Sr sep11 lr by Nathan Hambrook-Skinner

VIEWPOINTS [ PEOPLE ] Amrae’s new president on French risk managers’ greatest concerns GOVERNANCE [ ETHICS ] A damning new report explains why some companies don’t seem ﬁt to govern themselves

European risk and corporate governance solutions

www.strategic-risk.eu [ September 2011 ] Issue 72 €25

NEWS FEATURE [ HACKING ] Companies still aren’t investing enough in information security THEORY & PRACTICE

NEWS & ANALYSIS » Murdoch’s reputation hit » Another ﬁne mess for brokers » Sovereign debts spiral

[ BEST PRACTICE ] Steps to help with frontier risk management as companies seek out growth

PLUS Captives 2011

www.strategic-risk.eu [ September 2011 ]

Going places Which strategic factors are at play for a company electing to set up a captive, and what inﬂuences the all-important decision of where to domicile?

Managin yourg claim s A GUID

E TO

Top 10 essential online stories 06 04

01 WATER SHORTAGES

Where is water most stressed?

10 03

01 07 08

Reuters

Demand for water is becoming more and more intense. As a large water supply is fundamental to so many industries, water shortages pose a threat for a huge number of businesses. Maplecro recently released a water stress index, which identiﬁes Bahrain, Qatar, Kuwait and Saudi Arabia as the world’s most water-stressed countries. Outside the MENA region, water stress is a major issue for large emerging economies such as India, South Korea and China. The European countries at most risk from water scarcity are Malta, Spain, Belgium, Portugal and the Netherlands. Increasing demographic and economic pressures suggest that the signiﬁcance of water security will only increase with time. web. /goo.gl/uYMbO

02 GLOBAL LINKS

More uncertainty over oil prices Hugo Chavez’s battle with cancer may have added to pressures on oil markets and caused increased disruption or higher prices for businesses. The fact that Venezuelan president Hugo Chavez had an extended stay in a Cuban hospital heaped pressure on world oil markets and caused disruption for international business. It is a strange example of how interconnected the world’s risk landscape is. Chavez recently underwent an operation in a Cuban hospital to remove a cancerous tumour. He has since appeared in state media looking ﬁt and healthy. However, continued uncertainty over Chavez’s health and his prospective successor may have adverse effects on world oil markets. Analysts believe that Chavez may seek to subjugate the stateowned oil company PDVSA in order to stay in power longer. His recent illness could encourage him to act sooner. web. /goo.gl/RcH2b

03 CIVIL UNREST

Foreign mining projects lead to deadly protests in southern Peru Protests against foreign mining projects resulted in the deaths of at least two people in June when activists stormed an airport in southern Peru. The indigenous Aymara people have been protesting for months over the negative effects that mining is having on the local environment. Following the protests, the government revoked the mining concession of Canadian company Bear Creek in a bid to appease protestors, global news agency AFP reported. “Protests have increased in Peru, as a nationalist party that is hostile to foreign mining companies won the recent elections there,” JLT head of political risk analysis Elizabeth Stephens said. President-elect Ollanta Humala’s campaign was based on promises to end conﬂicts between the Peruvian people and foreign energy and mining companies. These protests demonstrate the importance of engaging with all stakeholders, especially in the context of energy and mining projects. web. /goo.gl/sDqnJ

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

04 INVESTIGATION

Italian police raid rating agencies Police have raided the offices of Moody’s and Standard & Poor’s as part of an investigation into suspected “irregularities”. The chief prosecutor of Trani, a small Adriatic port, is leading the investigation into the agencies’ valuations of Itay’s debt and the effect that this had on markets. Italy’s debt is equivalent to 118% of its GDP and is second only to Greece in the EU. In a statement, Standard & Poor’s said that the investigation had no basis and that, “we will strenuously defend our business, our reputation and the reputations of our analysts”. “The ‘three sisters’ – Standard & Poor’s, Moody’s and Fitch – are an errant danger to economic and ﬁnancial state sovereignty,” said Elio Lannutti, president of Adusbef, a consumer group that instigated the investigations. web. /goo.gl/goo.gl/IuUbN

LINKS TO THE WEBSITE About goo.gl Type the goo.gl address into your web browser to access our recommended articles from strategic-risk.eu

06 CORRUPTION

‘No more regs’ says Ferma

UK fraud exceeds €1bn

Ferma said no to more corporate governance rules from the European Commission. It responded to a corporate governance Green Paper saying “implementation and robust enforcement” of existing corporate governance rules are needed, rather than a new directive. Ferma is opposing any further obligations for companies to publish information on their risk appetite. It also re-emphasised its belief that the board should ensure proper oversight of the risk management process. web. /goo.gl/21qr9

UK fraud reached €1.24bn in the first six months of 2011, up from €685m in the same period last year, according to a KMPG report. The average case value of private sector fraud has gone from €2.81m in 2010 to €4.73m in 2011. “The evolution of e-commerce as well as increased reliance on automated payment systems has swollen overall UK fraud figures,” KPMG UK partner Hitesh Patel said. Patel added: “For SMEs, fraud can o en lead to significant cashflow problems, resulting in redundancies and at worst a fight for survival.” web. /goo.gl/sCi0M

07 INTERNATIONAL BUSINESS

Reuters

Economic sanctions on the rise

10 FINANCE

Reuters

05 EUROPE

Pensions next ﬁnancial crisis

08 WAR

Increasing tensions in South Sudan Fears have grown that the newly formed Republic of South Sudan could descend into civil war. The Republic of South Sudan became an independent state on 11 July, officially separating from the North, but analysts believe that deep-rooted tensions between the north and south will increase the risk of war and terrorism. Companies with interests in Sudan face a lack of security, inadequate infrastructures and growing corruption. Rivalries between South Sudan groups could escalate, as there is no longer a need to present a united front against the North, according to an Exclusive Analysis report. web. /goo.gl/k1u2h 09 ECONOMY

European debt crisis engulfs Italy The international community recently increased sanctions against Iran and Libya. Economic sanctions are aimed at countries that are on the edges of the international community. They are designed to neutralise key threats by undermining their political and economic systems. From a risk management perspective, a whole range of international businesses can ﬁnd themselves caught up in sanctions through their own operations or links to subsidiaries and suppliers. As the number of sanctions increases, so does the chance that businesses will inadvertently break them. Breaking sanctions can have serious ﬁnancial and reputational consequences. web. / goo.gl/0412R

Huge increases in Italy’s borrowing costs have sparked fears that the European debt crisis will continue to spread. Italian stocks fell on 8 and 11 July, raising concerns that the country would no longer be able to manage its €2.85 trillion debt. The Italian government is forcing through a €40bn austerity package. The IMF stated that its “directors stressed that decisive implementation of the package is key and a number of them felt that more front-loaded spending measures would have a positive effect on market sentiments”. web. /goo.gl/1Dkyr

Pension schemes represent a risk that companies can no longer ignore. As the baby-boomers retire in their droves, the pension system is beginning to buckle under its own weight. “We have a real problem,” said Ferma vice-president Jorge Luzzi. “Life expectancy is much higher now than in the past, when these pension schemes were established.” Luzzi underlined the causes of the problem, which is that, at current pension rates, the working population is too small to support the retired population. Pension risk was concealed in the past by assumptions that the liabilities would be smaller. But some commentators now believe pensions could be the next major threat to the ﬁnancial system. web. /goo.gl/PclBp

Online contents Most read stories China rocked by train crash scandal web. /goo.gl/gFQSj Spain and Italy struggle with debt burden web. /goo.gl/BkQeL US debt problem is ‘neon swan’ web. /goo.gl/5TRe3 Top three non-modelled risks web. /goo.gl/ MRr Social media threat warning web. /goo.gl/xlz9H

Online analysis The public’s perception of risk is dependent on the media, and this has serious reputational and branding implications for companies. Since the ﬁnancial crisis began, this issue has become more relevant to risk managers. New media can distort how the public perceives risk, and companies need to know how to react. As technology develops, we are consuming more media in different ways and news stories can spread like wildﬁre on social media and in the blogosphere. web. /goo.gl/GHZ2e

www.strategicrisk-.eu [ SEPTEMBER 2011 ] StrategicRISK

RISK INDICATOR [ VISUALISING DATA AND TRENDS ]

Five future risk scenarios according to Eurasia Group

FUTURE RISKS

What next for global business? Five of the biggest issues on the risk landscape

BIG OPPORTUNITIES IN CENTRAL AND EASTERN EUROPE Central and eastern European economies present a major opportunity for multinational businesses, according to Eurasia Group. In 2010 the GDP of central and eastern Europe increased by 4%, according to the IMF, while imports rose 12% and exports increased 10%. Growth in the region is heavily dependent on membership to the EU, however, and countries like Poland and Hungary have seen setbacks to their plans to join the euro.

CHINA’S FIVE-YEAR PLAN China’s new ﬁve-year plan focuses on domestic consumption and improving the country’s infrastructure, according to Eurasia Group. China plans to base a big portion of its economy on cutting-edge technologies like electric-powered vehicles, renewable energy and biotechnology, but interested companies should consider the risk of intellectual property the through industrial and cyber espionage, which is an issue there.

1. Big opportunity in central and eastern Europe

(10,000 persons)

ALTERNATIVE ENERGY BOOM New extraction technology and high fuel prices are creating a boom in energy from unconventional sources, such as shale gas and tight oil, Eurasia reports. The USA’s Energy Information Administration claims that the number of horizontal wells producing shale gas increased by more than 4,000% between 2004 and 2009, yet China has the largest reserves of shale gas in the world at around 1,275 trillion cubic feet. Key risks involved in the new energy boom include security of the intellectual property for mining processes and signiﬁcant costs to establish a mine.

MIDDLE EAST IN TRANSITION Instability in the Middle East and North Africa will create sustained risks for business in the region, says Eurasia. “The Middle East is the only region outside sub-Saharan Africa where the number of malnourished people has risen since the early 1990s,” says JLT head of credit and political risk Dr Elizabeth Stephens. The rising cost of bread was one of the key drivers for revolution in Egypt. As such, the continued risk of civil unrest increases the possibility of damage to business assets or business interruption.

TOUGH FINANCIAL REGULATIONS Different interpretations of the ﬁnancial crisis by individual countries have resulted in a lack of co-ordination at a global level. Increased regulation means that transaction, disclosure and compliance costs will all increase for international companies.

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

2. China’s next ﬁve-year plan

TOPIC ARER

Top ﬁve [ RECENT CIVIL UNREST ]

3. New energy boom

2. Shale gas and tight oil resources

3. 4.

Syria (March 2011-ongoing) So far 2,400 people have been killed in protests against president Bashar al-Assad’s regime. London (6 August 2011) A peaceful protest against the death of Mark Duggan, who was shot dead by police on 5 August, escalated into riots and looting. Israel (14 July 2011-ongoing) Hundreds of thousands of people have been protesting in Israeli cities against rising living costs. Spain (15 May 2011-ongoing) Tens of thousand of ‘los indignados’, or the indignant ones, have been protesting across Spain against unemployment and austerity measures. Chile (13 May 2011-ongoing) Initially peaceful protests against state education policies degenerated into violence in Santiago and other cities in Chile.

OVERHEARD

“Soundbites” ‘Europe has been the target of radical terrorism for some time and we continue to manage this risk as a major priority, above all a er the death of Bin Laden’ Daniel San Millán Risk manager at Spanish transport and infrastructure company Ferrovial, and president of Igrea, the Spanish risk management association >> see News Analysis page 10

4. Middle East in transition

‘Italian pension funds are in a better position than in many other countries’ Paolo Rubini Telecom Italia risk manager and president of Italian risk association Anra >> see Risks page 23

5. Tougher ﬁnancial regulations

‘Cyber isn’t more of a worry for businesses than other risks, but it is a new problem’ Source: Eurostat, National Bureau of Statistics of China, US Energy Information Administration

Michel Dennery Ferma board member and risk management director at GDF Suez >> see Risk Atlas pages 32

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

Reuters

NEWS ANALYSIS [ CONTEXT & INSIGHT ]

On my watch: Rupert Murdoch accepted Rebekah Brooks’ resignation as chief executive following phone hacking allegations during her editorship at the News of the World

Absolute power corrupts With phone hacking investigations now extending across the pond to September 11 victims, News Corporation has more and more to answer for. But bosses’ attempts to plead ignorance won’t wash – corporate culture is led from the top

therefore very unhappy, yet the way the company is structured makes it difficult for them to gain a majority. News Corp has two types of shares. Class A shares do not carry a vote. Class B shares do, with one exception – the chairman of Saudi company Kingdom Holding, who owns 7%. The voting shares are otherwise split fairly diversely between investors, leaving the Murdochs holding around 38%. And yet, before the current scandal, some discontented shareholders had already instituted a D&O claim, in respect of News Corp’s decision to buy UK television production company Shine – majority-owned by Rupert Murdoch’s daughter Elisabeth – for $675m (€475m). They believed this to be a clear case of overpayment due to nepotism. But, though the D&O suits are a concern, the company is reportedly well insured. A more alarming development for News Corp is a possible action under the FCPA.

S THE MURDOCHS DEFEND THEIR position in relation to News Corporation subsidiary News International’s telephone hacking scandal in the UK, the greatest threats now appear likely to come from the other side of the Atlantic. The company is already subject to one US D&O law suit, but more are now on the horizon, along with possible action under the US Foreign Corrupt Practices Act (FCPA). The damage to reputation goes without saying. In the UK, much hinges on who knew what and when at the company’s News of the World, with regards to hacking into voicemails to obtain stories on various people in the public eye. It is hard to believe the senior editorial team were unaware at the time of how stories were being sourced. Despite the adage that journalists don’t disclose their sources, this rarely applies to their editor – or in-house legal advisers. These revelations point to questions of governance and corporate culture. A number of individuals involved in a criminal act within an organisation, going undetected and/or unpunished, is a sign that the organisation condones such behaviour. Corporate culture works from the top down.

