The mining company’s former global head of compliance speaks about the risk management challenges when four staff in Asia ended up in prison

The major risk management implications of an espionage case that rocked Asia have been outlined by the firm's former compliance chief.

The Rio Tinto espionage case first came to light in 2009 and involved four staff members of the mining company who were accused of bribery and espionage. They included Australian Stern Hu and three Chinese colleagues from the Shanghai office - Wang Yong, Ge Minqiang and Liu Caikui. 

In March 2010, the four employees were convicted of accepting bribes totalling about AU$14 million and stealing trade secrets.

Hu was sentenced to 10 years in prison and his Chinese colleagues were given jail terms of 14, eight and seven years.

Speaking at the 3rd Regulatory Summit in Sydney this week, Neville Tiffen, who was global head of compliance at Rio Tinto during the incident, outlined the key risk management considerations that arose from the situation.

“The arrest and eventual conviction in China had an enormous impact on the company,” says Tiffen, who now runs his own consultancy Neville Tiffen & Associates.

“When we first heard about the detention [of the employees] I was scurrying around to find family trust trading records, so we had no idea that it was about bribery and commercial information.

“As it was commercial information we made some very strong statements about supporting our people [at first].”

But Tiffen says as time progressed, media reports suggested it was Rio Tinto that was paying the bribes to the four employees.

“As it was, it was the employees receiving bribes as well as alleged misuse of commercial information. To this day Rio Tinto does not know what that information was,” he says. Hu and his colleagues later admitted they accepted bribes from steelmakers.

“In terms of the impact on the company, as soon as it came to light that these employees had accepted bribes, the impact right around the globe on the company was enormous.

“I do not think there was a part of the company that was unaffected by that particular incident.”

Tiffen says that such incidents have an enormous effect on staff morale and the way staff go about their business. Following the incident, Rio Tinto reviewed how it dealt with trade information and how it gathered information from third parties.

Company culture

“I know ‘culture’ can be bandied around a lot … [but such incidents are] a failure of culture and this is where boards, and particularly independent directors, really need to start stepping up,” Tiffen says.

“If anyone is responsible for setting the culture in the organisation it starts with the board and it really flows from there.

“I doubt there are many independent directors who have asked their CEO, ‘tell us what the culture is’ and I doubt there are many CEOs who would go to the board and say, ‘the culture is shocking’, but that’s where it all starts.”

Tiffen says that even if a firm has a good compliance program on paper, it is only effective if senior management support it.

“It is not just the reputation risk and fines [when such incidents happen], it is also management time and management distraction, so diverting attention away from running the business,” he says.

“This has a huge impact on the business in those circumstances and while the size of the fines make the headlines, alongside the legal costs and the forensic costs, there is also the management time [taken up] determining the impact of some of the sanctions.”


Tiffen says while he was at Rio Tinto he was given the responsibility for a compliance program called Speak Out.

“If there is a proper whistle blower program it needs to be given credit by senior management. That is absolutely vital,” he says.

“We would much rather people raise issues directly with management obviously but [the whistle blowing program] is a huge safety valve. If I was a director of any company I would be absolutely insisting on a whistle blower policy.”

Tiffen says while at the firm he also changed the name of the compliance program to the ‘Integrity and Compliance Program’.

“We emphasised integrity, so the messaging from the CEO just spoke about integrity. It’s those little things that really count,” he says.