Understanding High Risk Roles

What are High Risk Roles?

Understanding the concept of High Risk Roles begins with the concept of assets. There are generally agreed to be two categories of asset – tangible (e.g. physical things) and intangible (e.g. knowledge). Examples of tangible assets include property (facilities), information (including intellectual property and trade secrets), reputation, people (workforce), systems and infrastructure, and stock or merchandise.

Every business is comprised of a variety of different roles, each of which poses a different risk.
Photo by Matheus Bertelli on Pexels.com

Whilst loss, degradation or compromise of an asset may cause a financial loss or inconvenience, not all assets are critical to an organisation’s survival: Those assets which are critical are often referred to as ‘critical assets‘.

Definition: Critical Assets
A ‘Critical Asset‘ is an asset which the organisation has a high level of dependence on; that is, without that critical asset the organisation may not be able to perform or function.

Paul Curwell (2022)

Critical assets typically comprise only a small fraction of all assets held by any organisation, but their loss causes a disproportionately high business impact. In security risk management, we never have enough resources to treat every risk, nor does it make sense to do so. By extension, an organisation’s critical assets are those assets which it must use disproprotionately more resources to protect. This may range from restricting access to the asset to prevent loss or damage through to providing multiple layers of redundancy and increasing organisational resilience in the event of unanticipated shocks or events.

Not every activity is critical: its important to identify these and focus limited resourced on what's really important.
Photo by Pixabay on Pexels.com

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

High Risk Roles: What are they and why are they important?

High Risk Roles are those which confer privileged access to an organisation’s critical assets, as well as other types of access privileges, user privileges, or delegations of authority.

High and Low Risk Roles Defined

High Risk Roles – those which confer privileged access to Critical Assets (including information) or decision-making rights
Low Risk Roles – those which confer normal access to Critical Assets, information or decision-making rights (i.e., non-privileged).

Paul Curwell (2022)

The concept of privileged access to assets, including information, is very much situational within the organisation concerned. If an organisation has no controls to protect its critical assets from loss, damage or interference, then every role is effectively high risk.

In contrast, if some roles are subject to less controls, supervision or oversight; senior staff are easily able to bypass or compromise internal controls by virtue of their position (or coerce junior employees or subordinates into doing so); or are more readily able to access critical assets (such as in organisations where critical assets are closely guarded or ‘locked down’), then a higher degree of trust is inherently placed in those individuals. This degree of trust is reflected in their ‘privileged access’ to these assets – some organisations have historically used the term ‘positions of trust’ to refer to such roles.

What are some examples of privileged access which make a position ‘high risk’?

An organisation’s workforce must have access to its critical assets to perform its core functions. Members of the workforce with access to its critical assets may not just comprise trusted employees, but also contractors, suppliers and other third parties, making it essential to have a mechanism to track who has access to what as part of good governance, let alone risk management and assurance. Examples of postitions which an employer may deem ‘high risk roles’ based on a risk assessment process include:

Unless defined by legislation, what constitutes a High Risk Role will differ between organisations. Some organisations use the Personnel Security Risk Assessment as a tool for identifying these roles (refer below).

The more senior an employee's position, the greater the potential risk exposure.
Photo by Andrea Piacquadio on Pexels.com

Five suggested tools to manage High Risk Roles

As outlined in the preceding paragraphs, the purpose of defining High Risk Roles is to identify the subset of your overall workforce which has privileged access to critical assets. In most organisations, perhaps with the exception of smaller organisations such as startups, those in High Risk Roles will comprise a very small percentage of the overall workforce. There are five main steps in managing high risk roles, as follows:

1. Personnel Security Risk Assessment (PSRA)

The purpose of the PSRA is a structured approach to identifying those groups of roles, or even specific positions, in the organisation which may be defined as high risk. The PSRA helps inform development of a number of risk treatments and internal controls, including design of Employee Vetting and Supplier Vetting Standards (also known as Employment Screening, Workforce Screening, Employee Due Diligence or Supplier Due Diligence or Supplier Integrity standards) and Continuous Monitoring Programs.

This alignment helps ensuring that the vetting (background check) programs reconcile to the organisation’s inherent risks where the risk driver is a trusted insider with an adverse background, and that Continous Monitoring Programs are risk-based and justifiable. The relationships between these high level concepts is illustrated in the following figure:

Organisational context shapes and influences PSRA design. Personnel Security risk treatments should correspond to a specific risk.

