Bribery Act 2011
1st April 2011
Following delays the government has finally published guidance on how SMEs can prove they have ‘adequate procedures’ for preventing bribery. When considering their procedures organisations should adopt 6 principles:

• Proportionality: Actions should be proportionate to the risks faced;
• Top Level Commitment: Senior management are responsible for ensuring the business is acting ethically and without bribery, and should establish a culture within the organisation in which bribery is never acceptable;
• Risk Assessment: Cover the market being operated in and the individuals being dealt with;
• Due Diligence: Ensure you know exactly who you deal with in the supply chain, including agents, intermediaries and joint ventures;
• Communication: Ensure policies and procedures are communicated to employees and others who will perform services on your behalf;
• Monitoring and Review: Institute mechanisms to ensure compliance with the policies and procedures.

Failure to comply with the Act could lead to prosecution with penalties of up to 10 years imprisonment for individuals and an unlimited fine for companies.

First monetary penalties served for serious data protection breaches

24 November 2010 

The Information Commissioner today served two organisations with the first monetary penalties for serious breaches of the Data Protection Act.

The first penalty, of £100,000, was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, was before the courts, and the second involved details of care proceedings.

The second monetary penalty, of £60,000, was issued to employment services company A4e for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.

Information Commissioner, Christopher Graham, said: 

“It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks. The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data”.
“These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds.”

Principles for enhancing corporate governance

4 October 2010

The Basel Committee on Banking Supervision today issued a set of principles for enhancing sound corporate governance practices at banking organisations. The principles address fundamental deficiencies in bank corporate governance that became apparent during the financial crisis and cover:

  • the role of the board, which includes approving and overseeing the implementation of the bank's risk strategy, taking account of the bank's long-term financial interests and safety;
  • the board's qualifications. For example, the board should have adequate knowledge and experience relevant to each of the material financial activities the bank intends to pursue, to enable effective governance and oversight of the bank;
  • the importance of a risk management function (including a chief risk officer or equivalent for large banks and internationally active banks), a compliance function and an internal audit function, each with sufficient authority, stature, independence, resources and access to the board;
  • the need to identify, monitor and manage risks on an ongoing firm-wide and individual entity basis. This should be based on risk management systems and internal control infrastructures that are appropriate for the external risk landscape and the bank's risk profile; and
  • the board's active oversight of the compensation system's design and operation, including careful alignment of employee compensation with prudent risk-taking, consistent with the Financial Stability Board's principles.

The principles also stress the importance of the board and senior management having a clear knowledge and understanding of the bank's operational structure and risks. This includes risks arising from special purpose entities or related structures.

Supervisors also have a critical role in ensuring that banks practice good corporate governance. In line with the Committee's principles, supervisors should establish guidance or rules requiring banks to have robust corporate governance strategies, policies and procedures. Commensurate with a bank's size, complexity, structure and risk profile, supervisors should regularly evaluate the bank's corporate governance policies and practices as well as its implementation of the Committee's principles.

The need for sound corporate governance improvements has also been observed in other financial sectors. That is why, in developing the principles issued today, the Basel Committee coordinated its work with the International Association of Insurance Supervisors (IAIS), which is currently reviewing its Insurance Core Principles to address corporate governance for the insurance sector. The Basel Committee and the IAIS seek to collaborate on monitoring the sound implementation of their respective principles.

$375,000 fine for data loss

Whilst the ICO in the UK has recently announced the maximum fines it can impose have increased from £5,000 to £500,000, in the US, FINRA has hit DA Davidson with a $375,000 fine for failing to safeguard confidential client information. A group of criminals hacked into the firm’s computer and got access to data for approximately 192,000 customers. Despite the fact that after the breach, DA Davidson contacted and cooperated with authorities, they now must pay a $375,000 fine to FINRA because of their failure to protect client information.

Chief Executives to focus on Risk

CEOs are intending to upgrade their enterprise-wide risk management capability according to the PwC 13th Annual Global CEO Survey. The study involved a survey of 2,000 executives across 50 countries.

Risk is not only moving up the corporate agenda in response to the financial crisis, but is seen as something that needs to be embraced by the organisation as a whole. That one in five say their board of directors is ‘significantly more engaged’ in assessing strategic risk indicates that for many, approaches to risk are moving beyond controls-based risk management to corporate strategy and financial management.

The higher level of involvement by directors is not only taking place in the financial sector, where risk standards are actively changing, but across all sectors.

Attention is being focussed on both internal and external factors.

Of those CEOs who said they plan some change or significant change to their approach to managing risk – and 89% of those interviewed are – slightly more said they plan to integrate risk management capabilities into business units. They are assigning risk functions to business heads, a process that aligns risk with strategic business planning.

‘We learned that we must further strengthen our internal controls and risk management capabilities. The financial crisis has made it clear that all enterprises must be better prepared against future risks’, said Huang Tianwen of Sinosteel Corporation.

ICO Penalties Increase

New rules from the Information Commissioner's Office (ICO) take effect from 6th April 2010. The most significant change is that the maximum financial penalty for non-compliance with the Data Protection Act is increased from £5,000 to £500,000.

The ICO state that there are still problems with unencrypted portable media devices, poor governance and lack of risk assessment.

Global Risks 2010

Global Risks 2010, a World Economic Forum report, sets out the 36 major risks relating to Economic, Geopolitical, Environmental, Societal and Technological issues. The 2010 Report reveals that there has been a dramatic increase in the level of recognition that global risks are now tightly interconnected, even if the impact differs at local level. In addition there is a higher level of systemic risk (interconnections among risks) that demands an integrated approach to risk management.
