Crane Capital Risk & Compliance Training 2025

Questions and Answers

What is one of the criteria for incident closing when reported to WSIB?

  • Conducting employee surveys
  • Preparation of a financial summary report
  • Completion of all internal audits
  • Meeting with WSIB’s Director of Operations (correct)

Which of the following is crucial for incident closure?

  • Internal control verification and completion of tasks (correct)
  • Notification of all stakeholders
  • Public announcement of the incident
  • Incident report submission only

What is emphasized for effective communication with stakeholders after an incident?

  • Uniform communication for all stakeholders
  • No communication required until the incident is resolved
  • Tailored communication plans for different stakeholders (correct)
  • Only formal communication with external parties

What should be completed before considering incident closure?

  • Completion of a post-incident review (C)

What role does the Investment Operational Due Diligence Officer play in the incident closing process?

  • They attend the closure meeting with WSIB. (D)

What does the policy prohibit in relation to hospitality during a tender?

  • Offering gifts to gain influence (A)

Which situation is considered inappropriate according to the prevention measures?

  • Hospitality exceeding established thresholds (D)

What is required for gift purchases according to the Travel & Expense Reimbursement Policy?

  • Gifts must be submitted through Concur and approved (C)

Which of the following practices is prohibited under Crane Capital's bribery and corruption policies?

  • Making donations to political organizations (A)
  • Providing gifts to foreign public officials (D)

What action should be taken if a potential bribe is identified?

  • Report it according to the Whistleblowing Policy (A)

According to the provided information, which of these roles are specifically mentioned in the escalation process for red flags noted during due diligence?

  • Operations Director and Risk & Compliance (C)

Which of the following is NOT explicitly mentioned as a step in the due diligence process for suppliers/vendors?

  • Red Flag Escalation (D)

What is the purpose of a Non-Disclosure Agreement (NDA) in the context of the provided information?

  • To protect confidential information shared between the parties (B)

According to the information provided, what is the primary responsibility of 'Third Party Risk Rating and Due Diligence'?

  • To assess the risks associated with engaging third parties and ensure their suitability (C)

What does the phrase 'prior to engagement of third party' signify in the context of the provided information?

  • All necessary approvals and documentation should be finalized before engaging with a third party (A)

What level of severity is indicated by an uncontained incident impacting multiple countries?

  • Level 2 - ORANGE (B)

Which of the following responsibilities does the Crisis Management Team (CMT) hold?

  • Ensure Crane Capital can continue operating during a crisis (D)

In a Level 3 - YELLOW incident, what is primarily impacted?

  • A single site or location (C)

Which member is listed as the CMT Lead for Crane Capital?

  • Ricky Lau (B)

What level indicates a moderate risk requiring external agency responses?

  • Level 2 - ORANGE (B)

Which of the following is NOT a responsibility of the CMT?

  • Keeping the company informed about external threats (D)

What defines Level 2 - ORANGE incidents?

  • Moderate risk to life, reputation, or operations (C)

What is indicated by a Level 3 - YELLOW incident?

  • Contained incidents with controls in place (D)

What is the primary goal of Business Continuity Planning?

  • To ensure operations continue during and after a crisis (B)

What does Disaster Recovery primarily involve?

  • Restoring IT infrastructure and data access after a disaster (A)

Which team is primarily responsible for Communication with Clients during a crisis?

  • Investment (C)

What is an example of an alternate recovery strategy for IT equipment?

  • Contact managed service provider. (A)

How is a Level 1 RED crisis classified?

  • Wide-scale threat to life, reputation or operations (B)

What does Crisis Management primarily focus on?

  • Responding to unexpected events to minimize impact (C)

What is an important aspect of a Recovery Strategy?

  • Establishing a detailed communications plan (C)

In the context of Business Continuity, where does the Accounting/Finance team typically operate during a crisis?

  • At home (B)

What is a key factor in restoring internet connectivity after a disaster?

  • Collaborating with internet service providers (A)

Which of the following is NOT a focus of Business Continuity Planning?

  • Responding to customer complaints (D)

Which of the following methods is NOT mentioned as a way criminals can manipulate property values to avoid scrutiny?

  • Using funds generated illegally overseas to conceal from authorities in their home jurisdiction (B)

What is a common method criminals use to distance themselves from the property they own?

  • Using shell companies, trusts, and company structures (A)

Which of these actions is NOT necessarily a red flag for possible criminal activity?

  • Making renovations and improvements to a property (D)

What is a reason criminals might structure cash deposits in multiple smaller transactions?

  • To avoid triggering transaction reports and detection by authorities (B)

Which of the following is a method criminals might use to cover up the source of their illicit funds?

  • Using rental income to legitimize illicit funds (D)

What is the maximum amount an employee can spend on a gift without requiring approval?

  • US$100 (B)

What is a requirement for an employee to make a gift expenditure?

