Pack P - Mock Q's Flashcards
(40%)
Rasim Hamid asks you to join him in his office:
‘I have brought you an extract from a Board minute. This matter is highly confidential. I need your advice on the following so that I can prepare for the next Board meeting:
- Evaluate the respective roles and responsibilities of Daistruk’s executive and non-executive directors at this stage of Carree’s acquisition of control.
Extract:
Mabalemi Maleka, Non-Executive Chair, reported that she had just been informed that Carree has acquired 85% of Daistruk’s equity and so has acquired control. She intended to contact her counterpart at Carree in order to offer the Board’s support. Ms Maleka said that she anticipated that Daistruk’s non-executive directors’ services would no longer be required and that the futures of the executive board members would be considered on a case-by-case basis.
Same position
All directors are in the same position as they were prior to Carree taking control. Board members will remain in place and are subject to the same contractual rights and duties as they were. Effectively, they continue to be responsible for Daistruk’s strategic management and must act to maximise shareholder wealth.
Assistance in takeover
It would be sensible for the CEO to contact his counterpart in Carree and ask how Daistruk’s directors can assist in the transitional period while the company is incorporated into the Carree group. Carree is likely to need information and advice about the management of Daistruk and about its operations.
Responsibilities to stakeholders
The board also has responsibilities to other stakeholders, particularly Daistruk’s employees. It should take whatever steps it can to ensure Carree intends to retain staff. The directors may feel they have personal responsibility to protect their jobs and make themselves valuable to Carree so they stand a better chance of being retained.
Responsibilities to clients
The Board also has responsibilities to clients. Initially clients may worry about the impact of the takeover on service levels, prices and continuity of the service. The Board should reach out to key clients to discuss the takeover and provide assurances in order to steady business.
NEDs
The non-executive directors are in a more complicated position because it’s unusual for a subsidiary to have non-executives and so their services may no longer be required. In the short term, while they are contracted by Daistruk, their primary role is to offer oversight and monitor the integrity of the governance procedures.
NEDs’ oversight during the takeover
The executive directors may be tempted to manipulate reports and records submitted to Carree in order to enhance their prospects of being retained by the Group. The non-executives should be wary of this, and report any such behaviour.
Non-controlling interest
The non-executives may feel a sense of responsibility towards the 15% non-controlling interest, at least in the short term. It would be logical to persuade Carree to buy any such minority out so that the group has greater freedom to pursue profitable strategies.
Offer governance advice
The non-executives may also be in a position to offer advice about governance matters to the board of Carree, bearing in mind that those serving on Board committees would have a good understanding of the executives’ strengths and weaknesses.
(30%)
Rasim Hamid asks you to join him in his office:
“Have you seen this article in this week’s newspaper? The board is really concerned that the proposed change in legislation will seriously harm our ability to trade. Changes to driving legislation have been suggested previously, but it seems the Roundland government could be very serious this time. We have engaged a firm of professional consultants based in Roundland to assist us in persuading the Roundland Government to not proceed with the legislative changes. The consultants were unable to persuade the Minister for Transport to consider an immediate halt on the change in law, so they briefed an opposition member of parliament who raised their concerns in Parliament. I need the following from you:
- Evaluate the ethical implications of Daistruk’s attempts to halt Roundland’s proposed legislative changes relating to the requirements for obtaining heavy goods vehicle licenses.
Extract:
The Roundland government is proposing new legislative reform to increase the minimum driving age to 21 and to introduce more stringent rules for anyone looking to obtain their heavy goods vehicle license. To obtain an HGV license, individuals would now need to have a full car license, be over 25 and obtain a professional driving qualification called the Driver Certificate in Professional Competence. Government officials are arguing that this will cut the number of deaths on our roads, reduce congestion, and reduce the chance of young drivers overestimating their skills. The acute shortage of HGV drivers has become a flashpoint in Roundland’s staffing crisis, leading to gaps on supermarket shelves and a string of warnings from large businesses about shortages of stock and even forced closures of their outlets. The shift to online shopping has created an insatiable appetite for drivers, warehouse workers and other staff to keep the logistics industry on the road. Yet this growing need for a bigger pool of qualified drivers has collided with this change in government legislation.
Objectivity
Daistruk’s board should pursue its responsibilities in an objective manner, without bias or influence. In this case, that suggests Daistruk should be free to work towards maximisation of shareholder wealth by offering Roundland’s government the opportunity to consider an update of the law. The government has been elected and should be permitted to fulfil its democratic duties, but that does not imply Daistruk should be forbidden from seeking changes in the law that may benefit the country. Governments often need to be alerted to the limitations of present legislation and the problems that it creates, so companies should be free to make suggestions and seek change.
Integrity
The concept of integrity would require Daistruk to be straightforward and honest in its dealings with the government. This doesn’t mean it would be unacceptable to lobby, merely that it shouldn’t be done under false pretences. For example, it is clear that Daistruk has an interest in bringing about this change to the law. The government will be aware of that interest and can take it into account in any interactions with the company and in the evaluation of its arguments. The information provided by Daistruk should always be truthful, but this does not prevent Daistruk from presenting its case in the manner that suits it best.
Professional behaviour
The concept of professional behaviour would require Daistruk to comply with relevant laws and regulations, and to avoid any action that would adversely affect the reputation of the profession. The company may already be in breach of this, given that it persuaded an opposition member of parliament to act on its behalf. Political lobbying is an acceptable part of the democratic process, but only if those being lobbied are aware of the attempts to persuade them. It could be argued that it was unprofessional to persuade the politician to speak out in this way and to do so without stating the influence that Daistruk had brought to bear.
(60%)
“This article summarises the latest position with regard to our acquisition of HE Solutions. This is the first time we have had to deal with a subsidiary company that was previously an independent quoted company. It is also the first time that Daistruk has had to deal with minority shareholders. Our other subsidiaries are 100% owned and were established by Daistruk. I need the following from you:
- Discuss the governance challenges that the Board will face after the acquisition of HE Solutions, which was previously an independent quoted company.
Extract:
Daistruk has obtained a controlling interest of 83% of the equity of HE Solutions, the hydrogen electric vehicle manufacturer. HE Solutions is the only company to manufacture a zero-emission hydrogen-electric Heavy Goods Vehicle (HGV), which will have a range of up to 370 miles coupled with what it claims is an industry-leading refuelling time of just 15–20 minutes.
Daistruk had made a share-for-share offer that valued HE Solutions’ shares at a 12% premium over the price immediately before the bid was announced. Mabalemi Maleka, Daistruk’s Non-Executive Chair, commented that she was disappointed that a significant minority of HE Solutions shareholders had chosen not to take the offer, but she was satisfied that Daistruk’s Board had a controlling interest. She was confident that the minority shareholders, most of whom are employees of HE Solutions, would be impressed by the improvements that Daistruk had planned for the Group as a whole. Neither company law nor stock exchange requirements in Roundland give minority shareholders with less than 20% of a company any specific rights. A parent company must own at least 90% of a subsidiary before it can force minority shareholders to sell it their shares.
Organise the subsidiary’s board
The most immediate challenge is to organise the subsidiary’s board so there is no doubt as to leadership and responsibility for strategic direction. The acquisition does not directly affect the appointments of HE Solutions’ board, who will remain in post in accordance with their contracts of employment. HE Solutions’ directors may not wish to remain in post, because the acquisition will cost them their autonomy. They will now be directly accountable to a parent company board.
