The case for CSR/ Sustainability Reporting Done Responsibly


IDENTIFY - MEASURE - MANAGE - CHANGE

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.


Case study: How Investec promotes information security

Investec is an international specialist bank and asset management group that provides a diverse range of financial products and services to a select client base in three principal markets, the UK and Europe, South Africa and Asia/Australia, as well as certain other countries. Investec builds information security and IT risk management capabilities across the group while promoting the responsible handling of personal data, so as to enable business continuity while protecting information assets by proactively identifying and mitigating threats to its people, processes, technology and data.

This case study is based on the 2019 Corporate Sustainability and ESG Supplementary Report by Investec published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Abstract

Investec recognises that information and technology resources are critical business assets, which need to be appropriately managed and secured. In order to promote information security Investec took action to:

  • provide information security training
  • promote cybersecurity

What are the material issues the company has identified?

In its 2019 Corporate Sustainability and ESG Supplementary Report Investec identified a range of material issues, such as gender, diversity and transformation, auditor independence, improving and sustainable returns, impact of the political and economic environment. Among these, promoting information security stands out as a key material issue for Investec.

Stakeholder engagement in accordance with the GRI Standards

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Investec engages with:

To identify and prioritise material topics Investec engaged with its stakeholders through the following channels:

Stakeholder group, followed by its methods of engagement:

Employees
  • Quarterly magazine
  • Staff updates hosted by executive management
  • Group and subsidiary fact sheets
  • Tailored internal investor relations presentations
  • Induction training for new employees
  • Regular staff communications
  • Dedicated comprehensive intranet
  • Senior management engagement breakfasts

Investors and shareholders
  • Annual general meeting
  • Four investor presentations
  • Stock exchange announcements
  • Comprehensive investor relations website
  • Shareholder roadshows and presentations
  • Regular meetings with investor relations team and executive management
  • Annual meeting with investor relations, group company secretarial, the chairman of the board, senior independent director and chairman of the remuneration committee
  • Regular email and telephone communication
  • Annual and interim reports

Clients
  • Client relationship managers in each business
  • Regular face-to-face, telephone and email communications
  • Meetings with senior management
  • Comprehensive website and app
  • Industry relevant events
  • Client marketing events

Rating agencies
  • Meetings with investor relations team, group risk management and executive management
  • Tailored rating agency booklet
  • Tailored presentations
  • Regular email and telephone communications
  • Annual and interim reports
  • Four investor presentations
  • Comprehensive investor relations website

Government and regulatory bodies
  • Active participation in a number of policy forums
  • Response and engagement with all relevant bodies on regulatory matters
  • Consulted with industry bodies

Equity and debt analysts
  • Four investor presentations
  • Stock exchange announcements
  • Comprehensive investor relations website
  • Regular meetings with investor relations and executive management
  • Regular email and telephone communications
  • Annual and interim reports

Media
  • Regular email and telephone communications
  • Stock exchange announcements
  • Comprehensive website
  • Meetings with executive management, economists and industry spokespersons
  • Dedicated third party public relations teams

Suppliers
  • Centralised negotiation process
  • Ad hoc procurement questionnaires requesting information on suppliers’ environmental, social and ethical policies

What actions were taken by Investec to promote information security?

In its 2019 Corporate Sustainability and ESG Supplementary Report Investec reports that it took the following actions for promoting information security:

  • Providing information security training
    During the reporting year Investec ran a modular computer-based training (CBT) information security awareness campaign, aimed to educate staff about the threats to Investec’s information, give them insight into the potential risks of data compromise, and to arm them with the knowledge they need to safeguard Investec’s (and their) data. A total of 81% of staff completed the training during the year. The campaign covered a broad range of topics consisting of the following modules:
    • Module 1 – Data protection: The different classifications of information, the importance of protecting it, and how to securely handle the information you access in your role
    • Module 2 – Cybersecurity: The threats you may face when you are online, the dangers of tricks and techniques used by cyber criminals, and how to guard against these
    • Module 3 – Mobile devices and social media: The risks associated with using mobile devices, the potential dangers of social media, and what you can do to keep your data and devices safe
    • Module 4 – Beyond the office: The importance of being vigilant and how to protect information when out of the office – be it at home, in public places, or while travelling
    • Module 5 – Security essentials: The fundamentals of information security, social engineering, and secure use of IT resources to safeguard both corporate and personal data.
  • Promoting cybersecurity
    Investec maintains a risk-based strategy incorporating prediction, prevention, detection and response capabilities, to ensure the group is adequately protected against advanced cyber attacks. Continual monitoring provides visibility and enables proactive response to evolving cyber threats. Investec maintains active participation in the global cybersecurity industry to stay current and relevant. Targeted attack simulations by external specialists are performed, to measure and improve cyber defences. These are complemented by non-technical exercises involving the board and senior leadership to evaluate and improve cyber incident response and crisis management.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

 

80% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.




References:

1) This case study is based on published information by Investec, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to Investec: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.