1. COORDINATION OF THE ASSURANCE FUNCTIONS
Julia Graham
President of FERMA
2. WHERE WE ARE
22 member associations in 20 countries
Over 4300 individual members who are responsible for risk management and/or insurance in their organisations
5. WORLD ECONOMIC FORUM
GLOBAL RISK REPORT 2014
The 10 risks of highest concern to respondents are:
1. Fiscal crises in key economies
2. Structurally high unemployment/underemployment
3. Water crises
4. Severe income disparity
5. Failure of climate change mitigation and adaptation
6. Greater incidence of extreme weather events
7. Global governance failure
8. Food crises
9. Failure of a major financial mechanism/institution
10. Profound political and social instability
Source: World Economic Forum, Global Risks 2014
6. WE LIVE AND WORK IN A RISKIER WORLD
• Faster Change
• More Complex
• Greater Connectivity
Source: World Economic Forum, Global Risks 2014
7. WHICH OF THESE RISKS ARE ON CORPORATE RISK MAPS?
The 10 risks of highest concern to respondents are:
1. Economic slowdown / slow recovery
2. Regulatory / legislative changes
3. Increasing competition
4. Damage to reputation / brand
5. Failure to attract or retain top talent
6. Failure to innovate / meet customer needs
7. Business interruption
8. Commodity price risk
9. Cash flow / liquidity risk
10. Political risk / uncertainties
Source: Aon Global Risk Management Survey 2013 / Underrated threats? 2013
8. THE FERMA RISK 2014 MAP
Top 10 risks, 2014 ranking (the original chart also shows the 2012 ranking and a mitigation level and satisfaction level rated High / Medium / Low for each risk; those columns are graphical and are not reproduced here):
1. Political – Government intervention, legal & regulatory changes
2. Reputation and brand
3. Compliance with regulation and legislation
4. Competition (n.c.*)
5. Economic (n.c.*)
6. Market strategy, client (n.c.*)
7. Planning and execution of strategy
8. Human resources / key people, social security (labour)
9. Quality (design, safety & liability of products & services)
10. Debt, cash flow (n.c.*)
*n.c. = not comparable with the 2012 ranking
10. ROADS TO RUIN
▸ 18 case studies (events)
▸ 23 companies involved
▸ 7 event categories
▸ 14 industries
▸ All based on information already in the public domain
▸ Companies studied included
▸ BP, AIG, Cadbury & Schweppes, Independent Insurance,
Coca-Cola, Total, Firestone, Railtrack, Northern Rock,
Shell, Zurich, SocGen, Arthur Andersen and 12 others
▸ Aggregate pre-crisis value of the companies was $6trn!
▸ The risk management failures studied took place in the period 2000-2007
11. WHAT CONTRIBUTED TO THE CATASTROPHIC CONSEQUENCES?
• Poor crisis management
• Failure to recognise the significance of the event early enough in the crisis
• Poor stakeholder communications, including with news and social media
• Lack of awareness of the potential for reputational damage
• Failure to appreciate the importance of transparency early enough
• Failure to learn from prior experience (even within the same company)
12. A BROADER APPROACH TO RESILIENCE
Resilience is about opportunity, adaptation and evolution as well as managing disruptions and crises
• Less resilient organisations are prone to failure
• Organisations are more complex, and impacts materialise faster
• Organisations can't be expected to address all risks
• Resilience for many means focussing on operational issues, missing the more strategic ones
Source: AIRMIC and others - Roads to Resilience 2014
13. RESILIENCE – THE NEW RISK MANAGEMENT?
1. Resilient companies have exceptional risk radar to detect changes in the external and internal situation
2. Resilient companies have diversified resources and assets to facilitate alternative approaches and adaptation to change
3. Resilient companies build strong relationships and networks, both internally and externally
4. Resilient companies have the ability to respond rapidly and decisively to an emerging crisis
5. Resilient companies review and adapt based on experience and changing circumstances
Source: PWC 2014
14. RESILIENCE – THREE KEY MESSAGES
Resilience is about long-term surviving and thriving
Resilience is generated (and lost) by who we are, what we know, what we do and how we do it
Well understood resilience can be measured, manipulated and leveraged
Source: PWC 2014
16. ISO 31000 DEVELOPMENT
ISO 31000 adopts a management system approach: Plan - Do - Check - Act
ISO 31000 was published in November 2009
Technical Committee and Working Group: the ISO experts for risk management, responsible for the maintenance and further development of ISO 31000; they represent the opinion of many countries and cultures
A limited revision of ISO 31000 is being undertaken in the short term, following the principle of continual improvement, to include the human and cultural factors in risk management
In the long run a more fundamental technical revision will be determined; this work will take into consideration the global development of risk and risk management
17. MANY USE COSO ERM AND ISO 31000
COSO ERM                    vs.  ISO 31000
Lengthy                     vs.  Short
Focused on ERM              vs.  General
One cube                    vs.  Framework and process
Skewed to negative          vs.  Risk positive or negative
Risk already exists         vs.  Risk tied to objectives
Risk and opportunities      vs.  Opportunities as a risk
More sequential process     vs.  More iterative process
… Concepts not aligned
18. STANDARDS OR FRAMEWORKS USED
ISO 31000 up 5% from 2011
COSO up 2% from 2011
Source: RIMS 2013 Benchmark Survey - Produced by Advisen
19. THE VOICE OF EUROPEAN RISK AND INSURANCE MANAGERS
European Risk and Insurance Report
SEMINAR 2014
20. EMBEDDED ACTIVITIES
▸ Insurance management and claims handling and insurable loss prevention
▸ Development of risk maps
▸ Assistance to other functional areas in contract negotiation, project management, acquisitions and investments
▸ Design and implementation of risk controls / prevention
(Trend indicators for each activity are shown graphically in the original and are not reproduced here.)
