Operational Risk Management in a Period of Disruption – Will Normal Programming Resume Shortly?

In both normal times and uncertain times, policies and procedures seek to give all employees support in the carriage of business activities. The current COVID-19/coronavirus social and economic crisis is, however, putting to the test existing, proven and robust policies and procedures in all organisations, argues Peter Deans, of 52 Risks management, in this blog.

Peter Deans, Creator & Founder of the 52 Risks management framework, argues that risk managers must put aside any desire they harbour to continue ‘business as usual’ without making adjustments that reflect the changing external environment. Peter offers eight key activities and priorities for operational risk and compliance managers in this period of significant disruption.


Why do policies and procedures exist? They provide a roadmap for the smooth day-to-day operation of business activities. They can provide guidance on how to be compliant with laws and regulations, ensure sound customer and business outcomes, help to streamline decision-making, and generally make business activities as trouble-free as possible. In both normal times and uncertain times, policies and procedures seek to give all employees support in the carriage of business activities.

The current COVID-19/coronavirus social and economic crisis is, however, putting to the test existing, proven and robust policies and procedures in all organisations. The normal operational rhythm has been disrupted, and new ways of operating many business activities are being developed in real time. Many business activities that have operated unchanged for many years are having to be redesigned and reshaped.

Risk managers are now asking themselves many questions: Should we continue to operate our existing enterprise risk or operational risk management frameworks (‘risk frameworks’) unchanged in this environment? Do we temporarily pause our existing risk framework for a while? Do we continue to operate our risk frameworks ‘as is’ but acknowledge the significant disruption to normal activities? Do we need to rewrite our risk frameworks to reflect an extended period of disruption?

Will ‘normal programming’ resume shortly – as the television service message used to say?

The goal for organisations of any size should be to have a dynamic, living and breathing set of operational protocols, policies, and procedures. These should enable a dynamic and flexible approach to doing business that readily flexes and adapts to a changing external and internal environment. The coronavirus crisis, however, is putting to the test the ability of organisations to adapt to a dramatically changing environment.

As has been stated many times, this crisis is unprecedented. Few governance and risk management frameworks can have contemplated the extent of disruption being experienced. Accordingly, risk managers must put aside any desire they harbour to continue ‘business as usual’ without making adjustments that reflect the changing external environment. A fresh approach (and clear head) is needed.

Key activities and priorities for operational risk and compliance managers in this period of significant disruption will include:

Deferring any low priority or non-essential operational risk activities. Existing risk and governance frameworks, reflecting compliance and regulatory requirements, require a range of scheduled periodic activities. This will include, for example, annual or biannual product reviews. Risk managers should look to have many of these deferred to free up the business unit and risk resources for more urgent, higher priority activities.

Liaising closely with internal governance forums and regulators to discuss and agree on revisions to approved governance frameworks in this period. Regulators have already demonstrated significant flexibility in deferring or suspending the legislative agenda and regulatory change projects. All internal and external stakeholders recognise this period is not ‘business as usual’.

Focus on supporting business functions and activities that are being significantly redesigned in response to the crisis. These business functions will have a very different operating model for an extended period. Seek to quickly complete abridged risk assessments so that business changes can be quickly implemented (or even defer completion of the risk assessments until shortly thereafter). Look to redirect operational risk resources temporarily or permanently from business activities that are substantially quieter (or have ceased to operate) in this period.

Maintain strong oversight of key compliance and customer outcomes. All financial institutions will need to continue to ensure that expected customer outcomes are delivered in this period. Financial institutions now see record levels of financial hardship across their consumer and business loan portfolios. In addition, new arrangements are being quickly designed and put in place. High priority needs to be given to ensuring these are robust processes – an important role for compliance and operational risk managers.

Look to bring forward automation and process efficiency initiatives that can support a leaner and more nimble organisation. It will be necessary to cancel or defer many initiatives that may disrupt critical business activities or cannot be funded due to profitability challenges. However, there will be some initiatives that can help the organisation operate more effectively and efficiently in this period. These should be reprioritised and brought forward.

Review management reporting to governance forums and business partners to ensure focus on business-critical activities that have already been disrupted. Risk committee members and executives will want to understand the changing risk profile of the business.

Conduct a review of material third party arrangements. Risk managers and internal stakeholders should be urgently seeking to identify any suppliers, vendors or third-party business partners that have been impacted and/or may be encountering financial stress.

Monitor the impact of restructuring and downsizing. The short-term financial impact of the economic shock of the coronavirus will inevitably lead to significant cost-cutting. It will be incumbent on risk managers to ensure that nothing ‘slips between the cracks’ in this period, and that the organisation is fully aware of the changed risk profile post-restructuring. Risk management functions themselves will also be the subject of restructuring. This will all require significant change management and operational risk support.

A new rhythm will need to be developed for an extended period of disruption ahead. Once the external environment begins to normalise – and it is unlikely that it will return to its previous state – a new operating model may need to be developed for risk governance.

In the medium to longer term, the priorities of both the risk management function and the organisation will likewise evolve. The lasting effects of the coronavirus crisis are not yet known, however there will undoubtedly be significant medium and long-term change for many businesses. For example, those with extensive outsourced and/or overseas operations may look to reassess this operating model. Organisations will inevitably be looking to adopt greater automation – continuing a trend evident for many years.

In summary, normal programming is unlikely to resume in the short, medium or long term. The challenge – and opportunity – for risk managers is, however, unchanged. They should seek to assist and guide their respective organisations through what will be an extended period of change and disruption.


Peter Deans is a former Chief Risk Officer and industry-leading risk management specialist. Peter retired from banking & finance in 2019 after a career of over 32 years at several Australian and international banks.

Peter was awarded Australian Banking & Finance magazine’s Chief Risk Officer of the Year award in 2014, 2015, 2016 and 2018.

Peter is now a risk and strategy consultant supporting companies in the financial services, corporate and start up/technology sectors.

Peter is also the Creator & Founder of the 52 Risks management framework (www.52Risks.com) and a Non-Executive Director of The Regtech Association in Australia.



ACCC Compliance and Enforcement Priorities for 2020

The Australian Competition & Consumer Commission (ACCC) has recently released its ‘Compliance and Enforcement Priorities’ for 2020.

The ACCC is responsible for encouraging compliance with the Competition and Consumer Act 2010. It can also take enforcement action in response to breaches of the Act. Penalties for breaching the Australian Consumer Law are up to $10,000,000 for corporations and $500,000 for individuals per offence.

The ACCC has highlighted the following areas as priorities for 2020:

Competition and consumer issues in:

  • the funeral services sector
  • the digital sector
  • the pricing/selling of essential services (especially in the energy and telecommunications sectors)
  • misleading conduct in selling/promoting food products
  • conduct affecting competition in the commercial construction sector
  • ensuring the protection of small businesses under competition and consumer laws (especially the Franchising Code of Conduct)
  • ensuring compliance with the Dairy Code of Conduct
  • empowering consumers and improving industry compliance with consumer guarantees (especially with respect to high value goods, e.g. motor vehicles, electricals, whitegoods)
  • pursuing regulatory options to prevent injuries and deaths to children by button batteries
  • finalising the recall of vehicles with Takata airbags.


Enduring priorities

The ACCC has identified certain areas as ‘enduring priorities’, owing to their continued potential to undermine consumer welfare and the competitive process. These include:

  • cartel conduct
  • anti-competitive conduct
  • product safety
  • conduct impacting vulnerable and disadvantaged consumers
  • conduct impacting Indigenous Australians.


COVID-19 Crisis

The ACCC is alert to any instances of unfair or unconscionable conduct on the part of businesses in dealing with consumers during the current COVID-19 crisis and is looking at issues such as:

  • travel cancellations and changes
  • event cancellations
  • product price increases
  • gym closures



Competition & Consumer Protection – Online Compliance Training

It is crucial that businesses operating in Australia comply with their obligations under the competition and consumer legislative regime. It is also important for your staff to be aware of their obligations under the Act.

GRC Solutions’ Competition & Consumer Protection courses are designed for both general staff and management teams. Our courses have just been visually refreshed with a new design format to help create an engaging and effective learning experience.


So be good for goodness sake: workplace behaviour at end-of-year events

As we head into the silly season, it’s worth keeping in mind that silliness is no excuse for poor standards of behaviour or even misconduct at work functions.

We’ve all heard stories about office parties where a worker has embarrassed themselves and/or others, or caused harm to others, because they’ve had too much to drink or just gotten carried away.

We’ve also all heard stories of employers firing staff because of such inappropriate behaviour.

Perpetrators of misconduct often ruin otherwise enjoyable events for the majority and may even cause lingering damage.

But behaviour at work functions is more than just an issue of “fun” – it can also be a serious compliance problem.

Workplace codes of conduct and anti-bullying and harassment laws can extend to conduct which takes place outside what is traditionally considered “the workplace”. This means staff behaviour at work functions held at off-site venues is included in the scope of the law. In some situations, travel to and from such events may also be covered. Laws and policies may also apply to posting online about work or work events, for example, uploading pictures of colleagues or commenting on other people’s posts.

Employers are responsible for providing a safe work environment for staff (including volunteers and contractors) as well as clients. A safe work environment means one which is free from bullying and harassment. Your organisation could be held liable for inappropriate staff behaviour at work functions.

Most people have no issues treating others with respect and professionalism while having a good time. Others might need a reminder.

Ensuring all staff members are informed of and understand the standard of behaviour expected of them at these events helps everyone to have a great time and can go a long way towards preventing lingering legal or reputational consequences.

GRC Solutions is an award-winning provider of compliance training. To find out more about our Diversity & Equality course which details how your workplace should manage and prevent bullying, contact us today.

Australian company cited in US indictment for million-dollar bribes to Iraqi officials

The US Department of Justice (DoJ) has alleged that senior executives of Australian company Leighton Holdings (now known as CIMIC) were involved in offering bribes amounting to AU$8.25 million as part of an effort to win a billion-dollar construction project in Iraq.

The allegations were made in the context of the DoJ’s wide-ranging inquiry into Unaoil, the Monaco energy industry consultancy said to have helped global companies such as Leighton and Rolls Royce to bribe officials.

According to the DoJ, back in 2010, senior executives at Leighton Offshore had targeted construction jobs in Iraq that were worth up to $2 billion. The executives sought to bribe corrupt officials in the Iraqi government that had been identified to them by Cyrus and Saman Ahsani, the brothers who ran Unaoil with their father, Ata. If Leighton’s bid to win the work were successful, it was envisaged that the brothers would win millions of dollars in commissions – enough for Unaoil to pay off corrupt officials within the oil ministry of Baghdad and the government’s South Oil Company.

The DoJ’s 2019 indictment alleges that “certain executives at [a business referred to as ‘Company 8’] ensured” there were “sufficient funds to make bribe payments to Iraqi government officials”. A Fairfax report identifies former Leighton executive, Russell Waugh, as a key figure, and while the indictment only refers to ‘Company 8’ as a “listed Australian company”, Fairfax further alleges that “it is clear it is Leighton”.

Unaoil executive Peter Willimont is alleged to have met with Waugh in May 2010 in a Perth hotel, where the pair, along with others, “agreed to rig the bidding process for projects in Iraq”.

The Ahsani brothers have already pleaded guilty to charges of bribery and money laundering as well as to having “destroyed incriminating documents with the intent to prevent their discovery by law enforcement”. They have since become FBI informants.

This is the longest running bribery case in Australian history. If found guilty, CIMIC could face penalties running into hundreds of millions of dollars.

Sources: 2019 indictment; Leighton Holdings 2016

GRC Solutions is an award-winning provider of compliance training. To find out more about our Anti-Bribery course, contact us today.


GRC Solutions Perth Whistleblowing Seminar 2020

First GRC Solutions Perth event for the year: Whistleblowing

GRC Solutions hosted its latest lunchtime seminar in Perth on 19 February – Whistleblowing 2.0 – making whistleblowing work, considering post policy practicalities. We were very pleased to welcome key legal, risk and compliance professionals from diverse organisations along with local members of the GRC Institute.

