What are the material issues the company has identified?

In its 2019 Sustainability Report Alperia identified a range of material issues, such as security of supply, innovation, research and development, health and safety at work, asset integrity, energy consumption. Among these, promoting cybersecurity stands out as a key material issue for Alperia.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Alperia engages with:

Stakeholder Group

Customers

Workforce

Suppliers

Owners and Investors

Interest groups

Citizens

Research institutes

Community

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics Alperia engaged with its stakeholders though an anonymous online survey which 176 participants answered.

What actions were taken by Alperia to promote cybersecurity?

In its 2019 Sustainability Report Alperia reports that it took the following actions for promoting cybersecurity:

• Introducing new and better performing management systems
• In 2019, Alperia introduced new and better performing management systems both inside and outside the Alperia world, also including Artificial Intelligence (AI) platforms. Attacks are becoming more frequent and high risk. Most are perpetrated by extremely sophisticated AI software, which is why it is necessary to use the same language in defence. In 2019, Alperia did not suffer from any significant cybersecurity incidents, but is aware of how important it is to protect yourself with increasingly sophisticated barrier systems. This is why Alperia introduced a double layer antivirus system for email and all the documents are classified according to a specific confidentiality level (public, restricted, confidential). Updating activities continue with trials of the disaster recovery plan and adoption of protection systems against ransomware threats.

• Renewing the ISO 27001 certification
• In 2019, Alperia renewed its ISO 27001 certification, which was extended to include even more stringent checking. This international standard recognises the group’s adoption of a secure system for the management of company information systems (IT and documentary), to monitor and reduce management costs, ensure adequate service levels and monitor and reduce the risk of possible outages. The certification is subject to an annual audit, with additional checks carried out by the group’s Internal Audit. During 2019, Alperia’s business continuity plan was also developed to be activated in the event of attacks. In compliance with the requirements of Europe’s GDPR regulation, a Data Protection Officer (DPO) was appointed external to the IT department. A new privacy-by-design procedure was developed, to be carried out at the start of each new project in order to check if it meets the standards set by privacy and GDPR legislation.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

• Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
• Targets: 16.3, 16.10

 

78% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

7 GRI sustainability disclosures get you started

Any size business can start taking sustainability action

GRI, ISEP, CPD Certified Sustainability courses (2-5 days): Live Online or Classroom  (venue: London School of Economics)

• Exclusive FBRH template to begin reporting from day one
• Identify your most important impacts on the Environment, Economy and People
• Formulate in group exercises your plan for action. Begin taking solid, focused, all-round sustainability action ASAP. 
• Benchmarking methodology to set you on a path of continuous improvement

See upcoming training dates.
References:

1) This case study is based on published information by Alperia, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to Alperia: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.

What are the material issues the company has identified?

In its 2019 Corporate Sustainability Report Sempra Energy identified a range of material issues, such as reliability, affordability, greenhouse gas emissions, public safety, disaster preparedness and response. Among these, promoting cybersecurity stands out as a key material issue for Sempra Energy.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Sempra Energy engages with:

Stakeholder Group	Method of engagement
Customers	·      In-person meetings or phone calls ·      Open houses, town hall meetings ·      Ethics & compliance helpline ·      Website content ·      Surveys ·      Print or social media
Communities	·      In-person meetings or phone calls ·      Open houses, town hall meetings ·      Ethics & compliance helpline ·      Website content ·      Corporate sustainability report ·      Facility tours ·      Surveys ·      Print or social media
Employees	·      In-person meetings or phone calls ·      Open houses, town hall meetings ·      Ethics & compliance helpline ·      Website content ·      Corporate sustainability report ·      Facility tours ·      Surveys ·      Print or social media
Investors and shareholders	·      In-person meetings or phone calls ·      Open houses, town hall meetings ·      Ethics & compliance helpline ·      Website content ·      Corporate sustainability report ·      Facility tours ·      Print or social media
Regulators, elected officials, community leaders	·      In-person meetings or phone calls ·      Open houses, town hall meetings ·      Ethics & compliance helpline ·      Website content ·      Corporate sustainability report ·      Facility tours ·      Print or social media
Suppliers, contractors, business partners	·      In-person meetings or phone calls ·      Open houses, town hall meetings ·      Ethics & compliance helpline ·      Website content ·      Corporate sustainability report ·      Facility tours ·      Print or social media

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics Sempra Energy interviewed stakeholders to gain their perspectives on current and emerging priorities.

What actions were taken by Sempra Energy to promote cybersecurity?

In its 2019 Corporate Sustainability Report Sempra Energy reports that it took the following actions for promoting cybersecurity:

• Establishing an information security team
• Sempra Energy’s information security team conducts regular penetration tests and analyses the results to improve existing controls and identify opportunities for improvement. Members of this team also participate in department staff meetings, safety stand downs and safety congresses to provide perspective and training on cybersecurity issues. Individual employees across the company support these efforts as “cybersecurity champions,” sharing relevant information with their teams.

• Implementing an information security awareness programme
• Sempra Energy’s information security awareness programme includes periodic communications, companywide events and campaigns, mandatory annual web-based training, facility-specific town hall events and a cross-business advocacy programme. Sempra Energy supports these efforts with articles, webpage communications and digital signage.

