
FERMA presentation at the IIA Belgium Conference

Date post: 08-Jul-2015
Upload: ferma
Transcript
Page 1: FERMA presentation at the IIA Belgium Conference

COORDINATION OF THE ASSURANCE FUNCTIONS

Julia Graham

President of FERMA

Page 2: FERMA presentation at the IIA Belgium Conference

WHERE WE ARE

22 member associations in 20 countries

Over 4300 individual members who are responsible for risk management and/or insurance in their organisations

Page 3: FERMA presentation at the IIA Belgium Conference

OUR MEMBER ASSOCIATIONS

Page 4: FERMA presentation at the IIA Belgium Conference

OUR PURPOSE

Page 5: FERMA presentation at the IIA Belgium Conference

WORLD ECONOMIC FORUM GLOBAL RISK REPORT 2014

The 10 risks of highest concern to respondents are:

1. Fiscal crises in key economies
2. Structurally high unemployment/underemployment
3. Water crises
4. Severe income disparity
5. Failure of climate change mitigation and adaptation
6. Greater incidence of extreme weather events
7. Global governance failure
8. Food crises
9. Failure of a major financial mechanism/institution
10. Profound political and social instability

Source: World Economic Forum, Global Risks 2014

Page 6: FERMA presentation at the IIA Belgium Conference

WE LIVE AND WORK IN A RISKIER WORLD

• Faster Change

• More Complex

• Greater Connectivity

Source: World Economic Forum, Global Risks 2014

Page 7: FERMA presentation at the IIA Belgium Conference

WHICH OF THESE RISKS ARE ON CORPORATE RISK MAPS?

The 10 risks of highest concern to respondents are:

1. Economic slow down / slow recovery
2. Regulatory / legislative changes
3. Increasing competition
4. Damage to reputation / brand
5. Failure to attract or retain top talent
6. Failure to innovate / meet customer needs
7. Business interruption
8. Commodity price risk
9. Cash flow / liquidity risk
10. Political risk / uncertainties

Source: Aon Global Risk Management Survey 2013 / Underrated threats? 2013

Page 8: FERMA presentation at the IIA Belgium Conference

Top 10 2014 2012 Mitigation level Satisfaction level

1. Political – Government intervention, legal & regulatory changes

2. Reputation and brand

3. Compliance with regulation and legislation

4. Competition n.c*

5. Economic n.c*

6. Market strategy, client n.c*

7. Planning and execution of strategy

8. Human resources / key people, social security (labour)

9. Quality (design, safety & liability of products & services)

10. Debt, cash flow n.c*

THE FERMA RISK 2014 MAP

High Medium Low

*n.c = not comparable

Page 9: FERMA presentation at the IIA Belgium Conference

OUR FOCUS

Page 10: FERMA presentation at the IIA Belgium Conference

ROADS TO RUIN

▸ 18 case studies (events)

▸ 23 companies involved

▸ 7 event categories

▸ 14 industries

▸ All based on information already in the public domain

▸ Companies studied included

▸ BP, AIG, Cadbury & Schweppes, Independent Insurance, Coca-Cola, Total, Firestone, Railtrack, Northern Rock, Shell, Zurich, SocGen, Arthur Andersen and 12 others

▸ Aggregate pre-crisis value of the companies was $6trn!

▸ Risk management failures studied took place in the period 2000-2007

Page 11: FERMA presentation at the IIA Belgium Conference

WHAT CONTRIBUTED TO THE CATASTROPHIC CONSEQUENCES?

• Poor crisis management

• Failure to recognise significance of the event early enough in the crisis

• Poor stakeholder communications, including with news and social media

• Lack of awareness of the potential for reputational damage

• Failure to appreciate the importance of transparency early enough

• Failure to learn from prior experience (even with the same company)

Page 12: FERMA presentation at the IIA Belgium Conference

A BROADER APPROACH TO RESILIENCE

Resilience is about opportunity, adaptation and evolution as well as managing disruptions and crises

• Less resilient organisations are prone to failure

• Organisations are more complex, impacts materialise faster

• Can’t be expected to address all risks

• Resilience for many means focussing on operational issues, missing the more strategic ones

Source: AIRMIC and others - Roads to Resilience 2014

Page 13: FERMA presentation at the IIA Belgium Conference

RESILIENCE – THE NEW RISK MANAGEMENT?

