
Risk Manager Barometer Survey 2017 5th edition · Since the third edition of the Risk Manager...

Date post: 17-Oct-2020
2017 Management des Risques et des Assurances de l’Entreprise in partnership with 5 th edition Risk Manager Barometer Survey

2017

Management des Risques et des Assurances de l’Entreprise

in partnership with

5th edition

Risk Manager Barometer Survey


The 2017 Risk Manager Barometer Survey

Published every two years, the survey report is designed to provide insight into the risk management profession and gauge changes over time in order to serve as a key benchmarking tool while also helping to promote the profession.

In the face of new challenges in an increasingly complex environment, risk managers have reached a turning point at which they need to become actors of change: they are called on to address and adapt to the new challenges and compliance issues facing companies today as well as the impact of the digital transformation and the resulting changes to business models. In this environment, risk managers have an imperative to develop their leadership and fully assume their role working alongside management as it grows in maturity with regards to risk management issues, from determining strategy to implementing it. Senior management, with whom relationships are strengthening year after year, is becoming increasingly receptive to risk management advice. Risk managers should therefore position themselves within their companies as strategic advisors. This new strategic role, as well as ever-growing recognition of risk managers' work, are bringing excitement to the profession.

This fifth edition of AMRAE's risk manager barometer survey was carried out in partnership with PwC, whom we would like to thank for their involvement in surveying a large panel of risk managers in France.

The information presented in the report was prepared using an analysis of the results of an online questionnaire of more than 270 people conducted between January and April 2017. The panel of risk managers included everyone working in risk management, both "top managers" and their teams. AMRAE would like to thank all participants for the time and care they took in answering the survey.

As with previous editions, the 2017 survey gives us a platform for analysing risk managers' profiles, roles and responsibilities, compensation and career development opportunities. This year's report also includes information on the role of risk managers in managing risks related to company strategy, risk communication and relationships with other functions.

We hope you enjoy reading the survey report.

Brigitte Bouquot

AMRAE Chairman & CEO

François Malan

Vice President (Occupational issues), AMRAE

Françoise Bergé

Partner, Risk Management, PwC France

Editorial


Profiles

The majority of risk managers surveyed were men (55%) aged 46 years and over (53%). The proportion of women in the panel continued to rise, standing at 45% compared with 41% in 2015 and 28% in 2013.

Risk managers still hold degrees in the same three main fields of study as in 2013 and 2015, i.e., Law (33%), Business/Management/Economics (33%) and Engineering/Science (27%). The proportion of risk managers with degrees in Law and Engineering/Science has risen since 2015, when they represented 24% and 22% of the panel respectively.

As with previous editions, the risk managers surveyed mainly work in large companies (62% in 2017 versus 63% in 2015) in the industrial and services (44%) and insurance (17%) sectors.

There has been a net decrease in the proportion of risk managers working exclusively in insurance and prevention (from 42% in 2013 to 31% in 2015 and 24% in 2017) and a corresponding increase in the proportion of risk managers working exclusively in ERM (from 31% in 2015 to 40% in 2017). The proportion of risk managers handling risks and insurance has remained stable (38% in 2015 versus 36% in 2017).

Roles and responsibilities

Among the tasks listed in AMRAE's Risk Manager Framework, respondents indicated that their work mainly involves:

• developing a risk culture (82%);
• assessing risks (79%);
• controlling risks (70%).

In addition to these tasks specific to risk management, 32% of the risk managers surveyed indicated that they were also in charge of internal control and 18% in charge of compliance.

As in previous years, risk managers still deal with a wide range of risks, including:

• operational risks (91%);
• fraud risks (83%);
• cybersecurity risks (79%);
• environmental risks (79%).

Cybersecurity risks entered the top 3 this year, in particular because risk managers are spending more and more of their time addressing these pressing issues.

There has also been an increase in the proportion of risk managers handling compliance risks (77% in 2017 versus 59% in 2015) and safety/security risks (76% in 2017 versus 70% in 2015), which could be the result of the more stringent regulatory environment (Sapin 2, GDPR, duty of care, etc.) and ever growing safety/security challenges.

Executive summary


Compensation

Risk managers' average annual gross salary was on par with 2015, at €107,000 for "top managers" (versus €108,000 in 2015) and €84,000 for "non-top managers" (unchanged since 2015).

Although the gender pay gap has shrunk since 2015, women risk managers still earn less than their male counterparts. There was an 8% gap among "top managers" this year, down from 15% in 2015.

Risk managers in Ile-de-France earned more than risk managers in the rest of France. There was a 23% gap among "non-top managers" and a 20% gap among "top managers", well below the national average of around 28%.

Career development

On a professional level, 79% of risk managers think that instilling a risk culture is the most important avenue for advancing the profession. On a personal level, 50% of risk managers would like to remain risk managers but at another company.

In conclusion, there has been a rise, from 53% in 2015 to 63% in 2017, in the proportion of risk managers who think that their work is increasingly recognised within their organisations.

New

Where strategy-related risks are concerned, 41% of respondents said that they identify and analyse the risks of the different strategies drawn up by their organisations.

In addition, 76% of risk managers stated that they communicate externally on risks.

Resources

By "resources", the survey refers to the different points of leverage available to risk managers.

The risk managers surveyed mainly report to senior management (44%) or the finance department (31%) and have direct access to the CEO (63%). In 2015, 36% of the risk managers surveyed said that they reported to senior management.

Although only 45% of the risk managers surveyed said that they had a close relationship with the safety/security function, 76% include safety/security risks in their scope of analysis.

To help them carry out their duties effectively, risk managers who oversee insurance and prevention are assisted by teams of fewer than five people (70% in 2017 versus 66% in 2015). Risk managers who are in charge of ERM are assisted by teams of fewer than three people (60% in 2017 versus 76% in 2015).

The proportion of respondents who believe that their budget is sufficient has fallen to 58% this year, from 77% in 2015.

New topics


The survey panel

Profiles
  Focus areas
  Demographics
  Education & training
  Hiring channels and methods
  Work experience in risk management
  Employer

Roles and responsibilities
  The Risk Manager Framework
  Spotlight on Insurance and Prevention (IP)
  Other responsibilities
  Types of risks

Resources
  Teams
  Operating budget
  Risk managers within their organisations

Compensation
  Fixed compensation (salary)
  Variable compensation (bonus)
  Compensation factors

Career development
  Future of the profession
  Personal career development opportunities

Contents


This fifth edition of the survey is designed to gauge changes in the purpose and role of the risk management profession over time. It helps to improve visibility regarding the profession and can be used as a legitimate benchmarking tool to assess risk managers' role in the current business environment.

The survey was carried out by AMRAE between January and April 2017 among more than 270 risk managers in France. Around 200 complete responses were collected this year, versus 188 in 2015.

The report covers five key areas:

• profiles;
• roles and responsibilities;
• resources;
• compensation;
• career development.

It also includes information on:

• risk managers and strategy;
• risk managers and risk communication;
• risk managers and safety/security.

The panel of survey participants covered both members and non-members of AMRAE and included risk managers working in ERM and IP, in companies varying in size and representing a range of sectors. As in 2015, the survey was open to "top managers" and their teams.

This year, women made up 45% of the panel and men 55% (versus 59% in 2015), reflecting a further influx of women into the profession.

The participants were also younger this year, which can largely be explained by the larger proportion of "non-top managers" in the panel (43% in 2017 versus 40% in 2015).

The survey panel

"Top manager": person who holds the most senior position in an organisation's risk management function.


Focus areas

The survey analysis is based on the following three risk manager profiles:

• ERM (Enterprise Risk Management): risk managers in charge of a company's overall risk management;

• IP: risk managers who deal with insurance and the prevention of insurable risks;

• IP/ERM: risk managers who handle both insurance and prevention issues and enterprise risk management.

Breakdown by professional profile

Since the third edition of the Risk Manager Barometer Survey in 2013:

• the proportion of risk managers with an ERM profile, particularly "non-top managers", has increased;

• the proportion of "top managers" with an IP/ERM profile has increased;

• the proportion of "top managers" and "non-top managers" with an IP profile has decreased.

This change reflects the wide variety of responsibilities allocated to risk managers, whose role now increasingly includes ERM.

Profiles

With respect to the profiles of "top managers" and "non-top managers":

• 47% of "top managers" have an IP/ERM profile (versus 45% in 2015);
• 50% of "non-top managers" have an ERM profile.

In 2015, "non-top managers" largely had an IP profile (42%).

Breakdown by professional profile (2015 / 2017):

• Exclusively ERM: 31% / 40%
• IP/ERM: 38% / 36%
• Exclusively IP: 31% / 24%


Demographics

Age

Risk management positions still tend to be held by more experienced professionals.

53% of the survey participants were over 45 (versus 53% in 2015). This age group accounted for as much as 64% of "top managers" (versus 65% in 2015).

While ERM risk managers are getting younger, IP and IP/ERM risk managers are getting older.

Age group by profile (Under 35 / 35-45 / 46-55 / Over 55):

• IP: 10% / 33% / 45% / 12%
• IP/ERM: 20% / 24% / 35% / 21%
• ERM: 22% / 30% / 30% / 18%
• Total: 18% / 29% / 36% / 17%


Gender

More than one in two survey respondents were men (55%), but the proportion of women in the panel grew from year to year (28% in 2013, 41% in 2015 and 45% in 2017).

Age group by gender (men / women):

• Under 35: 11% / 7%
• 35-45: 13% / 15%
• 46-55: 19% / 17%
• Over 55: 12% / 6%
• Total: 55% / 45%

The proportion of women "top managers" in the panel has increased this year to 42%, from 37% in 2015.

I was recently hired by my company to fill the risk manager position, following the retirement of my predecessor. In addition to finding a candidate who met the requirements of the position, management was very keen to increase the number of women in the finance department and was therefore looking to hire a woman. My company has reached a turning point with respect to its governance structure and is paying special attention to developing best practices, in particular regarding hiring and diversity.

This may be happening in other companies too. Until very recently, the vast majority of risk managers were men.

Companies are taking advantage of the recent wave of retirements to replace outgoing men risk managers with women. This demonstrates their commitment to appointing women to positions of major responsibility. This could explain the increase in the proportion of women in the survey panel this year. The profession is diversifying and expanding, and risk managers are now handling a wide variety of issues. Women risk managers are well suited to the profession because of their ability to have a broad, cross-functional vision.

Testimonial

Risk manager at an international French manufacturing company


Location

The large majority of survey respondents work in an organisation based in Ile-de-France, where many holding companies and registered offices are located.

• Ile-de-France: 72.5%
• Rest of France: 22.8%
• World: 4.7%

Education & training

NB: This was a multiple choice question.

Initial field of study

The survey respondents' main initial fields of study were the same as in 2015, although there were some changes in the composition of each profile.

The three main fields of study were the same in 2015, but the proportions were different:

1. Business/Management/Economics (31%);

2. Law (24%);

3. Engineering/Science (22%).

Although the proportion of risk managers with a first degree in Law dropped significantly in 2015, a reverse trend was observed in 2017. Law has in fact become the most popular degree among IP/ERM risk managers and the proportion of ERM risk managers having studied Law has risen from 3% in 2015 to 6% in 2017. The increase in the proportion of risk managers with a degree in Law can be explained by increased regulatory pressure in recent years.

IP IP/ERM ERM Total

Business/Management/Economics 10% 20% 33%

Law 12% 6% 15% 33%

Engineering/Science/Medicine 10% 12% 5% 27%

Risk Management (DESS, Master, etc.) 5% 5% 13%

Political Science/Foreign Languages 7%

Insurance (Enass, etc.) 5% 11%

Other

- Law is still the most popular field of study for IP risk managers. It is now also the most popular field of study for IP/ERM risk managers (up from 8% in 2015 to 12% in 2017), closely followed by Business/Management/Economics and Engineering/Science.

- As previously, the majority of ERM risk managers have degrees in Business/Management/Economics.

Spotlight: breakdown by profile



A breakdown of the respondents by age reveals that risk managers have highly diverse educational backgrounds.

The proportion of risk managers under 35 holding Science/Engineering degrees has increased from 6% in 2015 to 35% in 2017, making it the most popular field of study for this age group. As in 2015, a large proportion of survey respondents under 35 have pursued specialised studies in Risk Management (30%).

Above and beyond these main fields of study:

• 38% of under 35s hold a degree in Insurance (16%) and Political Science (11%) as well as Actuarial Science, Accounting and Finance;

• 31% of the 35-45 age group also hold a degree in Insurance (14%);

• 23% of the 46-55 age group hold a degree in a field of study other than the main three fields outlined above, such as Insurance (9%) and Political Science (7%);

• 18% of over 55s hold a degree in another field of study, including Political Science (6%) and Insurance (3%).

[Chart: main fields of study (Risk Management, Law, Engineering/Science, Business/Management/Economics) by age group (Under 35, 35-45, 46-55, Over 55)]


Additional training in risk management

Risk management

More than half (62%) of the risk managers surveyed have pursued additional training in risk management.

Nearly 70% of risk managers aged 35 to 55 and 50% of those aged under 35 and over 55 have received additional training in risk management.

56% have undertaken training to improve skills and 22% after taking on a new position.

The Associate in Risk Management (ARM) training programme is now the most popular (27% in 2017 versus 17% in 2015), closely followed by theme-based AMRAE seminars (25% in 2017 and 2015). The uptake of CEFAR seminars fell slightly (9% in 2017 versus 13% in 2015).

In addition, 28% of risk managers stated that they had undertaken training other than that listed, such as the Certified Enterprise Risk Analyst (CERA) qualification.

[Chart: additional training in risk management by profile (IP, IP/ERM, ERM, Total): Other; ARM (Carm Institute – AMRAE); Theme-based seminars (AMRAE); Seminars (IFACI); IMR; Post-graduate university studies (e.g., Masters in Risk Management); IGR (CNPP); Seminars (Enass); CEFAR (AMRAE)]


Uptake of finance training climbed from 27% in 2015 to 38% in 2017.

Other additional training

A total of 74% of survey respondents received other additional training (versus 60% in 2015).

83% of risk managers attended "classroom" sessions, while 21% completed e-learning modules.

Hiring channels and methods

As was the case in previous years, risk managers were mainly hired internally (32% of respondents).

37% of "top managers" found their jobs via recruitment agencies and 31% via internal mobility programmes, while "non-top managers" were largely hired through their network (34%) or internal opportunities (33%).

There has been a sharp increase in the proportion of risk managers hired via recruitment agencies/headhunters, from 17% of respondents in 2015 to 31% in 2017.

[Chart: hiring channels. Values shown: 32%, 31%, 25%, 8%, 3%, 1%. Labels: Internal mobility, Start-up, AMRAE website]

IP IP/ERM ERM Total

Personal Development (public speaking, negotiation techniques, etc.) 9% 20% 12% 41%

Finance 7% 18% 13% 38%

Risk Management/Project Management 7% 15% 15% 37%

Foreign Languages 8% 15% 11% 34%

Legal 11% 15%

- IP risk managers were mostly hired by recruitment agencies (47%).

- IP/ERM risk managers were largely recruited through their network (29%) or internal mobility (28%).

- ERM risk managers were mainly recruited via internal mobility (44%).

Spotlight: breakdown by profile

[Chart legend, hiring channels: Recruitment agency/headhunter; Unsolicited application; Network/contact]


Work experience in risk management

36% of survey respondents have more than ten years of experience in risk management (versus 39% in 2015 and 44% in 2013) and 33% have between five and ten years of experience.

Experience in risk management by profile (Less than 5 years / 5-10 years / 11-15 years / More than 15 years):

• IP: 12% / 35% / 16% / 37%
• IP/ERM: 29% / 22% / 18% / 30%
• ERM: 44% / 42% / 9% / 5%

Employer

Company size

86% of the risk managers surveyed work in large or middle-market companies, versus 91% in 2015.

In comparison with the findings of the previous edition, there has been an increase in the proportion of risk managers working in SMEs, from 5% in 2015 to 9% in 2017.

• Large company (more than €1.5 billion/5,000 employees): 62%
• Middle-market company (less than €1.5 billion/5,000 employees): 24%
• SME (less than €50 million/250 employees): 9%
• Association/NGO, Public sector entity: 4%, 1%

- IP risk managers are the most experienced: 53% have more than ten years of experience (versus 50% in 2015).

- ERM risk managers have generally been in the job for a shorter period of time, although they have gained experience since 2015: 44% have less than five years of experience in risk management (versus 52% in 2015) and 42% have between five and ten years of experience (versus 30% in 2015).

- IP/ERM risk managers have considerable experience: 49% have been in the profession for over ten years (unchanged from 2015).

Spotlight: breakdown by profile

Total (experience in risk management): less than 5 years 31%; 5-10 years 33%; 11-15 years 14%; more than 15 years 22%.


Business sector

As in 2015, the industrial sector is in first place, accounting for 33% of risk managers.

The insurance/reinsurance/health insurance sector comes second, with 17% of risk managers versus 8% in 2015, perhaps as a result of the regulatory pressure of Solvency II on this sector. There has been a decrease in the proportion of risk managers working in the services sector, from 19% in 2015 to 11% in 2017. These changes are largely related to the panel of risk managers who participated in the survey this year.

In total, 61% of respondents work in the industrial, insurance/reinsurance/health insurance and services sectors, as in 2015.

• Industry: 33%
• Insurance/Reinsurance/Health insurance: 17%
• Services: 11%
• Construction and public works/Property: 9%
• Transport/Logistics: 6%
• Advisory: 6%
• Banking/Finance: 5%
• Distribution: 4%
• Consumer goods/Luxury: 3%
• High-tech: 3%
• Media/Entertainment: 3%


The Risk Manager Framework

Roles and responsibilities

Risk managers primarily deal with the following:

• risk culture development (82%);
• risk assessment (79%);
• risk control (70%);
• risk management and reporting (70%).

Claims management no longer features on the list of key roles and responsibilities due to the sharp decrease in the proportion of IP risk managers in the panel.

The roles and responsibilities above are taken from AMRAE's Risk Manager Framework, which is available from:

> http://www.amrae.fr/referentiel-metier-du-risk-manager

Roles and responsibilities from the Risk Manager Framework (2017):

• Defining the role and structure of the IP and/or ERM risk management process: 67%
• Risk assessment: 79%
• Risk control: 70%
• Risk culture development: 82%
• Risk financing: 35%
• Management of uninsured/uninsurable events: 31%
• Claims management: 46%
• Crisis management: 37%
• Risk management and reporting: 70%


Defining the role and structure of the risk management process

The three main tasks associated with defining the role and structure of the risk management process are the same as in 2015.

ERM and IP/ERM risk managers are particularly involved in:

• preparing the risk management methodology and framework (61%);

• developing the organisational framework for risk management (61%).

Risk assessment (risk identification, analysis and evaluation)

In comparison with 2015, a larger proportion of the risk managers surveyed stated that they took part in risk assessment tasks.

Defining the company's risk appetite is the only task to be carried out by less than half of the respondents (48%).

In addition, less than half (47%) of IP risk managers carry out any of the risk assessment tasks listed in AMRAE's Risk Manager Framework.

Defining the role and structure of the risk management process:

• Identifying risk management tasks and processes (business lines, support functions): 40%
• Integrating threats and opportunities that are inherent to strategy: 41%
• Getting management and/or governance bodies to approve the risk management process and structure, and the allocation of the resources necessary to implement them: 44%
• Defining the role of the risk management process within the organisation's strategy: 46%
• Defining the risk management policy while taking into account management's and/or the governance bodies' appetite and tolerance for risk: 47%
• Preparing the risk management methodology and framework: 50%
• Developing the organisational framework for risk management: 51%

Risk assessment (values shown: 48%, 55%, 59%, 60%, 61%, 61%, 62%):

• Analysing and consolidating the organisation's major risks
• Forecasting risks and risk trends (with the business intelligence department)
• Conducting individual interviews with executives and managers
• Defining risk assessment tools and resources (scales, interview guides, registers and lists, common language, etc.)
• Conducting risk identification, analysis and assessment (prioritisation) workshops
• Mapping risks by entity/business line or by project
• Defining the company's risk appetite


- IP risk managers participate in visiting at-risk zones, identifying and preparing action plans and consolidating and monitoring such action plans.

- ERM risk managers are particularly involved in presenting and validating major risks and consolidating and monitoring action plans.

Spotlight: breakdown by profile

Risk control (keeping risks at acceptable levels based on the risk criteria used)

The proportion of risk managers involved in risk control tasks has increased across the board, from 64% in 2015 to 70% in 2017.

• Presenting/validating major risks: 58%
• Assisting in audits of acquisitions and disposals: 33%
• Analysing and implementing risk treatment action plans: 45%
• Participating in the preparation of action plans: 57%
• Identifying appropriate risk treatments: 51%
• Consolidating and monitoring action plans: 55%
• Visiting at-risk zones: 32%

Risk culture development

Risk managers' number one task is developing a risk culture (82% of respondents).

Although 91% of IP/ERM and ERM risk managers are involved in developing a risk culture, only 56% of IP risk managers are.

The fact that risk managers are getting more and more involved in risk culture development demonstrates the growing importance of this task:

• 69% of risk managers were involved in the development, management and training of a network of risk coordinators in 2017, versus 63% in 2015;

• 69% of respondents participated in major internal events in 2017, versus 60% in 2015.

• Developing, managing and training a network of risk coordinators: 69%
• Attending major events (seminars, committees, etc.): 69%
• Preparing internal communication materials on risk culture: 58%


Risk financing (this analysis only concerns IP and IP/ERM risk managers)

In comparison with 2015, the proportion of IP and IP/ERM risk managers carrying out risk financing tasks has fallen, by around ten points with respect to the top three tasks.

There has also been a sharp decrease in the proportion of risk managers creating and managing captive insurers, from 49% in 2015 to 28% in 2017.

Risk financing tasks (values shown: 28%, 47%, 48%, 50%, 50%):

• Negotiating insurance contracts
• Creating and managing a captive insurer
• Managing and implementing insurance coverage
• Identifying risk financing solutions
• Managing relations with service providers (brokers and insurers)

Management of uninsured and uninsurable events

As in 2015, less than half of the risk managers surveyed reported being involved in one of these tasks.

[Chart: management of uninsured and uninsurable events. Identifying and integrating resources and action plans (24%); Qualifying events; Managing feedback. Other values shown: 21%, 22%.]

Claims management (this analysis only concerns IP and IP/ERM risk managers)

In line with the decrease in the proportion of IP risk managers in the panel, the proportion of respondents involved in claims management has fallen in comparison with 2015:

• 71% of IP and IP/ERM risk managers coordinate management with partners, versus 79% in 2015;

• 69% follow up claims, versus 77% in 2015;

• 65% qualify events, versus 72% in 2015;

• 42% validate a return to normal operations, versus 47% in 2015.

• Coordinating management with partners (brokers, insurers, experts, reinsurers, etc.): 71%
• Following up claims: 69%
• Validating a return to normal operations: 42%
• Qualifying events to determine the insurance policies that would provide coverage and any liabilities: 65%


Spotlight: breakdown by profile

The trends observed in 2015 continued in 2017:

- the majority of IP/ERM risk managers are involved in crisis management (52% in 2017 versus 56% in 2015);

- less than half of ERM risk managers are involved in crisis management (39% in 2017 versus 35% in 2015);

- only a small proportion of IP risk managers are involved in crisis management (13% in 2017 versus 12% in 2015).

• Reporting to stakeholders: 59%
• Interviewing with the media: 11%
• Coordinating with internal audit: 39%
• Maintenance and continuous improvement of the risk management process: 58%
• Leading risk committee(s): 43%
• Participating in the preparation of corporate documents (annual report, registration document, integrated reporting, etc.): 56%

Crisis management

Almost 30% of the risk managers surveyed are involved in crisis management.

Only 8% of survey participants head a crisis unit. Around 25% of respondents are active in one or more of the other areas.

• Business continuity management: 27%
• Head of a crisis unit: 8%
• Member of a crisis unit: 23%
• Maintenance and continuous improvement of crisis management procedures: 25%
• Assisting in defining, implementing and communicating on risk prevention and crisis management organisation and tools: 26%

Coordination and reporting

There has been a net increase in the proportion of risk managers involved in reporting to stakeholders, from 55% in 2015 to 59% in 2017.

As in 2015, only a small proportion of IP risk managers handle coordination and reporting (24%), while the majority of ERM and IP/ERM risk managers are involved in these areas (86%).


Spotlight on risk managers and risk communication

With respect to internal communication, risk managers are deeply involved and play an important role through a variety of tasks.

First, risk managers have a key role in developing a risk culture in their company. 69% attend major events (seminars, committees, etc.) and 58% participate in preparing internal communication materials on risk culture. A greater proportion of ERM and IP/ERM risk managers (69% and 66%, respectively) participate in drafting such materials than IP risk managers (31%).

Among the other internal communication tasks, a large majority of respondents (59%) are in charge of reporting to stakeholders. A greater proportion of ERM and IP/ERM risk managers (77% and 67%, respectively) report to stakeholders than IP risk managers (20%).

The majority of risk managers (56%) participate in preparing corporate documents, such as the annual report or the registration document. Once again, a greater proportion of ERM and IP/ERM risk managers (77% and 66%, respectively) are involved in this task than IP risk managers (9%).

In addition, 59% of risk managers regularly take part in and 17% often take part in events outside their companies, such as training programmes or round tables.

Lastly, 18% of "top managers" have given an interview to the media.

The "Risk Communication" document published by AMRAE in 2017 (vol. 7 of its Risk Control series) provides a comprehensive overview of the environment in which organisations communicate on risks as well as insights into the function.

One of the pillars of risk communication is developing a risk culture, one of the ERM tasks which I am responsible for in my company. A risk culture is based on three principles: accountability, risk-taking in the decision-making process and a risk cost-effectiveness analysis.

On this basis, the information that we communicate has to be tailored to different employee profiles. The awareness level required of a risk owner is not the same as that required of a manager or an employee.

To communicate effectively about the risk culture, risk managers can recommend a variety of tools depending on the awareness level required. They can also communicate on feedback, provide concrete examples of the control measures that have been introduced and discuss how the company responds when a risk materialises. In this way, risk managers help to promote a positive image of risk management.

Testimonial

Risk manager at a CAC 40 telecommunications company


Insurance and risk prevention

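[Chart: responsibilities of IP risk managers. Legend: Risk prevention, Insurance. Values shown: 64%, 20%, 16%.]

[Chart: insurance categories managed. Property & Casualty (59%); Property & Casualty/Personal (14%); Personal (9%); Credit; Property & Casualty/Personal/Credit; Property & Casualty/Credit. Other values shown: 7%, 2%, 9%.]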

Spotlight on Insurance and Prevention (IP)

Responsibilities

As in 2015, the majority of IP risk managers (64% in 2017 versus 68% in 2015) are in charge of both insurance and risk prevention.

There has been an increase in the proportion of risk managers in the panel who only manage risk prevention (20% in 2017 versus 13% in 2015).

Insurance categories

The proportion of IP risk managers who only manage property and casualty insurance has fallen, from 79% in 2015 to 59% in 2017. The proportion of risk managers handling property and casualty insurance and personal insurance has also dropped, from 18% in 2015 to 14% in 2017.

In contrast, the proportion of risk managers who only manage personal insurance has increased, from 3% in 2015 to 9% in 2017.

Credit insurance was added to the list of insurance categories this year and 18% of respondents indicated that they manage it.


Spotlight: breakdown by profile

- 77% of IP/ERM risk managers have another responsibility. 26% work in internal control, 22% in compliance and 19% in safety/security.

- 74% of ERM risk managers have at least one other responsibility. 56% work in internal control, nearly 25% in compliance and 19% in internal audit.

- The majority (66%) of IP risk managers do not have any other responsibilities. Those who do have other responsibilities mainly work in legal affairs (28% in 2017 versus 17% in 2015).

Other responsibilities

NB: This was a multiple choice question.

The proportion of risk managers with other responsibilities outside those related to insurance and/or risk management has increased, from 56% in 2015 to 62% in 2017.

In 2017, internal control was once again the task carried out by the greatest proportion of risk managers (32%).

• None: 38%
• Internal audit: 12%
• Internal control: 32%
• Legal affairs: 12%
• Compliance: 18%
• Other: 10%
• IS: 5%
• Finance: 9%
• Safety/security: 8%
• Quality: 8%
• CSR: 5%

Compliance is becoming an increasingly important issue for organisations. Due to the increase in regulations in recent years, compliance is at the forefront of organisations' thinking and seen as a major issue. Historically, compliance has been handled by the legal function, but risk managers have a meaningful role to play. First, risk managers offer a broader view of compliance and look beyond the legal aspects. They make the connection between compliance, company processes and business challenges. Second, thanks to their cross-functional role, risk managers facilitate the transition between theory and practice when it comes to implementing regulations. The fact that risk managers play a centralising role is very important, as compliance is an issue that affects the whole organisation and should not be dealt with exclusively at the business unit level. Risk managers offer real added value because they are at the crossroads between operational teams, support functions and governance bodies.

Testimonial

There were differences according to the size of the organisation. Of the risk managers surveyed, 48% in large companies do not have other responsibilities versus only 20% in middle-market companies and SMEs, demonstrating that risk managers in such organisations are more versatile. They are primarily involved in internal control (47%) and/or compliance (30%).

Risk manager who is also in charge of compliance


Spotlight: breakdown by profile

For IP risk managers:

- operational risks (91%);

- environmental risks (86%);

- legal risks (73%).

For ERM risk managers:

- compliance risks (95%);

- fraud risks (94%);

- reputation and operational risks (92%).

For ERM risk managers:

- operational risks (89%);

- financial risks (86%);

- customer risks (84%).

Types of risks

NB: This was a multiple choice question.

We noted that the risk managers surveyed this year handled a broader spectrum of risks than in previous years.

Cybersecurity risks jumped to third place this year, from sixth place in 2015.

[Chart: types of risks handled, 2015 and 2017. Value pairs legible in the chart: operational risks 91% and 80%; fraud risks 83% and 75%; HR risks 73% and 64%; digital risks 71% and 54%; country/political risks 70% and 58%; strategic risks 69% and 58%; governance risks 64% and 53%. Other risk types shown: cybersecurity, environmental, financial, legal, project, reputation, compliance, supplier, purchasing, customer, security/safety and supply chain risks.]


Almost twice as many IP "top managers" (15%) as ERM "top managers" (8%) reported that the size of their team had decreased over the last 12 months.

Resources

Teams

Size

NB: Only "top managers" were asked this question. Answers submitted by "top managers" with an IP/ERM profile are included in IP teams or in ERM teams.

Headcount is roughly on par with 2015. However, 19% of IP teams have fewer people while 24% of ERM teams have more people.

Trends

ERM profiles:

• 68% of ERM risk managers reported that the size of their team had remained stable, versus 74% in 2015;

• 24% reported that the number of people in their team had increased;

• 8% reported that their team had shrunk.

IP profiles:

• 66% of IP risk managers reported that the size of their team had remained stable, versus 69% in 2015;

• 19% reported that the number of people in their team had increased;

• 15% reported that their team had shrunk.

70% of IP teams are made up of fewer than five people (versus 66% in 2015) and 60% of ERM teams have fewer than three people (versus 76% in 2015).

[Chart: team size by profile (ERM profiles, IP profiles). Categories: no team; 1-2 FTE team members; 3-4 FTE team members; 5-10 FTE team members; more than 10 FTE team members. Values shown: 34%, 21%, 18%, 18%, 9% and 20%, 17%, 11%, 9%, 43%.]


Operating budget

58% of the risk managers who answered this question reported that their budgets were sufficient, down from 77% in 2015.

67% of IP "top managers" reported that their budgets were sufficient, versus 51% of ERM "top managers".

63% of ERM risk managers reported that their budgets had remained stable, in comparison with 49% of IP risk managers. 24% of IP risk managers reported that their budgets had decreased, versus 11% of ERM risk managers.

67% of IP risk managers working in middle-market companies reported that their budgets were insufficient, while 78% of those working in large companies and 57% of those working in SMEs reported that their budgets were sufficient.

The majority of ERM risk managers working in middle-market companies (52%) and SMEs (57%) reported that their budgets were insufficient.

Risk management framework

NB: IP profiles were not included in this analysis. This was a multiple choice question this year.

81% of respondents reported using a risk management framework, up slightly on the 79% of respondents who reported using a framework in 2015.

88% find that risk management frameworks help them to carry out their duties.

Nearly half of the risk managers surveyed (48%) reported using an internal risk management framework, a sharp increase on 2015 when only 28% of risk managers reported using an internal framework. 32% of respondents reported using the COSO ERM framework, versus 25% in 2015.

[Chart: risk management frameworks used. Internal framework (48%); COSO ERM (32%); ISO 31000; No framework; Other (AMF, Solvency II); FERMA. Other values shown: 23%, 19%, 14%, 5%.]


Risk managers within their organisations

[Chart: recognition of risk managers' work. Increasing: 63%; Stable: 31%; Decreasing: 6%.]

Spotlight: breakdown by profile

- ERM risk managers mainly report to senior management (60% in 2017 versus 46% in 2015) or the finance department (20%).

- IP/ERM risk managers mainly report to senior management (42% in 2017 versus 40% in 2015) or the finance department (37% in 2017 versus 22% in 2015).

- IP risk managers mainly report to the finance department (36% in 2017 versus 28% in 2015) or the legal department (27% in 2017 versus 40% in 2015).

Reporting lines

NB: This analysis only concerns "top managers". This was a multiple choice question.

The proportion of risk managers who report directly to senior management has increased, from 36% in 2015 to 44% in 2017.

• Senior management: 44%
• Internal audit department: 6%
• Legal department: 11%
• Finance department: 31%
• Corporate affairs: 13%
• Risk department: 4%
• Insurance department: 3%
• Other: 2%
• Operations department: 2%

Recognition of risk managers' work

This year, 63% of the risk managers surveyed felt that they were receiving more recognition for their work within their organisations, versus 54% in 2015.


[Chart: position in relation to senior management. L-1: 53%; L-2: 36%; L-3: 11%.]

Spotlight: breakdown by profile

- ERM profiles are mainly one level below senior management (63% in 2017 versus 47% in 2015).

- IP/ERM profiles are mostly one level below senior management (52% in 2017, on par with 2015).

- IP profiles are mainly two levels below senior management (45% in 2017, almost unchanged from 44% in 2015).

Spotlight: breakdown by profile

- Many IP risk managers do not participate in any committee, although the proportion has fallen from 69% in 2015 to 36% in 2017. 32% work on operational risk committees, versus 20% in 2015.

- ERM risk managers predominantly participate in operational risk committees (77% in 2017 versus 46% in 2015) and audit committees (54% in 2017 versus 43% in 2015).

- IP/ERM risk managers mainly participate in operational risk committees (56% in 2017 versus 51% in 2015) and Board risk committees (40%).

Risk managers' position in relation to senior management

NB: This analysis concerns "top managers" across all professional profiles.

The proportion of "top managers" who are one level below senior management has continued to increase in line with the trend observed in recent years, rising to 53% in 2017, from 43% in 2015 and 18% in 2013.

Contact with the CEO

• Direct contact: 63%
• Indirect contact: 29%
• No contact: 8%

92% of the "top managers" surveyed are in contact with their CEOs, although only 53% report directly to them.

Committee work

NB: This analysis concerns "top managers" across all professional profiles. This was a multiple choice question.

The proportion of risk managers who participate in committees, particularly strategic and executive committees, has increased sharply since 2015.

36% of risk managers work on audit committees, on par with 2015.

• Operational risk committee: 58%
• Management committee: 26%
• Audit committee: 36%
• Board risk committee: 35%
• None: 17%
• Executive committee: 14%
• Strategy committee: 10%
• Other: 9%
• Investment committee: 9%
• HSE/sustainable development committee: 8%


In 2013, AMRAE and IFACI presented a joint report entitled "Trois lignes de maîtrise pour une meilleure performance" (Three tiers of internal control for optimal performance). Its purpose is to clarify roles and responsibilities at each level of internal control. The document (in French only) is available from: http://www.amrae.fr/sites/default/files/fichiers_upload/2013_AMRAE_IFACI_PP_1709_0.pdf.

Working relations with the three tiers of internal control

NB: This analysis concerns risk managers across all professional profiles.

The majority of risk managers (67%) work closely with operations departments.

[Chart: working relations with each tier of control (close working relations, on an as-needed basis, no working relations) and whether those relations are considered sufficient (sufficient, insufficient, no opinion), for: first tier of control (operations department); second tier of control (support functions); second tier of control (risk functions); third tier of control (internal audit); external audit. Values shown for working relations: 67%, 30%, 3%; 75%, 24%, 2%; 83%, 15%, 2%; 49%, 44%, 7%; 55%, 33%, 12%. Values shown for sufficiency: 72%, 22%, 5%; 78%, 18%, 4%; 78%, 18%, 4%; 67%, 23%, 10%; 60%, 23%, 17%.]

In addition, risk managers work particularly closely with the second tier of internal control, with both the support¹ (75%) and risk² (83%) functions.

Approximately half of all risk managers work closely with the internal audit department (49%) and 44% on an as-needed basis.

55% of the respondents work on an as-needed basis with external audit teams.

More than 70% of risk managers reported that their working relations with the first and second tiers of internal control were sufficient.

1. Finance, legal, human resources and IT departments.

2. Internal control, safety, insurance and corporate affairs departments.


[Chart: working relations with the safety/security function. Close working relations: 45%. Other values shown (on an as-needed basis, no working relations): 43%, 11%.]

Spotlight on risk managers and the safety/security function

76% of risk managers include safety/security risks in their scope of analysis.

Only 45% work closely with the safety/security function, which contrasts with the findings reported on the previous page with respect to risk managers' working relations with the second tier of control, of which the safety/security function is a part. In fact, 83% of risk managers work closely with the other functions involved in their companies' risk management system³. The low proportion of risk managers who work closely with the safety/security function could be due to the fact that the safety/security function is a relatively new addition to many organisations.

Broken down by profile, more than half of IP/ERM risk managers (58%) work closely with the safety/security function (42% for IP risk managers and 36% for ERM risk managers).

Previously responsible for safety/security risks in my company, I was promoted to head of the risk prevention and control department. Safety/security risks are of course included in my risk map, which is the product of a very operational exercise. The safety/security function can seem rather distant from the realm of the risk manager given the typically non-operational nature of their risk mapping. For the safety/security function, risk maps need to be operational and can get bogged down by too much theory. Safety/security directors are usually very practical, but generally they don't take a step back often enough to see the big picture. In contrast, risk managers can sometimes seem too removed from day-to-day operations and, as a result, don't encourage cooperation with the safety/security function, which requires a pragmatic approach. In particular, safety/security functions are playing an increasingly key role in companies and the people hired to manage safety/security issues do not generally have any experience in risk mapping and management. They are not used to reporting on and sharing issues.

Fostering more effective cooperation between risk managers and the safety/security function is in the interest of both functions. Above and beyond operational issues where increased collaboration is necessary, to cover security risks in insurance for example, strengthening relations with risk managers would facilitate dialogue between safety/security directors and top management and help to make senior management more aware of safety/security issues. Greater cooperation would also enable risk managers to benefit from safety/security directors' more operational, pragmatic vision of safety/security risks, which more closely reflects day-to-day operations. In this way, risk mapping would be more relevant to operational teams and better integrated into companies' DNA.

Testimonial

Risk manager in charge of safety/security at a transport company

3. Risk functions: internal control, safety, insurance and corporate affairs departments.


Spotlight on risk managers and strategy

NB: This analysis concerns "top managers" across all professional profiles.

Working relations with the strategy function:

• On an as-needed basis (risk mapping, insurability of new activities, etc.): 73%
• Close working relations for all risks linked to company strategy: 21%
• No working relations: 6%

Role in managing risks related to company strategy:

• Identification and analysis of risks related to implementing strategy: 60%
• Identification and analysis of risks of planned strategies: 41%
• None: 21%

I've noticed that risk management is increasingly being incorporated into the strategy development process, due to the emergence of new business models and the digital transformation, which is changing the way we create value and reducing margins.

Risk managers have a broad vision of company management, from strategy to operations. They identify and assess residual risks, including those related to strategy and its implementation. This is the case in my company, where we are now being asked by the strategy function to provide insight on the risks related to the strategic goals of each business unit. We are also involved in preparing business plans, in order to ensure that the chosen scenarios are consistent with related risk assessments. Our contributions help to strengthen strategic analyses.

Given this positioning, risk managers need a multi-disciplinary team made up of knowledgeable staff who are recognised experts in their fields. However, we should bear in mind that risk managers have a specific role: their job is to explain the level of risk in their capacity as the second line of defence, but they do not decide on the risk/return level adopted by their organisations.

Testimonial

Risk manager at a CAC 40 company in the energy sector

73% of "top managers" work with their companies' strategy function on an as-needed basis, while 21% work alongside it closely.

Although 32% of ERM "top managers" work closely with the strategy function, only 18% of IP/ERM "top managers" and 14% of IP "top managers" do the same.

An analysis of the findings by organisation size shows that the smaller the organisation, the more closely risk managers work with the strategy function: 30% in SMEs versus 26% in middle-market companies versus 19% in large companies.

To the question "what is your role in managing risks related to company strategy?", 60% of "top managers" reported being involved in identifying and analysing risks related to implementing strategy and 41% reported playing a role in identifying and analysing the risks of planned strategies.

Nearly half of risk managers (48%) reported being involved in defining their companies' risk appetite. In addition, the proportion of risk managers participating in the strategy committee has increased to 10%, from 7% in 2015.


Role in managing risks related to M&A transactions

[Chart: role in managing risks related to M&A transactions. None (42%); Due diligence; Identification and analysis of project risks. Other values shown: 40%, 34%.]

Spotlight: breakdown by profile

72% of IP and IP/ERM risk managers are involved in managing the risks related to M&A transactions. 56% participate in due diligence processes and 40% are involved in identifying and analysing risks.

66% of ERM risk managers play no role in handling their companies' M&A transaction-related risks. However, 25% are involved in identifying and analysing risks and 14% participate in due diligence processes.

The majority of respondents (58%) are involved in managing the risks related to their companies' M&A transactions.


Fixed compensation (salary)

The average gross salary of "top managers" and "non-top managers" is on par with 2015. It has decreased slightly from €108,000 to €107,000 for "top managers" and remained stable at €84,000 for "non-top managers".

Compensation

Fixed gross compensation | Under 35 | 35-45 | 46-55 | Over 55 | Total
Less than €50,000 | 16 | 8 | 1 | 2 | 27
€50,000 to €100,000 | 9 | 21 | 28 | 6 | 64
€101,000 to €150,000 | 2 | 15 | 22 | 12 | 51
More than €150,000 | 0 | 2 | 11 | 13 | 25
Total | 27 | 45 | 62 | 33 | 167

54% of risk managers (i.e., 91) in all professional profiles receive a gross salary less than or equal to €100,000.

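[Chart: fixed gross compensation by age group (under 35, 35-45, 46-55, over 55) across four bands: less than €50,000; €50,000-€100,000; €100,000-€150,000; more than €150,000. Values shown: 59%, 33%, 7%; 18%, 47%, 33%; 45%, 35%, 18%; 6%, 18%, 36%, 39%; 2%; 2%.]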


Variable compensation (bonus)

Irrespective of professional profile, 77% of risk managers receive variable compensation.

• 88% of IP "top managers" receive variable compensation in an amount exceeding 10% of their fixed compensation, versus 78% of IP/ERM "top managers" and 69% of ERM "top managers".

• 54% of ERM "non-top managers" receive variable compensation in an amount below 10% of their fixed compensation, while 55% of IP/ERM "non-top managers" and 53% of IP "non-top managers" receive variable compensation in an amount exceeding 10% of their fixed compensation.

[Chart: variable compensation as a proportion of fixed compensation (under 10%, 10%-20%, over 20%) by profile (IP, IP/ERM, ERM). Values shown: 29%, 52%, 19%; 26%, 43%, 31%; 43%, 31%, 25%.]

Compensation factors

Location

Unsurprisingly, risk managers in Ile-de-France receive a higher annual gross salary than risk managers outside Paris.

While the overall pay gap between Paris and the rest of France is 28%, for risk managers:

• "non-top managers" in Ile-de-France earn 23% more than "non-top managers" outside Paris (€86,000 versus €66,000);

• "top managers" in Ile-de-France earn 20% more than "top managers" outside Paris (€115,000 versus €92,000).

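[Chart: fixed gross compensation by location (Ile-de-France, Rest of France, World) across four bands (less than €50,000; €50,000-€100,000; €100,000-€150,000; more than €150,000), with average salary in € thousands. Band values shown: 10%, 32%, 25%, 40%, 35%, 13%, 33%, 27%, 25%, 17%, 38%, 5%. Average salaries shown: €102, €84, €109.]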


Hiring methods

As in the two previous surveys, risk managers who found their current position through a recruitment agency or their network have a higher average salary than those who found their current position through other channels.

[Chart: fixed gross compensation by hiring method (recruitment agency/headhunter; unsolicited application; internal mobility; network/contact; AMRAE website) across four bands (less than €50,000; €50,000-€100,000; €100,000-€150,000; more than €150,000). Values shown: 8%, 40%, 36%, 16%; 42%, 33%, 25%; 18%, 40%, 27%, 15%; 18%, 31%, 31%, 21%; 67%, 33%.]

Company size

As in 2013 and 2015, salaries are proportional to the size of the company.

The average salary for risk managers in large companies is higher than the average salary for risk managers who work for smaller organisations, for both "top managers" and "non-top managers".

[Chart: fixed gross compensation by organisation type across four bands (less than €50,000; €50,000-€100,000; €100,000-€150,000; more than €150,000), with average salary in € thousands. Organisation types: Association/NGO; Middle-market company (less than €1.5 billion/5,000 employees); Large company (more than €1.5 billion/5,000 employees); SME (less than €50 million/250 employees); Public sector entity. Band values shown: 100%; 31%, 52%; 8%, 29%; 25%, 50%; 33%, 67%; 42%; 12%; 17%; 21%; 8%; 5%. Average salaries shown: €103, €77, €95, €92, €101, €75, €77, €109, €83, €67.]


Gender

[Chart: fixed gross compensation by gender for "non-top managers" and "top managers" across four bands (less than €50,000; €50,000-€100,000; €100,000-€150,000; more than €150,000). Values shown: 21%, 44%, 32%; 32%, 42%, 20%; 30%, 48%, 15%, 6%; 17%, 34%, 24%, 24%; 3%; 5%.]

Although the gender pay gap has been gradually decreasing, men risk managers still earn more than women risk managers.

• Among "top managers", the gap has dropped from 15% in 2015 to 8% in 2017 (€110,000 for men versus €101,000 for women).

• Among "non-top managers", the gap has fallen from 28% in 2015 to 9% in 2017 (€88,000 for men versus €80,000 for women).



Future of the profession

The risk managers surveyed indicated an increase in their level of responsibility for risk culture development in their companies (79% in 2017 versus 70% in 2015) and risk assessment (70% in 2017 versus 64% in 2015).

Personal career development opportunities

In 2017, half of the respondents indicated that they would like to remain risk managers but at another company. This is the first year that this response has been available for selection.

Internal audit/internal control, which was the most common field for career advancement in 2015 (27%), was the sixth most common in 2017 (9%). The second most common field for career advancement was senior management (15%).

The "other" category was the third most common field for career advancement. It was mostly selected by risk managers who want to remain in their current positions at their companies.

[Figure: Career development. Share of respondents by desired field for career advancement: risk manager at another company, senior management, other, retirement, consulting, internal audit/internal control, finance, compliance, insurance, brokerage, operations, legal, health, safety, quality and environment, IS]


Photo credits: PwC - AMRAE ― Freepik ― GettyImages Copyright © 2017 AMRAE, in partnership with PwC


AMRAE 80, boulevard Haussmann

F-75008 Paris France

Tel.: 33 (0)1 42 89 33 16 Fax: 33 (0)1 42 89 33 14

www.amrae.fr

Management des Risques et des Assurances de l’Entreprise

PwC 63, rue de Villiers

92208 Neuilly-sur-Seine Cedex France

Tel.: 33 (0) 1 56 57 58 17 Fax : 33 (0) 1 56 57 58 60

www.pwc.fr

