Challenges in Monitoring & Managing Third Party Risks
Full video transcript available below:
So what risks do people particularly want to monitor? Again, we don't think it's unsurprising but noteworthy nonetheless, IT and data security, which is an item that gets a big proportioned amount of news coverage, and clearly it's top of mind with the majority of people. So it's not an unexpected result. Mid-sized firms report the most sensitivity to this risk but smaller firms would on average rank this and the risk of corruption, so smaller firms saw corruption as one of the bigger issues. Banking is more likely to look out for corruption as well, so there was a correlation there. Smaller firms and their perceived exposure to operational risk was noteworthy as well.
So I think overall when you look at this, there's a wide range of risks that need to be managed, and again, it's kind of underlined the complexity and the difficulty in managing these programs. So [inaudible 00:24:36] risk management program needs to be capable of dealing with the worst set of issues, if it is to be practical and effective in protecting the organization, financially and reputationally. Then we have the question. Let's see here now. So we're going to ask you a poll here. What risks do you ... And this is the last polling question, so thank you for bearing with us.
What risks do you think are the most important to monitor? So from your perspective, and you can select up to three here, if you'd like, corruption, financial, IT/data, operational, or contract risk. ... So we're getting lots of votes here and some very strong responses in relation to one area. ... All very good. So we'll close there now and you will see the results just coming up. Okay. Very clearly, IT and data security way ahead of everybody else, disproportionate to the response items we have, but nonetheless, approximately the relative scores are about the same. Operational, financial, and corruption, they're all pretty much in the same order, so that's pretty clear. Thank you for participating there.
Okay. We'll move on to the next section. ... This is an important area because as we build through this presentation, now we only have a few more slides to go, there are lots, obviously, of issues to manage, lots of risks to take care of, regulators to look out for regulations, commerce and [inaudible 00:26:28], so there's a lot of difficulty in managing the risks. So we asked people in relation to that, and I'll read through the list. Because this relates really to the operational elements of a program, [inaudible 00:26:38] can you maintain a full list of all the firms' vendors. It sounds like a very easy thing to do but we know an operation is not.
Are you capable of gathering the necessary data to classify the risks represented by those third parties? That can often involve engagement with the third party, and trying to get responses and participation from them. Can you consistently score those vendors? So after you've got the vendors, and you've got the information, is there a consistent application of risk scoring and assessments? From that and your classification of vendors according to the level of risk that your program puts them at, how do you conduct screening and watch lists and so on? How is that being done, or is it difficult?
The ongoing due diligence, how's that look [inaudible 00:27:28] we see? At the Mondelez case, as we mentioned earlier on in relation to Cadbury, [inaudible 00:27:34] ongoing. In fact, in this instance or in that instance, a 100,000 payment to a third party by an organization that they bought led to a fine of, I think it was 13 million for them, even though it happened previously. Also, difficulties around managing the issues highlighted by the risk management program. So one of the things we've seen in enforcement actions is that if you've identified risks, you have to put a program of action in place to mitigate that risk. You have to do something as a result of the discovery.
Managing contracts is a fundamental element and we've seen it in what you just polled on there a moment ago, and it's critical because it's such a practical element of all relationships, and getting third parties to sign off on code of conduct and other attestations. We know that everybody has a difficulty in relation to this. What you notice is one of the findings here, they're all neck and neck, all of these issues are difficult to manage, and that in itself really is the finding. It is complicated and there's a lot of different things to be done. So no one thing really stands out. Obviously, there's a marginal here on the very first side on the full list of all vendors.