Shareholders’ displeasure The scandal has resulted in the closure of the newspaper and has effectively scuppered – in the short term at least – News Corp’s plans to take over BSkyB. Investors are

The USA gets involved According to The New York Times, the FBI is investigating suspected efforts to obtain voicemails and telephone records of victims of the 9/11 attacks and their families. It is

Despite the adage that journalists don’t disclose their sources, this rarely applies to their editor, or in-house legal advisers

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

also looking into a claim that a former New York City police officer was offered money for information about 9/11 victims. The newspaper said: “If phone records were accessed, that could be a violation of the Telephone Records and Privacy Protection Act, 18 USC 1039, which prohibits making false or fraudulent statements to obtain another person’s telephone records.” News Corp relocated from Australia to the USA in 2004, and therefore is subject to US laws. But, as the statute did not come into effect until the end of 2006, much depends on when transgressions took place. It is more likely that the USA will try to invoke the FCPA over the police payment claim. Proved payments to UK police officers for information may not apply, as they cannot be classed as a bribe for the direct purpose of gaining business. But the USA tends to be fairly zealous in pursuing suspect offshore-based shenanigans. Of course, any falsiﬁcation of accounting records to conceal payments would be actionable and dealt with by the Securities and Exchange Commission. With so many potential D&O actions and lawsuits facing News Corp, its reputation is in tatters. Rupert Murdoch, once courted by governments, is now persona non grata. It’s fair to assume that any future corporate structure that gives so much power to one family – with restricted voting rights to many shareholders – is likely to come under somewhat greater scrutiny. SR

The Corp’s code ON ITS WEBSITE, NEWS CORPORATION outlines its corporate governance code, saying that it has adopted standards of business conduct that conﬁrm the company’s policy to conduct its affairs in compliance with all applicable laws and regulations and observe the highest standards of business ethics. “The company intends that the spirit as well as the letter of those standards is followed by all directors, officers and employees of the company, its subsidiaries and divisions. This is communicated to each new director, officer and employee, and has already been communicated to those in positions at the time the standards of business conduct were adopted.”

Know more. Achieve more. Building the world’s largest passenger aircraft – the A380 – is a challenge that requires a trusted partner. That’s why Airbus, an EADS company, trusts in the expertise of Allianz Global Corporate & Specialty – covering the most complex business risks worldwide. www.agcs.allianz.com

With you from A-Z Ingo Zimmermann, Head of EADS Corporate Insurance Risk Management

NEWS ANALYSIS [ CONTEXT & INSIGHT ]

RISK ATLAS Terrorism A snapshot of the perceived threat level across the globe >>see page 32

TERRORISM

Beware the growing threat of lone terrorists Reuters

The recent attacks in Norway are a stark reminder of a new terrorist threat that countries right across the world must get to grips with

the attack in Madrid in 2003 is the horror and barbarity of killing people for fanatical beliefs. We believe the sources of the attacks are very different.” The attacks in Norway have caused many to question the effectiveness of European anti-terrorist intelligence and security measures. JLT head of war and terrorism Kelly Crouch says: “These territories all have counter-terrorism units but what we don’t know is how many events they prevent. So one event happens and suddenly there are questions over their effectiveness.” On the other hand, the weakening of al-Qaeda’s infrastructure and the killing of Osama Bin Laden demonstrate the success of some western anti-terrorist activities. “One of the reasons we haven’t seen a big Islamic terrorist attack in the UK since 7/7 is because the western European governments and the USA have been so effective in disrupting the training networks of al-Qaeda and its affiliates,” Stephens says.

Knock-on effect Building bridges: an imam meets two US chaplains at an Islamic centre in Texas

XPERTS BELIEVE HIGH YOUTH unemployment in Europe and low economic growth could be contributing to an increased threat from lone, radicalised terrorists. Following the terrorist attacks in Norway on 22 July, many risk managers are asking themselves how the risk of terrorism is changing. The Arab spring, the death of Osama Bin Laden, economic and demographic pressures in Europe and the USA have all had a signiﬁcant effect on the source and type of terrorist attacks.

It is a concern that has not gone unnoticed in the risk management community. Spanish infrastructure company Ferrovial’s risk manager, Daniel San Millán, who is also president of Spanish risk management association Igrea, says: “We have considered terrorism to be a critical risk for a long time, above all in Spain where the threat of terrorism has been very present for the past 30 years. Fortunately, there continues to be a competitive insurance market that allows us to transfer the risk.” Attacks from Basque separatist group ETA and the terrorist bombings in Madrid in 2003 have long made Spanish risk managers aware of the risks. But Millán adds: “The only similarity between the attack in Norway and

Radicalisation climate High youth unemployment and low economic growth are combining to create an ideal environment for the radicalisation of individuals. “During times of economic stress, there can be an increasing risk of radicalism. Certain sectors of society can ﬁnd it harder to ﬁnd work, leading them to feel disenfranchised, which can increase the appeal of radical ideology,” says JLT head of credit and political risk analysis Elizabeth Stephens.

As the dynamics of terrorism change, companies need to be aware of the risks coming from within the country as well as internationally

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

But this disruption increases the likelihood of attacks coming from lone individuals such as Anders Behring in Norway, she says. The attacks in Norway show that companies and countries cannot allow themselves to be blinded to attacks from other sources. “Europe has been the target of radical terrorism for some time and we continue to manage this risk as a major priority, above all a er the death of Bin Laden,” San Millán says. “New technologies are going to play an increasingly important role in the prevention of terrorism and we are disposed to make signiﬁcant investments in this area.” As the dynamics of terrorism change, companies need to be aware of risks coming from inside the country as well as internationally. “There is a change in the perception of the origin of these terrorist threats. For example, the US government is working hard to prevent the radicalisation of Muslim-American citizens and that’s quite a new move in America,” Stephens says. Companies’ terrorist risk management should not be changed impulsively following the events in Norway. But risk managers need to understand how the threat of terrorism could be changing and how this will affect their businesses. SR

Â³0LOOLRQV VDZ WKH DSSOH IDOO EXW 1HZWRQ DVNHG ZK\ Â´ %HUQDUG %DUXFK

/RFNWRQ $VN ZK\ ZH DUH GLIIHUHQW

6SHDN WR XV IRU DOO RI \RXU LQVXUDQFH QHHGV RQ 7 : ZZZ ORFNWRQ FRP /RFNWRQ &RPSDQLHV //3 LV DXWKRULVHG DQG UHJXODWHG E\ WKH )LQDQFLDO 6HUYLFHV $XWKRULW\ $ /OR\GÂ¶V %URNHU

NEWS ANALYSIS [ CONTEXT & INSIGHT ]

Debt struggles compromise all

Reuters

ECONOMIC RECOVERY

Heavy sovereign debts restrict recession recovery progress

ESPITE ATTEMPTS TO RECOVER from recession, some countries, notably Greece, Portugal, Italy and Spain, are having problems with servicing their sovereign debt. Even more worryingly for the global economy, in August Standard & Poor’s downgraded America’s credit rating to AA a er 100 years of perfect AAA rating. The situation is of immediate concern to investing financial institutions: sovereign debt can be subject to compulsory rescheduling, interest rate reduction, or even repudiation. But it is not only bank risk managers who face increased challenges from the current crisis. A key concern for some multinational companies is heightened counterparty risk. Those that have contracts with state-owned and quasi state-owned organisations in the European countries most affected fear that these may not be able to meet contractual obligations. In addition, worsening economic conditions and austerity measures lay the basis for civil unrest, as demonstrated by recent protests in Spain. Domestic markets in Europe’s beleaguered countries are likely to shrink. Reduced profitability could mean that companies may reduce investment in risk management measures, with some looking to cut their risk management teams or even dispense with risk managers altogether – an apparent recession trend. The Greek economy is just 2.5% of the Eurozone economy but is proving a thorn in the side of EU recovery, says Société Générale Private Banking Hambros group chief investment officer Martin O’Hare. But there is hope. “While we acknowledge that the risk environment has intensified, we believe the recovery wheels will turn,slowly, again in the second half of 2011.” SR [READ MORE ONLINE] To see our story ‘Italian police raid rating agencies’, go to strategic-risk.eu or goo.gl/fU0gr

Civil unrest: People took to the streets in Spain in May to protest spending cuts and unemployment

BRIBERY

Willis fine reflects a renewed focus on bribery FSA hopes huge fine on ‘disappointing’ Willis will serve as a deterrent, while experts predict increased action against crime, laundering and bribery

XPERTS SAY ORGANISATIONS CAN EXPECT TO see significantly more action from the UK’s FSA on financial crime, anti-money laundering, sanctions breaches and bribery. Indeed, on 21 July, Willis Limited was slapped with the highest fine yet by the FSA for failing to prevent bribery overseas. The FSA handed Willis a £6.9m (€7.87m) fine following an investigation that unearthed “suspicious payments to counterparties in Egypt and Russia”. It’s an even bigger fine than the £5.25m penalty that Aon received following similar offences, which caused a huge stir in January 2009. Willis was found to be making payments to oversees third parties, which helped them to win business without adequate anti-bribery and corruption controls in place. “Willis Limited failed to take the appropriate steps to ensure that payments it was making to overseas third parties were not being used for corrupt purposes,” stated FSA acting director of enforcement and financial crime Tracey McDermott.

StrategicRISK [ FEBRUARY 2011 ] www.strategic-risk.eu

The scolding is particularly embarrassing considering Willis chairman and chief executive Joe Plumeri has been so vocal about his principled stand and moral commitment to reject contingent commissions, which are seen by many as a type of kickback. The FSA was clearly disappointed with Willis and said as much in its statement: “This is particularly disappointing as we have repeatedly communicated with the industry on this issue and have previously taken enforcement action for failings in this area.” For its part, Willis said it has taken “comprehensive and effective action” to remedy the shortfalls in its overseas payment controls uncovered by the FSA. “We recognise the importance of such measures in assuring ourselves and stakeholders that the risk of wrongdoing is designed out of the way we do business,” said Willis Limited chief executive Brendan McManus in a statement. The latest ﬁne follows a sector-wide regulatory investigation in 2009 that found “signiﬁcant

‘Experience is something that you can only acquire with time’ Gilbert Canameras AMRAE president >> see Viewpoints page 20

weaknesses” in brokers’ business practices and their anti-corruption measures. It was a clear early warning sign that the FSA was serious about cracking down on brokers and their methods to prevent bribery. Unfortunately, the signal seems to have been missed, or ignored. The FSA hopes that big fines – such as the one doled out to Willis Limited – will serve as a better deterrent. This is just the latest action by the FSA; organisations can expect to see significantly more emphasis from the watchdog on financial crime, anti-money laundering, sanctions breaches and bribery, according to compliance experts. Responding to the news of Willis’s FSA fine, Howard Sklar, senior corporate counsel at Recommind, says that had these events occurred more recently (the fine relates to actions between January 2005 and December 2009), they might have been a good candidate for a UK Bribery Act test case, given the new anti-bribery legislation.

‘Even today, implementing controls for these kinds of payments is extremely difficult’ Howard Sklar Recommind But Sklar also defends Willis by saying that in 2005, long before the UK Bribery Act was passed, “no one was paying attention” to anti-bribery measures, and procedures were “virtually non-existent”. “Even today, implementing controls for these kinds of payments is extremely difficult,” he says. “Plus, the jurisdictions involved here, Egypt and Russia, are considerably risky places to do business.” “One of the greatest compliance challenges companies face is gaining a full understanding of the activities and methods of intermediaries acting on their behalf,” says Matteo Bigazzi, managing director of K2 Global Consulting.

Law firm Eversheds partner Neill Blundell adds: “The new Bribery Act is clearly not going to be the first port of call when dealing with regulated businesses falling short, partly because the FSA lacks the power to criminally prosecute under it. Instead, the FSA will use its regulatory powers to good effect, going a er the failings in systems to prevent bribery and corruption.” It is easier for the FSA to get results this way because there is no need for it to prove an actual offence, he says. The FSA has published a financial crime guide that aims to improve firms’ understanding of their requirements on anti-money laundering, terrorist financing, fraud, data security, bribery and corruption, sanctions, and weapons proliferation financing. SR [READ MORE ONLINE] For more on this story, go to strategic-risk.eu or goo.gl/y8nUA

Catastrophe Modelling 2011 A one day seminar hosted by the International Underwriting Association America Square Conference Centre 17 Crosswall, London EC3N 2LB

Friday 14th October 2011

Register now! For registration and sponsorship forms contact Deborah Finch on 020 7617 4451 or email : Deborah.ﬁnch@iua.co.uk CONFIRMED SPEAKERS:

GUEST SPEAKER:

• • • • • •

• Mr Michael Fish, MBE – BBC Weather Reporter

Lars Schmid – Head of Exposure Management, R J Kiln & Co Ltd Dickie Whitaker – Director, Financial Services Knowledge Transfer Network Flemming Jensen – CPA Partner, Matson Driscoll & Damico UK LLP Dr Anselm Smolka – Head of Geo Risks, Corporate Underwriting, Munich Re Rachael Hill – Strategic Development and Flood Risk Manager, Environment Agency Dr Sue Loughlin – Head of Volcanology, British Geological Society

MODELLING FIRMS: PANEL DISCUSSION • Mr James Webb – Product Market Leader, EQECAT • Mr Steve Jewson – Vice President, Model Development, RMS • Mr Milan Simic – Managing Director, AIR Worldwide Ltd

Full programme to be available on our website in due course: www.iua.co.uk/catmodelling Sponsors

IUA Member Registration fee: £290+VAT

General Registration fee: £390+VAT

NEWS FEATURE [ COVER STORY ]

Artwork: ‘Kong’ by 8-bitscapes (www.8-bitscapes.com) ©Sneddon/Rozario-Johnson

Can you spot the Nintendo game character hiding in this picture?

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

INFORMATION SECURITY

They’re laughing at you Hacktivist groups are out to expose, embarrass and damage businesses, and it can only take one small mistake in coding to leave a company vulnerable to a hacking attack. So why are businesses still not investing in their data security, and what should they be looking out for?

