Designing your workforce screening program

Posted on April 1, 2023 by Paul Curwell, CPP, CFE, CISSP

Author: Paul Curwell

Executive Summary

Workforce Screening is an important function for any business today, however it cannot be developed on the fly and needs to properly balance the organisations’ risk and regulatory obligations against an employee’s right to privacy and the cost and operational burden created by the screening program itself. Workforce Screening should form part of a well-governed, risk-based program managed by HR and Security / Integrity comprising a range of policies, a personnel security risk assessment, and associated guidance to enable effective implementation. This article provides an overview of the key considerations when designing any workforce screening progam in Australia.

What is Workforce Screening?

The practice of Workforce Screening goes by many names – vetting, background checks – all of which are the same thing. In Australia, the term Employment Screening has been used since at least 2006 with the introduction of Australian Standard AS4811:2006. However, this standard was recently updated and republished as AS4811:2022 Workforce Screening.

A Workforce Screening Program comprises the specific checks performed on each employee or contractor to determine initial and ongoing suitability for employment and the associated processes and records to manage those checks. In many organisations there are a few key artefacts which comprise any Workforce Screening Program:

Employment Policies
Corporate Security and Integrity frameworks and associated programs
Workforce Screening Guideline

The Workforce Screening Guideline (or Standard) details what identity verification, security and character checks are required for employees, contractors, or consultants as a condition of employment and under what circumstances these checks will be performed, such as the risk posed by an employees’ role. The relationship between these documents, and how they are created is outlined below:

Graphic illustrating the various inputs to the Workforce Screening Program and the supporting Guideline and SOPs.

In our book Terrorist Diversion, Oliver May and I provide a detailed process map and overview of all forms of vetting, including insiders and suppliers.

When should workforce screening be performed?

Typically, workforce screening is performed periodically with four triggers:

During recruitment – ideally prior to the letter of offer being issued; and,
Periodically throughout employment; and,
In response to an incident; and,
Upon resignation – particularly important for employees involved in creating Intellectual Property or where potential Conflicts of Interest may arise post-separation.

Workforce Screening is different to Insider Threat Detection. Whilst there is a relationship between the two functions, screening is holistically focused on who the individual is (taking into account the ‘whole person’) whilst insider threat detection is focused on what the individual does once they enter the organisation. One is not a substitute for the other: they are different controls.

Screening is a legal requirement for some industries

Workforce Screening is a mandatory obligation in Australia for many regulated industries under a variety of legislation, including:

Financial Services – Anti-Money Laundering and Counter Terrorist Financing Act 2006 and Rules
Aviation – Aviation Transport Security Act 2004 and Regulations
Ports, Maritime and Offshore Oil and Gas Platforms – Maritime Transport and Offshore Facilities Act 2003 and Regulations
Commonwealth Public Service – Public Service Act 1999, Subsection 22(6) Security and Character Checks
Australia’a 11 declared Critical Infrastructure sectors – Security of Critical Infrastructure Act 2018 and Rules

Having the right team is critical to success in the workplace — Photo by fauxels on Pexels.com

What checks are typically performed in workforce screening?

There is a standard menu of checks which are performed across public and private sectors in Australia, including:

Identity verification
Citizenship and / or work rights
Credit rating and bankruptcy status
Education and occupational licences / trade certificates
Criminal history (National Police Check)
Sanctions and Adverse Media
Psychometric testing (in accordance with applicable employment policies)
Litigation history
Regulatory Actions pertaining to their profession
Internal employer database and record checks (for ongoing employees)
Candidate interview
Referee interviews

More intrusive checks permissible in Australia under certain circumstances include:

National Security Assessment – such as those required under the SOCI Act for ‘critical workers’ and here for an explanation of SOCI
Drug and alcohol testing
Health screening and medical examinations

Not everyone will pass workforce screening, potentially including ongoing employees. There are a number of considerations associated with any workforce screening adjudication process which will be addressed in a future article.

What’s the relationship between the PSRA and High Risk Roles in Workforce Screening?

Selecting which specific background checks to perform in your employment process should not be determined by way of a ‘lucky dip’. Many organisations require a ‘background check’ as a condition of employment, but fail to articulate why each check is necessary – such as where credit scores are used as a proxy for character tests.

Rather than ad hoc approaches, organisations need traceability from a regulatory obligation, personnel security risk, policy or similar instrument which establishes the risk and outlines how performing the respective background check will mitigate this risk. To provide this traceabiilty, the Register of High Risk Roles informs the Personnel Security Risk Assessment (PSRA), and the PSRA informs the design and implementation of the Workforce Screening Program as well as the Insider Risk Management Program.

The Register of High Risk Roles identifies:

Which positions pose a greater trusted insider risk due to a variety of factors, and therefore,
Which position numbers are most likely to require additional vetting and insider risk monitoring to mitigate inherent risks.

The PSRA identifies:

Suitable internal controls to manage the organisation’s inherent risk exposure (including that arising from High Risk Roles) to within risk appetite.
The specific trusted insider risks faced by an organisation and where these may arise by team, function, business line etc; and,

Cost and privacy are two important factors that also need to be considered: As with any security decision, there are tradeoffs. Workforce Screening is intrusive, expensive and has an operational impact, often delaying the commencement of new hires as well as reducing the total pool of candidates. The need for screening should be balanced against the PSRA to guide employers on what to check when, and why.

a mobile phone near the documents and laptop on the table — Photo by Leeloo Thefirst on Pexels.com

Searching court records in Australia

Posted on January 21, 2023 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

A subject’s legal history says a lot about their integrity and suitability

Performing any sort of counterparty due diligence requires an understanding of the “whole person” (this applies to both individuals and legal entities). In financial sector or service delivery organisations, this is referred to as a “single view of customer” and is used to manage fraud risk, credit risk and regulatory compliance.

A subject’s legal history is an important element of the ‘whole person’; without it, managers may make decisions based on incomplete or inaccurate information only to regret it later. Performing legal checks requires an understanding of Australia’s courts to develop an informed search strategy.

grey concrete court-like building — Photo by Brett Sayles on Pexels.com

Australia’s court structure

In Australia, legal matters can be brought under State / Territory or Commonwealth law, as well as other mechanisms (such as professional standards schemes which are expected to regulate their members). Some dispute mechanisms are industry based.

State or Territory courts:

Local Court, County Court, Magistrates Court – hears most criminal and summary prosecutions and minor civil matters (e.g. <100,000). 95% of criminal cases commence at this level.
District Court (excluding TAS, NT and the ACT) – hears appeals from Local Court, serious criminal cases (excluding murder, treason), civil matters typically <$750,000.
Supreme Court – hears serious civil cases >$750,000 and serious criminal cases (including murder, treason and piracy).

Commonwealth (federal) courts:

Federal Court – has jurisdiction over 120 plus federal Acts of Parliament.
Family Court – jurisdiction over all divorces and maintainence over children and spouses.
High Court – primary role is to interpret and enforce the Constitution, amongst functions.

The State Library of NSW provides a useful overview of Australia’s courts and tribunals.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

Where to search court records

Most Australian jurisdictions have consolidated their legal records, making the task of searching for a record relatively easy once you know what you are looking for:

Jurisdiction	Civil or Criminal	Source	Comments
NSW	Both	CaseLaw	Generally within 24 hours
ACT	Both	Judgements	–
QLD	Both	CaseLaw	Generally within 24 hours
VIC	Both	Multiple Websites	Varies
SA	Both	Judgements	–
TAS	Both	Decisions	Published on AustLII*
WA	Both	Decisions	–
NT	Both	Multiple Websites	–
Federal Court Family Court Federal Circuit	Both	Federal Law Search	–
Federal Court	Both	Judgements	Released within 24 hours

@ForewarnedBlog (2022). Research.

* The Australian Legal Information Institute (AustLII) is jointly operated by the UTS and UNSW law faculties and aims to pubish public legal information, including primary and secondary legal materials. AustLII is not a primary source.

NSW Caselaw advanced search interface — NSW CaseLaw – advanced search interface

Criminal Records are considered ‘sensitive information’ under the Privacy Act

Note that searching court records is different to a National Police Check (‘criminal history check’). Under the Privacy Act 1988 (Cth), an individual’s criminal record is considered a category of sensitive information.

A National Police Check is the appropriate mechanism to understand whether an individual has a criminal record (such as for workforce screening purposes or before contracting with the management team of a prospective business partner). The National Police Check process considers important factors such as Spent Convictions.

Importantly, performing a National Police Check in Australia requires the individual’s informed consent.

How do you search court records?