1. Resilient companies have exceptional risk radar to detect changes in the external and internal situation

2. Resilient companies have diversified resources and assets to facilitate alternative approaches and adaptation to change

3. Resilient companies build strong relationships and networks, both internally and externally

4. Resilient companies have the ability to respond rapidly and decisively to an emerging crisis

5. Resilient companies review and adapt based on experience and changing circumstances

Source: PWC 2014

Page 14: FERMA presentation at the IIA Belgium Conference

RESILIENCE – THREE KEY MESSAGES

Resilience is about long-term surviving and thriving

Resilience is generated (and lost) by who we are, what we know, what we do and how we do it

Well understood resilience can be measured, manipulated and leveraged

Source: PWC 2014

Page 15: FERMA presentation at the IIA Belgium Conference

RISK LANGUAGE AND STANDARDS ARE IMPORTANT

Page 16: FERMA presentation at the IIA Belgium Conference

ISO 31000 DEVELOPMENT

ISO 31000 adopts a management system Plan - Do - Check - Act

ISO 31000 published in November 2009

Technical Committee and Working Group

ISO Experts for risk management and responsible for ISO 31000 maintenance and further development

Represents the opinion of countries and cultures

Undertaking a limited revision of ISO 31000 in the short term, following the principle of continual improvement

Including the human and cultural factors in risk management

Determine in the long run a more fundamental technical revision

This work will take into consideration the global development of risk and risk management

Page 17: FERMA presentation at the IIA Belgium Conference

COSO vs. ISO 31000

Lengthy vs. Short

Focused on ERM vs. General

One cube vs. Framework and process

Skewed to negative vs. Risk positive or negative

Risk already exists vs. Risk tied to objectives

Risk and opportunities vs. Opportunities as a risk

More sequential process vs. More iterative process

MANY USE COSO ERM AND ISO 31000

… Concepts not aligned

Page 18: FERMA presentation at the IIA Belgium Conference

STANDARDS OR FRAMEWORKS USED

Source: RIMS 2013 Benchmark Survey - Produced by Advisen

ISO 31000 up 5% from 2011

COSO up 2% from 2011

Page 19: FERMA presentation at the IIA Belgium Conference

THE VOICE OF EUROPEAN RISK AND INSURANCE MANAGERS

SEMINAR 2014 19

European Risk and Insurance Report

Page 20: FERMA presentation at the IIA Belgium Conference

EMBEDDED ACTIVITIES

▸ Insurance management and claims handling and insurable loss prevention

▸ Development of risk maps

▸ Assistance to other functional areas in contract negotiation, project management, acquisitions and investments

▸ Design and implementation of risk controls / prevention

Trend

Page 21: FERMA presentation at the IIA Belgium Conference

PLANNED ACTIVITIES

▸ Development and embedding of business continuity management

▸ Alignment and integration of risk management as part of business strategy

▸ Development and integration of risk culture across the organization

Trend

Page 22: FERMA presentation at the IIA Belgium Conference

REPORTING AT TOP MANAGEMENT LEVEL

A strong interaction with Top Management / Board

48% of Risk Managers present RM activities several times a year

Top 3 reporting lines

CFO: RM function 22%, IM function 31%

Board of Directors: RM function 18%, IM function 12%

CEO: RM function 17%, IM function 12%

Widespread use of risk mapping

Page 23: FERMA presentation at the IIA Belgium Conference

• Reporting at CFO level 22% with sector variations

• Board of Directors/Supervisory Board level primary reporting line of the ‘Automotive’, ‘Banking and Financial Services’ sectors

• In small companies reporting to the Board of Directors / Supervisory Board most commonly shared practice

• Reporting at CEO level mostly observed in the ‘Healthcare’, ‘Pharmaceuticals’ and ‘Real Estate’ sectors

• Reporting to the Audit and/or Risk Committee remains marginal whereas they represent advanced practices

• Reporting lines emerging functions include Business Development, Corporate Affairs, Group Controller, Commercial Assurance, Shared Services or Financial Compliance

CFOs REMAIN PRIMARY REPORTING LINE FOR RISK MANAGERS ACROSS EUROPE

Page 24: FERMA presentation at the IIA Belgium Conference

AREAS FOR REFLECTION

What is the right organisation for Risk functions?

