensure consistency and proper governance some sort of framework is required to set out your organisation’s policies, risk appetite, roles and responsibilities, regulatory compliance obligations, key risks and controls, staff awareness training and product assurance program.

A documented framework provides a mechanism to ensure consistent implementation throughout the organisation, as well as a mechanism to continuously improve and to benchmark historical performance.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers, experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Workforce Screening Programs should include your suppliers

Insider Threats are often overlooked when it comes to your supply chain, but suppliers are a key source of trusted insider risks. These risks need to be identified and incorporated into procurement decisions and sourcing contracts, inclusive of contractual obligations on suppliers to conform to your requirements. This may well incur additional costs, making it important for buyers to work collaboratively with their suppliers to agree on an approach that is workable for all parties. This may mean buyers need to change their own processes to mitigate a risk rather than transferring the management of that risk to a supplier.

Workforce Screening is a foundational element that should be included in any supplier agreement, but its application needs to be targeted towards the buyer’s material risks. This article explores this challenge, provides suggestions on good practice, and discusses the role of supplier assurance in relation to Workforce Screening Programs.

Many businesses are complex ecosystems with different parties (employees, contractors, suppliers, visitors) constantly interacting.

We need to recognise that suppliers also pose trusted insider risks

Suppliers and Third Parties are a core part of the ecosystem for every business enterprise. By the nature of their roles and functions, many suppliers and other third parties have privileged access to their client’s (i.e. your organisation) information, systems and critical assets. Examples of trusted insider access by suppliers include:

  • Service providers with remote access to critical systems or networks, such as Programmable Logic Controllers (PLCs) or Operational Technology (OT) systems
  • Outsourced IT managed services
  • Managed data centres
  • Contract Manufacturers and Contract Research Organisations (CROs, CMOs)
  • Outsourced Clinical Trials Managers
  • Distribution Centres for order fulfilment
  • Repackaging and relabelling services
  • Recruitment, accounting, audit, consulting and law firms and insurance brokers
  • Corporate catering, cleaning services

Many more services can be added to this list: clearly, the breadth and scope of functions performed by suppliers today is nearly ubiquitous – this needs to be taken into account when identifying insider risks.

Suppliers, as outsourced service providers, often have direct and unsupervised access to a business' most critical assets without us realising.

Existing practices often fail to properly assess supplier-insider risks

Supplier-insider risks need to be managed with a degree of foresight given that supplier contracts are often multi-year agreements with the potential for extensions. This means that failing to incorporate the necessary provisions upfront may create a vulnerability for multiple years or even a decade.

Understanding the insider risk posed by your supplier’s workforce begins with identification of your High Risk Roles – are any of those outsourced? This information informs your Personnel Security Risk Assessment which qualifies the inherent risk and determines whether internal control coverage is adequate for your risk appetite.

The gap between inherent and residual risk, where the risk actor is a member of your supplier’s workforce, is what you may need to address through the Supplier Agreement using tools such as a Workforce Screening Program. This process justifies which members of your supplier’s workforce need screening, to what extent, and why, based on their access to your organisation’s assets.

Suppliers should be contracted to implement your Workforce Screening program

Security and integrity are seen by many as a business enabler, but many businesses still see them as a cost and management overhead. It is not uncommon to find suppliers with either no security or integrity program, or one that lacks the requisite level of capability maturity required to manage the complex risks that may arise in their customers’ business.

It goes without saying that buyers need to provide guidance to their suppliers on their expectations, just like any other aspect of the sourcing process. Considerations on leading practices for supplier-insider risk management include:

  • Imposing contractual obligations to maintain a risk-based security and integrity program that conforms to your organisation’s standards and policies
  • Providing a copy of your current workforce screening standard and other continuous monitoring information to ensure your supplier knows exactly what they need to do to comply
  • As a buyer, performing continuous monitoring (insider threat detection) of your supplier’s interactions with your endpoints, network access and critical assets (including your most valuable information) – don’t rely on anyone else to do this
  • Incorporating requirements for a time-bounded escalation or notification mechanism obligating your suppliers to inform you of certain types of incidents within defined timeframes
  • Ensuring appropriate supplier assurance and supplier audit / investigations clauses are included in your contracts and don’t be afraid to use them

These practices could also be incorporated into your Supplier Integrity Framework.
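To show what the continuous monitoring point above can look like in practice, the added example below (not from the article) turns the access scope agreed in two supplier contracts into detection rules and runs them over constructed access-log lines; account names, asset names, access windows and contract dates are all hypothetical.

```python
"""Added example (not from the article): turn the access scope agreed in a
supplier contract into detection rules and run them over constructed access
log lines. Account names, asset names, windows and dates are all hypothetical."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SupplierScope:
    supplier: str                 # counterparty named in the supplier agreement
    systems: FrozenSet[str]       # critical assets the contract allows this account to touch
    window: Tuple[time, time]     # agreed local-time access window (start, end)
    expires: datetime             # contract end; any access after this is out of scope


# Constructed register of supplier accounts, the kind of data a buyer would derive
# from the supplier agreement and its Register of High Risk Roles.
SCOPE: Dict[str, SupplierScope] = {
    "svc-otvendor": SupplierScope("OT maintenance vendor", frozenset({"plc-hmi-01"}),
                                  (time(8, 0), time(18, 0)), datetime(2024, 12, 31, 23, 59)),
    "svc-msp-admin": SupplierScope("Outsourced IT MSP", frozenset({"ad-dc-01", "file-srv-02"}),
                                   (time(0, 0), time(23, 59)), datetime(2025, 6, 30, 23, 59)),
}


@dataclass(frozen=True)
class Finding:
    account: str
    asset: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse a constructed '<ISO timestamp> <account> <asset> <action>' line.
    Returns None for malformed input rather than raising, so one bad line
    does not stop the scan."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def check_supplier_access(lines: List[str]) -> List[Finding]:
    """Flag supplier-account events outside the contracted scope.
    Rules are checked in order of severity: expired contract, wrong asset, wrong hours."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, account, asset, _action = parsed
        scope = SCOPE.get(account)
        if scope is None:
            continue                  # not a supplier account; employee monitoring is separate
        start, end = scope.window
        if ts > scope.expires:
            findings.append(Finding(account, asset, "access after contract expiry"))
        elif asset not in scope.systems:
            findings.append(Finding(account, asset, "asset outside contracted scope"))
        elif not (start <= ts.time() <= end):
            findings.append(Finding(account, asset, "outside agreed access window"))
    return findings


# Constructed log lines; the comments give the expected outcome.
SAMPLE_LOG = [
    "2024-03-04T09:15:00 svc-otvendor plc-hmi-01 login",    # in scope, no finding
    "2024-03-04T02:40:00 svc-otvendor plc-hmi-01 login",    # outside 08:00-18:00 window
    "2024-03-05T10:05:00 svc-otvendor file-srv-02 read",    # asset not in the OT contract
    "2025-07-02T11:00:00 svc-msp-admin ad-dc-01 login",     # MSP contract expired 2025-06-30
    "2024-03-05T10:06:00 jsmith file-srv-02 read",          # employee account, ignored here
    "not a log line",                                       # malformed, skipped
]

if __name__ == "__main__":
    for f in check_supplier_access(SAMPLE_LOG):
        print(f"{f.account:14} {f.asset:12} {f.reason}")
```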


Workforce Screening should be incorporated into ongoing Supplier Assurance

Just because there is a contractual requirement to do something does not mean a counterparty will comply, or that they have the internal governance mechanisms to keep track of this. In some cases, counterparties start out with the best of intentions, but some years after contract signing business may get tough or management may change, and contract compliance could slip as a result. Supplier assurance (vendor assurance) programs are intended to regularly monitor or review key aspects of a supplier’s compliance with the contract.

Ensuring contract compliance with Workforce Screening and other Insider Risk obligations should form part of any supplier assurance program; however, this should be supplemented with insights from periodic updates to your Personnel Security Risk Assessment, Register of High Risk Roles, and revisions to your Workforce Screening Program Guideline (standard), to ensure supplier practices correspond to your inherent risks and risk appetite.


Developing a Service Catalogue for fraud, security and integrity teams

Author: Paul Curwell

What is a Service Catalogue and why is it important?

Service Catalogues are receiving increased attention from Chief Operating Officers and business managers as organisations continue the digital transformation journey for internally-facing shared services teams. A Service Catalogue comprises the list of the service offerings (the ‘services menu’) for a functional team, making it easy for internal customers (stakeholders) to understand and access the team’s services.

Service Catalogues also create boundaries that define what a functional team will and will not do, particularly when developed in consultation with, and approved by, senior management. Optional or ‘nice to have’ services may simply not be feasible or affordable at a point in time – the service catalogue process provides a mechanism to agree these offerings and then align them with performance scorecards, resource availability, corporate strategy and internal policies.

Illustrative Service Catalogue (Curwell, 2003)

How do you build one?

Building a Service Catalogue is a relatively straightforward process involving data collection and interviews or workshops. I typically use Microsoft Excel as my tool of choice for building the initial service catalogue. Once built, I may move this to Microsoft Sharepoint, JIRA or other solutions (see below) depending on the client’s strategy. There are six main steps involved in building a Service Catalogue:

  • Step 1 – Review the organisational chart and position descriptions: Organisational charts usually show the functions within a Business Unit (BU) or team which typically align to the main categories of service offering.
  • Step 2 – identify the main service offerings within each service category: this typically involves interviews or workshops with people in the respective team. The aim here is to understand everything team members do on a day to day basis, and to try and categorise these into distinct services.
  • Step 3 – populate the Service Catalogue template: based on responses gathered from Step 2.
  • Step 4 – remove duplications and deconflict services: sometimes there is a tendency for team members to view a service as being completely distinct, when it is actually a variation of another service. Ideally, variation should be avoided where possible as this generates waste and errors (in lean six sigma language). If variations are required,
  • Step 5 – process map each service and prepare SOPs: Once each service has been identified, the business process should be mapped and any opportunities to streamline or increase process efficiency implemented. Standard Operating Procedures (SOPs) should be prepared for each service offering which align to the process map.
  • Step 6 – align the Service Catalogue with performance metrics, team resourcing and HR position profiles: Once developed, it is important to assign performance metrics to the team, such as the turnaround time (SLA) which an internal customer has to wait for a process to be completed (e.g. building passes for new hires will be issued within 24 business hours of lodging a request form). Team metrics, tracked through tools like Kanban boards, allow team leaders to implement daily standups with their team to focus effort on the highest priority tasks and remediate delayed or overdue tasks.

An example of a Service Catalogue template (Curwell, 2023)

As illustrated by the six step methodology above, building a Service Catalogue is a relatively straightforward process that helps focus the attention of internal teams on core business.

A basis for improving governance, performance and team resourcing

Service Catalogues contribute to better governance and performance outcomes, enabling functional team leaders to clearly define what they do, how they do it, and the value it contributes to the business. Non-customer facing support functions are always under cost and resource pressure in any business: Service Catalogues should also align with performance scorecards to track service delivery against agreed KPIs.


Employee position descriptions should align with the Service Catalogue, ensuring staff holding those roles are able to effectively perform the required functions without being over or under qualified. Capturing service delivery performance metrics, including time taken to execute each service and the number of requests for that service over a defined period of time also provides the data required to ‘right size’ the team headcount to suit business requirements, required service levels, and risk appetite.

Service Catalogues – an enabler of digital transformation

Every manager knows that resources are always limited – there is always more you should, could, or would like to be doing, but time, cost and quality are a handbrake. Digital transformation is increasingly being adopted by internally facing services teams such as security, fraud, HR, finance, legal and others. The adoption of digital transformation tools, such as case management solutions, workflow management tools and process automation, offers the chance to minimise manual handling and allow users to self-service, reducing demands on support staff.


Having done a few of these activities before, I often find that the Office of the CIO has procured an IT Service Management tool which can be easily adapted and redeployed for other non-IT Service Management tasks with an incremental increase in spend (typically licensing and configuration). Once developed, Service Catalogues are increasingly being implemented in online tools such as:

  • Atlassian JIRA – extremely popular and easy to use, Australian company Atlassian’s web-based JIRA solution makes it easy to track tasks and integrate workflows and decisioning for service requests.
  • ServiceNow IT Service Management – An increasingly popular and common option, ServiceNow is being rolled out as part of enterprise implementations to transform internal operations.
  • Microsoft SharePoint – One of the more enduring and common corporate intranet solutions, SharePoint can help streamline processes and workflows using a combination of SharePoint lists and tools such as Power Automate and Power Apps from a web browser.

These solutions provide simple opportunities to streamline and enhance service delivery and performance of internal services teams, and can form the basis for digital transformation across all shared services teams in any business. In a future article, I will provide a guide on implementing your Service Catalogue in JIRA.


Designing your workforce screening program

Author: Paul Curwell

Executive Summary

Workforce Screening is an important function for any business today; however, it cannot be developed on the fly and needs to properly balance the organisation’s risk and regulatory obligations against an employee’s right to privacy and the cost and operational burden created by the screening program itself. Workforce Screening should form part of a well-governed, risk-based program managed by HR and Security / Integrity comprising a range of policies, a personnel security risk assessment, and associated guidance to enable effective implementation. This article provides an overview of the key considerations when designing any workforce screening program in Australia.

What is Workforce Screening?

The practice of Workforce Screening goes by many names – vetting, background checks – all of which are the same thing. In Australia, the term Employment Screening has been used since at least 2006 with the introduction of Australian Standard AS4811:2006. However, this standard was recently updated and republished as AS4811:2022 Workforce Screening.

A Workforce Screening Program comprises the specific checks performed on each employee or contractor to determine initial and ongoing suitability for employment and the associated processes and records to manage those checks. In many organisations there are a few key artefacts which comprise any Workforce Screening Program:

  • Employment Policies
  • Corporate Security and Integrity frameworks and associated programs
  • Workforce Screening Guideline

The Workforce Screening Guideline (or Standard) details what identity verification, security and character checks are required for employees, contractors, or consultants as a condition of employment and under what circumstances these checks will be performed, such as the risk posed by an employee’s role. The relationship between these documents, and how they are created, is outlined below:

Graphic illustrating the various inputs to the Workforce Screening Program and the supporting Guideline and SOPs.

In our book Terrorist Diversion, Oliver May and I provide a detailed process map and overview of all forms of vetting, including insiders and suppliers.

When should workforce screening be performed?

Typically, workforce screening is performed at four trigger points:

  1. During recruitment – ideally prior to the letter of offer being issued; and,
  2. Periodically throughout employment; and,
  3. In response to an incident; and,
  4. Upon resignation – particularly important for employees involved in creating Intellectual Property or where potential Conflicts of Interest may arise post-separation.

Workforce Screening is different to Insider Threat Detection. Whilst there is a relationship between the two functions, screening is holistically focused on who the individual is (taking into account the ‘whole person’) whilst insider threat detection is focused on what the individual does once they enter the organisation. One is not a substitute for the other: they are different controls.

Screening is a legal requirement for some industries

Workforce Screening is a mandatory obligation in Australia for many regulated industries under a variety of legislation, including:

  • Financial Services – Anti-Money Laundering and Counter Terrorist Financing Act 2006 and Rules
  • Aviation – Aviation Transport Security Act 2004 and Regulations
  • Ports, Maritime and Offshore Oil and Gas Platforms – Maritime Transport and Offshore Facilities Act 2003 and Regulations
  • Commonwealth Public Service – Public Service Act 1999, Subsection 22(6) Security and Character Checks
  • Australia’s 11 declared Critical Infrastructure sectors – Security of Critical Infrastructure Act 2018 and Rules

What checks are typically performed in workforce screening?

There is a standard menu of checks which are performed across public and private sectors in Australia, including:

  • Identity verification
  • Citizenship and / or work rights
  • Credit rating and bankruptcy status
  • Education and occupational licences / trade certificates
  • Criminal history (National Police Check)
  • Sanctions and Adverse Media
  • Psychometric testing (in accordance with applicable employment policies)
  • Litigation history
  • Regulatory Actions pertaining to their profession
  • Internal employer database and record checks (for ongoing employees)
  • Candidate interview
  • Referee interviews

More intrusive checks permissible in Australia under certain circumstances include:

Not everyone will pass workforce screening, potentially including ongoing employees. There are a number of considerations associated with any workforce screening adjudication process which will be addressed in a future article.

Example of an educational qualification

What’s the relationship between the PSRA and High Risk Roles in Workforce Screening?

Selecting which specific background checks to perform in your employment process should not be determined by way of a ‘lucky dip’. Many organisations require a ‘background check’ as a condition of employment, but fail to articulate why each check is necessary – such as where credit scores are used as a proxy for character tests.

Rather than ad hoc approaches, organisations need traceability from a regulatory obligation, personnel security risk, policy or similar instrument which establishes the risk and outlines how performing the respective background check will mitigate this risk. To provide this traceability, the Register of High Risk Roles informs the Personnel Security Risk Assessment (PSRA), and the PSRA informs the design and implementation of the Workforce Screening Program as well as the Insider Risk Management Program.

The Register of High Risk Roles identifies:

  • Which positions pose a greater trusted insider risk due to a variety of factors, and therefore,
  • Which position numbers are most likely to require additional vetting and insider risk monitoring to mitigate inherent risks.

The PSRA identifies:

  • The specific trusted insider risks faced by an organisation and where these may arise by team, function, business line etc; and,
  • Suitable internal controls to manage the organisation’s inherent risk exposure (including that arising from High Risk Roles) to within risk appetite.

Cost and privacy are two important factors that also need to be considered: As with any security decision, there are tradeoffs. Workforce Screening is intrusive, expensive and has an operational impact, often delaying the commencement of new hires as well as reducing the total pool of candidates. The need for screening should be balanced against the PSRA to guide employers on what to check when, and why.



Microsoft Purview Information Protection – an overview

Author: Paul Curwell

It’s April 2022 – enter, Microsoft Purview

In 2017, Microsoft introduced its cloud-based Microsoft 365 solution, offering a range of personal and business applications to customers. Then, in April 2022, the Microsoft Purview platform was unveiled, combining functionality previously called Azure Purview with what was then Microsoft 365 Compliance, providing a host of new tools and functionality for corporate teams involved in protecting and managing sensitive data, including:

  • Microsoft Purview Insider Risk Management
  • Microsoft Purview Data Loss Prevention
  • Microsoft Purview Data Lifecycle and Records Management
  • Microsoft Purview eDiscovery
  • Various legal holds, auditing and compliance tools, and,
  • Microsoft Purview Information Protection

These solutions are Microsoft’s answer to a range of risk, compliance and security problems which commonly arise in businesses across a range of industries. They are designed to be implemented largely out of the box with configuration (as opposed to customisation); however, more advanced technical skills are required to set up features such as APIs, write PowerShell code, and undertake other technical tasks.

Microsoft (2022). Microsoft Purview – Solution Catalogue

Remember: technology is not the first or only step!

I’ve written numerous articles on the importance of protecting sensitive business information, Intellectual Property, and research on this blog, but irrespective of what you are protecting it all starts with a good Information Protection Program.

A well-designed Information Protection Program starts with a fit-for-purpose framework, supported by policies (such as a Code of Conduct, employment and IT Acceptable Use policies), confidential information naming conventions, appropriate physical, cyber and personnel security programs, security culture and awareness training, and physical and ICT (virtual) monitoring and auditing.

Once your Information Protection Program is developed, Microsoft Purview Information Protection contains a range of tools to help implement and sustain that program over time. Like any software, Microsoft Purview Information Protection is not a substitute for a good Information Protection Program. Conversely, in today’s data and technology rich environment, Information Protection Programs are unlikely to be truly effective without tools like those offered by Microsoft.


Let’s cut to the chase: Microsoft Purview Information Protection is suitable to help manage a variety of information types, including:

  • Trade Secrets
  • Personally identifiable information (PII)
  • Confidential business information (pricing, customer lists, strategies, etc)
  • Research data (eg pre-patent, draft papers), and,
  • Government classified information

Whether Microsoft Purview Information Protection is suitable for managing your organisation’s information risk profile is subject to a few considerations, including:

  • Is your sensitive information stored outside of a Microsoft 365 environment?
  • Do your employees use offline systems, paper records, personal devices or endpoints which are not centrally managed or onboarded?
  • Do your suppliers create or replicate your sensitive information on their systems, out of reach of your management and control?

If you have answered yes to any of the above, you may only have partial protection from Microsoft Purview Information Protection without changes to the way your organisation operates.

What features does Microsoft Purview Information Protection offer?

In my opinion, Microsoft Purview offers a range of great tools out of the box which are suitable for many organisations, particularly those which generate and manage sensitive information within the Microsoft ecosystem. Primary data protection tools include:

  • Sensitivity labels – provides the tools to classify documents, files, emails and other datasets using your organisation’s information classification scheme (e.g. confidential, proprietary, commercial-in-confidence). This is one area where Microsoft Purview configuration needs to reflect the framework and policies set up in your Information Protection Program.
  • Sensitive information types – these are pattern-based classifiers, and used to find datasets containing defined data patterns, such as the format of a Medicare or Tax File Number, BSB and Bank Account etc. Microsoft Purview comes with a host of sensitive information types pre-defined out of the box, saving configuration time and effort.
  • Trainable classifiers – the ability to train in-built AI tools to identify and classify datasets based on their attributes. Like all AI tools, this requires a sufficient sample size to learn from, and works best for content not suited to manual (human) or automated-pattern matching (keywords such as ‘confidential’, text strings such as credit card numbers, and file metadata).
  • Data classification – provides a host of tools for managers of an Information Protection Program to view and understand how the program is being implemented by users, where sensitive information resides in the organisation (e.g. by type, sensitivity label, etc), and a host of other features. This can help inform identification of High Risk Roles and Personnel Security Risk Assessments to inform Workforce Screening Program design, as well as inform implementation of Information Protection Programs and control improvement plans.
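
As an added illustration of how a pattern-based sensitive information type works (example code written for this page, not Microsoft’s implementation or Purview’s actual rule definitions), the classifier below combines a regex for the written form of an Australian Tax File Number, Medicare card number or BSB with the published check-digit rules and a nearby supporting keyword, dropping hits that look right but fail their checksum. The keyword window, confidence labels and sample record are assumptions; the sample numbers are published test values, not real people’s identifiers.

```python
"""Added example: a pattern-plus-checksum classifier in the style of a Purview
sensitive information type. Hypothetical code, not Microsoft's implementation;
the check-digit rules are the published ATO TFN and Medicare card algorithms."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)   # weighted sum must be divisible by 11
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)   # weighted sum of digits 1-8, mod 10, == digit 9


def tfn_checksum_ok(digits: str) -> bool:
    """True if a 9-digit string passes the ATO Tax File Number check-digit test."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def medicare_checksum_ok(digits: str) -> bool:
    """True if a 10-digit Medicare card number passes its check-digit test.
    Digit 1 is 2-6, digits 1-8 are weighted, digit 9 is the check digit and
    digit 10 is the card issue number (not part of the checksum)."""
    if len(digits) != 10 or not digits.isdigit() or digits[0] not in "23456":
        return False
    return sum(int(d) * w for d, w in zip(digits[:8], MEDICARE_WEIGHTS)) % 10 == int(digits[8])


@dataclass(frozen=True)
class Detection:
    kind: str         # rule name, e.g. "AU_TFN"
    value: str        # matched text exactly as written in the document
    confidence: str   # "high" = checksum passed AND supporting keyword nearby, else "medium"


# Rule table (an assumed simplification of how a sensitive information type is
# defined): regex for the written form, optional checksum, supporting keywords.
KEYWORD_WINDOW = 60   # characters either side of the match searched for a keyword
RULES: Dict[str, Tuple[re.Pattern, Optional[Callable[[str], bool]], Tuple[str, ...]]] = {
    "AU_TFN": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), tfn_checksum_ok,
               ("tfn", "tax file number")),
    "AU_MEDICARE": (re.compile(r"\b[2-6]\d{3} ?\d{5} ?\d\b"), medicare_checksum_ok,
                    ("medicare",)),
    # A BSB has no check digit, so the bare nnn-nnn pattern is only reported
    # when a supporting keyword is nearby; otherwise it is far too noisy.
    "AU_BSB": (re.compile(r"\b\d{3}-\d{3}\b"), None, ("bsb",)),
}


def classify(text: str) -> List[Detection]:
    """Scan text and return detections. Pattern hits that fail their checksum, or
    keyword-only rules with no keyword nearby, are dropped to keep false positives low."""
    lowered = text.lower()
    found: List[Detection] = []
    for kind, (pattern, checksum, keywords) in RULES.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if checksum is not None and not checksum(digits):
                continue                      # right shape, wrong check digit
            lo, hi = max(0, m.start() - KEYWORD_WINDOW), m.end() + KEYWORD_WINDOW
            near_keyword = any(k in lowered[lo:hi] for k in keywords)
            if checksum is None and not near_keyword:
                continue                      # pattern alone is too weak to report
            confidence = "high" if (checksum is not None and near_keyword) else "medium"
            found.append(Detection(kind, m.group(), confidence))
    return found


# Constructed sample record. The TFN and Medicare values are published test
# numbers that satisfy the check-digit rules; they do not belong to anyone.
SAMPLE = (
    "Constructed HR record (test values only):\n"
    "Employee TFN: 123 456 782. Medicare 2123 45670 1. Pay to BSB 123-456 acct 12345678.\n"
    "Reference number 123 456 789 is an order id, not a TFN, and fails the checksum.\n"
)

if __name__ == "__main__":
    for hit in classify(SAMPLE):
        print(f"{hit.kind:12} {hit.confidence:6} {hit.value}")
```

The third line of the sample is the point of the checksum: it sits right next to the word "TFN" and has the right shape, yet it is not reported.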

I’m enthusiastic about the ability of Microsoft Purview to bring Information Protection, eDiscovery and Insider Risk Management capabilities to small and mid-sized organisations which otherwise might not be able to afford to implement and maintain different vendor solutions to achieve the same outcome.

Two questions I have are: what the buyer profile is for E5 licensing in Australia (are these primarily large corporates, or can small to mid-sized organisations afford this as well?), and, of the current E5 buyers, how many have actually turned this functionality on. I haven’t been able to find information on Microsoft’s market penetration in Australia, so answers to my questions will need to wait for another day! For organisations who are interested, Microsoft offers a 90-day free trial.

Perhaps most importantly, I strongly recommend you already have an Information Protection Program either operating or the framework development well underway before you procure or implement any technology solution. Pleasingly, so does Microsoft!

Not only will this inform your business requirements and business case, but it will ensure that the technology solution is implemented in a way that actually aligns with the way your organisation operates. There is nothing worse than when technology, rather than business need, dictates your operating model.

Operationalising your Information Protection Program

All too often, I see cases where organisations have purchased a software solution and expect this will address all their ills. Technology is an enabler that can enhance the effectiveness of an Information Protection Program, but it is not a substitute for implementing the program itself.

Like any technology solution, using Microsoft Purview requires regular attention and maintenance to ensure it does what was intended and is not impacting business users unnecessarily. Microsoft Purview will need periodic adjustment as your organisation changes, such as where new sensitive projects are set up that require new sensitivity labels, or in response to insider threat events.

Minimising problems for capabilities ‘in operation’ will require someone (or a team) who has an appreciation of both the Information Protection Program and Microsoft Purview, as well as change management to minimise adverse user outcomes.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Developing a compliance obligation register for your business

Author: Paul Curwell

What are compliance obligations?

The importance of business integrity has increased over the past 10 – 15 years. Increased enforcement action by international regulators, culminating in hefty fines and prosecution, has occurred in areas such as trade sanctions, bribery and corruption, modern slavery and anti-money laundering. Additionally, the ‘social licence to operate’ for every business is gaining increased importance amongst communities globally, with businesses that behave unethically or inappropriately incurring the wrath of consumers.


Compliance management, including complying with regulatory and policy obligations, is a fundamental component of business integrity (what the OECD refers to as ‘responsible business conduct’). Understanding your compliance obligations and having actions in place to ensure your business complies with them is expected by regulators and consumers alike.

Illustrative example of a compliance obligation (Curwell, 2023)

For business, managing compliance obligations has always been a challenge – they are not something which can be produced once and never refreshed. Legislation is constantly changing, international standards are being updated, and organisations regularly revise internal policies. The first step in managing your compliance obligations starts with building an obligation register customised for your business.

How do you build an obligation register?

The time and effort required to conduct this work depends on your business, your industry (highly regulated industries will have more obligations), and the jurisdictions you operate in. There are six main steps to building an obligation register for compliance management:

  1. Identify and map your compliance landscape – this step involves identifying all the regulation (legislation), international standards (e.g. ISO27001), and internal policies which create obligations that dictate the way your business, suppliers or employees / contractors need to operate. This may be most efficiently done using a combination of research, interviews and / or workshops or brainstorming – it is also a task you may wish to outsource.
  2. Build your obligation register template – this is the document that will ultimately become your Business Obligation Register. You may wish to do this in something like Microsoft Excel, Microsoft SharePoint, Microsoft Word or in a database, such as a Governance Risk Compliance (GRC) system (see ‘the importance of regular updates’ for more detail). An example of a Business Obligation Register is illustrated below.
  3. Review the source documentation – for each compliance obligation (e.g. ISO27001, or your jurisdiction’s companies legislation), extract the relevant information, and populate the register. In some cases, you may need a lawyer to provide an interpretation on a specific obligation, or to help convert the interpretation of that obligation to the actual things you need to do to comply (i.e. the ‘plain English’ obligation).
  4. Map the populated obligations to your business’ internal control environment – identify what controls you have in place to ensure compliance or mitigate the risk of non-compliance. Note this step does not consider the effectiveness or coverage of each control, which are related but separate concepts. I will write about this in a subsequent article.
  5. Review the final draft – this step should involve stakeholders involved in the previous steps, as well as a legal review to ensure nothing has been overlooked or misrepresented prior to implementation.
  6. Publish your Business Obligation Register in a central location which can be accessed by line managers (you may want to make this version read only to avoid any unauthorised updates or accidental modifications). You should also implement a process to periodically update the register.

Illustrative Obligations Register in Microsoft Excel (Curwell, 2023).

What sort of data is captured in an obligation register?

There is no mandatory structure for an obligation register – the fields you wish to capture in your obligation register depend on your organisation. Common examples of data captured include:

  • Document type – such as legislation, policies, international standards etc.
  • Document reference – this might be an identification number (e.g. ISO9001). Typically you will have obligations from multiple sources in the same register.
  • Document name – e.g. “Consumer Act”
  • Version or date of last update – to allow for comparison of the Obligations Register to the source to determine whether it is current
  • Obligation wording – the original wording contained in the source document, word for word
  • Simple English obligation – some legislation is gibberish to non-lawyers, and requires a simple explanation of what the organisation needs to do to comply which can be understood by all staff
  • Priority or importance – this might be reflected by including penalty information, or showing how critical compliance with an obligation is to the business, to help inform management decisions. An example might be where a company states it will ‘endeavour to comply’ with ISO23001 (business continuity management), but is not actually ISO certified, making compliance optional.
  • Applicable business unit / team – not every obligation is relevant to every team on the organisational chart, so capturing this makes compliance easier for line managers
  • Internal control name – what is the name of the control which mitigates non-compliance with the obligation?
  • Internal control identifier – many organisations have numbers for controls, such as where a control is part of a mapped business process
  • Internal control owner – sometimes, the owner of the control resides in a different team to the owner of the compliance obligation, meaning both parties need to communicate to ensure compliance.

As you can see, obligations registers vary in relation to content and structure, but the key element is to ensure executives know what their obligations are, and what steps (in the form of controls) the business has implemented to ensure compliance.


The importance of regular updates

As we have seen in previous paragraphs, it is important that an Obligation Register is up to date and reflects the organisation’s internal and external compliance obligations at that point in time. Building an obligations register from nothing takes substantial time and effort, but it can also get out of control if periodic updates are not made.

Modern tools and technology help make periodic updates comparatively easy, particularly when it comes to monitoring obligation sources for updates. Ways businesses can monitor for updates to compliance obligations include:

  • Subscribing to legislative update alerts on government websites in the jurisdiction(s) concerned.
  • Alternatively, businesses without internal resources to do this may seek to outsource this to lawyers or consultants, or purchase updates from commercial information vendors.
  • Monitoring the relevant International Standards Organisation webpage to get updates on when standards are being refreshed that relate to your business.
  • Ensure the Business Obligation Register owner is informed of any internal policy refreshes or updates, such as when they are tabled at management committees or the board for endorsement, to trigger the refresh process.

Better practice involves assigning responsibility for oversight of the overall obligations register to one person (ideally a senior executive) to ensure it is properly managed and updated; however, there will typically be teams from across the organisation who manage the actual updates.
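The register fields listed earlier and the periodic-update problem just described lend themselves to a small automated check that a register owner can run between reviews. The script below is an added example, not the blog’s own template or any GRC product: it loads a register laid out with those fields (the rows are constructed sample data, and EX-ACT-1 is a placeholder reference rather than a real Act), lists obligations that have no internal control mapped (gaps left after step 4), flags source documents whose recorded version no longer matches a constructed feed of latest published versions (what a legislative alert subscription or standards watch list would supply), and groups obligations by business unit for line managers.

```python
"""Consistency checks over a compliance obligation register.

Added example (not the blog's own tool): models the register columns the
post lists and automates two checks a register owner would want between
reviews: obligations with no control mapped, and source documents whose
recorded version differs from the latest published one. All rows and
version numbers below are constructed sample data.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, fields


@dataclass
class Obligation:
    doc_type: str           # legislation, policy, standard, ...
    doc_ref: str            # identifier, e.g. ISO27001
    doc_name: str
    version: str            # version or date of last update
    obligation_wording: str  # source wording, word for word
    plain_english: str      # what the organisation must actually do
    priority: str
    business_unit: str
    control_name: str       # empty when no control is mapped yet
    control_id: str
    control_owner: str


# Constructed sample register; EX-ACT-1 is a placeholder, not a real Act.
SAMPLE_REGISTER_CSV = """\
doc_type,doc_ref,doc_name,version,obligation_wording,plain_english,priority,business_unit,control_name,control_id,control_owner
standard,ISO27001,Information security management,2013,Clause A.9 access control,Grant and revoke access via a formal process,high,IT,Joiner-mover-leaver process,CTL-014,IT Operations
legislation,EX-ACT-1,Example Privacy Act (placeholder),2021-06,Section 5 data breach notification,Report eligible breaches to the regulator,high,Legal,,,
policy,POL-07,Gifts and hospitality policy,2022-11,Section 3 gifts over threshold,Record gifts above the limit in the gift register,medium,All,Gift register,CTL-031,Compliance
legislation,EX-ACT-1,Example Privacy Act (placeholder),2021-06,Section 7 consent,Obtain consent before direct marketing,medium,Marketing,Consent capture,CTL-022,Marketing
"""

# Constructed "latest published version" feed, as a legislative alert
# subscription or standards watch list would provide.
SOURCE_VERSIONS = {"ISO27001": "2022", "EX-ACT-1": "2021-06", "POL-07": "2023-03"}


def load_register(csv_text: str) -> list[Obligation]:
    """Parse the register, rejecting a file whose columns do not match the schema."""
    expected = [f.name for f in fields(Obligation)]
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != expected:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    return [Obligation(**row) for row in reader]


def unmapped_obligations(register: list[Obligation]) -> list[Obligation]:
    """Obligations with no control identifier: non-compliance risk is unmitigated."""
    return [o for o in register if not o.control_id.strip()]


def stale_documents(register: list[Obligation],
                    source_versions: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Source documents whose version in the register differs from the latest known.

    Versions are compared for equality only: edition years and dates cannot
    be ordered against each other reliably, so any difference is a review trigger.
    """
    stale = {}
    for o in register:
        latest = source_versions.get(o.doc_ref)
        if latest is not None and latest != o.version:
            stale[o.doc_ref] = (o.version, latest)
    return stale


def obligations_by_unit(register: list[Obligation]) -> dict[str, list[str]]:
    """Group obligation references by business unit for line-manager views."""
    by_unit = defaultdict(list)
    for o in register:
        by_unit[o.business_unit].append(f"{o.doc_ref}: {o.obligation_wording}")
    return dict(by_unit)


if __name__ == "__main__":
    reg = load_register(SAMPLE_REGISTER_CSV)
    for o in unmapped_obligations(reg):
        print(f"NO CONTROL: {o.doc_ref} ({o.business_unit}) - {o.obligation_wording}")
    for ref, (have, latest) in stale_documents(reg, SOURCE_VERSIONS).items():
        print(f"STALE: {ref} register has {have}, latest is {latest}")
```

The version check deliberately treats any mismatch as a trigger for human review rather than trying to order versions, because a register mixes edition years, publication dates and internal policy version numbers that have no common ordering.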

Example of free subscription to receive legislative updates (Australia)

Can a Governance, Risk and Compliance (GRC) system help?

Many organisations are increasingly using Governance, Risk and Compliance (GRC) systems to help manage compliance obligations, policy versions and refreshes, risk registers, control libraries and assurance tasks. GRC systems are a great idea, however they require considerable forethought in terms of design to ensure the way they work will accommodate business requirements.

As someone who has implemented a few different GRC systems for clients in the Financial Services and Mining industries, I have found that a number of vendors on the market haven’t really thought through the ‘GRC architecture’ and design, or have had their systems designed by someone who doesn’t understand the complex relationships inherent in risk architecture, meaning some systems are more difficult to implement and operate than others. More on this in a future article.

Further Reading