Key points 01: Recent high-proﬁle hacking incidents are only the tip of the iceberg, as many attacks are conducted by more private groups, and companies are unlikely to publicise such problems. 02: A breach of security can damage reputation with customers, potentially eroding share price and net value. 03: Attacks are o en motivated by revenge – o en in support of WikiLeaks or others in the internet community – or just to embarrass large companies. 04: Most cyber attacks take the form of an overload of a website to stall operations or the inserting of programming scripts into site databases to steal information, such as customer data.

HERE ARE MANY REASONS WHY A managing director might dread their work mobile phone waking them in the middle of the night, but a call from a frantic chief information officer telling them that their website has been knocked out and all the company’s confidential customer data is already available for download on The Pirate Bay must rank among the worst. In recent months, a string of attacks by high-profile ‘hacktavist’ groups, Anonymous and LulzSec (see box ‘The hacktivists only in it for the “lulz”’, overleaf), along with strikes on Google, possibly by Chinese hackers, have shown that security is something that no company can take for granted. If anything, the hacks that have made the news may only be the tip of the iceberg. “We’re aware of the high-profile break-ins that have been announced by the publicity-seeking hackers,” says internet security expert Tom Scott. “[But] how many of those companies would have gone public themselves if they were compromised by more private, ‘black hat’ groups? How many would even have noticed the intrusion? It’s impossible to quantify the ‘real risk’ other than as vague, meaningless estimates.”

But while the threat is hard to quantify, the potential for damage is easy to see. “The main risks to a company are brand damage, losing customers – which can have a knock-on for share value and net value – losing intellectual property and losing their competitive advantage,” Trend Micro director of security research and communication Rik Ferguson says. “It’s clear that we are seeing more and more attacks, although this is partly driven by the fact that, after Google went public about being hacked, more companies are following their lead. We still don’t have full disclosure, but legislation in the USA now obliges companies to tell their customers if they feel that their customer data has been compromised.” Many of the current attacks seem to be acts of revenge. In May 2011, LulzSec targeted Fox.com, after a presenter called the rapper Common ‘vile’, and managed to leak passwords, LinkedIn proﬁles, and the names of 73,000 X Factor contestants. In June, LulzSec hit Sony in retaliation for its prosecution of a computer expert for ‘cracking’ the Playstation 3, promising it would be the “beginning of the end” for the company. The group claims to have compromised over a million Sony customer

PayPal comes under attack ON JUNE 5, ANYONE WHO FOLLOWED online payment company PayPal on Twitter had a shock: “PayPal can freeze your funds for no reason, do not use PayPal!!” came the tweet. This was the followed by: “All your PayPal accounts are now frozen while we clean up this mess.” There were also multiple links to PayPalSucks.com, a website that campaigns against the company. It is widely suspected a disgruntled customer was behind the attack – Twitter accounts are

protected by a simple password that can sometimes be guessed, or stolen. What damage the attack actually did to PayPal is impossible to quantify. Although the company quickly suspended the account, confirmed it had been hacked and sought to reassure its customers that their data was safe, the web was already aflame and their brand – so critical in financial services – has undoubtedly been compromised.

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

NEWS FEATURE [ COVER STORY ]

» accounts, although Sony

only one mistake while coding a site for that door to be unlocked. “For 99% of people and businesses, the main threats are bitter ex-partners, business rivals, and so on – and they’re more likely to try to guess your Facebook password than to leak your customer list.”

says the number was actually 37,500.

How they do it

The majority of hacker attacks are either massive DDoS (distributed denial of service) attacks – where thousands of malwareinfected ‘zombie’ computers are prompted to Answer: the grey contact a website over and ‘building’ in the The personal over again until it breaks centre is Nintendo approach down – or alternatively character Kong It’s worth remembering off-the-shelf programming that hacking isn’t only a scripts are inserted into site technical problem, and a databases to steal company’s workforce can information. The latter, in also become an unwitting theory, should be far easier ‘“They probably aren’t interested in me” isn’t conduit for an attack, to defend against. an excuse. Making sure you have good security something hackers refer to “If [a ﬁrm’s] website as ‘social engineering’. contains customer data, it for your customers’ data is a legal requirement “If someone is should ask its web team under the Data Protection Act’ targeting your company about the phrases ‘SQL speciﬁcally, there are many injection’ and ‘cross-site Tom Scott Internet security expert ways they could get scripting’,” Scott says. customer details,” Scott says. “[They could] mail someone in “Those are the names of the most common attacks – the lowyour company a malware-loaded USB key, call up and pretend hanging fruit. If your web team doesn’t understand what those to be your technical support and try to sneak onto your mean and how to defend against them, you can start worrying.” wireless network. As with any business risk, the key is a methodical assessment. “There are two million or so registered businesses in the UK, “Effective penetration testing by a third party, both internal and and the fact is that most of them really aren’t that interesting to external, is essential,” Ferguson says. “This is especially important, hackers. But someone’s going to be unlucky of course, and ‘they going forward, as more and more companies are relying on public probably aren’t interested in me’ isn’t an excuse. Making sure you and private cloud virtualisation. Don’t start at the server, start at have good security for your customers’ data is a legal requirement the edge of the data and build out. Use plenty of encryption.” under the Data Protection Act.” Where attacks that compromise data hit hardest seems to be In the end, data security is a matter for every single employee where corners may have been cut. “I’d wager that SQL injection – not just the IT department – and managers need to understand attacks have been successful because websites have been launched just how broad their company’s vulnerabilities are. under budget, without testing, and without proper thought to Otherwise, they could be getting that unwanted late-night call. SR information security,” Scott says. “In the worst case, it can take

The hacktivists only in it for the ‘lulz’ IN TRYING TO UNDERSTAND THE ORIGINS OF the recent storm of high-proﬁle hack attacks – which have compromised sites belonging to Sony Pictures, the CIA, and many more – two websites are important: the messageboard 4Chan, and WikiLeaks. The former was originally set up as a discussion site for fans of Japanese anime, but evolved into the online home of a substantial subculture of tech-savvy kids with a sharp sense of humour and a taste for mayhem.

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

Most chose ‘Anonymous’ as their avatar on the site and the name gradually became a banner under which they united to launch loosely co-ordinated hack attacks on anyone who annoyed them – or just for the ‘lulz’ (laughs). Then came WikiLeaks, and Anonymous suddenly found a common cause to rally behind, with a more political edge. They now frequently act in defence of Julian Assange’s whistleblowing site, attacking Barclaycard and Amazon a er they cut services from his site, as well as targets connected

with copyright control. Even the Arizona police were hit for what the group claim are ‘racist’ policies. More recently, from within Anonymous has emerged LulzSec (“Laughing at your security since 2011”), a smaller group that specialises in targeting companies’ systems in order to deliberately embarrass its targets. Again, their hacks are mainly political, including striking US TV channel PBS’s website in retaliation for what the group saw as an unfair Frontline documentary about WikiLeaks.

Viewpoints

[ PEOPLE ] [ OPINION ] [ COMMUNITY ]

PROFILE

The long road Paul Taylor’s risk management career has spanned nearly 40 years and has taken him across Europe, with some of the largest companies in big business. Who better, then, to take the reins as new Airmic chair?

> In my opinion Pensions ....... 19 What are the implications of today’s ageing workforce? > Q&A Gilbert Canameras ....... 20 talks about the challenges that face French risk managers today

IRMIC’S NEW CHAIRMAN PAUL TAYLOR HAS MOVED through his career in risk management at lightning speed. Moving from one challenge to the next, he has always had his sights ﬁrmly set on embedding a culture of risk management deep within the roots of a business. Going back to the start, Taylor joined FM Global in the USA as a loss control engineer after completing a degree in mechanical engineering. From the early 1970s, he worked for the monoline insurer for two decades before moving into the corporate sector. He still counts it as one of his most formative professional experiences, where he learned a great deal about risk engineering and loss prevention. “FM Global started out life as a mutual for textile mill owners in the USA,” Taylor explains. “They got together because their insurance companies wouldn’t give them credit for loss control initiatives. So they set up and created one of the ﬁrst risk engineering services.”

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

VIEWPOINTS [ PEOPLE ][ OPINION ][ COMMUNITY ]

Life with FM Global took Taylor to France in the mid 1980s, where he broadened his skill base working as an underwriter. “I’d gone through all the disciplines apart from loss adjustment,” he says. Taylor then moved into risk management with Argo Wiggins Appleton, a multinational paper company. “I really wanted to start doing risk management in a company. It was a logical step.” When he joined, Argo had seen its fair share of ‘incidents’, says Taylor, and the Anglo-Franco-American leadership wanted to see what they could do to improve their risk management. “I put in place an approach to improve the protection and control of risks in the paper facilities,” Taylor says. Going through a radical cultural ‘People think money change in the business was a major spent on risk challenge, but one occasion in particular sticks out in his mind. management is dead “One of the senior business money. If they haven’t managers stood up in a meeting and said something along the lines of: had a recent incident ‘When I ﬁrst looked at what Paul was they think it won’t doing I thought it was a complete load of rubbish, but gradually I happen to them’ started to understand it.’ Getting Paul Taylor Airmic hearts and minds onside is really important. Without that, risk management doesn’t really work. “It’s hard though, because people think money spent on risk management is dead money; they think it’s better to invest in something else like better equipment. If they haven’t had a recent incident, they think it won’t happen to them.”

Wheels in motion Taylor enjoys the challenge of entering a company and embedding a new approach to risk management, but he believes that once things get going the business itself should be able to give it the momentum it needs to run. “I’ve been lucky with all the companies I’ve worked for to be able to come in with a mandate to make some important changes,” he says. “But once those major changes have been made, the role becomes more of a routine, and that requires a different skill set. At that point, it becomes slightly less interesting for me because the majority of the risk management should be managed from within the business. “It can take from two to ﬁve years to put the basic processes in place so that you have a level of maturity that is self-sustaining. To really embed risk management in the psyche of the business and optimise the beneﬁts, you can add on a few more years to that.”

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

Taylor’s next move took him to Excel Logistics, where the chief executive asked him to go and stabilise one of the group’s businesses in France: a network of food distribution warehouses across the country. “The business was in a bad financial state and it was haemorrhaging people,” Taylor says. “I was completely out of my comfort zone and it was a trial by fire. But I worked with the general manager and we managed to get things back on track. “I enjoyed it in a masochistic kind of way. It was the most stressful part of my career. Every decision was a fire-fighting decision. It was absolute chaos and I made some good decisions and some bad ones. It was a real insight into the stresses and challenges of managing a business.”

Practice makes perfect Taylor came back to the UK in 2002 for a role with retail group Kingﬁsher, where he had much more responsibility for corporate governance and compliance, but in 2003 he was made redundant in a restructure. His next role took him to Switzerland, working for food processing and packaging company Tetra Laval. “The methodology I picked up at Kingﬁsher was developed and improved. That was branded as ‘Tetra Risk’ and I put that in

Sue Copeman,

EDITOR-IN-CHIEF, STRATEGICRISK IN MY OPINION

An old-age concern The long-term effects of an ageing workforce are under debate, but the pension crisis is a certainty

place. My group team was beefed up to five so we could drive that into the business.” Taylor spent five years at Tetra Laval and he remembers it fondly. “I worked in Lausanne and I had a five-mile drive to work with a view of Lac Lemon. It was a wonderful place for cycling, skiing, and the Swiss wine is pretty good.” In 2008, Taylor once again returned to home shores and joined Morgan Crucible, a FTSE 250 company that makes ceramic and carbon components. Here, Taylor sets the strategy for risk management control. With good risk management, Taylor believes companies can produce a discipline for thinking about risk and reward. “With it people make better decisions,” he says. “So you get more predictability about achieving business plans because you’ve thought about what can knock you off your course and you avoid unwanted surprises. That’s why a company has to ensure that its risk controls are embedded and effective.” As the new chairman of Airmic, Taylor is looking for ways to help his profession survive and thrive in the future, and knowing what he knows about a career in risk management, Airmic is in safe hands. SR

UROPE’S PENSIONS CRISIS HAS BEEN MUCH IN THE NEWS recently – and once again sovereign debt is coming in for some of the blame. The Pension Risk Transfer Index, published on 25 July by Pension Insurance Corporation London, warned that defined benefit pension funds could be hit hard if the European sovereign debt crisis creates a re-run of the credit crunch. “Should gilt yield fall back 30 bps [basis points] and equity markets drop 20% following a sovereign default, deficits could grow by 45%, costing an estimated £190bn [€215bn], placing additional strain on corporate sponsors at a time when the economic outlook is uncertain,” says the report. Investment risk is not the only uncertainty, said OECD economist, pension policy analysis, Anna D’Addio. Speaking at a European conference on the pension crisis, she cited the challenges of changing old-age dependency ratios, and increasing life expectancy at pensionable age. “The two priorities – financial sustainability and adequacy of pensions – are difficult to balance,” she said. With some European countries trying to solve the crisis by reviewing their default retirement ages – the UK default retirement age will be abolished later this year – risk managers need to consider potential new challenges from an ageing workforce. For example, the physical demands of some jobs could produce increased risks of accidents and health impairment, although the UK Health & Safety Executive reported this year that overall there is no evidence that older workers are more at risk of workplace accidents or injury than their younger counterparts. QBE’s Issues Forum predicts a rise Might it be worth in disease claims and conditions employing the odd generally more prevalent in older workers, warning: “It is likely that freelance hacker to stress reserves, particularly for larger value test a system, in a case claims, will increase.”

To catch a cyber thief

of ‘it takes a thief to catch a thief’?

