Presidents Roundtable by Nathan Skinner

THE PRESIDENTS’ ROUNDTABLE

Preparing for a double dip FERMA REPORT FERMA REPORT

Ferma benchmark survey results

Risk appetite per risk category

The most eagerly awaited news at Ferma’s biennial get-together is always the results of its benchmarking survey. This year, 782 risk and insurance professionals from 20 member associations responded to the poll. Addressing the attendees and announcing the survey results, corporate risk management director for Campofrio Food Group and a Ferma board member Cristina Martinez said: “The survey results show the evolution of risk management and its role in European organisations today.”

60%

Risk taker zone High-impact risks

No tolerance zone High-impact risks

Competition & market

50% Compliance

70% 71%

Legal, regulatory or compliance requirements 45% 63%

Catastrophic event 39%

31% 31%

13% 26% Major increases in insurance premiums 12% 9% Other

INCLUDES A FOUR-PAGE SPECIAL REPORT ON THIS YEAR’S FERMA CONFERENCE

10%

20%

30%

40%

50%

60%

70%

Nature of risk management triggers

Risk management maturity triggers

80%

61%

Identifying future risks 48% Looming hard markets 42% Solvency II – potential impact on availability of insurance

capacity and cost

32% Change in environmental liability 25% Solvency II – potential impact on captives 24% Collective redress/class actions 19% Broker remuneration, disclosure and transparency 11% Terrorism coverage 10% Absence of appropriate solutions to cover investments in renewable

energies

13% Other 5% No opinion/don’t know

10%

20%

30%

40%

50%

60%

70%

80%

Insurance concerns Risk managers’ biggest bugbear with the insurance market is its ability to identify and respond to future risks (61% said so), according to the survey, which was carried out in partnership with AXA Corporate Solutions. The looming hard market is the biggest fear for about half (48%) of the respondents. Almost the same number (42%) indicate that their biggest worry is the impact of Solvency II on insurance capacity. Overall, the results reveal continuing progress in risk management fundamentals but there are still signiﬁcant disparities between companies, countries and risk management topics.

Planning & execution Political social & economical

30%

Financial

Mature

Advanced

11%

31%

Both compliance and shareholders expectations oriented

Shareholders expectations oriented

19%

11%

Complex organisations are most risk-mature The survey shows that the most risk-mature organisations are those with the most complex operations. Highly complex organisations have the most advanced risk governance, practices, tools and communication. But 26% of respondents say they have no external risk communication. Overall, the survey suggests that risk management mandates remain fairly limited and there is minimal co-ordination across risk functions.

Fixed assets

Just over a quarter of respondents say they have no external risk communication

IT/IS/data

Safety, health & security Product Credit Ethics, fraud, CSR Environment design HR & social Liabilities security Internal control Civil, general, professional Treasury

Corporate governance Financial market Dynamics, M&A

10%

Intangible assets Risk taker zone Low-impact risks

No tolerance zone Low-impact risks

Risk taker

Risk averse

Zero tolerance

Risk appetite Strategic & governance

Operational risks

Risk appetite relies on type of risk Other important ﬁndings from the survey relate to risk management maturity and risk appetite. The ﬁndings show that corporate attitudes to risk are mainly driven by the category (or type) of risk, rather than a technical risk assessment. For example, companies mainly adopt risk-taking strategies when it comes to strategic or business risks

Link between advanced level of risk management maturity

and company complexity

Company complexity

Risk governance

Production, quality Supply chain, business continuity

20%

Risk management level of maturity Moderate

Compliance oriented

xiv Strategic RISK NOVEMBER 2010 |

The top three issues that most concern you about the insurance market

Proportion of companies with an advanced level of risk management maturity per category

Sponsored by

Strategic RISK NOVEMBER 2010 |

www.strategicrisk.co.uk

iii

ROUNDTABLE

Introduction After a modest recovery, could Europe be heading for a double-dip recession? How has risk management weathered the downturn and is it prepared for another economic plunge? Is the ‘soft’ insurance market likely to reverse in the near-future? These were the questions that our panel addressed at the Presidents’ Roundtable discussion during the London Ferma seminar in late September. It was clear from the comments of participants that many European companies have yet to emerge from the effects of the recent ﬁnancial crisis, with most still in a cautionary and cost-cutting mode. However, it was felt that lessons had been learnt – as chairman Jorge Luzzi put it: “The patients have been inoculated and the vaccine should be taking effect.” Risk management during the recession has been tough. The experience has shown the need to take into account interconnectivity of businesses, geographies and suppliers, and to include a wide range of ‘what if’ scenarios. The discussion also highlighted the importance of small companies in corporates’ supply chains. Small- and medium-sized iv