See my article here for more detail on Personnel Security Risk Assessment process.

2. Identify your High Risk Roles

This involves an exercise to determine which position numbers (or groups / types of roles) have privileged access to your critical assets. This activity manually assigns a risk rating to each position, group or type of role in the company’s HR Position Control or HR Position Management registers extracted from the organisation’s Human Resources Information System and might be stored somewhere such as Active Directory.

An example of the process used to identify high risk roles.

In some cases, the identification of High Risk Roles is undertaken as part of the Personnel Security Risk Assessment, whilst other organisations chose to do this as a discreet exercise.

3. Apply enhanced vetting to individuals occupying High Risk Roles

Many organisations run multiple levels of workforce screening (employment screening) for prospective and ongoing employees. Importantly, vetting looks at the employees’ overall background but does not consider their activity, behaviours or conduct within the organisation or on its networks (this is the role of Continuous Monitoring, below).

To manage cost and minimise unnecessary privacy intrusions, low risk roles will typically be subject to minimal screening processes – perhaps Identity Verification, Right to Work Entitlement (e.g. Working Visa or Citizenship), and Criminal Record Check. Vetting programs for High Risk Roles should be treatments for some of the risks identified through the Personnel Security Risk Assessment.

4. Conduct periodic ICT User Access Reviews

This should be undertaken on an ongoing basis as part of your cybersecurity hygiene, but Users who have higher access privileges, administor access, or access to critical assets should be periodically re-evaluated by line management to ensure this access is still required in the course of work. It is common to find people who are promoted or move laterally to new roles who inherit access privileges from previous roles which may no longer be required in subsequent roles.

Restricting Administrative Privileges is one of Australia’s Essential 8 Strategies to Mitigate Cyber Security Incidents, as published by the Australian Cyber Security Centre, which recommends revalidation at least every 12 months and that privileged user account access is automatically suspended after 45 days of inactivity.

Australian Cyber SEcurity Centre (2022)

5. Apply continuous monitoring for users in high risk roles

Continuous Monitoring through the correlation of data points obtained through User Activity Monitoring and / or other advanced analytics or behavioural analytics-based insider risk detection solutions (such as DTEX Intercept, Microsoft Insider Risk or Exabeam) should be disproportionately focused towards those in High Risk Roles (see Albrethsen, 2017).

In summary, the identification and management of High Risk Roles should be a feature of any Insider Risk Management, Supply Chain Risk Management, or Research Security Program. Increasingly, various legislative frameworks – such as Anti-Money Laundering / Counter-Terrorist Financing (AML/CTF) regime – also consider the concept of High Risk Roles in their compliance programs as a way to manage personnel related risks. Don’t forget, given that High Risk Roles change periodically as the organisation changes, regular updates to related artefacts form part of a mature capability.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What is Show and Shadow Manufacturing?

What is contract manufacturing?

The economics of manufacturing in the 21st century meant many factories relocated to developing countries where labour is plentiful and costs lower. To further reduce costs and focus on ‘core business’, many manufacturers (principals) outsourced production to Contract Manufacturing Organisations (CMOs). This involves standard outsourcing activities as well as winding down a principal’s factories in favour of focusing on higher value add activities such as R&D, product management, sales and marketing. Examples of industries using CMOs include pharmaceutical and electronics companies.

Contract manufacturing allows outsourcing of noncore functions
Photo by Los Muertos Crew on Pexels.com

Whilst use of CMOs might make commercial sense, it also introduces unique risks such as ‘shadow manufacturing’ which must be managed to maintain brand, product and supply chain integrity.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

‘Show factories’ versus ‘shadow factories’ – what’s the difference?

Most CMOs are completely above-board and legitimate, offering excellent service and conforming to a host of certification standards and regulatory obligations. However, ‘show factories’ and ‘shadow factories’ are an exception. Show and shadow factories can be defined as follows (adapted from APEC, 2017):

  • Show factories – typically ‘impressive’ facilities which claim to manufacture a given product or component; however, this is intended to mislead (defraud) the principal seeking to contract with the show factory CMO
  • Shadow factories – manufacturing facilities which operate in the shadows, either owned by a show factory or a ‘sub-contractor’ to a show factory

Theoretically, there is nothing to say a CMO cannot become a show factory at some point during the supplier lifecycle. Examples of triggers for this transition might include management or ownership changes, local crime or corruption in the area where the factory is based, or financial distress. This highlights the importance of performing regular, ongoing supplier integrity and supplier assurance throughout the supplier lifecycle.