Our presenter was Kirsten Trott, an international expert on whistleblowing systems. Kirsten is the founder of Moken Consulting, a boutique consultancy focused on advising companies how to move beyond compliance and get their whistleblowing systems working in practice. Kirsten spent several years working internationally; she was at the forefront of promoting whistleblowing in the UK’s push for a more transparent and accountable corporate culture in the early 2000s. More recently she ran the global whistleblowing program for Standard Chartered Bank out of Singapore.

Now that organisations have whistleblowing policies in place, Kirsten’s focus was to guide the audience through the next steps for whistleblowing. She had a number of useful anecdotes (in some cases rather humorous ones) where organisations had got whistleblowing wrong and discussed how to get it right.

She talked about:

  • Policy implementation imperatives
  • Policy commitments and processes in practice
  • How to avoid the big fines – providing practical protections
  • Monitoring and reporting on your whistleblowing data – who needs to know what.

The new whistleblowing laws impose significant responsibilities on Australian organisations and the audience found Kirsten’s presentation informative and practical. They went away with a heightened understanding of the strategies and tactics available to them in meeting those responsibilities.

GRC Solutions will continue to provide seminars focusing on specific legislation and regulations which will allow legal and compliance professionals to engage good governance practices. The next event will be announced soon.

GRC Solutions is an award-winning provider of compliance training. To find out more about our Whistleblowing course, contact us today.

An article written by
Tricia Clarke
Business Development Manager for WA/SA
GRC Solutions

GRC Solutions held a Perth event on Modern Slavery

Last month in Perth, GRC Solutions hosted a lunchtime seminar on Modern Slavery and were very pleased to welcome key legal, risk and compliance people from diverse organisations along with local members of the GRC Institute.

GRC Solutions were delighted that Kimberly Randle, Principal Lawyer at Fair Supply, Australia’s first law firm dedicated to working with organisations to implement Modern Slavery legislation, was in Perth to deliver this presentation.

Kimberly is an experienced human rights advocate and an expert in the field of Modern Slavery. She was able to talk to the audience about how to apply and operationalise the Modern Slavery Act 2018 in their organisations. The presentation discussed the following key issues:

  • How to identify and address modern slavery risks in operations and supply chains
  • Scope and application of the Modern Slavery Act
  • Operationalising policy and document review
  • Risk mitigation and remediation
  • How to engage with high risk suppliers
  • What is considered sufficient compliance for a Modern Slavery Statement

Those attending found the presentation to be very informative and practical, and this led to some great questions from the floor. It was also an opportunity to meet peers, discuss where Modern Slavery could be found in their supply chains and understand what others may be doing to address the reporting requirements of a Modern Slavery statement.

GRC Solutions will continue to provide seminars focusing on specific legislation and regulations which will allow legal and compliance professionals to engage in and drive good governance practices. The next event is planned for February 2020 and will cover Whistleblowing.


GRC Solutions is an award-winning provider of compliance training. To find out more about our Modern Slavery course, contact us today.

An article written by
Tricia Clarke
Business Development Manager for WA/SA
GRC Solutions

Top 5 employee induction tips

The first few days of introducing a new hire into the workplace are the best time to build a mutually beneficial professional relationship. While they’ve passed the application process and the pressure of interviews, it’s what happens during orientation that will influence performance in the long run. With this in mind, here are some top tips on setting the groundwork for retaining fresh talent that adds value to your team:

  1. Prepare your induction infrastructure

Even the smallest details, such as having computer logins ready and some friendly faces to help a new person settle in, can make all the difference. For managers, taking the time to cover logistics such as an entry pass, a quick tour of the facilities and the fire exits communicates that your organisation values safety and compliance. Establishing this ‘tone from the top’ from the beginning has a direct influence on employee conduct in the long term.

  2. Cultivate corporate culture

Establishing whether a person will be a good fit for the organisation can be made clearer during the recruitment process by having a casual ‘culture fit’ chat after someone has passed the initial interview. Beyond this, encouraging morale-building activities such as team lunches and checking in for feedback on how the person is settling in, makes for a smooth transition. The benefit of engaging effectively at this stage of the onboarding process is to increase employee retention. A study referenced by the Society for Human Resources Management reveals that 69% of employees are likely to stay with a company for three years or more if they have a positive experience during orientation.

  3. Clarify job roles and responsibilities

The induction process is an ideal opportunity to readdress the finer details of the job role and clarify any concerns. Facilitating an open flow of communication can be achieved through holding an informal meeting which covers how they can best meet the needs of the organisation, alongside how you can enhance their experience through flexible working arrangements for example. Additional strategies such as introducing a mentor to explain the ‘ins and outs’ on areas such as document control and cybersecurity measures encourage best practices from the outset.

  4. Embrace the ‘learning by doing’ approach

A structured onboarding program with comprehensive on-the-job training has been shown to produce a 62% increase in time-to-productivity ratios. In a supportive environment where it’s possible to develop the necessary skills and learn on the job, new employees are given the tools to understand how they are contributing to the organisation’s objectives in the bigger picture. As data published by Aberdeen Group illustrates, “employees are more likely to stay with a company, and to continue to strive to perform, when they are challenged by their job, enjoy the company culture, and feel supported and valued by the organisation.”

  5. Educate on internal policies and obligations

Developing a culture of compliance starts from the ground up and every workplace strives to have employees that have taken the company values on board, fit in with the culture and act ethically. The first step towards achieving this is a well-organised orientation program that includes compliance training on the company’s code of conduct and other internal policies and procedures. Information should also be provided on who to contact with questions or concerns about what regulatory obligations affect the employee’s specific job role.

In essence, these five tips illustrate that investing in comprehensive training that instils the values of a positive workplace culture, a focus on compliance and goals for productivity will put your organisation at the forefront of employee satisfaction and business success.

Sources: Society for Human Resources Management; Harvard Business Review

GRC Solutions is an award-winning provider of both off-the-shelf and bespoke compliance training. For more information on how our courses can contribute to positive workplace behaviours in your organisation, contact us today.


The global problem of modern slavery

In this article Kimberly Randle, Fair Supply’s Executive Director and Lawyer, discusses the global problem of modern slavery.

The latest data unequivocally demonstrates that addressing environmental, social and governance (ESG) issues including modern slavery, is a proven business strategy that results in increased profitability, return on investment and overall brand enhancement. Larry Fink, CEO of Black Rock Investments, stated in his 2019 letter to CEOs that the “purpose is not the sole pursuit of profits but the animating force for achieving them. Profits are in no way inconsistent with purpose – in fact profits and purpose are intrinsically linked.” This comment has resonated deeply with me this year as I have sought to pioneer Fair Supply, a law firm exclusively dedicated to partnering with organisations to fulfil their transparency and reporting obligations under the Commonwealth Modern Slavery Act. I launched Fair Supply as a forward-thinking response to assist the private sector to not only achieve compliance but also move the needle on modern slavery, an issue that still affects over 40 million people globally.

17 out of the 40 million victims of modern slavery around the world are exploited in the private economy, distorting global markets and undermining responsible business. The Modern Slavery Act 2019 (Commonwealth) is the first piece of domestic legislation that provides a definition of modern slavery including trafficking in persons, slavery, servitude, forced marriage, debt bondage, child labour, deceptive recruiting and forced labour. The implications of this new legislative framework for addressing modern slavery in Australia are significant. The reporting obligation under the Modern Slavery Act refers to the requirement for reporting entities to publish an annual Modern Slavery Statement addressing seven mandatory reporting requirements relating to a description of modern slavery risks in the reporting entities’ operations and supply chains. The description of those risks includes a description of all factors that have the potential for reporting entities to, in a material way, cause, contribute to or be directly linked to modern slavery. While the Modern Slavery Act sets out clear obligations, it also provides profound opportunities.

Prior to launching Fair Supply, I was the Senior Director of Corporate and Legal for International Justice Mission Australia, a partner office of the world’s largest anti-slavery NGO. During that time, I was in a unique position to witness the real-world impact of the efforts of my international colleagues in rescuing victims of modern slavery from brick kilns in India and from cybersex-trafficking dens in the Philippines. In the midst of such experiences I became aware of the scale of human rights abuses hidden within the complexities of international supply chains. Put simply, modern slavery functions within the ubiquitous economic model of supply and demand, which also provides a unique opportunity for Australian businesses to lead the global market in incorporating transparency, humanity and acuity into best practice.


GRC Solutions is an award-winning provider of compliance training. To find out more about our Modern Slavery course, contact us today.

An article written by
Kimberly Randle
Executive Director and Lawyer
Fair Supply


Foreign Financial Services Providers. Will new rules from ASIC make it easier to do business in Australia?

In this article, Liam O’Brien, GRC Solutions’ Senior Consultant, discusses the new rules from ASIC.

ASIC are reviewing the existing Australian Financial Services Licence (AFSL) requirements for offshore providers of financial services in Australia, known as Foreign Financial Services Providers (FFSP).

The existing rules for FFSPs required that they meet one of two options in order to rely on exemptions in providing regulated services in Australia (regulated services being those that would ordinarily require an AFSL). The two existing options are summarised below:

1. Adequate equivalence and/or limited connection

Equivalence is the basis for an exemption most often provided to businesses in other common law jurisdictions with similar regulatory intent and requirements to those in Australia – in particular, those countries with existing regulatory cooperation agreements with ASIC including Germany, Singapore, Hong Kong, United States and United Kingdom.

A limited or incidental level of involvement with, or reliance on, Australian customers (wholesale only) is another avenue of exemption under the current framework.

As it stands, both are open to interpretation by both the regulator and the regulated and in some circumstances, this can lead to uncertainty.

2. ASIC Consultations

Consultation papers 301 (CP 301) and 315 (CP 315) both seek to explore the merits of change to the current regime. Both set the scene for an alternative licensing regime consistent with AFSL, for FFSP.

At the time of writing no new regulatory guidance has been published to replace Regulatory Guide 176 (RG 176) or information sheet 157 (INFO 157). However, CP315 strongly indicates that both will be updated to reflect ASIC objectives and the outcomes of the consultation process.

What’s next

ASIC are clear that they will remove INFO 157 and amend RG 176. FFSPs who rely on these exemptions should be seeking advice on the implications of applying for an AFSL.

It may also be a reasonable expectation that the regulatory certainty afforded by a clear process may increase the number of businesses wanting to expand to Australia.

GRC Solutions is an award-winning provider of compliance training and advisory consulting. To find out more about our consulting services, contact us today.

An article written by
Liam O’Brien
Senior Consultant


Nowhere to run to, nowhere to hide. APRA update rules on contagion risk

In this article, Liam O’Brien, GRC Solutions’ Senior Consultant, explains the APRA update to the rules on contagion risk.

The title sounds a little dramatic but perhaps no more so than the term “contagion risk” which APRA are using to describe risks arising from associations and related entities of ADIs.

The Prudential Standard in question is “APS 222 Associations and Related Entities”, which was re-released by APRA to address “… concessions in the existing framework [which] led to some ADIs establishing operations in foreign jurisdictions, which are managed and funded within the domestic bank…” (John Lonsdale, APRA Deputy Chair).

Clearly, some ADIs were taking advantage of these structures (which are outside APRA’s jurisdictional visibility) often in attempts to shift costs and/or manage regulatory capital.

What’s new in APS 222

APS 222 will come into effect on 1 January 2021 which should provide impacted businesses with sufficient time to address complex requirements such as “step-in risk”, which occurs in circumstances where an ADI is required to support an entity that is of questionable relatedness.

Other key areas of interest for ADIs are:

  • Extended definition of related entity to include common material shareholders and directors;
  • Obligations and requirements for the assessment of contagion risk(s);
  • Removal of options for ADIs’ overseas entities to be regulated via APRA’s Extended Licensed Entity Framework;
  • Changes to limits of exposure for ADIs with overseas subsidiaries; and
  • Changes to requirements for ADIs with associations to fund management vehicles.