Cyber crime also continues to hit the headlines on a weekly, if not daily, basis. One of the latest incidents is the alleged theft by researcher Aaron Swartz of more than four million documents from the Massachusetts Institute of Technology’s online archive of scientiﬁc journals. This follows on the heels of data theft reports from a raft of companies including Bank of America and Sony Corp, suggesting that even the largest organisations are not taking cyber crime seriously enough and even if they do, they don’t know how to protect themselves against it. Perhaps the problem is the intangibility of cyber assets. Physical protections may be good enough for the boardroom Van Gogh but a knowledgeable criminal need not even step through the corporation’s door to be inside its IT system. Few risk managers are tech experts so they have to take the word of their IT security teams that the company is adequately protected. But might it be worth their while employing the odd freelance hacker to stress test the system, in a case of ‘it takes a thief to catch a thief’? Conventional methods don’t seem to be paying off. SR [READ MORE ONLINE] Sue Copeman writes a regular column online at www.strategic-risk.eu

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

VIEWPOINTS [ PEOPLE ][ OPINION ][ COMMUNITY ]

Gilbert Canameras, DIRECTOR OF RISKS AND INSURANCE, ERAMET, AND PRESIDENT, AMRAE IN MY OPINION

Q&A with Amrae’s president What’s the most important lesson you have learned in your career? The most important thing that I have learned is that everything is negotiable, especially in the context of risk coverage. What are the biggest threats that risk managers face at the moment? You can answer this question in two ways. The first is that risks vary in intensity from one time to another. Twenty years ago, people were hardly aware of environmental risk and in the past five to 10 years, this has become a very pertinent subject. Today it’s known that risk has to be managed. Risks appear and disappear and change intensity with time. Risks today are often associated with the internet. Reputation risk, cyber criminality and all the rumours that circulate on the internet can be risks that are difficult to control. How will the European debt crisis affect risk managers? The debt crisis is a clearly identified financial risk and it’s important to understand the consequences it will have on companies. It’s a risk that is topical and in the news at the moment just like the internet bubble in 2000, or the property market crash a few years ago, or the debt of emerging countries in the 1980s. I would say that financial crises are cyclical and they regularly reappear; so the job of the risk manager is to anticipate these risks so they can help to reorient the activity of their company while the crisis is evolving. Do pensions and retirement represent a big risk? I think the error that has been committed in the past 20 years is to believe that people who were going to be able to retire at 50 would help others progress in their careers. This is a fundamental mistake. Experience is something that you can only acquire with time. The more experience you have, the more you can help your company succeed. Today the most important issue in companies is the transmission of knowledge and know-how. In companies you often have gaps between people who are 50-60 and the people who have just arrived in the organisation and there is a lack of communication between the two. How can older risk managers use their experience to inform younger risk managers? At Amrae we have developed an education module that aims to educate young people about risk

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

management. But it’s clear that a risk manager is not a junior employee; risk managers are all senior employees who have a lot of experience and know all the sectors and how to balance the different needs that exist within the company. It’s this kind of knowledge that has to be passed on to the next generation of risk managers. There have recently been significant increases in commodity prices (for example, oil and copper). How does this affect risk managers? Everything depends on the company and the industry that the company operates in. But I wouldn’t say that it’s the increase in the price of commodities, it’s the extreme volatility of prices that is the problem. How can you make a five-year business plan if the price of a barrel of oil quickly moves from €80 to €120, only to go back down to €95? The volatility of primary materials is a worrying issue for companies. How do you see the profession in five years? I think the profession will become more and more recognised. There has already been a notable evolution in the risk management industry. Twenty years ago, people only talked about insurance, and insurance buyers were often connected to the commercial director. Then companies realised that this was a complex subject that demanded some judicial or compliance knowledge and so insurance management became linked to compliance. After another few years, companies realised that there was not only a judicial side but also a financial side to risk that was becoming more and more important. In my personal case, I went from being an insurance director to a risk manager. In the near future, the risk manager will be someone who is connected to the chief executive or the general management and will give a global perspective not only of risks but also of how risks can be managed. Do you think it’s difficult to measure the performance of a risk manager? I think you have to put in place an evaluation method. A risk manager should be evaluated by how they mitigate and prevent risks. The job of the risk manager is not to eliminate risk – a risk level of zero is impossible. Their job is to diminish the level of risk and that’s what is important. SR

Airmic (UK) At this year’s conference in Bournemouth, Airmic launched a mentoring scheme that is being co-ordinated by board member Elaine Heyworth. The scheme will enable people who are new to the industry to be mentored and guided by experienced risk managers. All of the Airmic board members will be participating in the scheme. Heyworth believes it will be beneﬁcial to both mentors and protégés, with knowledge, experience and insight being shared between both parties. Heyworth explained that there is a lack of transmission of knowledge between experienced risk managers and young people beginning their careers. She suggested that this causes an employment gap between risk managers approaching retirement age and those coming up in the industry, which can make it more difficult to recruit young risk managers. “Mentoring is something I am very passionate about,” said Heyworth, who has experience in this ﬁeld having set up mentoring programmes at the European Professional Women’s Network.

Alarm (UK) Alarm is a risk management association in the UK and offers free membership to students studying full time for a qualiﬁcation in risk management. This year, Alarm also offered complementary places for students to attend its Learning & Development Forum and has started building links with universities, working with course directors to circulate information on risk management. Chief executive of Alarm Dr Lynn Drennan said: “Despite the huge budget cuts that are taking place in the public sector, we must not lose sight of the need to encourage and develop the risk managers of the future.”

Education initiatives

Apogeris (Portugal) Portugal’s risk management association Apogeris encourages anyone interested in risk management to attend their conferences. These conferences aim to inform and educate the association’s members and allow more experienced people in the industry to pass their knowledge on to younger risk managers. “Younger people in Portugal are becoming more aware of the industry and I think we should increase the availability of training and courses in risk management,” said Apogeris secretary-general António Negreiros Fernandes. Apogeris is currently working on a full programme to encourage young people in this industry but this can be difficult for smaller risk management associations, which have limited budgets. “We will need a European solution for this issue,” commented Fernandes.

Agers (Spain) The Spanish risk management association Agers aims to serve as a medium allowing risk managers to exchange ideas and experiences. Agers

organises seminars that are aimed at both risk managers and people who are interested in joining the industry. The association is currently creating a group speciﬁcally for young people who are interested in risk management. Agers has links with universities that support students who are doing doctorates in risk management. It invites students who are doing Masters or PhD studies in risk management to attend their conferences. It also provides a grant allowing a student to attend Ferma’s annual conference, as well making career advice available to everyone. Agers executive manager Mercedes Prieto told StrategicRISK: “The association has future plans to promote risk management to pre-university students.”

Carm (France) The French risk managers association Carm encourages students to get into risk management by offering diplomas in the subject. The Carm Institute teaches a variety of modules on risk management, which consist of a series of seminars followed by an exam. Unlike France’s main risk management association Amrae, Carm

Ferma (Brussels)

concentrates on education and certiﬁcation in risk management. The Carm Institute, together with the teaching team of the Masters in ‘Management of global risks and crises’, puts on a series of free lectures on subjects that matter to the industry. These events allow students to mix with graduates of the Carm Institute and learn about risk management. Carm emphasises the academic side of risk management with the goal of promoting the Arm, Erm and Efarm diplomas and furthering research in the ﬁeld.

Narim (Holland) The Dutch risk management group Narim invites 30 insurance professionals from the Young Insurance Group to its annual conference in order to encourage young business professionals to take an active interest in risk management. Young Insurance is a group on LinkedIn for professionals in the insurance industry who are under the age of 35. The group was set up by Sjaak Schouteren of De NieuwBouw, which is an independent network for the Dutch construction and infrastructure industry.

Ferma promotes risk management and insurance education in Europe by sponsoring students to attend its forum and seminars, as well as supporting universities in their own risk management programmes. Risk management education is one of Ferma’s main priorities, fostering talent within the industry and increasing awareness of the discipline. Ferma invites one student – who must have completed some kind of educational programme in risk management – from each European association to attend its annual forum. This initiative motivates students in the risk management ﬁeld and gives them an opportunity to create contacts within the industry. In association with Ferma, Lloyd's will host a development programme for risk managers with three to ﬁve years' experience in the industry. Lloyd's will host participants at the company’s headquarters in London in April 2012, October 2012 and April 2013. “Ferma also supports the other educational programmes that our partner associations provide as they improve visibility of our industry,” Ferma’s director of education Edouard Thys said.

Finnrima (Finland) The Finnish risk management organisation, Finnrima, emphasises training, education and ERM in the seminars it provides for its members. Finnrima provides scholarships of up to €2,000 for students in risk management and invites them to present their thesis at one of the association’s seminars. “In Finland, studies are still based around insurance and ﬁnance. There is no integrated risk management programme … so risk managers o en do not have a lot of business skills,” Finnrima president Lassi Väisänen said. The association aims to use education to grow the industry, improve risk managers’ key skills and increase their inﬂuence at board level. SR

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

IMPORTANT INFORMATION FOR AVIVA POLICYHOLDERS and CLAIMANTS – SIMPLIFYING OUR LEGAL STRUCTURE THE FOLLOWING INFORMATION WILL BE OF INTEREST TO YOU IF YOU ARE A POLICYHOLDER OF OR ARE MAKING A CLAIM UNDER A NON-LIFE INSURANCE POLICY ISSUED BY AN AVIVA COMPANY. Aviva has sold insurance under several brands and names – please read “Are you an Aviva policyholder or Claimant?” below. Notice of proposed Transfer Later this year, we’re proposing to consolidate our non-life insurance businesses into one main insurance company, Aviva Insurance Limited. At the same time we are also proposing to consolidate Aviva’s specialist London market business into one main company The Ocean Marine Insurance Company Limited. These changes will help to simplify our legal structure and help us work more efficiently for our customers. Please be assured this won’t affect how we deal with your policy or claim or how you can contact us. The transfer of business will be carried out under two insurance business transfer schemes (“Schemes”) under Part VII of the Financial Services and Markets Act 2000 (“the Transfers”). We’ve made an application to the High Court in London for an order approving the Transfers so far as they relate to the transfer of the business of the companies listed in the section titled ‘Summary of the English Transfers’ (the “English Transfer”). The application for the English Transfer will be heard before a Judge at the Royal Courts of Justice, Strand, London WC2A 2LL, on Wednesday 5 October 2011. We’ve also made an application to the Court of Session in Scotland for an order approving the Transfers so far as they relate to the transfer of the business of the Scottish Boiler and General Insurance Company Limited or CGU Bonus Limited (the “Scottish Transfer”). The application for the Scottish Transfer will be heard before a Judge at the Court of Session at Parliament House, Parliament Square, Edinburgh EH1 1RQ on Thursday 6 October 2011. The Scottish Transfer will be in substantially the same terms as the English Transfer and conditional on the English Transfer. Subject to the approval of the High Court and the Court of Session (the “Courts”), the Transfers will take effect on 14 November 2011 and will automatically move across all of the rights, liabilities and obligations under all affected policies together with any claims, so there will be no need to reissue policies or sign any transfer document. Protecting customers’ interests We’ve taken great care to make sure that our customers’ interests are safeguarded, and that the security and benefits provided to Aviva’s policyholders will not be adversely affected by the Transfers. We’ve followed a strict legal and regulatory process that includes consulting with the Financial Services Authority and obtaining an assessment of the Transfers, carried out by an independent expert, Stuart Shepley FIA. The duty of the independent expert is to review the impact of the changes against the interests of all affected policyholders and claimants, and to write a report on his findings for the Courts which will also be provided to the Financial Services Authority. Further Information Further information about the Transfers, including statements setting out the terms of each Scheme and containing a summary of the independent expert’s report and a copy of the full independent expert’s report, is available free of charge on our website, www.avivatransfer.co.uk or by writing to Aviva Transfer, PO Box 3062, Bristol BS2 8QY. Any further news about the Transfers will be posted on the website so you may wish to check for updates. You can also request free copies of any of these documents, or ask any questions you may have, by calling us on 0800 210 0035*. This number is for enquiries about the Transfers only, so if you have a general query about your policy or claim, please contact us on the numbers set out in your policy documents. Your rights We don’t anticipate that the Transfers will have any material effect on any policy or on any claim, and there’s nothing you need to do. If you have a policy or claim with any of the companies listed under the English Transfer and/or you are an existing policyholder or claimant of Aviva Insurance Limited and you believe the English Transfer may adversely affect you, you’re entitled to either make a written representation to the High Court or to be heard (either in person or by a legal representative) at the hearing on Wednesday, 5 October 2011. Any person who intends to appear at the High Court, or to make representations in writing, is requested to notify our solicitors in England as soon as possible, and by no later than 28 September 2011, to Ref CMS/EJXG/70-40495851 Clifford Chance LLP, 10 Upper Bank Street, London E14 5JJ. Aviva will ask the Court of Session in Scotland to approve the Scottish Transfer at a hearing to be held on Thursday, 6 October 2011. If you have a policy with, or a claim against, either the Scottish Boiler and General Insurance Company Limited or CGU Bonus Limited and/or you are an existing policyholder or claimant of Aviva Insurance Limited or you otherwise allege that you would be adversely affected by the Scottish Transfer, you are entitled to be heard by the Court of Session, as is the Financial Services Authority. If you wish to object to the Scottish Transfer you should lodge written answers (formal written objections) with the Court of Session at Parliament House, Parliament Square, Edinburgh EH1 1RQ by no later than 28 September 2011. While representations may be heard, if answers are not lodged in advance, anyone who does not lodge answers is strictly heard at the Court’s discretion. If you intend to come to the hearing at the Court of Session, please give not less than five working days’ written notice of your intention to attend the hearing, and the reasons for any objection to the Scottish Transfer, to Aviva’s solicitors in Scotland, Dundas & Wilson CS LLP at Saltire Court, 20 Castle Terrace, Edinburgh EH1 2EN, quoting PM/AVI007.001. Summary of the English Transfer Under the English Transfer, the following companies will transfer their General Insurance and Health business to Aviva Insurance Limited: • Aviva Insurance UK Limited • Aviva International Insurance Limited • CGU Underwriting Limited • Hamilton Insurance Company Limited • London and Edinburgh Insurance Company Limited • The Ocean Marine Insurance Company Limited This covers most of Aviva’s non-life General Insurance and Health business. This includes, for example, car, home and travel insurance, private medical insurance and commercial all-risks insurance. The Scheme excludes a limited number of Global Aerospace policies written in Canada by Aviva International Insurance Limited. Also included as part of the English Transfer is a transfer to consolidate Aviva’s specialist London market business into one main company, The Ocean Marine Insurance Company Limited. “London market” business refers to business reinsured to National Indemnity Company and written on or before 31 December 2000 (including any contractual renewals of such business) (i) through the International Underwriting Association of London (“IUA”) or its predecessors (being the Institute of London Underwriters (“ILU”) and the London Insurance and Reinsurance Market Association (“LIRMA”)) ; and (ii) business identified as ‘Global Risks’ which was written by the companies below and placed through the London market. The following companies will transfer their London market business to The Ocean Marine Insurance Company Limited: • Aviva Insurance Limited • Aviva International Insurance Limited • London and Edinburgh Insurance Company Limited • The World Auxiliary Insurance Company Limited Are you an Aviva policyholder or Claimant? You will be a policyholder of or claimant under an Aviva policy if your policy was issued by any of the companies listed above in relation to the English and/or Scottish Transfers. Please note that many policies issued by Aviva may carry branding of intermediaries such as banks, building societies, supermarkets and retailers, insurance brokers and affinity groups. Your insurance documents should identify who the actual insurance company is. Please also note that Aviva’s insurance companies often have long histories and may have traded under other names in the past – you can check this on our website www.avivatransfer.co.uk *We’re open 8am to 8pm Monday to Friday and 9am to 5pm Saturday and 10am to 4pm Sunday. Calls may be recorded or monitored and will be free from a BT landline. Other operators may charge and mobiles will be considerably more. If calling from outside the UK please call +44 117 915 1983