Less prestigious
HE Solutions’ board may feel that remaining in charge of a subsidiary is less prestigious and that they have to leave for the sake of long-term career progression. Daistruk’s non-executive chair should meet with HE Solutions’ board as a matter of urgency to determine their immediate intentions. A succession plan will have to be put in place for any HE Solutions directors who intend to leave.
Board structure
The positions of any HE Solutions directors who wish to stay will have to be considered carefully and ratified appropriately. Directors cannot remain simply because they want to stay; the nomination committee should review the structure of the Daistruk board to consider whether it would be appropriate to make a new appointment to the parent company board. It may be considered necessary to have a director with some manufacturing experience to ensure HE Solutions’ operations are integrated at a strategic level.
Restructuring
The nominations committee should also consider whether HE Solutions’ Board needs to be restructured, as most strategic decision-making will be taken over by the parent company Board in any case. For example, it may not be necessary for HE Solutions to retain a full complement of full-time directors, because the main Board can deal with strategic management of, say, finance for the group as a whole.
Parent’s direct responsibility
HE Solutions is joining the Daistruk group, and so the parent company Board has direct responsibility for ensuring that the new subsidiary’s operations are properly managed and controlled. The Board should consider having HE Solutions’ senior management team create a briefing about the business and its current strategy. The Board should work with the management team to establish whether there should be a change in strategy in order to ensure the acquisition’s success.
Internal Audit
The board should request a thorough examination by Internal Audit to review controls and report any compliance issues to the Audit Committee. Ideally, there should be a consistent set of controls across the group and so Internal Audit should also be asked to determine the extent of any adaptation to Daistruk’s existing rules that will be required to cover any specific matters required by HE Solutions. The Board should then ensure any changes to the control system are communicated positively, so the staff are made aware they have the Board’s support and so compliance is mandatory.
Maximise shareholder wealth
Daistruk’s board has a responsibility to maximise shareholders’ wealth. Daistruk’s share price will reflect market expectations concerning the acquisition, which would have been informed by the Board at the time of acquisition. The Board has a duty to ensure synergies and other benefits promised in advance of the acquisition are delivered, otherwise the market will be disappointed and the share price will fall. Prior expectations will allow for the possibility that some expectations cannot be met, but the Board should do its utmost to achieve and, if possible, exceed benefits that were announced during the acquisition process.
Lost confidence
Apart from maintaining the share price, any failure will undermine confidence in the Board’s competence and integrity because it may create the impression the Board exaggerated the potential benefits to be obtained from acquisition in order to expand. In the event of any unavoidable disappointments, the Board should take care to ensure the facts are reported promptly and accurately.
(60%)
Rasim Hamid asks you to join him in his office:
“This Board minute extract summarises the latest position with regard to our acquisition of HE Solutions. I need the following from you:
- Discuss the key risks (other than currency risks) that may arise from Daistruk now diversifying and having a manufacturing facility for hydrogen electric heavy goods vehicles in Eastland and recommend suitable responses.
Henrik Gerding, Chief Executive Officer, reminded the Board that no decision has yet been made with respect to the acquisition of HE Solutions, the hydrogen electric vehicle manufacturer. They are the only company to start to manufacture a zero-emission hydrogen-electric Heavy Goods Vehicle (HGV), which will have a range of up to 370 miles coupled with what it claims is an industry-leading refuelling time of just 15–20 minutes. The acquisition would give the company first rights to these vehicles and the ability to implement them into its service offering. Doreen Sumpat, Chief Operating Officer, commented that HE Solutions’ Head Office is located in Media City in Westland but that all manufacturing is at the company’s factory in Eastland, where labour costs are low. The manufacturing process is slower and 45% more expensive than manufacturing an internal combustion engine. Labour accounts for 60% of this additional expense, and battery costs, which comprise another 30% of this difference, relate to batteries imported into Eastland. Programmers are on site to support the significant use of technology within the manufacturing process. Daistruk already has a programming centre in Eastland, focusing on software design for our inventory management systems such as the enterprise resource planning and warehouse management systems and the development of software to manage loads and select the most efficient routes for our transportation staff to take, where labour costs are high. Rasim Lopes, Chief Finance Officer, pointed out that Eastland’s currency, the E$, is very volatile.
Reputational Damage
If it’s suggested that the company is exploiting employees at a factory based in a low-wage country, we could risk our reputation and hence a loss of revenue if clients are discouraged from using our services. We should be using fair labour practices to support worker retention, equality and satisfaction. Any such boycott could affect all of its products, including inventory management, outsourced warehouse management or shared-usage transport, because any concerns will affect the company as a whole. The fact that Daistruk owns the factory directly makes any underpayment more significant, because the company cannot claim to have been misled over staff welfare by, say, a third-party supplier.
Reputational damage - recommendation
The first thing Daistruk should do following acquisition is announce a review of operations at the factory, including wages. It should ensure all employees are paid a realistic living wage so there are no grounds for criticism. The intention to conduct this review should be published and a credible independent observer should be appointed to report on the process and outcome of the investigation.
Difficult to divest
It will be difficult to downsize or divest the factory at any time in the future, which could prove costly for Daistruk in the medium or long-term. Closing the factory and making staff redundant in a low-wage country could lead to significant hardship which will be highly damaging to Daistruk’s reputation. This could mean Daistruk is committed to the production of hydrogen electric HGVs in Eastland even if demand is disappointing.
Difficult to divest - recommendation
This risk can only be addressed pre-acquisition. Daistruk’s Board will have to conduct detailed scenario planning to evaluate the likelihood that the factory will be a successful element of the acquisition. Once the acquisition is complete, Daistruk will have to accept the risk of disappointing performance unless matters deteriorate to the point where the company can justify its disposal.
Industrial action
The programming staff at Daistruk’s Eastland programming centre for its ERP/WMS systems may use any pay increases at the HGV factory to seek an increase in their rates of pay. That could lead to a deterioration in morale and even the threat of industrial action at the programming centre, which could delay the completion of crucial software updates and cause an increase in programming errors. The fact that any increase at the factory would be to remedy underpayment by previous owners would not necessarily prevent dissatisfaction at the programming centre.
Realistic and competitive salary scale
Daistruk should ensure the salary is competitive at its Eastland centre, taking a fair and defensible account of the local cost of living and allowing for the qualifications and experience required of staff at different levels. That salary scale can then be used as the basis for salaries paid to staff at the factory, seeking equivalence between roles and backgrounds. That should prevent the programming staff from complaining about underpay in comparison to the factory staff.
Concerns over job security
Programming staff at Eastland may be concerned that acquiring this factory could affect their job security and career prospects in the medium term, because Daistruk’s Board may feel they have an incentive to promote the use of hydrogen electric vehicles rather than its original service offering. The programming staff at the two locations may feel they are effectively in competition with one another.
Concerns over job security - recommendation
The Board should develop long-term plans for the programming staff at both locations, making clear the company’s reasons for acquiring HE Solutions and that it believes there is a viable market for all of its offerings. It should also be made clear that it would be unrealistic to exchange the functions of the two programming centres, because different hardware devices require different programming languages and so staff at both locations would require retraining.
(40%)
“As you may have heard, we moved our data processing and storage to Cloudharr, a cloud services provider, six months ago. I have brought you an extract of the board meeting minutes, as I have had several Board members ask me for clarification. I need the following from you:
- Recommend the disclosures that we should make in Daistruk’s annual report on principal risks with respect to our switch to Cloudharr.
Extract:
Daistruk has two major data centres: a primary processing facility and a hot backup. The primary data centre is located on the outskirts of Capital City in Roundland.
