Deloitte SA Blog


Is the Protection of Personal Information Bill a necessary evil or opportunity?

The corporate world is currently debating the Protection of Personal Information Bill (PPI) which will soon be promulgated. Much of this debate centres on how onerous the minimum requirements for compliance will be, how long organisations will be given to comply and what the cost implications are likely to be.

Want to learn more about the Protection of Personal Information Bill? Visit the Deloitte Protection of Personal Information Bill website or contact Dean Chivers at dechivers@deloitte.co.za or Daniella Kafouris at dkafouris@deloitte.co.za.

Some companies have chosen to take a ‘wait and see’ approach. “Those companies that see regulatory changes as an opportunity for increasing business value adopt a more positive, proactive approach and also spend considerably less in achieving compliance over the long term,” comments Dean Chivers, Director Deloitte Legal, at Deloitte. “They are able to link compliance requirements to the entire value chain of the business so that each functional area buys into its importance, realises the value that can be delivered to the business and collectively bring about change to realise this value.”

Chivers cautions that companies should implement PPI compliance as prudently as possible. “Be realistic – your organisation may not be completely compliant by the time the Act is promulgated. PPI is not exclusively an IT or legal or a process or a security issue, it’s a combination of all of these. Create the framework within which PPI will be managed within your organisation, and then build awareness amongst staff around both PPI and your entity’s PPI compliance framework. This will start to drive PPI issues into your framework, thereby facilitating a proactive, self-regulating model.”

Chivers recommends that a response strategy be established, with the responsible person being one who understands what the law requires.

“Decide on your corporate ethics policy and define and communicate it, teaching your organisation to look out for problems,” says Chivers. “If and when a problem arises, react quickly and correctly to deal with it and close the loophole. Look for triggers that indicate your processes are not working properly.”

According to Chivers, the PPI Bill will be the catalyst for companies to add value while achieving compliance. They should engage with their customers in the process and use it as an opportunity to build customer trust in the company by highlighting the company’s efforts to treat customers’ personal information with respect and confidentiality.

The following are just some of many opportunities:

There is tremendous advantage to be gained from proactively engaging customers ahead of promulgation, for example:

  • Positive customer approvals are more likely to be obtained prior to promulgation and prior to the market being flooded with requests.
  • Valuable insights can be obtained from a company’s existing customer database now, ahead of customer requests for data deletion.
  • Customers will become aware of the fact that PPI will result in the protection of their personal information, something most people will appreciate.
  • Companies who lead the market in becoming PPI compliant will gain customer respect and loyalty.

PPI can also deliver many potential positives within a company, to name a few:

  • Technology gets the budget go-ahead for middleware and data warehouses, new SAP modules, data security upgrades, etc., which add value when linked to the overall business strategy.
  • Data analysis of personal information for purposes of PPI compliance can yield significant useful information around customers and markets.
  • Provides positive motivation to interface with customers, alumni, potential employees and personal networks.
  • Employee files get updated and remain up-to-date.
  • Contracts are reviewed and updated and may even be better than before.

Chivers recommends that the initial step should be a quick start process prior to promulgation, followed by detailed design and implementation of value-adding initiatives. This will allow the company to gain momentum and build a platform for future opportunities. Firstly, understand the extent of PPI impact on customer and channel strategy, brand positioning and employee proposition; determine possible impacts on people, processes, technology and systems; and define key data requirements for business sustainability.

Thereafter, look at the following opportunities:

  • Identify value-adds beyond minimum compliance
  • Design customer interactions to increase market share
  • Realign processes for a more customer-focused organisation
  • Link to other initiatives such as process streamlining, productivity improvement and employee communication
  • Select technology to support more than just data integration, e.g. non-intrusive options ranging from cloud technology to separate software and simple upgrades
  • Build the customer-focused organisation by digging deeper into existing customer data
  • Use an approach that first establishes the organisational needs and gaps before moving to an ‘all ends at once’ implementation
  • Adopt a ‘build to last’ approach for ongoing organisational sustainability

In summary, organisations can gain measurable business performance improvements by approaching the Protection of Personal Information Bill as a strategic opportunity rather than an onerous compliance cost. Realising this potential value from the Bill, however, requires a shift in organisational mindset.