21. PLANNED ACTIVITIES
▸ Development and embedding of business continuity management
▸ Alignment and integration of risk management as part of business strategy
▸ Development and integration of risk culture across the organization
(Trend indicators for each activity are shown graphically in the original and are not reproduced here.)
22. REPORTING AT TOP MANAGEMENT LEVEL
Top 3 reporting lines      RM function   IM function
CFO                        22%           31%
Board of Directors         18%           12%
CEO                        17%           12%
(RM = risk management function, IM = insurance management function)
A strong interaction with Top Management / Board: 48% of Risk Managers present RM activities several times a year
Widespread use of risk mapping
23. CFOs REMAIN PRIMARY REPORTING LINE FOR RISK MANAGERS ACROSS EUROPE
• Reporting at CFO level: 22%, with sector variations
• Board of Directors / Supervisory Board level is the primary reporting line in the 'Automotive' and 'Banking and Financial Services' sectors
• In small companies, reporting to the Board of Directors / Supervisory Board is the most common practice
• Reporting at CEO level is mostly observed in the 'Healthcare', 'Pharmaceuticals' and 'Real Estate' sectors
• Reporting to the Audit and/or Risk Committee remains marginal, even though it represents advanced practice
• Emerging reporting lines include Business Development, Corporate Affairs, Group Controller, Commercial Assurance, Shared Services and Financial Compliance
24. AREAS FOR REFLECTION
What is the right organisation for Risk functions?
26. MANAGING ASSURANCE
WHOSE JOB IS IT ANYWAY?
IIA Standard 2050 requires that chief audit executives share information and coordinate activities with other internal and external providers of assurance ….. to ensure proper coverage and minimise duplication of effort; yet…..
▸ Assurance roles and responsibilities are not clearly defined
▸ Assurance functions' reporting lines are not coordinated
▸ Assurance functions have different objectives
▸ Assurance functions do not base their programmes on the significant risks
▸ The breadth of skills in many assurance functions is limited
▸ Many assurance functions are not represented at "Top Management" level and do not get heard
▸ Assurance functions are often accused of not working with management
▸ Reporting is dull and unconvincing
▸ Box tickers, not agents of opportunity or change
27. MANAGING RISK
WHOSE JOB IS IT ANYWAY?
► Risk management is fundamental to organizational control and critical to providing sound corporate governance
► It touches all of the organization's activities
► The establishment of an effective enterprise-wide risk management system is a key responsibility of management and the board
► The board is responsible for adopting a holistic approach to the identification of organizational risks, creating controls to mitigate those risks, and monitoring and reviewing the identified risks and established controls
► The board should ensure that risk management is integrated into the organization, at both the strategic and operational levels
28. THE 8TH EU COMPANY LAW DIRECTIVE
▸ 1984
Conditions for the approval of persons carrying out the statutory audit of accounting documents
▸ 2001
Enron: influence globally
▸ 2003
Ahold and Parmalat: influence in Europe
▸ 2010 – Article 41
Focus on good practice for oversight, responsibilities and relationships; wider adoption of the Three Lines of Defence model
▸ 2014 – Directive 2014/56
Focus on external audit and non-financial information reporting; consequences for the board, internal auditors and risk managers
29. RISK AND AUDIT COMMITTEE RESPONSIBILITIES
1. Review risk management systems
2. CRO or equivalent
3. External audit
4. Relationship and coordination
5. Report annually on the effectiveness and efficiency of risk management in the organization
6. Review annually the performance and terms of reference of the Committee in order to determine whether it is functioning effectively by reference to best practices
7. Oversee the integrity of the financial reporting process and financial reports
8. Review the efficiency of internal control and risk management systems
9. Review and appraise the audit activities: independence, objectivity and effectiveness of the audit process
10. Supervise the internal audit function
Source: Audit and Risk Committees - News from EU Legislation and Best Practices 2014
30. THREE LINES OF DEFENSE
(Diagram not reproduced in this text.)
Source: Audit and Risk Committees - News from EU Legislation and Best Practices 2014
32. THE PROFESSION OF RISK LEADERS
▸ ACCREDITATION: verifying that third parties can demonstrate their competence to carry out specific conformity assessment tasks
▸ CERTIFICATION: verifying that individual candidates have adequate credentials to practise the risk management discipline
Through the certification process FERMA will set up a standard to evaluate candidates' skills, along with other pillars such as experience, ethics and CPD.
34. FERMA CERTIFICATION
The aim is to certify the competence of Risk Managers
• Certification and Accreditation launched in parallel
• Certification application through:
  • online submission
  • file review
  • interview
• Certified Risk Managers will be part of an alumni network
• In the longer term, two certification levels are planned
• First awards at the 2015 FERMA Forum
• FERMA will accept applications globally
Speaker notes attached to the slides:
4 permanent staff in Brussels. Close relationship with the European institutions and the major representations of the insurance industry in Brussels.
Kadidja to give some comments about the importance/significance of having a risk culture and why it's important to us as insurers.
3rd ground for satisfaction: a widespread use of risk mapping, as only 8% of EU companies do not have risk mapping (either at corporate level or at BU level). But, as XL will explain afterwards, we could have expected even better results in terms of risk mapping deployment within EU organizations.
It's great to have a good strategy, but it's nothing if we don't implement it. So what happens next? What do we do with the Strategic Framework?
IMPLEMENTATION PROCESSES: business model, legal structure, certification & accreditation processes, administrative structure