• Using an automated SPAM reporting button
• An automated SPAM reporting button in Microsoft Outlook allows easy one-click reporting of suspicious and unwanted emails. In fact, to keep this reporting option top-of-mind, Sempra Energy’s cybersecurity team utilises “fake” phishing attempts and sends congratulatory messages when employees take the correct action by clicking the SPAM button. Sempra’s 24/7 Information Security Operations Centre (SOC) also responds to reports of suspicious email. The SOC can pull a suspicious email from the enterprise, reducing the risk of infecting other users or devices.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

• Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
• Targets: 16.3, 16.10

 

78% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

7 GRI sustainability disclosures get you started

Any size business can start taking sustainability action

GRI, ISEP, CPD Certified Sustainability courses (2-5 days): Live Online or Classroom  (venue: London School of Economics)

• Exclusive FBRH template to begin reporting from day one
• Identify your most important impacts on the Environment, Economy and People
• Formulate in group exercises your plan for action. Begin taking solid, focused, all-round sustainability action ASAP. 
• Benchmarking methodology to set you on a path of continuous improvement

See upcoming training dates.
References:

1) This case study is based on published information by Sempra Energy, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to Sempra Energy: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.

What are the material issues the company has identified?

In its 2019 Sustainability Report SCB identified a range of material issues, such as corporate governance and risk management, customer experience, financial inclusion, responsible lending. Among these, promoting cyber security stands out as a key material issue for SCB.

Stakeholder engagement in accordance with the GRI Standards                        

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups SCB engages with: 

Stakeholder Group	Method of engagement
Customers	·      Customer relationship-building activity ·      Information sessions on SCB financial products and services ·      Providing financial advice and knowledge to customers through online media, branch network and other electronic channels ·      Customer satisfaction surveys through telephone, questionnaire and electronic channels ·      Complaint and service channels through Customer Centre, Branch network and SCB Easy app
Employees	·      Meetings and online channels for policy and news announcement ·      Employee meetings, seminars and CSR activities ·      Annual performance evaluation ·      Employment engagement survey ·      Employee development programme ·      Employee recognition programme ·      Employee hotline
Shareholders	·      Annual general meeting ·      Extraordinary general meeting ·      56-1 Report ·      Annual report (Form 56-2) ·      Press release ·      Quarterly financial report ·      Investor meeting/conference ·      Investor call ·      Equity analyst meeting ·      Global roadshow event
Society and Environment	·      Projects and initiatives by SCB and the Siam Commercial Bank Foundation ·      Community and social surveys ·      Community engagement activities
Regulators	·      Assign Compliance unit to serve as SCB’s regulatory liaison ·      Attend meetings and hearings on regulatory policies and guidance from relevant authorities ·      Attend forums on regulatory compliance ·      Seek feedback and guidance on regulatory compliance ·      Offer feedback on regulations through public hearings ·      Prepare and provide support for regulatory audit

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics SCB conducted in-depth interviews with selected groups of stakeholders to collect suggestions, feedback and information on economic, social and environmental material topics.

What actions were taken by SCB to promote cyber security?

In its 2019 Sustainability Report SCB reports that it took the following actions for promoting cyber security:

• Implementing an Information Security Policy
• Based on the Confidentiality-Integrity-Availability (CIA) triad, the SCB Financial Group Information Security Policy is communicated to all employees, including those in probationary periods and on temporary contracts, suppliers and consultants, from whom strict compliance is expected. The Policy also assigns the Audit Unit to perform an audit and make recommendations for further improving cyber security. SCB has adopted a proactive approach to cyber security by focusing on developing technology and processes for cyber threat detection, such as the Cybersecurity Threat Intelligent Surveillance system and machine learning technology to study the pattern of cyber-attacks, both internally and externally. This proactive approach enables SCB to assess the situation and be ready to respond and prevent potential losses. Additionally, for data storage with comparable effectiveness to on-premise storage, SCB uses Cloud Computing Technology to keep potential risk under its risk appetite level, to increase operational speed, and to lower the cost of maintaining the internal computer network and systems. Moreover, cyber security performance is regularly reported to senior management in a dashboard format. To be ready for an emergency situation and make sure that systems can be recovered back to normal service and operation in an appropriate timeframe, SCB has also established a policy and guideline for preparing an IT Contingency Plan, which is aligned with its Business Continuity Plan. This contingency plan defines processes, practices and the roles and responsibilities of the relevant business units in executing, testing, reviewing and revising the IT Contingency Plan according to the business context.

• Integrating cyber security into software development and operations
• In 2019, SCB upgraded its software development approach from DevOps to DevSecOps (Development Security Operations), whereby cyber security is integrated as part of SCB’s development and operations life cycle. This means that cyber security control measures are embedded throughout SCB’s software development life cycle to enhance the ability to create innovation and make further product and service improvements to deliver even greater speed, effectiveness, and security. Through this approach, SCB added security automation tools in the software development process to make security testing faster and more effective. The automation tools allow SCB’s software developers and system administrators to perform security testing on their own and detect any vulnerability after the software launch, receiving timely reports on potential problems.