IWLKD1540_88370_ADU_INF_57.indd 1

27/7/11 13:23:16

[ THREATS ] [ OPPORTUNITIES ] [ MANAGEMENT ]

> Risk Atlas Terrorism .............. 32 The threat from self-radicalised individuals is on the rise

Corbis

Risks

> Risk Financing Renewables ...30 The renewable energy sector is a big growth area for insurers

ECONOMY

The pension problem With the end nigh for ﬁnal-salary schemes, and ever-rising life expectancy, employers » and employees face an uncertain future

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

Reuters

RISKS [ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]

ENSIONS HAVE NOT historically been a big news issue, but recently they have made the headlines, causing strikes, protests and furious debate – not just in Britain but all over Europe. Living longer, and retiring early, would not be a problem if the supply of workers was increasing. But declining fertility rates imply that, by 2050, France, Germany and Italy will respectively have just 1.9, 1.6 and 1.5 workers supporting each pensioner. The OECD average is currently four workers for every one pensioner. The issue is global: just as the European debt crisis is reﬂected in the USA, there too the pensions shortfall is staggering. The US Congress is now proposing a federal approach that could enable states to declare bankruptcy as a way to duck their promises to pensioners and bondholders. Illinois alone has paid only 54% of what it owes to state pension funds, a shortfall of more than $85bn (€59.7bn). OECD economist on pension policy analysis Anna D’Addio says that the many risks and uncertainties affecting pensions have been compounded by the ﬁnancial crisis. “No country or pension system has avoided the effects,” she says. “Pensions are a long-term issue, but investment risk is not the only uncertainty. The crisis is also exacerbating the challenges of changing old-age dependency ratios, and continuously increasing life expectancy at pensionable age.”

State intervention Most governments are already planning increases in the retirement age to counter this. The USA is heading for 67, the UK for 68. Others are moving more slowly. Belgium allows women to retire at 60, for instance, and has no plans to change that. Under current policies, the mean retirement age by 2050 will still be less than 65, barely higher than it was after the second world war. But moves by governments to stem the deﬁcit in pensions can only work up to the point that the state is involved. In some countries, such as Italy, pensions have been tightly controlled, with the state largely in the driving seat, according to Telecom Italia risk manager and the president of Italian risk association Anra, Paolo Rubini. He says: “Italian pension funds are in a better position than in many other countries: the private pension schemes are only in excess of the public pension system, and have a strong regulator that imposes strict rules to the boards and the managers of the funds. The funds managed by insurance companies are still playing

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

Fall of the final-salary scheme In April this year, Unilever announced it is to close its final-salary pension scheme citing “unsustainable” costs, joining a list of other recent big names, such as sugar giant Tate & Lyle, publisher Trinity Mirror and Asda. But some of the exisiting schemes have staggering deficits. The worst 10 of the FTSE 100 companies this year include supermarket giant Tesco, which has a staggering £1.8bn (€2bn) deficit – the product of massive £6.5bn liabilities. Yet, with assets of £4.7bn, Tesco’s 72% funding level is healthier than brewer SABMiller (deficit of £109m/ funding level 68%); real estate company Hammerson (£77m/66%); building materials outfit Wolseley (£1.5m/63%); and mining company Vedanta Resources (£46m/47%).

Statistics

6.5% GDP spent on public and private pensions (OECD average)

20.8

Number of pensionable years for an average citizen (OECD average)

2:1

Expected old-age support ratio by 2050 (OECD average). Currently the ratio stands at 4:1, meaning there are four working people for every pensioner.

148m

Number of European citizens aged over 65 by 2050 Source: Eurostat, EUROPOP2008

‘A shift in attitude is needed towards a more positive view of older workers. Employers must stop believing in the negative stereotypes that prevail’ Chris Brooks Age UK

a major role, under the control and surveillance of another regulator.” As a result, he says that in Italy the contribution of the pension funds to the capital of private businesses is still very limited. That is not the case in the UK, where the demise of final-salary pensions – see box ‘Fall of the final-salary scheme’ – leaves employees facing two big risks: that falling markets will undermine their retirement planning, and that they will outlive their savings. One in five workers is saving nothing at all and this has remained static for the past five years.

Changing attitudes The problem is one that clearly needs to be addressed by the employers. Ralf Jacob, the head of the unit on active ageing and pensions in the employment unit of the European Commission, says that retirement age can only go part of the way to solving the crisis, but adds: “There need to be accompanying measures in the employment sphere to achieve that goal.”

First, even if workers are prepared to work on later in life, employers are not always convinced of the beneﬁts. Too few companies recognise the value of employing older workers. Policy adviser on employment at charity Age UK Chris Brooks says: “A shift in attitude is needed towards a more positive view of older workers. Employers must stop believing in the negative stereotypes that prevail.” Western managers will need to overcome fears about the quality of older workers. In physically demanding occupations, some may be unable to work into their late 60s. But this should be less of a problem than it used to be now that economies are based on services not manufacturing. In knowledge-based jobs, age is less of a disadvantage. But employers must weigh up the greater experience held by older workers with the fact that most people’s productivity does eventually decline with age. This requires the implementation of more sophisticated pay-scale systems that cater to varying work capabilities. Traditional seniority systems, under which people get promoted and paid more as they age, need to be addressed by management. Swiss Re head of life and health products Alison McKie says it is not simply a matter of people living longer but the uncertainty of not knowing how much longer that creates the challenges for business. Life expectancy statistics both within workforces and in states have been consistently underestimated for decades, she says, and this is a signiﬁcant issue for insurers and risk assessors. If governments are to join the private sector to support a market where risk can be transferred more broadly, this will require regular, credible, consistent data on ageing and working capacities. After all, age is much more than just a number. SR

PUBLIC SECTOR PROTESTS

Teachers takes to the streets Hundreds of thousands of UK teachers and civil servants went on strike in May against moves to cut pensions for state employees. The strikes closed many schools and public offices. This was only the opening salvo in a longer-running battle – one that will take place largely behind closed doors, in detailed negotiations. But leader of the Public and Commercial Services Union Mark Serwotka said that up to four million workers could strike in the autumn if the row is not resolved. If the pensions issue causes further industrial unrest, markets that have reacted positively to the UK government’s deﬁcit-cutting plans could take fright, either at signs of production blockages or if there were any signs of a government climb down.

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

a n i h C h t u o S s t n i i n n u o y o r h o t p c y a f , “A t s e n i l r e w o p d e a k f c o e r r e w e r a c e h ’ t ’ n d o n d a n o L n i r e g a n a m k ris

A typhoon doesn’t just wreck buildings, it destroys production targets, goodwill and reputations. That’s why FM Global believes that the best insurance is the kind you never need. So, we don’t just insure, we help you to prevent. At our US $123 million research centre, we test just how well your buildings will stand up to a typhoon. We visit critical sites in your supply chain to make sure they’re structurally sound. And we work with you on a long-term strategy to lower risk. In short, we don’t just help to secure your roof, we help secure your future. Speak to your FM Global representative or contact your broker, and visit www.fmglobal.co.uk/touchpoints to read our latest White Papers.

Secure the value you create

RISKS [ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]

sid

RESEARCH

Trading places

Do g

Re envgulat iro or y nm

Ma yc t he o n s i d nex er b t ﬁ eyo ve yea nd rs

in s er ear sid e y on ﬁv y c xt M a e ne th

tation Repu micile of do

32%

What were the top three considerations in selecting a captive domicile?

32% tion e r ac (int Tax home with ry ’s rules) c ou n t

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

Country of residence Europe 49% UK 36% Rest of world 15%

55% 12% 33%

m Ha s t s pa

Respondent type Captive owners Those who may consider a captive in future Captive managers

12%

Has the business moved (or might it consider moving) its captive domicile?

Respondent proﬁle (sample size: 107)

StrategicRISK has conducted a large-scale survey to understand what factors influence captive domiciliation and re-domiciliation ARLIER THIS YEAR, STRATEGICRISK conducted reader research to understand the trends and demographics of captive insurance companies. We wanted to understand their attitudes and behaviour, particularly towards domiciliation and re-domiciliation. We sampled 107 risk managers and captive managers through an online survey, alongside detailed one-on-one interviews. The first captives were set up more than 50 years ago and some corporates in this research have operated one for 30-plus years. While several of those interviewed were not involved in the decision to set up a captive decades ago, they have managed the consolidation and relocation of captives more recently, especially post-merger. As one respondent explained, closing down a captive can be a costly and complex undertaking. Captive managers typically face a stiff challenge in persuading cautious boards of the benefits of setting up a captive. One pointed to a lack of understanding of the process involved “and, prior to that, overcoming the fear as to whether or not the captive would be beneficial”. The decision to establish a captive is in most cases based on wide strategic considerations. One owner said: “We moved the captive once because of changes in regulations. We’re thinking of moving our captive in the next year based on travel difficulties, regulations, opportunity to manage ourselves and the attitude in Europe to our present domicile.” Changes in the regulatory environment, such as Solvency II in Europe, have a big influence on domicile choice, but far less of an impact on the decision to operate one at all long term. SR

n’

n tk

Oth

17%

ts uc e d n w th n s co vie he i ne s i c r e W us teg b stra a

Key ﬁndings of the research

What drives the business to review the decision to form/move a captive?

Feedback from 107 online respondents – 72 captive owners or potentials and 35 captive managers – as well as detailed discussions with four senior risk managers from global captive owners, led to the following ﬁndings: • Captives are almost always established a er detailed strategic reviews, and their performance is evaluated and re-assessed at least twice yearly in most cases.

W tor is a c hen t ye nvi hang here ron e in me nt

ed in mov years t ﬁve

• Senior management has become more accustomed to captives, partly because of merger and acquisition activity among major corporates.

reg

ula

• The decision to establish a captive is initially driven by ﬁnancial considerations, but also for a range of strategic reasons: gaining access to specialist cover; smoothing costs to the business during harder and so er market conditions and minimising volatility; independence from the market; and better protection of the corporate brand.

Yes

• The great majority of owners and managers believe that establishing a captive is of considerable benefit. Owners report a wide range of strategic benefits to their organisations and managers focus on the longer-term financial upside. Both are realistic about the impact of hard-so insurance sector fluctuations on short-term financials, but feel certain that longer-term benefits accrue.

% 58

CAPTIVE VIEWPOINTS

Is Solvency II causing you to rethink your captive strategy overall or speciﬁcally the location of your captive?

Don ’t k n

• The value and performance of a captive is assessed in a variety of ways, with few consistent metrics or models used. Owners use their managers and auditors to measure a captive’s success. Managers are also regularly monitored, but most owners tend not to change captive management arrangements o en and praise managers highly.

• A captive domicile is selected and reassessed primarily on the basis of regulatory environment ahead of purely taxation reasons. This is because few corporates see a captive as primarily a tax-saving mechanism. • Location choice is also driven by other factors, such as proximity to key markets and parent head office. These may change over time and inﬂuence location choice. • Good management staff and solid local reputation are also factors inﬂuencing domicile choice. We found evidence of a trend towards ‘more serious’ locations rather than those that can be viewed as ‘exotic’.

[READ MORE ONLINE] For the full research, download StrategicRISK’s Captives Report at www.strategic-risk.eu or goo.gl/WXlFU

• The Solvency II regime in Europe may result in one-third of captives reconsidering their location. Some owners are awaiting the ﬁne detail and the position of the local regulator, especially those domiciled to Guernsey.

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

RISKS [ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]

RISK FINANCING RENEWABLE ENERGY SOURCES

Renewable risks

Europe, the Middle East and North Afria. For offshore wind development, while the UK and Denmark have led the way (holding a 44% and 30% market share within Europe), mega-projects are planned off the coasts of China, Hong Kong and northeast USA among others.

The renewable energy industry is booming, but many insurers are reluctant to underwrite much-needed key projects

Cable claims

ITH AN ESTIMATED $211BN INVESTED IN RENEWABLE energy last year (according to the UN Environment Programme) – a 32% rise on the $160bn invested in 2009 – the sector is attracting huge attention around the world. Further growth is anticipated this year, with government funding and the falling cost of renewable technology driving the development of large-scale renewable projects, including offshore wind and solar thermal power. Yet despite the phenomenal growth, the renewable energy sector continues to face numerous challenges, not least of which is securing insurance coverage. Many carriers – particularly the more traditional construction and energy underwriters – remain reluctant to provide insurance for manufacturers and products that do not have an established track record. While premium rates across the renewable sector in general have been reducing, a spate of claims in the offshore energy market has caused some insurers to pull back their capacity. “From an insurance perspective, there is a growing renewable energy insurance appetite to underwrite renewable energy projects,” says Tim Halperin-Smith, divisional director of renewable energy at Willis. “Although the insurance market for renewables is wide, with many traditional construction markets underwriting the risks, specialist renewable energy insurers – with bespoke wordings – are still fairly limited.”