“Don’t be limited or restricted by your existing database,” says Chivers. “Use it as a contact list and first cut segmentation, design a meaningful database for future strategy and populate it by means of an automated permission campaign; don’t be restricted to a single tool or methodology – select those which are most appropriate for your needs; ensure your approach is strategic. Include change management in your implementation; don’t be purely focused on data analytics, ensure that your approach is aligned to your business priorities as well as people, process, technology and system enablers.”

Chivers goes on to say, “Understand how PPI affects your IT, legal, process and security options before jumping on the analysis bandwagon. Analyse the options and consider the best process for your company. There are a number of options, so give yourself the best chance of adopting the most appropriate one for your company.”


Is your security capability evolving with your business strategy?

Any experienced leader knows that little is accomplished by those who try to get things done. That’s because good leaders don’t confuse effort with results. Yet when it comes to security risks associated with technology, where a critical breach can bring a business to its knees, there’s a great deal of trying going on. And not nearly enough doing.

Not surprisingly, many executives today believe their organizations are well-protected. With broad policies in place for technology governance, risk and compliance, most have assigned responsibility for security to their IT shops, confident that their fiduciary and legal obligations are being met. But a closer look at the real risks and threats reveals a different picture. Organizations that take a compliance-oriented approach to enterprise and IT risk may not be managing many of the threats that matter most.

It’s not uncommon for companies to equate compliance and security. That’s what happened recently when a major retailer was hacked, exposing several million debit and credit card numbers to the risk of theft. The company appeared to have a rock-solid compliance program in place, asserting that they followed all the security requirements mandated by the credit card brands and others. But that wasn’t enough. A number of back-end systems were left unpatched, leaving some of their software vulnerable to exploitation. Hackers were able to penetrate the company’s systems despite their most diligent compliance efforts. Thousands of cases of fraud were linked to the breach, exposing the company to legal, reputational and financial risks.

A risk-based approach using a layered defense could have helped prevent such an incident.

Download the full article: Evolve or fail

We welcome you to visit the Deloitte South Africa Technology Risk Advisory website. If you have any questions or require a more detailed conversation, contact Cathy Gibson at cgibson@deloitte.co.za.

Risk intelligence in the age of global uncertainty

Any number of threats, such as pandemics, power outages and floods, pose a risk to your business. The question is: is your company ready?

“Risk Intelligence in the Age of Global Uncertainty: Prudent Preparedness for Myriad Threats” suggests that responding to the threat of a pandemic is not something effectively done in isolation. Rather, it should be viewed in a larger assessment of potential business impacts – such as people, supply chain, and finances – and alongside the development of appropriate risk management plans.

Companies that take steps to improve their shock resilience before an event takes place will clearly have an easier and faster recovery, as well as competitive advantage in the marketplace. This white paper contains essential reading for companies that hope to successfully navigate the business challenges of the 21st century. The stakes are enormous, because we believe organisations that are most effective and efficient in managing risks — both to existing assets and to future growth — will outperform those that are less so.

Download the paper: Risk Intelligence in the age of global uncertainty

For more information contact Cathy Gibson at cgibson@deloitte.co.za or Braam Pretorius at abpretorius@deloitte.co.za.


Businesses are embracing mobility but now comes the hard part

Rapid technology developments in wireless connectivity and mobile devices marked the beginning of the mobility revolution. Next came the apps renaissance, when intuitive, engaging pieces of software, tailored for smartphones and tablets, began to change our day-to-day lives. The revolution has now reached business. Many organizations today find mobile initiatives popping up in every business unit, in every region and in every department. The floodgates have opened. Now what?

For some, the path forward might begin by pushing existing solutions and processes to mobile channels, without blue-sky thinking of how business might change if location constraints disappeared. For others, disciplined experimentation can reveal compelling scenarios, which can lead to doing traditional things differently, as well as doing fundamentally different things. When left to its own devices, each faction – individual, department or organization – will struggle through the learning process towards its own vision of mobile enlightenment.