• Building a data and cyber security culture
• In parallel with continuously investing in technology and developing cyber security systems that meet global standards, SCB is committed to building a data and cyber security culture for employees at every level. SCB uses work processes, training and internal communication to promote awareness on appropriate and secure data handling, data protection, cyber risk, and cyber threat prevention. Accordingly, SCB provides a data classification training course on its e-learning system to promote appropriate and secure data usage throughout the organisation and offers a cyber security course to senior executives which covers topics such as causes of cyber-attacks and impacts of cyber threats. Employees at all levels are also required to take the mandatory course on cyber security on the system which focuses on basic knowledge regarding data protection, on understanding the forms and impacts of cyber threats through simulation, and on how to prevent and report an incident. Throughout 2019, SCB organised “Don’t Let It Happen” activities to promote awareness on cyber threats, cyber risks, and data security protection with an emphasis on safeguarding the data of both customers and SCB and building awareness on risk behaviours that may cause damage to the business or SCB ‘s One of the highlights that attracted many participants was the “Cybersecurity Awareness Day 2019,” which featured talks by external experts regarding cyber security on topics such as knowing tricks of cyber criminals inside out, understanding data risk, and using personal information on social media.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

• Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
• Targets: 16.3, 16.10

 

78% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

7 GRI sustainability disclosures get you started

Any size business can start taking sustainability action

GRI, ISEP, CPD Certified Sustainability courses (2-5 days): Live Online or Classroom  (venue: London School of Economics)

• Exclusive FBRH template to begin reporting from day one
• Identify your most important impacts on the Environment, Economy and People
• Formulate in group exercises your plan for action. Begin taking solid, focused, all-round sustainability action ASAP. 
• Benchmarking methodology to set you on a path of continuous improvement

See upcoming training dates.
References:

1) This case study is based on published information by SCB, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to SCB: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.

What are the material issues the company has identified?

In its 2019 Sustainability Report MKB identified a range of material issues, such as customer satisfaction, increasing the accessibility of services, economic efficiency, professional development and training of employees. Among these, promoting information security stands out as a key material issue for MKB.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups MKB engages with:

Stakeholder Group	Method of engagement
Customers	·      Customer service, including development of the network of branch offices ·      Receiving queries ·      Remote banking service (mobile banking, contact centre, internet banking) ·      Information about bank products, reporting, availability of branch offices of the Bank, environmental plans and actions, and other important information as published on the MKB website (Russian or English version) ·      Analysis of customer satisfaction
Employees	·      Advanced training ·      Benefits package ·      Support and assistance in developing internal corporate sports clubs and events for the company employees ·      Participation in sports events, charitable, and other public and environmental events ·      Corporate portal ·      The hotline that allows sending complaints and queries to the members of the Audit and Risk Committee under the MKB Supervisory Board
Society	·      Participation in social and environmental projects of the Russian Government, other governmental bodies, and development of its own projects ·      Development of financial products for different categories of people ·      Support of small and medium business entities ·      Development of a regional network of offices and creation of additional jobs in the regions ·      Interaction with higher educational institutions, probation programmes, training
Shareholders and investors	·      Meetings of shareholders ·      Communication using different channels (including conference calls, meetings, correspondence via email, webcasts) ·      Disclosure of information important for shareholders and investors on the electronic page for investors (in Russian and English) ·      Publication of financial and nonfinancial reports
Counterparties and partners	·      A transparent competitive procurement system
Governmental bodies and regulators	·      Information disclosure and compliance with all legislative requirements in the field of banking activities ·      Participation in projects and work meetings on the improvement of laws in different areas (expert councils, work groups, round-table discussions, and other forms of communications) ·      Contribution to the development of regions with the extension of the regional network of presence
Mass media	·      Regular communications with the key media, prompt response to incoming questions ·      A high level of content mobility on the MKB website, in social networks, and other sources of communication

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics MKB engaged with its stakeholders through an interactive survey tool.

What actions were taken by MKB to promote information security?

In its 2019 Sustainability Report MKB reports that it took the following actions for promoting information security:

• Combating fraud
• MKB pursues a zero-tolerance policy toward illegal actions against its customers. For this purpose, MKB:
  • has implemented and maintains fraud monitoring processes for remote banking;
  • investigates any attempts of stealing funds from the bank’s customers;
  • interacts with the Bank of Russia and other credit institutions, communication service providers, and law enforcement agencies for the exchange of information about the actions of fraudsters and for the timely prevention of fraudulent activities;
  • implements the programme for enhanced protection of systems and data, which is reviewed annually and updated completely every three years.
• The above activities resulted in dozens of prevented attempts of stealing funds from legal entities and individuals, which saved them dozens of million rubles. The only loss by a legal entity because of the fraudster’s actions in the remote business education system (RBES) in 2019 amounted to RUB 3,000; the transaction was marked as suspicious but was additionally confirmed by the customer itself.

• Promoting cybersecurity
• MKB pays much attention to information security and resistance to cyber threats. The following biggest threats for MKB were identified within the frames of its information security strategy:
  • External attacks as a result of actions of hacker groups, which are aimed at stealing data or money via payment systems
  • Attacks aimed at customers and stealing customers’ funds via remote banking services
  • Fraudulent actions of the bank’s employees or counterparties, which may cause data leaks or thefts using authorised access to MKB’s information systems
  • Logical attacks at ATMs (use of special software for money disbursement without using cards and for debiting accounts) and payment terminals (use of special software to reload cards without cash)
• The following projects were initiated and successfully finished for the implementation of measures to prevent the materialisation of threats:
  • Implementation of the next generation firewall as a basic element of protection against external attacks
  • Implementation of a solution to counter targeted attacks made using malicious emails or malicious websites, which use 0-day vulnerabilities and are not detected by standard means of protection, for example, antivirus software (as a result of system operation, over 650 targeted attacked were repelled)
  • Implementation and development of the personnel training system simulating sending of malicious attachments and fishing links by hackers and appointing testing automatically if an employee opens such attachments or types a password to their account on the websites available at the fishing links
  • Development and implementation of an antifraud system to identify abnormal and illegal payments sent to the Bank of Russia or to the international data transfer and payment system SWIFT

