Industry Insight No. 9: Ethics in the construction industry part 2
This article was first published on Lexis®PSL Construction on 22 June 2016
Construction analysis: Sarah Schütte of Schutte Consulting Limited sets out the final five of her ten industry ethics issues for construction professionals, looking at the Corruption Perceptions Index (CPI), cyber attacks and ransomware, the security risks of building information modelling (BIM), employee fraud, and the importance of a robust compliance programme.
In May 2016, in part 1 of my ethics roundup, I set out topics 1–5 of my top ten current industry ethics issues for industry professionals. This article sets out topics 6–10. As I did last month, I also suggest practical tips on how those working in procurement, compliance, risk and legal can navigate through this challenging and sensitive territory.
6. Independent global analysis—the CPI by Transparency International
This annual survey has been conducted since 1995, so it celebrated its thirtieth anniversary in 2015. Transparency International is an independent organisation and its CPI is a tool for readily seeing the current corruption status of certain countries. The CPI map makes fascinating reading and there are always surprises as to which countries climb or fall down the league table. The UK is currently ranked tenth, according to the 2015 survey, and has steadily climbed up the rankings during the past few years. This may be in part due to its strong legal compliance framework (see the opening comments to Industry Insight—ethics in the construction industry part 1, especially the series of measures introduced since the financial crisis of 2008–09, for example the Bribery Act 2010).
UK-based organisations with international operations should be particularly alert to ethical issues and adapt their anticorruption programmes accordingly. In my experience, a programme which is fluid and flexible, but with a clear structure for managers and employees to implement and follow, together with regular refresher training to keep up to date and guard against complacency, is the best way to keep abreast of the markets in which your organisation operates. Organisations need to be ready to react appropriately, whether this be extra resource into, or withdrawal from, the particular national market.
Notes for construction professionals:
• read the CPI report and bookmark the website, as it provides useful information on each country
• ensure your anticorruption processes are fit for purpose by reflecting the markets and jurisdictions in which your organisation operates
• subscribe to a more detailed information service if a sizeable proportion of income comes from non-UK and non-EU/EEA activities, and/or if income derives from markets which are new or untested for the organisation
• ensure training is up to date, so that employees working in or around these jurisdictions are up to speed on the latest trends, and so that you, as the employer, secure their safety in exercising their employee functions
7. Cyber threats and ransomware
Cyber attacks are on the increase and are increasingly sophisticated. Of all the different forms which cyber attacks take, ransomware (ie cyber blackmail malware) attacks are on an upward trend and now represent the biggest cybersecurity threat to businesses, according to hot-off-the-press expert analysis by Kaspersky Lab (Quarter 1 2016 report, May 2016). Ransomware has overtaken targeted attacks (ie those aimed at individual businesses) as the biggest type of cyber attack (Kaspersky counted 228 million attacks across 195 countries during Q1 2016). The most serious recent ransomware attack caused the Ukrainian power distribution system to go down. Prior to this, the attacks on Ashley Madison (US, July 2015), Sony Pictures (US, July 2014), TalkTalk (UK, October 2015) and Code Spaces (UK, June 2014) were the most prominent. In the Code Spaces case, the attack caused the company to become insolvent and stop trading.
Clearly, security of organisations and their operations is essential. I am especially concerned about public infrastructure because:
• historically there has been a lack of investment into owner (public sector) IT systems
• the owner and operator are often not the same organisation, so there are naturally gaps in processes and therefore vulnerability
• the essence of infrastructure is that it is vital and society cannot operate meaningfully without it
• there may be no ‘plan B’—if a sewer system goes down, there is no alternative (there is often, however, a secondary, temporary, power system)
• contingency planning, although better since the London Underground attacks in 2005, is still rarely a dedicated discipline within risk management with appropriate funding
IT chiefs in 2016 are happily reporting an increase in their budgets to tackle cyber security problems, but, to my mind, investment is better made at the ‘front end’ (ie prevention of attack and security/integrity of systems, including employee training, and development and implementation of protocols on use of portable data devices (ie USB sticks, Bring Your Own Device)), rather than the ‘back end’ (ie reacting to an attack).