Shadow factories can involve forced labour
Photo by u041cu0430u0440u0438u044f u041au0430u0448u0438u043du0430 on Pexels.com

Shadow factories introduce a host of risks for principals

The nature of shadow factories mean they expose the principal to a wide variety of risks, some of which can materialise or persist many years after the shadow factory has been shut down or eliminated from the supply chain, such as regulatory action or litigation arising from involvement with modern slavery. Examples of these risks include:

  • Product Diversion – conforming product can be diverted, such as through overproduction using molds or trade marked materials supplied by the Principal to the show factory
  • Product Integrity – shadow factories can introduce problems with product conformance and product safety, which mean the product obtained by an end user does not meet expectations and can give rise to financial, brand, ESG and safety ramifications
  • IP and Trade Secrets theft – shadow factories might be provided with commercially valuable IP, such as trade secrets, manufacturing molds, recipes and authentic packaging. When uncontrolled, these could be used for counterfeiting, product diversion, and establishing competing businesses
  • Brand Integrity & reputation risk – companies which find shadow factories in their supply chain can be left with adverse brand and reputation damage, as well as be required to pay damages to workers who may be victims of wage theft, modern slavery, or workplace accidents
  • Modern Slavery – workers in shadow factories are often also vulnerable members of society. There is a high chance workers could be victims of modern slavery, such as bonded labour, debt bondage, or child labour
  • Occupational Health & Safety (OHS) – shadow factories often have poor safety conditions, which can give rise to deaths or dreadful workplace accidents. Shadow factory owners may bribe public officials, such as workplace inspectors, to look the other way, further impacting the welfare of factory workers
  • Environmental protection – as with OHS, a track record of environmental damage is common with shadow factories, particularly those which use hazardous chemicals or substances. The need for environmental remediation to remove legacy toxins or pollution is common when shadow factories are closed
  • Business Continuity – shadow factories run as lean as possible, and are unlikely to be able to effectively mitigate unplanned interruptions. Further, show factories might not be able to scale up quickly enough in the event something happens to the shadow factory, leaving the principal with a false sense of security and no protection against business interruptions

By their nature, shadow factories are much cheaper as they typically lack the quality management, regulatory compliance, occupational health and safety, and environmental protections found in legitimate factories. Additionally, workers in shadow factories may be victims of modern slavery, which introduces legal, ethical and integrity issues for the contracting principal, not to mention ESG risk for the principal’s lenders or investors.

Indicators of show and shadow factories

When thinking about how we can detect show and shadow factory activity it is important to remember that manufacturing is a process comprising inputs (raw materials, components) which feed production, resulting in a standardised output. Conforming products are manufactured to a consistent standard, with inputs defined by the Bill of Materials (or BOM lists the precise inputs and quantities required to produce a conforming product).

It is possible to forensically identify potential shadow factory activity
Photo by Anton Mislawsky on Pexels.com

The nature of manufacturing means it is possible to identify discrepancies between expected and actual inputs, production metrics, and outputs which could indicate a CMO is actually operating a ‘show’ factory and that work is being performed by elsewhere by a ‘shadow’ factory. According to APEC, indicators used to determine whether a CMO is operating a show or shadow factory include:

  • Capacity versus output calculations in relation to a given factory’s estimated production capacity
  • Recieving records which may indicate discrepancies in volumes, values, dates / times or other data points
  • Materials reconciliation – reconciling usage versus output may identify unexplained anomalies or inconsistencies
  • ‘Unavailability of packaging materials’ onsite for a given client – such as where the expected packaging materials are not physically located in the show factory (i.e.because they have been shipped to the shadow factory)
  • Maintenance records – including records showing longer than expected gaps between servicing due to inactivity
  • Production records – including staff rosters and payroll records
  • Distribution records – including vehicle logs and delivery records
  • Security access control records and vehicle access logs such as truck deliveries via a security gate)
  • Equipment usage logs – including records showing below expected machinery usage counts
  • Cleaning logs – potentially showing cleaning performed infrequently or less than planned in the show factory
  • Accountability and traceability of rejected materials or defects arising during manufacture
  • Utility usage versus manufacturing output – comparisison of electricity, gas, water usage and bills against plan

