COORDINATION OF THE ASSURANCE FUNCTIONS
Julia Graham, President of FERMA
WHERE WE ARE
22 member associations in 20 countries
Over 4300 individual members who are responsible for risk management and/or insurance in their organisations
OUR MEMBER ASSOCIATIONS
OUR PURPOSE
WORLD ECONOMIC FORUM GLOBAL RISK REPORT 2014
The 10 risks of highest concern to respondents are:
1. Fiscal crises in key economies
2. Structurally high unemployment/underemployment
3. Water crises
4. Severe income disparity
5. Failure of climate change mitigation and adaptation
6. Greater incidence of extreme weather events
7. Global governance failure
8. Food crises
9. Failure of a major financial mechanism/institution
10. Profound political and social instability
Source: World Economic Forum, Global Risks 2014
WE LIVE AND WORK IN A RISKIER WORLD
• Faster change
• More complex
• Greater connectivity
Source: World Economic Forum, Global Risks 2014
WHICH OF THESE RISKS ARE ON CORPORATE RISK MAPS?
The 10 risks of highest concern to respondents are:
1. Economic slowdown / slow recovery
2. Regulatory / legislative changes
3. Increasing competition
4. Damage to reputation / brand
5. Failure to attract or retain top talent
6. Failure to innovate / meet customer needs
7. Business interruption
8. Commodity price risk
9. Cash flow / liquidity risk
10. Political risk / uncertainties
Source: Aon Global Risk Management Survey 2013 / Underrated threats? 2013
THE FERMA RISK 2014 MAP
Top 10 risks, 2014 ranking (the original chart also gives the 2012 ranking and rates mitigation level and satisfaction level as High / Medium / Low; *n.c = not comparable with 2012)
1. Political – Government intervention, legal & regulatory changes
2. Reputation and brand
3. Compliance with regulation and legislation
4. Competition (n.c*)
5. Economic (n.c*)
6. Market strategy, client (n.c*)
7. Planning and execution of strategy
8. Human resources / key people, social security (labour)
9. Quality (design, safety & liability of products & services)
10. Debt, cash flow (n.c*)
OUR FOCUS
ROADS TO RUIN
▸ 18 case studies (events)
▸ 23 companies involved
▸ 7 event categories
▸ 14 industries
▸ All based on information already in the public domain
▸ Companies studied included
▸ BP, AIG, Cadbury & Schweppes, Independent Insurance, Coca-Cola, Total, Firestone, Railtrack, Northern Rock, Shell, Zurich, SocGen, Arthur Andersen and 12 others
▸ Aggregate pre-crisis value of the companies was $6trn!
▸ Risk management failures studied took place in the period 2000-2007
WHAT CONTRIBUTED TO THE CATASTROPHIC CONSEQUENCES?
• Poor crisis management
• Failure to recognise significance of the event early enough in the crisis
• Poor stakeholder communications, including with news and social media
• Lack of awareness of the potential for reputational damage
• Failure to appreciate the importance of transparency early enough
• Failure to learn from prior experience (even with the same company)
A BROADER APPROACH TO RESILIENCE
Resilience is about opportunity, adaptation and evolution as well as managing disruptions and crises
• Less resilient organisations are prone to failure
• Organisations are more complex, impacts materialise faster
• Can’t be expected to address all risks
• Resilience for many means focussing on operational issues, missing the more strategic ones
Source: AIRMIC and others - Roads to Resilience 2014
RESILIENCE – THE NEW RISK MANAGEMENT?
1. Resilient companies have exceptional risk radar to detect changes in the external and internal situation
2. Resilient companies have diversified resources and assets to facilitate alternative approaches and adaptation to change
3. Resilient companies build strong relationships and networks, both internally and externally
4. Resilient companies have the ability to respond rapidly and decisively to an emerging crisis
5. Resilient companies review and adapt based on experience and changing circumstances
Source: PWC 2014
RESILIENCE – THREE KEY MESSAGES
Resilience is about long-term surviving and thriving
Resilience is generated (and lost) by who we are, what we know, what we do and how we do it
Well-understood resilience can be measured, manipulated and leveraged
Source: PWC 2014
RISK LANGUAGE AND STANDARDS ARE IMPORTANT
ISO 31000 DEVELOPMENT
ISO 31000 adopts a management system: Plan - Do - Check - Act
ISO 31000 published in November 2009
Technical Committee and Working Group: ISO experts for risk management, responsible for ISO 31000 maintenance and further development; represents the opinion of countries and cultures
Undertaking a limited revision of ISO 31000 in the short term, following the principle of continual improvement, including the human and cultural factors in risk management
Determine in the long run a more fundamental technical revision; this work will take into consideration the global development of risk and risk management
COSO vs. ISO 31000
Lengthy vs. Short
Focused on ERM vs. General
One cube vs. Framework and process
Skewed to negative vs. Risk positive or negative
Risk already exists vs. Risk tied to objectives
Risk and opportunities vs. Opportunities as a risk
More sequential process vs. More iterative process
MANY USE COSO ERM AND ISO 31000
… Concepts not aligned
STANDARDS OR FRAMEWORKS USED
Source: RIMS 2013 Benchmark Survey - Produced by Advisen
ISO 31000 up 5% from 2011
COSO up 2% from 2011
THE VOICE OF EUROPEAN RISK AND INSURANCE MANAGERS
European Risk and Insurance Report
EMBEDDED ACTIVITIES
▸ Insurance management and claims handling and insurable loss prevention