In this chaotic environment, CIOs face three challenges. First, they need to build capabilities to deliver intuitive, user-friendly mobile applications that can meet or exceed expectations set by consumer technologies. Mobile delivery requires new skills, new mindsets, new application architectures, new methodologies and new approaches to problem-solving. Above all, solutions must focus on usability – design-led thinking with mobile mentalities. Scope should be reined in to create well-defined, elegant solutions that address explicit problems, not broad collections of functionality. User experiences should be mobile-centric, based on touch/swipe/talk, not point/click/type. Leonardo da Vinci’s description of simplicity as the ultimate form of sophistication might be a foreign concept to many central IT departments today, but it is also a prime directive. As mobile becomes increasingly important in customer and employee interactions, the complexity of applications, or apps, will naturally grow with heightened integration, security and maintenance needs.

The second challenge for CIOs is to help the business deliver innovative applications with significant potential for positive disruption. Experimentation can be a good way to show progress and help crystallize opportunities, but many use cases remain uncharted. Until users interact with an early prototype, they may not know what they want, much less what they need. CIOs can become beacons of big-picture thinking and tactical adjudication by embracing the proliferation of mobile initiatives, and accelerating the mobile adoption learning curve across the organization.

The third challenge is that mobility introduces yet another level of complexity that CIOs must manage and support at an enterprise scale. What’s an effective way to deal with pressure to get behind each “next big thing”? Should employee-owned devices be allowed on enterprise networks? And if so, what data, applications and services should they be permitted to access? How should IT practices change to support mobile applications? True enterprise-class mobility requires governance, security, privacy and compliance policies – with effective management of mobile devices, enterprise app stores, mobile middleware and more. The trick is to build a solid foundational infrastructure without throttling the business. As you likely know, the business can’t – and won’t – wait for a fully formed mobile enablement roadmap to be defined and put into place.

If you have any questions relating to this article, or require a more detailed discussion, contact Kamal Ramsingh (Head of Technology – Deloitte South Africa) at kramsingh@deloitte.co.za.

Download the full article: Deloitte Tech Trends 2012

People risk is risky business – Deloitte Human Capital Trends 2012

Black swans are low-probability events that have far-reaching impact. Such events used to be exceedingly rare, but in today’s hyperconnected world, they are increasingly common and have enormous destructive potential. The euro crisis is a textbook example of how increased connectedness, interdependence and scale can turn a local problem into a global threat. Other recent examples include the following:

  • The 2008 financial crisis that began with subprime mortgages in the United States but eventually triggered a worldwide recession
  • The Gulf of Mexico oil spill that sent shock waves through global energy markets
  • The tsunami in Japan that disrupted global supply chains and caused countries around the world to reconsider their use of nuclear power
  • The Arab spring uprisings that are continuing to reshape the world’s political landscape
  • Local flooding in Thailand that caused a worldwide shortage of hard drives

On the surface, none of these events would be considered a people-related risk. But as organizations dig deeper, it becomes clear that people are at the core of each major risk — if not as part of the problem, then as part of the solution. To help navigate this increasingly uncertain environment, many leading organizations are expanding the role that HR leaders play in managing risk across the enterprise.

HR’s role in risk management used to focus on the tactical, administrative, legal and regulatory risks that were directly under its domain — such as ERISA (Employee Retirement Income Security Act) compliance, workplace discrimination and sexual harassment — and on making sure its own systems and processes passed the annual risk audit. Now, forward-thinking HR organizations are partnering with the core risk functions — e.g., Risk, Legal and Internal Audit — to better identify, prioritize and monitor people-related risks, including black swan events that could threaten the entire business.

What’s driving this trend?

  • Black swans are becoming less rare. In a hyperconnected world, small trigger events that in the past might have been locally isolated now have the potential for global impact. Also, the dizzying pace of change increases the number and frequency of trigger events, making it hard for organizations to stay on top of all the risks they are facing.
  • People risks are headline news. Whether it’s a management team that cooks the books or a nationwide shortage of math and science talent, the tremendous impact that people-related risks can have on a company’s bottom line, market value and prospects for future growth is becoming better understood by business leaders.
  • The view of human capital risks is expanding. HR risk management used to revolve around regulatory compliance and the avoidance of lawsuits. Now, the focus is expanding to include the broad range of people-related risks that can undermine a company’s performance and prevent a business from executing its strategy. The growing significance of these risks has raised expectations about what HR can and should be doing to identify, prioritize, monitor, mitigate and report on people-related business risks.
  • Regulation is increasing. Although regulatory compliance is no longer the sole focus of Risk Management, it remains an important catalyst for action. In many cases, new regulatory requirements provide the initial impetus for broader improvement efforts. Also, regulators today are making examples of companies that fail to comply. The growing complexity of HR regulations and associated financial penalties, as well as the reputational risk for noncompliance, are raising the stakes and increasing the degree of difficulty in managing these nonnegotiable risks.

