22:52 | Tom Scampion
Well, it's a good question. I think there's a natural sequence of events here. The first thing to
do is to determine a policy. So, I think that any organization in any industry, the first thing you
do is you determine what's your policy, because into your policy, you'll be able to say, "what is
my risk appetite?", against which you'll then be able to assess whether or not the business
that you're doing is inside or outside of your risk appetite. Then you can look at the
effectiveness of your controls and you can decide, "Ok, I'm where I need to be or I'm not", and
you can make changes. But I think being deliberate is really important.
So, for example, let's say you're a telco. You will then have a number of customers and you
can make a call, not just a legal call, there'll be regulatory requirements, of course, but you can
make a call as to whether you wish to have businesses, customers that are in any way
connected to the sanctioned entities. And you can go through the classic sanction screening
approach to understand the nature of these folks and decide whether or not they're people
that you want to have as your business, as your customers. But I think the first thing that you
really need to be focusing on is what is your policy, what is the position you wish to take?
Because, actually, you could argue some of the restrictions are very much manageable for the
non-financial institutions, but there could be consequences elsewhere, especially if you are
perceived to be transferring value, which some of the, for example, telco organizations would
be doing.
So, I think be deliberate, have a policy, set a risk appetite, and then look at the effectiveness of
that risk appetite being controlled through your different business operations, your customers,
your supply chain, your investors and so on. That would be my immediate reaction to that
question.
24:39 | William Lewis
Great, ok, well, you more than answered Fahad's question, so thank you. Wendy, can I just
come back to you then, just on the Asian perspective? So, for businesses this must be very
difficult if you've got different rules in different territories, you're a global enterprise, which
rules rule? I remember it being Singapore in the old days, but who do we look to never break
their rules and worry less about others?
25:12 | Wendy Wysong
Obviously, you know, you never break anybody's rules. There's a calculation that you have to
make. And, I want to go back a second with Tom's question with the screening and making
sure that you've got all of your folks, you know who your customers are, you know who has
access to your data, you know all of that.
The other thing is you have to consider who all of your business partners are. You know, you
may think that you don't have any connections and that you're safe, but if you can't get your
business partners to allow you to do your business, your banks might not have the same risk
appetite you've got. Your supply chain, your logistics providers, all of those folks, you've got to
consider what the practical impact is even though you're insulated. You have to think about
how are you actually going to be able to do the business that you're entitled to do.
And then in terms of figuring out, you know, if you have to make a choice, if you have to figure
out, do I go with the Western sanctions? Am I more concerned about blocking statutes and all
of that? Obviously, the United States has a long history of enforcement. And so, you need to