FERMA presentation at Athens conference

Enterprise Governance, Risk and Compliance Athens 12 November 2014 Living and Working in a Riskier World Julia Graham President of FERMA

Upload: ferma

Post on 08-Jul-2015



TRANSCRIPT

Page 1: FERMA presentation at Athens conference

Enterprise Governance, Risk and Compliance

Athens 12 November 2014

Living and Working in a Riskier World

Julia Graham President of FERMA

Page 2: FERMA presentation at Athens conference

Where we are

22 member associations in 20 countries

Over 4300 individual members who are responsible for risk management and/or insurance in their organisations

Page 3: FERMA presentation at Athens conference

Our member associations


Page 4: FERMA presentation at Athens conference

FERMA is 40

Page 5: FERMA presentation at Athens conference

Our focus

Page 6: FERMA presentation at Athens conference

The 10 risks of highest concern to respondents are:

1. Fiscal crises in key economies

2. Structurally high unemployment/underemployment

3. Water crises

4. Severe income disparity

5. Failure of climate change mitigation and adaptation

6. Greater incidence of extreme weather events

7. Global governance failure

8. Food crises

9. Failure of a major financial mechanism/institution

10. Profound political and social instability

World Economic Forum – Global Risk Report 2014

Source: World Economic Forum, Global Risks 2014

Page 7: FERMA presentation at Athens conference

The 10 risks of highest concern to respondents are:

1. Economic slow down / slow recovery

2. Regulatory / legislative changes

3. Increasing competition

4. Damage to reputation / brand

5. Failure to attract or retain top talent

6. Failure to innovate / meet customer needs

7. Business interruption

8. Commodity price risk

9. Cash flow / liquidity risk

10. Political risk / uncertainties

Which of these risks appear on corporate risk maps?

Source: Aon Global Risk Management Survey 2013 / Underrated threats? 2013

Page 8: FERMA presentation at Athens conference

The 10 risks of highest concern to respondents are:

1. Economic slow down / slow recovery

2. Regulatory / legislative changes

3. Increasing competition

4. Damage to reputation / brand

5. Failure to attract or retain top talent

6. Failure to innovate / meet customer needs

7. Business interruption….?

8. Commodity price risk

9. Cash flow / liquidity risk

10. Political risk / uncertainties

Which of these risks appear on corporate risk maps?

Source: Aon Global Risk Management Survey 2013 / Underrated threats? 2013

Page 9: FERMA presentation at Athens conference

• Cyber

• Interdependency of risk

• Pandemic / health risk

• Pension scheme funding risk

• Terrorism risk

• Creativity in the insurance industry

• Increased focus on risk management spend

• Failure to attract top talent

• Unethical behaviour

• Supply chain?

Directors of Captives – sense check

Source: Aon - Underrated threats? 2013

Cyber no longer on the horizon

Innovation often comes from the producer not the customer

Increased risk complexity and connectivity adds to the challenge for risk managers

Travel increased from 683m to 1bn in a decade – yet pandemic off the radar … then came Ebola

Page 10: FERMA presentation at Athens conference

No risk is an island


Page 11: FERMA presentation at Athens conference

We live and work in a riskier world

Graphic to be replaced

Change, Complexity, Connection

Source: World Economic Forum, Global Risks 2014

Page 12: FERMA presentation at Athens conference

• Corporate risk maps tend to focus on risk where the company has some control

• These risks are big and catastrophic

• It is not clear how Boards should tackle these risks

• Do they have the know-how?

• Yet the Board is best placed to manage them

Global risks are beyond normal Board activities

Page 13: FERMA presentation at Athens conference

• Focus on impacts, outcomes and consequences for your operations, not the risks themselves

• Check critical dependencies

• Check and reinforce contingency planning and crisis management capabilities

• Improve your risk radar throughout your extended network

• Focus on agility

Managing Global Risks

Page 14: FERMA presentation at Athens conference

A broader approach to resilience

Resilience is about opportunity, adaptation and evolution as well as managing disruptions and crises

• Less resilient organisations are prone to failure

• Organisations are more complex, impacts materialise faster

• Can’t be expected to address all risks

• Resilience for many means focussing on operational issues, missing the more strategic ones

Source: AIRMIC and others - Roads to Resilience 2014

Page 15: FERMA presentation at Athens conference

Roads to Resilience

1. Resilient companies have exceptional risk radar to detect changes in the external and internal situation

2. Resilient companies have diversified resources and assets to facilitate alternative approaches and adaptation to change