Strategic RISK NOVEMBER 2010 |

www.strategicrisk.co.uk

enterprises generally play a major part in the profitability of larger businesses, so it is essential to encourage them to have good risk management. Communicating the value of risk management is a continuing theme. Some participants feared that the message might have been eroded by the fact that financial institutions experienced difficulties despite having what appeared to be excellent risk management in place. The key question here is whether senior management listened to risk managers’ warnings, and this leads on to the debate over the standing of risk managers within an organisation. Finally, it looks like it will take a major catastrophe (or two) to harden the insurance market. For the time being, multinational companies are unlikely to experience the cost savings created by good risk management in previous years. Jeff Carr, client relationship manager, major risks, Ace UK Sue Copeman, editor-in-chief, StrategicRISK Kadidja Sinz, commercial director, Ace Continental Europe

ROUNDTABLE

What’s next? The profession’s leaders met in London to discuss how the state of the worldwide economy is affecting their work, whether some countries will see a double-dip recession, if captives still make sense, and how best to spread the message of good risk management

hairman Jorge Luzzi, Ferma vice-president, opened the discussion by looking at some of the problems that Europe has experienced in the recent recession. Although it was banking institutions that were hit hard at first, he pointed out that the insurance industry had been affected too, with some companies relying on government funding for their survival. Luzzi expressed gratitude for this government help, saying that if these insurers had been allowed to fail, there could have been significant capacity problems, particularly with liability cover. He said current discussion concerned the possibility of a new recession – a so-called double-dip. It appeared that the USA could be on the verge of this, while some European countries had still to emerge from the first downturn. Luzzi cited problems in Spain where unemployment has reached nearly 20% and is likely to worsen as the country reaches the end of the holiday season. Problems with the Greek economy, accompanied by significant social unrest, have also hit the headlines.

Ace UK’s Jeff Carr pointed out that recession had triggered employment disputes and social unrest in the USA and Europe, all of which could affect businesses. Graham agreed that the world’s economic problems mean there is more pressure on risk managers to do things well, and this includes employment practices. She said risk assessments against future scenarios should include disputes and unrest. Carl Leeman said lessons had to be learnt from the previous crisis, although he questioned whether the financial institutions that triggered the problems had taken these on board. “Many

‘Businesses under pressure want to cut costs. Risk management, like other things, is an overhead and a cost’ Julia Graham, Ferma

Recession risks Against this dismal background, and taking into account the slight recovery in some European countries, Luzzi asked if those present thought that some fragile economies might slip back into recession. “If that happens, how do you think it will affect risk management, and what new challenges will risk managers face? Are we prepared?” he asked. Ferma vice-president Julia Graham was first to respond. Pointing out that there are several angles to take into account, she said it was important to look at scenarios and actually get a company’s board or risk committee to think about what the risks could be, and the effect on corporate plans. She asked: “If you’re trying to protect the delivery of your strategic objectives, what would be the impact of a doubledip? What are the variables that could change your view?” For example, a double-dip might not be universal. Europe could suffer while China continues untroubled. Organisations that trade in Asia, as well as in Europe and in North America, need to consider the implications and look at the combined picture, she suggested. In terms of the local view for the risk manager, a further recession would put more pressure on corporate overheads. “Often the first thing that happens when businesses are under pressure is that they want to cut costs. Risk management, like other things, is an overhead and a cost,” Graham said. She stressed the need for risk managers to keep their eyes on delivering value and providing evidence of their effectiveness, suggesting that one of the best ways do this was to help the board look into the future.

Sponsored by

Strategic RISK NOVEMBER 2010 |

www.strategicrisk.co.uk

ROUNDTABLE

‘Take the Iceland ash cloud. Everyone thinks somebody else should step in, but they should ask what they can do’ Carl Leeman, Ifrima

Sponsored by

Strategic RISK NOVEMBER 2010 |

risk managers within financial organisations had predicted and/or warned their senior managers about the risks associated with the tricky investments and derivatives they were playing with – but they were not listened to,” he said. Leeman said it was mainly the investment operations of the banks that led them into trouble. Public opinion was that huge bonuses in the banking sector were part of the problem. “Now we see that, despite the debate on bonuses, people are finding many ways to get around this and continue paying them. Most frighteningly, the major European banks that have now changed their chief executives have put in charge people who were responsible for their investment operations. Rather than penalising these individuals, they’ve been promoted,” Leeman said. In terms of how the economic crisis had affected his own organisation, he said that his company’s broad spread, both geographic and in different types of business, had provided a cushion and enabled it to increase cashflow. It had remained conscious of the need for good risk management. Leeman had a warning, however: “At a time of tough competition, there’s a danger that those in charge of