Where’s the impact

APRA reports that the final version of APS 222 is considerate of the feedback, suggesting the initial proposals may have been an overreach or not particularly considerate of practical implications.

The impact is most likely going to be felt the most by those who are relying on associations and related entities to better manage regulatory capital and this is not always for dishonourable purposes.

As is often the case, smaller players who have the same regulatory burden to shoulder as the big end of town may find this to be one hurdle too many, at a time when the timing of (frequent) regulatory changes seems out of step.

Source: APRA

GRC Solutions is an award-winning provider of compliance training. To find out more about our Compliance Training, contact us today.

An article written by
Liam O’Brien
Senior Consultant


Preventing data breaches: when one wrong click becomes a costly business

You come into work with fifty unread emails waiting and the chime of notifications for all the tasks to be completed ASAP. A few flurried hours later, with a cascade of tabs open and an important email ready to go out to a hundred clients, you finally hit send and breathe a sigh of relief. That is, until you realise that you just made everyone’s contact details visible thanks to using the ‘CC’ field instead of ‘blind-copy’.

When human errors like these happen, there’s reason to investigate whether gaps in staff training or an organisation’s compliance culture are a contributing factor. The scenario above is not far from reality. In August 2019, a marketing employee from a global real estate company published the email addresses of 300 customers to each recipient which led to an internal investigation and snowballing costs. After reporting the incident to the Office of the Australian Information Commissioner, the company spent thousands on advice from consulting firms and lawyers to fix the aftermath of the mistake. It was eventually found that the organisation did not have a data breach response plan in place.

Security in Depth’s 2019 State of Cyber Security in Australia Report found that 55% of Australian organisations don’t have a cyber governance platform in place, and 38% of companies have not carried out any structured cyber awareness training. It’s true that there may always be an underlying risk that an employee simply isn’t paying enough attention to the task at hand. But it pays to have a framework in place so that staff in the organisation can be more aware of the risks connected to privacy concerns and the impact this has on costs, workflow and reputation in the industry. Knowing both how to prevent data breaches and act in response if the worst-case scenario does eventuate is key.

Cyber security awareness is more than just an IT issue. It goes beyond being able to send emails correctly, recognise suspicious links in phishing scams or keep anti-virus software up to date. It’s about ensuring that both your staff and clients are confident that your organisation can be trusted to keep their sensitive information out of the wrong hands.

Sources: Security in Depth; The Age; Australian Cyber Security Centre

GRC Solutions is an award-winning provider of e-learning and compliance training that can be customised to your organisation. For more information on our Cyber Security course, contact us today.

Main Street Banking & GRC Solutions – Podcast

Justin Muscolino, our Head of Compliance Training North America, has been interviewed by Byron Earnheart of Main Street Banking in this very informative podcast discussion about compliance training.

Compliance training does not have to be boring. As a matter of fact, in the many years that we have been evaluating our faculty and our curriculum, one of the highest rated classes is Compliance. The faculty members contribute a great deal to this, to be sure, but the topic is one that must be discussed. And if that’s the case, then let’s make it interesting and actually beneficial to the bank.

Dodo makes admission for misleading advertising

The Australian Competition and Consumer Commission (ACCC) has accepted a court enforceable undertaking from Dodo Services Pty Ltd (Dodo) after Dodo admitted its conduct was likely to be false or misleading and in breach of Australian Consumer Law (ACL).

Between 2015 and 2018, Dodo advertised its NBN plans as “perfect for streaming”, including plans providing only 10 gigabytes of included data. The advertised statement of “perfect for streaming” was found to be an inaccurate representation of Dodo’s capacity to provide internet to customers on the 10 gigabyte plan.

The ACCC highlighted issues with the amount of data offered, the speed and video quality offered by plans which did not meet the “perfect for streaming” standard relied upon by consumers. Customers who purchased plans containing 10 gigabytes of data from Dodo were required to pay fees for exceeding their data even though they were simply using the service as advertised. Dodo’s advertised service and the subsequent service delivered were a false performance claim and misleading to consumers.

Following Dodo’s admission, the telco agreed to refund up to AU$360,000 to 16,000 affected customers. In addition, affected customers can also exit their contract at no extra cost. The arrival of the ACCC’s 2019 Compliance and Enforcement Policy indicates that the ACCC will continue to have a strong consumer law focus in 2019. False and misleading advertising by telcos will continue to be investigated by the ACCC, as customers rely on how internet service providers describe their service when picking the best broadband or mobile plan for themselves. As data quality, quantity and performance have become increasingly important for consumers, network operators have had to respond to the growing demand for connectivity. Companies must ensure that any claims they make about the quality and standard of products or services are accurate. The ACCC will act against exaggerated advertising claims which fail to comply with the ACL.

Source: ACCC (Australian Competition & Consumer Commission)

GRC Solutions creates award-winning training programs on a range of legal compliance areas. For more information on our Competition and Consumer Protection course, contact us today.

Introduction to Risk Management


British Airways faces record fine for GDPR breach

British Airways faces a £183 million fine (AU $329 million) by the UK Information Commissioner’s Office (ICO) for breaching the EU General Data Protection Regulation (GDPR).

The ICO found that hackers infiltrated British Airways’ website and app and directed customers to an identical-looking fraudulent platform which harvested their credit card details. Approximately 500,000 customers were affected.

The GDPR has been in effect since May 2018. One of the principal requirements under the GDPR is that businesses maintain certain standards of security to protect personal data they collect or hold. Businesses are also required to report security breaches to their regulator within 72 hours of becoming aware of the breach. While British Airways reported the breach within the required time frame, the ICO still found that it had failed to implement adequate security measures in and around its online booking applications to protect their customers’ data from a cyber attack.

This is the first penalty announced by the ICO for enforcement under the GDPR. The amount represents 1.5% of British Airways’ annual turnover. Under the GDPR, businesses may be fined up to 4% of their annual turnover.

This case demonstrates the need to exercise responsible data privacy management and for businesses to ensure they are aware of and up-to-date on current cybersecurity and technology risks.

While a final penalty amount is yet to be determined and British Airways does have an opportunity to appeal, it’s expected that regulators will take a firm stance on companies who aren’t investing enough into their data security policies. As explained by Information Commissioner Elizabeth Denham, “That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken the appropriate steps to protect fundamental privacy rights.”

Sources: The Guardian; Reuters; ICO

GRC Solutions provides both off-the-shelf and bespoke training on issues surrounding privacy and data protection. To find out more about our GDPR course, contact us today.


Garuda breaches competition and consumer protection laws

Garuda Indonesia has been penalised for cartel conduct after a 10-year long legal battle.

In May 2019, the Federal Court of Australia ordered Garuda to pay a penalty of AUD$15 million for breaching Australian competition and consumer protection laws. Garuda was found to have engaged in various price-fixing arrangements on the supply of air freight services. The Court heard evidence that Garuda and other international airlines had formed committees which agreed to set fuel, security and customs charges at predetermined levels. The Court ordered Garuda to pay an additional $4 million for insurance and fuel surcharges imposed on freight from Hong Kong-based airports.

Regulators worldwide continue to take legal action against airlines for anti-competitive practices. The Australian Competition and Consumer Commission (ACCC) has commenced legal action against 14 international airlines for engaging in price fixing between 2003 and 2006, with issued penalties totalling $132.5 million. Numerous international airlines, including Qantas Airways, Singapore Airlines Cargo and Air New Zealand, were found to have breached competition law. The ACCC’s determined pursuit of Garuda and the amount of the fines awarded illustrate the ACCC’s strong stance against anti-competitive behaviour.

In addition to cartel conduct, the ACCC has taken enforcement action against airlines for misleading consumers about their rights under Australian Consumer Law (ACL). Major Australian airlines like Virgin Australia and Qantas have given court-enforced undertakings to bring their policies in line with the ACL. Jetstar however, has been less fortunate, as blanket “no refund” statements on its website led customers to believe their flight tickets were ineligible for refunds. Jetstar admitted liability and was ordered to pay $1.95 million for making misleading statements about consumer rights under the ACL.

Source: Australian Competition & Consumer Commission (ACCC)


GRC Solutions offers award-winning compliance training in a range of areas, including Competition and Consumer Protection. To learn more about our courses, contact us today.


Compliance Evangelist & GRC Solutions – Podcast

Justin Muscolino, our Head of Compliance Training North America, has been interviewed by Tom Fox, the Compliance Evangelist, in this very informative podcast where they talk all about compliance training and how to help organisations. This podcast is available on Spotify, iTunes, YouTube and Megaphone.

Some of the highlights include:

  1. Why do organisations struggle so much with culture, and what can compliance training do to improve this?
  2. What do organisations often get wrong when it comes to training?
  3. What happens when organisations do not target their training?
  4. One of the issues that organisations face is measuring the effectiveness of their training and benchmarking whether their compliance is working. How can a compliance professional use benchmarking?
  5. In a blog post on the GRC Solutions website we talk about ways to train compliance professionals on how to improve their cultures. How can you train compliance officers around this issue?
  6. What advice is there for companies trying to incorporate the right culture into their organisations?

George Clooney impersonator charged with identity theft scam

An Italian couple has been arrested in Thailand after conning investors into believing that their clothing business was endorsed by actor and filmmaker George Clooney.

Francesco Galdeli and Vanja Goffi had set up a fashion company called “GC Exclusive by George Clooney”. They had claimed to investors that Clooney was involved in the business and that clothing produced by the company would be sent for export.

The real George Clooney took legal action against the pair for fraudulently using his name back in 2010 and they were sentenced in Milan to 8 years’ imprisonment. They managed to flee Italy but were subsequently arrested in July 2014 after they were found living in Pattaya, Thailand on an expired visa. But Galdeli successfully bribed prison guards with 20,000 Thai baht to cover their escape.

Galdeli and Goffi are known to have operated a range of other scams, including advertising fake Rolex watches online and sending customers packets of salt instead. It was not until June 2019 that Interpol, in conjunction with Thai and Italian authorities, was able to catch the fraudsters for good.

This George Clooney imposter scam isn’t the first time a celebrity’s name has been used to deceive victims. In 2017, a scammer posing as Bruce Springsteen defrauded a woman in Chicago out of US$11,000 by sending her Facebook messages which stated his marriage was ending and he had lost control of his assets. The scheme started relatively small, with the victim sending the fraudster $500 in iTunes cards over a few weeks. But things quickly escalated, with “Springsteen” sending a photo of gold bullion he claimed to have located in Dubai and asking the woman to send thousands in money transfers in order to cover shipping of the bullion to the US.

While many people may like to think they would never fall for such a ploy, the US Federal Trade Commission reported that in 2018 consumers lost close to US$488 million to all types of impostor scams. Whether it’s someone famous contacting you at random, or a member from a “government agency” calling to update your bank details, it always pays to question who’s really at the other end of the line.

GRC Solutions creates award-winning training programs on a range of legal compliance areas. For more information on our Privacy or Fraud Awareness courses, contact us today.

Salt Adaptive product update

Counterfeit goods: fraud, terrorist funding and third party risks

Everyone loves a bargain, but the true cost of counterfeit goods to businesses and individuals is complex and often deeply chilling.

A US$1.7 trillion problem and counting

We often think of the counterfeit goods industry as tourists browsing through “luxury” sunglasses, watches and handbags, care of a street vendor or maybe a clandestine showroom. But that’s only the tip of the iceberg – after all, it’s an industry that according to the OECD costs the global economy more than US$1.7 trillion. Just look at online retail, which allows consumers to connect with retailers of fake goods half a world away – most commonly in China, although India, Malaysia, Pakistan, Thailand, Turkey, Vietnam and South Korea are all also reported to be major sources of illicit goods.