The primary facility was in desperate need of an upgrade, and the hot backup system was already close to full capacity and would not have been able to cope with any further expansion. Daistruk employs a large number of IT professionals, such as programmers and analysts who maintain and update Daistruk’s software, as well as IT technicians and engineers who monitor and maintain the hardware at the data centres and their network connections. Therefore, it was approved that data storage and processing be transferred to a cloud services provider. The Board expressed its thanks to Andrea Lopes, Chief Information Officer, for her hard work on moving Daistruk’s IT function to Cloudharr, a cloud services provider. Cloudharr was established five years ago, and it has grown steadily since. It is based in the country of Northalia, which has excellent infrastructure to support data processing operations. Andrea Lopes delivered a briefing on some of the implications of the switch to the cloud. These included the fact that Cloudharr paid an independent accounting firm to investigate and report on the security and control systems that operate within Cloudharr’s data centres. As is common in this industry, Cloudharr does not permit its clients to conduct their own investigations.
The recommendations below are based on AICPA guidelines, which are considered best practice rather than law.
Data recovery
It is already acknowledged that Daistruk is heavily dependent on its IT systems in order to remain operational, ensuring all movements of goods are planned and executed on time and as efficiently as possible. Data recovery needs to be an important element of Daistruk’s corporate disaster recovery plan, as any system downtime would be disastrous for all operations of our business, and for client operations where we manage their warehouse or they use our software to manage their inventory and transport. That risk will have to be expanded upon to reflect the fact that the management of the servers has been delegated to a third party.
Ongoing monitoring
The shareholders will have to be warned that Daistruk’s board has no direct access to the servers and cannot monitor Cloudharr’s operations. These risks are mitigated by the fact there are formal standards relating to risk management and that those can be used to measure the potential effectiveness of control systems. Cloudharr publishes regular reports on its adherence to those formal standards.
Security of clients’ data
Daistruk will be entrusting the security and privacy of our clients’ data to a third party that is based in a foreign country whose data protection laws may differ from Roundland’s. If Cloudharr abuses Daistruk’s data, it could leave Daistruk exposed to legal action under Roundland’s legislation, which could result in penalties in the region of R$40M (2% of revenue, based on 2022 revenue), and customers would likely flee to our competitor Carree. Cloudharr could agree to respect the laws as they prevail in both Roundland and Northalia.
Legal advice
Daistruk could take legal advice to check that the two countries’ laws are not in conflict on any material issue. The risk can be mitigated by setting detailed service-level agreements that specify the safety and security of all data in Cloudharr’s possession. The agreement should also cover levels of reliability, availability and responsiveness of systems and applications; specify who governs when there is a service interruption; and describe penalties if service levels are not met, e.g. Cloudharr guaranteeing 99.999% availability of its services.
Location
The data centres are located in Northalia which could prove a problem if there are technical difficulties that affect data connections in Roundland. This risk could be mitigated by obtaining a detailed report on the infrastructure that enables Northalia to communicate with the rest of the world. It should be sufficient to establish that it would take more than the failure or destruction of a single cable/hub to sever links to Roundland.
Risk of liquidation
If Cloudharr goes into liquidation, its support of Daistruk’s operations would cease immediately. Cloudharr would have sole possession of Daistruk’s data files, which could create significant difficulties in terms of ensuring their safe return. Daistruk should ensure it retains legal ownership of various software licenses for the programs used by Cloudharr and ownership of the data itself. This should enable Daistruk to seek the return of its data and the immediate establishment of a replacement system with a different cloud-service provider with the least possible delay.
(40%)
Rasim Hamid asks you to join him in his office: “As you may have heard, we have unfortunately been victim to an act of fraud carried out by one of our own employees. I have printed an extract of the board minutes from our discussion of this issue; however, I have another meeting to attend and so require your help. I need the following from you:
- First, recommend and justify internal controls that we might introduce in order to prevent a recurrence of the fraud described in the board minutes.
Board minutes:
The Chief Internal Auditor provided the board with an update in relation to the misappropriation of goods by a Daistruk employee. As you know, Daistruk operates 90 warehouses belonging to clients, providing both the labour and all aspects of inventory handling, covering storage space optimisation, fast order fulfilment and reduction in waste, and they get to utilise our advanced software. The big bonus is that we can ultimately ensure they can focus on their own core business. Within a warehouse environment, damage to goods can happen, especially in warehouses that deal with a large amount of inventory and heavy-duty equipment. While it’s difficult to completely avoid damage, Daistruk is always looking at ways to reduce it, but from time to time these things happen and there is a need for us to write inventory off.
Last week, we received a call from one of our clients, RapidWash, whose 4 warehouses we manage for them. They had noticed a significant rise in the value of write-offs in their financial statements and were very concerned when a customer had tried to call their customer service team wanting to claim a guarantee which comes with every sale of their washing machines. RapidWash requested proof of purchase or delivery, or the paperwork available in the instances whereby a customer purchased a new-build property which contained RapidWash products. This customer was unable to provide this, but the customer did provide the serial number on the washing machine, which did raise concerns. It transpires the serial number tracks back to an event in one of the warehouses where washing machines sustained damage and were in fact written off. When questioned on where they had purchased the washing machine, the customer claimed they paid good money for the machine from a local marketplace website, but soon hurried off the phone! Upon reviewing the CCTV in all 4 of the client’s warehouses, it flagged that one warehouse had a number of unusual events occurring: there have been numerous unidentified vans coming and going, despite the fact there are gates with an intercom system! It has also been noted that on occasion CCTV in certain parts of this warehouse has been turned off, interestingly after 6pm when senior managers have usually gone home and only a few staff members with things to finish off are left. Daistruk questioned the 24hr security team, who claimed to know nothing about CCTV being turned on and off and claim that only authorised vehicles are ever permitted onto the site. Security claimed that sometimes CCTV can be unreliable due to network issues and insufficient power. Other staff throughout the warehouse have also been questioned and again, all claim to know nothing.
Write off process
A stronger process for the writing off of any products which are not saleable should be implemented. It’s clear that employees have been able to gain access to written-off inventory and somehow remove these units from clients’ warehouses and sell them online. The process for writing off could be undertaken by management alone, with only management aware of where defective units are stored, and with an added layer of security of removing serial numbers so that customers would know, upon purchase, that it’s not a legitimate product.
Destroy defective products
Following on from the write-off process, it may be a better solution to destroy any unsellable products from RapidWash or other clients. This removes the threat of products being stolen and sold fraudulently. Whilst the wastage isn’t ideal, the products could be stripped of re-usable material prior to being disposed of.
CCTV
It’s clear that better controls are needed for CCTV. A backup should be implemented which kicks in when there’s any CCTV downtime. If there are network or power supply issues, these should be addressed. Controls should be in place that require the security team to escalate these issues to avoid recurrence.
Visitor log
Given that there are unidentified vehicles entering and leaving the premises, we should introduce a visitor log and require managerial approval for workers staying late to ‘finish bits off’. Employees should also not be staying after their shift, as this is not the culture we want to embrace at Daistruk; in an ideal world, all employees would finish together.
Manager oversight
Following on from the above, we could require a manager on site at all times to supervise any necessary overtime and to leave only once all other employees have left the premises. No employees should be left in a warehouse without managerial presence, which would remove the opportunity necessary for theft.