Identification of these red flags requires organisation. Prior to performing a site visit or desktop audit, auditors or investigators should have already built a spreadsheet model or similar assessment tool which outlines the expected case value for each of these indicators specific to the product, location of the factory, and other relevant contextual information. This allows auditors to focus on collecting the information necessary to provide an evidence-based assessment, as well as minimising distractions on what they need to collect or questions to ask during a site visit and enabling a laser focus on what they are seeing and hearing during the inspection.

Manufacturer Fraud Audit

To this day I can recall one of the earliest fraud audits performed in my career involving a manufacturing facility recieving government grants. I was green in those days and assigned to perform the audit alone. After spending a few hours examining the manufacturer’s books and records, something wasn’t adding up. I went into the CFO’s office asking him to explain some discrepancies, only to be asked which set of records I would like to see – the records he provided me, a set they maintained for tax purposes, or the real records!

Shocked, I left his office and called my boss, who informed the government. Suffice to say the CFO no longer worked there when I went back to continue my work the next day. However, the moral of the story for these types of audits is that you only have a limited time onsite in which to make sense of the data you are being given and take action. You need to be efficient, organised and prepared, otherwise you will miss your window of opportunity – by the time you get a chance to come back, all evidence of fraud or non-compliance will likely be destroyed.

As highlighted in this article, the involvement of shadow factories in your supply chain can introduce a host of risks, not to mention legal, ethical, safety, and brand concerns. The positive, however, is that it is possible to identify potential show and shadow factory involvement in your supply chain using data analytics. Analytics, supplemented with intelligence, can be used to target your audits or investigations towards high risk third parties, ensuring they know the right questions to ask and what to look out for during site inspections.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Building your supplier integrity framework

What is Supplier Integrity ?

The Cambridge Dictionary defines integrity as “the quality of being honest and having strong moral principles that you refuse to change”. Increasingly the term ‘business integrity‘ is being used to reflect the way companies manage compliance risks and regulatory obligations. More recently, the term ‘supplier integrity’ is also starting to arise.

Photo by ThisIsEngineering on Pexels.com

Supplier Integrity is a logical extension of the concept of ‘business integrity’ (see below – note that some authors use ‘business integrity’ specifically to refer to anti-bribery and corruption). Before diving into the concept in more detail, it is worth setting some boundaries for what constitutes ‘supplier integrity’.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

Despite searching, at the time of writing I was unable to locate a standard or guideline on supplier integrity. However, the OECD Due Diligence Guidance for Responsible Business Conduct provides a useful set of guardrails for what might be included within a supplier integrity framework:

  • Human Rights
  • Environmental Protection
  • Employment and Industrial Relations
  • Financial Crime, specifically:
    • Anti-Bribery & Corruption
    • Economic and Trade Sanctions
    • Fraud
    • Money Laundering & Terrorist Financing
    • Tax Crime
  • Consumer Protection
  • Competition & Anti-Competitive Practices

In my opinion, one of the other fundamental elements to Supplier Integrity is Beneficial Ownership, or the identify of the natural person(s) who actually own the supplier. Whilst determination of beneficial ownership is likely to occur during Supplier Due Diligence, understanding who you are actually proposing to do business with – what the World Bank refers to as the “corporate veil” – is essential and should not be overlooked (refer this related post).

Why is Supplier Integrity important?

There are at least two main reasons why Supplier Integrity is important in business today: the first is legal, whilst the second is more a reflection of ethics and values. One of the primary legal reasons for needing a robust supplier integrity program is Principal-Agent Theory which holds that the company contracting the third party (‘principal’) is generally responsible for actions taken on its behalf by that third party (‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their supplier arrangements.