Public Record checks are typically performed at the early stages of any due diligence or vetting process, once you have a clear understanding of the scope and parties involved. A typical process for searching court records is as follows:

1. Identify the full legal name of all entities and individuals, including close associates and related parties.

2. Determine which databases to query and over what timeframe. The scope and your professional judgement will set the timeframe, whilst jurisdiction is dependent on what you know (or need to know) about the subject. In some cases, a negative search result (i.e. no results returned for a party name) may be all need to know. If you have no idea where they have lived or operated, search every database (you may also need to search overseas).

3. Perform the search(es) and review the results. On the first pass, I use a spreadsheet to manage my searches and put all results in one of three categories: no match, possible match, match. Matches mean there is a record involving your subject (i.e. not another party with the same name). Possible match means you need to spend more time working out whether it’s your subject or not.

4. Assess the implications of your results

Vetting or due diligence is not simply about database checks – anyone can do this. Done properly, background investigations involve identifying potential risks based on what is and is not present (but should be), before determining the implications and what to do about them.

This is where diligence becomes an art. There is nothing in a database to tell you what is missing – this comes down to professional experience, judgement and skill.
Paul Curwell (2022). REfer Chapter 8 in ‘Terrorist Diversion’

5. Identify any other leads which need to be followed up.

6. Update your working papers or case notes, including what you did, when, where and the outcome. Databases and the internet change all the time, so a record that was there five minutes ago may be different when the same search is re-performed.

person working on black laptop — Photo by EVG Kowalievska on Pexels.com

Primary versus Secondary Sources

Wherever possible, primary (original) sources should be used. Secondary source vendors are often more expensive, yet serve two main purposes:

For companies that are willing to accept the risk of a record being inaccurate, incomplete, missing or out of date, secondary sources may offer an efficient alternative which enables multiple types of searches to be performed from a single location (e.g. court records, credit ratings, company ownership, land titles) as well as the ability to automating record search and retrieval to your case management system via API.

For investigators, secondary sources provide a handy way of quickly identifying potential relationships, transactions or other records which can the be verified via the primary source. Some vendors offer the ability to search all fields in a record, unlike the limited search functionality often offered by primary vendors.

When it comes to secondary, sources, Caveat Emptor: (1) they are not a primary source (hence they could be incomplete or out of date), and (2) they are often a ‘black box’ in terms of search parameters, so you may not actually know what is or is not being searched (some vendors have a nasty habit of changing search functionality without informing their customers, so what worked when you undertook your diligence one week may be completely different the next).

Court Lists

Court lists are published online in most Australian jurisdictions to inform parties to a case when and where they need to be. Often, court lists are published temporarily and subsequently removed. They are not an authoritative source.

How can Insider Threats manifest in the Supply Chain?

Posted on August 6, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

Executive Summary

Insider Threat Management is difficult at the best of times, let alone cascading this implementation into the supply chain. The starting point for managing this risk is to understand how and where insider risks may arise in the supply chain, as well as assessing the likely business impact. Only then can these risks start to be managed effectively. The second consideration is contracting with suppliers to set expectations and form contractual obligations on expected practices: Some organisations rely solely on contractual obligations to manage their insider risks, an approach which is fraught with danger. This article explores these risks in more detail and outlines common pitfalls encountered when developing Insider Threat Management clauses in contract schedules.

Employees and contractors of your suppliers have access to your most sensitive information — Photo by Format on Pexels.com

How can insider threats affecting a principal materialise in the supply chain?

In this post, I use the term ‘principal’ to reference the party engaging a third party (e.g. a supplier). Insider threats can be malicious, complacent or ignorant, and there are two ways trusted insiders in the supply chain may impact a principal:

Principal is targeted directly by the insider – examples include supply chain attacks (ICT), issue motivated activism (e.g. anti-fossil fuels), or the introduction of SSFFC (Substandard, Spurious, Falsely Labelled, Falsified and Counterfeit) and / or non-conforming parts or components into the principal’s supply chain.
Principal is not directly targeted but is impacted by the consequences of the event – examples might include a workplace violence incident which causes a downstream business interruption that affects quality, availability or some other service level.

Under Australia’s new Security of Critical Infrastructure Act and Rules (2022) (referred to as SOCI), critical infrastructure operators are required to more actively manage insider threats and supply chain hazards. The relevant Rules have been reproduced below:

Personnel Hazards: minimise or eliminate material risks that negligent employees and malicious insiders may cause to the functioning of the asset (paragraph (c))
Supply Chain Hazards: minimise or eliminate the material risk of, or mitigate, the relevant impact of: misuse of privileged access to the asset by any provider in the supply chain (paragraph (b))

To comply with these obligations, organisations need to understand the intersection of insider threats and supply chain threats and how they might manifest in practice.

What insider risks can manifest in a direct impact on the principal?

We buy products or services from our suppliers, and we may also use other third party relationships such as alliances or consortiums to facilitate business in some way. This means that insider risks can impact people, assets, information as well as products, services and quality. Examples of insider risks in the supply chain are outlined below:

Risk	Description	Controls
Unauthorised use or disclosure of information	May involve the following categories of information: a) Intellectual Property & Trade Secrets b) Commercially sensitive information c) Personally Identifiable Information	Information Protection Programs Supervised Destruction at contract termination
Unauthorised use or copying of molds, proprietary materials, manufacturing equipment, tools or techniques	Where a supplier uses tools and equipment provided for a permitted purpose without authorisation (relevant to Contract Manufacturers and Contract Resesarch Organisations)	Supplier Assurance / Audits Equipment Disposition Market Surveillance Programs Supervised Destruction Contract clauses specifying ownership of IP
Supplier reputation (entity)	Adverse media / reputation Management track record Finances & Credit Ratings Watchlist & Sanctions checks Ultimate Beneficial Ownership & Control LItigation history & enforcement action Other checks as appropriate	Supplier Integrity Program Supplier Due Diligence Supplier Assurance / Audits
Supplier’s employees	Potential for infiltration by hostile actors (e.g. organised crime, nation state actors) of the supplier. Hiring of unsuitable employees, contractors by a supplier.	Workforce Screening Program (background checks) Supplier Integrity Program Insider Threat Management Program
Sabotage	Physical Sabotage ICT System Sabotage Data Sabotage Supply Chain Attacks Product Tampering	Physical Security Program Personnel Security / Insider Threat Program Supply Chain Integrity & Security Program IT Disaster Recovery
Introduction of SSFFC & Non-Conforming Parts	Failure of, or damage to, critical assets whilst in service due to malicious insertion or latent vulnerabilities in parts, components or software. Unidentified cybersecurity vulnerabilities in products or systems (e.g. network back-doors). Failure of products or components whilst operating withinin specifications. Substitution of authentic (conforming) for inauthentic (non-conforming) parts or components.	Supply Chain Integrity & Security Program Quality Assurance Program
Intentional Interference & Contract Frustration	Supplier / service provider under-delivers or incorrectly delivers intentionally for some reason (including through economic coercion or hostile control by other nation states)	Supplier Due Diligence Threat and Risk Assessments Contracting Supplier Assurance / Audits

Designing and enforcing Insider Threat clauses in contracts can be challenging

In my experience working on both supply chain security and insider threat engagements, it is common to see organisations placing a high degree of reliance on the provisions in a contract to manage these risks. Quite often these courses of action are driven by legal or procurement policy decisions in organisations which don’t fully appreciate their threat and risk environment.

Relying on contractual provisions to manage insider threats (or any other supply chain threat) means your organisation is reactive or response-driven: when you need to enact the provisions general incident or loss has already materialised, and sometimes the legal remedy may not be obtained until years after the event, during which time considerable management time, expense and effort has been expended.

Legal mechanisms are only one way to manage trusted insider risks

In addition to the above, I regularly encounter a range of challenges with these contract clauses, including:

Sometimes contracts are silent on Insider Threat Management, or the clauses that do exist cannot be readily or easily enforced.
Supplier contracts often last for multiple years, and renewals may be simple extensions without using the latest templates. This can mean a patchwork of standards and obligations exist throughout the supplier base, some of which may not align to the organisations current standards and practices.
Principal’s don’t specify their expectations of a suppliers Insider Threat Management program, which could be mitigated by providing standards and frameworks for suppliers to follow and referencing these in contract schedules.
Sometimes the relevant clauses are in a contract but they are never audited or enforced to confirm the supply plied is actually adhering to what they agreed to. Also, suppliers may have been compliant at a point in time, but then ceased to comply due to cost pressures or management decisions.
When dealing with the situation where there is only one or a small number of suitable suppliers globally, negotiating power is an issue. The principal may have the best intentions and a good framework to follow, but the supplier is not interested in agreeing to these clauses and refuses to sign the contract, knowing the principal will likely have to back down.
In some cases, it may not be possible for a supplier to agree to the principal’s requirements due to the nature of legal, industrial relations, employee engagement, or culturally-acceptable practices in the suppliers jurisdiction. Workforce surveillance practices such as Used Activity Monitoring is a good example here.