Anti-fraud culture
Daistruk should place a greater emphasis on anti-fraud culture and risk awareness. Employees should understand their responsibility for identifying risks, and annual training should be provided on how to prevent and detect fraud. Employees should be asked to confirm they have read and understood the anti-fraud policies and procedures Daistruk has in place. This should be made mandatory for all employees.
Whistleblowing policy
Daistruk should have a formal whistleblowing policy in place. This would allow employees to raise concerns whilst remaining anonymous. Any concerns should be reviewed and followed up by the board. This could also be supported by managers operating an open-door policy, where employees feel comfortable raising their concerns with managers, to ensure potential cases of fraud are reported in a timely manner without fear of reprimand. This should also form part of the annual training.
(50%)
Hi,
I’ve just come out of an emergency board meeting. It was not a pleasant experience I can tell you! I had to make the board aware of an ‘issue’ that has arisen in relation to our relationship with our customer Haven Homes. Haven Homes are currently Roundland’s largest building firm, and previously, they were looking to find a strategic partner that could facilitate the smooth and efficient running of their 5 warehouses across Roundland – providing both labour and all aspects of inventory handling. At the time, members of the Haven Homes’ Board had raised concerns about our ability to ensure the right goods were at the correct building sites and to meet the tough deadlines imposed in the building project. In December 2022, the Board of Haven Homes dropped their concerns and subsequently signed the contract with us, guaranteeing our company a huge influx of revenue. Last week, however, a junior member of our finance team was reviewing our costs for the Board of Directors from 2022 to understand some large changes to the budget for the latter half of 2022. They noticed some unusual payments that had been authorised by a Client Liaison manager. These included a weekend of ‘entertainment’ in Monaco in October 2022 for two members of the Haven Homes Board and two members of our client liaison team. The total cost was R$5,500 per person. Upon further investigation, the junior member of our finance team discovered that the client liaison manager who had authorised these payments had used the weekend away as an opportunity for us to ‘convince’ the two Haven Homes directors to vote for Daistruk to be their outsourcing partner for inventory management. When Henrik Gerding heard about this at the board meeting, he went nuts! He said that these payments were unethical and could significantly damage our reputation if they become public knowledge. He asked me to look into how these payments could have been made.
We have another board meeting planned for this afternoon. To prepare for the board meeting I would like your advice in relation to the following please:
- Evaluate the argument that Daistruk has behaved unethically by offering a weekend of entertainment to a prospective client and recommend how Daistruk should respond accordingly.
Objectivity
The payments would be considered unethical if they breach any of the principles or are considered to be illegal. This weekend of entertainment could be considered a breach of objectivity. This is because objectivity means acting in a completely unbiased way. It seems the intention of the weekend was to encourage two Haven Homes board members to act in a biased way when awarding the contract for the outsourcing of inventory management.
Integrity
Integrity is straightforwardness and honesty. The weekend could be considered a breach of integrity in that it was designed to persuade two board members to overlook concerns about Daistruk’s ability to meet the tough deadlines imposed on building projects. If these concerns are overlooked as a result of the weekend, then build deadlines for new homes may be compromised, which could be considered a lack of fairness to the customers.
Professional behaviour
Any illegal payment would be considered to be unethical. The weekend of entertainment can be seen as an incentive to encourage directors of Haven Homes to use their power to ensure they award the contract to Daistruk. A bribe is an act of giving or receiving something of value in exchange for influence or action which would not otherwise have taken place. A bribe is also a type of fraud and an illegal activity; it is therefore unethical and would breach the principle.
Offering this weekend also demonstrates a lack of professional behaviour. To act with a lack of integrity and offer illegal incentives means those responsible are not acting in a professional way. The fact that Daistruk’s internal control systems have allowed this situation to arise indicates Daistruk has failed in its duty to act professionally. It indicates Daistruk’s culture and training do not sufficiently promote ethical behaviour and should be addressed.
Responding to the situation
High ethical standards are fundamental to Daistruk, and any lapse in ethics could damage Daistruk’s reputation. This could result in our customers seeking alternative service providers, like Carree, or simply reduce the likelihood of customers working with us in general. Our response must be transparent, thorough, and honest to avoid reputational damage. It should include the following steps:
Investigation team: this should be led by Daistruk’s internal auditors or an external team of specialist auditors. The team should not include anyone who has been involved in the incident or has any preference over the outcome. Hence, the client liaison team should not be included.
Commence investigation: the team should be given resources and time to establish how and why the decision for the weekend of entertainment was made, including who knew about the arrangement. Daistruk needs to establish whether this was an isolated incident or a systemic issue. The team will look to establish whether other similar incentives have been offered to Haven Homes or other suppliers.
Communication with Haven Homes: Daistruk should openly communicate with the Haven Homes Board. They should inform the board about how the weekend may have impacted the integrity of the process for choosing a strategic partner to manage their warehouses. The Haven Homes Board will likely review the decision made, and if the weekend was not disclosed by the two board members they may initiate disciplinary action.
Press release: we should ask Haven Homes to release a joint statement with Daistruk to openly admit our concerns, advise our findings and, most importantly, explain what we are doing differently going forward to ensure no questionable behaviour reoccurs in the future. This will show all stakeholders that Daistruk takes its ethical responsibilities seriously and is not afraid to admit and rectify mistakes.
(50%)
Hello,
I have attached to the email a news report that has just gone online. The Board decided not to pay the ransom and are meeting this afternoon to discuss some of the implications of these events. As you know our core cyber security objectives are that of confidentiality and availability.
I need your advice. Please could you:
- Discuss Daistruk’s core cyber security objectives given the implications of the ransomware threat, and analyse potential implications/shortcomings which could be rectified?
Extract:
Detectives from Roundland Police service have arrested three people who are suspected of attempting to extort a R$150million ransom from Daistruk, the logistics company. The officer in charge of the case revealed that Daistruk had contacted the Police rather than paying the ransom. The Police Service’s Cyber Crime Division were able to track emails between Daistruk’s Board and the blackmailers and managed to determine their location. The threatened encryption of Daistruk’s data had actually been a bluff!
One of the suspects had previously been employed at Daistruk’s data centre and she had provided details of its operations that had enabled her accomplices to make a convincing threat.
Availability
There is a need for Daistruk’s IT systems to be available 7 days a week, 365 days a year, for our operating hours so we can track client inventory in real time, respond to handling needs and manage loads for delivery with our transportation staff, to just name a few. If any of these systems break down it could impact our relationship with customers, as their own operations would be put in jeopardy and it would reduce the trust in Daistruk to deliver sustainable supply chain strategies and services, causing customers to potentially consider using a different service provider like Carree.
Further layer of security
Thought will need to be given to adding a further layer of security so that the threat arising from the linkage of our systems and client systems is countered. Presently, our IT managers are vigilant in monitoring potential threats and emerging vulnerabilities and keeping security software up to date, but it may be more appropriate to make backup copies of data files at regular intervals and for these to be scanned thoroughly for malware. We could also consider maintaining a hot backup at a remote site. In the worst possible case, this hot backup could be activated and brought online almost instantly, so no business would be lost.
Downtime
If our systems are compromised, it’s likely there will need to be downtime on our IT software, such as our IT-based inventory management software, and we will be unable to continue to manage customers’ inventory and enhance efficient transport. Our storage handling/warehouse management would come to a standstill, leading to a loss of company productivity, increased cost of labour, cashflow problems and more than likely a loss of income, as we may lose the goodwill of key customers like Muddocks supermarkets. We must ensure we have appropriate firewalls, encryption, and other cyber protection to best protect our customer network and servers from a breach.