On the up However, insurance capacity for the renewable energy sector – including a number of specialist underwriters – continues to grow and cover is widely available and affordable for more mature technology, such as onshore wind and solar PV. Innovative products have been released, and some risk has been transferred to the capital markets or self-insured through captive insurers. “There are some insurers that will pick up the extended warranty technology performance risks, Munich Re and Swiss Re being two. These products can be structured as either insurance, ﬁnancial lines (surety and performance bonding) or a mixture of the two,” says James Green, renewable energy practice leader at JLT Specialty. “But only the largest (re)insurers with sound ﬁnancial ratings can offer products like that, because they’re putting their capital at risk for up to 25 years.” The biggest values-at-risk at present are for offshore wind and solar thermal, where there are some sizable projects in the pipeline. Solar thermal power stations are being developed in many of the world’s deserts including the Desertec initiative – an incredible $555bn bid to develop concentrated solar power (CSP) in

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

2030 2027 2024 2021

Many of the risks associated with offshore wind occur in the construction phase, where hundreds of kilometres of cables need to 15 0G be laid along the sea bed. “The offshore wind insurance sector is W more limited, with only a handful of experienced lead insurers with an appetite to insure the projects,” Halperin-Smith says. “It is well documented that cables claims are the most frequent in offshore wind, yet still they occur in almost 100 all projects,” he continues. “There are encouraging GW signs that this is being addressed, such as recently at the Ormonde project [in Northwest England] where they successfully laid and buried in one uninterrupted operation the 42km export without any joints, which is probably a UK ﬁrst.” However, cable claims continue to occur and the 50 GW limited number of cabling vessels and experienced cable contractors means they can cost millions of pounds. “Insurers are looking closely at the experience of cable-laying contractors on previous projects when considering new wind farm risks and 0 GW Gigawatt, expecting greater deductible retention on cable million units claims,” says Halperin-Smith. He thinks it is important to produce workable risk management and insurance solutions. Reducing cable claims is a priority, and can be better tackled by ensuring best practice. Many insurers are now recommending that marine warranty surveyors remain on site while all the cables are laid, rather than moving on a er the ﬁrst job is completed as is the current practice. In addition, the renewable industry should look to work more collaboratively to understand the exposures faced, with ideas for the offshore wind sector being posited at the recent conference. “Because the utility companies are competing against each other, they haven’t always been as open as they should be,” Green says. “But because these risks are so prevalent across the industry, especially with cables, we’re saying they should look to share spares for instance … this can help to reduce the business interruption exposure.” SR

Top ﬁve countries’ existing capacity as at the end of 2010 Rank

Geothermal

Wind

Solar PV

Biomass

USA

China

Germany

USA

Philippines

USA

Spain

Brazil

Indonesia

Germany

Japan

Germany

Mexico

Spain

Italy

China

Italy

India

USA

Sweden

Source: Renewables 2011 Global Status Report

IN ASSOCIATION WITH

W 350 G

W 0G 30

25 W 0G

European renewable power generation capacity

Tim Halperin-Smith Willis Group

Nuclear 3%

es bl a w

% 60

sh a

Source: Renewables 2011, Global Status Report, Bloomberg and Munich Re, ﬁgures for the whole of Europe

17 n re Biomass of g tio p m lobal energy consu

Win gy er en ble

a Renew

Renewable electricity by source

Solar 1%

Hyd ro

Geothe rma l1

Fossil fuels 81%

2018 2015 2012 2009 2006 2003 2000

Re ne

‘Specialist renewable energy insurers – with bespoke wordings – are still fairly limited’

WINDS OF CHANGE ONE OF THE FASTEST DEVELOPING RENEWABLE sectors is offshore wind energy, with the UK currently the global leader. The UK government plans to create 25GW of new energy generation capacity through the Crown Estates’ Round 3 offshore wind farm programme (compared to the 8GW generated by earlier Round 1 and 2 projects). Nine offshore projects are already operational in the UK, with a combined capacity of 688MW from 228 turbines. A further 1156MW is under construction. “Five to six years ago you were seeing 100MW projects and you’re now talking about 1GW plus projects,” says JLT Specialty’s James Green.

Probably the best-known project is the London Array, a wind farm 20km off the coast from the mouth of the River Thames. Phase one of this joint venture between renewable energy ﬁrms E.ON, Dong Energy and Masdar is due to be completed in 2012. When fully operational, the 341 turbines covering an area of 230 sq km will provide up to 1GW of electricity. It is understood that the commercial insurance market has taken on at least 50% of the exposure for the wind park, with one insurer offering all the €2bn of construction cover needed.

EXPERT VIEW

Klaus Hoffman, manager, engineering, AXA Corporate Solutions

Insuring innovation Following in the footsteps of established renewable energy methods, such as onshore wind and photovoltaic installations, comes concentrated solar power (CSP) plants, especially in southern Europe and northern Africa. There are also mega offshore wind parks with up to 80 wind turbines in the North Sea and Baltic Sea. Certain manufacturers and operators in the area of hydro-energy are also testing wave and tidal power plants. All these projects present an enormous challenge for the insurance industry in supporting the development process through to the actual generation of renewable and environmentally friendly energy with innovative and adequate insurance. The assessment of the technical risk of individual plants as well as possible serial loss scenarios plays a crucial role. The AXA Group and subsequently AXA Corporate Solutions has set its focus on the sector of renewable energy at an early stage and has also declared support for this area. Our team of specialised engineers has been evaluating the rapid technical developments within the various methods of power generation and has been providing advice to our clients. Our concept provides the risk-relevant support from the beginning of the project in the planning, delivery and construction phases, right the way through until the start-up and operational phases. In order to provide the manufacturers and also the operators of renewable energy plants with insurance concepts suitable to their respective risks, AXA has developed an innovative product: the Technicla Innovation Pool, with which AXA CS is able to offer innovative forms of coverage – completely independent from reinsurance.

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

RISKS [ THREATS ][ OPPORTUNITIES ][ MANAGEMENT ]

RISK ATLAS TERRORISM

Without warning Acts of terrorism are impossible to predict, especially at the hands of lone terrorists

HE PROBLEM WITH TERRORISM RISK MAPS IS THAT THEY are only as good as the intelligence behind them. Terrorists that slip though the intelligence net are unlikely to have been identified already (one of the reasons why they are able to succeed). It’s therefore difficult to predict their targets. A terror risk map is still useful, though, if nothing more than to give a snapshot of the perceived threat level across the globe, allowing insurers to assess risk and therefore price their products. Aon’s terrorism risk map, which is illustrated here, ranked the risk of a terrorist attack in Norway as ‘negligible’ when it was first published in June this year. But long before Anders Behring Breivik killed 77 Norwegians in July the Nordic countries had been identified as a possible terrorist target. It was the threat from Islamic extremists that was seen as most pressing – particularly with Norwegian soldiers serving in Afghanistan. But, as the News Analysis story on page 10 explores, the threat from lone terrorists such as Breivik appears to be eclipsing the risks posed by groups of extremists such as al-Qaeda. One reason for that could be because lone terrorists are harder to spot, as they don’t work with others. There is a four in five probability that a conspiracy involving five or more operatives will be interdicted by the intelligence services, says Gordon Woo, chief architect of the RMS Terrorism Risk Model. On the other hand, the smaller the conspiracy, the less chance that it will be thwarted by intelligence. Western security services have been fairly successful at curbing al-Qaeda and its affiliates because they have been able to infiltrate the extremist groups using agents or informers, and because of the international nature of the Muslim diaspora, a lot of the communication between Islamic extremists is done over the internet, making it easier to spot. US authorities have had considerable success tackling al-Qaeda and preventing an attack on US soil since the Twin Towers in 2001. In fact, the largest single terrorist attack in the USA since 9/11 was committed by a single man, Major Malik Nadal Hasan, at a military base (Fort Hood). It serves as a reminder of the dangers posed by individuals who become radicalised by extremist ideology, which fuels acts of extreme violence. SR

‘Lone terrorists are harder to spot, as they don’t work with others’

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

Top 10 countries most afflicted by terrorism Rank Country 1

Iraq

Pakistan

Afghanistan

India

Nigeria

Somalia

Israel

Colombia

Thailand

Yemen

[READ MORE ONLINE] Download a PDF of this risk map at www.strategic-risk.eu or goo.gl/joFlH or go to maplecro .com for more maps and indexes

IN ASSOCIATION WITH

Key 2

Very high risk High risk Medium-high risk Medium risk Medium-low risk Low risk

Source: Aon’s 2011 Terror Risk map

1 4

Nigeria

USA

A Nigerian election office was bombed 1 in April killing 10 people and injuring many more. The attack took place in Suleja, northwest of the capital Abuja. Many similar attacks in Nigeria have been attributed to MEND, a militant group that demands fairer distribution of Nigeria’s oil wealth.

including chief US district court judge John Roll. Gabrielle Giffords, a Democratic member of the US House of Representatives, was severely injured. The attack took place at a political meeting outside a supermarket.

Russia

Ivory Coast

In January a bomb in Moscow’s

2 Domodedovo international airport killed at least 35 people and injured more than 100. The attack severely damaged Russia’s busiest airport. State TV said the attack had all the hallmarks of militants from the North Caucasus region.

Jared Lee Loughner killed six people in

3 a ﬁrearm attack in Tucson, Arizona,

A er the incumbent president

4 Laurent Gbagbo refused to recognise that opposition leader, Alassane Ouattara, had won this year’s election, disputes over the results led to a series of violent attacks that amounted to a civil war.

Northern Ireland In April a car bomb killed a police

5 officer outside his home in Omagh and dissident republicans were blamed for the attack. The amount of terrorist attacks in Northern Ireland has increased in the past two years.

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

XL Insurance is the global brand used by XL Group plc’s insurance companies.

The expertise to insure from cyber orders to real-time shipping Whether your company stores client data, takes orders over the internet or ships goods around the world, you need specialist insurance cover you can rely on. Our underwriting expertise, global network and strong focus on client service can support you at every stage – from order taking to order delivery. Cyber liability Property Casualty Marine Cargo XL WorldPass For more information please contact your local XL Insurance ofﬁce. www.xlinsurance.com

Special Report

INTRODUCTION

HIS SPECIAL REPORT IS INTENDED TO GIVE YOU A better understanding of the many corporate threats born out of the digital age, usually referred to as cyber risks. StrategicRISK has picked out a number of potential risk scenarios that could threaten your organisation, which are depicted with an impact and likelihood score on the graphic over the page. In reality these only represent the tip of the iceberg. A recent report from Detica, commissioned by the UK government, estimated that cyber crime costs the UK economy alone £27bn (€30.5bn) a year. The lion’s share of this ﬁgure (£21bn) is stolen from the private sector. Companies that rely on the internet to do business are most vulnerable to cyber attacks by criminals, competitors or disenchanted employees. Intellectual property theft or industrial espionage – which Detica says costs UK businesses £9bn a year – is also a big worry for risk managers. Recent regulatory changes are increasing the risks. Dawn Simmons, senior underwriter professional lines for XL Insurance, says: “The combination of more sophisticated criminals and stricter data breach laws results in companies facing increasing ﬁnancial and reputational exposures. The average cost of a data breach in Europe in 2010 was approximately £1.9m and we expect that number to rise in the future.” “Reputation risk, cyber criminality and all the rumours that circulate on the internet can be risks that are difficult to control,” says Gilbert Canameras, director of risks and insurance at Eramet and president of French risk management association Amrae. “I saw recently that the Fox news feed on Twitter was hacked and that it announced the death of Barack Obama. An important risk is that of a cyber attack that paralyses a company’s computer system, making it impossible for them to receive orders and queries or buy materials for days on end.” Ferma board member and GDF risk management director Michel Dennery accepts that hacking and data loss is a threat, but he is a little less troubled by cyber issues. “Companies have faced bigger risks in the past, so cyber isn’t more of a worry than other risks, but it is a new problem.” Dennery also highlights the business opportunities. “There is a whole new industry that is establishing itself around this new

media that technology has provided. The question for businesses is to know how to anticipate this new business and harness it, and protect your brand image and your market share by using these new media to engage with clients and stakeholders.” Fortunately, insurers are responding with solutions designed to protect companies. On 6 June, for example, XL Insurance (sponsors of this special report) announced the launch of XL Eclipse, a cyber risks insurance designed for European businesses. The cyber liability cover includes costs associated with mandatory data breach notiﬁcations to customers and authorities, as well as civil regulatory ﬁnes and penalties. Other insurers have launched similar products.

Contents [ CYBER RISKS ]

36 37 38

Eight cyber risk scenarios How susceptible is your company? The mechanics of cyber crime Knowledge is a powerful defence Cyber legislation How cyber protection laws are changing

SPONSORED BY

This special report has been produced with input from XL Insurance: Dawn Simmons, senior underwriter professional lines, XL Insurance

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

SPECIAL REPORT [ 2011: LESSONS LEARNED SO FAR ]

Eight cyber risk scenarios 1 – Social networking slip An employee who is responsible for the corporate Twitter or Facebook account accidentally writes an embarrassing or offensive update. The story blows up online before the company even realises there’s a problem, leaving the company looking a little red-faced. 2 – Social media gossip One or more persons or forums online start malicious rumours regarding a company’s products or services. These rumours go viral, spreading worldwide and into the mainstream media, threatening a company’s reputation. 3 – Social media account hijacked Malicious hackers hijack a company’s social media accounts (Twitter or Facebook) by guessing the account passwords. For a few hours of the day (while the account is in their hands), they write embarrassing and offensive messages. 4 – Corporate website hacked A group of hackers attack a company’s website because they are aggrieved by the company’s recent actions or behaviour. Using distributed denial of service (DDoS) attacks, they manage to shut down the website for more than a day, causing serious disruption. 5 – Cyber espionage A business competitor based in the Far East uses online channels to access and steal private company information pertaining to a new corporate strategy, investment or product. The incident threatens the victim’s competitive edge and could even enable the attacker to leapfrog ahead in competitiveness. 6 – Data loss A company mistakenly loses, through procedural error, the credit card information or personal details of a signiﬁcant number (maybe millions) of its customers. The media gets hold of the story, because the company is required to fess up, and the incident severely tarnishes its corporate reputation. 7 – Cyber the A criminal organisation, based in eastern Europe, manages to break through a company’s online defences and steals customer credit card information or personal data from its private database and posts them for sale online. Customers rapidly lose faith in the company’s security systems and take their business elsewhere as a result. 8 – Cyber war breaks out Two or more nations engage in all-out cyber war. A country in the Middle East attempts to disable its neighbour’s computer networks and the neighbour threatens to respond with conventional warfare. As well as potentially disrupting the region’s internet connections, effectively shutting down e-commerce, the conﬂict threatens to spill over into full-blown war.