www.strategicrisk.co.uk

commercial operations may accept unreasonable terms just to get business. What is the use of good risk management if your commercial guys take unlimited liabilities in their contracts? That can kill a company.” He considered this was an often underestimated aspect of risk management. “People are always talking about contract certainty in relation to their insurance policies. But contract certainty for the commercial contracts that a company has with its clients is perhaps much more important.” A double or even a triple recessionary dip is something that risk managers do not have the power to avoid, but they can assist senior management in preparing the company to cope as well as possible, far in advance of any crisis. The results of the 2010 Ferma risk-benchmarking survey showed that catastrophic events have diminished in importance as triggers of risk management. Leeman found this rather alarming, for example in view of the oil spill in the Gulf of Mexico, which he said could have led to the collapse of a company smaller than BP. Leeman also pointed out that, in his view, individuals did not want to take responsibility for risk. “We saw it with the ash cloud from the Iceland volcanic eruption. People whose travel was disrupted were immediately thinking about their travel agencies or airlines paying the costs. What did travel or air companies have to do with the volcanic eruption? Everybody thinks that somebody else should step in and solve the problem. “We should come back to the situation where people ask themselves what they can do to solve a problem – or even better to avoid a problem – rather than looking around for what other people will do.” Graham agreed it could be valuable to look back and make sure that a business had learned the lessons of the first dip. She said: “In that recession, we saw a lot of things: cutting corners, contract terms and clients transferring their liabilities to you. For example, there were situations where, if your landlord went out of business or failed to pay its bills, you might not have premises; so we saw the need for contingency plans. There are some really interesting business continuity issues that we could learn from.” Luzzi concurred that businesses were probably better prepared today because of what they had suffered in the past.

Supply chain The lessons also applied to component suppliers, said Swerma president Charlotte Barnekow. It had been difficult to persuade managements of the need to manage exposures arising from the interconnectivity of businesses, especially the damage that could result from a shortage of components. Although managements understood there could be problem, the view tended to be that it was unlikely to occur. She felt there was now a greater appreciation of supply chain risk. Barnekow said that, while most large companies now had some risk management in place in this area, there was a need to educate SMEs, which are thought to account for 80% of most European economies. Encouraging SMEs to adopt good risk management practices would benefit the big companies they supply.

ROUNDTABLE

Leeman said more attention should be paid to educating SMEs. Most risk management associations’ membership comprised larger companies, and it was a “huge task” for them to try to reach SMEs and spread good practice in risk management. Ferma’s Günter Schlicht pointed out that some associations, such as the German risk management association, DVS, included SMEs. He pointed out the difficulties in serving the needs of both large and smaller companies. “You cannot do it in exactly the same way, “ he said. “We try to render active service by counselling them. If they ask us questions, we tell them how we think an insurance programme or a contract should look, and what to do. We hold seminars and regional conferences. However, even with this active service, the possibilities are limited and it is difficult. It is an ongoing job and we are committed to it.” Paolo Rubini said Anra, the Italian risk management association, also found it difficult to reach SMEs. He suggested that it was probably easier for big companies to try to educate them via their supply chains. Associations could help with such educational programmes as a service to their large corporate members. Training aside, large buyers could require suppliers to meet certain risk management standards, although Ace Continental Europe’s Kadidja Sinz pointed out that this would be a cost at a time when suppliers were already under financial pressure. “The crisis has shown the interdependency that exists and highlighted the fact that, in terms of financial resources, the system is only as robust as some of the weaker links,” she said. The credit crunch also meant that at one point some major companies could not continue to sub-contract to certain businesses because of their inadequate credit rating. “The financial aspect is also crucial,” emphasised Sinz. Luzzi said that with large companies generating work at a time when many countries are suffering high unemployment, suppliers needed to maintain good relationships with their customers. He added that his own organisation was requiring transport companies to provide improved protection of its products in some countries. As far as smaller suppliers were concerned, Luzzi agreed that those risk management associations with a significant number of SME members had a role in educating them. However, small businesses had to understand that larger companies relied on their support in order to compete effectively. He gave the example of a contract to supply tyres to a team in Formula 1 racing. “We have to demonstrate that we are able to fulfil the contract on time because, if we fail, that will affect our clients’ ability to compete, and they will lose revenue in terms of sponsorship. There is an interconnection all the way through now. If small companies want to play the game, they have to try to manage that.”