Confidentiality
The nature of Daistruk’s business means it would not be possible to guarantee the absolute protection of confidentiality at all times. The systems we use are accessible through websites and apps, and in the case of inventory/warehouse management those systems are linked to the clients’ systems too. These linkages make it difficult to ensure unauthorised access to data will never occur. It may be necessary for Daistruk to plan for the possibility of minimising the disruption associated with breaches of confidentiality. For example, stored payment details might include customers’ credit card numbers, but not the three-digit reference number on the back of the card, making it difficult for hackers to abuse personal data.
Sensitive information
Daistruk holds a significant amount of personally identifiable information, including the names, addresses, tax and national insurance numbers and payment details of 22,000 employees. Therefore, we must comply with GDPR.
Significant penalties
Daistruk must ensure confidentiality is maintained to the fullest extent, as any breach will likely lead to a loss of business if customers have personal/commercial data abused. Any breach is also likely to have a significant financial consequence for Daistruk. We could be subject to fines, lawsuits and settlements significant in value. For example, any cyber security breaches that result in a data breach are subject to a fine for breaching legislation of up to 2% of global income for failing to maintain appropriate security. Based on 2022 revenue, this could be up to R$40M for Daistruk.
Reputation damage
If our systems are compromised, it’s likely our brand value will be adversely affected as a result, leading to a loss of customers who would most likely transfer to our competitors. This reputational damage will therefore cause a significant loss of revenue and have significant short- and long-term implications for Daistruk’s share price, which is currently trading at R$9.
(40%)
Rasim Hamid stops by your workspace and hands you a letter:
‘As you are aware we had a cyber security breach last month, and the Board have been looking at options to use Cyber Security consultants to manage this risk. I have brought you a copy of their proposal. As you can see, it’s very expensive to use them!
- Can you please evaluate the claim by CyberSecure that it can prevent any further unauthorised access to Daistruk’s system.
Proposal:
Dear Henrik,
Proposed consultancy agreement
It was a pleasure to meet with you and to discuss your cybersecurity needs following Daistruk’s recent data breach. As discussed, CyberSecure is Roundland’s foremost cybersecurity company. Our consultants are acknowledged experts, having been recruited from military and intelligence service backgrounds.
- We propose that we will design and install a security system that will prevent any further unauthorised access to Daistruk’s data.
- We will conduct an annual review and will upgrade the system in response to emerging threats.
- In the interim, we will conduct penetration tests that will involve our consultants attempting to obtain unauthorised access to your files.
- We will report our findings and will remedy any vulnerabilities that our tests reveal. Our charges will be as follows:
- Initial design and installation R$2 million
- Annual review and upgrade R$1 million
- Penetration testing and responses R$150,000 per month
We look forward to doing business with you.
Yours Sincerely,
Sam Meakin
Unknown Threats
CyberSecure has an incentive to sell its service for its own self-interest, so it may be guilty of exaggerating its ability to prevent ANY recurrence of a data breach. It could be argued hackers always have the initiative and so they will always have an advantage over IT security providers. Information technology is constantly changing, which means new hardware and software is constantly being developed to assist hackers. There is always a risk that an unknown threat will emerge and succeed in breaching the security measures, despite CyberSecure’s promise.
Regular updates
The fact that CyberSecure are offering to conduct regular updates and ongoing reviews confirms the above point that new threats are constantly emerging. These reviews will only prove effective if the consultants are aware of specific threats being developed, so they can identify vulnerabilities before they can be exploited. The hackers are likely to always be ahead, and so CyberSecure may have to rely on reported cases to keep updated, hopefully allowing Daistruk to benefit from other companies’ misfortunes; but this ignores the earlier point that Daistruk may be an early victim of a new threat.
Emerging threats
A company that falls victim to a data breach may not want to publicise it, in case it encourages other hackers to attempt to hack its systems, or it may want to avoid further adverse publicity. Therefore, IT security companies can only deal with threats they know about, which could be a problem if emerging threats are not shared. It could be that CyberSecure and Daistruk’s internal security staff are not aware of serious threats until long after they are deployed, as nobody has an incentive to share data breach information. It’s likely a company may only discover a new threat after it has been a victim of it, particularly in fast-paced companies implementing automation with complex IT systems. This makes Daistruk more exposed to emerging threats.
Spyware
Some breaches of IT security are designed to never be uncovered and remain undetected. For example, a hacker may wish to gather valuable information, such as pricing details for real time tracking of Daistruk’s clients’ inventory on behalf of a competitor, like Carree, and avoid any activities that would come to the attention of Daistruk. CyberSecure’s guarantee is only worthwhile if the consultancy is certain it’s aware of all low-key threats.
Staff incompetence/dishonesty
CyberSecure cannot prevent incompetence or dishonesty by Daistruk’s staff. Individuals may be persuaded to reveal secure and confidential information, such as usernames and passwords. This could become apparent during penetration tests, where Daistruk staff may reveal a weakness in the system to a potential hacker. Daistruk staff could also fall victim to phishing emails from hackers, compromising user credentials and data held on the enterprise resource planning systems/warehouse management systems used by Daistruk to manage customer inventory.
(50%)
Hello,
Doreen Sumpat provided me with some information about a proposed investment for Daistruk today (see attached memo). The aim is to ultimately expand our offering so that we can deliver direct to the end consumers. This looks like a sensible investment opportunity, although it will obviously involve significant set-up costs. We need to evaluate this in more detail. Please identify and evaluate the strategic risks that Daistruk will face in the proposed investment and recommend how they might be managed.”
Proposal:
Dear Rasim,
I have completed my initial report on the proposed investment. Daistruk will be pioneering an exciting new concept: drone deliveries. Daistruk will be able to start offering business to consumer deliveries with the use of drones, ensuring that the delivery costs are cheaper to the end user, and they give quicker delivery times. By taking advantage of the open sky above, Daistruk will be able to reduce the size of their road-bound delivery fleets, reducing congestion on Roundland roads and emissions. The first stage of the investment will involve purchasing land that is currently for sale in the remote region FarAway in Roundland and building a transportation holding facility, which is where goods will first be delivered to using conventional transportation and from where the last mile delivery officially starts, i.e., the drone takes over. The drones will be able to carry up to 5 pounds and can travel at a speed of up to 50 mph at 400 feet. Daistruk plans to partner with Muddocks Supermarkets to offer food delivery to customers’ doorsteps in rural areas in Roundland. This will hopefully enhance our consumers’ belief in our vision to have a positive impact on all stakeholders through the provision of sustainable supply chain strategies and services. This is a summary of the key findings from the report:
- We will purchase the land for R$5 million and there will also be a comprehensive programme of building work with significant costs needed to convert the land into a state-of-the-art transportation holding facility. The costs associated could change depending on the building regulations.
- Daistruk has never offered this type of delivery before so will need to partner with a commercial drone manufacturer and hire individuals capable of remotely piloting them. We envisage that will cost a further R$2m. This includes the need to get Max’s teams involved.
- The proposed development of a transportation holding facility would be subject to planning permission. We do not envisage Roundland government having any objections to our plans.
- To be able to offer drone deliveries, Daistruk will need to secure approval from the Federal Aviation Authority (FAA) to begin carrying out test deliveries. If approval is granted, Daistruk will be given the same certifications as smaller airlines; they will be allowed to charge for deliveries of goods to clients in City Centre, where we plan on conducting our initial pilot with retailer Muddocks supermarkets.
