FERMA Risk Management

Benchmarking Survey 2016

8th Edition

“ I am delighted to present to you the FERMA 2016 European Risk and Insurance Report, gathering the views of more than 600 European risk managers at a time of major changes in Europe.

At our general assembly in June this year, FERMA set out its strategic vision to achieve “a world where risk management is embedded in the business model and culture of organisations”. Today, we see that risk managers are increasingly moving into a position where they will help achieve that vision in their own organisations. They are taking more strategic roles, and the majority report to a chief officer or to the board.

Risks are always evolving – as we see from the focus on data protection and cyber risks. Risk managers want to develop skills and tools that enhance their ability to manage such emerging risks and want their advisers, brokers and insurers to be their partners in doing so.

The findings of this report, combined with FERMA’s mission and strategy, will shape our activities over the next two years. One of the priorities that our members see for FERMA is to strengthen the professional standing of risk managers in Europe, and FERMA’s professional certification programme rimap® will be an important contribution to achieving that objective.

I trust that you will find FERMA’s 2016 European Risk and Insurance Report a source of valuable information and topics for further discussion as we build our profession together. “

Jo Willaert, President of FERMA

Presentation of the survey Eighth biennal benchmarking survey conducted by the

Federation of European Risk Management Associations

FERMA in collaboration with: AIG Chubb EY Marsh XL Catlin

The survey (39 questions) received 634 responses and was conducted from April to June 2016

The survey was divided into 3 parts:PART 1: RISK MANAGEMENT PROFESSION AND PRACTICES IN EUROPE: from S1 to Q16

This part is seeking to reinforce the understanding and positioning of the risk and insurance management role.

Support the development of the risk and insurance management function.

PART 2: EUROPEAN INSIGHTS ON RISK MANAGEMENT: from Q17 to Q20NEW

This part is seeking to identify the main priorities for EU risk and insurance managers to ensure that FERMA supports its members’ needs and

expectations as regards the risk and insurance management function.

PART 3: Insurance Management : from Q30 to Q39

This part is seeking to provide EU insight on the evolution of the insurance market and risk managers’ expectations.

Key facts

2000 2002 2004 2006 2008 2010 2012 2014 20160

100

200

300

400

500

600

700

800

900

49

269

460

555

782 809850

634

Number of respondents

Total Number of responses since 2002

This is the eighth edition of the FERMA European Risk and Insurance Report. It has been published every two years since 2002. FERMA in collaboration with AIG, Chubb, EY, Marsh and XL Catlin, conducted the European Risk and Insurance Survey, on which the report, is based between April and June 2016.

The FERMA European Risk and Insurance Survey 2016 is a fully online project. The population of the study is composed of all FERMA members (22 national associations in 21 countries) and contacts from AIG. In total, 4.407 invitations were sent: 634 participants responded to parts one and two, of which 406 also answered to the third optional part of the questionnaire. This represents a response rate of 14%, which makes it a good representative sample of the profession. The similarity in the respondents between the previous survey in 2014 and the latest version confirms that the findings are an expression of views across the European risk management community.

Every participant received an invitation email with a personnel link; there were no sampling methods applied to the population. An independent research company, Toluna, collected the responses and compiled the results.

DisclaimerThe 2016 FERMA European Risk and Insurance Report is designed to serve as a high-level overview for risk and insurance managers and other executives. Our analysis includes benchmarking information drawn fromrespondents across a variety of industries and companies. The data, therefore, reflects general trends aboutthe profession.

Survey methodology

Table of Content1. Introduction2. European insights on risk management

practices3. European perspective4. Insurance: Evolution of the Insurance Market

and Risk Managers’ Expectations

1. Introduction

Risk and Insurance Managers’ profile

The survey shows that the typical risk manager profile remains stable in age, gender and salary wise since the last 2 years

The typical risk manager in a leadership role is around 50 years of age (78,8%) and male (80,5%).

Within the younger generation of risk managers women are still the majority in number, however women continue to lose this position quickly as the survey findings move through the risk management career time line and male risk managers predominate in leadership roles from the age of 35.

The growth in the number of young risk managers is encouraging for FERMA’S risk management certification programme, rimap®, launched in 2015. We believe rimap will strengthen career opportunities for people joining the profession.