Exposure Sinz said a double-dip recession could drastically affect those companies that were finding it hard to recover after being weakened by the last economic crisis. Schlicht pointed out that smaller suppliers in some industries had their own associations, some of which provided assistance with liability, insurance and risk

‘This has shown the interdependency that exists. The system is only as robust as some of its weaker links’ Kadidja Sinz, Ace Continental Europe

management. He said interests can differ, and they might find it better to obtain advice and develop strategies from these groups rather than from risk management associations with large corporate members. Generally, it was agreed that there should be a change from past practice, where big companies imposed their will on small suppliers without discussion, and with the threat of going elsewhere if those suppliers did not sign up to their terms. Leeman said more people were aware of the importance of small suppliers in the supply chain and the vital contribution they made to the success of large businesses. Credit exposure also came under discussion, with the panel agreeing that credit insurance was one of the few covers that had not moved into a soft market. Schlicht said this was the insurance area that caused most problems in Germany during the financial crisis. “Companies encountered real difficulties because they could not obtain cover, or the cover they had was cut down from one day to the next in a sudden and rather brutal manner,” he said. Not all countries were hit by the financial crisis, principally because stringent banking regulations prevented them

Sponsored by

Strategic RISK NOVEMBER 2010 |

www.strategicrisk.co.uk

vii

ROUNDTABLE

‘Things are going well in Germany but there are signs of a growing readiness to demonstrate … to go on the streets’ Günter Schlicht, Ferma

taking the risks that led to the problems, said Leeman. Sinz questioned whether companies really would give up on risk management.

Short-life technology

Sponsored by

viii Strategic RISK NOVEMBER 2010 |

The pressure in certain industries to keep offering new products and models was discussed next, and it was agreed that this is not conducive to good risk management – as demonstrated by the number of recalls in the car industry. Luzzi said that while some products had a relatively long life before obsolescence, other markets required companies to continually re-invest their profits to remain competitive. He cited the mobile phones and computer industries, where buyers demanded the latest technology. Rubini said sophisticated telecom companies that could rely on a good IT infrastructure were starting to sell their services, for example in the internet cloud, but these were unregulated. The danger is that they are shifting the risk from the customer to themselves; they are managing clients’ data and there is a real exposure to liability. But such companies believe they have to

www.strategicrisk.co.uk

move in this direction because it is perceived to be the way that the telecoms industry is going. Graham believed that this illustrated her first point about the need to consider scenarios and the way that trends could combine to create risk. “We could have fast-moving and innovative technology without a recession, but in a time of recession it imposes all sorts of additional pressures on the businesses concerned and their suppliers. This includes geographical considerations as to where you can get a product made the most cost-effectively. “A recession in one part of the world can have a huge effect, potentially, somewhere else. It is all these connections that I think are so complicated for us to understand and to know what to do with,” Graham said. Luzzi asked whether, in the event of a double-dip recession, risk managers considered that they had more weapons in their armoury than before 2008. Were they in a weaker or stronger position than in the run-up to the last financial crisis? Schlicht said that the DVS had asked risk managers whether the importance of insurance management had changed within and with the crisis. Most said it had not altered fundamentally, but they were more cautious about certain aspects. They said there was more careful consideration of what they were doing. Giving an insurer’s view, Carr said that some clients had reduced the number of people in their insurance teams. “They’re looking to perhaps push some of the tasks onto their broker, or even their insurer, or are putting the tasks to one side and deciding that maybe they don’t need to be done at the moment.” Graham said that the UK risk management association Airmic had seen a slight move towards more insurance buying being outsourced, especially among SMEs. Some companies are turning to their brokers, perhaps to run the portfolio as an outsource supplier. Barnekow, however, has seen the reverse trend. She said that some smaller companies, which a few years ago outsourced insurance purchasing, had taken it back internally. Carr suggested that the squeeze may have led to more outsourcing by larger companies with big insurance departments, and less by smaller companies with no insurance departments, which had decided to bring in purchasing. In effect, they were coming closer together.

‘Real’ risk management Leeman said he deplored the focus on insurance buying. “If risk managers really want to grow in their organisation, they should take care of other things apart from buying insurance. It’s crucial to be able to advise your board on real risk management issues, not only for the board’s and your own sake, but also for the targets that the company has set for itself. “At the end of the day, that will have an effect on insurance as well. I’ve heard a number of insurers say they want risk managers to grow within their organisations and to have more input, because that will affect the risks of the company. In turn, that will influence insurance: their companies will get better terms and conditions because insurers will know the risks better.

ROUNDTABLE

“For the sake of risk management, that’s the only way forward. It’s not an easy debate because most members of the risk management associations spend around 80%-90% of their time on insurance issues.” Darim president Charlotte Enggaard said the liquidity problems and cost-cutting considerations of the financial crisis had led to many long-term pay-back projects being put on hold. As Graham said: “It’s a brave organisation that invests a lot of money in something it can’t see.” She said it was a more typical and understandable reaction for organisations to start to manage what was in front of them, and not to want to look too far into the future. She added that a lot of risk managers were trying to balance both but that was a big challenge in a recession when many companies were in survival mode. It was also suggested that this was one of the reasons many risk managers had failed to demonstrate the value added by risk management. Even institutions that were claiming to have proper risk management procedures in place, with people employed full-time to do it, did not manage to see the financial crisis coming. Risk managers needed to overcome this challenge to get buy-in for strategic risk management. Sinz said that you could argue that some people were informed and advised by their internal unit that there was a danger zone. “It’s always about which risks bring margin and which don’t. The message didn’t get through because some of what was happening was bringing margins to the companies and was being welcomed by shareholders. “Now it’s a question of how much money we spend to be in less trouble the next time, and that’s difficult to answer,” she said. Enggaard agreed this was the case “because what’s coming next time is the thing we can’t see”. She added: “If we look backwards and make evaluations based on what we’ve seen before, that is never the story, even though memory is short. We will see some catastrophes coming back.” However, some regulators have taken action to help prevent or mitigate future problems. For example, the UK is ensuring that organisations have good facilities for whistleblowers. This might mean that people whose warnings were ignored before the last recession could be heard if something similar were to happen. Organisations also have to ensure that facilities are set up properly so that people are not victimised if they highlight a problem within their organisation. There have also been a number of anti-bribery and anti-corruption measures.