And that’s just the consumer level. Businesses’ supply chains are rife with counterfeit goods, often unknowingly. Legitimate businesses have been found selling everything from counterfeit apparel and accessories to counterfeit toothpaste, wine, vitamins and more.

Risky business

Firstly, and most obviously, there are intellectual property (IP) issues associated with dealing in products that are clearly imitations of someone else’s designs.

The counterfeit goods are generally not of the same quality as legitimate products or as thoroughly regulated. Many are even actively dangerous. Dealing in counterfeit goods puts your customers’ health and safety at risk – not to mention the host of reputational and legal risks you and your organisation could face should the worst happen.

One of the reasons that counterfeit goods are sold so cheaply is that they tend to be manufactured under forced labour conditions and/or by persons who have been trafficked. This might be a good time to remind you that some jurisdictions, including Australia, require businesses to report on the risks of modern slavery in their supply chains, making this a regulatory compliance consideration as well as an ethical one.

Finally – and perhaps most disturbingly – the production and sale of fake goods have been shown to have been used as a method of fundraising by organised crime and terrorist organisations. Apparently, it’s even more profitable than drug trafficking. For those entities who have anti-money laundering/counter-terrorist financing obligations (AML/CTF), that should ring a few alarm bells. And even those who don’t should be aware that dealing in property owned or held by terrorists is an offence with severe penalties in many jurisdictions.

So how can I ensure my business stays clear of fake goods?

Due diligence is king. Vet your customers and third parties, including your suppliers – remember, their actions could have real, significant implications for your business. Always know your product. Ensure your quality control standards are up to par and are being enforced.

It’s natural to be tempted by something that seems like a good deal. But if it’s too good to be true… remember the risks.

Contact GRC Solutions today for more information about our off-the-shelf and bespoke online training modules on Anti-Money Laundering, Modern Slavery, Fraud, Third Party Risk and more.


GRC Solutions has won the top compliance training and custom development awards in the Asia Pacific at the LearnX Live! Awards 2019.

The LearnX Foundation’s annual awards represent the industry standard in the region.

GRC has good form at the awards, having won for our online compliance training every year since 2008.

This year, we won platinum for Best Learning & Development Project (Compliance) for the Banking Code of Practice course we developed with the Australian Banking Association. It’s our twelfth win in a row in this category.

The course brings to life the Code’s best banking practice standards, using scenarios and a sleek, modern design to flesh out precepts on ethical behaviour, responsible lending, greater financial protection and increased transparency. It is now being used by ABA member banks throughout Australia.

LearnX also awarded us platinum for Best Learning Model (Bespoke/Custom) for our work with Western Australia’s Department of Mines, Industry Regulation & Safety (DMIRS) on a suite of continuing professional development (CPD) e-learning modules.

DMIRS needed to transform its existing face-to-face training manuscripts into fully fledged online training. This involved drawing on GRC’s writing and editing expertise, as well as developing voiceovers and interactions.

Managing Director Julian Fenwick says the accolades consolidate our place as “leaders in governance, risk and compliance training”, and reflect the “high standards” of our in-house account management, content development, legal and client services teams.

Congratulations to our clients ABA and DMIRS, and to all the winners!

Protecting whistleblowers isn’t just a compliance exercise, it’s good for business

Some of the world’s most significant cases of corporate fraud and misconduct first came to light as a result of whistleblower disclosures.

Sherron Watkins and Cynthia Cooper, then-employees of Enron and Worldcom respectively, were key to exposing the massive accounting fraud schemes underlying the businesses.

Jeffrey Wigand was Vice President of Research and Development at Brown & Williamson Tobacco Co. when he blew the whistle on the true addictive quality of cigarettes and exposed deeply unethical business practices within the industry.

In Australia, Jeff Morris was a former financial planner at the Commonwealth Bank of Australia who in 2008 reported his experiences of corruption to the Australian Securities and Investments Commission (ASIC). This disclosure is often credited with instigating what would become the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (also known as the Banking Royal Commission or the Hayne Royal Commission).

Multiple studies across the private and public sectors in Australia and overseas have shown that whistleblowing is the most effective way of identifying wrongdoing in organisations. A PricewaterhouseCoopers survey of 3,000 in 54 countries found that whistleblowers were the most common source of identification of internal wrongdoing. Research from universities, including the Chicago School of Business and the University of Toronto, supports a similar conclusion, with findings that employees were the number one fraud detection mechanism when it came to corporate wrongdoing.

The Australian government has enacted new amendments to strengthen the protections for whistleblowers across a range of circumstances. Under the new laws, public companies, large proprietary companies and registrable superannuation entities must have a whistleblower policy containing specific information about how disclosures can be made and will be dealt with. Those entities will also be required to ensure that persons who make disclosures that are within the scope of the law do not suffer a reprisal as a result of having made the disclosure.

But protecting whistleblowers should be more than a matter of statutory compliance. Early identification of misconduct is key to minimising adverse impacts on the organisation, but staff and third parties are less likely to report if they feel like they’ll be subject to retaliation. So it’s in all businesses’ best interests to remove barriers to making internal disclosures and ensure whistleblowers’ safety and, if relevant, anonymity.

Contact GRC Solutions today to learn more about training your staff on how to deal with and make whistleblower reports.

7 Tips for Creating a Successful Compliance Training Program

In this blog post, Justin Muscolino, GRC Solutions’ Head of Compliance Training in North America, gives tips on how to create a successful compliance training program. This blog post has been created in partnership with eThink Education.

Many organisations struggle with constructing a solid compliance training program. It’s not a hard chore, but it requires attention and research. The common perception is that we need to do what the regulators want and focus less on the real risks that are paramount to an organisation. Regulators want organisations to mitigate risk and control it in such a fashion that there are no concerns. Sometimes regulators will suggest or recommend a topic for inclusion, but if it doesn’t make sense for your organisation’s structure then why include it? A few regulators will require certain training topics, which obviously need to be included, but beyond that, it’s purely about the risk profile of an organisation.

It’s one thing to have all the components in a training plan from a risk perspective, but you still need to build effective training.

Building effective training doesn’t have to be difficult, but in order to achieve the main goals of mitigating risk and increasing employee learning retention, you want the materials to be impactful and meaningful. Include these elements to ensure a memorable compliance training program.

How to Create Impactful and Meaningful Compliance Training

  • Retention. The best way to grasp this concept is to look at the Learning Pyramid. This shows how people best retain information. Utilise an approach that works best for your target audience.
  • Creativity. With every training, regardless of if it’s classroom or online, you want to be creative with the subject. Try incorporating pertinent case studies or regulatory actions that best suit the audience.
  • Interactivity. Engaging your audience is important. It not only helps with retention, but it allows them to be part of the training delivery. Exercises that incorporate real-life examples and get employee involvement are also crucial.

Increase Efficiency

Another consideration in a solid training plan is to create efficiency. Here are a couple of things to keep in mind to make the efforts efficient:

  • Budget. Always ask for more funds than needed. During the year, the training plan will change, and you might be asked to add more initiatives due to regulatory changes, updated policies and procedures, new products and services offered, new systems and management mandates.
  • Exclusivity. Review all the training entries to determine if there are any overlaps of topics between departments. It’s always a great idea to train more than one department at a time if there is a workflow that impacts both areas. It’s also great for relationships between departments.
  • Time-saving. The goal is also to save time since you are taking staff members away from their desk. So, if you can produce one training that covers multiple topics and they are related, your audience will appreciate it. For example, if you have two regulations to discuss and they are somewhat intertwined, it’s better to have an hour and a half spent than two hours.
  • Avoid overtraining. Determine what percentage of the training plan each topic represents. The goal is to see if there are any concentrations that may lead to overtraining.

Creating an efficient training program is not a difficult chore, but it must be done right and you have to put forth the appropriate due diligence for it to be successful. Remember, after you create a training plan it becomes a living document. This means that during the course of the year it will change based on new rules and regulations, industry advances and, don’t forget, internal changes. And lastly, the ultimate goal of a training program is to have a positive shift in compliance culture.

An article written by Justin Muscolino
Head of Compliance Training
North America

Ausdrill’s missing $10 million

Ausdrill, Australia’s second largest mining services company, dismissed an Australian-based employee after uncovering a scheme involving $10 million in fraudulent payments. The employee’s misconduct went undetected for eight years as the employee authorised and concealed payments to an unrelated invalid supplier. Police are now investigating the matter and conducting a criminal examination of the employee. Ausdrill is not providing further information about the fraudulent conduct while the police investigation is underway.

Ausdrill’s managing director Mark Norwell says that the fraudulent activity was uncovered through regular checks in compliance with the company’s policies and procedures. Ausdrill subsequently hired EY to conduct a thorough investigation. The company is now completing a comprehensive review to understand how the fraud occurred and how it can better protect itself in the future.

The long-term, sophisticated nature of the fraud highlights the need for companies to have appropriate systems and checks in place to help prevent internal and external fraud.

The case also puts a spotlight on the high risk presented by internal and supplier fraud. A well-designed protocol to investigate fraud will increase the possibility of catching fraudulent behaviour and decrease the losses from the crime. More than that, fraud should be something companies actively try to prevent through training and awareness-raising.

GRC Solutions offers award-winning compliance training in a range of areas, including fraud awareness. To learn more about our courses, contact us today.

Source: Australian Mining, ASX Exchange Notice

1MDB case: Trial into global corruption scandal begins

The trial against former Malaysian Prime Minister Najib Razak has continued to unveil the depth of corruption involving 1Malaysia Development Berhad (1MDB). Over two hearings at Malaysia’s High Court, Mr Razak has so far pleaded not guilty to seven charges relating to criminal breach of trust, money laundering and abuse of power surrounding the theft of US$10.3 million from 1MDB subsidiary SRC International (SRC). With a total of 42 charges levelled against him and multiple companies involved worldwide, the repercussions are set to be ongoing.

Both the US Department of Justice and Malaysian prosecutors have taken legal action, with an estimated $US4.5 billion in total misappropriated from the state investment fund 1MDB. In his capacity as both prime minister and finance minister, Najib was able to use his position to allegedly divert funds into personal accounts and provide for a lavish lifestyle. US-based investment bank Goldman Sachs has also been brought into the scandal. Former employees are said to have falsified statements relating to illegal bond transactions with 1MDB and taken advantage of lenient compliance procedures.

The assistant registrar at the Companies Commission of Malaysia gave technical evidence on corporate records during the first day of the trial. SRC, its subsidiary Gandingan Mentari and Ihsan Perdana, which was a corporate social responsibility partner for 1MDB, have also been implicated. But while many officials involved in the money laundering have been caught, the suspected mastermind behind the entire scheme, Jho Low, remains at large. A second trial will begin in November, focusing on reports that Razak deliberately tampered with the final audit report for 1MDB to mislead the Public Accounts Committee and avoid criminal action. But with 3000 pages of evidence submitted by the prosecution, it appears that this expansive corruption case is unlikely to go unpunished. It serves as a reminder to all government and financial organisations that checks on power and due diligence over where funds are being directed cannot be underestimated.

GRC Solutions is an award-winning provider of compliance training. To find out more about our anti-bribery and corruption or anti-money laundering courses, contact us today.

Source: Channel News Asia, Malay Mail

GO1 & GRC Solutions Partner

GRC Solutions is excited to announce a partnership with GO1. This collaboration brings together one of the leading providers of compliance training with one of the world’s fastest growing marketplaces for eLearning.

GO1 Premium users will now have access to an ever-growing list of titles from GRC Solutions that address critical governance, risk and compliance topics. GRC Solutions makes learning interventions that are suitable for Australia, New Zealand, Singapore, Malaysia, Hong Kong and the United States.

As global leaders in governance, risk and compliance training, GRC Solutions aims not only to train staff, but also to develop and improve the compliance culture across a business. “The GRC Solutions team is excited to be working with GO1! This collaboration will help advance our message around the importance of education in supporting positive workplace cultures”, said Dean Rogers, GRC Solutions’ Head of Sales and Marketing.