• Identifying and eliminating vulnerabilities
• To minimise the probability of merely technical vulnerabilities typical of information systems and logical vulnerabilities affecting customer service processes and products, MKB started supporting the following processes in 2019:
  • External scanning of vulnerabilities; full coverage was reached for all 179 publications of MKB’s services on the web and external networks, scanning results are recognised by auditors as performed by the Approved Scanning Vendor as part of the PCI DSS (Payment Card Industry Data Security Standard) standard conformity audits.
  • A red team was set up—that is, a group of specialists with qualifications similar to hackers, whose main task is to conduct penetration tests and identify vulnerabilities through the eyes of hackers for the purpose of thorough identification of vulnerabilities that cannot be identified instrumentally.
  • The Information Security Department participates in, and controls, all tasks of IT development, including the following:
    • Analysis of business requirements
    • Analysis of technical assignments
    • Formation of a set of requirements for the implementation of security-by-design and security-by-default concepts for all services and products developed by MKB
    • Verification of the fulfilment of requirements before bringing the implemented tasks in action
    • Participation of red team specialists for the purpose of vulnerability analysis in any services published on the web and in any payment applications
  • External penetration tests organised by the internal audit are performed by specialised companies with highly proficient specialists.

• Responding to information security incidents in a timely manner
• To monitor and provide timely response to information security incidents, MKB has a security incidents response team. In 2019, the work of this team, operating as part of the Information Security Department, resulted in the creation of the monitoring system architecture, implementation of the subsystem of collection and primary analysis of incidents, implementation of the incident response platform, and automation of the formation of any incidents as tasks for the team members in the implemented platform. The ongoing processes are built so that the time from the attack to the analysis of the processes within the attack and to the termination of the attack usually does not exceed 4 hours.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

• Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
• Targets: 16.3, 16.10

 

78% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

7 GRI sustainability disclosures get you started

Any size business can start taking sustainability action

GRI, ISEP, CPD Certified Sustainability courses (2-5 days): Live Online or Classroom  (venue: London School of Economics)

• Exclusive FBRH template to begin reporting from day one
• Identify your most important impacts on the Environment, Economy and People
• Formulate in group exercises your plan for action. Begin taking solid, focused, all-round sustainability action ASAP. 
• Benchmarking methodology to set you on a path of continuous improvement

See upcoming training dates.
References:

1) This case study is based on published information by MKB, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to MKB: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.

What are the material issues the company has identified?

In its 2019 Sustainability Report Bank Muscat identified a range of material issues, such as customer relationship management, employee training and development, responsible investing, Anti-Money Laundering and Anti-Financing of Terrorism (AML and AFT). Among these, promoting cybersecurity stands out as a key material issue for Bank Muscat.

Stakeholder engagement in accordance with the GRI Standards             

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Bank Muscat engages with:                    

Stakeholder Group	Method of engagement
Employees	·       Annual performance reviews ·       Regular dialogue and interaction with employees ·       Training and education programmes ·       Grievance mechanism ·       Polls and survey
Customers	·       Call Centre Feedback Management System (FMS) ·       Company website ·       Focus groups ·       Customer networking events for specific customer segments ·       Branches and access points including ATMs and CDMs ·       Media and social media channels ·       Annual report and sustainability report ·       Other bank publications including investor presentations
Government (Including Regulatory Bodies)	·       Government Business Division ·       Investment in the national economy ·       Supporting initiatives of national importance
Correspondent / Other Banks / International Entities	·       Financial Institutions Group (FIG) ·       Company website and other publications ·       Roadshows and presentations
Shareholders/ Investors	·       Investor Relations Department ·       Shareholder meetings ·       Roadshows and presentations ·       Company website and other publications
Local, Regional & International Media	·       Media, social media and other publications ·       Press conferences ·       Media networking events

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics Bank Muscat engaged with its stakeholders through interviews and surveys.

What actions were taken by Bank Muscat to promote cybersecurity?

In its 2019 Sustainability Report Bank Muscat reports that it took the following actions for promoting cybersecurity:

• Identifying and addressing cybersecurity risks
• Bank Muscat continuously invests in maintaining and updating the systems and processes that are designed to ensure the security of the Bank’s computer systems, software, networks and other technology assets. Bank Muscat’s information/cybersecurity risk management function focuses on the following key aspects:
  • Cybersecurity incident response plans in order to implement effective management of cybersecurity incidents
  • Information security governance through security policies, procedures, guidelines and standards
  • Information security monitoring using the latest solutions and tools, including real time as well as fixed frequency monitoring
  • Implementing a robust security defence network as well as maintaining strong internal controls
  • Information security reviews comprising new and existing technologies, solutions, networks and also the various processes/ operations within each and every department of the Bank

• Improving cybersecurity measures
• In 2019, Bank Muscat partnered with the Information Technology Authority (ITA) to improve cybersecurity measures. The Bank took part in a series of cybersecurity events organised by the ITA, including the 8th Regional Cybersecurity Summit, FIRST & International Telecommunication Union Arab Regional Cyber Security Centre (ITU-ARCC), and the 7th Regional Cyber Drill. Bank Muscat also participated in the Cybersecurity Readiness drill, held under the theme “Intelligence of Malware” and organised by the National Computer Emergency Readiness Team (OCERT) to assess cybersecurity readiness in Organisation of Islamic Cooperation (OIC) countries.