Public reaction to the crisis It was noted that public reaction to the financial crisis was intensifying, especially as countries cut public spending, and that this could lead to social disruption. Sinz said that any risk management analysis should include the effect of such disruption as well as customer reactions. She asked how these could be evaluated. Graham suggested that organisations needed to have their contingency plans finely tuned to take into account the effect of air or rail strikes, for example. She said: “It raises the profile of good contingency planning. If something does happen – and there’s not a lot we can do

‘Risk managers should be able to show how they have prepared a company for a crisis’ Jorge Luzzi, Ferma

to control some things – what do you do? How do you keep yourself in business? And how does that become a competitive advantage? If you do it well and somebody else doesn’t, maybe it’s you that survives.” Graham gave as an example the need for office-based businesses to plan for people to work at home. Even in Germany, where recent economic developments have been positive, there is talk of a new culture of civil protest. Schlicht said: “Things are going rather well, with positive unemployment rates and the economy growing at a satisfactory pace, but there are signs of a growing readiness to demonstrate – to go on the streets to protest.” Graham attributed this to the cumulative effect of different pressures and events. Carr suggested that it could be a role of risk managers to look into the future, because social unrest and perceived injustice could lead to political change. He said: “It can move from left to right quite quickly, and back again. That generally stirs up the political and the legislative environment, which will affect businesses. It’s difficult to predict, but I think it’s something we have to consider.”

Sponsored by

Strategic RISK NOVEMBER 2010 |

www.strategicrisk.co.uk

ROUNDTABLE

‘Several owners might have allowed their captives to be inactive for a while, to reﬂect current circumstances’ Charlotte Enggaard, DARIM

Sponsored by

Returning to the possibility of a double-dip recession, Leeman said the risk management community should make sure it has a good communication system. Everybody would benefit from exchanging more information, and this could include problems that had occurred, claims experience and any damages paid, particularly in those US cases settled out of court. He said risk management associations, brokers and insurers could take a lead on this as they would all gain from others’ experience. Barnekow said there was more pressure on risk managers to be efficient. “Fast-moving developments create opportunities for risk managers and the risk management community, and I think this is something we should try to leverage, and find ways to help others to do that,” she said. Luzzi agreed, and said risk managers should be able to show senior management how they had prepared a company for a crisis, and not just prove their value through lower insurance premiums.

Risk managers’ wider role Moving to the effects of recession on employment, Luzzi pointed out that some countries had raised the pensionable age

Strategic RISK NOVEMBER 2010 |

www.strategicrisk.co.uk

for employees and asked if risk managers were likely to become more involved in workforce-related issues. Leeman and Rubini agreed that an older population was a problem for many European countries because it is unsustainable for a diminishing employee base to support an increasing number of elderly people. Schlicht said trends in pensions would not have a direct influence on the work of risk managers, but Graham pointed out that “people issues” were now more of a priority. She said: “You have to look after your people. You have to consider how you get the right people and whether they’re working under pressure because of cost cutting. If people leave, you have to make sure this is done in the right way to avoid any liabilities.” Graham believed that risk managers had a significant role in risk financing. She said more risk managers were involved in buying health and other employee benefits, just like any other kind of insurance. Sinz noted that there was increased interest in liability with regard to employment practices. Enggaard said: “If risk managers are doing their job well, then the human resources people will be applying the same risk management techniques to their work. They will thereby have a better picture of the risks involved in hiring, firing, pension funds, healthcare or whatever.” She said instilling a risk management culture into a company was more important than worrying about who was directly responsible for any one area. “Defining who is responsible for what is not as interesting as asking: ‘Are we feeding the right culture into the companies?’ You can work together on these things, it doesn’t just have to be the role of risk managers.” Luzzi said that some enterprise-wide risk management activities reflected the traditional work of risk managers in identifying, mitigating and transferring or assuming risk, and that this culture was transferring to other sectors of companies. He said that the emergence of risk committees with the involvement of chief executives and other senior management was, in a way, a victory for the risk management profession. “I don’t know whether the risk manager will eventually take up the role of chief risk officer in all cases but, in a way, the tools that we were using are being applied for everything,” he said.