As you can see, there is a lot to consider when making policy decisions on Insider Threat Management practices generally, let alone when suppliers are thrown into the mix. Effective management requires a clear understanding of the threats and risks affecting the principal and how they may impact critical assets. Only then can a risk-based management strategy be developed tailored to the principals needs and risk profile. There is often little room for a ‘one size fits all’ strategy in this scenario.

Third parties defined – what are they exactly, and how should these risks be managed?

Posted on June 25, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

Defining third parties

I frequently use the term ‘third party’ throughout my blog and in the course of my day to day consulting work. Most often, when we talk about third parties we are referring to suppliers, vendors or service providers, but there is a whole ecosystem of third parties present in business today – particularly applicable to those businesses that operate overseas.

As you can see from the table below, third parties also encompass contractors (often we forget about this category and may even consider them like employees, especially when evaluating insider threats, but this oversight can create downstream problems from a fraud, integrity and security perspective if not managed properly):

Third Party	Definition
Joint Venture Partner	An individual or organisation which has entered into a business agreement with another individual or organisation (and possibly other parties) to establish a new business entity and to manage its assets.
Consortium Partner	An individual or organisation which is pooling its resources with another organisation (and possibly other parties) for achieving a common goal. In a consortium, each participant retains its separate legal status.
Agent	An individual or organisation authorised to act for or on behalf of, or to otherwise represent, another organisation in furtherance of its business interests. Agents may be categorised into the following two types: – Sales agents (i.e. those needed to win a contract) – Process agents (e.g. visa permits agents).
Adviser	An individual or organisation providing service and advice by representing an organisation towards another person, business and/or government official. Examples include legal, tax, financial adviser, consultants and lobbyists.
Contractor	A non-controlled individual or organisation that provides goods or services to an organisation under a contract.
Sub-Contractor	An individual or organisation that is hired by a contractor to perform a specific task as part of the overall project.
Supplier / Vendor	An individual or organisation that supplies parts or services to another organisation.
Service Provider	An individual or organisation that provides another organisation with functional support (e.g. communications, logistics, storage, processing services).
Distributor	An individual or organisation that buys products from another organisation, warehouses them and resells them to retailers or directly to end-users.
Customer	The recipient of a product, service or idea purchased from an organisation. Customers are generally categorised into two types: – Intermediate customer: A dealer that purchases goods for resale. – Utimate customer: One who does not in turn resell the goods purchased but is the end user.

World Economic Forum (2013) Conducting Third Party Due Diligence Guidelines

Distributors can be particularly challenging for product-based supply chains, especially if distributors have poor processes and controls in place to manage processes like large discounts to end users, poor end user verification, and poor inventory management controls (both stock on hand, obsolete or discontinued stock marked for discount, and stock marked for write-off). These distributors can be vulnerable to product diversion schemes.

How are companies responsible for the actions of their third parties?

It’s all to easy to forget that under legal ‘Principal-Agent theory’, the company contracting the third party (principal) is generally responsible for actions taken on its behalf by that third party (‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their third party arrangements.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

Third party risk is an area receiving increased attention from company executives and regulators world-wide, particularly in a the following risk categories:

Reputation risks (including political donations)
Modern slavery risks
Bribery and corruption risks
Sanctions risks
Fraud & integrity risks (both vendor fraud and against the end user)
Security risks (including insider threats and product diversion schemes)

Increasingly, Environmental Social Governance (ESG) or sustainability considerations are also playing a role in third party and supply chain decisions based on preferences and / or pressure from shareholders, employees and customers.

All companies – large and small – are responsible for the actions of their third parties, and may find themselves the subject of reputation and brand damage as well as litigation, financial losses, and regulatory enforcement action if these risks are improperly managed. Additionally, small and medium sized companies are not immune to regulatory enforcement action simply because of their size.

What should companies do to manage their third party risks?

There are a number of actions that can and should be taken to mitigate third party risks such as those listed above. Whilst no program is ever able to completely mitigate the risk of something happening either now or at any point in the future, implementing steps to try to manage these risks does go a long way.

For offences involving bribery and corruption and breach of international sanctions regulations, regulators such as the United States Department of Justice (Foreign Corrupt Practices Act) and United States Treasury Office of Foreign Assets Control (sanctions regulations) provide pathways for principals to mitigate penalties for misconduct and illegality arising from the conduct of their third parties, but only where the principal has an appropriate compliance program in place to manage these risks.

Any program to properly manage third party risks must follow the third party lifecycle, which may include some or all of the following management actions:

Lifecycle Stage	Illustrative Management Actions
Third Party program setup and governance	1. Setting the ‘tone from the top’ 2. Develop the Compliance Obligations Register 3. Determine risk appetite 4. Develop policies and frameworks 5. Undertake risk assessments 6. Develop a risk management plan, including risk treatment strategies 7. Training and awareness programs 8. Develop due diligence frameworks and programs 9. Develop ongoing monitoring and evaluation frameworks
Third Party Selection	1. Document the principal’s specific requirements 2. Perform due diligence 3. Identify the third party’s material risks, process or capability gaps 4. Identify potential treatments for these gaps
Third Party Onboarding	1. Develop risk-based contract schedules which are practical, auditable and enforceable by the principal 2. Agree contracting and legal agreements 3. Agree third party audit or contract compliance arrangements
Third Party Operations	1. Perform Quality Assurance 2. Manage the third party relationship 3. Provide regular oversight and direction 4. Undertake periodic audits or contractual compliance reviews 5. Periodically review and update Compliance Obligation Registers and Risk Assessments 6. Undertake periodic due diligence throughout the term of the contract with review frequency based on the assessed risk
Third Party Offboarding	1. Execute termination protocols as agreed in the contract 2. Collect all principal documentation, Intellectual Property, equipment and other assets 3. Supervise the destruction of data, assets (e.g. molds, prototypes) or equipment where not easily transferred 4. Periodically review the footprint of the third party’s operations for a period after termination to ensure all IP has been returned and monitor for competitor relationships

Paul Curwell (2022) – illustrative actions to manage third party risks

All businesses today need third party relationships, and whilst they do present risks they also present tremendous opportunity. Further, most businesses today would not be able to thrive without access to their third party ecosystem. Whilst there are risks inherent with third parties, these can be managed effectively and appropriately via a risk-based approach that both considers the context and materiality of the risk and implements practical, effective treatments that work for both the principal and the third party. After all, any party can walk away if contracting becomes too onerous, which may not be a good outcome for either party. Treading this fine line is one of balance and mutual agreement.

Critical Minerals – what’s the problem here?

Posted on May 28, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What are critical minerals anyway?

Critical minerals are defined by Geoscience Australia as “metals and non-metals that are considered vital for the economic well-being of the world’s major and emerging economies, yet whose supply may be at risk due to geological scarcity, geopolitical issues, trade policy or other factors” (2022). One category of critical minerals, ‘rare earth elements’ (listed below) are particularly important:

(Ga) Gallium
(In) Indium
(W ) Tungsten
Platinum-group elements (PGE) including
- (Pt) Platinum (Pt)
- (Pd) Palladium
(Co) Cobalt
(Nb) Niobium
(Mg) Magnesium

(Mo) Molybdenum
(Sb) Antimony
(Li) Lithium
(V) Vanadium
(Ni) Nickel
(Ta) Tantalum
(Te) Tellurium
(Cr) Chromium
(Mn) Manganese

The problem with critical minerals is their availabiilty: they are not distributed evenly throughout the world, and in some cases it is not economical to extract them using current technology. This is particularly the case with rare earths, where according to InvestingNews, the top 10 countries for rare earth production are:

1 China	6 India
2 United States	7 Russia
3 Myanmar	8 Thailand
4 Australia	9 Vietnam
5 Madagascar	10 Brazil

InvestingNews (2021)

Readers will note that some of the countries are subject to greater geopolitical risks than others – ranging from emerging to developed economies and sanctioned to non-sanctioned jurisdictions. One of Australia’s strengths is our proliferation of critical minerals and our geopolitical and economic stability. As shown in the following figure, Australia has critical mineral deposits distributed across the country:

Critical Minerals Supply Chain in the United States: Mapping the Landscape for Australian Suppliers (AUSTRADE, 2019)

As demands for the world’s critical minerals increase and supplies dwindle, rich countries will increasingly seek alternative sources. Deposits that were previously uneconomic to extract may become economical, whilst other countries may resort to war or coercion to achieve or maintain geostrategic advantage. Geoscience Australia has ranked Australia’s resource potential for critical minerals and their associated criticality (or scarcity):

Geoscience Australia (2022). Critical Minerals.

