An introduction to third party screening processes

What is screening and why is it important?

Screening is a term applied in the governance, risk and compliance field which equates to one or more database checks. In a screening process, the name of a business, organisation or individual is queried in a database to identify potential matches.

Where a match is identified, the screening process should include a confirmation step to determine how reliable the match is prior to determining next steps. Screening is used in a range of functions, including:

Many risk and compliance laws and international standards have a reasonable expectation that screening will be performed by business and government as part of routine business operations or as part of customer service delivery. Vendor screening is also an essential part of vendor due diligence and is a foundational element of any supplier integrity framework.

Overview of the screening process

Any screening process comprises two stages – screening design and screening delivery – with a total of five steps in the process, as follows:

Stage 1 – Screening Design

  • Determine screening context and objectives: Confirm what you need to achieve by screening. This could be an obligation under legislation, standards, or policies.
  • Agree screening parameters: Determine what you are going to search (sources), when (at what point in a process or relationship), how frequently (e.g. once on commencement of relationship, annually), who will perform the work and where the results will be stored.

Stage 2 – Screening Delivery

  • Perform name-based screening: Query the relevant database for a name manually or automatically, ensuring all steps and results are documented.
  • Qualify potential matches and escalate matters of concern: Have a mechanism to perform further review (investigation) of likely matches.
  • Perform Quality Assurance (QA) to validate search parameters, providing assurance that your processes achieve their intended objectives.

Screening processes employing ‘name matching’ algorithms are inherently risky

If you are unfamiliar with text analytics or computer science, you could be forgiven for thinking every search you do in a database is the same, but this is not correct. Broadly speaking, there are two main types of screening query:

  • Exact Name Matching: This search setting queries the exact phrase you have entered against the database (some systems may also be case sensitive). If there is a typo or names are back to front, no match will be returned, giving an erroneous result.
  • Fuzzy Name Matching: Fuzzy matching is used to compare two search strings which may be similar but are not identical, based on criteria determined either by the user (when performing the search) or by the algorithm.

Common problems encountered when designing your screening process (Stage 1 above) include:

  • Spelling errors
  • Truncated words
  • Names containing multiple languages (e.g. Arabic + English)
  • Names that have been incorrectly translated to English (either in a database record or in the search parameter)
  • Dealing with initials and titles / honorifics
  • Words that are out of order (e.g. surname -> first name or first name -> surname)
  • Spaces and hyphens
  • Nicknames or unofficial names
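
The difference between the two query types, and several of the problems listed above (word order, honorifics, hyphens, spelling errors, truncated names), can be seen in a short Python sketch. This is an added example, not code from the original article or from any screening product; the watchlist names, honorific list and thresholds are constructed assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries for illustration; not real screening data.
WATCHLIST = ["Mohammed Al-Rashid", "Katerina Ivanova", "Jonathan Smythe"]

# Titles / honorifics dropped before comparison (assumed list, extend as needed).
HONORIFICS = {"mr", "mrs", "ms", "dr", "prof", "sir"}


def exact_screen(query, watchlist=WATCHLIST):
    """Exact, case-sensitive matching: any typo or re-ordering returns nothing."""
    return [entry for entry in watchlist if entry == query]


def normalise(name):
    """Reduce a name to a canonical string so formatting differences vanish."""
    # Strip accents; transliteration between scripts is out of scope here.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # Hyphens, commas, full stops and apostrophes become spaces.
    text = re.sub(r"[^\w\s]", " ", text.lower())
    tokens = [t for t in text.split() if t not in HONORIFICS]
    # Sorting tokens makes "surname, first name" equal "first name surname".
    return " ".join(sorted(tokens))


def fuzzy_screen(query, watchlist=WATCHLIST, threshold=0.85):
    """Return (entry, score) candidates at or above threshold, best first.

    Candidates are potential matches only; each still needs the
    qualification step described in Stage 2 before any action is taken.
    """
    q = normalise(query)
    hits = []
    for entry in watchlist:
        score = round(SequenceMatcher(None, q, normalise(entry)).ratio(), 3)
        if score >= threshold:
            hits.append((entry, score))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    queries = [
        "Al-Rashid, Mohammed",    # words out of order
        "Dr. Mohamed Al Rashid",  # honorific, spelling variant, no hyphen
        "Katarina Ivanov",        # spelling error and truncated surname
        "Jon Smythe",             # nickname / truncated first name
        "Peter Jones",            # unrelated name
    ]
    for q in queries:
        print(f"{q!r}: exact={exact_screen(q)} fuzzy={fuzzy_screen(q)}")
```

With the default threshold the nickname "Jon Smythe" is missed, and it only appears when the threshold is lowered to 0.75, which is the kind of parameter choice the design stage needs to test against known results.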

When performing screening for compliance purposes, it is common to determine how your screening processes (including selected search parameters) comply with your organisation’s policy, legislative obligations, or risk appetite. It is also important to understand your data, both in the database and the material you are using to search. If your data quality is poor, you can have the best process in the world but you will still miss something. In a compliance or reputation context, improperly performing screening can have serious financial and legal consequences.

What should businesses screen for?

Precisely what a business screens its vendors for will vary depending on regulatory obligations, internal policy settings and risk appetite. In some cases, the cost of performing the screening may outweigh the risk. Examples of what is commonly employed as part of a screening process include:

Screening is only the first step in any supplier due diligence or third party risk management. Remember that not everything is in a database; some issues may require an audit or the use of investigative techniques for detection. Show and Shadow Factories are one such example.

There are a plethora of screening solutions on the market, particularly for vendors. Some screening solutions are aggregators meaning they offer access to multiple different databases (e.g. financial viability plus adverse media) within the same interface. Many aggregators also offer proprietary reporting and case management tools, as well as continuous monitoring and alerting functionality at a variety of price points.

What about emerging markets where there is no data?

Screening tools are powered by databases, so the quality of the output reflects the data quality inputs. I have previously worked with clients to test the accuracy, coverage and reliability of paid proprietary databases against known results to determine whether the information holdings of paid databases are as accurate as they claim.

Unfortunately, the results of these comparisons haven’t always been great, particularly when it comes to data quality in emerging markets. Here are three things to consider in this scenario:

  • Consider the type of record and what the regulatory obligations are for updating that record in the given jurisdiction. In a country which provides 3 months for company secretaries to register a change of director, that change is not going to show up in a database just because the company has made a press announcement
  • Understand whether the database vendor collects the records themselves, or if they are an aggregator (or worse, an aggregator of aggregators). The closer your provider is to the primary source, the greater the likelihood the record will be accurate and timely
  • Remember that errors can be made in declarations or when transposing information unless the country uses data validation tools. Some errors can be intentional, such as where a front company provides fictitious director details

When designing your screening process, it pays to understand what you are doing and why, and confirm this meets your requirements and acceptance criteria.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Understanding High Risk Roles

What are High Risk Roles?

Understanding the concept of High Risk Roles begins with the concept of assets. There are generally agreed to be two categories of asset – tangible (e.g. physical things) and intangible (e.g. knowledge). Examples of tangible assets include property (facilities), information (including intellectual property and trade secrets), reputation, people (workforce), systems and infrastructure, and stock or merchandise.

Every business is comprised of a variety of different roles, each of which poses a different risk.

Whilst loss, degradation or compromise of an asset may cause a financial loss or inconvenience, not all assets are critical to an organisation’s survival: Those assets which are critical are often referred to as ‘critical assets‘.

Definition: Critical Assets
A ‘Critical Asset‘ is an asset which the organisation has a high level of dependence on; that is, without that critical asset the organisation may not be able to perform or function.

Paul Curwell (2022)

Critical assets typically comprise only a small fraction of all assets held by any organisation, but their loss causes a disproportionately high business impact. In security risk management, we never have enough resources to treat every risk, nor does it make sense to do so. By extension, an organisation’s critical assets are those assets which it must use disproportionately more resources to protect. This may range from restricting access to the asset to prevent loss or damage through to providing multiple layers of redundancy and increasing organisational resilience in the event of unanticipated shocks or events.

Not every activity is critical: it's important to identify these and focus limited resources on what's really important.

High Risk Roles: What are they and why are they important?

High Risk Roles are those which confer privileged access to an organisation’s critical assets, as well as other types of access privileges, user privileges, or delegations of authority.

High and Low Risk Roles Defined

High Risk Roles – those which confer privileged access to Critical Assets (including information) or decision-making rights
Low Risk Roles – those which confer normal access to Critical Assets, information or decision-making rights (i.e., non-privileged).

Paul Curwell (2022)

The concept of privileged access to assets, including information, is very much situational within the organisation concerned. If an organisation has no controls to protect its critical assets from loss, damage or interference, then every role is effectively high risk.

In contrast, if some roles are subject to fewer controls, less supervision or oversight; senior staff are easily able to bypass or compromise internal controls by virtue of their position (or coerce junior employees or subordinates into doing so); or are more readily able to access critical assets (such as in organisations where critical assets are closely guarded or ‘locked down’), then a higher degree of trust is inherently placed in those individuals. This degree of trust is reflected in their ‘privileged access’ to these assets – some organisations have historically used the term ‘positions of trust’ to refer to such roles.

What are some examples of privileged access which make a position ‘high risk’?

An organisation’s workforce must have access to its critical assets to perform its core functions. Members of the workforce with access to its critical assets may not just comprise trusted employees, but also contractors, suppliers and other third parties, making it essential to have a mechanism to track who has access to what as part of good governance, let alone risk management and assurance. Examples of positions which an employer may deem ‘high risk roles’ based on a risk assessment process include:

Unless defined by legislation, what constitutes a High Risk Role will differ between organisations. Some organisations use the Personnel Security Risk Assessment as a tool for identifying these roles (refer below).

The more senior an employee's position, the greater the potential risk exposure.

Five suggested tools to manage High Risk Roles

As outlined in the preceding paragraphs, the purpose of defining High Risk Roles is to identify the subset of your overall workforce which has privileged access to critical assets. In most organisations, perhaps with the exception of smaller organisations such as startups, those in High Risk Roles will comprise a very small percentage of the overall workforce. There are five main steps in managing high risk roles, as follows:

1. Personnel Security Risk Assessment (PSRA)

The PSRA is a structured approach to identifying those groups of roles, or even specific positions, in the organisation which may be defined as high risk. The PSRA helps inform development of a number of risk treatments and internal controls, including design of Employee Vetting and Supplier Vetting Standards (also known as Employment Screening, Workforce Screening, Employee Due Diligence or Supplier Due Diligence or Supplier Integrity standards) and Continuous Monitoring Programs.

This alignment helps ensure that the vetting (background check) programs reconcile to the organisation’s inherent risks where the risk driver is a trusted insider with an adverse background, and that Continuous Monitoring Programs are risk-based and justifiable. The relationship between these high level concepts is illustrated in the following figure:

Organisational context shapes and influences PSRA design. Personnel Security risk treatments should correspond to a specific risk.

See my article here for more detail on Personnel Security Risk Assessment process.

2. Identify your High Risk Roles

This involves an exercise to determine which position numbers (or groups / types of roles) have privileged access to your critical assets. This activity manually assigns a risk rating to each position, group or type of role in the company’s HR Position Control or HR Position Management registers extracted from the organisation’s Human Resources Information System and might be stored somewhere such as Active Directory.

An example of the process used to identify high risk roles.

In some cases, the identification of High Risk Roles is undertaken as part of the Personnel Security Risk Assessment, whilst other organisations choose to do this as a discrete exercise.

3. Apply enhanced vetting to individuals occupying High Risk Roles

Many organisations run multiple levels of workforce screening (employment screening) for prospective and ongoing employees. Importantly, vetting looks at the employees’ overall background but does not consider their activity, behaviours or conduct within the organisation or on its networks (this is the role of Continuous Monitoring, below).

To manage cost and minimise unnecessary privacy intrusions, low risk roles will typically be subject to minimal screening processes – perhaps Identity Verification, Right to Work Entitlement (e.g. Working Visa or Citizenship), and Criminal Record Check. Vetting programs for High Risk Roles should be treatments for some of the risks identified through the Personnel Security Risk Assessment.

4. Conduct periodic ICT User Access Reviews

This should be undertaken on an ongoing basis as part of your cybersecurity hygiene, but users who have higher access privileges, administrator access, or access to critical assets should be periodically re-evaluated by line management to ensure this access is still required in the course of work. It is common to find people who are promoted or move laterally to new roles who inherit access privileges from previous roles which may no longer be required in subsequent roles.

Restricting Administrative Privileges is one of Australia’s Essential 8 Strategies to Mitigate Cyber Security Incidents, as published by the Australian Cyber Security Centre, which recommends revalidation at least every 12 months and that privileged user account access is automatically suspended after 45 days of inactivity.

Australian Cyber Security Centre (2022)
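
A periodic review of this kind can be scripted over an export of user accounts. The following Python sketch is an added example, not part of the Essential 8 guidance or the original article: it applies the 45-day inactivity and 12-month revalidation thresholds quoted above to privileged accounts, and flags entitlements left over from a previous role. The role baselines, entitlement names, account records and the treatment of 12 months as 365 days are assumptions.

```python
from datetime import date

# Constructed role baselines: entitlements each role is expected to hold.
ROLE_BASELINE = {
    "finance-analyst": {"erp-read", "erp-post-journal"},
    "finance-manager": {"erp-read", "erp-approve-payment"},
    "db-admin": {"db-admin", "erp-read"},
}
# Entitlements treated as privileged access (assumption for this example).
PRIVILEGED = {"erp-approve-payment", "db-admin"}

INACTIVITY_LIMIT_DAYS = 45      # suspend privileged access after this
REVALIDATION_LIMIT_DAYS = 365   # "at least every 12 months"

# Constructed account export, e.g. from a directory or HR system.
ACCOUNTS = [
    {"user": "a.lee", "role": "finance-manager",   # promoted from analyst
     "entitlements": {"erp-read", "erp-approve-payment", "erp-post-journal"},
     "last_logon": date(2022, 6, 20), "last_revalidated": date(2022, 1, 10)},
    {"user": "b.khan", "role": "db-admin",
     "entitlements": {"db-admin", "erp-read"},
     "last_logon": date(2022, 4, 1), "last_revalidated": date(2021, 5, 1)},
    {"user": "c.ong", "role": "finance-analyst",   # inactive but not privileged
     "entitlements": {"erp-read", "erp-post-journal"},
     "last_logon": date(2022, 1, 5), "last_revalidated": date(2020, 1, 1)},
]


def review(accounts, today):
    """Return {user: [actions]} for accounts needing line-management attention."""
    findings = {}
    for acct in accounts:
        actions = []
        held = acct["entitlements"]
        if held & PRIVILEGED:
            if (today - acct["last_logon"]).days > INACTIVITY_LIMIT_DAYS:
                actions.append("SUSPEND")
            if (today - acct["last_revalidated"]).days > REVALIDATION_LIMIT_DAYS:
                actions.append("REVALIDATE")
        # Entitlements outside the current role's baseline are likely inherited
        # from a previous role and should be confirmed or removed.
        excess = held - ROLE_BASELINE.get(acct["role"], set())
        actions.extend(f"REMOVE:{name}" for name in sorted(excess))
        if actions:
            findings[acct["user"]] = actions
    return findings


if __name__ == "__main__":
    for user, actions in review(ACCOUNTS, date(2022, 7, 1)).items():
        print(user, actions)
```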

5. Apply continuous monitoring for users in high risk roles

Continuous Monitoring through the correlation of data points obtained through User Activity Monitoring and / or other advanced analytics or behavioural analytics-based insider risk detection solutions (such as DTEX Intercept, Microsoft Insider Risk or Exabeam) should be disproportionately focused towards those in High Risk Roles (see Albrethsen, 2017).

In summary, the identification and management of High Risk Roles should be a feature of any Insider Risk Management, Supply Chain Risk Management, or Research Security Program. Increasingly, various legislative frameworks – such as the Anti-Money Laundering / Counter-Terrorist Financing (AML/CTF) regime – also consider the concept of High Risk Roles in their compliance programs as a way to manage personnel related risks. Don’t forget, given that High Risk Roles change periodically as the organisation changes, regular updates to related artefacts form part of a mature capability.

Further Reading

Building your supplier integrity framework

What is Supplier Integrity?

The Cambridge Dictionary defines integrity as “the quality of being honest and having strong moral principles that you refuse to change”. Increasingly the term ‘business integrity‘ is being used to reflect the way companies manage compliance risks and regulatory obligations. More recently, the term ‘supplier integrity’ is also starting to arise.

Supplier Integrity is a logical extension of the concept of ‘business integrity’ (see below – note that some authors use ‘business integrity’ specifically to refer to anti-bribery and corruption). Before diving into the concept in more detail, it is worth setting some boundaries for what constitutes ‘supplier integrity’.

Despite searching, at the time of writing I was unable to locate a standard or guideline on supplier integrity. However, the OECD Due Diligence Guidance for Responsible Business Conduct provides a useful set of guardrails for what might be included within a supplier integrity framework:

  • Human Rights
  • Environmental Protection
  • Employment and Industrial Relations
  • Financial Crime, specifically:
    • Anti-Bribery & Corruption
    • Economic and Trade Sanctions
    • Fraud
    • Money Laundering & Terrorist Financing
    • Tax Crime
  • Consumer Protection
  • Competition & Anti-Competitive Practices

In my opinion, one of the other fundamental elements to Supplier Integrity is Beneficial Ownership, or the identity of the natural person(s) who actually own the supplier. Whilst determination of beneficial ownership is likely to occur during Supplier Due Diligence, understanding who you are actually proposing to do business with – what the World Bank refers to as the “corporate veil” – is essential and should not be overlooked (refer this related post).

Why is Supplier Integrity important?

There are at least two main reasons why Supplier Integrity is important in business today: the first is legal, whilst the second is more a reflection of ethics and values. One of the primary legal reasons for needing a robust supplier integrity program is Principal-Agent Theory which holds that the company contracting the third party (‘principal’) is generally responsible for actions taken on its behalf by that third party (‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their supplier arrangements.

  • Under this legal doctrine, if a supplier does something illegal there is generally a degree of civil and / or criminal liability for that conduct which can fall on the principal.
  • Whilst activities such as Supplier Integrity and associated supplier compliance programs can help mitigate this liability in the event of something going wrong, it generally does not absolve the principal completely.
  • One example of this in practice is a principal’s liability for bribery and corruption performed on its behalf by a supplier under the U.S. Foreign Corrupt Practices Act (FCPA) (FCPA Guide, p136).

In relation to ethics and values, there are four key drivers which underscore the importance of a robust Supplier Integrity Framework:

  • ESG and shareholders – the Environmental Social Governance (ESG) investment movement is becoming increasingly important globally as we recognise the value and importance of sustainable business practices, as well as the importance of integrity and transparency in business generally. According to McKinsey, companies that demonstrate a strong ESG proposition correlate with higher equity returns.
  • OECD Guidelines for Responsible Business Conduct (RBC) – these Guidelines cover environmental, industrial relations, financial crime, competition, human rights, and consumer protection and are the OECD’s most comprehensive international standard on Responsible Business Conduct. The Australian Government is committed to promoting the use of the Guidelines and their effective and consistent implementation. Companies operating in Australia and Australian companies operating overseas are expected to act in accordance with the principles set out in the Guidelines and to perform to the standards they suggest. The Guidelines are supplemental to Australian law and are not legally binding (AusNCP).
  • Consumer expectations and social licence to operate – this driver is much more fluid and reflects the will and appetite of the local community and populace to allow a company to operate. Companies which do not respect the communities or environment in which they operate are being identified and actively targeted by global consumers for socially unacceptable behaviour, potentially impacting sales, employee attraction and retention, and political support.
  • Reflection of the company’s values and ethics – perhaps the most important of all, a company’s suppliers are a reflection of its brand. Poor choices in suppliers can manifest in quality and reputation risks impacting factors such as profitability downstream.

What would you expect to see in a Supplier Integrity Framework?

A Supplier Integrity Framework fulfils a specific purpose – ensuring that the principal’s suppliers conform with its ethics and values as well as comply with applicable legislation. There are six components I would expect to see in any Supplier Integrity Framework:

  1. Supplier Code of Conduct – reflects the principal’s ethics and values to ensure these are demonstrated by its suppliers
  2. Supplier Integrity Policy –
    • Outlines roles and responsibilities, acceptable behaviours or expected practices (see Supplier Code of Conduct);
    • Aligns with compliance obligations and the principal’s broader policies and frameworks (eg risk and compliance frameworks, procurement policy, supplier management framework),
    • Outlines the ongoing monitoring and due diligence practices and the supplier compliance program; and,
    • Sets out how incidents are to be reported and managed.
  3. Risk Assessment – identifies the main supplier integrity risks and where they may manifest in the supply chain (geographical, spend category, etc), as well as associated controls and risk treatment plans
  4. Supplier Due Diligence and Ongoing Monitoring Program – conduct due diligence and continuous monitoring on a supplier’s integrity throughout the supplier lifecycle (i.e. selection, contracting, contract management, termination)
  5. Supplier Compliance Program (aka Supplier Assurance Program or Vendor Assurance) – documents how and what the principal will do to ensure compliance with its Supplier Integrity Framework as well as other aspects of contractual compliance. This should also include appropriate incident management, audit and investigation provisions.
  6. Performance and reporting – details how compliance with the policy will be tracked and reported with appropriate levels of governance and oversight.

Relationship between Supplier Integrity, Procurement and Supplier Management Frameworks

The Supplier Integrity Framework is likely to be one element of a principal’s broader suite of corporate governance artefacts. Ordinarily this framework will be subordinate to other frameworks in the organisation such as the principal’s Code of Conduct and other business integrity policies and practices which apply to all employees.

The Supplier Integrity Framework is likely to be subordinate to the Procurement and Sourcing Policy, which likely sets out how the principal performs these functions, as well as other Supplier Relationship Management (SRM) and Supply Chain Management (SCM) frameworks.

Each of the above policies and frameworks performs an important role in the overall supply chain or third party management ecosystem. Importantly, a well-designed supplier integrity framework complements other governance and risk-related concepts, such as those outlined in the Australian Government’s Critical Technology and Supply Chain Principles (’10 Agreed Principles’, see previous post), as well as providing a solid foundation from which to address a range of other supply chain threats and risks.

Further Reading

Critical Minerals – what’s the problem here?

What are critical minerals anyway?

Critical minerals are defined by Geoscience Australia as “metals and non-metals that are considered vital for the economic well-being of the world’s major and emerging economies, yet whose supply may be at risk due to geological scarcity, geopolitical issues, trade policy or other factors” (2022). One category of critical minerals, ‘rare earth elements’ (listed below) are particularly important:

  • (Ga) Gallium
  • (In) Indium
  • (W) Tungsten
  • Platinum-group elements (PGE) including
    • (Pt) Platinum
    • (Pd) Palladium
  • (Co) Cobalt
  • (Nb) Niobium
  • (Mg) Magnesium
  • (Mo) Molybdenum
  • (Sb) Antimony
  • (Li) Lithium
  • (V) Vanadium
  • (Ni) Nickel
  • (Ta) Tantalum
  • (Te) Tellurium
  • (Cr) Chromium
  • (Mn) Manganese

The problem with critical minerals is their availability: they are not distributed evenly throughout the world, and in some cases it is not economical to extract them using current technology. This is particularly the case with rare earths, where according to InvestingNews, the top 10 countries for rare earth production are:

  1. China
  2. United States
  3. Myanmar
  4. Australia
  5. Madagascar
  6. India
  7. Russia
  8. Thailand
  9. Vietnam
  10. Brazil

InvestingNews (2021)

Readers will note that some of the countries are subject to greater geopolitical risks than others – ranging from emerging to developed economies and sanctioned to non-sanctioned jurisdictions. One of Australia’s strengths is our proliferation of critical minerals and our geopolitical and economic stability. As shown in the following figure, Australia has critical mineral deposits distributed across the country:

Critical Minerals Supply Chain in the United States: Mapping the Landscape for Australian Suppliers (AUSTRADE, 2019)

As demands for the world’s critical minerals increase and supplies dwindle, rich countries will increasingly seek alternative sources. Deposits that were previously uneconomic to extract may become economical, whilst other countries may resort to war or coercion to achieve or maintain geostrategic advantage. Geoscience Australia has ranked Australia’s resource potential for critical minerals and their associated criticality (or scarcity):

Geoscience Australia (2022). Critical Minerals.

Understanding the criticality of raw materials is particularly important when assessing your supply chain threats and risks, as is understanding the geopolitical risks associated with the Critical Minerals value chain (refer figure below).

Geoscience Australia (2022) notes that some “category one and category two metals and semi-metals are primarily by-products of refining of the major commodities such as zinc, copper, lead, gold, aluminium and nickel”. Australia has abundant stockpiles for many of these commodities, however they are not always cost effective to extract. In the future, advances in processing techniques might mean these can be extracted in a highly targeted way at a cost that makes economic and environmental sense.

What industries use critical minerals?

Critical minerals underpin the world’s 4th Industrial Revolution and high tech gadgets, as well as enabling a green, low-carbon, digitised economy. Without access to critical minerals, we would not be able to have our computers, phones, wind turbines, electric vehicles or solar panels that are becoming de rigueur in Australia and worldwide. Here are some lesser known examples and their applications:

Critical Mineral: Usage (examples, not exhaustive)

Yttrium
  • Ceramics (abrasives, jet engine coatings, oxygen sensors in cars, and corrosion resistant cutting tools)
  • Electronics (microwave radar, dental and surgical procedures, digital communications, industrial cutting and welding, photochemistry, distance and temperature sensing)
  • Metallurgy (superalloys, high-temperature superconductors)

Tantalum
  • Production of tantalum alloys, capacitors, compounds and metal
  • Major end uses for tantalum capacitors include automotive electronics, mobile phones and personal computers
  • Tantalum oxide is used in glass lenses and tantalum carbide is used in cutting tools

Germanium
  • Fibre optics, infrared optics, electronics and solar applications including solar cells for satellites

Critical Minerals Supply Chain in the United States: Mapping the Landscape for Australian Suppliers (AUSTRADE, 2019)

As you can see, the applications for critical minerals are diverse – without them, much of the advanced civilisation we live in today would cease to function.

What are the security and supply chain risks for Australian companies?

Two principal security and supply chain risks associated with critical minerals are worth highlighting, both of which have a geostrategic flavour – (1) foreign ownership, control and influence, and (2) sanctions and trade embargo risks, as illustrated below:

Paul Curwell (2022) – adapted from AUSTRADE Critical Minerals Supply Chain in the United States (2019)

The Foreign Ownership, Control and Influence (FOCI) risks we have seen globally tend to materialise in two scenarios, outlined in the following table:

  • FOCI Risk: Mining rights (licences) are held by a single company which controls a substantial percentage of production
    Risk Description / Scenario: This scenario is particularly applicable to Rare Earth Elements which are only found in a few locations around the world, hence global supply is very low in comparison to demand. In this case, a single company could conceivably control a substantial percentage of the production for a given rare earth element globally.
  • FOCI Risk: Ownership of multiple mines is held by shareholders of the same nationality (i.e. a concentration risk)
    Risk Description / Scenario: This effectively gives the parent country ‘control-by-proxy’ of critical minerals production, meaning the minerals can be exported under the guise of legitimate trading contracts to the parent country for stockpiling and / or use in manufacturing. Once extracted and shipped, there is no easy way of getting the minerals back, and the country which holds all the stockpiles effectively controls both market pricing as well as its permitted end use (for example, military end-use export controls might be applied, effectively giving the controlling country a military advantage).

(c) Paul Curwell 2022

The second type of risk is sanctions and embargos risk. Historically, when we think of sanctions, trade embargos or even naval blockades it is typically on countries such as North Korea and Iran for their actions against the global community and internationally acceptable norms and behaviours.

As a source country for critical minerals, there is always the possibility that Australian companies or Australian exports could be sanctioned. However, two factors act in our favour to mitigate this risk with critical minerals:

  • First is global availability, being that critical minerals are either only located in specific geographic regions or can only be extracted in a way that makes economic sense from a small number of locations.
  • Second is the global balance of power. Whilst geostrategic power is shifting away from the United States, we are not yet at the point where other geostrategic players have sufficient power or leverage to impose meaningful sanctions or export restrictions at a large scale (note this does not mean that targeted, and even non-conventional forms of sanctions would not be possible or effective).

Another commonly used sanctions and embargo tool is the naval blockade, which would be very onerous to enforce in a country such as Australia, which is so large and surrounded by navigable waters.


What can we do about it?

Like an increasing number of countries around the world, Australia has implemented foreign ownership and foreign investment restrictions to prevent the scenario arising whereby our mining companies or mining licences are owned by foreign investors either at issue or throughout their period of validity, without appropriate review. Additionally, we have introduced a range of foreign interference laws to criminalise and help prevent actions by foreign governments and their proxies (including legal entities) from interfering in Australia’s sovereignty.

As we saw with trade restrictions on Australian exports, sanctions, embargos and the like are much harder to mitigate. This is particularly the case where Australia sends extracted ore to a third country for processing and refining, which may then be purchased for re-import back to Australia. In this scenario, Australian manufacturers or businesses are immediately exposed to potential sanctions risks. One way to mitigate this is to conduct mineral processing and refining here in Australia, allowing Australia to export refined material as well as to use it directly in Australian manufacturing.

If there is one positive thing that can be said for the COVID-19 pandemic (aside from introducing more flexible working practices), it is that the supply chain disruptions have really reinforced in the Australian psyche the need for Australia to expand our domestic manufacturing capability and to be less reliant on other countries for our critical supplies and services. Understanding where security, geopolitical (country) and resilience risks lie in your supply chain, and implementing appropriate risk treatments, is critical for every Australian business.


DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Ukraine and looming Russian sanctions – implications for supply chains

Historically, awareness of sanctions has been mixed in Australia and typically strongest in financial services and commodities. This article examines what sanctions are, who issues them, the core components of a Sanctions Compliance Program, and what the introduction of sanctions on Russia as a result of any future invasion of Ukraine might mean for Australian supply chains.

Moscow, one part of Russia which will feel the pinch of international sanctions.

What are sanctions?

According to HM Treasury, “sanctions are restrictions put in place to achieve a specific foreign policy or national security objective. They can (a) limit the provision of certain financial services, or (b) restrict access to financial markets, funds and economic resources”.

Each jurisdiction uses its own terminology for sanctions, but the United Kingdom categorises sanctions into three simple categories:

  • Targeted asset freezes – for individuals and entities
  • Restrictions on financial markets and services – for individuals, entities, specified groups or entire sectors including:
    • Investment bans
    • Restrictions on access to capital markets
    • Directions to cease banking relationships and activities
    • Requirements to notify or seek authorisation prior to certain payments being made or received
    • Restrictions on the provision of financial, insurance, brokering or advisory services or other financial activities
  • Directions to cease all business – specifying the type of business and applicable to a specific person, group, sector or country

As you can see, sanctions and their impact can be quite broad and far-reaching. One particular challenge with sanctions lies in identifying parties who are indirectly sanctioned. This requires more sophisticated due diligence and compliance oversight to manage properly.


Who promulgates sanctions?

The UN Security Council (UNSC) has the power to levy economic and trade sanctions; however, this requires consensus from the five permanent members of the UNSC, which is rare.

In addition to the UNSC, individual countries have also recognised the strategic power of sanctions. Since the use of blockades during World War One, this has resulted in country-specific legislation that impacts companies and individuals resident in, or operating in, their jurisdiction (Mulder, 2022).

Some national sanctions regimes are politically motivated, such as where foreign dissidents, human rights defenders, or the political opposition are targeted, but this sort of behaviour is typically restricted to non-democratic countries. Globally, major sanctions bodies align with the world’s main financial centres, including:

Of these, OFAC is undoubtedly the strongest in terms of reach, influence and enforcement. This is because of the United States’ position as the global financial centre, with most companies having a presence or nexus to that market (including through their bank transactions). OFAC is also an active regulator, levying substantial fines and penalties on companies worldwide. This means that OFAC can be used as the benchmark for any sanctions compliance program – if you satisfy OFAC, you will probably satisfy all other regulators as well.

As its global power and influence grows, the People’s Republic of China is increasingly becoming a player in relation to sanctions, as highlighted in the Atlantic Council’s Global Sanctions Dashboard. China’s rise and influence in relation to sanctions will be increasingly important.


What should a sanctions compliance program comprise?

In 2019, the U.S. Treasury published its 12-page guidance on designing and implementing a Sanctions Compliance Program in a document entitled “A Framework for OFAC Compliance Commitments”. OFAC expects regulated entities to undertake at least five core elements in their compliance program:

  • Management Commitment
  • Risk Assessment
  • Internal Controls
  • Testing and Auditing
  • Training

On face value, these elements are much like any other risk or compliance program we would expect to see. However, with sanctions the devil lies in the detail and particularly the complexity of the various regimes. This post is not intended to be a detailed overview of sanctions compliance, rather to provide context for the following discussion on what this means for supply chains.

If your sanctions program is not up to scratch, or if you don’t have one at all, seek specialist advice as the fines and penalties for non-compliance can be substantial and extend beyond the enforcement action to potentially mean your suppliers and customers will no longer do business with you due to the risk you present.


What does the situation in Ukraine mean for supply chain hazards, as an example?

Under Australia’s new Security of Critical Infrastructure (SOCI) Act, one of the key elements of the associated Rules, Supply Chain Hazards, requires regulated entities to “establish and maintain in the entity’s program a process or system that the entity uses to minimise or eliminate the material risk of, or mitigate, the relevant impact of”, amongst other things, “(d) disruptions and sanctions of the asset due to a disruption in the supply chain”.

With the prospect of more sanctions on Russia, companies need to start working now to review their suppliers, update their risk assessments, and identify any potential connections to Russian individuals, entities and sectors. Some of the steps you may need to take include:

  • Examining the geographic presence of your suppliers – are any based and / or headquartered in Russia or its allies?
  • Ultimate Beneficial ownership or control – who (individuals) or what (other legal entities) own some or all of your suppliers, and are any of them Russian, or do they have a nexus to Russia?
  • Once you have identified your suppliers and their beneficial owners, be prepared to conduct name screening against the relevant sanctions lists, or alternatively use a reliable vendor solution such as Refinitiv’s World-Check, Dow Jones Watchlist or LexisNexis WorldCompliance.
  • Identify any other potential foreign influence from Russia or its proxies that could impact your supply chain or operations.

If you are new to sanctions, your reaction is probably that this would take a lot of effort and involve some cost. In my experience, this is exactly the case. Once sanctions are promulgated, you need to compare the sanctions list(s) to your supplier data to ensure there are no matches. Your bank will do the same, so if you don’t do this you risk a supplier payment being confiscated by a regulator which can be hard to recover. In addition, intentionally or unintentionally breaking a sanction has serious criminal and civil penalties.
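One way to run the comparison described above, as an added example that is not from the original article: supplier names and their beneficial owners are normalised and fuzzy-matched against a sanctions list, and anything at or above a threshold is returned as a potential match for manual qualification. The list entries, supplier records, the `LEGAL_FORMS` set and the 0.85 threshold are all constructed assumptions; a real process would load the official list files and tune the threshold during QA.

```python
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Legal-form tokens differ between registries and add little identifying value.
LEGAL_FORMS = {"ltd", "limited", "llc", "pty", "inc", "ooo", "gmbh", "plc"}

# Constructed sample data: no entry refers to a real person, company or list.
SANCTIONS = [
    {"list": "CONSTRUCTED-LIST-A", "name": "PRIMJEROVIC, Zeljko", "aliases": []},
    {"list": "CONSTRUCTED-LIST-A", "name": "Severnaya Zvezda Example Trading OOO",
     "aliases": ["North Star Example Trading"]},
]
SUPPLIERS = [
    {"name": "Harbourline Fasteners Pty Ltd", "owners": ["Alice Sampleton"]},
    {"name": "Coastal Alloy Imports Pty Ltd",
     "owners": ["Željko Primjerović", "Bob Placeholder"]},
    # Typo in the supplier master data ("Exmaple"), as often happens in practice.
    {"name": "North Star Exmaple Trading LLC", "owners": []},
]


@dataclass(frozen=True)
class Hit:
    supplier: str       # supplier record that carries the exposure
    screened_name: str  # name that was queried (the supplier or one of its owners)
    role: str           # "supplier" or "beneficial owner"
    list_entry: str     # name or alias exactly as published on the list
    list_name: str
    score: float
    grade: str          # "exact" after normalisation, otherwise "potential"


def normalise(name):
    """Fold case and diacritics, drop punctuation and legal forms, sort tokens.

    Sorting makes "SURNAME, Given" and "Given Surname" compare equal. NFKD only
    strips combining marks, so letters such as "ø" or "ł" would need a mapping.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", stripped.lower())
    return " ".join(sorted(t for t in tokens if t not in LEGAL_FORMS))


def screen(suppliers, sanctions, threshold=0.85):
    """Return hits for every supplier or owner name that resembles a list entry."""
    listed = []
    for entry in sanctions:
        for published in [entry["name"], *entry["aliases"]]:
            key = normalise(published)
            if key:  # a name made only of legal forms normalises to ""
                listed.append((key, published, entry["list"]))

    hits = []
    for supplier in suppliers:
        parties = [(supplier["name"], "supplier")]
        parties += [(owner, "beneficial owner") for owner in supplier["owners"]]
        for name, role in parties:
            query = normalise(name)
            if not query:
                continue
            for key, published, list_name in listed:
                score = SequenceMatcher(None, query, key).ratio()
                if score >= threshold:
                    grade = "exact" if query == key else "potential"
                    hits.append(Hit(supplier["name"], name, role, published,
                                    list_name, round(score, 4), grade))
    # Highest-confidence matches first, so reviewers qualify those before the rest.
    hits.sort(key=lambda h: h.score, reverse=True)
    return hits


if __name__ == "__main__":
    for hit in screen(SUPPLIERS, SANCTIONS):
        print(hit)
```

The second supplier is clean by its own name and is only caught through its beneficial owner, which is the indirect exposure that a supplier-name-only check would miss.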


How should I perform due diligence to comply with Australia’s Modern Slavery Act 2018 (part 2)?

Author: Paul Curwell


This article is the second in a series on Australia’s Modern Slavery Act, this time with a focus on due diligence practices. Readers of my previous post may recall that one of the requirements of the MSA is to ‘Describe the actions taken by the reporting entity and any entities it owns or controls to assess and address these risks, including due diligence and remediation processes’ (p29). The Guidance goes on to say that due diligence is a key term within the UN Guiding Principles (pp46-47), and directs readers to the OECD Due Diligence Guidance for Responsible Business Conduct as a source of ‘key international standards and guidance’ (p90).

In this second article, I aim to help readers understand the Australian Government’s expectations of a Reporting Entity’s human rights due diligence program so as to comply with the MSA in a clear and practical manner.

Australia’s Parliament House

The UN Guiding Principles establish the concept of ‘human rights due diligence’

The United Nations Guiding Principles on Business and Human Rights (UNGPs) were endorsed by the United Nations Human Rights Council in June 2011. The UNGPs are intended to apply to both nation states and businesses regardless of factors such as size or jurisdiction, and set out the intended duties and responsibilities of both parties. Under the UNGPs, ‘human rights’ are defined as those rights outlined in the International Bill of Human Rights and the International Labour Organisation Declaration on the Fundamental Principles and Rights at Work (UNGP 12).

Of the 31 Guiding Principles, three in particular establish responsibilities for business in relation to human rights due diligence, as follows:

  • GP 13 – requires businesses to avoid causing human rights impacts through their operations or activities, and to seek to prevent or mitigate any adverse human rights impacts linked to them
  • GP 15 – states that in order to meet their human rights responsibilities, businesses should have: (a) a human rights policy, (b) a human rights due diligence process, and (c) a process to enable remediation
  • GP 17 – states that human rights due diligence is required by business to ‘identify, prevent, mitigate and account’ for adverse human rights impacts. This activity “should include assessing actual and potential human rights impacts, integrating and acting upon the findings, tracking responses, and communicating how impacts are assessed”

The Australian Government’s Modern Slavery Act Guidance for Reporting Entities is aligned to the UNGPs, hence an understanding of them is useful when designing a due diligence program in order to comply with the Modern Slavery Act.

The OECD’s Multinational Enterprise Guidelines complement and expand upon the UNGPs

In May 2010, the governments of the 42 OECD and non-OECD countries which adhere to the OECD Declaration on International Investment and Multinational Enterprises and related Decision, of which Australia is a member, commenced work to update the original OECD Multinational Enterprise (MNE) Guidelines originally developed in 2000. In addition to providing concepts and principles, the Guidelines provide specific guidance in eight domains:

  • Human Rights
  • Employment and Industrial Relations
  • Environment
  • Combating Bribery, Bribe Solicitation and Extortion
  • Consumer Interests
  • Science and Technology
  • Competition, and,
  • Taxation

The revised version of the MNE Guidelines included a new chapter on Human Rights which is consistent with the UNGPs. The MNE Guidelines are intended to provide “non binding principles and standards for Responsible Business Conduct”, and are “the only multilaterally agreed and comprehensive code of responsible business conduct that governments have committed to promoting” (p3).

The MNE Guidelines contain a number of requirements pertaining to Human Rights Due Diligence (i.e. Modern Slavery Act due diligence practices); however, this guidance aligns with that of the UNGPs and does not warrant repeating.

Why should the OECD’s MNE Guidelines matter to Australian businesses?

Australia is a signatory to the OECD Declaration on International Investment and Multinational Enterprises and Decisions. To effect this, the Australian Treasury manages Australia’s OECD MNE ‘National Contact Point’ to promote and implement the MNE Guidelines. The Government expects Australian businesses to comply with the MNE Guidelines and the OECD Due Diligence Guidance for Responsible Business Conduct and associated sector due diligence guidelines (see below) as they “represent standards of behaviour that supplement Australian law and therefore do not create conflicting requirements”. Non-judicial complaints can be brought against Australian businesses, and are investigated by an Independent Examiner (currently WA Barrister Mr John Southalan).

To assist business in interpreting and implementing the MNE Guidelines, the OECD has produced its Due Diligence Guidance for Responsible Business Conduct, supported by additional sector specific due diligence guidance for:

The OECD also introduces new sector-specific guidelines periodically.

The OECD has developed guidance for business on how to undertake ‘human rights due diligence’


As an Australian, I struggle with the way the ‘human rights due diligence’ concepts are presented in the UNGPs and OECD guidelines. We so frequently design our governance, risk and compliance frameworks along the lines of ISO31000 – Risk Management and ISO19600 – Compliance Management Systems that it is easy to forget these elements are not so ingrained overseas.

I raise this because the OECD Due Diligence Guidelines for Responsible Business Conduct (DDGs) introduce a six-step due diligence process which contains some functions we might ordinarily consider constituting part of a risk and compliance framework, as follows (Figure 1, p21):

  1. Embed Responsible Business Conduct into policies and management systems
  2. Identify and assess adverse impacts in operations, supply chains and business relationships
  3. Cease, prevent or mitigate adverse impacts
  4. Track implementation and results
  5. Communicate how impacts are addressed
  6. Provide for, or cooperate in, remediation where appropriate

Although the OECD states that businesses may not see these elements as being exclusive to a due diligence program per se, the DDG also states the focus of human rights due diligence processes should be external to the business itself (as opposed to risk management’s traditionally internal focus) and focused on its extended operations, products or services, and its ‘business relationships’ (what Australians might consider as Third Party Risk Management).

Human Rights Due Diligence can build off (although it is broader than) traditional transactional or ‘Know Your Counterparty’ (KYC) due diligence processes

The DDGs are not intended to replace those practices commonly referred to as ‘Know Your Customer’ (KYC), ‘Know Your Supplier’ (KYS), ‘Know Your Partner’ (KYP) or ‘Enhanced Due Diligence’ (under AML/CTF laws, legislated in Australia as ‘Enhanced Customer Due Diligence’) (p16). These due diligence activities are different to human rights due diligence, albeit there will likely be some overlap, and commonly focus on some variation of the following nine key areas:

  • Identification and Identity Verification
  • Legal entity formation and directors
  • Determination of Beneficial Ownership
  • Financial viability, credit ratings and performance
  • Litigation, bankruptcy & lien searches
  • Name screening (adverse media, Politically Exposed Persons, Sanctions)
  • Assessment of management’s style, integrity, competence and track record
  • Reputation in business, industry, the company or community
  • Disclosed and undisclosed Conflicts of Interest, Related Party relationships and other red flags

Simplifying the OECD’s six-step due diligence process

When I look at the OECD’s six-step due diligence process outlined earlier, Step 2 constitutes what I would consider to be the crux of the actual due diligence (Figure 1, p21). The purpose of Step 2 is to “identify and assess actual and potential adverse impacts associated with the enterprise’s operations, products or services”, which the guidance decomposes into four elements:

  • 2.1 – Develop an enterprise-level risk assessment to identify the areas of highest risk based on a range of internal and external factors, including information gaps. Complete the due diligence from areas of highest to lowest risk
  • 2.2 – Undertake iterative and increasingly in-depth assessments of operations, suppliers and other business relationships to identify and assess adverse Responsible Business Conduct impacts, starting with the highest risk areas first from 2.1 (above)
  • 2.3 – Assess whether the enterprise caused (or would cause) or contributed to (or would contribute to) the adverse impact, or whether the adverse impact is (or would be) directly linked to its operations, in order to determine an appropriate response (i.e. is it actually involved, or potentially involved)
  • 2.4 – Prioritise the most significant risks and impacts for action based on severity and likelihood

Step 2.1 will resonate well with anyone familiar with the principles of risk management in that resources should always be concentrated towards those areas of the highest risk exposure.

Step 2.2 is an interesting one. In Terrorist Diversion (Routledge, 2021), I wrote the chapter on due diligence practices for non-profit organisations. In this, I outlined a risk-based process where the level (extent) of due diligence initially undertaken is predicated on the perceived inherent risk prior to commencing due diligence. Where indications are encountered whilst performing the diligence that an entity is actually higher risk, the extent of diligence can be easily increased. Step 2.2 aligns with these principles.

Steps 2.3 and 2.4 start to get into matters of liability and social responsibility for any identified (or potential) adverse findings, and subsequently a treatment plan. Depending on your organisation, this may or may not be the responsibility of the team actually performing the due diligence itself.

To make it easier for readers to follow all of this, I have developed this simple cheat sheet which I hope will be a useful resource (please remember to cite me appropriately).

– (C) Copyright Paul Curwell (2000, Australia).


Modern Slavery, Human Trafficking & People Smuggling? (Part I)

Author: Paul Curwell


According to Antislavery.Org, “someone is in slavery if they are forced to work through coercion, mental or physical threats; trapped and controlled by an employer; dehumanised, treated as a commodity, or sold as property; and subject to physical movement constraints”. Antislavery.Org identifies six primary forms of slavery:

  • Forced labour
  • Debt bondage (bonded labour)
  • Human trafficking
  • Descent-based slavery (people born into slavery)
  • Child slavery (as opposed to child labour)
  • Forced and early marriage

The 2016 figures from the International Labour Organisation (ILO) are startling:

  • 40.3 million people are in modern slavery, including 24.9 million in forced labour
  • This is a ratio of 5.4 victims (slaves) per 1,000 people, with 25% of those being children
  • 64% of the victims of forced labour are exploited in private sector industries such as domestic work, construction or agriculture, and almost 17% are in forced labour imposed by government authorities
  • Females are disproportionately affected, accounting for 58% of forced labour victims across all sectors except the commercial sex industry, where they represent 99% of victims

Globally, the international legal framework to address modern slavery includes the Universal Declaration on Human Rights, and various other international conventions on different forms of slavery, forced labour and human trafficking.

It is common to see the terms ‘modern slavery’, ‘human trafficking’ and ‘people smuggling’ used interchangeably, but they are actually different concepts with different actors, motives and outcomes (see Australian Criminal Offences below).

Key Definitions

Whilst the concepts of Modern Slavery and Human Trafficking are related, People Smuggling is a different concept, as outlined below:

  • Modern Slavery in Australia is defined as conduct that constitutes:
    • An offence under Division 270 or 271 of the Criminal Code 1995 (Cth),
    • A form of Child Labour (as defined by the ILO), or
    • Trafficking in persons, as defined in Article 3 of the Protocol to Prevent, Suppress and Punish Trafficking in Persons, Especially Women and Children, supplementing the United Nations Convention against Transnational Organized Crime (2000)
  • Human Trafficking – the physical movement of people (recruiting, transporting or harboring) across and within borders through deceptive means, force or coercion.  The people who commit human trafficking offences are motivated by the continuing exploitation of their victims once they reach their destination country (AFP)
  • People Smuggling – the organised, illegal movement of people across borders, usually on a payment for service basis (AFP). Unlike Human Trafficking, although ‘illegals’, smuggled people are free upon arrival in their destination country

Australia’s regulatory landscape

Broadly speaking, there are now seven main pieces of legislation relating to modern slavery and human trafficking in Australia:

  • Criminal Code Act 1995 (Cth) criminalises trafficking, slavery and slavery-like practices
  • Crimes Act 1914 (Cth) protects trafficked persons when giving evidence and allows a court to make reparation to victims
  • Migration Act 1958 (Cth) creates offences for allowing an unlawful non-citizen to work or breach work-related visa conditions
  • Fair Work Act 2009 (Cth) empowers the Fair Work Ombudsman to enforce compliance with the Fair Work Act
  • Marriage Act 1961 (Cth) provides offences for solemnising underage marriages
  • Proceeds of Crime Act 2002 provides for tracing, restraining and confiscating the proceeds of crime, including trafficking and slavery
  • Modern Slavery Act 2018 (Cth) is the newest piece of slavery-related legislation in Australia

What does the Modern Slavery Act 2018 (Cth) require of Australian Companies?

At the macro level, the purpose of the Act is to raise awareness and increase transparency of the problem of Modern Slavery in Australian supply chains, and to require companies to take steps to understand the risks and change existing practices which are conducive to slavery and slave-like conditions. The Act requires companies that meet the criteria (termed a ‘reporting entity’) to submit a modern slavery statement annually to the relevant Minister, which is also made available to the public. Mandatory content of these statements includes describing:

  • (b) the structure, operations and supply chains of the reporting entity
  • (c) the risks of modern slavery practices in the operations and supply chains of the reporting entity, and any entities that the reporting entity owns or controls
  • (d) actions taken by the reporting entity to assess and address those risks, including due diligence and remediation processes
  • (e) how the reporting entity assesses the effectiveness of such actions
  • (f) the process of consultation with (i) any entities that the reporting entity owns or controls; and (ii) in the case of a reporting entity covered by a statement under section 14—the entity giving the statement; and
  • (g) any other information considered relevant

By requiring larger companies to produce these statements, government’s objective is that over time modern slavery risks in the supply chain will be reduced and that these requirements will propagate throughout global supply chains, including down to smaller suppliers – after all, a rising tide floats all boats.

Definitions of slavery in the Modern Slavery Act are mapped to the various Australian criminal offences, meaning that in order to identify inherent risks or exposures of a prospective third party or business partner, potential joint venture partner or acquisition target, you need to be able to determine their exposure to the various offences.

Australian Criminal Offences

Criminal Offences in Australia are either national, at the Commonwealth level and enshrined in either the Crimes Act 1901 (Cth) or the Criminal Code Act 1995 (Cth), or State or Territory-based jurisdiction (e.g. Crimes Act 1900 (NSW)). Offences pertaining to Slavery, Trafficking and People Smuggling can be found in the Criminal Code Act 1995. To make it easier to identify slavery and trafficking related risks during initial or ongoing due diligence, I have developed the following taxonomy based on the legislation which can be used as a reference:

High risk industries exposed to modern slavery

Some industries are more typically exposed to modern slavery risks than others. These include the following, which have been grouped below by typology:

| Typology | High Risk Industries |
| --- | --- |
| Forced Labour (Global Slavery Index 2018 – see below for citation) | Cotton; Garments – Apparel and Clothing Accessories; Sugar Cane; Electronics – laptops, mobile phones, computers |
| Human Trafficking (Anti-Slavery International – see below for citation) | Trafficking is the act of moving the person internationally. Upon arrival they are usually driven into other typologies, such as: Sexual Servitude (prostitution); Forced labour; Forced begging; Forced organised crime; Domestic servitude; Forced marriage; Forced organ harvesting |
| Servitude (Anti-Slavery International – see below for citation) | Domestic servitude (e.g. housekeeping, cleaning, maid duties, childcare, cooking); Sexual servitude (forced prostitution) |
| Deceptive Recruiting (International Labour Organisation) | Labour hire organisations and their extended networks of recruiters use deception to make an adult or parent believe that they (or their child) will be going to work in a reputable job, only for the victim to find they are later channeled into Forced Labour or Servitude. Sometimes, victims even pay for their traffickers. |
| Debt Bondage (Anti-Slavery International – see below for citation) | Agriculture; Brick kilns |
Breakdown of exposure to modern slavery by Industry

As illustrated above, ‘deceptive recruiting’ and ‘human trafficking’ can be pathways for victims to Forced Labour and Servitude. Companies would rarely be exposed to every typology of modern slavery identified above: typical activities of Australian companies mean that modern slavery in the supply chain is most likely to manifest itself as Forced Labour or Debt Bondage, although Servitude may arise in the case of expatriates working offshore who employ domestic workers via an ‘agent’ for tasks such as household duties.

Jurisdictions and Human Trafficking Patterns

A number of useful publications exist to understand the prevalence and risk profile of human trafficking in the supply chain, including the annual ‘Trafficking in Persons’ report published by the US State Department and the ‘Global Reports on Trafficking in Persons’ issued by the United Nations Office on Drugs and Crime (UNODC).

Every country is different, and is typically classified as an Origin (source), Transit, or Destination country for Human Trafficking. As shown in this figure from the UNODC (2006), Australia is a Destination country for Human Trafficking, whilst many countries in Asia are both Origin and Destination countries. The prevalence of Destination countries in Asia means there is an increased likelihood that various forms of modern slavery would be prevalent in global supply chains given that Asia is the world’s manufacturing hub.

Photo Credit: United Nations Office on Drugs and Crime (2006). Trafficking in Persons: Global Patterns, April 2006, Vienna.

As a primarily Destination country, Australia also has an interesting Human Trafficking profile, with key highlights from the 2019 US State Department Trafficking in Persons report including:

  • Both domestic and foreign victims are exploited in Australia
  • Women from Asia, Eastern Europe and Africa are frequently exploited in the commercial sex industry, whilst men are typically engaged in forced labour
  • Some women may also be exploited via forced marriages or domestic servitude situations
  • Employers and labour hire agencies are increasingly being linked to forced labour, bonded labour and exploitation (wage underpayment, falsification of records, excessive work hours) in agriculture, cleaning, construction and hospitality
  • There have also been instances of people on student visas becoming victims of modern slavery scams, whilst also having to pay substantial academic and related tuition fees
  • Also, many overseas students do not understand Australia’s complex employment award (salary) schemes, and some students do not feel they can approach the police for assistance due to a lack of trust in their home country
  • There have also been allegations of foreign diplomats abusing foreign household staff in Australia, as these household staff may not fall under standard Australian protections due to their employer’s diplomatic status

As we can see, no country is immune from the scourge of Modern Slavery. However, a greater understanding of the way it can manifest both in the supply chain and locally in Australia means more effective risk identification and targeted due diligence practices, which in time will help combat this global problem.

Next Steps – Due Diligence, Risk Assessments and Customer Risk

This is Part I of a three-part series on modern slavery and human trafficking. Part II will be published shortly, and will discuss the guidance provided to ‘Reporting Entities’ under the Modern Slavery Act 2018 in terms of their obligations, with a target audience of supply chain professionals and investment managers. Part III will address risks relating to slavery and human trafficking offences, which are designated categories of offences for money laundering (often referred to as ‘predicate offences’) by The Financial Action Task Force (FATF / GAFI).

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

How do you assess management’s track record?

Author: Paul Curwell


In any business transaction, understanding a prospective counterparty’s management team’s behaviors, evaluating their historical performance, and determining whether they are compatible as a future partner is critical to success. This applies whether you are undertaking Mergers & Acquisitions / Joint Ventures, selecting a business partner (such as a distributor, who you might partner with for years or even decades), choosing suppliers who might be relied upon to provide a business-critical project, or making an investment as an external investor. These insights into a management team’s track record are typically incorporated into a broader program of due diligence, the needs of which will differ depending on circumstances or transaction-specific requirements.

Often, an assessment of management’s track record is performed by the prospective partner in an unstructured or informal manner, with business leads for the transaction going off ‘gut feel’ or perhaps spending time getting to know the other party to determine whether a partnership will work. However, in some cases, this is not feasible, or alternately an independent and unbiased view might be sought which is where business intelligence professionals play a key role. So what exactly is a management track record review anyway?

Elements of a Management Track Record review

There is no standard approach to assessing the track record of a management team, however there are common elements which will typically form part of any assessment. The scope of any review of management’s track record is really dependent on the context and questions that need to be answered by stakeholders. Common elements are outlined below:

a. Character and Personality Traits

Running a successful business takes more than being in the right place at the right time: it requires having the right team who are prepared to make decisions and sacrifices to achieve an objective. Understanding the personalities behind the management team is critical and often overlooked in favour of more quantitative metrics. However, most readers will have encountered managers or peers who succeed and gain promotion through playing politics or riding on the backs of others rather than through any unique skills or attributes of their own.

Questions about an executive’s character that are considered within an assessment of management include:

  • What type of personality are they? Methods such as Myers-Briggs Personality Type and Deloitte’s Business Chemistry can help provide answers
  • What are their leadership qualities and style? How does this result in their success?
  • How do they perform under pressure? What are their strengths and weaknesses? Do they ‘default’ to a common pattern of behaviour under particular conditions?
  • What is their integrity like? Are they ethical and trustworthy? Will they behave in a socially-acceptable manner in the absence of scrutiny?
  • What is employee engagement like? Do employees ‘rally behind’ and trust their leader (with all their innate faults as a human), or are employees disengaged and unmotivated to perform?
  • Are they resilient? Leadership takes its toll personally on any leader, and they need to be in it for the long game, not for five minutes.
  • What are their life goals? Do they align with where the organisation is going? Any mismatch may result in an unexpected departure which could affect business outcomes unless an adequate succession plan is in place.
  • Are they driven to succeed? What drives them and is this sustainable?

In cases where you already have a strong relationship with the management team, such as the final stages of an acquisition or a few years into a business partnership, you may be in a position to bring in an organisational psychologist to help assess these traits. However, this is not possible in many situations, such as where a company is discreetly scanning the market for a new distributor or acquisition. In many cases, the inputs to these assessments need to be gathered based on publicly available information – this is common practice in the intelligence community, where foreign leaders are regularly profiled to help anticipate likely decisions or pressure points.

b. Organisational Culture

The results of many studies show that culture is a key predictor of a company’s performance. Given that executives and the board set the ‘tone from the top’ in terms of behaviours and values for any organisation, any management track record assessment must consider not just the type of culture its leadership espouses through codes and comments, but what they actually do through their actions.

Gaining insights into culture requires speaking to current and former staff, customers, suppliers, regulators and even competitors to build a comprehensive picture of fact versus fiction.

c. Performance

A management team’s performance is made up of many different factors, each of which is inter-related. While I am also a great believer that people make their own success and that some successes are partly the result of being in the ‘right place at the right time’, there are a number of traits which can help qualify a management team’s performance. These include:

  • Have they demonstrated the ability to develop a viable strategy?
  • Do they have a track record of executing on that strategy, and of successfully adapting that strategy to changing internal and external (market) contexts?
  • Do they consistently deliver on promises and meet the expectations of customers, employees, and shareholders?
  • Have they been able to consistently deliver positive results over time to demonstrate a track record of success, rather than benefiting from one-off ‘lucky’ guesses?
  • Can you identify any lies or claims of exaggerated performance? Are you able to establish a pattern of slight, but regular exaggerations of fact?

Assessing performance elements of management’s track record involves understanding the performance of the organisation as a whole (or for large organisations, the relevant business unit), and the impact or effect of the management team on it. These factors are often most visible in cases where a highly successful management team resigns en masse for a competitor or to pursue a new opportunity.

d. Competency and tenure

Whilst the tenure of a leader is relatively easy to identify and validate, competency can be much harder to assess. I’m sure we have all been in situations where we worked with someone we believed or understood to be highly competent, only to be let down or disappointed. Competence of management is more than just a reflection of their technical skill as a professional (e.g. accountant, lawyer, banker, engineer). The ability to lead, motivate and manage teams, engage the workforce, and effectively deploy the organisation’s resources must all be considered. This information often needs to be collected via interview.

  • How long did they spend in their various leadership roles? Anything less than a few years is likely to be a red flag
  • Did they resign from an organisation shortly after receiving a promotion at an executive level? If yes, did the timing of their resignation coincide with an adverse event at the business (e.g. regulatory action, failure to hit earnings estimates) or occur shortly thereafter?
  • Have they spent time in any ‘special projects’ type roles where they might have been grandfathered out of the business?
  • What do people who have worked for them, and with them say about their abilities? Have they heard anything adverse on the grapevine? How do competitors view them?

e. Compensation

The last element of a management track record review we will consider here is the compensation of individuals. At the end of the day, most executives get paid to make decisions that result in the company growing and creating value for shareholders. Executive remuneration typically needs to provide a balance of short term (e.g. salary, bonuses) and long term (e.g. shares) rewards to incentivise and reward desired behaviours. That said, a number of factors should be considered in relation to executive compensation and management’s track record:

  • Does the management team’s compensation (or that of a specific individual) match the performance of the business as a whole? Also, how does this compensation align with industry benchmarks? If not, why not?
  • What has the management team done with their stock options?
  • Is the management team entitled to any sort of loan from the company?

In private (non-public) companies, it is often hard to obtain compensation data as this does not need to be disclosed, whilst in the case of partnerships partners often ‘cash out’ upon resigning from the partnership where they have equity. In these cases, other types of information may need to be used as a proxy to help gauge compensation arrangements.

When it comes to executive compensation, it is useful to remember the case of Enron where executives reportedly received a line of credit using company funds which they were able to draw upon each month, only to repay this loan with Enron stock which at that time did not require any reporting to the SEC, limiting transparency (Bean, pp.100-101).

Techniques for obtaining inputs to a review of management’s track record

Any review of management’s track record typically starts with desktop research. Reviews of company and industry documentation, public records, media articles, presentations / speeches, and similar information is always an excellent starting point. Often, a cursory desktop review can also help frame the scope and identify where to focus in relation to a second, more detailed exercise.

The next step in obtaining this information depends on whether the subjects know you are doing this (e.g. friendly acquisition or diligence on a prospective business partner) or whether this is unknown to the subject (e.g. early stages of proposed acquisition that has not been announced to the target). Situations where your interest is known to the subject are relatively straightforward – it becomes a case of collecting and analysing the information, and then presenting it to the subject(s) for comment. Where this work is not known to the subject at that time, the range of sources available to you may be more limited.

After scoping and desktop research is complete, interviews with other parties such as suppliers, competitors, current / former employees etc can be undertaken to learn more about the management team and to corroborate key findings from desktop research. In some cases, it may be appropriate to do some sort of inspection or audit with their consent (e.g. compare the company’s performance against key events or dates), depending on the context. Obviously, care must be taken to avoid propagating any frivolous, vexatious or similar unsubstantiated claims that could give rise to a future defamation action, particularly when it comes to the specific actions (inactions) of an individual.

Once the information has been gathered, the exercise becomes an analytical one, where the goal is to build a picture using the information gathered and answer any ‘so what’ questions posed in the scope. Reviews of management’s track record are typically documented in a report which can then be used by decision makers as part of any planning. Importantly, the goal of any management track record review is not to create a catalogue of an executive’s weaknesses. Fraudulent claims should be identified and treated appropriately, but for all other cases the goal is to help make an informed decision about whether the businesses involved are likely to be compatible. Where opportunities for improvement are identified with a compatible organisation, these learnings can be used to help inform plans for improvement.

Further Reading

  • Bean, E. J. (2018). Financial Exposure: Carl Levin’s Senate Investigations into Finance and Tax Abuse, Palgrave Macmillan, Switzerland.
  • Burns, C. (2019). Investment tips: How to assess management before buying shares, Australian Financial Review, 12 February 2019.
  • Fahey, L. (1999). Competitors: outwitting, outmaneuvering, and outperforming, John Wiley and Sons Inc, Canada.
  • Golis, C. (1998). Enterprise and Venture Capital: A business builder’s and investor’s handbook, Allen & Unwin, 3rd Edition, Sydney.
  • Gladstone, D. and Gladstone, L. (2004). Venture Capital Investing: The complete handbook for investing in private businesses for outstanding profits, Financial Times Prentice Hall, New Jersey.
  • Hetherington, C. (2010). Business Background Investigations: Tools and techniques for solution driven due diligence, 2nd Edition, Facts on Demand Press, USA.
  • Investopedia Staff (2020). Factors to consider when evaluating company management, Investopedia, 29 January 2020.
  • Kwek Ping Yong (2013). Due Diligence in China: Beyond the checklists, John Wiley & Sons Pte Ltd, Singapore.
  • Pontefract, D. (2017). If culture comes first, performance will follow, Forbes Magazine, 25 May 2017.
  • Stott, C. (2015). 5 factors to look for when assessing management, FirstLinks Morningstar, 3 December 2015, Australia.

Building a media monitoring capability 101

Author: Paul Curwell

Media Monitoring as part of a wider externally-focused risk intelligence capability

Businesses cannot operate effectively without an external listening capability that helps identify current and emerging issues in the operating environment. Competitors, regulatory change, technological innovation, and important developments involving suppliers and key customers have historically been ‘followed’ by businesses everywhere. However, with the rising importance of reputation risk and regulatory compliance, topics such as economic & trade sanctions, corruption, fraud, privacy & security incidents, business interruptions, modern slavery and environmental issues are also being increasingly watched, especially where suppliers or contractors pose a risk ‘by association’ to the buyer.

Our 24/7 news cycle and the global pace of change means it is no longer viable to read the newspaper once a day or occasionally Google a competitor every few months in your spare time to identify changes in your operating environment – media monitoring today needs to be a core part of your risk intelligence capability, employed on a systematic, continuous basis and integrated into other business processes to add value.

Conceptually, media monitoring seems relatively straightforward, but it follows the iceberg principle, with most of the challenges lying beneath the surface. Many organisations struggle with media monitoring when they need to operate across large volumes of search criteria, countries, languages and mediums. Practically speaking, there are also differences between monitoring traditional print, TV and radio channels and social media: this post focuses on traditional channels, whilst social media will be addressed in a future article. The article outlines the key considerations when designing a media monitoring capability, the challenges, what to focus on, and what to do with what you’ve found.

Selecting sources and monitoring tools

The majority of media monitoring programs are run in an ad-hoc manner, without any real understanding of the sources or content of interest. The sophistication of these programs ranges from performing ad-hoc searches in the internet browser, to using tools such as Google Alerts and data aggregators. Typically, businesses focus on print media to the exclusion of TV and Radio, despite both having interesting and relevant content (take for example, an executive from a competitor being interviewed on the business channel).

The first step in selecting sources involves thinking about what, and who, you want to monitor, and where the content would be published. This ‘where’ is a function of both geography and industry, as some of the richest coverage might be featured on niche industry platforms. Media monitoring typically focuses either on people or entities, both of which involve name-based searches (e.g. ‘Apple’ or ‘Tim Cook’). Where large numbers of search results are returned, it is normal to use boolean operators to write queries which search for the individual or entity’s name in conjunction with other search criteria, such as ‘strategy’ or ‘fraud’. This process can get quite complex, involving potentially dozens of words of interest (or derivatives of them, such as ‘Crim*’ to search for ‘criminal’, ‘crime’, etc in the same search) in addition to the entity name (i.e. “[name]” and “crim*”).

Media Monitoring Challenges

Licensing and Copyright – news information is subject to copyright, and many IP Rights Owners require their content to be licensed. These costs, and any licensing constraints (e.g. forwarding of a complete article is prohibited without an enterprise license) will require some thought around how any capability is designed, as well as impacting budget.

Syndication – increasingly common globally, syndication has the effect of increasing the volume of search results. Platforms such as Factiva have in-built tools to remove duplicates, however manual processes (e.g. Google Alerts) may take additional time to process.

Reliability of free tools – free media monitoring tools use a variety of technologies to identify and index content, which can impact reliability. Unlike platform providers, they typically require closer scrutiny to ensure they are performing as intended.

Press Freedom and ‘Right to Forget’ laws – the reliability and coverage of the mainstream media is increasingly being influenced by attacks, government constraints on journalists, and corruption. In other jurisdictions, ‘Right to Forget’ laws mean the subjects of adverse coverage can have articles such as coverage of convictions or imprisonment deleted, impacting historical search results.
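The name-plus-wildcard query and the syndication problem described above can be seen together in a short added example (not part of the original article or any vendor's tooling). The entity ‘Acme Widgets’, the outlets and the article text are constructed, and the 0.8 similarity threshold is an assumption:

```python
import re

# Constructed sample articles (not real coverage); "Acme Widgets" is a made-up entity.
ARTICLES = [
    {"outlet": "Daily Ledger", "headline": "Acme Widgets director charged",
     "body": "Police allege a criminal scheme at Acme Widgets involving "
             "invoice fraud worth millions."},
    # Syndicated copy: new headline and a wire tag, same body text.
    {"outlet": "Metro Wire", "headline": "Director of Acme Widgets faces charges",
     "body": "Police allege a criminal scheme at Acme Widgets involving "
             "invoice fraud worth millions. - Wire"},
    # Contains the letters 'crim' mid-word only, so it must not match 'crim*'.
    {"outlet": "Trade Weekly", "headline": "Acme Widgets courts discriminating buyers",
     "body": "Acme Widgets says its new range targets discriminating buyers in Asia."},
    # Matches a risk term but not the entity name.
    {"outlet": "Daily Ledger", "headline": "Crime rates fall",
     "body": "Reported crime fell across the city last quarter."},
]


def compile_term(term):
    """'crim*' becomes a word-anchored prefix match; plain terms match whole words."""
    if term.endswith("*"):
        pattern = r"\b" + re.escape(term[:-1]) + r"\w*"
    else:
        pattern = r"\b" + re.escape(term) + r"\b"
    return re.compile(pattern, re.IGNORECASE)


def match_query(text, name, terms):
    """Boolean query: name AND (term1 OR term2 ...). Returns the matched words."""
    if not compile_term(name).search(text):
        return []
    hits = set()
    for term in terms:
        hits.update(m.group(0).lower() for m in compile_term(term).finditer(text))
    return sorted(hits)


def shingles(text, size=3):
    """Overlapping word triples, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + size]) for i in range(max(1, len(words) - size + 1))}


def similarity(a, b):
    """Jaccard similarity of the two texts' shingle sets (0.0 to 1.0)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


def screen(articles, name, terms, threshold=0.8):
    """Apply the query, then fold near-identical (syndicated) bodies into one record."""
    results = []
    for art in articles:
        hits = match_query(art["headline"] + ". " + art["body"], name, terms)
        if not hits:
            continue
        for kept in results:
            if similarity(kept["body"], art["body"]) >= threshold:
                kept["also_published_by"].append(art["outlet"])
                break
        else:
            results.append({"outlet": art["outlet"], "headline": art["headline"],
                            "body": art["body"], "matched_terms": hits,
                            "also_published_by": []})
    return results


if __name__ == "__main__":
    for row in screen(ARTICLES, "Acme Widgets", ["crim*", "fraud*"]):
        print(row["outlet"], row["matched_terms"], row["also_published_by"])
```

Anchoring the wildcard at a word boundary is what stops ‘crim*’ from matching ‘discriminating’; an unanchored substring search would return that article as a hit.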

Where large volumes of search queries are required and where budgets allow, news aggregators such as Factiva and ProQuest, as well as other specialised industry journals, represent an excellent option provided they have coverage of the content you are seeking. Once you have identified your sources, you should check to see where their content is published as some publications are not covered by aggregators or news syndication services.

As with print media, television and radio content is also searchable via specialised aggregators. Typically these providers will index the content (i.e. note keywords and other search terms), to enable a word-based search to be performed via their portals. Once results are returned, they can then be screened for relevant content. Two examples of television indexes include BBC Monitoring and InformIT TV News.

Case Management: Reviewing, storing and evaluating matches

Media articles or other search results are typically recorded in some sort of ‘case management system’, which can be anything from a register kept in Microsoft Excel to a database or workflow system such as ServiceNow. There are a few steps in this stage of the process, including:

  • Reviewing each returned search result to determine whether it meets your criteria for retention (i.e. is it relevant, timely and actionable in relation to the question you are seeking to answer and is this new information, or is it a duplicate?)
  • Documenting selected fields / information from the article in your case management system – such as names or addresses of parties mentioned
  • Copying details of names, addresses, relationships, events or other reporting which could affect your relationships with key customers, suppliers or employees into a separate database (this is particularly important for fraud prevention and legal disputes)

This raises the question of who is performing the media monitoring, and how well they understand the intended recipients (i.e. their readers or internal ‘customers’). All too often media monitoring is performed by a central team, with consumers in the business being forwarded copies of news articles they have already read or receiving lots of emails that go unopened. Whether the function is performed centrally or by business line, the most important thing is that information is converted to intelligence so it is actually useful.

Whilst media monitoring can be started with the best of intentions, it quickly becomes a waste of time and effort if the generated content is not relevant and actionable to the recipient (i.e. can they actually do something useful with it) and timely (telling them an event has occurred 3 months after they’ve known about it is useless), if the content is not properly curated and searchable as volumes increase, and if the team performing the role becomes seen as a sender of spam.

Actioning what you’ve found

Once you have identified what’s important, the next step is to do something with it. By this stage of your process, you should be left with a number of articles that contain content of interest. In my experience, this is the stage where many media monitoring processes begin to fall apart.

Case Study:

A large bank had implemented a robust media monitoring process to track strategic developments involving competitors and the market. They were actively monitoring multiple channels, saving articles of interest to PDF from print media sources, and uploading them to a Document Library on their intranet (SharePoint). Over time they had thousands of articles containing rich information but it was never extracted and developed into intelligence. To make use of their collection, they had to individually review each search result rather than being able to see what all search results meant in the wider context. In time, it became quicker for users to simply use Google and the whole effort became a complete waste of time.

Media monitoring is only the first capability building block in an external listening process. If your process relies upon emails or file libraries in a shared folder or on SharePoint, once you hit a certain number of files you will start to encounter data challenges that affect your ability to extract any real value from your media monitoring. To avoid this situation, I recommend you add two steps to the end of your media monitoring process:

Dealing with information about people, events, places and things

Articles with content such as names, incidents, relationships, events and places need to have this information extracted into a structured format (ideally a database but CSV format will also suffice), with the original article attached. Whilst you can use document tags instead of structured content, it is not as effective (1) because you will still need to extract the data into a structured format to properly analyse it, and (2) over time libraries of tags will become unmanageable and you may encounter system limitations. To keep pace with volumes, I find this information most efficiently captured as the article is reviewed, rather than letting everything pile up.

These sorts of articles typically relate to issues such as a key customer or supplier’s financial solvency, highlight relationships between employees and a supplier or customer (i.e. conflicts of interest or fraud risks), and legal disputes which might disrupt the supply chain. Consequently, the typical audience for this information will be finance / procurement, legal, audit, risk and compliance.

Articles of a strategic nature

In contrast to information about people, places and things, information of a strategic nature (e.g. articles on regulatory change, interviews given by a competitor on their new product) should be compiled into a separate document or ‘wiki’. Environmental Scanning is a common technique used in the strategic analysis and intelligence communities and is ideal for compiling and analysing this type of content, and will be covered in a future post.

The key difference between strategic information and that of people, places and things is the way it is used – it is mainly employed by strategy teams, product managers, or in other planning activities rather than more operational tasks, hence it needs to be reviewed less frequently. Strategic information is typically reviewed in the context of other strategic information or when making specific decisions.

Optimising your capability

The last step in developing any capability is to periodically evaluate its performance. For a media monitoring capability, this means running separate searches to ensure you haven’t missed anything with current search criteria (have you had consumers in the business ask about something you didn’t pick up?), ensuring that sources are reliable and credible and that search parameters are current, and that your downstream processes in terms of storing, evaluating and reporting remain valid.

Further reading