FERMA’s insight

Risk and Insurance Managers’ profile

Europe’s risk management population has changed little in terms of age, gender and compensation since 2014. Generally, risk managers are: Male (73% male compared to 27% female) Between 36-55 years (72%), with a small increase in young risk managers since 2014 Earning more than €100.000 a year (46%) and more than €200.000 for 7%, with salaries remaining higher for men than

women by 65% The younger generation (less than 25 years category) seems to be more diverse having 50/50 between genders 62% working for companies with turnover exceeding €1 billion 80% working for companies with more than 20,000 employees and dedicate four or more full time employees to risk

management

Risk and Insurance Managers’ salary

Salary levels for risk managers in leadership positions are typically higher for male risk managers than for women.

Less than €60k

Between €60k - €80k

Between €81k - €100k

Between €101k - €120k

Between €121k - €150k

Between €151k - €200k

More than €200k

18%

18%

18%

15%

12%

12%

7%

A representative panel of European companies

Manufacturing

Energy / utilities

Banking and Financial Services

Professional and Business Services

Transportation / logistics

Insurance

Technology and Telecoms

Automotive

Food and Beverages

Retail

Public sector and non-profit

Real Estate

Pharmaceuticals and Life Sciences

Others

19%

13%

10%

8%

7%

5%

5%

4%

4%

4%

4%

3%

3%

8%

The top 3 organization’s main sector of activity are:

1. Manufacturing2. Energy /utilities3. Banking and Financial services

While capital intensive industries face more risks than services industries – the very reason why the majority of respondents work within these sectors – the rise of cyber risks is set to change this balance. In the future, we are likely to see higher proportions of risk and insurance managers in service industries as cyber risk continue to grow with further advancement in technology.  

A representative panel of European companies

Less than €50 million

Between € 50 million and less than € 100 million

Between € 100 million and less than € 500 million

Between € 500 million and less than € 1 billion

Between € 1 billion and €5 billion

More than € 5 billion

10%

3%

14%

11%

31%

31%

Less than 250

Between 250 and less than 1,000

Between 1,000 and 5,000

Between 5,001 and 10,000

Between 10,001 and 20,000

More than 20,000

13%

10%

22%

12%

13%

31%

Organization’s turnover: Organization’s total number of employees:

Risk Management team in larger companies include at least 4 people : 60.6% of respondents from companies with turnover over 1 billion EUR have RM team of >4 FTE 77% of respondents from companies with turnover over 5 billion EUR have RM team of > 4 FTE The larger company, the larger the risk management team (same as in 2014)

Risk Management Insurance

52% 51%

29%

17%19%

32%Up to 3Between 4 to 10More than 10

Full Time Equivalents dedicated to Risk/Insurance Management

More than half of European companies have up to 3 FTE dedicated to Risk/Insurance Management

2. European insights on risk management practices

GRAPH CAPTION

Reports to other function or department

Emerging Moderate Mature/Advanced

Reports to CFO, General counsel/Head of Legal Department, Head of Internal Audit

Reports to President/Chairman, Audit (and/or risk) Committee, Board of Directors / Supervisory Board, CEO / Managing Director or General / Company secretary

Risk Management function globally reports at Top Management level (88%). This practice is increasing compared to 2014 (84%).

Risk Management reporting: increasing reporting at Top Management level

Emerging Moderate Mature/advanced

7%

40%

53%

17%

33%

51%

12%

36%

52%

2012 2014 2016

CFOs remain the primary reporting line for Risk Managers across Europe

The main reporting lines are respectively: Risk managers: Board of directors,

president, chief executive officer, risk committee and chief financial officer (65%)

Insurance managers: President, chief executive officer, chief financial officer, head of treasury and head of legal (73%)

Risk and insurance managers are also reporting to top level non-executive functions such as presidents and the chairman as well as the board of directors and supervisory board at 21% and 16% respectively.

This suggests that risk managers are beginning to gain much-needed board engagement as they start to take on a more strategic role.