About GO1

GO1 is an established leader in online learning and education, and works alongside some of the largest companies in the world covering a wide range of industries and regions. Inspiring education and learning is at the very core of what they do. Their mission is to unlock positive potential through a love for learning.
To learn more about GO1, please visit www.go1.com.


GRC Solutions’ March Compliance Forums a success

Every six months GRC Solutions hosts Compliance Forums in Brisbane, Sydney, Adelaide and Melbourne. The forums attract participants from around Australia, including many regional attendees. The first half of 2019’s forums concluded last Friday 22 March in Melbourne, with key compliance and risk employees from many ADIs leaving with to-do lists and regulatory changes to be addressed in the coming year.

The forums are a valuable event in the life of compliance and risk individuals because not only do they get to hear about regulatory updates but also, more importantly, they are given an opportunity to speak to one another and understand what other organisations are doing regarding certain regulatory challenges.

Steven Kearney, Compliance Manager from BankVic, said, ‘GRC Solutions’ Compliance Forums provide a good opportunity for networking amongst our peers and other mutual ADIs. (There is) always great content about the ever-changing regulatory landscape.’

Some of the key issues discussed were:

  • Responsible lending
  • ASIC review of IDR and new reporting requirements
  • Open banking developments
  • Practical governance, risk and regulation insights from the FS Royal Commission
  • Regulation change overview with key areas to consider when planning the year ahead
  • AUSTRAC advanced findings from the mutual banking sector risk assessment

Speakers included Michael Funston (Senior Lawyer and Manager, GRC Solutions), Sam Carroll (Director, Governance, Compliance and Regulation, Ash St.) and the team from AUSTRAC, Sarah Webster (A/g Manager, Risk Assessments) and Cameron Just (Senior Analyst).

The recent Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry highlighted the growing importance of risk and compliance roles in the financial services industry. GRC Solutions will continue to provide a platform for risk and compliance employees to engage with one another and drive good governance in the sector.

Simo Buzanin, Key Account Manager for the Financial Services Sector at GRC Solutions, said, ‘Everyone I speak to loves attending these forums. Attendance increased by 30% from last year which is a credit to Michael Funston, the top notch speakers he assembles and the great atmosphere in general’.

As the banking sector comes to terms with the 76 recommendations issued by Commissioner Kenneth Hayne, it’s likely we will see increased powers for regulators, with more significant consequences for financial services organisations that are found to possess poor compliance standards. This brave new regulatory landscape presents unique challenges to the sector but also provides exciting opportunities for individuals working in risk and compliance.

The next round of GRC Compliance Forums will be held in October 2019. Please email simo.buzanin@grcsolutions.com.au to be personally notified of future events.

March Compliance News

Enforceability of Financial Industry Codes

The Government has begun the process of developing a new regulatory framework for financial services industry codes, with the publication this month by Commonwealth Treasury of a consultation paper, Enforceability of financial services industry codes: Taking action on recommendation 1.15 of the Financial Services Royal Commission.

The paper, which responds to a set of recommendations (Rec. 1.15) of the Financial Services Royal Commission Final Report, seeks feedback on several questions including issues associated with codes containing ‘enforceable code provisions’, whether subscribing to approved codes should be a licensing condition, and in what circumstances the government should prescribe a mandatory code. Other issues include how codes should be monitored, and what should be appropriate enforcement powers and remedies for breaches.

Feedback in response to the consultation paper is sought by 12 April 2019.


Background – the current self-regulatory regime

Codes of conduct or practice, developed by industry on a voluntary basis, have operated in financial services since the 1980s when the Code of Banking Practice, the Credit Union Code of Practice and the Building Society Code of Practice were first launched. Other codes have followed, and there are currently eleven industry-developed and administered codes covering banking, general insurance, superannuation, and wealth management.

In addition, there is the ePayments Code, addressing electronic payments issues. The ePayments Code differs from the other financial services codes in that, although a voluntary code, it was developed and is administered by ASIC (ASIC recently commenced a review of the ePayments Code).

Approval of financial services industry codes by ASIC, under its Regulatory Guide 183 (RG 183), is currently voluntary. Until last year, no codes had been approved under the RG 183 regime, largely because industry groups did not see a net benefit in seeking approval of their codes. This changed with the Australian Banking Association’s application for approval of its 2019 Banking Code of Practice (BCP). After an extended negotiation process, ASIC approved the 2019 BCP in July 2018; it comes into operation on 1 July this year.


Implications for the mutual banks

The proposed reforms to industry codes’ regulation will have implications for the Customer Owned Banking Code of Practice, a review of which is currently being conducted.

Assuming Commissioner Hayne’s recommendations are legislated, as both the major political parties have promised, the revised Code will need to identify all its enforceable provisions, and subscribers will need to be very cognisant that a breach of any of these provisions could prompt ASIC regulatory intervention.

It is also clear that the mutual banking institutions that do not currently subscribe to an applicable industry code will have to do so.


The business of ethical decision-making

What do we mean when we talk about ethical decision-making in a professional context, such as business ethics?

‘Ethics’ is really just a set of rules for behaviour.

They may be specific rules, such as “Always declare any conflict of interest before your board starts discussing a relevant issue”. They may be general rules, such as “Always try to look after your client’s best interests”.

You can say that ‘ethics’ is a set of rules/standards that are applied to evaluate the ‘rightness’ or ‘wrongness’ of actions in a particular context. For example:

  • Medical ethics refers to the rules of behaviour which apply in the health care sector.
  • Legal ethics refers to the rules of behaviour which apply to lawyers.

Ethical rules differ from legal rules:

  • There is often no explicit punishment, penalty or right to sue associated with a breach of ethical rules – whereas there are with legal rules.
  • Ethical rules are – to an extent at least – adopted voluntarily by people they apply to – but you can’t opt out of legal rules.

That doesn’t mean that legal rules and ethical rules necessarily cover different subjects. Sometimes there are ethical rules and legal rules that are the same as each other.

But even if they don’t lead to explicit punishment, breaches of ethical rules can have consequences:

  • If you breach the ethical rules of a profession, you might be fined or even disbarred from practice by the profession’s governing body.
  • If you behave unethically in society, you can be shamed, shunned, reviled, held up to ridicule, lose your customers, lose your advertisers, lose your sponsors, lose your staff, or suffer productivity loss due to loss of staff morale.


GRC Solutions offers award-winning compliance training in a range of areas, including ethical decision making. To learn more about our courses, contact us today.

Insurance through superannuation – where to from here?

In this excerpt, Senior Compliance Training Consultant, Deidre Grover, flags the raft of recent reviews and proposed legal and regulatory changes impacting insurance through superannuation. 

Over 11 million Australians have insurance (life, total and permanent disability and/or income protection cover) through their superannuation. Group insurance arrangements deliver many of these people much more affordable insurance than they would be able to obtain outside of superannuation. As many of these group policies are provided on an opt-out basis, the large share of low-risk members in the pool acts to keep insurance premiums down for everyone. However, the deduction of insurance premiums from superannuation savings can be a key driver of superannuation account balance erosion and this erosion is heightened by the provision of duplicate insurance within group superannuation.

In a little over 12 months, insurance through superannuation has been considered by the Parliamentary Joint Committee on Corporations and Financial Services, the Australian Securities and Investments Commission, the Productivity Commission, the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, and the Australian Prudential Regulation Authority. In addition, the Insurance in Superannuation Voluntary Code of Practice, which sets standards aimed at providing clearer accountability in relation to insurance through superannuation, commenced on 1 July 2018. Furthermore, the recently enacted Treasury Laws Amendment (Protecting Your Superannuation Package) Act 2019 will require trustees, from 1 July 2019, to stop providing insurance on an opt-out basis to members whose accounts have been inactive for 16 months or more.

On 30 April 2019, APRA released an information paper relating to its superannuation prudential framework review. Chapter 7 of the information paper specifically relates to insurance. The review concluded that through the introduction of Superannuation Prudential Standard 250 and Superannuation Prudential Guide 250, registrable superannuation entity licensees have improved their practices in relation to all aspects of their insurance arrangements; but that many licensees continue to find insurance strategy, design and risk management challenging. APRA will be considering the most appropriate way to implement the enhancements identified in the review as it progresses its superannuation policy and supervision priorities for the next 12-18 months.

Legislative and regulatory changes to alleviate superannuation account balance erosion caused by the deduction of insurance premiums may put upward pressure on insurance premiums. In addition, superannuation trustees will need to ensure that all necessary administrative changes are in place to comply with the provisions of the Treasury Laws Amendment (Protecting Your Superannuation Package) Act 2019 relating to the deduction of insurance premiums from accounts that have been inactive for 16 months or more.

You can read the full whitepaper here: ‘Insurance through superannuation – where to from here?’

Written by Deidre Grover
Senior Compliance Training Consultant


How to develop a summary for your training needs analysis

In this excerpt, Justin Muscolino, GRC Solutions’ Head of Compliance Training in North America, explains how to develop a summary for your training needs analysis.

When creating your summary for a needs analysis, you need to understand the organizational goals and objectives as well as regulators’ expectations. In the financial industry there are several regulators, but your organization will only have a certain number depending on the products and services offered. Your summary should include which regulators are applicable and what products or services need to be covered.

Do your regulators require certain compliance training topics to be trained on? This should be identified in your summary, along with the relevant rules and regulations. In addition, organizational locations should be cited.

You will also need to identify how you will handle non-Full Time Equivalents (non-FTEs) in addition to existing staff. Will new hires, consultants, contractors and part-time staff be trained the same as FTEs or will there be a separate curriculum?

Lastly, you should outline the methodology you adopt to perform your needs analysis. Is it a risk-based approach? If so, provide some details about your approach. For example: ‘a risk-based approach was used to identify the key risks within the organization, prioritizing the compliance training program around these risks.’

The summary should be detailed, providing an overall view of what and how you are targeting full compliance coverage through training.

The data derived from your needs analysis should be featured in your training plan. There should be a column devoted to acknowledging the sources from which the training entries originated (i.e. risk assessment, audit, or examination). This is covered in detail in the training plan section.

The key is to show a linkage throughout the process. If an audit or regulator conducts an examination, you will be able to show a detailed audit trail of each training entry.

You can find the full whitepaper here: ‘Conducting a Needs Analysis and Developing a Training Plan’


Written by Justin Muscolino
Head of Compliance Training
North America

University admissions bribery scandal

In the US, an FBI investigation known as ‘Operation Varsity Blues’ has found a network of celebrities, business executives and other powerful figures at the centre of an Ivy League bribery and corruption scandal.

A Californian tutoring organization called the Key is alleged to have made $US25 million by charging parents to secure their children spots in elite Ivy League schools. The Key’s founder, William Singer, is believed to have set up a separate sham charity to launder the money he collected, which he used to help his students cheat their way into securing spots in prestigious colleges.

Singer has pleaded guilty to all his charges, including fraud and two forms of bribery. However, Singer is not the only one under scrutiny. The bribery ring is bringing down multiple parties, including parents and universities. Some parents paid hundreds of thousands, sometimes even millions of dollars per child, to a fixer who would channel that money to bribe certain college officials.

The accused parents include American television stars Felicity Huffman and Lori Loughlin who have lost contract deals and suffered immediate reputational damage as a result of the scandal. Some prominent business executives have been suspended from their positions while their children, now students, find themselves in an uncertain limbo regarding their continuing enrolment.

Universities such as Yale, Stanford and Georgetown are also facing lawsuits from students claiming that they and others were denied a fair chance at admission. The universities are accused of failing to maintain adequate protocols and security measures that would guarantee the sanctity of the college admission process.

A civil lawsuit has brought allegations against the parents, coaches and university administrators involved in the bribery ring. The scandal has cast an astonishingly wide net over different individuals and institutions, highlighting the pervasive, broad-ranging nature of bribery itself. Bribery isn’t just a white-collar crime; almost anybody in any industry, including the education sector, could engage in it. They can also be held liable for it and face grave penalties as a result.