Understanding the criticality of raw materials is particularly important when assssing your supply chain threats and risks, as is understanding the geopolitical risks associated with the Critical Minerals value chain (refer figure below).

Geoscience Australia (2022) notes that some “category one and category two metals and semi-metals are primarily by-products of refining of the major commodities such as zinc, copper, lead, gold, aluminium and nickel”. Australia has abundant stockpiles for many of these commodities, however they are not always cost effective to extract. In the future, advances in processing techniques might mean these can be extracted in a highly targeted way at a cost that makes economic and environmental sense.

What industries use critical minerals?

Critical minerals underpin the world’s 4th Industrial Revolution as well as the high tech gadgets as well as enabling a green low-carbon, digitised economy. Without access to critical minerals, we would not be able to have our computers, phones, wind turbines, electric vehicles or solar panels that are decoming de rigueur in Australia and worldwide. Here are some lesser known examples and their applications:

Critical Mineral	Usage (examples, not exhaustive)
Yttrium	Ceramics (abrasives, jet engine coatings, oxygen sensors in cars, and corrosion resistant cutting tools) Electronics (microwave radar, dental and surgical procedures, digital communications, industrial cutting and welding, photochemistry, distance and temperature sensing) Metallurgy (superalloys, high-temperature superconductors)
Tantalum	Production of tantalum alloys, capacitors, compounds and metal Major end uses for tantalum capacitors include automotive electronics, mobile phones and personal computers Tantalum oxide is used in glass lenses and tantalum carbide is used in cutting tools
Germanium	Fibre optics, infrared optics, electronics and solar applications including solar cells for satellites

Critical Minerals Supply Chain in the United States: Mapping the Landscape for Australian Suppliers (AUSTRADE, 2019)

As you can see, the applications for critical minerals are diverse – without them, much the advanced civilisation we live in today would cease to function.

What are the security and supply chain risks for Australian companies?

Two principal security and supply chain risks associated with critical minerals are worth highlighting, both of which have a geostrategic flavour – (1) foreign ownership, control and influence, and (2) sanctions and trade embargo risks, as illustrated below:

Paul Curwell (2022) – adapted from AUSTRADE *Critical Minerals Supply Chain in the United States* (2019)

The Foreign Ownership, Control and Influence (FOCI) risks we have seen globally tend to materialise in two scenarios, outlined in the following table:

FOCI Risk	Risk Description / Scenario
Mining rights (licences) are held by a single company which controls a substantial percentage of production	This scenario is particularly applicable to Rare Earth Elements which are only found in a few locations around the world, hence global supply is very low in comparison to demand. In this case, a single company could conceivably control a substantial percentage of the production for a given rare earth element globally.
Ownership of multiple mines is held by shareholders of the same nationality (i.e. a concentration risk)	This effectively gives the parent country ‘control-by-proxy’ of critical minerals production, meaning the minerals can be exported under the guise of legitimate trading contracts to the parent country for stockpiling and / or use in manufacturing. Once extracted and shipped, there is no easy way of getting the minerals back, and the country which holds all the stockpiles effectively controls both market pricing as well its permitted end use (for example, military end-use export controls might be applied, effectively giving the controlling country a military advantage).

The second type of risk is sanctions and embargos risk. Historically, when we think of sanctions, trade embargos or even naval blockades it is typically on countries such as North Korea and Iran for their actions against the global community and internationally acceptable norms and behaviours.

As a source country for critical minerals, there is always the possibility that Australian companies or Australian exports could be sanctioned. However, two factors act in our favour to mitigate this risk with critical minerals:

First is global availability, being that critical minerals are either only located in specific geographic regions or can only be extracted in a way that makes economic sense from a small number of locations.
Second is the global balance of power. Whilst geostrategic power is shifting away from the United States, we are not yet at the point where other geostrategic players have sufficient power or leverage to impose meaningful sanctions or export restrictions at a large scale (note this does not mean that targeted, and even non-conventional forms of sanctions would not be possible or effective).

Another commonly used sanctions and embargo tool is the naval blockade would be very oenerous to enforce in a country such as Australia, which is so large and surrounded by navigable waters.

What can we do about it?

Like an increasing number of countries around the world, Australia has implemented foreign ownership and foreign investment restrictions to prevent the scenario arising whereby our mining companies or mining licences are owned by foreign investors either at issue or throughout their period of validity, without appropriate review. Additionally, we have introduced a range of foreign intereference laws to criminalise and help prevent actions by foreign governments and their proxies (including legal entities) from interfering in Australia’s sovereignty.

As with saw with trade restrictions on Australian exports, the management of sanctions, embargos and the like are much harder to mitigate. This is particularly the case where Australia sends extracted ore to a third country for processing and refining, which may then be purchased for re-import back to Australia. In this scenario, Australian manufacturers or businesses are immediately exposed to potential sanctions risks. One way to mitigate this is to conduct mineral processing and refining here in Australia, allowing Australia to export refine material as well as to use it directly in Australian manufacturing.

If there is one positive thing that can be said for the COVID-19 pandemic (aside from introducing more flexible working practices), it is that the supply chain disruptions have really refinforced the need for Australia to expand our domestic manufacturing capability and the need to be less reliant on other countries for our critical supplies and services in the Australian psyche. Understanding where security, geopolitical (country) and resilience risks lie in your supply chain, and implementing appropriate risk treatments, is critical for every Australian business.

Ukraine and looming Russian sanctions – implications for supply chains

Posted on February 20, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

Historically, awareness of sanctions has been mixed in Australia and typically strongest in financial services and commodities. This article examines what sanctions are, who issues them, the core components of a Sanctions Compliance Program, and what the introduction of sanctions on Russia as a result of any future invation of Ukraine might mean for Australian supply chains.

Moscow, one part of Russia which will feel the pinch of international sanctions. — Photo by u0414u043cu0438u0442u0440u0438u0439 u0422u0440u0435u043fu043eu043bu on Pexels.com

What are sanctions?

According to HM Treasury, “sanctions are restrictions put in place to achieve a specific foreign policy or national security objective. They can (a) limit the provision of certain financial services, or (b) restrict access to financial markets, funds and economic resources”.

Each jurisdiction uses its own terminology for sanctions, but the United Kingdom categorises sanctions into three simple categories:

Targeted asset freezes – for individuals and entities
Restrictions on financial markets and services – for individuals, entities, specified groups or entire sectors including:
- Investment bans
- Restrictions on access to capital markets
- Directions to cease banking relationships and activities
- Requirements to notify or seek authorisation prior to certain payments being made or received
- Restrictions on the provision of financial, insurance, brokering or advisory services or other financial activities
Directions to cease all business – specifying the type of business and applicable to a specific person, group, sector or country

As you can see, sanctions and their impact can by quite broad and far reaching. One particular challenge with sanctions lies in identifying parties who are indirectly sanctioned. This requires more sophisticated due diligence and compliance oversight to manage properly.

Who promulgates sanctions?

The UN Security Council (UNSC) has the power to levy economic and trade sanctions however this requires consensus from the five permanent members of the UNSC, which is rare.

In addition to the UNSC, individual countries have also recognised the strategic power of sanctions, resulting in country specific legislation that impacts companies and individuals resident of, or operating in their jurisdiction that has been enacted since the use of blockades during World War One (Mulder, 2022).

Some national sanctions regimes are politically motivated, such as where foreign dissidents, human rights defenders, or the political opposition are targeted, but this sort of behaviour is typically restricted to non-democratic countries. Globally, major sanctions bodies align with the worlds main financial centres, including:

United Nations Security Council – with sanctions enforced by each member state
US Treasury Office of Foreign Assets Control (OFAC)
HM Treasury Office of Financial Sanctions Implementation (OFSI)
European Commission Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA)

Of these, OFAC is undoubtedly the strongest in terms or reach, influence and enforcement. This is because of the United States’ position as the global financial centre, with most companies having a presence or nexus to that market (including through their bank transactions). OFAC is also an active regulator, levying substantial fines and penalties on companies worldwide. This means that OFAC can be used as the benchmark for any sanctions compliance program – if you satisfy OFAC, you will probably satisfy all other regulators as well.

As it’s global power and influence grows, the People’s Republic of China is increasingly becoming a player in relation to sanctions as highlighted in the Atlantic Council’s Global Sanctions Dashboard. China’s rise and influence in relation to sanctions will be increasingly important.

What should a sanctions compliance program comprise?