Reporting lines of risk and insurance managers - detailed responses

Chief Operating Officer

General / Company Secretary

Head of Internal Audit

Audit Committee

Head of Treasury

Chief Risk Officer

General Counsel / Head of Legal Department

Risk Committee

President / Chairman

Board of Directors / Supervisory Board

Chief Executive Officer / Managing Director

Chief Financial Officer

2%

3%

3%

5%

5%

5%

6%

7%

10%

11%

16%

26%

2%

4%

0%

1%

11%

6%

9%

2%

9%

8%

12%

35%

Insurance ManagementRisk Management

Risk/Insurance Managers’ roadmap: towards the development of Risk management as a strategic tool deployed at all levels of the organization

1. Insurance management and claims handling / insurable loss prevention (86%)

2. Development of map of risks: risk identification, analysis, evaluation, prioritization and reporting (79%)

3. Assistance to other functional areas in contract negotiation, project management, acquisitions and investments (77%)

1. Development and implementation of Risk Culture across the organization (68%)

2. Alignment and integration of risk management as part of business strategy (62%)

3. Development and embedding of Business Continuity Management / Emergency Management / Crisis Management / Incident response programes and solutions (59%)

1. Analysis of capital projects and delivering business plans (40%)

2. Design and implementation of risk financing strategy and association solutions (30%)

3. Definition of compliance (Management, Framework, embedding and assurance) (29%)

1

Top embedded activities Activities planned for 2016-2017:

Not planned activities

Operational risk activities remain high on the agenda for the risk profession but for the year ahead, risk managers are planning to take on more strategic responsibilities as enterprise risk management gains traction in many businesses. This trend shows that risk management is evolving, transitioning from an operational function to a strategic one.

The evolution of reporting lines also indicates that risk managers are gaining much needed board engagement as they ‐develop this more strategic role.

FERMA’s insight

Risk Management interactions with Top Management/Board

There is no mechanism in place to formally report about risk management

GRAPH CAPTION

Emerging Moderate Mature Advanced

Meets Board and/or Top Management members on a requested basis

Formally presents to the Board of Directors and Top Management once a year

Formally presents to the Board of Directors and Top Management several times per year

Emerging Moderate Mature Advanced

7%13%

37%42%

10%

24%18%

48%

11%

22%16%

51%

2012 2014 2016

A majority of respondents (51%) formally present Risk Management activities to the Board/ Top Management several times a year.

Nevertheless, we note that one third of respondents still have limited interaction with Top Management.

Relations between Risk Management and other functions: basic coordination but room for improvement

Risk Management first-rank partnersNo relationships < 20%

Risk Management second-rank partnersNo relationship <35%

Risk Management third-rank partnersNo relationship >35%

1 2 3

Risk managers are forging closer relationships with the finance function, compared to 2014, with investments/ investor relations, treasury and business budgets entering into the second-rank category. This suggests that risk managers are more involved in financial monitoring and financial decision-making, than two years ago. The IT department is only a third-rank partner of the risk management function, which is surprising with IT-related risks and cyber-attacks on the rise. The survey indicates that cyber threats continue to be seen as an IT problem and not an enterprise-wide risk management issue. For ERM to be effective, more needs to be done to fully integrate the governance and risk management of technology risks across the business.

Relationships between Risk Management, Insurance Management, Internal Control and Internal Audit: unchanged organisational model with Risk and Insurance Management together

(all functions together in a single department); 11.0%

(all functions separate in four dif-ferent departments); 23.8%

(Risk and Insurance Management together); 33.9%

(Risk Management and Internal Control together); 7.7%

(Internal Audit separate); 7.7%

(Insurance Management separate); 15.8%

In line with 2014 survey results, the most commonly used organisation remains Risk and Insurance Management together and separated from Internal Control and from Internal Audit.

Nevertheless, this trend is decreasing (34% in 2016 vs. 40% in 2014).

Risk mapping exercise: widely implemented but room for the development of advanced practices

No risk mapping approach in place yet

GRAPH CAPTION

Emerging Moderate Mature Advanced

Partial approach in place (certain business units/areas, risks…)

Approach in place at global corporate level (strategic, financial and operational)

Approach in place from corporate level down to divisions and business units

Emerging Moderate Mature Advanced

5%

16% 17%

62%

8%

15%

22%

55%

11%14%

26%

49%

2012 2014 2016

The survey results previously revealed that risk mapping was an embedded activity in Risk Managers’ agenda. The above graph confirms this trend as 75% of the respondents perform risk mapping: 49% from corporate level down to divisions and business units and 26% at corporate level.