GRC Solutions is an award-winning provider of compliance training. To find out more about our Anti-Bribery and Corruption course, contact us today.

Sources: ABC News; The Atlantic

National Day of Action Against Bullying and Violence 2019

15 March 2019 marks the ninth annual National Day of Action (NDA) Against Bullying and Violence. NDA is an initiative created by education authorities in the Safe & Supportive School Communities Working Group. Although the main focus of the day is to prevent bullying in schools, the message is still relevant to workplaces. As role models, parents and adults, we have a key role in modelling appropriate behaviour to young people.

This year the NDA’s theme is ‘take action every day.’ This builds on last year’s theme – ‘imagine a world free from bullying’ – and asks us to turn ideas against bullying into everyday practical actions.

Raising awareness through the campaign is crucial to demonstrating what constitutes bullying, the impacts it can have and how common it still is. Whether it’s at work or in the classroom, and whether it’s open or covert, bullying is an ongoing misuse of power in a relationship. This could be as simple as an older child picking on a younger peer, or unfairly assigning unpleasant tasks to a colleague.

The campaign relies on key academics, including Professor Donna Cross from the University of Western Australia, to help spread the message that cultivating friendly schools and workplaces is one of the best ways to eliminate bullying and violence. Professor Cross points out that a world without bullying is a world in which people relate to each other through open conversations and friendly exchanges. The best way to combat bullying is to adopt a strategy of cooperation, encouraging people to create an environment that does not support bullying behaviour. Campaigns such as the NDA aim to achieve this by bringing bullying to the discussion table and enabling people to feel comfortable speaking about their experiences.

The NDA spreads the message that bullying and violence at school, at university or in the workplace is never acceptable.

GRC Solutions is an award-winning provider of compliance training. To find out more about our Diversity and Equality course, contact us today.



Responses to the Hayne Royal Commission’s Recommendations Regarding APRA

APRA plans to implement Hayne Final Report


APRA has responded to some specific recommendations by Commissioner Hayne in his Royal Commission’s Final Report:

The Royal Commission has recommended a strengthening of APRA’s prudential and supervisory framework in a number of areas. APRA is committed to implementing the recommendations expeditiously.

There are 10 recommendations requiring APRA’s direct attention. Of the 10, it is expected that nine will be completed by the end of 2020; of those, four are expected to be completed in 2019.

A link to a table outlining APRA’s plans to adopt specific recommendations contained in the Final Report of the Royal Commission can be found here.

Some of the key aspirations noted in the table are:

  • Imposing new requirements for accountability under the BEAR for product management and customer remediation. Proposed requirements will be released in the second quarter of 2019, with a view to finalising the requirement by the end of 2019
  • Proposing revisions to Prudential Standard CPS 510 by mid-2019 to give effect to the principles, standards and guidance set out in the Financial Stability Board’s publications concerning sound compensation principles and practices
  • Developing the capacity to supervise governance, culture and remuneration in light of lessons from its supervisory activities
  • Implementing lessons from its supervisory activities, CBA Prudential Inquiry and associated self-assessments by other entities and its 2017-18 review of remuneration practices at large financial institutions
  • Applying BEAR accountability obligations to APRA’s management structure including developing and publishing accountability statements

APRA notes that it is also examining each of the 12 matters relating to individual financial services entities that were referred to it by the Royal Commission. These cases are being examined in parallel with APRA’s broader Enforcement Review, conducted by APRA Deputy Chair John Lonsdale and supported by APRA staff and an external expert panel (see CN 2018.206).

Samuel Capability Review Underway

While APRA undertakes its Enforcement Review under the direction of John Lonsdale, the Federal Government has appointed former competition regulator Graeme Samuel to conduct a separate capability review of the prudential regulator, commencing in March. That review is in line with recommendations by the Hayne Final Report that “a capability review should be undertaken for APRA as soon as is reasonably practicable.”

The Samuel Capability Review will report to the government by June this year. Its panel will examine APRA’s capability to regulate superannuation entities for the benefit of members, the role of enforcement activities and coercive powers and the supervision of culture, governance and remuneration in regulated institutions.

It will be interesting to observe whether there are significant divergences between APRA’s self-assessment under Lonsdale and the findings of the Samuel Capability Review panel, concerning APRA’s culture and enforcement strategy. Some of the key questions will centre around issues of when to hold individuals to account, when it would be appropriate to take enforcement action to achieve deterrence in appropriate cases, and the application of the BEAR to APRA’s own governance and accountability for its enforcement decisions.


GRC Solutions is an award-winning provider of compliance training. To find out more about our online BEAR training course which details what your business and your accountable persons need to do and to know in order to comply with their BEAR obligations, contact us today.

We also offer facilitated training for Boards on BEAR, and Responsible Managers training for ACL and AFSL licensees.

Key themes from the recommendations in the Hayne Final Report

As the industry digests the Hayne Royal Commission Final Report, it is worthwhile taking a step back and reviewing the Report’s key themes. They include recommendations around:

Financial and credit products

  • Extend Design and Distribution Obligations to all financial and credit products regulated by ASIC.
  • Remove exemption for certain low value insurance products from definition of financial product and extend ASIC consumer protection provisions to these products.
  • Repeal grandfathering provisions for conflicted remuneration for financial products excluding insurance on 1 January 2021.

Financial advice

  • Require advisers not entitled to use restricted words ‘independent, impartial or unbiased’ to provide a written disclosure before providing personal advice to a retail client, explaining why they are not independent, impartial or unbiased.
  • Require a review of the “best interests” duty by no later than 31 December 2022. (If in significant respects it is found to be ineffective, then repeal the safe harbour exemptions).
  • Require ongoing fee arrangements to be thoroughly documented and renewed annually by the client. (No fees deducted from any account held by the client except with the client’s express written authority renewed annually).
  • Establish new disciplinary system for financial advisers.

Culture, governance and remuneration

  • Greater board scrutiny of remuneration outcomes and more meaningful information to be provided to boards.
  • APRA to revise prudential standards and guidance on remuneration to ensure remunerations systems are used to reduce risk.
  • Remuneration systems to focus on non-financial risks and misconduct – not only financial metrics. APRA to set limits on the use of financial metrics.
  • Annually review the design and implementation of remuneration systems for front-line staff (“ensure that the design and implementation of those systems focus not only on what staff do, but also on how they do it”).
  • Banks to fully implement recommendations of the Sedgwick Report.

Superannuation and insurance

  • BEAR to be extended to insurers and superannuation funds.
  • Civil penalties for superannuation fund trustees who fail best interests duty.
  • Unfair contract terms regime to apply to insurance policies.

Mortgage brokers

  • Mortgage brokers to be subject to the same laws that apply to financial advisers including a best interests duty.
  • Mortgage broker fees and commissions framework significantly overhauled.
  • Mortgage brokers to be regulated in the same way as financial advisers, after a transition period.

Farm debt mediation

  • Establish national farm debt mediation scheme.
  • Ensure distressed agricultural loans are managed by experienced agricultural bankers.

The BEAR

  • Core tenets of BEAR to be extended to ASIC and APRA management structures.
  • Extended to apply to all APRA regulated financial institutions (including insurers and superannuation funds). Extend the regime to AFSL and ACL holders, market operators and clearing and settling facilities.
  • Jointly administered by ASIC and APRA, with ASIC overseeing consumer protection and market conduct and APRA overseeing prudential aspects.
  • APRA to determine, under section 37BA(4) of the Banking Act 1959, an additional responsibility of accountable persons for end-to-end management of product design, delivery, maintenance and remediation.
  • To be amended so that ADIs and accountable persons must deal with ASIC in an open, constructive and co-operative way.

ASIC

  • ASIC to endorse new “why not litigate” approach to enforcement.
  • Enforceable undertakings, infringement notices and non-enforcement contact to be limited to administrative matters.
  • To have power to approve industry codes including codes relating to all APRA-regulated institutions and ACL holders.
  • To be given oversight of those parts of the BEAR that concern consumer protection and market conduct matters.

The regulators

  • ASIC to be primary conduct and disclosure regulator and APRA to have prudential responsibility.
  • Independently-chaired regulatory oversight body for ASIC and APRA to be established.
  • Apply accountability principles consistent with the BEAR, to ASIC & APRA.
  • Regular capability reviews of both regulators.

Breach reporting

  • Extension of the breach reporting regime to Australian credit licensees.
  • Significant breaches (and suspected breaches still under investigation) to be reported within 30 days.
  • Law to be amended to clarify that significance is an objective concept.
  • Increased criminal penalties and new civil penalties for failure to report breaches.

Industry Codes

  • Industry codes of conduct approved by ASIC may include ‘enforceable code provisions’, contravention of which will constitute a breach of the law.
  • Provisions of the new Banking Code (2018) relating to the contract between bank and customer/guarantor designated as ‘enforceable code provisions’.

Criminal charges

  • Twenty-four referrals to Commonwealth DPP including three major banks relating to fees-for-no-service.

Leave unchanged

  • Key concepts in responsible lending process and exemption for small business lending.
  • Vertical integration as a product and advice model in the financial system.
  • ‘Twin peaks’ model of financial system regulation.
  • Absence of non-executive and independent directors in ASIC and APRA executive structures.



The Hayne Final Report is stinging in its condemnation of a culture of non-compliance with the law and industry codes by major banks and the businesses they own, in the financial advice, superannuation and insurance sectors.

But it is also proportionate in its detailed menu of recommendations to reform financial services law, reduce conflicts of interest in the provision of financial services, and improve the effectiveness of regulators to deter and punish misconduct or conduct which falls below community standards.

There are welcome recommendations to establish a new, independent oversight authority for ASIC and APRA, to apply the BEAR accountability obligations to both agencies and also subject each to regular capability reviews.

The report is particularly interesting in its analysis of:

  • The six norms of conduct underlying the general obligations of AFSL and ACL holders, and their piecemeal reflection in the Corporations Act and NCCP Act.
  • The cultural reasons within ASIC and APRA for past inertia when faced with recalcitrant banks and financial services firms.
  • Managing conflicts of interest in relation to financial services intermediaries, notably mortgage brokers, in the interests of better consumer outcomes
  • The effectiveness and enforceability of industry codes.
  • How boards should now understand the close connection between compensation, incentive and remuneration practices and regulatory, compliance and conduct risks.


eThink Education & GRC Solutions Partner

GRC Solutions is excited to announce a partnership with eThink Education, a leading Learning Management System (LMS) solutions provider. Through this alliance, eThink will be able to offer clients the ability to deploy highly effective compliance eLearning which can be customised to suit their employee training strategy.

As global leaders in Governance, Risk and Compliance training, GRC Solutions aims not only to train staff, but also to develop and improve the compliance culture across a business.

GRC Solutions creates modular compliance training programs designed to suit a range of job roles and levels within organisations. They believe that one size doesn’t fit all and that attaining speed to competence – becoming proficient in key concepts quickly – is essential for staff. Courses can be developed in micro and adaptive learning formats. They are fully mobile enabled and also offer text-to-speech narration.

GRC Solutions works closely with clients to customise training in accordance with organisational compliance policies and corporate culture. This helps to make practical legal and compliance topics relevant and engaging to learners. Courses developed on GRC Solutions’ platform can be delivered through eThink’s LMS environments, incorporating both the in-line multilingual feature as well as client-side edit capability.

eThink Education provides a fully managed eLearning solution for open-source Moodle and Totara, covering all LMS needs including implementation, cloud hosting, integration, consultation and management services. Because eThink Education and GRC Solutions both employ a value-driven and service-oriented model, this partnership ensures total client satisfaction in LMS design, course creation, and eLearning efficacy.

“We are excited to be working with eThink Education, a company that has highly personalised customer service at its heart. We hope the addition of our compliance training expertise and software platforms will enhance eThink’s client offerings substantially,” said Justin Muscolino, GRC Solutions’ Head of Compliance Training North America.