A fresh look at captives The discussion moved on to captives and whether their existence and role had changed due to the financial crisis. Graham suggested that the downturn had put pressure on risk managers to take a fresh look at the need for captives. “It’s not always for building a nest egg; sometimes you can set up a captive purely for the benefit of control, knowing where your cost is going. I do think that the recession has challenged people to ask whether their captive was set up for the right reasons, if it is delivering what it should be doing, and if they can put more through it. “If you set up a captive because you thought the conventional insurance market was going to harden, you now have to try to look over the horizon to see if your assumption is still valid. Can you place your company’s health and benefits programme with your captive? It’s a matter of making your captive work for you.

ROUNDTABLE

“The pressure is on risk managers to step back and examine why they have captives and what value they’re adding, just like anything else.” Although it was generally agreed that such questions should have been asked when the captive was set up, it was felt that the recession and increased regulation had brought more pressure to bear on captives. Carr pointed out that the rationale for a captive might have changed with the competitive risk transfer options now available. He said: “One of the reasons for setting up a captive – and one that is sometimes forgotten – is to remove some of the volatility of risk transfer. In a recessionary environment, the finance director might question putting business through a captive when conventional insurance is relatively cheap. They might at least want to see what a conventional risk transfer option would produce.” Enggaard said not many Danish companies had captives but those that did were generally favourable. “I think that several captive owners might have allowed their captives to be inactive for a while to reflect current circumstances. This goes to show that captives are a tool that you use as appropriate. Of course, companies have to consider why they are using a captive, but those that have used them to leverage prices and to try to smoothe the insurance-buying process have found that they have achieved this over the past couple of years.”

‘Insurers are becoming more cautious about the pricing of renewals. Any reductions are likely to be less’ Jeff Carr, Ace UK

A harder market? The soft market in insurance may reduce the value of having a captive insurer but there are signs of a hardening, perhaps not next year but possibly in 2012. Luzzi said new solvency requirements could lead to consolidation and a reduction in capacity; for niche products, there could be a relatively small market offering few options. Carr stressed that Ace provided underwriting for each risk on its merits, but said that market overcapacity could continue for some time. He felt the situation was unlikely to change as a result of attritional risks. “Insurers in combination with clients have got a much better handle on employee injuries and those types of losses, so I think those costs, certainly outside the USA, are much more under control. “However, if there are one or more significant catastrophic events that have an impact on reinsurers, and therefore on insurers via their reinsurance treaties, rates could start to harden. When that’s going to happen is obviously difficult to predict.” Carr pointed out that Ace, along with other insurers, was becoming more cautious about the pricing of renewals, so any reductions were likely to be less than they would have been six months ago. This applied especially in the multinational arena where relatively few insurers can provide a global solution. He said that while the SME marketplace in certain territories was still very soft, competition for multinational business had started to reduce. Enggaard said she understood there needed to be rectification when margins were falling, but she probably spoke for all risk managers when she said she hoped volatility would not be as extreme as in the past. “Solvency II might be the ‘big bang’ that starts it up but hopefully, in the long run, that will produce a better picture.”

Sinz suggested that the allocation of capital to various types of insurance could change. “When insurers analyse the margins and return on capital associated with different types of business, it may be that they see quite a different picture to what they originally thought. That will trigger some adjustments in pricing and an analysis of systemic risk. “Historically, insurance has not been an industry that has given investors a high return: we’ve been more focused on stability.” But the volatility that is part of insuring uncertain events has not gone away. If one or more major catastrophes occurred, the system would need more premium to cope. This would affect prices, as would the need to ensure adequate return on capital. Schlicht concluded by saying that German risk managers do not think the insurance industry is suffering at the moment. He said the market had been soft for several years but had started at rather a high level. “At the moment, there doesn’t seem sufficient reason to force a turnaround. Industrial insurers haven’t reported bad results in the last six or seven years. However, I wouldn’t guarantee that things will remain as they are.” ■

Sponsored by

Strategic RISK NOVEMBER 2010 |

www.strategicrisk.co.uk

FERMA REPORT

Ferma explores the best way to set up risk management

‘A small issue somewhere in the world can spread quickly online. It can then affect your reputation worldwide’ Arnout van der Veer, Reed Elsevier