• Launching an anti-fraud public awareness campaign
• In 2019, the Royal Oman Police (ROP) and Bank Muscat launched an anti-fraud public awareness campaign. The campaign focused on educating the community not to share their personal details or their banking/card details with anyone over the phone, and not to input them on links received through social media or messaging.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

• Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
• Targets: 16.3, 16.10

 

78% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

7 GRI sustainability disclosures get you started

Any size business can start taking sustainability action

GRI, ISEP, CPD Certified Sustainability courses (2-5 days): Live Online or Classroom  (venue: London School of Economics)

• Exclusive FBRH template to begin reporting from day one
• Identify your most important impacts on the Environment, Economy and People
• Formulate in group exercises your plan for action. Begin taking solid, focused, all-round sustainability action ASAP. 
• Benchmarking methodology to set you on a path of continuous improvement

See upcoming training dates.
References:

1) This case study is based on published information by Bank Muscat, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to Bank Muscat: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.

What are the material issues the company has identified?

In its 2020 ESG Report Wells Fargo identified a range of material issues, such as business ethics, climate risk management, community development, environmental and social due diligence, fair and responsible lending and pricing. Among these, promoting cybersecurity stands out as a key material issue for Wells Fargo.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Wells Fargo engages with: 

Stakeholder Group

Customers

Employees

Community members

Suppliers

Shareholders

Regulators

Media

Analysts

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics Wells Fargo interviewed internal and external stakeholders, including more than 30 Wells Fargo leaders and subject matter experts from across the company and members of its external Stakeholder Advisory Council. Wells Fargo also included content from stakeholders representing Wells Fargo customers, employees, ESG (Environmental, Social and Governance) investors, government, media, NGOs, and financial peers.

What actions were taken by Wells Fargo to promote cybersecurity?

In its 2020 ESG Report Wells Fargo reports that it took the following actions for promoting cybersecurity:

• Implementing the Information Security Programme
• Wells Fargo’s Information and Cyber Security (ICS) organisation aims to protect Wells Fargo systems, networks, and customer data through the design, execution, and oversight of its Information Security Programme (ISP). ICS is led by Wells Fargo’s chief information security officer, who reports to the head of Wells Fargo Technology. The Wells Fargo Board of Directors annually approves the ISP and is kept informed of the ongoing status of the programme. Wells Fargo organisations and employees, as well as vendors, nonemployees, and third parties with access to its systems or sensitive information, must adhere to the ISP’s policies, procedures, and requirements. Those requirements are designed to help make certain that information security risks are effectively identified, assessed, mitigated, and reported throughout Wells Fargo. The Wells Fargo ISP is designed to comply with applicable laws and regulations, and uses guidance from many industry best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the International Organization for Standardization (ISO) 27002 standard, the Payment Card Industry Data Security Standards, and COBIT 5.

• Increasing cybersecurity awareness
• From malicious software to phishing emails, cyberattacks on the internet have created an urgent need to increase Wells Fargo’s cybersecurity awareness. Wells Fargo’s ICS Cyber Threat Management team supports threat and vulnerability management, and intrusion detection policies. It also develops best practices based on an assessment of the internal and external threat landscape, and leads companywide efforts to reduce Wells Fargo’s exposure through continuous monitoring of several key information security control areas, including:
  • Management of security patches and security configurations
  • Condition and activity monitoring
  • Threat and vulnerability management
  • Patch management processes
• Wells Fargo’s defense strategy includes continuous monitoring, integrated risk management, identification of human risk factors, enhanced customer awareness, and external engagement on best practices. Wells Fargo prepares the enterprise for cyberattack scenarios through education, training and simulations, also conducting cyber exercises with other financial services companies and government agencies to help build a stronger, more secure environment for the entire industry. Effective data protection reduces Wells Fargo’s risk from incidents related to information theft, loss, or disclosure. Wells Fargo requires hard drive encryption on all laptops and also requires email encryption for all sensitive data. USB ports are locked down and only available for use with a company-approved encrypted thumb drive. Wells Fargo has also implemented data loss prevention technology across the enterprise to help identify or block the transmission or release of confidential customer information.

• Implementing a Third-Party Information Security Risk Management Programme
• Wells Fargo has an established Third-Party Information Security Risk Management Programme that reviews and assesses third parties prior to engagement and throughout the third-party relationship. The programme also requires periodic risk assessments to be carried out throughout the term of the engagement, the type of interval of which are driven by the risk associated with the engagement. In providing products and services to Wells Fargo, third parties and their employees are required to adhere to information security standards and requirements. These standards also apply to third parties located outside of the U.S. who have access to company and consumer information for purposes of delivering products or services to or on behalf of Wells Fargo. As part of this compliance obligation, Wells Fargo has contracts in place with third parties that include confidentiality language, nondisclosure obligations, and security provisions.

• Training employees to protect customer information
• Employees and contingent resources with access to Wells Fargo’s systems or customer information are required to complete annual training on customer information protection and Gramm Leach Bliley Act (GLBA) 501(b) compliance. They are also required to abide by Wells Fargo’s Code of Ethics and Business Conduct, including its provisions related to the treatment of confidential information. Wells Fargo regularly updates companywide training, policies, and information-handling standards to help employees understand their role in protecting customer information. Wells Fargo also performs employee background checks, which it also requires for nonemployees and third-party service providers who handle Wells Fargo’s customer information.

• Educating customers on digital security
• Wells Fargo encourages digitally active customers to protect their accounts by offering security options like two-factor authentication, biometrics, and the ability to turn debit cards on and off. Wells Fargo’s online security centre provides customers with resources to explore security options, spot scams, report fraud, and more. Wells Fargo also provides educational materials that encourage customers to create strong passwords, avoid suspicious links, keep their software updated, limit the personal information they share online, and use a screen lock on mobile devices.

