Enterprise Governance, Risk and Compliance 
Athens 12 November 2014 
Living and Working in a Riskier World 
Julia Graham, President of FERMA
Where we are
22 member associations in 20 countries
Over 4300 individual members who are responsible for risk management and/or insurance in their organisations
Our member associations 
FERMA is 40
Our focus
World Economic Forum – Global Risk Report 2014 
The 10 risks of highest concern to respondents are: 
1. Fiscal crises in key economies 
2. Structurally high unemployment/underemployment 
3. Water crises 
4. Severe income disparity 
5. Failure of climate change mitigation and adaptation 
6. Greater incidence of extreme weather events 
7. Global governance failure 
8. Food crises 
9. Failure of a major financial mechanism/institution 
10. Profound political and social instability 
Source: World Economic Forum, Global Risks 2014
Which of these risks appear on corporate risk maps?
The 10 risks of highest concern to respondents are:
1. Economic slowdown / slow recovery
2. Regulatory / legislative changes
3. Increasing competition
4. Damage to reputation / brand
5. Failure to attract or retain top talent
6. Failure to innovate / meet customer needs
7. Business interruption ...?
8. Commodity price risk
9. Cash flow / liquidity risk
10. Political risk / uncertainties
Source: Aon Global Risk Management Survey 2013 / Underrated threats? 2013
Directors of Captives – sense check 
• Cyber 
• Interdependency of risk 
• Pandemic / health risk 
• Pension scheme funding risk 
• Terrorism risk 
• Creativity in the insurance industry 
• Increased focus on risk management spend
• Failure to attract top talent 
• Unethical behaviour 
• Supply chain? 
Source: Aon - Underrated threats? 2013 
Cyber no longer on the horizon.
Innovation often comes from the producer, not the customer.
Increased risk complexity and connectivity adds to the challenge for risk managers.
Travel increased from 683m to 1bn in a decade – yet pandemic off the radar … then came Ebola.
No risk is an island 
We live and work in a riskier world 
[Graphic: Change, Complexity, Connection]
Source: World Economic Forum, Global Risks 2014
Global risks are beyond normal Board activities 
• Corporate risk maps tend to focus on risk where the company has some control
• These risks are big and catastrophic 
• It is not clear how Boards should tackle these risks 
• Do they have the know-how? 
• Yet the Board is best placed to manage them
Managing Global Risks 
• Focus on impacts, outcomes and consequences for your operations, not the risks themselves
• Check critical dependencies
• Check and reinforce contingency planning and crisis management capabilities
• Improve your risk radar throughout your extended network 
• Focus on agility
A broader approach to resilience
Resilience is about opportunity, adaptation and evolution as well as managing disruptions and crises.
• Less resilient organisations are prone to failure
• Organisations are more complex, impacts materialise faster
• Can’t be expected to address all risks
• Resilience for many means focussing on operational issues, missing the more strategic ones
Source: AIRMIC and others - Roads to Resilience 2014
Roads to Resilience
1. Resilient companies have exceptional risk radar to detect changes in the external and internal situation
2. Resilient companies have diversified resources and assets to facilitate alternative approaches and adaptation to change
3. Resilient companies build strong relationships and networks, both internally and externally
4. Resilient companies have the ability to respond rapidly and decisively to an emerging crisis
5. Resilient companies review and adapt based on experience and changing circumstances
Source: PWC 2014
Resilience – three key messages
• Resilience is about long-term surviving and thriving
• Resilience is generated (and lost) by who we are, what we know, what we do and how we do it
• Well understood resilience can be measured, manipulated and leveraged
Source: PWC 2014
Risk Managers are White Swans
FERMA – Strategic Actions
The 2014 FERMA Risk Map
Columns: Top 10 | 2014 | 2012 | Mitigation level | Satisfaction level (rating scale: High / Medium / Low)
1. Political – Government intervention, legal & regulatory changes
2. Reputation and brand
3. Compliance with regulation and legislation
4. Competition (n.c.*)
5. Economic (n.c.*)
6. Market strategy, client (n.c.*)
7. Planning and execution of strategy
8. Human resources / key people, social security (labour)
9. Quality (design, safety & liability of products & services)