The study indicates a negative trend in the deployment of the risk mapping from corporate level down to divisions and business units (49% in 2016 vs. 55% in 2014 vs. 62% in 2012).

Risk Management technology gains greater significance

Risk reporting / Risk dashboards

Risk mapping

Risk registers (Comprehensive analysis of all risks related to your business, including strategic, operational, financial, and hazard)

Monitoring of risk mitigation actions / controls

Risk quantification (Evaluating the probability of a risk event occurrence and effect) & Risk Modelling

Claims analysis

Risk appetite and tolerance

Scenario Analysis

52%

47%

46%

47%

43%

46%

27%

N/A – new in 2016

57%

55%

52%

49%

46%

45%

35%

34%

2016 2014

IT tools such as governance, risk management and compliance (GRC) software are playing a more significant role in supporting risk management activities, compared to 2014.

While IT/GRC tools are mainly used for reporting activities such as maintaining risk registers, risk mapping and risk dashboards, it is encouraging to see that they are beginning to support activities such as scenario analysis.

This development reflects the changing character of risk. As non physical or intangible risks, such as brand and data, ‐increasingly make up the bulk of business assets, the value of intelligent scenario analysis and data collection analysis, supported by IT/GRC tools, will also increase. This is an area where risk managers can develop expertise and contribute to their organisations.

FERMA’s insight

3. European perspective

Top 10 RisksThe study reveals that the economic conditions are currently seen as the number one threat tosuccessful achievement of an organisation’s strategic objectives in terms of impact and likelihood.

This is demonstrated by its surge to first place from fifth in 2014 and its mention by 63% of respondents compared to 47% in 2014.

Business continuity disruption has made an entrance into the top 10 and jumped straight into second place. Political/country instability, non compliance ‐with regulation and legislation, and competition complete the top five risks, selected by over half of respondents.

Concern has increased about digital risks in various forms and interest rate and foreign exchangeexposures. The latter is most likely linked to the top risk of threats to economic growth.

The rise in concern about business continuity and cyber risks reveals a clear need by companies for more resilience to external threats (industrial damage, extreme events…) and growing awareness following a series of high profile cyber-attacks. Despite the evolving economic conditions and the increased concern about cyber-attacks and data privacy, “digital transformation and “strategy execution and transformation programmes” are not among the top ten risks to business.

FERMA’s insight

What are the five risks for which European Risk Managers are the most/least satisfied in terms of mitigation?

Highest level of satisfaction

1. Loss of assets (buildings, equipment,IP)2. Safety & health3. Security4. Quality of products & services (design, safety & liability)5. Environment and sustainability

Lowest level of satisfaction

1. Economic growth/slowdown2. Political, country instability (crisis, war, regulatory

changes)3. Increase of fiscal and taxes regulation (including fiscal

optimization)4. Human resources / key people, social security (labour)5. Strategic project failures

Despite the fact satisfaction levels are higher for those areas of risk where a risk manager can actually mitigate or transfer the risk, the study highlights that among the top ten risks with lowest level of satisfaction, 5 risks are not directly triggered by external factors:• Human resources / key people, social security (labour)• Strategic project failures • Cyber-attack / data privacy• Digital transformation• Market strategy, clients

Satisfaction level – overall risks list

What are the five risks for which European Risk Managers are the most/least satisfied in terms of mitigation?

Satisfaction level – focus on Top 10 risks

Interest rate & Foreign exchange

Business continuity disruption

Noncompliance with regulation and legislation

Reputation and brand

IT systems and data centers

Market strategy, clients

Cyber-attack / data privacy

Competition

Political, country instability

Economic conditions

HighestLowest

Mitigation strategies: tailored approaches to risks’ specificities

The survey shows that an ACCEPTANCE strategy is applied for strategic/external risks in most cases, while TRANSFER and REDUCTION strategies are mainly applied to operational/internal risks. A risk transfer strategy is applied in a limited number of instances, most frequently where risks are easy to quantify including business continuity disruption and interest rate/foreign exchange.

External risks Accept Economic conditions; Demographics; Political, country instability; Increase of fiscal and tax regulation ...