In 2019, the U.S. Treasury published its 12-page guidance on designing and implanting a Sanctions Compliance Program in a document entitled “A Framework for OFAC Compliance Commitments”. OFAC expects regulated entities to undertake at least five core elements in their compliance program:

Management Commitment
Risk Assessment
Internal Controls
Testing and Auditing
Training

On face value, these elements are much like any other risk or compliance program we would expect to see. However, with sanctions the devil lies in the detail and particularly the complexity of the various regimes. This post is not intended to be a detailed overview of sanctions compliance, rather to provide context for the following discussion on what this means for supply chains.

If your sanctions program is not up to scratch, or if you don’t have one at all, seek specialist advice as the fines and penalties for non-compliance can be substantial and extend beyond the enforcement action to potentially mean your suppliers and customers will no longer do business with you due to the risk you present.

Photo by ThisIsEngineering on Pexels.com

What does the situation in Ukraine mean for supply chain hazards, as an example?

Under Australia’s new Security of Critical Infrastructure (SOCI) Act, one of the key elements of the associated Rules, Supply Chain Hazards, requires regulated entities to ‘establish and maintain in the entity’s program a process or system that the entity uses to minimise or eliminate the material risk of, or mitigate, the relevant impact of” amongst other things “(d) disruptions and sanctions of the asset due to a disruption in the supply chain”.

With the prospect of more sanctions on Russia, companies need to start working now to review their suppliers, update their risk assessments, and identify any potential connections to Russian individuals, entities and sectors. Some of the steps you may need to take include:

Examining the geographic presence of your suppliers – are any based and / or headquartered in Russia or its allies?
Ultimate Beneficial ownership or control – who (individuals) or what (other legal entities) one some or all of your suppliers and are any of them Russian, or do they have a nexus to Russia?
Once you have identified your suppliers and their beneficial owners, be prepared to conduct name screening against the relevant sanctions lists, or alternately use a reliable vendor solution such as Refinitive’s WorldCheck, Dow Jones Watchlist, LexisNexus World Compliance.
Identify any other potential foreign influence from Russia or its proxies that could impact your supply chain or operations.

If you are new to sanctions, your reaction is probably that this would take a lot of effort and involve some cost. In my experience, this is exactly the case. Once sanctions are promulgated, you need to compare the sanctions list(s) to your supplier data to ensure there are no matches. Your bank will do the same, so if you don’t do this you risk a supplier payment being confiscated by a regulator which can be hard to recover. In addition, intentionally or unintentionally breaking a sanction has serious criminal and civil penalties.

Upcoming changes to private investigator and security licencing in New South Wales

Posted on February 15, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

Australia’s path to security industry regulation

Australia has had legislation to regulate the security industry since the 1980’s, and was introduced to establish minimum qualification and character requirements (including criminal history checks) and to try to prevent infiltration of the sector by organised crime (see Prenzler and Sarre 2012).

This is State or Territory-based legislation: there is no regulation of the private security industry by the Commonwealth, and arrangements involving Australian Government security clearances and the Defence Industrial Security Program are completely separate. State police predominately manage security licencing in Australia, however there are exceptions where this role is performed by a state’s Office of Fair Trading. Legislation in each state or territory contains provisions for mutual recognition of licences held in other Australian jurisdictions, as well as limited provisions for temporarily working in other states.

Current legislation in NSW

In New South Wales (NSW), Australia’s most populous state, the NSW Police currently manages licencing for Private Investigators and Security Consultant’s under two pieces of legislation as at the time of writing:

Security Industry Act 1997 (NSW)
Commercial Agents & Private Inquiry Agents Act 2004 (NSW)

The legislation establishes licencing requirements for individuals (known as ‘operator licences’) and employers (known as ‘master licences’). In 2016, the Security Industry Amendment (Private Investigators) Act 2016 No 40 (not commenced) was passed to establish the legal basis for these changes, however there was no date when this was to take effect until October 2021, creating an element of confusion for licencees.

Effective 1 July 2022, licencing of private investigators will be incorporated into the Security Industry Act. In practice, this means professionals who offer both private investigator and security consulting services go from requiring two master and operator licences to one of each category. The addition of Class 2E to an operator’s security licence authorises the licensee to act as a private investigator or act in a similar capacity. These improvements to regulations, warmly welcomed by me as a holder of both licences, will streamline compliance.

Individual (operator) licencing in Australia

In Australia, it is common to find individuals working in roles that provide services which involve private investigation and security consulting within the same engagement. An example might be where an investigation is performed into theft, which also results in advice on how an organisation can improve its internal controls to prevent theft in the future.

Cybersecurity professionals are not explictly included or excluded from the need for operator licencing in Australia, which means some people are licenced and others are not. In my view, licencing of cybersecurity professionals is overdue, this gap creates confusion and inconsistency. It is reasonably safe to assume that some unlicenced activity is being undertaken in Australian industry.

The scope of licenced security consulting and private investigation services in NSW are as follows:

Private Investigator

private investigator means a person who is employed or engaged for the purposes of either or both of the following:(a) the investigation of persons, being any activity carried out by a person on behalf of a second person (not being his or her employer) that involves finding a third person or investigating a third person’s business or personal affairs,
(b) the surveillance of persons, being any activity carried out by a person on behalf of a second person (not being his or her employer) that involves the surveillance of a third person.

Security Consultant

Security Consultant (licence class 2A) —authorises the licensee:
(i) to sell security methods or principles, and
(ii) to act as a consultant by identifying and analysing security risks and providing solutions and management strategies to minimise those security risks,

Definitions of activity licenceable under NSW law

To be eligible for the above licence, individuals must hold the relevant qualifications, as well as satisfy relevant employment experience and character requirements (including undergoing fingerprinting by police).

Performing the above services without a licence is a criminal offence in all Australian states and territories. The maximum penalty for “carrying on a security activity” unlicenced in NSW is a fine of 500 penalty units ($110 fine per penalty unit, so $55,000) or imprisonment for 2 years, or both (refer legislation).

Employer (master) licencing in Australia

Holding a master licence means organisations can provide licensed security operatives to carry out security activities in NSW (i.e. including security consulting services and, as of 1 July 2022, private investigation services). Master licence holders must ensure that only appropriately licenced employees provide security services. There are three categories of master licence holder under NSW law:

Individual – individuals registered as a sole trader (or partnership) who wish to either carry out security activities in a self-employed capacity with a Class 1 or Class 2 security operative licence, or provide security operatives under an ABN
Corporation – ASIC-registered corporations, excluding trusts and partnerships, that wish to provide security operatives to carry out security activities
Government Agency – government agencies that wish to provide security operatives to carry out security activities.

A master licence holder is subject to a number of prerequisites as well as character checks of directors and ‘close associates’. As with individual licences, there are penalties for providing unlicenced security services. These are currently 1,000 penalty units in the case of a corporation ($110,000) or in the case of an individual, 500 penalty units ($55,000) or imprisonment for 2 years, or both.

How to check an individual or business is licenced in Australia?

The regulator for security industry and private investigator licencing in each state or territory manages their own register of licencees. In NSW, this register can be queried by members of the public here: Service NSW.

As with any industry, there are a range of practitioners from those offering highly professional, highly skilled services through to those with substantially less experience. Prospective buyers of these services should perform appropriate due diligence.

Understanding the risk of organised crime infiltration in your business

Posted on February 1, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What is Serious Organised Crime anyway?

The concept of organised criminal infiltration into your business or supply chain is interesting. I’ve worked with a number of critical infrastructure operators in Australia who have this concern: the nature of their business provides a unique opportunity for criminals to exploit their business, or the employees position, to facilitate their own or others criminal activity. Before we start to get carried away that serious groups like the mafia are infiltrating your business, it’s worth understanding key elements of the ‘spectrum of crime’ which forms a basis for any Threat Assessment:

Criminal enterprise – a group of individuals with an identified hierarchy, or comparable structure, engaged in significant criminal activity (FBI)
Opportunistic individuals – individuals who take advantage of internal control gaps or weaknesses and opportuinities of circumstance to perpetrate criminal and / or unethical activity (e.g. fraud or business espionage) (Curwell, 2022)
Organised criminals – “small, organised networks of entrepreneurial offenders, often transitory in nature, that develop to exploit particular opportunities for illegal profit. These groups vary from temporary associations created to commit a time-limited series of offenses, to enduring businesses that invest in on-going criminal activities” (Eck & Clark, 2013, p28).
Organised crime (organised criminal group) – “a structured group of three or more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material benefit” (Smith 2018 in United Nations 2004: 5).
Transnational Organised Crime – those self-perpetuating associations of individuals who operate transnationally for the purpose of obtaining power, influence, and monetary and/or commercial gains, wholly or in part by illegal means, while protecting their activities through a pattern of corruption and/or violence, or while protecting their illegal activities through a transnational organisational structure and the exploitation of transnational commerce or communication mechanisms (FBI)

Its important to remember that not all crime that happens somewhere like a border, port or airport will be perpetrated by serious organised crime. Anecdotally, a lot of the crime I come across day to day involves opportunistic individuals and organised criminals. These risks are managed through employment screening and internal controls (which might include detection programs – see What can be done about it? below).

