Going beyond Compliance

Materiality topics

  • Regulatory Compliance
  • Anti-Corruption and Privacy
  • Risk awareness
  • Integrity
  • Governance
  • Anti-Competitive Behaviour

We have a robust and resilient approach to governance, in harmony with client expectations that their investments are protected, by being safe, secure and compliant. However, having the necessary risk and control frameworks in place is only a minimum standard and we set the bar high for their effectiveness, to ensure clients’ peace of mind. Across the business we aim to have high risk awareness and compliance embedded into everything we do.


2017/18 Highlights

  • Programme to promote risk awareness across the company
  • Education and training to enhance cybersecurity

Developing our risk culture

We have a strong culture of risk awareness across the business. Following a culture assessment recommended in a 2014 internal audit, we have taken a number of steps to enhance and measure risk culture throughout the business. This is reflected in 2017’s employee engagement results, which showed a very high awareness from staff of risk and the regulatory environment.

In 2017/18 we took steps to further strengthen this culture, designing and deploying a series of controls and training. These are monitored through quarterly metrics, which are reported to our Board Risk Committee.

95

Of staff understand the regulatory environment and risks relevant to their role.

93

Believe effective risk management is integral to their day-to-day decision making

93

Understand how their decisions impact on the risk profile of the company


Other significant risk awareness work in 2017/18:

Glasgow Caledonian University’s Risk Faculty

We held initial discussions with Glasgow Caledonian University’s Risk Faculty to explore what we can learn from academia to further our work on risk culture.

Enterprise risk

The Enterprise Risk team regularly updates our intranet pages with information and explanation on all areas of the risk framework, including error management, assessing risk appetite and self-assessments.

E-learning

Staff complete mandatory e-learning training modules and assessments in subjects including anti-bribery, data protection, market abuse and conflicts of interest.

The next area of focus will be enhancing our risk culture scorecard and reporting. The dashboard covers the themes of organisation, risk competence, motivation and relationships. Behind each of these themes is a suite of key indicators that are assessed on a quarterly basis.

Risk aware sessions with Dr Roger Miles

Head of Behavioural Risk, BP&E Global Ltd.


We partnered with leading risk-management academic and practitioner Dr Roger Miles, who specialises in advising Boards on their governance responses to behavioural risk and other intangible threats to capital value. Besides counselling private and public-sector leaders, he researches and teaches these aspects of risk at a postgraduate level.

"I led the development and delivery of a series of Risk Aware Working sessions, using highly topical case studies that engaged Martin Currie people personally in pausing to reflect on day-to-day experiences with risk in the company and the industry.

Starting from real-life scenarios, these tested how participants made sense of various risks facing them; how would they respond and make decisions, as risk managers and as human beings? During the workshops, participants explored:

  • How, in practice, behavioural biases may mislead us and our clients
  • How regulators see us, and we them – it is not always clear on either side
  • And, how these and other factors may induce conduct risk with clients.

With Martin Currie’s senior risk team leading the way, participants, including the Martin Currie Executive team and Board Risk Committee, put a ‘behavioural approach’ into practice to make their own personal risk decisions clearer. It’s typically thoughtful of Martin Currie to use innovative, participative thinking to build risk-awareness and resilience, and so business value. It’s good to see the word continuing to spread across the financial services sector."


Protecting against cyber attacks

With the increase of cyber attacks globally, protection against data breaches is a growing concern for investors. With notable attacks, such as WannaCry, which affected more than 200,000 computers across 150 countries, there is greater scrutiny on how companies are addressing the issue.

In this environment, our clients naturally want assurance over their investments. We recognise that people are often the weakest link in this area and we have continued to engage with staff, helping them to fully understand the threat landscape, the potential impact on our clients and our robust plans to respond to any security-related incident. In 2017/18 we enhanced our engagement with staff on this issue.

To bring the issue to life, we partnered with an external firm to run several sessions with employees from across the business, including our Executive team. These sessions simulated several cyberattack scenarios in a fast-paced, head-to-head digital game.

Employees took on the roles of both a company subjected to an attack and the hackers. Taking both perspectives enabled participants to explore strategies, familiarise themselves with cyber terminology and, most importantly, make mistakes and learn in a safe environment, ultimately with the aim of improving our controls and response.

We have a mature cybersecurity framework in place, aligned to the National Institute of Standards and Technology (NIST) standards, and overseen by effective corporate governance up to Board level.

At an investment level, we have been working closely with the PRI on its initiative focusing on cybersecurity and companies in the financial, healthcare and retail sectors. The project commenced in 2017, with letters sent out to target companies. We are leading the engagement with five of the businesses included.

Staying ahead of the hackers

We carry out ‘phishing’ tests regularly on all Martin Currie staff, sending out emails similar in appearance to scam emails which are often used by hackers to gain access to IT systems.

We record whether recipients open attachments, follow embedded links, input user credentials – or report the email to IT. In cases where we identify weak practice, employees may be required to retake training modules.