  • Under this legal doctrine, if a supplier does something illegal there is generally a degree of civil and / or criminal liability for that conduct which can fall on the principal.
  • Whilst activities such as Supplier Integrity and associated supplier compliance programs can help mitigate this liability in the event of something going wrong, it generally does not absolve the principal completely.
  • One example of this in practice is a principals’ liability for bribery and corruption performed on its behalf by a supplier under the U.S. Foreign and Corrupt Practices Act (FCPA) (FCPA Guide, p136).
Photo by Pixabay on Pexels.com

In relation to ethics and values, there are four key drivers which underscore the importance of a robust Supplier Integrity Framework:

  • ESG and shareholders – the Environmental Social Governance (ESG) investment movement is becoming increasingly important globally as we recognise the value and importance of sustainable business practices, as well as the importance of integrity and transparency in business generally. According to McKinsey, companies demonstrate a strong ESG proposition correlate with higher equity returns.
  • OECD Guidelines for Responsible Business Conduct (RBC) – these Guidelines cover covering environmental, industrial relations, financial crime, competition, human rights, and consumer protection and are the OECD’s most comprehensive international standard on Responsible Business Conduct. The Australian Government is committed to promoting the use of the Guidelines and their effective and consistent implementation. Companies operating in Australia and Australian companies operating overseas are expected to act in accordance with the principles set out in the Guidelines and to perform to the standards they suggest. The Guidelines are supplemental to Australian law and are not legally binding (AusNCP).
  • Consumer expectations and social licence to operate – this driver is much more fluid and reflects the will and appetite of the local community and populace to allow a company to operate. Companies which do more respect the communities or environment in which they operate are being identified and actively targeted by global consumers for socially unacceptable behaviour, potentially impacting sales, employee attraction and retention, and political support.
  • Reflection of the company’s values and ethics – perhaps the most important of all, a companies suppliers are a reflection of its brand. Poor choices in suppliers can manifest in quality and reputation risks impacting factors such as profitability down stream.
Photo by Akil Mazumder on Pexels.com

What would you expect to see in a Supplier Integrity Framework?

A Supplier Integrity Framework fulfils and specific purpose – ensuring that the principal’s suppliers conform with its ethics and values as well as comply with applicable legislation. There are six components I would expect to see in any Supplier Integrity Framework:

  1. Supplier Code of Conduct – reflects the principal’s ethics and values to ensure these are demonstrated by its suppliers
  2. Supplier Integrity Policy –
    • Outlines roles and responsibilities, acceptable behaviours or expected practices (see Supplier Code of Conduct);
    • Aligns with compliance obligations and the principal’s broader policies and frameworks (eg risk and compliance frameworks, procurement policy, supplier management framework),
    • Outlines the ongoing monitoring and due diligence practices and the supplier compliance program; and,
    • Sets out how incidents are to be reported and managed.
  3. Risk Assessment – identifies the main supplier integrity risks and where they may manifest in the supply chain (geographical, spend category, etc), as well as associated controls and risk treatment plans
  4. Supplier Due Diligence and Ongoing Monitoring Program – conduct due diligence and continous monitoring on a supplier’s integrity throughout the supplier lifecycle (i.e. selection, contracting, contract management, termination)
  5. Supplier Compliance Program (aka Supplier Assurance Program or Vendor Assurance) – documents how and what the principal will do to ensure compliance with its Supplier Integrity Framework as well as other aspects of contractual compliance. This should also include appropriate incident management, audit and investigation provisions.
  6. Performance and reporting – details how compliance with the policy will be tracked and reported with appropriate levels of governance and oversight.

Relationship between Supplier Integrity, Procurement and Supplier Management Frameworks

The Supplier Integrity Framework is likely to be one element of a principal’s broader suite of corporate governance artefacts. Ordinarily this framework will be subordinate to other frameworks in the organisation such as the principal’s Code of Conduct and other business integrity policies and practices which apply to all employees.

The Supplier Integrity Framework is likely to be subordinate to the Procurement and Sourcing Policy, which likely sets out how the principal performs these functions, as well as other Supplier Relationship Management (SRM) and Supply Chain Management (SCM) frameworks.

Each of the above policies and frameworks performs and important role in the overall supply chain of third party management ecosystem. Importantly, a well-designed supplier integrity framework compliments other governance and risk-related concepts, such as those outlined in the Australian Government’s Critical Technology and Supply Chain Principles (’10 Agreed Principles’, see previous post), as well as providing a solid foundation from which to address a range of other supply chain threats and risks.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.