Common activities of serious organised crime – is there a nexus with your business?

Understanding the types of activities which commonly involve serious organised crime groups can help businesses assess their likely exposure to this activity. In the following list, I have compiled a list of offences based on information published by the FBI and ACIC:

Bribery
Currency Counterfeiting
Embezzlement
Fraud schemes
Cybercrime
Investment and financial market fraud
Revenue and tax fraud
Credit card fraud
Superannuation fraud
Money Laundering
Murder for Hire
Drug Trafficking
Prostitution
Exploitation of Children
Organised retail crime

Human Trafficking and Slavery
Intellectual Property Crime – including Counterfeit Goods
Illegal Sports Betting
Cargo Theft
Sale and distribution of stolen property
Murder
Kidnapping
Gambling
Arson
Robbery
Extortion
Tobacco and firearms smuggling
Vehicle theft

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

What we know about Serious Organised Crime in Australia today

Access to detailed assessments of the nature and sophistication of serious organised crime in Australia are not publicly available. However, one of the most useful reports is the periodic assessment of Serious Organised Crime released approximately every 5 years by the Australian Criminal Intelligence Commission. This report provides a useful outline of serious organised criminal markets in Australia, as follows:

Illicit Commodities	Serious Financial Crime	Specific Crime Markets	Crimes Against the Person
Narcotics	Cybercrime	Visa & Migration Fraud	Exploitation of Children
Illicit Pharmaceuticals & Anaesthetics	Investment & Financial Market Fraud	Environmental Crime	Human Trafficking & Slavery
Performance Enhancing Drugs (e.g. steroids)	Revenue & Taxation Fraud	Intellectual Property Crime
llicit Tobacco	Superannuation Fraud
Illicit Firearms	Credit Card Fraud

ACIC (2017). Serious Organised Crime in Australia, Canberra

Understanding whether your business, including your supply chain, has a nexus with any of these criminal markets will help inform your threat and risk assessment process in relation to organised criminal infiltration. As with assessing physical security of your office premises or facilities, you may not have a direct nexus with organised crime but your suppliers or neighbouring businesses might. This creation of an indirect nexus should also be considered, as this could have adverse reputation, safety and disruptive effects on your business, employees or customers.

The role of criminal enablers

Some organisations may not be directly of interest to OCG, but they may be recognised as having something or someone who can enable or facilitate their objectives. Examples here include access to information, professional facilitators (eg. lawyers, accountants, trust & company service providers), systems (eg being able to change a database record in a third party system), or sub-leasing warehouse or storage space.

The Australia Criminal Intelligence Commission identifies six enablers of serious and organised crime (ACIC, 2017):

Money laundering
Technology
Professional facilitators
Identity crime
Public Sector corruption
Violence and intimidation

Enablers can be targeted by organised crime either directly (eg group leases warehouse space for its own activities) or in relation to employees in key positions. Employees who have some sort of vulnerability, either at home or at work, may be coerced, bribed, intimidated or extorted to perform acts at the direction of a group.

What can be done about the risk of organised criminal infiltration?

So far in this post, we’ve demystified what constitutes serious organised crime, the types of activities (offences) commonly associated with this activity, the criminal markets where organised crime groups are found, and the professional intermediaries and enablers who might knowingly (or unknowlingly) support them. The next question is what to do about it.

The starting point for any business leader concerned about potential organised criminal infilitration in their business is a thorough, objective and factual assessment of the threats and risks, and their associated likelihood and consequence. Once understood, a proper security plan can be implemented to mitigate these risks.

With infiltration by organised crime there is a potential insider threat. This can materialise within both the employee and contractor / third party populations, including within the extended supply chain. This also needs to be considered when scoping any assessments. Suggested actions for businesses concerned about organised criminal infiltration include:

Perform a Threat Assessment to map your ‘threat universe‘ (i.e. who is likely to target your organisation), and why
Undertake a Security Risk Assessment, which incorporates identifying critical assets, vulnerabilities (control gaps), consequence and likelihood (i.e. which of your assets might serious organised crime groups actually consider attractive) for the various threats identified in the Threat Assessment. For risk such as product theft or product diversion, don’t forget to assess if your products are CRAVED.
Undertake a Personnel Security Risk Assessment – this is commonly separate to your Security Risk Assessment, but identifies high risk positions and roles in the organisation which give acceess to your critical assets, and the types of employment screening (background investigation) and continous insider threat detection programs that may be required to mitigate the risk
Perform due diligence on prospective and current employees, contractors, suppliers and business partners / third parties based on the risks idenitifed in your Security Risk Assessment and Personnel Security Risk Assessment.
Develop a robust intelligence and security program to monitor for ongoing changes to your organisation’s threat landscape (including building capabilities such as media monitoring), and where appropriate, develop partnerships with police and security agencies to help mitigate the risk to within your organisation’s risk appetite.

Following these steps will ensure you know where you need to focus your security effort and resources. It may be that your greatest risk is that of opportunistic individuals and organised criminals (including trusted insiders and employees or contractors of your third parties or business partners) and not serious organised crime, requiring a different treatment strategy. If in doubt, seek assistance from an appropriately qualified professional who is licenced by the State Police to give security advice in the relevant Australian jurisdiction. If in doubt, have a read of this advice from ASIAL, the Australian Security Industry Association.

How should I perform due diligence to comply with Australia’s Modern Slavery Act 2018 (part 2)?

Posted on June 27, 2021 by Paul Curwell, CPP, CFE, CISSP

Author: Paul Curwell

Introduction

This article is the second in a series on Australia’s Modern Slavery Act, this time with a focus on due diligence practices. Readers of my previous post may recall that one of the requirements of the MSA is to ‘Describe the actions taken by the reporting entity and any entities it owns or controls to assess and address these risks, including due diligence and remediation processes‘ (p29). The Guidance goes on to say that due diligence is a key term within the UN Guiding Principles (pp46-47), and directs readers to the OECD Due Diligence Guidance for Responsible Business Conduct as a source of ‘key international standards and guidance’ (p90).

In this second article, I aim to help readers understand the Australian Government’s expectations of a Reporting Entity’s human rights due diligence program so as to comply with the MSA in a clear and practical manner.

Australia's Parliament House — Australia’s Parliament House

The UN Guiding Principles establish the concept of ‘human rights due diligence’

The United Nations Guiding Principles on Business and Human Rights (UNGPs) were endorsed by the United Nations Human Rights Council in June 2011. The UNGPs are intended to apply to both nation states and businesses regardless of factors such as size or jurisdiction, and set out the intended duties and responsibilities of both parties. Under the UNGPs, what constitutes ‘human rights’ are defined as those rights outlined in the International Bill of Human Rights and the International Labour Organisation Declaration on the Fundamental Principles and Rights at Work (UNGP 12).

Of the 31 Guiding Principles, three in particular establish responsibilities for business in relation to human rights due diligence, as follows:

GP 13 – requires businesses to avoid causing human rights impacts through their operations or activities, and to seek to prevent or mitigate any adverse human rights impacts linked to them
GP 15 – states that in order to meet their human rights responsibilities, businesses should have: (a) a human rights policy, (b) a human rights due diligence process, and (c) a process to enable remediation
GP 17 – states that human rights due diligence is required by business to ‘identify, prevent, mitigate and account’ for adverse human rights impacts. This activity “should include assessing actual and potential human rights impacts, integrating and acting upon the findings, tracking responses, and communicating how impacts are assessed”

The Australian Government’s Modern Slavery Act Guidance for Reporting Entities is aligned to the UNGPs, hence an understanding of them is useful when designing a due diligence program in order to comply with the Modern Slavery Act.

The OECD’s Multinational Enterprise Guidelines compliments and expands upon the UNGPs

In May 2010, the governments of the 42 OECD and non-OECD countries which adhere to the OECD Declaration on International Investment and Multinational Enterprises and related Decision, of which Australia is a member, commenced work to update the original OECD Multinational Enterprise (MNE) Guidelines originally developed in 2000. In addition to providing concepts and principles, the Guidelines provide specific guidance in eight domains:

Human Rights
Employment and Industrial Relations
Environment
Combating Bribery, Bribe Solicitation and Extortion
Consumer Interests
Science and Technology
Competition, and,
Taxation

The revised version of the MNE Guidelines included a new chapter on Human Rights which is consistent with the UNGPs. The MNE Guidelines are intended to provide “non binding principles and standards for Responsible Business Conduct”, and are “the only multilaterally agreed and comprehensive code of responsible business conduct that governments have committed to promoting” (p3).