Staff recruitment
Drone pilot operators require a remote pilot certificate to operate a drone, and must be competent in designing flight paths, consider weather conditions and be aware of local drone regulations, possible obstacles and how to respond in a hazardous situation. Through incorrect recruitment there is a risk we inadvertently hurt someone or cause accidents with larger aircraft. This would ultimately result in poor reviews/word-of-mouth feedback and negatively impact the reputation of the drone delivery service. To mitigate this risk, Daistruk’s Board should involve Max Foster in a stringent recruitment policy, ensuring all due diligence is carried out on prospective drone operators. Daistruk also needs to ensure they are providing the opportunity for feedback from customers on their opinions/concerns relating to the drone delivery service.
Level of demand for drone deliveries
The level of demand for this service is unclear, and there is a risk demand is too low to warrant the business case for drone delivery services. Drone delivery has never been used in Roundland before, hence customer buy-in may be low due to fear of the unknown. Significant costs of an estimated R$7M would be incurred to partner with a commercial drone manufacturer, train staff, ready the land and operate transportation, with little mention of the recurring ongoing costs. Resources, time and money could be wasted, and Daistruk needs to consider the opportunity cost and other growth opportunities before going ahead with such a venture. This risk can be mitigated through market research into whether potential customers would utilise the drone delivery service and how much they would be willing to pay. This information may help with clarity on the proposal and on going ahead with the investment. To carry out the market research, employees could field questions from the public at Muddocks’ stores (who would be the potential customer base) and conduct demonstrations to help build confidence in the new service.
Planning
It’s stated in the proposal that the Roundland government wouldn’t have any concerns with approval for the proposed facility. This may be the case, but there is a risk the planning process will be more complicated than envisaged, with significant costs, as the government will need to consider the impact on the local economy, the impact on the environment and the sustainable needs of future communities. Failure in the planning process could render the entire proposal worthless. To mitigate this, Daistruk could hire a professional in multidisciplinary architecture to produce quality designs that comply with Roundland’s laws and regulations in relation to a transportation holding facility, as well as monitoring Daistruk’s application as it is being processed. A planning and architecture firm can handle all technical issues that may arise in the application process and has knowledge of relevant parties who may be affected by the development, helping to prevent issues before they arise.
Public safety risk
A delivery drone, capable of flying at up to 50mph, has sufficient power to seriously injure someone via brute impact or propeller blades. As the weight increases (to the limit of 5lb) this becomes more dangerous, and there are numerous risks associated with a drone failure, such as gearbox, motor, battery or sensor failure or general malfunction, which could cause blind flying and injure people or damage property. This would significantly affect Daistruk’s reputation and litigation could be taken against them. To operate drones safely, safety measures need to be installed, such as redundant sensors, logic controllers and reserve batteries, each adding further cost to the device. Daistruk would also need to focus on flying over unpopulated, low-density areas to minimise safety issues.
Costs
There is a serious risk the costs of the project are understated, and it’s clear Doreen is still identifying how the new space would be utilised. If actual costs are significantly over the budget there could be serious financial risk for Daistruk including liquidity concerns and ability to meet financial obligations. To mitigate this, a clear design plan should be produced with detailed budgets for each component. This should be done prior to any progression, as costs need further clarity before this is proposed to the Board.
(40%)
Hi,
Daistruk was established in 1958 as a transport company to move building materials for the construction industry; having grown rapidly, in 1978 it was listed on Roundland’s stock market. As such it needs to comply with Roundland’s Corporate Code of Governance. Can you please:
- Firstly, evaluate the strengths and weaknesses of the current board structure of Daistruk and recommend changes or improvements which will help Daistruk comply with good corporate governance practice?
Strengths - board committees
Good corporate governance requires audit, remuneration and nomination committees as a minimum. Daistruk have all of these, as well as a risk committee. Regarding remuneration, a key principle is no director sets their own remuneration. The remuneration committee should also only consist of Non-Executive Directors (NEDs) which Daistruk also adheres to.
Strengths - senior independent director
Professor Hongyu Liu acts as Senior Independent Director, effectively a sounding board for the Chair, someone with whom the Chair can test out ideas and seek a second view. Hongyu will also serve as an intermediary for other directors, particularly if there is an issue concerning the Chair, e.g. a lack of independence. The Senior Independent Director will also be available if shareholders have concerns that have not been resolved by other members of the Board of Directors. This role helps provide transparency, accountability and disclosure in the working of Daistruk, gaining the trust of stakeholders.
Weaknesses- balance on board
There are currently three independent NEDs, excluding the Chair, to five executive directors on Daistruk’s board. This means the executive directors and the Chair (who doesn’t appear to be independent) can outvote them. Good corporate governance recommends there is a majority of independent NEDs on the board, including the Chair, and so Daistruk should appoint at least two more NEDs to maintain an appropriate balance.
Weaknesses- audit committee
It’s likely the Roundland Code of Corporate Governance will suggest at least one member of the Audit Committee should have recent and relevant financial experience. The current members are Mabalemi Maleka, Professor Hongyu Liu and Khaled Abbas, none of whom seem to have up-to-date knowledge of current accounting standards/issues. It’s therefore imperative Daistruk adds a new NED to the board, and to this committee, who has recent financial experience.
Weaknesses- Chairman
The committees should not be chaired by the non-executive Chair, Mabalemi Maleka. It’s not clear who chairs the committees, but Mabalemi sits on the Audit, Risk and Nomination committees. The non-executive Chair can be a member, but if she is chairing any of them this needs to be changed to another committee member.
Weaknesses- Internal Audit
Daistruk does have a Chief Internal Auditor and we should ensure the auditor is supported by a separate internal audit department with appropriate resources. In turn, this will provide Daistruk with an independent and objective assurance activity designed to add value and improve an organisation’s operations. Internal auditing improves an organisation’s effectiveness, efficiency and supports the audit committee.
(50%)
Hello,
As you know all our operations are heavily dependent on IT systems for financial recordings ensuring that all movements of goods are planned and executed on time and as efficiently as possible. We have access to thousands of employees’ personal identifiable information, as well as our client’s data. The risk committee of Daistruk have just informed me that they have identified a significant risk relating to sensitive data stored in our database.
Significant and adequate controls are in place to prevent hackers or other external parties from accessing the records that are on Daistruk’s system but the controls relating to staff are far weaker. Unfortunately, we have paid the price of weak controls here. A disgruntled or dishonest member of staff seems to have accessed the system and obtained data regarding where and when high value goods will be in transit to a criminal gang that have subsequently carried out a series of well-planned thefts on inventory in transit. It seems the criminal gang were in possession of real time data and now questions are being asked as to how this came to be. I need your help:
- Evaluate the arguments for and against asking our Internal Audit Department to identify the person whose actions provided the attacker with the file of spectator e-mail addresses.
Role of internal audit
The internal audit department is available to the Board to conduct investigations and reviews in any manner the Board sees fit. The Board should have sufficient experience of working with Internal Audit and relying on their reports to trust them with this task. An internal audit team could be assembled quickly because the team members will already be familiar with Daistruk’s systems and locations (including warehouses).
Advantage over an external consultancy firm
One big advantage is that Daistruk employees should already have had background checks, whereas external contractors would need these alongside draft contracts to ensure the work is completed to a sufficient standard. The consulting fee would be significant relative to the cost of assembling an internal team.
Independence of the Internal Audit Department
Internal Audit staff will be able to maintain some distance and independence of staff when they conduct their review. If the IT department were to conduct the investigation, IT managers might be reluctant to accuse colleagues of incompetence or dishonesty with regard to the management of customer data.