3. Resilient companies build strong relationships and networks, both internally and externally

4. Resilient companies have the ability to respond rapidly and decisively to an emerging crisis

5. Resilient companies review and adapt based on experience and changing circumstances

Source: PWC 2014

Page 16: FERMA presentation at Athens conference

Resilience – three key messages


Resilience is about long-term surviving and thriving

Resilience is generated (and lost) by who we are, what we know, what we do and how we do it

Well understood resilience can be measured, manipulated and leveraged

Source: PWC 2014

Page 17: FERMA presentation at Athens conference

Risk Managers are White Swans

Page 18: FERMA presentation at Athens conference

FERMA – Strategic Actions

Page 19: FERMA presentation at Athens conference

Top 10 2014 2012 Mitigation level Satisfaction level

1. Political – Government intervention, legal & regulatory changes

2. Reputation and brand

3. Compliance with regulation and legislation

4. Competition n.c*

5. Economic n.c*

6. Market strategy, client n.c*

7. Planning and execution of strategy

8. Human resources / key people, social security (labour)

9. Quality (design, safety & liability of products & services)

10. Debt, cash flow n.c*

The 2014 FERMA Risk Map

Legend: High / Medium / Low

*n.c: not comparable

Page 20: FERMA presentation at Athens conference

• Insurance management and claims handling and insurable loss prevention

• Development of risk maps

• Assistance to other functional areas in contract negotiation, project management, acquisitions and investments

• Design and implementation of risk controls / prevention

Embedded activities


Trend

Page 21: FERMA presentation at Athens conference

• Development and embedding of business continuity management

• Alignment and integration of risk management as part of business strategy

• Development and integration of risk culture across the organization

Planned activities


Trend

Page 22: FERMA presentation at Athens conference

Knowledge and Skills required


Page 23: FERMA presentation at Athens conference

Three Lines of Defense

Source: Audit and Risk Committees - News from EU Legislation and Best Practices 2014

Page 24: FERMA presentation at Athens conference

1. Review risk management systems

2. CRO or equivalent

3. External audit

4. Relationship and coordination

5. Report annually on the effectiveness and efficiency of risk management in the organization

6. Review annually the performance and terms of reference of the Committee in order to determine whether it is functioning effectively by reference to best practices

7. Oversee the integrity of the financial reporting process and financial reports

8. Review the efficiency of internal control and risk management systems

9. Review and appraise the audit activities: independence, objectivity and effectiveness of the audit process

10. Supervise the internal audit function

Risk and Audit Committee responsibilities

Audit and Risk Committees - News from EU Legislation and Best Practices

Page 25: FERMA presentation at Athens conference

Risk Language and Standards are important

Foundations – our profession

Page 26: FERMA presentation at Athens conference

COSO ISO 31000

Lengthy vs. Short

Focused on ERM vs. General approach to managing risk

One cube vs. Framework and process

Skewed to negative vs. Risk can be positive or negative

Risk already exists vs. Risk tied to achieving objectives

Risk & opportunities vs. Opportunities also source of risk

More sequential process vs. More iterative process

Many use COSO ERM and ISO 31000

… Concepts not aligned

Page 27: FERMA presentation at Athens conference

Standards or Frameworks Used

Source: RIMS 2013 Benchmark Survey - Produced by Advisen

ISO 31000 up 5% from 2011

COSO up 2% from 2011

Page 28: FERMA presentation at Athens conference

ISO 31000 adopts a management system: Plan - Do - Check - Act

ISO 31000 published in November 2009

Technical Committee and Working Group

• ISO Experts for risk management

• Responsible for ISO 31000 and its maintenance and further development

• Represents the opinion of countries and cultures

Undertaking a limited revision of ISO 31000 in the short term, following the principle of continual improvement

• Including the human and cultural factors in risk management

Determine in the long run a more fundamental technical revision

• This work will take into consideration the global development of risk management

ISO 31000 Development

Page 29: FERMA presentation at Athens conference

FERMA Certification – our profession

Page 30: FERMA presentation at Athens conference

• A frequently used word at cocktail parties

• Innovation is not invention

• We live and work in a riskier world

• Organizations need solutions for the conventional and unconventional

• Are insurers up to the challenge?

• Are brokers up to the challenge?

• Are we up to the challenge?

Innovation – our needs

"It’s about the people you have, how you are led, and how much you get it" - Steve Jobs

Page 31: FERMA presentation at Athens conference

• Managing Diversity makes business sense:

– 78% risk managers are over 45 years old

– 73% risk managers are male

• Diversity demands:

– Leadership by Top Management

– Leadership by example

– Action not just words

• Sustainable change not a project

• Diversity is more than gender

– Culture

– Gender

– Age

– Ethnicity

Diversity – our assets

Page 32: FERMA presentation at Athens conference

Come and join us!

Page 33: FERMA presentation at Athens conference

Any Questions?