The MNE Guidelines contain a number of requirements pertaining to Human Rights Due Diligence (i.e. Modern Slavery Act due diligence practices), however this guidance aligns with that of the UNGPs and does not warrant repeating.

Why should the OECD’s MNE Guidelines matter to Australian businesses?

Australia is a signatory to the OECD Declaration on International Investment and Multinational Enterprises and Decisions. To effect this, the Australian Treasury manages Australia’s OECD MNE ‘National Contact Point’ to promote and implement the MNE Guidelines. The Government expects Australian businesses to comply with the MNE Guidelines and the OECD Due Diligence Guidance for Responsible Business Conduct and associated sector due diligence guidelines (see below) as they “represent standards of behaviour that supplement Australian law and therefore do not create conflicting requirements“. Non-judicial complaints can be brought against Australian businesses, and are investigated by an Independent Examiner (currently WA Barrister Mr John Southalan).

To assist business in interpreting and implementing the MNE Guidelines, the OECD has produced its Due Diligence Guidance for Responsible Business Conduct, supported by additional sector specific due diligence guidance for:

The OECD also introduces new sector-specific guidelines periodically.

The OECD has developed guidance for business on how to undertake ‘human rights due diligence’

As an Australian, I struggle with the way the ‘human rights due diligence’ concepts are presented in the UNGPs and OECD guidelines. We so frequently design our governance, risk and compliance frameworks along the lines of ISO31000 – Risk Management and ISO19600 – Compliance Management Systems that it is easy to forget these elements are not so ingrained overseas.

I raise this because the OECD Due Diligence Guidelines for Responsible Business Conduct (DDGs) introduce a six-step due diligence process which contains some functions we might ordinarily consider constituting part of a risk and compliance framework, as follows (Figure 1, p21):

Embed Responsible Business Conduct into policies and management systems
Identify and assess adverse impacts in operations, supply chains and business relationships
Cease, prevent or mitigate adverse impacts
Track implementation and results
Communicate how impacts are addressed
Provide for, or cooperate in, remediation where appropriate

Although the OECD states that businesses may not see these elements as being exclusive to a due diligence program per se, the DDG also states the focus of human rights due diligence processes should be external to the business itself (as opposed to risk management’s traditionally internal focus) and focused on its extended operations, products or services, and its ‘business relationships’ (what Australians might consider as Third Party Risk Management).

Human Rights Due Diligence can build off (although it is broader than) traditional transactional or ‘Know Your Counterparty’ (KYC) due diligence processes

The DDGs are not intended to replace those practices commonly referred to as ‘Know Your Customer‘ (KYC), ‘Know Your Supplier‘ (KYS), ‘Know Your Partner‘ (KYP) or ‘Enhanced Due Diligence‘ (under AML/CTF laws, legislated in Australia as ‘Enhanced Customer Due Diligence’) (p16). These due diligence activities are different to human rights due diligence, albeit there will likely be some overlap, and commonly focus on around some variation of the following nine key areas:

Identification and Identity Verification
Legal entity formation and directors
Determination of Beneficial Ownership
Financial viability, credit ratings and performance
Litigation, bankruptcy & lien searches
Name screening (adverse media, Politically Exposed Persons, Sanctions)
Assessment of management’s style, integrity, competence and track record
Reputation in business, industry, the company or community
Disclosed and undisclosed Conflicts of Interest, Related Party relationships and other red flags

Simplifying the OECD’s six-step due diligence process

When I look at the OECD’s six-step due diligence process outlined earlier, Step 2 constitutes what I would consider to be the crux of the actual due diligence (Figure 1, p21). The purpose of Step 2 is to “identify and assess actual and potential adverse impacts associated with the enterprise’s operations, products or services”, which the guidance decomposes into four elements:

2.1 – Develop an enterprise-level risk assessment to identify the areas of highest risk based on a range of internal and external factors, including information gaps. Complete the due diligence from areas of highest to lowest risk
2.2 – Undertake iterative and increasingly in-depth assessments of operations, suppliers and other business relationships to identify and assess adverse Responsible Business Conduct impacts, starting with the highest risk areas first from 2.1 (above)
2.3 – Assess whether the enterprise caused (would cause), contribute to, or whether the adverse impact is (would be) directly linked to its operations in order to determine an appropriate response (i.e. is it actually involved, or potentially involved)
2.4 – Prioritise the most significant risks and impacts for action based on severity and likelihood

Step 2.1 will resonate well with anyone familiar with the principles of risk management in that resources should always be concentrated towards those areas of the highest risk exposure.

Step 2.2 is an interesting one. In Terrorist Diversion (Routlege, 2021), I wrote the chapter on due diligence practices for non-profit organisations. In this, I outlined a risk-based process where the level (extent) of due diligence initially undertaken is predicated on the perceived inherent risk prior to commencing due diligence. Where indications are encountered that an entity is actually higher risk whilst performing the diligence, the extent of diligence can be easily increased. Step 2.2 aligns with these principles.

Steps 2.3 and 2.4 start to get into matters of liability and social responsibility for any identified (or potential adverse) findings, and subsequently a treatment plan. Depending on your organisation, this may or may not be the responsibility of the team actually performing the due diligence itself.

To make it easier for readers to follow all of this, I have developed this simple cheat sheet which I hope will be a useful resource (please remember to cite me appropriately).

– (C) Copyright Paul Curwell (2000, Australia). http://www.forewarnedblog.com

Modern Slavery, Human Trafficking & People Smuggling? (Part I)

Posted on April 30, 2021 by Paul Curwell, CPP, CFE, CISSP

Author: Paul Curwell

Introduction

According to Antislavery.Org, “someone is in slavery if they are forced to work through coercion, mental or physical threats; trapped and controlled by an employer; dehumanised, treated as a commodity, or sold as property; and subject to physical movement constraints”. Antislavery.Org identifies six primary forms of slavery:

Forced labour
Debt bondage (bonded labour)
Human trafficking
Descent-based slavery (people born into slavery)
Child slavery (as opposed to child labour)
Forced and early marriage

The 2016 figures from the International Labour Organisation (ILO) are startling:

40.3 million people are in modern slavery, including 24.9 million in forced labour
This is a ratio of 5.4 victims (slaves) per 1,000 people, with 25% of those being children
64% of the victims of forced labour are exploited in private sector industries such as domestic work, construction or agriculture, and almost 17% are in forced labour imposed by government authorities
Females are disproportionately affected, accounting for 58% of forced labour victims across all sectors except the commercial sex industry, where they represent 99% of victims

Globally, the international legal framework to address modern slavery includes the Universal Declaration on Human Rights, and various other international conventions and into different forms of slavery, forced labour and human trafficking.

It is common to see the terms ‘modern slavery’, ‘human trafficking’ and ‘people smuggling’ used interchangeably, but they are actually different concepts with different actors, motives and outcomes (see Australian Criminal Offences below).

Key Definitions

Whilst the concepts of Modern Slavery and Human Trafficking are related, People Smuggling is a different concept, as outlined below:

Modern Slavery in Australia is defined as conduct that consitutes:
- An offence under Division 270 or 271 of the Criminal Code 1995 (Cth),
- A form of Child Labour (as defined by the ILO), or
- Trafficking in persons, as defined in Article 3 of the Protocol to Prevent, Suppress and Punish Trafficking in Persons, Especially Women and Children, supplementing the United Nations Convention against Transnational Organized Crime (2000)
Human Trafficking – the physical movement of people (recruiting, transporting or harboring) across and within borders through deceptive means, force or coercion. The people who commit human trafficking offences are motivated by the continuing exploitation of their victims once they reach their destination country (AFP)
People Smuggling – the organised, illegal movement of people across borders, usually on a payment for service basis (AFP). Unlike Human Trafficking, although ‘illegals’, smuggled people are free upon arrival in their destination country

Australia’s regulatory landscape

Broadly speaking, there are now seven main pieces of legislation relating to modern slavery and human trafficking in Australia:

Criminal Code Act 1995 (Cth) criminalises trafficking, slavery and slavery-like practices
Crimes Act 1914 (Cth) protects trafficked persons when giving evidence and allows a court to make reparation to victims
Migration Act 1958 (Cth) creates offences for allowing an unlawful non-citizen to work or breach work-related visa conditions
Fair Work Act 2009 (Cth) empowers the Fair Work Ombudsman to enforce compliance with the Fair Work Act
Marriage Act 1961 (Cth) provides offences for solemnising underage marriages
Proceeds of Crime Act 2002 – provides for tracing, restraining and confiscating the proceeds of crime, including trafficking and slavery
Modern Slavery Act 2018 (Cth) is the newest piece of slavery-related legislation in Australia

What does the Modern Slavery Act 2018 (Cth) require of Australian Companies?