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

Likelihood of risk: low

high

Impact of risk: low

high

CYBER CRIME

The mechanics of cyber crime Despite a wave of high-proﬁle cyber attacks, many companies remain ignorant of the risks

YBER CRIMINALS ATTACK IN MANY DIFFERENT WAYS, all of which have the potential to compromise your business. Organised crime is responsible for a big chunk of cyber crime, but there are many other perpetrators. Anyone can download malware toolkits and use them to extort money from consumers and businesses. Even the stuxnet virus is available to download online. Cyber crime can be lucrative and the anonymity that the technology affords makes it even more appealing for criminals. Consequently, anyone can be a cyber criminal regardless of location or socio-economic background. Companies are increasingly falling foul of botnets. A botnet attack basically refers to a network of computers that have been infected with malicious software and can be manipulated by cyber criminals. A computer becomes infected with malicious software or malware when a user accesses a website that has been targeted by hackers. USB sticks can also be used as a means of transmitting this malicious software. When a user accesses a site that has been compromised, malware is downloaded without their knowledge and the victimised computer becomes part of the botnet. Botnets are used in a variety of ways to attack companies. Cyber criminals can steal sensitive information by taking screen shots, switching on microphones and activating key loggers on infected computers. “One side of cyber criminality is espionage, accessing company data, sensitive financial information, trade secrets and intellectual property, which can all be sold or used to blackmail the company,” says Massimo Cotrozzi, an internet security consultant at KCS Group. “The other side is stealing money from bank accounts. The two biggest botnets currently operating at the moment, ZeuS and SpyEye, account for 70% to 80% of financial crimes.” Due to the stealthy nature of these attacks, they are often not flagged up until serious damage has been done. “Most of these attacks go unnoticed for months. If you take the famous example of the stuxnet computer virus, it went unnoticed for at least a year,” Cotrozzi adds. The stuxnet virus was designed to attack certain key

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

SPECIAL REPORT [ CYBER RISKS ]

» nuclear facilities in Iran and was discovered in July 2010. Even more worryingly, conventional anti-virus software does not block all kinds of malicious software. “Around 60% of malware will get through all traditional anti-virus products,” says John Vigoroux, chief executive of M86 security. “Small and medium-sized companies often have a false sense of security, as they think that, because they are running Symantec or MacAfee, they’ll be ﬁne. But this couldn’t be further from the truth.” Anti-virus software works by recognising malicious programmes, but because malware is constantly evolving it’s difficult to keep the anti-virus software sufficiently up-to-date. Although malware is becoming more and more sophisticated, major thefts often still require an internal contact. “The biggest frauds that we’ve identiﬁed have always had an internal sponsor or support,

‘Around 60% of malware will get through all traditional anti-virus products’ John Vigoroux, M86

whether they were complicit in the crime or not,” Cotrozzi says. Companies should address their anti-corruption policies to mitigate the risk of an employee collaborating with criminals. As cybercrime becomes increasingly viable for criminals, the damages and costs for companies also grow. “The direct costs of a data breach are on the rise and include costs for IT forensic experts, costs from civil ﬁnes and penalties for being in violation of the data protection laws, and the cost of hiring a PR team to deal with the press. Then you have the indirect costs, such as business interruption, reputational damage and loss of customers, which amounts to around 45% of post-data breach costs for companies,” says XL Insurance senior underwriter Dawn Simmons. As risk managers improve their understanding of cyber crime, they should be able to engage with tech experts and insurers more effectively. This improved knowledge should allow them to better manage cyber risk in the context of their own companies. SR

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

LEGISLATION

Cyber legislation Unlike Europe, US law requires notiﬁcations of data breaches – is this why US companies are ahead of the game with cyber vigilance?

T SECURITY REGULATIONS ARE evolving to keep up with cybercrime, and companies need to understand the implications for their businesses. Most European economies do not have the legal frameworks to deal with cyber crime effectively, making the already difficult task of convicting a cyber criminal almost impossible in many jurisdictions. However, a new European law came into effect in May 2011 that requires all telecoms companies to inform their clients if their data has been breached. Elsewhere, the US justice system is leading the way. “Over 10 years ago California enacted the first state data protection law that required mandatory notification to subjects following a data breach. Since then, a majority of US states have adopted mandatory notification for data breaches,” says XL Insurance senior underwriter Dawn Simmons. Simmons goes on to explain that it was these mandatory notification requirements in the USA that “spawned heightened awareness and interest in cyber insurance products”. For these reasons, there is a significant disparity between how US and European firms approach cyber risk, Simmons says. “Most US clients have heard about cyber risk:

The cost of cyber crime to the UK economy Identity the IP the Espionage Customer data loss (reported) Online the from business Extortion £0

£2bn £4bn £6bn £8bn £10bn

they either have some element of cyber risk coverage in their insurance portfolio or have considered buying one. In Europe it’s brand new. We explain to our clients what the risks are, how their exposures are increasing and that there is an insurance solution for them.” In the past, European companies preferred to pay the price of an occasional cyber attack, rather than spend money on managing their IT security. With mandatory notiﬁcation of data breaches coming into force, this approach is no longer so ﬁnancially viable. In any case, a data loss now has serious reputational implications. “I think the Data Protection Act and the powers that were given to the Information Commissioner’s Office [ICO] in April last year have woken up a number of organisations to cyber crime because of the risk of public disclosure. While the ICO has concentrated on the public sector traditionally, it is now looking at all other commercial sectors,” says Neira Jones, head of payment security at Barclaycard. A problem that many European multinationals encounter is the diversity of legislation in different European countries. “Lack of co-ordination in European legislation can make insurance a lot more challenging, as every country has its own different laws and regulations. So I’m very excited about proposed plans to harmonise the EU data protection laws,” Simmons says. As technology now pervades almost every aspect of business, other regulations affect the cyber risk landscape. “The new UK Bribery Act has big implications for cyber security, because the act requires that companies actively prevent frauds from happening,” says Massimo Cotrozzi, internet security consultant at KCS Group. “The cost of preventing cyber fraud has to be put on a balance sheet and measured against the risk of being caught. I don’t think companies are aware of these implications.” SR

www.ferma-forum.eu

Photos : Creatas, Photodisc, Enrique Algarra/PIXTAL, DigitalVision, Juliet White/Gettyimages -

a redeďŹ ned vision of service

a reliable company available teams attentive advice

www.axa-corporatesolutions.com

Getty Images

Governance

[ ETHICS ] [ COMPLIANCE ] [ REPORTING ]

‘It sounds obvious that the leaders of a business should have the skills that are necessary to understand it and run it. But some leaders do not’ Airmic report

Taboo subject: Many risks posed to companies stem from within the organisation itself

BUSINESS SURVIVAL RISKS

An inside job New research has shown that some of the most serious risks a business can face originate from poor management practices and communication failures within the company itself

OT ALL RISKS CAN BE MANAGED. IN FACT, IT TURNS out that there are quite a few business issues that risk managers themselves have absolutely no inﬂuence over and yet pose a serious threat to their organisations. In many cases, these are problems created or exacerbated by the senior leadership within a business ... and are therefore completely outside the remit of the average risk manager. This is one of the principal ﬁndings of a major piece of research commissioned by Airmic and carried out by the Cass Business School earlier this year. The research, which looked at over 20 major crises to strike companies around the world in the past 10 years, throws a spotlight on corporate governance problems and how senior executives oversee their companies. “It sounds obvious that the leaders of a business should have the skills that are necessary to understand and run it,” said the report. “But some of our studies suggested that the leaders did not.”

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

Corbis

GOVERNANCE [ ETHICS ][ COMPLIANCE ][ REPORTING ]

It draws attention to seven risk areas that pose survival threats to companies and that are beyond the realm of the traditional risk management process, but which the report recommends should be drawn within its scope. These issues arise from the board’s ineffective oversight of risks, poor company cultures and inadequate risk communication (see the full list of threats in the box below). The paper also warns boardrooms that without listening to views from outside they are blindfolding themselves to risks within the business – and uses examples to demonstrate this. In the report’s words: “The studies contain a valuable and extensive opportunity to learn painlessly from the misfortune of others.” In this feature we’ve highlighted some of the lessons learnt from three of the case studies used in the report. Don’t make the same mistakes. SR SPOTLIGHT

Seven survival threats Many of the seven over-arching risk areas highlighted by the Airmic/Cass report are almost taboo because they touch on the behaviour, decisions, performance and perceptions of the senior echelons. They are: 1. BOARD SKILLS AND NON-EXECUTIVE CONTROL: Risks arising from limitations of board skills and competence and an inability in the non-executive directors (NEDs) to effectively monitor and, as necessary, control the executive arm of the company. 2. BOARD RISK BLINDNESS: Risks from board failure to recognise and engage with risks inherent in the business – including those to business models, reputation and ‘licence to operate’ – to the same degree that they engage with reward and opportunity. 3. INADEQUATE LEADERSHIP ON CULTURE: Risks from a failure of board leadership and implementation on ethos and culture. 4. DEFECTIVE INTERNAL COMMUNICATION: Risks from the defective ﬂow of important information within the organisation, including up to board level. 5. RISKS FROM ORGANISATIONAL COMPLEXITY: This includes risks following acquisitions. 6. RISKS FROM INCENTIVES: This includes effects on behaviour that result from both explicit and implicit incentives. 7. RISK ‘GLASS CEILING’: Risks arising from the inability of risk management and internal audit teams to report to and discuss, with both leaders and NEDs, the risks emanating from higher levels of their organisation’s hierarchy. Airmic believes the scope of risk management needs to be ”re-thought” in order to capture some of these risks not addressed by current techniques. It says that at least some risk professionals need to extend their skills so that they feel comfortable identifying risks that extend from their company’s ethos and their leaders’ behaviour.

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

BP Texas refinery explosion In March 2005, an explosion and fire at BP’s Texas City Refinery killed 15 people and injured many more. The compensation bill came to over $1.6bn (€1.1bn). It was one of the most prominent safety failures to hit BP in North America, trashing its reputation even before the Deepwater Horizon disaster in 2010.

LESSONS

1 2

RAPID GROWTH LED TO TOO MUCH COMPLEXITY: BP doubled in size during 1998-2000, resulting in a complex management structure.

3 4

HEED THE WARNING SIGNS: Before the Texas explosion, there had been 23 deaths at the reﬁnery, four since BP had taken over.

WALK THE WALK, DON’T JUST TALK THE TALK: While the board talked up BP’s safety measures, outside consultants said cost-cutting was prioritised over safety.

LISTEN TO YOUR STAFF: Chief executive Tony Hayward has since written on BP’s internal website: “The top of the organisation doesn’t listen hard enough to what the bottom of the organisation is saying.”

IT’S MORE THAN JUST COMPLIANCE: The Baker report, commissioned a er the accident, said that the main focus of BP’s safety audits was on satisfying legal requirements, not on improving overall safety performance.

ACT ON REVIEWS: The same report claimed that BP repeatedly failed to “follow through” with improvements following the safety reviews.

Getty Images

Maclaren pushchair recall Problems were spotted in the design of Maclaren’s pushchairs in the USA a er 12 children lost the tips of their ﬁngers when their parents folded or unfolded the pushchairs. The company issued repair kits in the USA to prevent the problem but failed to do the same for its customers in Europe and the UK. This decision provoked strong reaction from the UK media and customers, with accusations of applying double standards and trying to save money.

LESSONS

REPUTATIONAL DAMAGE IS MORE LIKELY WHEN IT INVOLVES A CORE COMPETENCE: People appreciate that even the best organisations have problems from time to time but they are less tolerant when the problem arises from a perceived ‘core competency’.

CONSIDER HOW ACTIONS ARE PERCEIVED FROM THE OUTSIDE: In the modern world, events no longer happen in isolation. People will be unimpressed if they believe that different standards are being applied to different parts of the world.

SOCIAL MEDIA IS A POWERFUL COMMUNICATION CHANNEL: Maclaren had beneﬁted from positive testimonials about its products on social networks before the event but it also suffered from complaints a erwards.

RECALLS ARE DIFFICULT TO MANAGE: Maclaren underestimated the volume of telephone and internet traffic that would be generated by its recall.

Société Générale’s rogue trader In 2008, one of Société Générale’s French traders, Jérôme Kerviel, engaged in high levels of unauthorised derivative trading, making bets that were larger than the bank’s total market capitalisation. Société Générale eventually managed to close out the trades at a cost of around €5m. The rogue trader has been widely accused of being a dominant factor in the bank’s credit rating downgrade.

LESSONS These lessons are drawn from the ﬁndings of an internal preliminary report by a panel of three non-executive directors, published on 20 February 2008:

DON’T IGNORE THE WARNING SIGNS: A report a er the event noted that 75 alerts, which should have warned managers about the unauthorised trading, were ignored.

FOLLOW PROCEDURES AND ESCALATE PROBLEMS IF IT IS NECESSARY: The same report found that control procedures weren’t being followed properly and that compliance officers weren’t informing their bosses about anomalies, even when huge sums of money were involved.