Page 25: FERMA presentation at the IIA Belgium Conference

RELATIONSHIP BETWEEN RISK AND OTHER FUNCTIONS

Page 26: FERMA presentation at the IIA Belgium Conference

MANAGING ASSURANCE WHOSE JOB IS IT ANYWAY?

The IIA standard 2050 requires that chief audit executives share information and coordinate activities with other internal and external providers of assurance … to ensure proper coverage and minimise duplication of effort. Yet…

▸ Assurance roles and responsibilities not clearly defined

▸ Assurance functions reporting lines and not coordinated

▸ Assurance functions have different objectives

▸ Assurance functions do not base programmes on significant risks

▸ Breadth of skills in many assurance functions is limited

▸ Many assurance functions are not represented at “Top Management” and do not get heard

▸ Assurance functions often accused of not working with management

▸ Reporting dull and unconvincing

▸ Box tickers not agents of opportunity or change

Page 27: FERMA presentation at the IIA Belgium Conference

MANAGING RISK WHOSE JOB IS IT ANYWAY?

► Risk management is fundamental to organizational control and critical to providing sound corporate governance

► It touches all of the organization’s activities

► The establishment of an effective enterprise-wide risk management system is a key responsibility of management and the board

► The board are responsible for adopting a holistic approach to the identification of organizational risks, creating controls to mitigate those risks, and monitoring and reviewing the identified risks and established controls

► The board should ensure that risk management is integrated into the organization, at both the strategic and operational levels

Page 28: FERMA presentation at the IIA Belgium Conference

THE 8TH EU COMPANY LAW DIRECTIVE

▸ 1984: Conditions for approval of persons carrying out the statutory approval of accounting documents

▸ 2001: Enron influence globally

▸ 2003: Ahold and Parmalat influence in Europe

▸ 2010 – Article 41: Focus on good practice for oversight, responsibilities and relationships. Wider adoption of the Three lines of Defence model

▸ 2014 – Directive 2014/56: Focus on external audit and non-financial information reporting. Consequences for the board, internal auditors and risk managers

Page 29: FERMA presentation at the IIA Belgium Conference

RISK AND AUDIT COMMITTEE RESPONSIBILITIES

1. Review risk management systems

2. CRO or equivalent

3. External audit

4. Relationship and coordination

5. Report annually on the effectiveness and efficiency of risk management in the organization

6. Review annually the performance and terms of reference of the Committee in order to determine whether it is functioning effectively by reference to best practices

7. Oversee the integrity of the financial reporting process and financial reports

8. Review the efficiency of internal control and risk management systems

9. Review and appraise the audit activities: independence, objectivity and effectiveness of the audit process

10. Supervise the internal audit function

Audit and Risk Committees - News from EU Legislation and Best Practices

Source: Audit and Risk Committees - News from EU Legislation and Best Practices 2014

Page 30: FERMA presentation at the IIA Belgium Conference

THREE LINES OF DEFENSE

Source: Audit and Risk Committees - News from EU Legislation and Best Practices 2014

Page 31: FERMA presentation at the IIA Belgium Conference

FERMA STRATEGIC ACTIONS

Page 32: FERMA presentation at the IIA Belgium Conference

THE PROFESSION OF RISK LEADERS

▸ ACCREDITATION: verifying that third parties can demonstrate their competence to carry out specific conformity assessment tasks

▸ CERTIFICATION: verifying that individual candidates have adequate credentials to practice the risk management discipline

Through the Certification Process, FERMA will set up a standard to evaluate the candidate's skills along with other pillars such as experience, ethics and CPD.

Page 33: FERMA presentation at the IIA Belgium Conference

FERMA CERTIFICATION

Values

Page 34: FERMA presentation at the IIA Belgium Conference

FERMA CERTIFICATION

The aim is to certify the competence of Risk Managers

• Certification and Accreditation launched in parallel

• Certification application through

  • online submission

  • file review

  • interview

• Certified Risk Managers will be part of an Alumni

• Longer term, two certification levels planned

• First Awards at the 2015 FERMA Forum

• FERMA will accept applications globally

Page 35: FERMA presentation at the IIA Belgium Conference

ANY QUESTIONS?