Notes for construction professionals:
• ensure that IT budgets are reflective of the increased responsibility and vigilance of the IT department, and the likely impact of a cyber attack. It will happen sooner or later to most organisations—around two-thirds have been targeted, according to recent UK government research
• the UK desperately needs more experts in coding to look after organisations and help to prevent attacks—look after your in-house experts
• make risk management and IT more coordinated on cyber security matters
• insurance has a place because of the significant impact on business operations and costs consequences of an attack—it is still a developing industry but there are specialist brokers who can advise you on suitable products and strategies
8. Cyber security and BIM
Around the world, the construction and engineering industry has to get to grips with BIM and then develop and implement BIM systems. A BIM system is one which generates and manages digital representations of physical and functional characteristics of buildings. It is a tool for understanding how a building is constructed, where systems are and how they integrate and operate. BIM is effected via a 3D model on a computer. The most sophisticated modelling can zoom in on individual components of a building or system, and can be viewed from a 360 degree angle. One smartphone app I have experimented with uses Qcard technology to turn 2D drawings into a 3D model.
The UK government’s 1 April 2016 mandate, requiring all public projects to be BIM Level 2 compliant, brings BIM to the top of the industry’s agenda. Many other countries are also wrestling with BIM. The technology is mind-blowing, and there will be many benefits to the operation and maintenance (function, longevity of component life (whole life cost) etc). But the flip side of knowing all this information is also its weakness—the system in which the information is held, accessed and distributed. Legal liability is unknown, and a minefield at this stage. I foresee, and am concerned about, the potential for BIM systems to be exploited or targeted by cyberthieves, although talking to clients and contacts anecdotally, no-one seems to be particularly worried right now. I think they are still trying to work out what BIM Level 2 is all about.
Notes for construction professionals:
• If you work on public projects, you need to be up to speed on BIM, whatever your discipline and whether a user or not—invest in specialist training if you don’t feel confident—the projects leading the field are public ones
• If you only work in the private sector, it is still a good idea to have some knowledge about BIM, because it is only a matter of time before its principles become mainstream
• Risk management should work with technical teams on using BIM, for example developing a protocol for storage of information (data), controls on backup, distribution and sharing, with focus on damage limitation
• If you are responsible for insurance in a business using BIM, take advice from your broker on your professional indemnity cover
9. Employee fraud
Research shows that around one in five UK employees has defrauded his or her employer at some point. Given that the basis of employment is not only technical skill, but also trustworthiness to represent and promote the business, this is a sensitive ethical area. Small and medium-sized enterprises are particularly impacted, as employee fraud stifles growth and can directly affect their viability. Employee fraud can range from small-scale expenses dishonesty to large or systematic data or intellectual property theft (eg from a customer contacts database). Rather than put employees under Kafkaesque surveillance in the hope of stamping it out (which is an option, but won’t really work in the long term), organisations should do what they can to manage the risk of employee fraud.
Notes for construction professionals:
• Undertake thorough pre-employment checks, including checking public databases containing details of prosecutions, fines, judgments etc, which is a necessary step but seldom reveals concrete evidence of fraudulent behaviour—HR should always contact the named referees provided, by telephone and in writing
• HR professionals could usefully work with risk management on processes for upholding ethical standards and minimising fraud
• Implement a strong internal audit function and undertake regular spot checks of expenses claimed by persons at all levels of the organisation
• Impose a limit on the size of an electronic file which can be transferred, so a series of emails will flag up on the IT security system and can be swiftly stopped and investigated
• Invest in employees—offer regular (compulsory) training in ethical behaviour to instil a culture of honesty and integrity, and make the link between employee fraud and company health (and wealth)
10. Importance of compliance programmes
My number ten pulls together all this month’s and last month’s analysis (see Industry Insight—ethics in the construction industry part 1). Every organisation should prioritise the development, implementation and maintenance of robust anticorruption compliance programmes in order to safeguard company health and wealth, and therefore value to shareholders, stakeholders and investors, whether they be the private sector or the public taxpayer, with operations solely in the UK or more widely.
There is big news (and bad PR) for the industry in data leaks, whistleblowing and substantial fines and prison sentences for violations of anticorruption laws, as well as the effect on individuals. Transparent procedures and employee training both tie into making a compliance programme effective, but they cannot be effective without strong leadership and role models at the top, plus robust independent governance overseeing the C-suite executives. In other words, everyone should play their own, small, part in eradicating corruption and unethical practices.