“GRC Solutions provides premium compliance eLearning courses, written by legal and regulatory experts, that are effectively tailored to meet the needs of our clients,” said Brian Carlson, CEO & Co-Founder of eThink Education. “We are proud to add GRC Solutions’ fully customisable content and platform solutions to our growing network of partner resources for our clients to take advantage of.”


About eThink Education 

eThink Education provides a fully managed e-learning solution including implementation, cloud hosting, integration, consultation, and management services for open-source Moodle and Totara. Managed by experts, eThink’s total solution provides a dynamic and customisable platform to meet specific institutional and organisational needs. With clients in various industries including healthcare, education, nonprofit, government and corporate, eThink can help all types of organisations to maximise the effectiveness of their e-learning programs for improved business outcomes. To learn more about eThink Education, please visit ethinkeducation.com.


How to begin developing a training needs analysis

A needs analysis should not be taken lightly. The overall goal is to ensure from a compliance training standpoint that all organizational risks are covered. During the needs analysis stage, the key is to gather as much data as possible to formulate your training plan. If certain data is missed, the organization, the Chief Compliance Officer (CCO), and you could be held accountable if the regulators come in for an examination. To cover all your bases, a solid project plan must be in place. Think of yourself as being a project manager: you need to lay out the approach, timelines, milestones, and the approval process.

There are four steps for conducting a thorough needs analysis:

  1. Understand the organizational goals and objectives
  2. Collect data
  3. Analyze data
  4. Discuss findings with key stakeholders

Understand the organizational goals and objectives

When creating your summary for a needs analysis, you need to understand the organizational goals and objectives as well as regulators’ expectations. In the financial industry there are several regulators, but your organization will only have a certain number depending on the products and services offered. Your summary should include which regulators are applicable and what products or services need to be covered.

Do your regulators require certain compliance training topics to be trained on? This should be identified in your summary, along with the relevant rules and regulations.

In addition, organizational locations should be cited.

You will also need to identify how you will handle non-Full Time Equivalents (non-FTEs) in addition to existing staff. Will new hires, consultants, contractors and part-time staff be trained the same as FTEs or will there be a separate curriculum? Lastly, you should outline the methodology that you adopt to perform your needs analysis. Is it a risk-based approach? If so, provide some details about your approach. For example: ‘a risk-based approach was used to identify the key risks within the organization, prioritizing the compliance training program around these risks.’

The summary should be detailed, providing an overall view of what and how you are targeting full compliance coverage through training.

The data derived from your needs analysis should feature in your training plan.

There should be a column devoted to acknowledging the sources from which the training entries originated (i.e. risk assessment, audit, or examination). This is covered in detail in the training plan section.

The key is to show a linkage throughout the process. If an audit or regulator conducts an examination, you will be able to show a detailed audit trail of each training entry.

This is an excerpt from our new whitepaper, ‘Conducting a Needs Analysis and Developing a Training Plan’.


Written by Justin Muscolino, Head of Compliance Training, North America



If the Corruption Perceptions Index (CPI) results for 2019 prove anything, it’s this: no country is immune to corruption. In fact, out of 180 countries, not one earns a perfect score, with the average global score being 43 out of 100. Australia has gradually slipped down the CPI since 2012, ranking 13th on the global scale, while the USA dropped out of the top 20 countries altogether.

Transparency International (TI) started the CPI in 1995, and it is the leading global indicator of public sector corruption. The CPI scores 180 countries on their perceived levels of corruption, based on data about specific corrupt behaviour including bribery, diversion of public funds, use of public office for private gain and nepotism. The CPI uses a scale of zero (highly corrupt) to 100 (very clean) to rank countries.

China, India, Indonesia and the USA – all key trading partners of Australia – slipped down the list. China fell from 77th place to 87th place with a CPI of 39 out of 100.

The 2018 Exporting Corruption report highlights that even when countries are perceived to have relatively low levels of corruption, they may fail to investigate and punish companies implicated in paying bribes overseas. Even if corruption isn’t prevalent within our borders, our presence in countries that are rife with corruption still has the potential to taint us.

TI also notes the way weak institutions and unresponsive political systems that lack a focus on compliance with anti-corruption laws can undermine democracy. In the context of international trade in goods, this failure to support democratic principles of governance perpetuates a culture of corruption and leads to over $2.6 trillion in losses annually.

No country should take a good score alone as a sign that they are doing enough to combat corruption. The CPI sends a powerful message about the need for constant monitoring and vigilance when it comes to stamping out corruption in public structures – and this of course has ramifications for the private sector, too.


GRC Solutions is an award-winning provider of compliance training. To find out more about our Anti-Bribery and Corruption course, contact us today.

Source: Transparency International

Main provisions of the Commonwealth modern slavery legislation commenced on 1 January 2019

Prepare to meet new modern slavery reporting requirements if your organisation has an annual consolidated revenue of more than $100 million.

The Modern Slavery Act 2018 (Commonwealth) requires reporting entities to submit a modern slavery statement to the Minister for Home Affairs within six months after the end of each financial year. For most reporting entities, the first modern slavery statement will relate to the 2019/20 financial year and should be submitted by 31 December 2020.

You can view the legislation here.

The Minister will maintain an online public register of these statements. Under the Act, modern slavery includes human and orphanage trafficking and slavery-like practices such as servitude, forced labour, debt bondage and the worst forms of child labour.

The Act applies to entities based or operating in Australia with an annual consolidated revenue of more than $100 million. Under the Act, other entities based or operating in Australia will be able to report voluntarily. The statements on the online public register will be able to be accessed by the public free of charge via the internet.

Under the Act, modern slavery statements must:

1. describe the structure, operations and supply chains of the reporting entity

2. describe the risks of modern slavery practices in the operations and supply chains of the reporting entity (and any entities that the reporting entity owns or controls)

3. describe the actions taken by the reporting entity (and any entity that it owns or controls) to address those risks (include due diligence and remediation processes)

4. describe how the reporting entity assesses the effectiveness of its actions.

The modern slavery statement must be approved by the principal governing body of the reporting entity and signed by a responsible member of the entity authorised to sign it.

If a reporting entity fails to submit a modern slavery statement, the Minister may request that the reporting entity provide an explanation about this failure and/or undertake specific remedial action to address the non-compliance.


Modern Slavery Act 2018 (NSW)

On 27 June 2018, the Modern Slavery Act 2018 (NSW) received assent. Its substantive provisions have not yet commenced operation and the NSW legislation is different to the Commonwealth legislation in some significant respects. For example, the NSW legislation will also provide penalties for non-compliance and will establish an Anti-Slavery Commissioner.

In addition, the NSW legislation will apply to any corporation or association having employees in New South Wales that have a financial year turnover of at least $50 million. However, the NSW legislation provides that its mandatory reporting requirements will not apply to commercial organisations covered by the Commonwealth legislation.

You can view the NSW legislation here.


GRC Solutions is an award-winning provider of compliance training. To find out more about our upcoming Modern Slavery course which details how your business can prevent modern slavery occurring in your supply chain, and specifically what you need to do to comply with the new Commonwealth legislation, contact us today.

Workplace bullying more common than you think

A missed invitation to the annual staff celebration. A group of colleagues snickering as you walk past. A snide remark about what you’re wearing as you sit down at your desk. By themselves, it would be easy to dismiss each of these incidents as the usual obstacles of navigating your workplace’s social hierarchy. But together they paint a different picture, illustrating that bullying at work is rarely obvious at first glance and so requires strategies to combat it which alter the culture and behaviour of employees at their core. Its impact on productivity and employees’ psychological wellbeing can’t be ignored, with the Productivity Commission reporting that workplace bullying costs the economy up to $36 billion annually. Below are a couple of common misconceptions you may have heard about the topic:

“No one looks upset at work, so everyone must be getting along”

While you may be able to recognise someone being bullied if they’re being repeatedly shouted at by another colleague in the middle of the office, most bullying happens behind closed doors. Employees who are the targets of continuous anti-social and intimidation tactics both at work and/or online, could be too afraid to speak up. ‘Not wanting to cause a fuss’ or feeling as if their complaint will be ignored are some key reasons behind bullying being left unreported, which perpetuates a culture of silence and validates bad behaviour.

Mindset switch:

  • As a manager, be proactive in ensuring that communications between employees are respectful and be aware of toxic ‘office politics’ which may indicate some employees don’t feel safe at work. Emotionally intelligent bosses make themselves approachable and knowledgeable about not only the tasks allocated to each team member, but also how they interact with each other and they will step in to resolve conflict where required.

“I was just providing necessary criticism”

At some stage in your career, you’re bound to face some critique of your work. This should be with the aim of helping you improve and not directed as a personal attack. Bullies can mask their overly degrading commentary as ‘constructive criticism’, when its real impact was to damage the victim’s self-esteem and embarrass them in front of other colleagues. While a one-off comment from a manager about your output needing to be of a higher standard may not constitute bullying, assigning meaningless tasks unrelated to the job or unnecessarily overloading someone with work and berating them for not completing it on time could be.

Mindset switch:

  • If you have constructive feedback about someone’s work, have an open dialogue with thoughtful advice on how they can improve. Never make aggressive or unsubstantiated statements which criticize a team member personally.

Encouraging inclusive workplace practices and taking a zero-tolerance approach to bullying will keep employees happy and deliver positive results overall. As a study by PricewaterhouseCoopers shows, each dollar spent on training programs and wellbeing checks provides $2.30 in benefits such as a reduction in absenteeism and compensation payouts.


GRC Solutions is an award-winning provider of compliance training. To find out more about our Diversity & Equality course which details how your workplace should manage and prevent bullying, contact us today.

Source: Fair Work Commission, Safe Work Australia, PricewaterhouseCoopers

Justin Muscolino joins GRC Solutions’ US operations 

GRC Solutions is pleased to announce that Justin Muscolino has joined our New York operations as Head of Compliance Training Operations in North America.

Justin draws on his longstanding experience in compliance, training and regulation for the banking sector. He was Macquarie Group’s Head of Americas Compliance Training and JP MorganChase’s Compliance Training Manager. More recently, he served as Head of Compliance Training at Bank of China.

Justin has also worked at the US regulator FINRA, where he helped create Examiner University, seeking to nurture and develop examiners’ skills to deal with financial institutions.

“I’m excited to join GRC after more than 20 years in corporate. After dealing with vendors throughout my career, I can lend my expertise to GRC on best practices when dealing with financial institutions,” Justin says.

“GRC is well-placed to provide premium quality compliance consulting and training to the financial services sector which attracted me to this opportunity.”

In January 2016 GRC Solutions opened our New York office with our unique adaptive e-learning technology. In Australia we have continued to win awards at the industry LearnX Awards for many years, including Best Compliance Program and Best Custom Project in 2018.

GRC Solutions was the recipient of a prestigious Brandon Hall Group’s Excellence Award and was a finalist at the Premier’s NSW Export Awards.

Three tips for your new year’s compliance checkup


January may signify the loss of sun-drenched beachside holidays as you readjust to business as usual, but it’s also an opportune time to refresh your organisation’s objectives and check in with staff to begin the year on a positive note. Setting ambitious sales targets and devising strategies for new clients may be top of the agenda, though it pays to do a compliance checkup along the way with these tips in mind:

1. Identify gaps in learning and compliance training

A training needs analysis may not seem like the most exhilarating activity at first glance. But it can go a long way towards ensuring that your training covers all the relevant areas and does more than just ‘tick a box’. Ensuring that company procedures are published and updated and that staff at all levels have completed their relevant compliance training will mean everyone is on the same page with common goals.

 2. Make your teams aware of compliance contacts and their responsibilities

Who can employees go to if they suspect an IT scam is making the rounds? What if simmering tensions between a few workers haven’t mended over the holiday break? It’s important that staff know what the Compliance Officer is responsible for and are comfortable enough to approach them or management when these types of issues arise. It goes back to establishing a culture that promotes clear lines of communication, but also the old saying that “prevention is better than cure”. This brings us to the third tip.