  • The recipient company must be listed in the gift request (A)

Which of these is stated as a requirement for gifts exceeding US$100?

  • A valid explanation must be provided (D)

Flashcards

Non-disclosure agreement (NDA)

A legal contract preventing sharing of confidential information.

Contractors/Sub-Contractors

Entities or individuals contracted to provide services or products.

Due diligence procedures

Investigative process to assess risks before engaging third parties.

Red flags in due diligence

Warning signs indicating potential issues with a third party.

Third Party Risk Rating

Assessment measure to evaluate potential risks from external vendors.

Undue Influence

Attempting to manipulate decisions through gifts or hospitality.

Bribery Prevention Policies

Guidelines to avoid gifts or donations perceived as bribery.

Gift Approval Process

A requirement for approving gifts through management before purchasing.

Red Flags

Warnings that indicate potential unethical or illegal actions.

Whistleblower Protection

Safeguards for individuals reporting unethical behavior.

Incident Closing Criteria

Requirements that must be fulfilled before closing an incident, including reporting and investigation.

Incident Report Submission

The formal process of documenting an incident for review and analysis.

Communication Plans

Strategies to inform internal and external stakeholders about an incident.

Post Incident Review

A process to analyze the incident and implement corrective actions after it occurs.

Corrective Action Verification

Ensuring that changes made after an incident are effective and address the root cause.

Undisclosed cash payments

Payments made in cash that are not reported to authorities.

Structuring cash deposits

Breaking down large deposits into smaller amounts to avoid detection.

Legitimizing illicit funds

Using legitimate sources, like rental income, to mask illegal money.

Shell companies

Fictitious companies used to hide true ownership of assets.

Overseas investment

Foreign criminals buying properties to hide illicit gains from their home countries.

Gifts Declaration

A process to request and approve gifts in business exceeding $100.

Value cap on gifts

Gifts must be below $100 unless justified and approved.

Listing recipient details

The need to specify names and amounts for each gift in a request.

Level 2 - ORANGE

Moderate risk, impacting one or more offices/sites, may need external agency response.

Level 3 - YELLOW

Low risk, impacts a single location, may not require external response, contained incident.

Crisis Management Team (CMT)

Group responsible for ensuring operations continue during and after a crisis.

CMT Responsibilities

Coordinate response to disruptions and plan for uninterrupted business operations.

External Agencies

Organizations outside of Crane Capital that may assist during a crisis.

Contingency Planning

Planning for continued operations during crises or unexpected disruptions.

CMT Members

Key individuals from Crane Capital designated to manage crisis responses.

Incident Impact

The effect of a crisis on operations, reputation, or life.

Business Continuity Planning

Ensures operations continue during and after a crisis.

Disaster Recovery

Restores IT infrastructure and data after a disaster.

Crisis Management

Responding effectively to minimize damage during crises.

Crisis Classifications

Levels of threat assessment during a crisis.

Level 1: RED

An imminent, wide-scale threat to life or operations.

Office Premise Compromise Strategy

Work from home or alternative location if the office is unsafe.

Information Service Team

Responsible for IT support and services.

Communication with Clients

Investment team handles client communication during a crisis.

Data Restoration Process

Steps taken to restore data after loss due to disasters.

Human Resources Recovery

Ensures HR processes continue during a crisis.

Study Notes

Crane Capital Risk & Compliance Training - February 2025

  • Training Focus: 2025 Crane Capital's key risk and compliance focus

  • Agenda Topics:

    • Policies, Procedures, and Guidelines
    • Third-Party Risk Management Program
    • Anti-Fraud, Corruption, Money Laundering, and Terrorism Financing
    • Data Privacy and Cybersecurity Hygiene
    • Business Continuity and Crisis Management
    • Incident Reporting
    • Quiz
    • Closing Remarks

2025 Crane's Key Risk & Compliance Focus

  • Focus Areas:
    • Reinforce Compliance Commitment
    • Foster a Culture of Accountability
    • Strengthen Internal Controls
    • Adapt to Evolving Risks
    • Enhance Crisis Management and Resilience
    • Cybersecurity and Data Protection

Third-Party Risk Management (TPRM) - Lifecycle

  • Stages: Onboarding, Ongoing, Offboarding
  • Components: Risk Assessment and Due Diligence, Procurement and Sourcing, Vendor Creation, Vendor Maintenance (Governance), Vendor Monitoring, Oversight and Accountability, Documentation and Reporting, Independent Review, Termination, Exit Strategy, Third-Party Closure

Third-Party Risk Management (TPRM) - Workflow

  • Processes: Identification of Third Parties, Assessment, Due Diligence, Policies and Procedures, Tools (outsourcing policy, materiality assessment, procurement policy, vendor management policy, due diligence questionnaire, etc.), Other Compliance Requirements, Supplier Code of Conduct Letter of Commitment, Procurement Request Form