Download the full article: People risk is risky business!

Integrated Reporting practices based on findings from 100 JSE-listed companies

I have provided an introduction below to a publication (which applies to all members of the C-Suite) prepared by the Deloitte Integrated Reporting and Sustainability team, which discusses the state of Integrated Reporting practices in South Africa. The publication contains the key findings of the empirical research conducted on 100 companies listed on the Johannesburg Stock Exchange.

The analysis covered 7 subjects, 58 principles and 160 questions seeking to assess actual performance against good practice. The publication includes practical observations on certain topical subjects which appear to be a challenge for companies. I have provided an excerpt below and will send you the full report upon request.

If you would like to discuss the contents of the report in more detail, please contact Bertie Loots (bloots@deloitte.co.za), Nina le Riche (nleriche@deloitte.co.za), Johan Erasmus (jerasmus@deloitte.co.za) or Jaco Pretorius (japretorius@deloitte.co.za).

Integrated Reporting: Navigating your way to a truly Integrated Report

Integrated Reporting is the new kid on the block … and like many new kids there are great hopes for its future including the ultimate achievement of embedding a strategy that preserves long-term value, simplifying reporting and adding more meaningful information to a wide range of users. But where does the idea come from? What is it trying to do? And what is the current state of development?

And before you think this is just for the accountants, think again. Integrated Reporting aims to incorporate everything from strategy through to risk management; from financial reporting to the inclusion of usage of other capitals (think societal and environmental impacts). And it aspires to meet the needs of a wider group of stakeholders – employees, customers, suppliers and others. So everyone associated with an organisation in a significant way is likely to be touched by it.

At Deloitte, we see Integrated Reporting as enabling a process which enhances and preserves long-term sustainability in all its dimensions, without unduly sacrificing short-term performance. The Integrated Report is in turn an annual report that comprises a holistic and integrated representation of the entity’s efforts to enhance and preserve long-term sustainability in all its dimensions, without unduly sacrificing short-term performance.

Deloitte has released its second quarterly report on the state of Integrated Reporting in South Africa. The report reveals that Integrated Reporting standards have been adopted by more than half of South Africa’s listed companies. Although it is now necessary for these JSE-listed companies to include a statement of compliance with the principles set out in the King Code on Governance Principles (King III) in their annual reports, many companies are still scoring surprisingly low on corporate governance matters.

Download the publication: Integrated Reporting – Navigating your way to a truly Integrated Report

Deloitte Risk Advisory talks about how to use combined assurance to extract real value

This article, written by Mimi le Roux and Carla Clamp of Deloitte Risk Advisory, discusses the use of combined assurance to extract real value from the information your organisation pays so much to gather. If you have any questions or require additional information, contact Mimi at mleroux@deloitte.co.za or Carla at cclamp@deloitte.co.za.

Combined assurance – Taking organisations to the next level of maturity

Simply put, assurance providers are the internal and external people who tell managers what is on track and what is not within the company. They provide managers with information about the risks (hazards and opportunities) that have been identified within an organisation. They provide information about the measures that have been put in place to prevent hazards from occurring and reduce their negative impact if they do.

Further, they report on opportunities, particularly those in line with the company’s strategic objectives, and the steps that have been taken to encourage these positive events. Both functions are vital to an organisation’s health, heading off dangers and controlling damage while also eliminating the risk of not achieving strategic objectives.

However, assurance providers create a mass of reports, generating so much information that much of its value is lost as managers battle to account for it in their decision-making processes, while duplication and overlaps reported from several perspectives often skew the view.

Read the full article: Combined assurance – Taking organisations to the next level of maturity