• Protecting data in open banking environments
• With the growing number of apps designed to help customers lead healthier financial lives, there’s an increased chance that customers’ banking information can be accessed and used without their knowledge or permission. Wells Fargo believes it’s important to support its customers’ ability to use these apps to share their Wells Fargo account information in a seamless and more secure way. So far, Wells Fargo has reached data exchange agreements with at least 15 platforms, including Plaid and Intuit. This gives its customers greater control over the bank account information they share with supported apps, including the ability to turn data sharing on or off through Wells Fargo’s Control Tower℠ digital experience.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

• Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
• Targets: 16.3, 16.10

 

78% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

7 GRI sustainability disclosures get you started

Any size business can start taking sustainability action

GRI, ISEP, CPD Certified Sustainability courses (2-5 days): Live Online or Classroom  (venue: London School of Economics)

• Exclusive FBRH template to begin reporting from day one
• Identify your most important impacts on the Environment, Economy and People
• Formulate in group exercises your plan for action. Begin taking solid, focused, all-round sustainability action ASAP. 
• Benchmarking methodology to set you on a path of continuous improvement

See upcoming training dates.
References:

1) This case study is based on published information by Wells Fargo, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to Wells Fargo: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.

What are the material issues the company has identified?

In its 2019 Corporate Sustainability Report CAL identified a range of material issues, such as financial performance, flight safety management, climate change mitigation and adaptation, risk and crisis management, governance and integrity management. Among these, promoting cyber security stands out as a key material issue for CAL.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups CAL engages with: 

Stakeholder Group	Method of engagement
Employees	·      Labour-management meetings ·      Labour unions ·      Employee suggestion boxes ·      Employee feedback website ·      China Airlines newsletter ·      China Airlines Retirees Portal
Customers	·      Customer satisfaction survey ·      Global business meetings ·      Taiwan business meetings ·      Discussions with travel agencies ·      CAL’s website, CSR website, Facebook, e-mail, and text messages ·      Customer service hotline ·      Corporate customer visits
Investors	·      Shareholders’ meetings ·      Shareholder’s hotline / mailbox ·      Road shows ·      Interviews
Government	·      Missives ·      Visits ·      Participation in projects ·      Participation in public hearings, seminars, conferences, and negotiation forums ·      Participation in initiatives ·      Audits
Partners (Suppliers and Contractors)	·      Telephone ·      E-mail ·      Coordination meetings ·      Business visits ·      On-site audits
Community	·      Charity events ·      Community activities ·      News releases ·      Online mailbox
Media	·      News releases ·      Press conferences ·      Interviews ·      Active communication of industry information
Associations (including Aviation Organisations)	·      Participation in project meetings ·      Participation in work seminars ·      Organising or participating in summits, executive summits, committees, and coordination meetings ·      Participation in government-convened meetings ·      Telephone, e-mail, and exchange platforms

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics, CAL engaged with its stakeholders through 307 questionnaires.

What actions were taken by CAL to promote cyber security?

In its 2019 Corporate Sustainability Report CAL reports that it took the following actions for promoting cyber security:

• Carrying out regular evaluations and exercises
• In accordance with the Cyber Security Management Act regarding cyber security responsibility levels, CAL conducts risk assessment of information and information and communication systems every year, and evaluates the cyber security responsibility levels of the core information and communication systems with regard to confidentiality, integrity, availability, and compliance. CAL also developed a business continuity plan for the core information and communication systems and carries out a business continuity drill every year, to control relevant operational risks. Risk response mechanisms are also reviewed and adjusted to minimise potential losses.

• Providing cyber security training
• Each year, for CAL’s Cyber security and Information Technology personnel, at least 4 persons receive the cyber security professional programme training or the cyber security competence training for not less than 12 hours. For general user and officer, each person receives the general cyber security education training for not less than 3 hours. CAL requires every employee to take basic cyber security training to master cyber security risks and self-discipline and communicates cyber security policies and goals to all employees every year, through education and training, internal meetings, and announcements. CAL has also incorporated ethical corporate management into employee performance evaluations and human resources policies and established clear and effective rewards and disciplinary actions. Compliance with the Employee Code of Conduct is also a criterion used in annual performance evaluation. If employees do not comply with or violate the Employee Code of Conduct, they, depending upon the severity of the case, will have to undergo disciplinary action as per internal regulations. The Information Management Division carries out self-inspections and compliance self-assessments every half year, to effectively control cyber security. Audits are carried out by the audit unit independently, to ensure the overall mechanism operations.

• Implementing a cyber security incident notification and response mechanism
• CAL’s cyber security incident notification and response mechanism is initiated based on the level of cyber security incidents and emergency preparedness. Notification and response procedures are in place to control their impact and post-incident recovery. In this regard, CAL develops the security incident notification & contingency drill plan at the beginning of each year, and completes the internal cyber security exercise by the end of each year. Through cyber security exercises, CAL can evaluate the relevance of incident notification and response procedures and familiarise units in charge and support units with their roles and functions during rescue and equip them to respond to cyber security threats quickly and effectively, to minimise their impact on CAL’s customers and the company as a whole.