Internal Audit- knowledge of identifying vulnerabilities
Internal Audit staff should be experienced in the design of tests and the identification of vulnerabilities, and these skills would be brought to the investigation. Knowing how the system works will allow an efficient approach to the investigation. For example, the internal audit team may be aware of which colleagues were in a position to release the data and which were not, quickly narrowing down the potential perpetrators.
Damage relationship between departments
Using the internal audit team in this way could risk harming the relationship between internal audit and IT and undermine the effectiveness of future audit work. Internal Audit generally presents itself as a constructive service, aiming to reassure the departments under investigation and assist them to comply with rules and regulations.
Impact on future internal audit work
If internal auditors conduct a formal investigation into the possibility of an internal perpetrator relating to dishonesty or incompetence then future internal audit investigations will be affected by concerns that staff are under suspicion. This risk will be enhanced if disciplinary action against the employee is conducted following investigation.
Criminal investigation
Internal audit staff are not generally experienced in conducting criminal investigations as this is out of their scope of responsibilities. Therefore, using Internal Audit could lead to problems if the guilty party is identified but rules relating to criminal evidence are not followed. Any mistakes in the collection of evidence may result in it being inadmissible in court if Daistruk presses charges against the member of staff. It may be preferred to present police with initial grounds for suspicion that a member of staff behaved dishonestly in hope that the police agree to investigate.
(50%)
Hello,
As you will be aware we are always looking for new and innovative ways to use automation and technology to boost supply chain efficiency and deliver excellent service at all times within Daistruk. Over time, robots will be introduced into roles that are specific to business functions, such as admin roles, customer service and human resources. They can even handle speaking in 20+ languages. The idea will be to automate more manual and repetitive tasks. This will eliminate some existing jobs but could also enable some workers to focus on higher value, more rewarding and creative work by removing the monotony from their day jobs. The biggest benefit in the use of robots is that we would deploy them within our warehouse processes: they have capabilities to deliver inventory all over the warehouse, place and retrieve loads from set locations and will take over dangerous jobs such as getting items from high racks or storage spaces. It requires superhuman abilities to repeat the same repetitive, demanding, or dangerous jobs over and over again for many hours with exactly the same precision. Automating roles like picking and packing allows for a reduction in human errors, increased delivery speed and of course improved safety for our workers. It will be far more reliable, accurate and dependable than humans, and could enable us to reduce the storage space needed by clients in our shared user storage spaces. It will allow for stock picking in a more vertical and densely packed space, enabling Daistruk to share some of these cost savings with our clients but more importantly sell the freed-up space. We know our main competitor Carree currently doesn’t use automation within its warehouse management; this would really give us a competitive advantage. However, please see the attached news article, it looks like our potential plans have made their way into the media! I need your help:
- Please identify and evaluate the business risks that Daistruk will face in launching robotics in the warehouses and recommend how those risks might be managed.
Attachment:
Daistruk, the largest 3PL logistics provider in Roundland, is considering plans to replace a large percentage of its warehousing staff with robots. The company has already just completed the modernisation of both of its inland ports to be fully automated, meaning fully automated straddle carriers load, unload, and carry fully laden shipping containers to the desired location. Daistruk now plans to implement the robots throughout its 35 shared user and storage handling warehouses, then rolling it out to the 90 warehouses it operates on behalf of its clients, but the biggest impact is using them to undertake warehousing activities. Some employees have already about the use of robots in Daistruk’s warehouse located in Roundland’s central city, where the business has been trialling the use of robots specifically focusing on the benefits to one of their largest clients, Muddocks Supermarkets. Employees have stated they felt anxious that they would make mistakes and be replaced by a machine; they are now extremely concerned for their job security, and their ability to put food on the table. We also hear that Daistruk is also planning to use robots to undertake roles within the organisation’s office and they can even act like spy cams, secretly recording and analysing staff and any visitors without their awareness. The robots will also be doing security patrols and have the ability to taser any occupants if they feel that they are acting suspiciously. A spokesperson for Daistruk admitted that this would hopefully enable the company to directly reduce staff costs, reducing the heavy dependence on employees for picking and packing, and increase the company’s ability to compete on price with its direct competitor Carree.
Reputational risks
Clearly there is a negative spin on the news article relating to the potential plans and therefore, if this is an option, we need to be very careful to consider the reputational impact this could have in the immediate aftermath.
Reputational risks - manage the risk
It would be prudent for Daistruk to manage the risk by having good and clear communications with all stakeholders throughout the project in order to be transparent. It is key that stakeholders understand the strategic reasons for pursuing this strategy and that clients understand it would have no adverse impact on their levels of client service.
Costs overrunning
Daistruk must consider the significant cost of such a project, including staff training, redundancy payments and a budget for unforeseen costs. There will also be ongoing maintenance costs for the robots, and there is a real risk that the costs will be significantly higher than anticipated, as robotic process automation does not usually come cheap.
Costs overrunning - manage the risk
To combat this, Daistruk could implement very strict budgets for each stage of the project. Daistruk can review the typical outlay in relation to maintenance costs and put these out to tender in the open market to secure a reliable third party at a competitive price.
IT compliance
Daistruk needs to consider the information security, data protection, regulatory and control impacts that the robotics implementation will have. The robots will require integration with Daistruk’s IT systems, so the project presents a risk to IT compliance.
IT compliance - manage the risk
From a risk and controls perspective, robots should only have the minimum required level of access to perform their role, similar to what a human user would have performing the same process. The IT department and risk committee should critically evaluate the appropriate levels of robotic implementation and what potential problems/risks we may face.
Internal skills
From a business risk perspective, Daistruk may consider the robotic implementation to be a good strategic move. From an operational perspective, Daistruk needs to consider whether it has sufficient internal resource to deal with the robots on a day-to-day basis and whether staff know how to operate and maintain them effectively.
Internal skills - manage the risk
Daistruk can mitigate this risk by investing heavily in sufficient training at the outset. It may be beneficial to bring in external advisors for support in the initial stages of the project, where they can be called upon for operational support with resolving issues. Whilst some staff are inevitably going to lose their jobs, some could be retrained to undertake maintenance; however, it may be ideal to recruit externally for people with experience in this field.
Robots do not work as required
A key risk is that the robots do not operate as intended, which is a likely outcome if the operating model is rushed. If Daistruk makes lots of redundancies and then finds the robots are not as effective as expected, it may find itself unable to fulfil orders and lose its reputation for reliability.
Robots do not work as required - manage the risk
Similar to the previous solution on managing risk for internal skills, sufficient training from the outset regarding roles and responsibilities relating to the oversight of robots will help manage the risk. It would be ideal for Daistruk to have a prolonged testing period to gain confidence the risk is not significant before actioning redundancies. Compiling a contingency plan may also be helpful, perhaps a contracting agency Daistruk can call to help with workload if the worst case scenario arises and the robots are ineffective.
(50%)
Hi,
I have forwarded you an article that went online this morning. Needless to say, it has caused a great deal of embarrassment for Daistruk’s Board, significantly upset staff, and morale is at an all-time low. The story distorts the facts. As you know, the Board want to ensure we take care of our employees, so have agreed for a project team to investigate pay inequality within Daistruk.