Sponsored by

xii Strategic RISK NOVEMBER 2010 |

he role of the risk manager, whether or not they hold the post of chief risk officer, was debated at the 2010 summit of the Federation of European Risk Management Associations (Ferma) – Europe’s biggest risk association. Almost 500 risk and insurance professionals gathered at the Hilton London Metropole Hotel for a two-day conference. The summit is held every two years. ‘Driving change’ was the theme of the event. Speaking in the main presentation hall, chief risk officer of information group Reed Elsevier Arnout van der Veer said the enhanced focus on risk issues means there is a great opportunity for members to push their boards to take risk management more seriously. Van der Veer said the global economic crisis has revealed four truths about risk: they are greater than many people originally thought; they are often unexpected; they are often hidden deep in an organisation; and they are usually linked to human behaviour, making them hard to predict. “A small issue somewhere in the world can spread quickly online and affect your reputation worldwide,” said van der Veer. Risk managers: a seat on the board? Meanwhile, the role of the risk manager was investigated in a break-out session with Ferma directors. Ferma board member and director of risk assurance at Morgan Crucible, Paul Taylor, was asked whether the chief risk officer should have a seat on the board (this is the case with many banks). The argument is that this will help business leaders understand and deal with major risks. Taylor said this might be a solution for some organisations but he feels differently. He said: “For me, a risk manager is a driver of change who delivers results and has a supporting and facilitation role. It is not really about taking responsibility and ownership of those risks.” He noted that the ultimate risk managers are all C-suite executives. Ferma president and corporate insurance risk manager for Dutch multinational Stork, Peter den Dekker, agreed with Taylor. He said:

www.strategicrisk.co.uk

“The chief risk officer should not be part of the board. Risk managers are not yay- or nay-sayers. In my view, they are literally facilitators.” Some commentators believe that if a chief risk officer sits on a board, they come under its influence and are then less effective at restraining any excesses of the business. One framework for basic risk governance is the ‘three lines of defence’ model, which is becoming increasingly popular. In this model: • operational management is responsible for implementing internal controls; • group-level risk and compliance management sits above operational management; and • internal audit interrogates everything. The model is explored in more detail in a report by Ferma and the European Confederation of Institutes of Internal Auditing (ECIIA) – Guidance on the 8th EU Company Law Directive – which was launched shortly before the conference (see page xiii of this special conference report for more detail). Co-operate on global insurance standards Ferma also announced that it would like to see improved co-operation over global insurance programmes. In response to a question from StrategicRISK, Den Dekker said he wanted to see large insurers work collaboratively to resolve compliance issues with the administration of global insurance programmes. Speaking at a press conference on the first day of the summit, he said it was time the insurance industry “grew up”. He said: “Compliance should not be an issue of competitiveness. In my view, we should all interpret insurance regulations in the same way.” Den Dekker said he would like to “sit down with large global insurers”, with the approval of the EU Competition Commission, to come up with an industry-wide solution. At the moment, he said, each global insurer treats insurance rules and regulations differently, and uses their own interpretations in each jurisdiction worldwide, which can lead to confusion over the rules and whether they are being followed correctly. He gave as an example the case of a company found to be underinsured (or acting illegally) only when it makes a claim, which could be due simply to the rules having been interpreted incorrectly. Den Dekker would like the industry to develop a consistent interpretation of the various legal systems rather than having each global insurer compete for business based on its understanding of the rules. “We should all be willing to contribute to this process,” he said. Since taking the helm of Ferma, Den Dekker has spearheaded a lobbying campaign at European level on issues such as Solvency II and broker remuneration. The question of globally compliant insurance programmes is another major challenge facing the commercial insurance industry.

FERMA REPORT

En garde: implementing the three lines of defence

he question of how to monitor the effectiveness of a company’s internal control, internal audit and risk management systems is the subject of new guidance published by Ferma and the ECIIA. The guidance is a response to the corporate governance section of the 8th European Directive on Company Law, which states that “the audit committee shall monitor the effectiveness of the company’s internal control, internal audit, and risk management systems”. Ferma directors Michel Dennery, Marie-Gemma Dequae and Paul Taylor worked with ECIIA to produce the Guidance on the 8th EU Company Law Directive. This is intended as practical advice for board members, risk managers and internal audit professionals. The guidance gives an overview of the risk management role and responsibilities of the board, chief executive and senior management, operational management and the assurance functions. It clarifies the recommended interactions between internal control, risk management and audit. The report also suggests good practice for boards on the oversight of the risk management system and internal audit function. Getting defensive The paper recommends a ‘three lines of defence’ model (see box, below). “We think this is one of the answers to the question,” said president of the ECIIA and chief executive of audit consultancy Governis, Claude Cargou. “The first line of defence and control is operational management by the people in the field. The second line of defence involves the development of frameworks and standards of control; risk management is part of that level. The third line of defence is internal audit. This has a mandate to provide some assurance that the two other lines of defence are working properly. Cargou said: “The idea is to strengthen the links between the various control bodies: risk management, compliance, internal audit and quality control. They all used to work in silos but that doesn’t make sense at all. The strength of the control environment is not the strength of one single body, it’s the strength of the various bodies working together. A good answer to what is required by the directive is to implement this architecture