• Carrying out cyber security audits
• CAL’s Cyber Security Team conducts an internal audit at least once a year to make sure that all employees comply with the Cyber Security Management Act and CAL’s standard operating procedures, and effectively implement and maintain the management system. System reliability is constantly enhanced by refining security designs, including network regions, access control, vulnerability management, and other security protection strategies. In 2019, the Information Management Division reviewed the monitoring of data and warnings for cyber security threats detected by defence systems and found no cyber security threats by cyber-attacks or viruses.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standards addressed in this case are:

1) Disclosure 206-1 Legal actions for anti-competitive behavior, anti-trust, and monopoly practices

2) Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

 

Disclosure 206-1 Legal actions for anti-competitive behavior, anti-trust, and monopoly practices corresponds to:

• Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
• Targets: 16.3

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

• Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
• Targets: 16.3, 16.10

 

78% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

7 GRI sustainability disclosures get you started

Any size business can start taking sustainability action

GRI, ISEP, CPD Certified Sustainability courses (2-5 days): Live Online or Classroom  (venue: London School of Economics)

• Exclusive FBRH template to begin reporting from day one
• Identify your most important impacts on the Environment, Economy and People
• Formulate in group exercises your plan for action. Begin taking solid, focused, all-round sustainability action ASAP. 
• Benchmarking methodology to set you on a path of continuous improvement

See upcoming training dates.
References:

1) This case study is based on published information by CAL, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to CAL: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.

What are the material issues the company has identified?

In its 2018 Annual Sustainability Report USPS identified a range of material issues, such as customer service and satisfaction, optimising delivery and network operations, financial stability, employee health, safety and wellness. Among these, promoting cybersecurity stands out as a key material issue for USPS.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups USPS engages with:

Stakeholder Group

Employees

Customers

Suppliers

Industry groups

Non-profit associations

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics USPS engaged with its stakeholders (USPS customers) through focused surveys, with over 75 respondents providing input on the relative importance of sustainability topics.

What actions were taken by USPS to promote cybersecurity?

In its 2018 Annual Sustainability Report USPS reports that it took the following actions for promoting cybersecurity:

• Providing cybersecurity training
• During FY 2018 USPS’s CyberSafe at USPS team trained more than 220,000 employees and contractors on cybersecurity fundamentals. The team also engages employees using interactive touchpoints, including monthly phishing simulations to help employees recognise and report cyberscams. Related events include the Annual Cyber Security Awareness Fair at USPS’s national headquarters, which promotes best practices to employees and USPS contractors.

• Implementing the “Cyber Guardians” programme
• USPS also initiated the “Cyber Guardians” ambassador programme, empowering USPS field employees to serve as the eyes and ears of USPS’s cybersecurity programme. These individuals facilitate the exchange of critical cybersecurity information between the Corporate Information Security Office (CISO) organisation and co-workers within their local offices. By year end 2018, CISO had enlisted 55 Cyber Guardians across 19 states. 

• Raising cybersecurity awareness
• USPS’s CISO continues to promote its website, CyberSafe at USPS, which provides employees, customers and suppliers with information they need to stay safe online. Visitors can learn more about cybersecurity best practices, and how USPS safeguards their personal and financial information. Throughout the year, CyberSafe at USPS features content that raises awareness and promotes safe online behaviours on a range of topics, which include:
  • Texting scams involving bank notifications, IRS (Internal Revenue Service) notifications and contests.
  • Tech support scams that involve individuals impersonating information technology employees.
  • Risks from using public Wi-Fi in airports and coffee shops.
  • Risks of ransomware and other malware attacks through email attachments.
  • New “Report to CyberSafe” button in Outlook to make reporting suspicious emails easier.
  • Dangers and consequences of sharing user logins, passwords and accounts.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

• Sustainable Development Goal (SDG) 16: Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels
• Business theme: Compliance with laws and regulations, Protection of privacy

 

78% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

7 GRI sustainability disclosures get you started

Any size business can start taking sustainability action

GRI, ISEP, CPD Certified Sustainability courses (2-5 days): Live Online or Classroom  (venue: London School of Economics)

• Exclusive FBRH template to begin reporting from day one
• Identify your most important impacts on the Environment, Economy and People
• Formulate in group exercises your plan for action. Begin taking solid, focused, all-round sustainability action ASAP. 
• Benchmarking methodology to set you on a path of continuous improvement

See upcoming training dates.

 

References:

1) This case study is based on published information by USPS, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to USPS: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.

What are the material issues the company has identified?

In its 2018 Sustainability Review ANZ identified a range of material issues, such as fairness and ethical conduct, responsible business lending, financial system stability and regulation, climate change, labour rights end employee wellbeing. Among these, promoting cyber security stands out as a key material issue for ANZ.

Stakeholder engagement in accordance with the GRI Standards

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The organization should identify its stakeholders, and explain how it has responded to their reasonable expectations.”

Stakeholders must be consulted in the process s of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups ANZ engages with:

Stakeholder Group	Method of engagement
Customers	·      ‘Your Say’ Research Community online customer panel ·      Customer research and focus groups ·      ‘Voice of Customer’ platform ·      Customer Advocate Office ·      Complaints Resolution Centre ·      Social media ·      Australian Bankers’ Association (ABA) survey of trust in banks and banking industry reform program
Employees	·      ANZ Jam, a bank-wide digital conversation, engaging employees about ANZ’s purpose and values ·      ‘My Voice’ pulse survey of employee engagement ·      ‘ANZ Way’ People Leaders’ quarterly webcasts with CEO and Executive Committee members ·      ‘ANZ Way’ Podcast series ·      Direct communication and formal twice-yearly performance appraisals with line managers ·      ANZ intranet, MAX, a resource for employees to receive updates and information about developments and initiatives at ANZ ·      ANZ’s internal collaboration tool, MAX Connect, which connects ANZ’s people in real-time ·      Meetings with the unions representing ANZ employees, including the Finance Sector Union of Australia and FIRST Union in New Zealand ·      ABA survey of employees about trust in banks and banking industry reform program
Shareholders	·      Results briefings ·      Strategy briefings and other market updates ·      Annual General Meeting ·      Disclosure documents, including results announcements, investor presentations, annual reports and other ASX lodgements ·      Electronic communications and webcasts ·      Dedicated ANZ shareholder website
Government and regulators	·      Regular meetings with political stakeholders, officials and regulators by ANZ’s CEO and senior executives ·      Submissions to parliamentary committee inquiries and other government and regulatory consultations ·      Participation in industry engagement and forums ·      Meetings with trade negotiators regarding free trade agreements ·      Providing information and technical advice on international practices to regulators in developing countries ·      Meetings with departmental representatives responsible for implementation of programs aligned with or co-funded by ANZ
Industry associations	·      Participated in the development and implementation of the industry consumer protection reform program in Australia ·      Participated in industry discussions about sector issues and broad industry strategy ·      Participated on the Business Council of Australia’s (BCA) climate change policy working group ·      Provided input into industry association responses to parliamentary inquiries and government consultations
Non-government organisations (NGOs)	·      Direct engagement with relevant human rights, consumer and environment NGOs and academics ·      Regular engagement with peak bodies for professional community services such as financial counselling ·      Regular partnership meetings with community organisations delivering MoneyMinded, Saver Plus and MoneyBusiness programs ·      Engagement with NGOs providing oversight of key social commitments such as ANZ’s Reconciliation Action Plan, Accessibility and Inclusion Plan and Financial Inclusion Action Plan ·      A regular program of CEO and senior executive meetings with civil society leaders to exchange ideas and discuss material social, economic and environmental issues of mutual interest ·      Consultation with a wide variety of external stakeholders to refine ANZ’s approach to its purpose and with particular focus on financial wellbeing, environmental sustainability and housing ·      External steering committees for flagship programs and research related to financial capability and wellbeing

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics ANZ conducted a survey among both internal and external stakeholders, who ranked material topics according to their importance, and also carried out one-on-one interviews with 29 stakeholders who informed its understanding of the current and future context of each topic.

What actions were taken by ANZ to promote cyber security?

In its 2018 Sustainability Review ANZ reports that it took the following actions for promoting cyber security:

• Raising cyber awareness among customers and employees
• In response to the rapid increase in cybercrime, ANZ implemented, in 2018, a range of initiatives to raise the cyber security awareness of both its customers and employees, which included the following:
  • the introduction of ‘TECH Talks’, facilitated by employees within ANZ’s Australian branch network, where cyber security and technology related topics are discussed with customers;
  • presentations to small business, corporate and commercial customers carried out by regional and local bankers as part of a wider series of client engagement sessions;
  • in-application pop-up cyber security messages in the Wholesale Digital Transactive banking platform, which customers must acknowledge before being able to proceed;
  • the launch of a new cyber security alert page on anz.com, providing examples of the latest cyber threats that could impact customers;
  • the commencement of a ‘Change Champion’ Cyber Security Ambassador Programme within the New Zealand and Australian Operations teams to improve cyber security capabilities among employees, while also acting as an advocate for cyber security within their respective areas;
  • the implementation of an internal phishing email ‘triage service’ (suspicious email sorting capability) to ensure a timely response to potential cyber attacks on ANZ;
  • the establishment of an executive education programme to improve cyber knowledge;
  • the development of ANZ’s new cyber security campaign to raise awareness on simple steps customers and employees can take to protect their virtual valuables.

• Participating in industry collaborations to address the skills shortage in cyber security
• During 2018, ANZ participated in various industry collaborations to help alleviate the skills shortage in cyber security and to support a cyber-smart community. These included:
  • a partnership with Deakin University to sponsor graduate roles into ANZ’s Security Domain to address resourcing gaps, while developing talent;
  • a leadership role through the Australia Women in Security Network (AWSN), which aims to increase the number of women in cyber security across Australia;
  • delivering a research programme to investigate human susceptibility to phishing emails in conjunction with Data61, CSIRO’s (Commonwealth Scientific and Industrial Research Organisation) data, technology and innovation industry body;
  • a partnership with the Australian Computer Academy (Sydney University), ANZ’s Australian banking peers, British Telecom and Aust Cyber (a not-for-profit organisation promoting Australian cyber security industry and innovation) to write the cyber security content for the national digital curriculum for Australian high schools (Years 7–10);
  • collaboration across industry and government to deliver content for Safer Internet Day, National Scams Awareness week, Stay Smart Online week and International Cyber Security month.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed? 

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

 

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

• Sustainable Development Goal (SDG) 16: Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels
• Business theme: Compliance with laws and regulations, Protection of privacy

 

78% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

7 GRI sustainability disclosures get you started

Any size business can start taking sustainability action

GRI, ISEP, CPD Certified Sustainability courses (2-5 days): Live Online or Classroom  (venue: London School of Economics)

• Exclusive FBRH template to begin reporting from day one
• Identify your most important impacts on the Environment, Economy and People
• Formulate in group exercises your plan for action. Begin taking solid, focused, all-round sustainability action ASAP. 
• Benchmarking methodology to set you on a path of continuous improvement

See upcoming training dates.

 

References:

1) This case study is based on published information by ANZ, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to ANZ: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.