3. Review risk management procedures through assessing your workplace culture

“Risk management” and “due diligence” always come up when talking about compliance procedures. Your organisation’s workplace culture is where risk management starts – if employees are in an environment where their peers are acting with a compliance mindset, they’re more likely to follow suit. Implementing programs which demonstrate real-world scenarios that your employees can directly relate to is a great place to start. Bringing together multiple departments through workshops or discussion groups about their approaches to high-risk areas like fraud awareness are also a good way to check that your compliance policies are being adopted. Further training can then be adapted as required to fill any gaps in knowledge and embed compliance as a fundamental part of how workers carry out their everyday tasks.

Some key checkpoints:

  • Are new employees briefed on the importance of a collaborative and diligent workplace culture led by example?
  • Does your company have a fraud awareness plan and social media policy?
  • Do your meetings just focus on the numbers or is there also a focus on establishing good business ethics?

GRC Solutions provides a large library of award-winning online compliance training, as well as customisation and bespoke development services.

Top compliance tips for retailers over Christmas

It’s that time of the year again. Christmas carols are in full swing, extended shopping hours provide the opportunity to grab those last-minute presents and sales are booming. For retailers, the festive season sees profits soar as consumers get into the gift-giving spirit. But there are areas businesses should watch out for to ensure they’re doing the right thing by their customers. From advertising products, selling on the front line or dealing with refunds, here are some top tips to remain legally compliant:

Advertising and marketing teams

While it’s common practice to use some fine print, there are rules which protect consumers against advertising that may be deceptive or misleading. If there are unfair exclusions to a promotion, or statements that contradict the main message of marketing materials, you may be in breach of the Australian Consumer Law. For example, it would be prohibited to make a representation of a ‘gift with every purchase’ when the fine print says ‘gift is at the additional cost of $10’.

Sales staff

Sales staff, who are a retailer’s main point of contact with consumers, should be well-informed of their basic legal obligations. There may be temptations to stretch the truth when closing a deal, particularly on big-ticket items like electronics or sporting equipment. But if the salesperson tells a customer that an electric scooter with “intuitive braking and a battery that lasts for a full day” will meet their needs and it fails to do so, the customer will be entitled to a remedy under the consumer guarantees, including a refund.

Refunds and returns

It’s important to make sure that a store’s returns policy is clear and in line with the Australian Consumer Law. While retailers don’t have to refund for a ‘change of mind’, they are obligated to provide a remedy if a product is faulty or not fit for purpose. Signage at a store level is a key issue to consider – for example, a sign which says “no refunds on sale items” would be considered illegal because it undermines a consumer’s inherent statutory rights.

GRC Solutions creates award-winning training programs on a range of legal compliance areas. For more information on our Competition and Consumer Protection course, contact us today.

Why compliance professionals need more than just legal knowledge

As the Financial Services Royal Commission continues, it’s more important than ever that organisations implement compliance policies that go beyond ‘ticking boxes’ in order to comply with the law. Instilling in employees everyday work practices habits that aren’t just legally compliant but also ethically sound starts from the ground up.

Nowadays compliance teams are drawing on experiences from the fields of technology, governance and HR. To make these changes effective in the long term, compliance professionals are finding it useful to have interdisciplinary skills that extend outside the scope of a lawyer or accountant.

Compliance professionals stand to benefit from having a tech background that will help communicate their message to the company at large. Michelle East from Certainty Compliance states that “people that have really strong change management skills and information management skills” are particularly useful. Compliance staff don’t need to be IT experts, but a working knowledge of regtech – the intersection between regulation and technology – and how it improves the transparency of operations between different sections of the business will mean they can mitigate risks where they see them.

‘Soft skills’ such as emotional intelligence which directly influence organisational culture and the willingness of employees to adopt compliance programs are just as important. James Beck from Effective Governance writes that hiring compliance staff who can adopt “HR, organisational psychology, and governance” skills are better able to discern the ‘grey areas’ between legal and ethical compliance. For example, the need to make complex decisions can often arise during business transactions that challenge the balance between profits, stakeholders and community expectations. When this happens, a technical knowledge of the law combined with a thoughtful approach to ensuring employees know how to act will provide the most holistic response.

New regulations are being introduced and the burden of compliance requirements will continue to expand. As Commissioner Hayne puts it, “Culture and governance are affected by rules, systems and practices but in the end they depend upon people applying the right standards and doing their jobs properly.”

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses. Contact us today for more information.

Source: Sydney Morning Herald

Briefing Sessions for Boards and Senior Management

Does your Board, CEO and senior management understand their new accountability obligations under the Banking Executive Accountability Regime (BEAR)? GRC Solutions offers face-to-face interactive presentations to assist your directors and executives in their new role as ‘accountable persons’ as they meet the challenge of embedding the BEAR within your organisation. GRC Solutions’ interactive sessions will cover:

  • the scope and purpose of the BEAR
  • your ADI’s accountability obligations
  • your ADI’s key personnel obligations
  • your accountable persons’ accountability obligations

Our face-to-face sessions will tell you what you need to know if you are paying variable remuneration to your directors or other accountable persons, and how and when you will have to deal with APRA.

The sessions will also offer practical guidance on how your board and senior executives can embed a culture of BEAR compliance within your ADI. Practical information, not available from the legislation, will guide your board in setting standards of conduct designed to reduce reputational and other risks to the prudential standing of your ADI.

Guy Griffin, Senior Lawyer

Guy specialises in financial services and credit licensing compliance. His other areas of practice include prudential risk and compliance for ADIs and advising on all aspects, legal and non-legal, of effective board governance for ADI directors.


Liam O’Brien, Senior Consultant

Liam is a highly regarded risk and compliance expert and workshop presenter. He helps organisations develop a successful risk and compliance program by converting a strategy into an operational program of work.


GRC Solutions is designing and facilitating learning and development solutions to assist you to understand the implications of BEAR and how to prepare for compliance with the new laws.

 Contact Guy Griffin, Senior Lawyer at GRC Solutions for further information: guy.griffin@grcsolutions.com.au

Compliance Forums – Save the date

GRC Solutions’ popular Compliance Forums will be held again this March. There will be a full analysis of the Financial Services Royal Commission’s Final Report. AUSTRAC has also agreed to present on its review of AML/CTF risk in the mutual banking sector.

The dates for the first round of GRC Solutions Compliance Forums for 2019 have now been confirmed:

  • Thursday, 14 March – Brisbane
  • Friday, 15 March – Sydney
  • Thursday, 21 March – Adelaide
  • Friday, 22 March – Melbourne

Forums will cover key regulatory developments impacting the mutual banking industry, including a full analysis of the Final Report of the Financial Services Royal Commission, scheduled to be delivered to the Government on 1 February.

We are pleased to announce that AUSTRAC has agreed to again present to participants, following their successful involvement in the February/March 2018 round. AUSTRAC is currently consulting mutual sector stakeholders on the draft report of its Australia’s Mutual Banking Sector ML/TF Risk Assessment. It will use the Forums to engage with the sector on the Assessment Report post-publication.

We are also delighted to announce that Samantha Carroll, Director Governance Compliance Regulation at Ash St., will provide her perspectives on the Financial Services Royal Commission Final Report and an overview of impending regulatory changes. Samantha is a governance, compliance and regulation expert with 10 years’ experience in the Governance and Compliance division of a top-tier law firm, and three years as the Head of Compliance for a mid-tier bank. There’s more about Samantha and her colleagues on the Ash St site here.


Register your interest by emailing bill.tarrant@grcsolutions.com.au to receive a full agenda and location details for the March 2019 Compliance Forums.




Sexual harassment at work: clear procedures for support and accountability

Everyday sexism and harassment have drawn increasing media attention in recent times. The existence of legislation protecting against sex-based discrimination in the workplace, set against the backdrop of initiatives such as the #MeToo movement, has brought the topic under the scrutiny of the public’s gaze. Despite these developments reflecting general community expectations, when incidents occur it is often the complainant who is left dissatisfied with how the situation was handled in their professional environment from the outset.

Employers face increased pressure to translate the legal protections under the Sex Discrimination Act into procedures at a grassroots level, and employees need to know what practical avenues are available to them if they have experienced sexual harassment at work.

Employers must have adequate systems in place that genuinely acknowledge a complainant’s concerns. They should also provide viable steps towards holding perpetrators accountable. After landmark decisions such as the 2014 Richardson v Oracle Corporation Australia Pty Ltd case, the vicarious liability of employers and increased scope for payable damages places even greater emphasis on the need to acknowledge that sexual harassment exists in workplace cultures.

As many of these incidents remain unreported due to the stigma surrounding speaking out and complicit behaviour from fellow colleagues encouraging a ‘culture of silence’, clear boundaries need to be communicated on the line between well-meaning camaraderie and inappropriate advances. Fostering an open discussion and promoting effective internal avenues of redress are the first steps to cultivating a workplace that is safe, inclusive and respectful.

GRC Solutions offers a range of customisable training to ensure that employees are aware of policies in place about what constitutes sexual harassment in the workplace and how it can be prevented.

To learn more about our Diversity & Equality course and how it could benefit your organisation, contact us today.

Source: The Conversation

A snapshot of domestic violence

One woman is killed every week by her partner in Australia. Around one in six female workers will be affected by domestic violence in their lifetime. These statistics paint a shocking picture of how prevalent the problem of domestic violence is today.

Domestic or family violence can occur between intimate partners (including same-sex couples), relatives, family members, carers and children.

GRC Solutions takes a look at how Australian workplaces can support and empower employees and colleagues.

Domestic violence and the workplace

Violence is more than a private or personal issue. The impacts can be seen and felt throughout the workplaces of those affected. It can also happen within the workplace.

A Human Rights Commission survey found that 25% of women had experienced sexual harassment in the workplace. It also identifies that intimate partner violence is the leading contributor to death, disability and illness in women aged 15 to 44 years in Australia. “Within the population of women who have experienced violence, or are currently experiencing violence, the Australian Bureau of Statistics estimates that between 55% and 70% are currently in the workforce.”

Going to work each day often offers no solace for domestic violence victims as the harassment can continue through phone calls, emails, text messages and even visits by the offender.

What can you do to help?

Firstly, it’s important to recognise the signs of abuse.

Abuse victims may hide their abuse from co-workers, but the following signs may be an indication that abuse is occurring:

  • Frequently missing work without a valid explanation
  • Wearing sunglasses indoors or long sleeves on a hot day
  • Frequently arriving to work very early or late
  • Avoiding social functions
  • Decreased productivity
  • Tension around receiving repeated personal phone calls

Secondly, respond to any concerns you identify. Speak up and voice your concerns in a sensitive and confidential manner to the victim. For example, “I’ve noticed you have been running late the past few weeks. I know it’s unlike you and I’m worried about you. Is everything okay?” While they may be defensive or not want to disclose any information, you should always remain supportive.

Thirdly, refer them to any support services available to them. Empower victims by providing them with emotional support as well as the resources to speak up.

Your organisation should provide a safe working environment in which staff can refer any concerns they have without fear of retribution or breach of confidentiality. It should also be clear to all employees that there is a zero-tolerance approach to violence.

Support services you could refer victims to include:

  • 1800RESPECT
  • Aboriginal Family Domestic Violence Hotline
  • Relationships Australia
  • Lifeline

White Ribbon Workplace Accreditation Program

Your organisation can take an active part in promoting respectful relationships and gender equality within the workplace and demonstrating a culture of zero tolerance of violence by joining the White Ribbon Workplace Accreditation Program.

For more information on the White Ribbon Workplace Accreditation Program, visit: https://www.whiteribbon.org.au/stop-violence-against-women/get-workplace-involved/workplace-accreditation/

GRC Solutions develops training on violence prevention and awareness. Contact us today for more information.