▸ Development of risk maps
▸ Assistance to other functional areas in contract negotiation, project management, acquisitions and investments
▸ Design and implementation of risk controls / prevention
PLANNED ACTIVITIES
▸ Development and embedding of business continuity management
▸ Alignment and integration of risk management as part of business strategy
▸ Development and integration of risk culture across the organization
REPORTING AT TOP MANAGEMENT LEVEL
A strong interaction with Top Management / Board
48% of Risk Managers present RM activities several times a year
Top 3 reporting lines (RM function / IM function)
CFO: 22% / 31%
Board of Directors: 18% / 12%
CEO: 17% / 12%
Widespread use of risk mapping
• Reporting at CFO level 22% with sector variations
• Board of Directors / Supervisory Board level is the primary reporting line of the ‘Automotive’ and ‘Banking and Financial Services’ sectors
• In small companies, reporting to the Board of Directors / Supervisory Board is the most commonly shared practice
• Reporting at CEO level mostly observed in the ‘Healthcare’, ‘Pharmaceuticals’ and ‘Real Estate’ sectors
• Reporting to the Audit and/or Risk Committee remains marginal, although it represents advanced practice
• Emerging reporting-line functions include Business Development, Corporate Affairs, Group Controller, Commercial Assurance, Shared Services and Financial Compliance
CFOs REMAIN PRIMARY REPORTING LINE FOR RISK MANAGERS ACROSS EUROPE
AREAS FOR REFLECTION
What is the right organisation for Risk functions?
RELATIONSHIP BETWEEN RISK AND OTHER FUNCTIONS
MANAGING ASSURANCE: WHOSE JOB IS IT ANYWAY?
The IIA Standard 2050 requires that chief audit executives share information and coordinate activities with other internal and external providers of assurance ... to ensure proper coverage and minimise duplication of effort. Yet:
▸ Assurance roles and responsibilities are not clearly defined
▸ Assurance function reporting lines are not coordinated
▸ Assurance functions have different objectives
▸ Assurance functions do not base programmes on significant risks
▸ Breadth of skills in many assurance functions is limited
▸ Many assurance functions are not represented at "Top Management" and do not get heard
▸ Assurance functions are often accused of not working with management
▸ Reporting is dull and unconvincing
▸ Box tickers, not agents of opportunity or change
MANAGING RISK: WHOSE JOB IS IT ANYWAY?
► Risk management is fundamental to organizational control and critical to providing sound corporate governance
► It touches all of the organization’s activities
► The establishment of an effective enterprise-wide risk management system is a key responsibility of management and the board
► The board is responsible for adopting a holistic approach to the identification of organizational risks, creating controls to mitigate those risks, and monitoring and reviewing the identified risks and established controls
► The board should ensure that risk management is integrated into the organization, at both the strategic and operational levels
THE 8TH EU COMPANY LAW DIRECTIVE
▸ 1984: Conditions for approval of persons carrying out the statutory approval of accounting documents
▸ 2001: Enron influence globally
▸ 2003: Ahold and Parmalat influence in Europe
▸ 2010 – Article 41: Focus on good practice for oversight, responsibilities and relationships; wider adoption of the Three Lines of Defence model
▸ 2014 – Directive 2014/56: Focus on external audit and non-financial information reporting; consequences for the board, internal auditors and risk managers
RISK AND AUDIT COMMITTEE RESPONSIBILITIES
1. Review risk management systems
2. CRO or equivalent
3. External audit
4. Relationship and coordination
5. Report annually on the effectiveness and efficiency of risk management in the organization
6. Review annually the performance and terms of reference of the Committee in order to determine whether it is functioning effectively by reference to best practices
7. Oversee the integrity of the financial reporting process and financial reports
8. Review the efficiency of internal control and risk management systems
9. Review and appraise the audit activities: independence, objectivity and effectiveness of the audit process
10. Supervise the internal audit function
Audit and Risk Committees: News from EU Legislation and Best Practices
Source: Audit and Risk Committees - News from EU Legislation and Best Practices 2014
THREE LINES OF DEFENSE
Source: Audit and Risk Committees - News from EU Legislation and Best Practices 2014
FERMA STRATEGIC ACTIONS
THE PROFESSION OF RISK LEADERS
▸ ACCREDITATION: verifying that third parties can demonstrate their competence to carry out specific conformity assessment tasks
▸ CERTIFICATION: verifying that individual candidates have adequate credentials to practice the risk management discipline
Through the certification process FERMA will set up a standard to evaluate candidates' skills, along with other pillars such as experience, ethics and CPD.
FERMA CERTIFICATION
Values
FERMA CERTIFICATION
The aim is to certify the competence of Risk Managers
• Certification and Accreditation launched in parallel
• Certification application through:
  • online submission
  • file review
  • interview
• Certified Risk Managers will be part of an Alumni
• In the longer term, two certification levels planned
• First awards at the 2015 FERMA Forum
• FERMA will accept applications globally
ANY QUESTIONS?