At the macro level, the purpose of the Act is to raise awareness and increase transparency of the problem of Modern Slavery in Australian supply chains, and to require companies to take steps to understand the risks and change existing practices which are conductive to slavery and slave-like conditions. The Act requires companies that meet the criteria (termed a ‘reporting entity’) to submit a modern slavery statement annually to the relevant Minister, which is also made available to the public. Mandatory content of these statements includes describing:

(b) the structure, operations and supply chains of the reporting entity
(c) the risks of modern slavery practices in the operations and supply chains of the reporting entity, and any entities that the reporting entity owns or controls
(d) actions taken by the reporting entity to assess and address those risks, including due diligence and remediation processes
(e) how the reporting entity assesses the effectiveness of such actions
(f) the process of consultation with (i) any entities that the reporting entity owns or controls; and (ii) in the case of a reporting entity covered by a statement under section 14—the entity giving the statement; and
(g) any other information considered relevant

By requiring larger companies to produce these statements, government’s objective is that over time modern slavery risks in the supply chain will be reduced and that these requirements will propagate throughout global supply chains, including down to smaller suppliers – after all, a rising tide floats all boats.

Definitions of slavery in the Modern Slavery Act are mapped to the various Australian criminal offences, meaning that in order to identify inherent risks or exposures of a prospective third party or business partner, potential joint venture partner or acquisition target, you need to be able to determine their exposure to the various offences.

Australian Criminal Offences

Criminal Offences in Australia are either national, at the Commonwealth level and enshrined in either the Crimes Act 1901 (Cth) or the Criminal Code Act 1995 (Cth), or State or Territory-based jurisdiction (e.g. Crimes Act 1900 (NSW)). Offences pertaining to Slavery, Trafficking and People Smuggling can be found in the Criminal Code Act 1995. To make it easier to identify slavery and trafficking related risks during initial or ongoing due diligence, I have developed the following taxonomy based on the legislation which can be used as a reference:

High risk industries exposed to modern slavery

Some industries are more typically exposed to modern slavery risks than others. These include the following, which have been grouped below by typology:

Typology	High Risk Industries
Forced Labour (Global Slavery Index 2018 – see below for citation)	Cotton Bricks Garments – Apparel and Clothing Accessories Cattle Sugar Cane Gold Carpets Coal Fishing Rice Timber Agriculture Cocoa Diamonds Electronics – laptops, mobile phones, computers
Human Trafficking (Anti-Slavery International – see below for citation)	Trafficking is the act of moving the person internationally. Upon arrival they are usually driven into other typologies, such as: Sexual Servitude (prostitution) Forced labour Forced begging Forced organised crime Domestic servitude Forced marriage Forced organ harvesting
Servitude (Anti-Slavery International – see below for citation)	Domestic servitude (e.g. housekeeping, cleaning, maid duties, childcare, cooking) Sexual servitude (forced prostitution)
Deceptive Recruiting (International Labour Organisation)	Labour hire organisations and their extended networks of recruiters use deception to make an adult or parent believe that they (or their child) will be going to work in a reputable job, only for the victim to find they are later channeled into Forced Labour or Servitude. Sometimes, victims even pay for their traffickers.
Debt Bondage (Anti-Slavery International – see below for citation)	Agriculture Brick kilns Mills Mines Factories

Breakdown of exposure to modern slavery by Industry

As illustrated above, ‘deceptive recruiting’ and ‘human trafficking’ can be pathways for victims to Forced Labour and Servitude. Companies would rarely be exposed to every typology of modern slavery identified above: typical activities of Australian companies mean that modern slavery in the supply chain is most likely to manifest itself as Forced Labour or Debt Bondage, although Servitude may arise in the case of expatriates working offshore who employ domestic workers via an ‘agent’ for tasks such as household duties.

Jurisdictions and Human Trafficking Patterns

A number of useful publications exist to understand the prevalence and risk profile of human trafficking in the supply chain, including the annual ‘Trafficking in Persons‘ report published by the US State Department and the ‘Global Reports on Trafficking in Persons‘ issued by the United Nations Office on Drugs and Crime (UNODC).

Every country is different, and is typically classified as an Origin (source), Transit, or Destination country for Human Trafficking. As shown in this figure from the UNODC (2006), Australia is a Destination country for Human Trafficking, whilst many countries in Asia are both Origin and Destination countries. The prevalence of Destination countries in Asia means there is an increased likelihood that various forms of modern slavery would be prevalent in global supply chains given that Asia is the world’s manufacturing hub.

Photo Credit: United Nations Office on Drugs and Crime (2006). Trafficking in Persons:
Global Patterns, April 2006, Vienna,

As a primarily Destination country, Australia also has an interesting Human Trafficking profile, with key highlights from the 2019 US State Department Trafficking in Persons report including:

Both domestic and foreign victims are exploited in Australia
Women from Asia, Eastern Europe and Africa are frequently exploited in the commercial sex industry, whilst men are typically engaged in forced labour
Some women may also be exploited via forced marriages or domestic servitude situations
Employers and labour hire agencies are increasingly being linked to forced labour, bonded labour and exploitation (wage underpayment, falsification of records, excessive work hours) in agriculture, cleaning, construction and hospitality
There have also been instances of people on student visas becoming victims of modern slavery scams, whilst also having to pay substantial academic and related tuition fees
Also, many overseas students do not understand Australia’s complex employment award (salary) schemes, and some students do not feel they can approach the police for assistance due to a lack of trust in their home country
There have also been allegations of foreign diplomats abusing foreign household staff in Australia, as these household staff may not fall under standard Australian protections due to their employer’s diplomatic status

As we can see, no country is immune from the scourge of Modern Slavery, however a greater understanding of the way it can manifest both in the supply chain and locally in Australia means more effective risk identification and targeted due diligence practices, which in time will help combat this global problem.

Next Steps – Due Diligence, Risk Assessments and Customer Risk

As the first in a three-part series, this is Part I of a three part series on modern slavery and human trafficking. Part II will be published shortly, and will discuss the guidance provided to ‘Reporting Entities’ under the Modern Slavery Act 2018 in terms of their obligations, with a target audience of supply chain professionals and investment managers. Part III will address risks relating to slavery and human trafficking offences, which are designated categories of offences for money laundering (often referred to as ‘predicate offences’) by The Financial Action Task Force (FATF / GAFI).

Executive Summary

What is Workforce Screening?

When should workforce screening be performed?

Screening is a legal requirement for some industries

What checks are typically performed in workforce screening?

What’s the relationship between the PSRA and High Risk Roles in Workforce Screening?

Further Reading

Australia’s court structure

Where to search court records

Criminal Records are considered ‘sensitive information’ under the Privacy Act

How do you search court records?

Primary versus Secondary Sources

Further reading

Executive Summary

How can insider threats affecting a principal materialise in the supply chain?

What insider risks can manifest in a direct impact on the principal?

Designing and enforcing Insider Threat clauses in contracts can be challenging

Further Reading

Defining third parties

How are companies responsible for the actions of their third parties?

What should companies do to manage their third party risks?

Further Reading

What industries use critical minerals?

What are the security and supply chain risks for Australian companies?

What can we do about it?

Further reading

What are sanctions?

Who promulgates sanctions?

What should a sanctions compliance program comprise?

What does the situation in Ukraine mean for supply chain hazards, as an example?

Further Reading

Current legislation in NSW

Individual (operator) licencing in Australia

Employer (master) licencing in Australia

How to check an individual or business is licenced in Australia?

Further reading:

What is Serious Organised Crime anyway?

Common activities of serious organised crime – is there a nexus with your business?

What we know about Serious Organised Crime in Australia today

What can be done about the risk of organised criminal infiltration?

Further Reading

The OECD’s Multinational Enterprise Guidelines compliments and expands upon the UNGPs

Why should the OECD’s MNE Guidelines matter to Australian businesses?

The OECD has developed guidance for business on how to undertake ‘human rights due diligence’

Human Rights Due Diligence can build off (although it is broader than) traditional transactional or ‘Know Your Counterparty’ (KYC) due diligence processes

Simplifying the OECD’s six-step due diligence process

Further Reading

Australia’s regulatory landscape

What does the Modern Slavery Act 2018 (Cth) require of Australian Companies?

Australian Criminal Offences

Jurisdictions and Human Trafficking Patterns

Next Steps – Due Diligence, Risk Assessments and Customer Risk

Further Reading