10. Debt, cash flow (n.c.*)
* n.c. = not comparable
Embedded activities
• Insurance management and claims handling and insurable loss prevention
• Development of risk maps
• Assistance to other functional areas in contract negotiation, project management, acquisitions and investments
• Design and implementation of risk controls / prevention
SEMINAR 2014
Planned activities
• Development and embedding of business continuity management
• Alignment and integration of risk management as part of business strategy
• Development and integration of risk culture across the organization
Knowledge and Skills required 
Three Lines of Defense 
Source: Audit and Risk Committees - News from EU Legislation and Best Practices 2014
Risk and Audit Committee responsibilities
1. Review risk management systems
2. CRO or equivalent
3. External audit
4. Relationship and coordination
5. Report annually on the effectiveness and efficiency of risk management in the organization
6. Review annually the performance and terms of reference of the Committee in order to determine whether it is functioning effectively by reference to best practices
7. Oversee the integrity of the financial reporting process and financial reports
8. Review the efficiency of internal control and risk management systems
9. Review and appraise the audit activities: independence, objectivity and effectiveness of the audit process
10. Supervise the internal audit function
Source: Audit and Risk Committees - News from EU Legislation and Best Practices
Foundations – our profession 
Risk Language and Standards are important
Many use COSO ERM and ISO 31000 
COSO ISO 31000 
Lengthy vs. Short 
Focused on ERM vs. General approach to managing risk 
One cube vs. Framework and process 
Skewed to negative vs. Risk can be positive or negative 
Risk already exists vs. Risk tied to achieving objectives 
Risk & opportunities vs. Opportunities also source of risk 
More sequential process vs. More iterative process 
… Concepts not aligned
Standards or Frameworks Used 
ISO 31000 up 5% from 2011 
COSO up 2% from 2011 
Source: RIMS 2013 Benchmark Survey - Produced by Advisen
ISO 31000 Development
• ISO 31000 adopts a management system: Plan - Do - Check - Act
• ISO 31000 published in November 2009
• Technical Committee and Working Group
• ISO experts for risk management
• Responsible for ISO 31000 and its maintenance and further development
• Represents the opinion of countries and cultures
• Undertaking a limited revision of ISO 31000 in the short term, following the principle of continual improvement
• Including the human and cultural factors in risk management
• Determine in the long run a more fundamental technical revision
• This work will take into consideration the global development of risk management
FERMA Certification – our profession
Innovation – our needs 
• A frequently used word at cocktail parties 
• Innovation is not invention 
• We live and work in a riskier world 
• Organizations need solutions for the conventional and unconventional 
• Are insurers up to the challenge? 
• Are brokers up to the challenge? 
• Are we up to the challenge? 
"It’s about the people you have, how you are led, and how much you get it" (Steve Jobs)
Diversity – our assets
• Managing Diversity makes business sense:
– 78% of risk managers are over 45 years old
– 73% of risk managers are male
• Diversity demands:
– Leadership by Top Management
– Leadership by example
– Action, not just words
• Sustainable change, not a project
• Diversity is more than gender:
– Culture
– Gender
– Age
– Ethnicity
Come and join us!
Any Questions? 

FERMA presentation at Athens conference

Editor's Notes

  • #3 4 permanent staff in Brussels. Close relationship with the European Institutions and major representations of the insurance industry in Brussels.
  • #18 Be Like A Swan. Stay calm on the surface – keep everything running smoothly and delivering services to the level expected. To do this, you need to paddle like hell underneath. Partner and fee earners may not always see – or recognise – how hard we're working, but I can assure you, they'll soon notice it if we stop paddling fast enough to deliver the services required to keep the business afloat. So if no one else says thanks for everything you do – on behalf of the firm – thank you!
  • #19 It’s great to have a good strategy, but it’s nothing if we don’t implement it. So what happens next? What do we do with the Strategic Framework?
  • #30 IMPLEMENTATION PROCESSES: business model, legal structure, certification & accreditation processes, administrative structure