Money Laundering Red Flags

  • Use of Third Parties: Using a friend or family member to purchase property on behalf of the owner, settling differences with undisclosed cash payments, and using multiple banks for deposits to avoid transaction limits
  • Manipulation of Property Values: Buying and selling property at a price exceeding or falling below market value
  • Use of Illicit Funds: Paying for unneeded renovations and improvements
  • Shell Companies/Trusts: Using shell companies or trusts to disguise ownership

Real Estate – Prime Target for Money Laundering

  • Reasons for Attractiveness: Ease of cash transactions, stability, and reliability as investment, and the ability to improve property value
  • Targeting of Regions: Regions with opaque real estate markets and limited regulatory oversight

Gifts Declaration

  • Gift Policy: Gifts to external parties must be under US$100. Any exceeding US$100 requires a valid reason stated in the request and approved by the Managing Partner.
  • Company Recipient Specification: Recipient company must be specified in the gift request. If gifts are to individuals within the company, individual names and gift amounts need listing.
  • Restrictions:
    • Offering gifts or hospitality may be seen as influence-seeking.
    • Gifts/hospitality offered during tenders or contract renewals to foreign officials.
    • Gifts exceeding company thresholds.
    • Using vouchers/discounts to circumvent rules
    • Donations or sponsorships may appear as undisclosed bribes.
    • Actions disregarding red flags.
    • Actions that are inappropriate in nature.
    • Actions taken during pending business decisions.
    • Violations of laws or regulations
  • Prohibited Activities: Crane Capital does not support charitable or political donations.

Prevention Measures

  • Fraud Prevention: Information Technology Policy Framework and Procedures, Multifactor Authentication, Biometric authentication, Segregation of Duties, Invoice and Cash Management, Whistleblowing Policy, Whistleblower Protection
  • Bribery & Corruption Prevention: Policies for gift allowance, zero tolerance for bribery, due diligence screening for adverse news reports, anti-fraud, corruption, money laundering, and terrorism financing policy and global compliance regulations

Key Fraud, Bribery, Corruption, AML/CFT Cases of 2024

  • Evergrande: China property giant and its founder accused of $78bn fraud
  • MAS: Imposes composition penalty of S$2.5M on Swiss-Asia for AML/CFT breaches
  • TD Bank: Hit with record $3 billion fine over drug cartel money laundering
  • UK Engineering Firm Arup: Victim of a £20 million deepfake scam
  • Deepfake Elon Musk: AI-generated scams contributing to billions in fraud

Cybersecurity Hygiene

  • Problems: Weak passwords, ignoring updates, clicking on suspicious links, not backing up data, and sharing too much online.
  • Solutions: Regular software updates, strong passwords, phishing awareness, secure Wi-Fi practices, system & network security, regular patching, secure third-party access, monitoring

Business Continuity

  • Business Continuity Planning: Ensure Crane Capital can continue operating during and after a crisis, plans for uninterrupted business operations
  • Disaster Recovery: Process of restoring IT infrastructure and data access, reestablish access to applications and data quickly
  • Crisis Management Response: Focus on responding effectively to unexpected events

Crisis Management Team (CMT)

  • Responsibilities: Ensuring continued operations, responding to disruptions, allocating resources, providing updates to the board, coordinating crisis-related tasks, implementing communication plans with stakeholders

Information Security Incidents

  • Types: Unauthorized disclosure of sensitive information, theft/loss of devices, virus/malware outbreaks, denial-of-service attacks, unauthorized access to systems/data, compromised user accounts from phishing attempts by criminals.
  • Reporting Process: Report to the Crisis Management Team (CMT)

Incident Reporting

  • Key Elements: Incident Types (fraud, theft, cyber threats, operational disruptions, financial reporting irregularities, etc.), Response Strategy (timely notification to CMT, investigation, validation, communication to WSIB), Incident Notification Process (who, when, where, why, how data received, how reported to CMT), Incident Investigation, Reporting (escalation process, reports to WSIB), Incident Closing and Follow-Up

Data Protection Principles

  • Data Protection: Technologies, processes, practices for data availability
  • Data Security: Protecting data from theft, corruption, unauthorized access throughout its lifecycle
  • Data Privacy: Ensuring data users and sources understand data collection, usage, management, and monetization of sensitive data.
  • Data Minimisation: Only the necessary data is collected.
  • Principle of Least Privilege: Only authorized users get necessary access, reducing compromise risks
  • Data Classification: Categorizing data based on sensitivity (personal, work, protected, confidential, highly confidential) for prevention
  • Encryption: Protecting data using encryption techniques

Closing Remarks

  • Reduce Risk: Reduce likelihood of misconduct, regulatory violations, and reputational harm
  • Promote Ethical Culture: Foster a workplace culture of integrity, honesty, and transparency.
  • Employee Engagement: Engage employees in ethics and compliance, making them more likely to act responsibly.