The tablet computer belongs to Doreen Sumpat, Daistruk’s Chief Operating Officer, who had been travelling on business with me late last week. We had a series of meetings lined up over two days in relation to how we can put a robust approach in place to measure jobs and salaries to diagnose, understand and address salary variances in our workforce. We want to ensure that we keep our 22,000 employees motivated and happy to work at Daistruk, to ensure there is no reduction in our core value of delivering excellent service at all times. We stayed and ate in Hotel Harvard for the two nights we were away. The tablet is her own personal property. She uploaded some files and emails to it before travelling out of town for this business meeting, and the tablet was not in her briefcase when she got home, leaving her unsure whether it had been stolen or whether she had left it somewhere over the course of the business trip. Daistruk’s CEO has reminded me that we have a strictly ‘zero tolerance’ rule concerning data security and has warned me that Doreen may face dismissal.
- Please recommend, stating reasons, the controls that Daistruk could put in place to prevent a recurrence of this loss of compromising data.
Article:
Roundland Telegraph have come into possession of a tablet computer that contains confidential records in relation to the remuneration of Daistruk’s 22,000 full-time staff. The tablet computer was found abandoned in a bar in Roundland’s Hotel Harvard. The machine was found by an unnamed member of the public who left it with the Roundland Telegraph reception desk. Roundland Telegraph’s Business Correspondent reviewed the files and concluded that Daistruk has significant pay inequality amongst all its workers, especially amongst staff involved in the transportation side of the business, specifically those holding heavy goods vehicle licences. Staff involved in inventory management and warehousing functions are paid significantly less than the staff working in transportation. Is this a sign that Daistruk sees no future use for humans in its warehouse storage and handling processes? Imagine the demotivation to staff at the company, and the boost to company morale when everyone knows they are being paid fairly regardless of age or gender or how brazen they are during salary negotiations. Daistruk prides itself on trusting and respecting its employees, and most importantly on taking care of its employees by ensuring a safe working environment. So why not pay ALL workers fairly?! Hopefully shining a spotlight on Daistruk’s pay discrepancies will spur on some action!!
Personal Devices
No member of staff should be permitted to store or access files on any personal device, including mobile phones, tablets and laptops. If members of staff, like Doreen, require remote access to files, then they should be issued with equipment that has been evaluated by Daistruk’s IT department.
Issue with personal devices
Personal devices will not be registered, and may be insecure, meaning the company will be unaware of the scale of any vulnerability. If only company-issued devices are used, Daistruk will also be able to recover those devices from staff who leave the company, and so will not have to rely on ex-staff to delete files they had copied to personal devices.
IT Security Training
All staff should have a full induction and training on IT security before they are provided with a username and password, and this training should be refreshed annually. The training should highlight Daistruk’s legal duties to protect data and the extent of the threats arising from unauthorised access. This will ensure staff understand their duty to protect data and realise that any carelessness could leave them facing disciplinary action.
Policies for staff
Staff should be held accountable for portable devices being left unattended outside of their office or home. It should be made clear that any IT equipment which can access Daistruk’s data or connect to its systems should never be left in a position where there is an opportunity for theft. Doreen seems to be unsure where she left her tablet, indicating she may have a habit of leaving the device unattended.
Disciplinaries and a code of conduct
A serious disciplinary policy would assist in making staff more mindful of properly securing their devices. Similar to the training, staff should have to confirm annually they have read the employee code of conduct and understand it.
Hardware controls
All IT equipment should be secured by a combination of hardware and software that has been specified by our IT professionals and that offers a level of security proportionate to the data that can be accessed. Hardware controls include encryption of devices, passwords to gain access, and biometric controls to gain access to any corporate devices.
Software controls
This includes any software that wipes a Daistruk corporate device if a user repeatedly enters an incorrect password or otherwise attempts to force access to the device. Similarly, we should have the ability to issue a remote wipe command to any corporate device that has been reported as lost. Each device should be set up with two-factor authentication, so that a user would need both their own credentials and a token with a randomly generated number to gain access.
Data loss controls/protection
This specific loss of data was made possible by Doreen’s ability to copy data from Daistruk’s systems onto a personal device. Daistruk’s IT department should implement data loss controls that stop an employee being able to send certain types of data outside the organisation. This could include software that blocks external USB drives from being read or used within Daistruk, blocks uploads of information to websites, and limits access to sensitive data.
(50%)
Rasim Hamid returns from a Board meeting that was called to discuss a possible data breach. He asks you to join him in his office and hands you a document:
“I have brought you an extract from the minutes of this morning’s Board meeting. I need your assistance:
- Please evaluate the possible criticism that the data breach arose because of poor governance by the Board
Extract:
Joel Williams, Head of IT, updated the Board. To meet the changing landscape of inventory management, a number of years ago Daistruk created its own client user interface (a dashboard) which can be accessed through any web browser or mobile app. The platform allows clients to access information relating to their inventory, electronically instruct Daistruk to organise movements of goods, and enables smaller clients to organise one-off shipments. It puts all the information clients need to manage their orders and inventory at their fingertips, and it establishes real-time inventory visibility across the supply chain, including on-hand, on-order and in-transit stock, providing greater inventory accuracy and assurance.
It has now been confirmed that a large number of client accounts were accessed this morning from a blacklisted IP address. It seems that the hackers had tried to force the clients to re-enter their credentials, and while doing so prompted them to set a new password for their account. Access to client accounts to manage inventory was suspended immediately after the Head of IT Security suspected that there had been a data breach. Our client liaison department is currently drafting an email that will be sent to each of the clients whose accounts were accessed. It will warn them that confidential business information may have been accessed. The email will also advise them to seek advice from their bank as a matter of caution. The Board debated how to respond and have decided to email all users to warn them that there have been some “IT problems” and advise them to be very careful if ever unexpectedly asked to change their password.
Ultimate Responsibility
The board is ultimately responsible for everything that happens within a company, and so it is responsible for the data breach. This responsibility is not passed on when tasks are delegated; for example, maintenance of the risk register by the risk committee is still the responsibility of the board.
Expectations of stakeholders
Many stakeholders have exaggerated expectations of the effectiveness of control systems, especially where IT is concerned. They are aware of the safeguards that manage their access, they believe the procedures in place should be enough to protect their details and they do not think a data breach will happen to them.
User Responsibility
From the minutes, it looks like the breach was only possible because clients acted carelessly with their user credentials; however, this will only make the board more deserving of blame. The clients are likely to suffer losses and inconvenience, and could potentially seek compensation. On the other hand, the fact that they fell into the hackers’ trap may undermine their case, unless they can press Daistruk to accept liability.
Blame Daistruk
It is in the clients’ best interests to blame Daistruk and poor governance, i.e. a slack control environment. The argument will be relatively easy to sustain, as press coverage will likely focus its reporting on the victim, which is the client in this instance.
Obvious weakness
The risk was completely foreseeable, so the board may be open to criticism for not addressing the threat. This is a common problem in the aftermath of many crises, because the quality of governance is evaluated on the outcome rather than on the information available to management at the time. Boards often tolerate a risk if there is no cost-effective way of mitigating it, but in this instance even a simple email from Daistruk with guidance on how clients could protect themselves could have mitigated the risk.
Mixed messages
There is no question the message being sent to clients will come to the attention of the media and the conflicting messages to clients will make any criticism of governance even worse. There could be some customers who provided some details to the fake website but their accounts not accessed and so they will feel Daistruk’s response is unhelpful.
Lack of transparency
Daistruk risks putting the directors under greater pressure because it is issuing limited information on a need-to-know basis which could come off as lacking transparency. This would be in breach of one of Daistruk’s core values of acting with integrity when dealing with stakeholders and could lead to a damaged reputation and loss of revenue.