• Internal risks Reduce Strategic project failures; Security; Safety, health; Non-compliance with regulation and legislation …

Risk coverage strategy: tailored approaches to risks’ specificities – Focus on TOP 10 Risks

0%

20%

40%

60%

80%

100%

Reduction Transfer Accepted

Mitigation strategies: tailored approaches to risks’ specificities

Strategic project failures

Security

Fraud, Bribery and Insider Dealing

Safety, health

Noncompliance with regulation and legislation

68%

66%

65%

65%

64%

Reduction strategy

Loss of assets (buildings, equipment,IP)

Terrorism

Business continuity disruption

Interest rate & Foreign exchange

Supply chain, outsourcing/off shoring, logistics & transport

66%

46%

34%

33%

29%

Transfer strategy

Economic growth/slowdown

Demographics

Political, country instability (crisis, war, regulatory changes)

Increase of fiscal and taxes regulation (including fiscal optimization)

Competition

69%

68%

66%

56%

48%

Acceptance strategy

The economic environment and political instability are considered the highest accepted risks, and these are also the areas of risk with the lowest level of mitigation, because there are limits to what businesses can do to mitigate/hedge against such forces.

Non compliance with regulation and legislation, reputation and ‐brand, and cyber and IT related risks have a lower acceptance ‐level. Here, risk transfer or risk reduction can be used.

'Reduction' and 'Acceptance' are considered to be the most common strategies, risk transfer being a viable alternative. Risk managers are willing to put in place internal processes to reduce exposure or to accept these risks.

Risk map 2016

5 high risks have a low level of mitigation ("improvement zone") The improvement zone represents high risks with a low level of mitigation. The survey indicates that out of the five risks in the improvement zone, three are strategic or external risks: ‐ Political, country instability ‐ Economic conditions ‐ Market strategy, clients

Two operational/internal risks in the improvement zone are not included in the top 10 risks but are key topics for risk management: ‐ Human resources / key people, social security ‐ Supply chain

The two new risks join the top 10 in the monitoring zoneThe monitoring zone represents high risks that are assessed with a better level of mitigation than others.A majority of operational risks can be found in this zone and are high on the agenda for risk management.

The two newly introduced risks in the top 10 business continuity disruption and cyber ‐attacks/data privacy – directly join the monitoring zone.

The survey reveals that European organisations surprisingly rate risks related to ‘digital transformation’ and ‘strategy execution and transformation programmes’ with low impact and likelihood, whereas they both are ‘hot topics’ in the context of a changing economic environment.

Risk map 2016

European Priorities

Our study uncovers three clear priorities for FERMA on the EU stage:• Establish official recognition of the Risk Manager,• Advise on implementation of Data Protection Regulation and • Represent risk managers’ views on increased reporting and transparency requirements.

1. Recognition of the profession (legal basis)

The survey shows a strong desire for official recognition of the profession, not only by organisations but also by public authorities. There is a broad support for the establishment of a legal basis for the profession (57%).

Respondents believe that risk management should be embedded in non-financial sectors as a matter of good corporate governance and resilience. The position of the risk manager is not yet considered mandatory outside financial services.

FERMA’s strategic vision is of “a world where risk management is embedded in the business model and culture of organisations”. It is our mission to achieve greater recognition for risk managers among EU policymakers and raise awareness among EU institutions of the fundamental role of risk managers.

FERMA’s insight

European Priorities

2. Digital (cybersecurity and data protection ) Cyber is the top priority for risk managers (combined 68%)

Survey shows that cyber is an enterprise risk and not an IT risk only by stressing the risk manager’s role concerning cyber risk assessmentRisk managers are in need of a methodology to better manage the cyber risk and ways to optimize the distribution of their financial investments, notably:

• Cybersecurity norms• The insurance solutions tailored to the needs of their organisation

Data protection is the top European priority (55%) and a compliance challenge for risk managers. Companies will have to comply with new requirements when the EU Data Protection Regulation comes into effect in 2018. Risk managers are especially concerned about the notification of data breaches and possible fines, the appointment of a data protection officer and the data protection impact assessment to be performed.

FERMA will focus its efforts on providing information and advice on the implementation of dataprotection and continue to stress the importance of ERM in the management of digital risks, includingcyber.