Three lines of defence model

according to the three lines of defence model.” In many organisations outside the ﬁnancial services sector, the three lines of defence operate independently of each other. Director of risk assurance at Morgan Crucible, Paul Taylor, said: “If management are unwilling to put governance in place then this is not going to make any difference. What this guidance does, particularly for non-executives and the audit committee, is to get people to ask the right questions. This gives them some very simple things to ask in their role in ensuring the effectiveness of risk management systems. He said: “There are two parts: putting the frameworks in place and changing the culture of the organisation. The guidance helps with both aspects. The audit committee can then make up its mind about the effectiveness of the systems. To put it in place, you need the skills of risk management and internal audit, as well as other experts who can drive change.” Cargou said that the design of the control environment is the responsibility of the chief executive. “He has to design the big picture. The second line of defence will then design the standards and frameworks. These will be used everywhere in the organisation by the third line of defence. That’s how it works.” Speaking the same language Taylor explained how he is making the three lines of defence work in his organisation: “I’ve been in my group for just under two years, and we are halfway through a three-year implementation programme. To get real change in the culture and make it sustainable could take another couple of years. It’s not a ﬁve-minute process.” Taylor said he has learnt a lot by working with the ECIIA on the guidance, and said risk managers should co-operate more with audit departments. He said that developing a standard methodology and language for risk can make it easier for the departments to work together: “Having that same expression is very useful.” Ferma and the ECIIA will keep working together, said Cargou. “We have achieved something that should prove valuable. There are so many more directives coming from Europe and together we can help people understand them.”

Source: Guidance on the 8th EU Company Law Directive, ECIIA and Ferma

Board/audit committee

Senior management First line of defence

Internal controls

Third line of defence

Risk management Compliance Other

Internal audit

External audit

Operational management

Second line of defence

Sponsored by

Strategic RISK NOVEMBER 2010 |

www.strategicrisk.co.uk

xiii

FERMA REPORT

Ferma benchmark survey results The most eagerly awaited news at Ferma’s biennial get-together is always the results of its benchmarking survey. This year, 782 risk and insurance professionals from 20 member associations responded to the poll. Addressing the attendees and announcing the survey results, corporate risk management director for Campofrio Food Group and a Ferma board member Cristina Martinez said: “The survey results show the evolution of risk management and its role in European organisations today.” Main external factors triggering risk management within your company 70% 71% Legal, regulatory or compliance requirements 45% 63% Catastrophic event 39% 35% Clear requirements from shareholders

31% 31% Pressure from the market 13% 26% Major increases in insurance premiums 12% 9% Other

10%

20%

30%

40%

Nature of risk management triggers

Risk management maturity triggers

50%

60%

70%

80%

Risk management level of maturity Moderate

Mature

Advanced

11%

31%

Both compliance and shareholders expectations oriented

Shareholders expectations oriented

19%

11%

Compliance oriented

xiv Strategic RISK NOVEMBER 2010 |

www.strategicrisk.co.uk

The top three issues that most concern you about the insurance market 61% Identifying future risks 48% Looming hard markets 42% Solvency II – potential impact on availability of insurance capacity and cost 32% Change in environmental liability 25% Solvency II – potential impact on captives 24% Collective redress/class actions 19% Broker remuneration, disclosure and transparency 11% Terrorism coverage 10% Absence of appropriate solutions to cover investments in renewable energies 13% Other 5% No opinion/don’t know

10%

20%

30%

40%

50%

60%

70%

Just over a quarter of respondents say they have no external risk communication

80%

FERMA REPORT

Risk appetite per risk category

60%

Risk taker zone High-impact risks

No tolerance zone High-impact risks

Competition & market

50% Compliance

Risk importance

40% Planning & execution

Financial

30%

Supply chain, business continuity

Product Environment design

Credit HR & social Liabilities security

Financial market Dynamics, M&A

10%

Intangible assets

Ethics, fraud, CSR

Internal control Civil, general, professional

Treasury

Risk taker zone Low-impact risks

Safety, health & security

Corporate governance

20%

Risk taker

No tolerance zone Low-impact risks

Risk averse

Zero tolerance

Risk appetite Strategic & governance

Operational risks

Company complexity

Proportion of companies with an advanced level of risk management maturity per category

IT/IS/data

Fixed assets

Link between advanced level of risk management maturity and company complexity

Risk governance

Production, quality

Political social & economical

LOW

MODERATE

HIGH

VERY HIGH

28%

25%

30%

42%

Risk practices and tools

18%

20%

24%

32%

Risk communication

40%

43%

51%

69%

Compliance & ethics

External risks

‘The pressure from shareholders on companies to adopt better risk practices is less than expected’ Jean-Michel Paris, Ernst & Young

Strategic RISK NOVEMBER 2010 |