BEWARE THE LONE FRAUDSTER: Formal investigations a er the event found no evidence of embezzlement or external complicity. Some bank officials had claimed that Kerviel could not have managed his thousands of trades without assistance.

www.strategic-risk.eu [ SEPTEMBER 2011 ] StrategicRISK

STRATEGY

How to communicate with the board

Getty Images

Theory & Practice

[ INSIGHT ] [ CASE STUDIES ] [ BEST PRACTICE ]

Risk management is crucial to the survival of every business, yet few boards have a strong working knowledge of the area. Here are some key steps you can take to rectify this

N AN IDEAL WORLD, THE BOARD reviews risk on a regular basis – at least quarterly – and sets out its policy clearly so that this can be implemented by managers on a day-to-day basis. But there is evidence that, in some companies, the only attention given by boards to risk is a passing nod when receiving reports from the audit committee on its annual review of the effectiveness of the company’s system of internal controls. As recent events such as the banking crisis have shown, it is essential that the process of establishing the company’s risk appetite and its oversight of risk management is considered a primary function of the full board. However, according to a recent report from Airmic (see page 42 for details), there’s still a major gap in the board’s understanding of operational risk. Some boards and executive management are simply unaware of what is happening at the coal face. Here are some steps risk managers can take to narrow the information gap and communicate effectively with the board:

USE A BOARD-FRIENDLY FORMAT TO OUTLINE RISKS Every board has different expectations and risk managers should ﬁnd out what works for their board. Risk reports to the audit/ risk committee must be both comprehensive and understandable. In particular, non-executive directors (NEDs) need to ensure they understand the reports they are receiving. If not, they should be encouraged to ask for more information and/or ask for reports to be presented in a format they can understand. All papers that go to the board to get their go-ahead – launching a product or making an acquisition, for example – should include a section on the risks

involved in the proposal. When the board is going through its decision-making process, the paper should be presented by a member of the senior management team making the proposal and the board should question them on the risks. The board should also ask senior managers or executive directors from other areas of the business about the risks they have identiﬁed.

GET DIRECT ACCESS TO THE BOARD For governance to work properly, the entire risk agenda must be brought to the attention of the board. Risk managers should use this argument in order to get direct access to the risk or audit committee chairman. They should have a meeting with the committee once or twice a year and ensure his/her appointment or removal is a matter for the committee. Essentially, the company’s risk officer should have the same status as head of internal audit.

ENSURE THE BOARD HAS A GOOD LINE OF SIGHT TO RISK Make sure the board has a full grasp of the nature, and extent, of the signiﬁcant risks the company is willing to embrace in implementing its strategy. There should not be any no-go areas that prevent directors from overseeing risk management. The glass ceiling that o en discourages or even stops managers talking directly to the board must be circumvented. To help directors better understand the business and therefore the risks faced – bearing in mind that executive directors themselves may not be appropriately familiar with operations – directors, and non-executives in particular, should be encouraged to visit different parts of the business.

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

Committee hearing: some boards overlook the possibility of the aggregation of risks. If the risk manager works with the audit or risk committee to assess the types of risks the company is facing, including risk to reputation, the possible knock-on effects can become clearer

These visits should not be stagemanaged by executive directors but should allow interaction among non-executive directors and other business managers below board level, and allow direct relationships to be fostered.

AGREE A COMMITTEE STRATEGY There’s an assumption in too many boardrooms that as long as one of the board committees has looked into a particular issue, the directors can be discharged of their responsibility. Work with your board to set up a system that ensures all committees report back on their deliberations. The board should then decide collectively on the action to be taken on the risks identiﬁed by the committee.

TELL THE WHOLE STORY The board won’t be able to make decisions on risks unless they have the whole picture. That means it’s vital for risk managers to highlight all possible risks, especially those that are unlikely but would have a big impact. Risks that cannot be tolerated can then be used to inform the strategic agenda. SR

Seamus Gillen is director of policy at the Institute of Chartered Secretaries and Administrators

THE KNOWLEDGE BP drops the ball in Russia BP’s strategy backﬁred spectacularly in Russia recently. The company tried and failed to form an $18bn partnership with state-controlled Rosne . The mistake? They gambled everything on deputy prime minister Igor Sechin, who is also Rosne ’s chairman, assuming his inﬂuence could overcome legal issues. It didn’t. Local partners prevailed in blocking the deal in a huge embarrassment to BP.

BUSINESS ABROAD

Foreign policy for corporates Engaging with business abroad can prove rife with barriers and challenges, yet in our globalised economy it’s increasingly necessary. How can you get it right?

OREIGN POLICY USED TO BE A cra practised by diplomats and statesmen. No longer. In an increasingly globalised economy featuring the disruptive presence of state-owned companies, sovereign wealth, and trends of resource nationalism, the foreign investor ﬁnds it necessary to seek out new tools, expanding beyond the traditional set of responses to meet political risk. In today’s economy, the question is no longer whether or not corporations should have a foreign policy, but rather what principles should guide a corporation’s engagement abroad. Below are ﬁve practical tips that have evolved from our experience in emerging markets:

SPEAK THE LANGUAGE OF CSR, BUT USE THE METHODS OF CFP (CORPORATE FOREIGN POLICY) There already exists extensive literature on the values that a company’s foreign policy should emphasise, including respect for human rights, anti-bribery, prodemocracy, and access to remedies. A er six years of development, this past June the United Nations Human

Rights Council formally endorsed special representative John Ruggie’s framework for guiding principles on human rights and business, otherwise known as the Protect, Respect, and Remedy Doctrine. These concepts are smart and well intentioned. However, the CSR narrative has debilitating shortcomings in that it is 1) designed for implementation in a legitimate rule of law state, and 2) is overwhelmingly concerned with regulatory compliance. CFP, on the other hand, is what is needed for our clients operating in countries where the rule of law is an ongoing question, and where, in addition to compliance issues, there are also possible instances of the host government and competitors using unlawful measures against the interests of the company. A good strategy should be about more than just PR; it should be an actionable set of programmes and relationships that are felt by local communities.

DIVERSIFY YOUR RELATIONSHIPS One of the great mistakes made by many foreign investors is their unshakeable belief that a good relationship with a president or other

political leader protects them (see ‘The knowledge’, above). But even the most entrenched and seemingly popular leaderships can quickly change, and the next government may not be eager to offer the same conditions to a company that had ignored their plight for the previous years. It is a much better strategy to remain in touch with all political parties, interest groups and civil society movements.

GO LOCAL When a foreign investor encounters difficulties in an emerging market, too much is made of foreign recourse and the imposition of foreign norms, sometimes to the point that it overtly backfires. There is a tendency by many general counsel to simply hire one of the big international law firms, when in fact so much more could be learned from a local veteran criminal lawyer, who would know exactly: where all the fissures lie in the leadership; who you should (and should not) be doing business with; and how results are accomplished particular to the local system. Local remedies may o en surprise. Finding good local counsel, local lobbying, and local public relations teams

are essential to understanding the business environment.

THINK OUTSIDE THE BOX, BUT ACT WITHIN THE SYSTEM A foreign investor should understand and explore the full universe – no matter how unrelated it may seem – of local and international legal options, including the o en overlooked areas of administrative law, criminal law, environmental law, investment law review, extra-territorial application of US/UK law, bilateral investment treaties, human rights, and constitutional law. For example, many corporations do not realise the potential leverage and beneﬁt of lobbying in their home country to solve their issue, apply pressure, or even assist the host government in achieving a goal.

SEEK SUSTAINABLE SOCIAL PROGRAMMES What a government wants, and what it may ask the foreign investor to provide as part of its CSR programme, is o en very different from the needs of the local community. The Chinese have experienced this several times in Africa, and have suffered a declining reputation among officials who do not appreciate unfulﬁlled promises. Corporations need to listen to the needs of the local community and focus on doing more altruistic projects, rather just talking about them. SR

Robert Amsterdam is a founding partner of the law ﬁrm Amsterdam & Peroff

ce the ake u u d q e h r t r o t a e How of an t c a p m i ﬁnancial ‘ Seismic Matters’. Our Free White Paper outlines a new engineering-based approach to minimising risk and loss. Download it now at www.fmglobal.co.uk/touchpoints

Secure the value you create

THEORY & PRACTICE [ INSIGHT ][ CASE STUDIES ][ BEST PRACTICE ]

EMERGING MARKETS

How to do business in frontier markets A

S THE GLOBAL ECONOMY CONTINUES to recover, fast-growing multinational companies have sought new markets. For some, this has included countries once considered undesirable due to political instability, poor economic prospects or undeveloped infrastructure -- the so-called frontier markets. These markets offer big opportunities in areas such as natural resources, real estate, communications and alternative and renewable energy. Many frontier markets also have pent-up demand for everything from housing to computers and telecommunications systems, with mobile solutions o en leapfrogging the installation of land lines. Large domestic markets combine with low operating costs to make direct investment a highly attractive proposition. The BRIC (Brazil, Russia, India and China) countries, long regarded as attractive targets for investment, continue to be the focus for multinationals, as well as offering increasingly competitive domestic markets. But given that it is now the world’s second largest economy and represents almost 10% of global GDP, China is arguably no longer emerging. And competition is signiﬁcant in such countries as Mexico, South Korea, Turkey and Indonesia. Expansion into the BRICs or frontier markets requires companies to have a full understanding of the risk they are taking on and an actionable plan for managing it. To compete in these markets, companies must transform their approach to risk management, playing offense rather than defense and recognising that risk management is an essential part of their growth strategy. Without a proactive approach to risk management, many companies enjoy initial success in these markets but can encounter big problems later. Establishing a risk management

Getty Images

Emerging markets promise big gains – and risk management challenges to match. Ambitious companies should follow these ﬁve steps to crossing frontiers Brazil is one of the frontier markets, regarded as a very attractive target for investment

StrategicRISK [ SEPTEMBER 2011 ] www.strategic-risk.eu

programme for frontier and emerging markets calls for ﬁve key steps:

INTEGRATE RISK MANAGEMENT INTO THE OVERSIGHT STRUCTURE AND SUPPORTING PROCESSES The company must identify at the outset what it wants to accomplish by taking on the risks of expanding into frontier markets. The risk framework must look at broad strategic risks and narrower ﬁnancial and operational risks. If operational risk is given too little attention, it could lead to damaging losses.

DETERMINE RISKS TO ASSESS In one frontier market, there may be more than 100 risks. The ﬁrm may not want or be able to focus equally on all risks, so it must prioritise and choose among them based on size, consequence and possible impact on strategic objectives. Many ﬁrms do this by integrating changes into their enterprise risk management programme on a pilot basis. By launching it in one division, the company can gain a good understanding of the risks and how to mitigate them better across country operations.

ENGAGE IN CONTINUAL RE-EVALUATION Risk management is not a static process, especially in rapidly changing frontier markets. Scenario planning should be a dynamic process that determines when corporate action should change in response to circumstances, be it political, economic or environmental. Scenario planning should also incorporate developments in other markets, which may have a direct impact on the country being evaluated.

USE QUALITATIVE AND QUANTITATIVE METHODOLOGIES Risks can be complex and companies o en resist the effort to quantify them because large amounts of data are hard to simplify and analyse. Some companies do not rely on numbers to make decisions, while others look at risk too narrowly, limiting scope and depth of vision and failing to aggregate the risk at the top of the company. What may sharpen these organisations’ view are stronger capabilities in risk prioritisation and measurement, scenario analysis and stress testing. These include qualitative risk assessment processes to prioritise risks, assess management and assign ownership.

ANALYSE, MONITOR AND REPORT RISKS Companies need to agree on metrics and methodologies. What indicators will be reported to operational and executive management? How frequently will those results be monitored and reported? Can the process be automated to provide results in real time? An effective monitoring and reporting programme is the front line of risk management in frontier markets. The potential rewards from ventures into frontier and emerging markets remain attractive. But companies entering such markets with a clear and well-developed plan for managing the full range of potential risks – operational, strategic and ﬁnancial – are far more likely to achieve lasting success than those focused on a narrow band of ﬁnancial and operational concerns. SR

Michael Chagares is executive director for risk management cross-industry services at Accenture and author of Managing Operational Risk with Eyes Wide Open; Phillip Straley is Accenture’s managing director for risk management in the Asia Paciﬁc region

Special Report

INTRODUCTION

HE LACK OF MAJOR NATURAL CATASTROPHES IN developed countries in recent memory may have lulled some multinational companies into a false sense of security. However, the events that have occurred so far in 2011 have been a rude awakening. Australia, Japan, New Zealand and the USA have all experienced significant events by way of floods, tornadoes and earthquakes. European companies with subsidiaries in the affected regions have seen their property loss prevention measures and business continuity plans tested. A little can go a long way when it comes to protecting property. If a company knows that it has operations in an area prone to earthquakes or floods, it can implement potential loss mitigation strategies that may be relatively inexpensive and can be disproportionately effective in reducing damage. For example, just raising a building’s floor level in an area likely to be flooded can prevent flood water ruining stock and equipment. While most major European companies may not have premises in the affected areas, many were relying upon suppliers located there. With little or no direct control over how these suppliers were protecting their businesses, the lessons may have been harder. For example, a significant number of multinational businesses were affected by the Japanese earthquake, tsunami and associated damage to nuclear installations. A combination of direct damage to premises, infrastructure problems and reduced availability of power meant that some companies’ key suppliers were unable to deliver at all. Others could only operate on a reduced basis and understandably gave preferential treatment to their best customers. Furthermore, some of these suppliers were way down the supply chain of the affected companies. They were suppliers to suppliers to perhaps even more suppliers – in other words, well behind the first group of so-called tier-one suppliers that most risk-management-enlightened companies would know about. Some were producing just a tiny, albeit vital, part of the customer’s ultimate product. The result is that many international companies were hit hard. The problems that beset Japan’s automotive industry and the knock-on effect for global motor manufacturers have been widely publicised. In addition, in view of the fact that Japan is a

key producer of hi-tech products and that so many goods now contain chips or other electronic components, many other companies felt the aftershock of the Japanese earthquake. This special report looks at some of the issues arising from the events so far this year and some of the lessons that companies may learn from the outcomes. For many risk managers, there may be no great surprises. But 2011 has put natural catastrophe exposures squarely back on the strategic risk map. Risk managers now have the opportunity to reinforce the value of risk management to their boards, in the light of what has been for many companies a salutary, and far from enjoyable, experience.

Contents [ PROPERTY RISKS ]

48 48

A catastrophic six months This year has shown that predicting events counts for little if you don’t fully prepare for their consequences Choked by the chain The Japanese earthquake and tsunami revealed how little many businesses know about their network of suppliers