FERMA’s insight

European Priorities

3. Corporate transparency Corporate governance and transparency come in third place with 52% in the context of:

1. New EU proposals for corporate transparency and extended reporting requirements (Country by Country Reporting and Non Financial Reporting)‐

2. The OECD (Organisation for Economic Co-operation and Development), Base Erosion and Profit Shifting (BEPS) recommendations, published in October 2015 and their impact on captives

The study shows the demand to explore these wide-ranging risks (52.2%) – from reputation and global competitiveness down to cross-border synergies and their management – and implement a finely balanced set of requirements, taking into account checks that ensure the right level of transparency while bearing in mind the inevitable administrative costs they will impose on companies.

FERMA has been active on this dossier and will continue to be involved and advocate for• The inclusion of ERM in the Non-Financial Reporting Directive guidelines• The role played by risk managers in the context of Country by Country Reporting• The recognition of captives as a needed risk financing tool for companies

FERMA’s insight

4. Insurance: Evolution of the Insurance Market and Risk Managers’ Expectations

Loss control and prevention become priority number one

Foreseen changes to insurance programmes as a result of the current financial and economic climate

Strengthening loss prevention activity is the most important expected change to insurance programmes with an increase of 10 points since 2014, as a result of the current economic and financial climate. Nearly 54% of risk managers intend to invest in loss prevention activity in order to seek balance sheet protection. This ‐confirms the value to insurers of providing of risk engineering services.

The study also shows a decrease in the importance of negotiating long term agreements or roll overs, ‐compared to two years ago (43% in 2016 compared to 50% in 2014). This is a clear indication of a soft market, and suggests that buyers do not expect rapid changes in pricing levels.

There is a noticeable increase in organisations accelerating their claims settlement process from 24% in 2014 to 31% in 2016.

Insurance buying patterns

There have been no clear changes to insurance buying patterns in the last two years. There is a tendency for retentions, limits and lines either to increase or stay the same, reflecting the continued soft market.

It is interesting to note is the rise in the use of ERM tools to guide insurance purchasing decisions from 15% in 2014 to 20% in 2016, which seems to underline the increased combination of risk management with financial decisions.

Compliance with local regulations remains a key consideration for international coverage.It is still by far the most important reason for implementing standalone policies in certain countries (54%).

There have been no significant changes in service delivery regarding the issuance of multinational policies, compared to 2014.

Compliance to local regulation remains a key consideration for international coverage

Policies issued… 2012 2014 2016 Trend

… before inception date 15% 18% 18%

…within 3 months of inception date

65% 68% 67%

…more than 3 months after inception date

20% 14% 15%

There have been no significant changes in service delivery regarding the issuance of multinational policies, compared to 2014.

Loss control services and claims handling

Property Liability (public, products)

Cyber D&O Motor

60% 61%66%

48%

35%

58%

66% 68%

46%41%

For service providers (brokers, insurers, third parties)Within own organisation

Main areas of improvement related to loss control services alongside insurance policies

Claims data are more important than ever, according to the study. Risk managers increasingly use claims data to conduct insurance programme retention optimisation (66% in 2016 compared to 57% in 2014) and insurance programme limit optimisation (45% in 2016 compared to 47% in 2014). Assessing the cost of uninsured risks ranks third in terms of use of claims related data (45% in 2016 compared to 33% in ‐ 2014).

Tailor made and user friendly reporting capabilities as well as claims management tools remain the top‐ ‐two priorities for improvement in terms of IT platform/portal for risk and insurance management, eithervia an in house or external solution.

For both service providers and within their own companies, risk managers believe that cyber, liability and property are the main areas for improvement in relation to loss control services, alongside insurance policies.

Loss control services and claims handling

The three main areas of improvement for service providers (brokers, insurers etc) related to loss control services and claims handling asked by risk managers are:

• Confirmation of coverage as quickly as possible (38.7%)• Policy wording tests (36.9%)• Co-ordination between teams involved (35.5%)

Other important areas of improvement include building relationships at the pre-loss stage between insureds, insurers and brokers, and lessons learned in the post loss stage. Transparent and clear communication is needed at all stages of the claims process: prior to a loss, during a loss and after a loss. For companies themselves, key areas of improvement are different.

• Lessons learned analysis is key for risk managers with 53.9% believing that they need to improve this within their organisation.

• This is followed by crisis management simulations at the pre loss stage with a 10% increase in improvement required versus 2014, and the setting up of claims handling procedures and the co-ordination between teams involved.