Living and working in a riskier world discusses the evolution of risk management from a standalone activity focused only on threats to a strategic business discipline that supports organizational objectives. It argues risk management must shift from rules-based compliance to principles-based resilience by considering opportunities in addition to threats, taking a holistic view of risks, and integrating risk management into the business rather than treating it as a separate cost. As the world becomes more complex and interconnected, reputation and non-insurable risks are rising concerns, requiring risk professionals to broaden their skills and focus on culture, behavior, and building resilience across organizations.

1. Living and working in a riskier world
From Risk Management to Risk Leadership
20 March 2014
Julia Graham
FERMA President

2. What we stand for
 Co-ordinate, promote and support the development and use
of risk management, insurance and risk financing in Europe
 Be a significant stakeholder in the decision making process
at the European level on risk management, insurance and
risk financing
– Profession
– Innovation
– Diversity
 We go where others do not go
 Leading risk management and insurance across Europe

3. Where we are
22 member associations in 20 countries
4336 individual
members who are
responsible for risk
management and / or
insurance in their
organisations

4. Who we are

5. Our leadership team
Pierre Sonigo
Secretary
General
Florence Bindelle
Executive
Manager
Alessandro
de Felice
Vice President
Michel Dennery
Vice President
Jo Willaert
Vice President
Julia Graham
President
Fernand
De Winter
Treasurer

6. "Three" lines of defence
Source: ECIIA - Making the most of the Internal Audit Function

7. Risk management
“Why do you have brakes in a car? So you can drive faster safely. Why do you have good risk
management? So you can pursue your business goals more energetically….” FT
"In an emergency the driver needs to know where the brakes are and how to use them properly.
This is why you need good crisis management" …. JG

8. No risk is an island

9. It's risk management Jim but not as we've known it
A strategic business
discipline that supports
the achievement of the
organisation's
objectives by
addressing the full
spectrum of its risks
and managing the
combined impact of
those risks as an
interrelated risk
portfolio

10. Old risk management practices
– Risk management as stand alone activity
– Driven by audit
– Based on rules
– Off-the-shelf systems and solutions with pre-determined lists of risks
– Focused only on threats
– Mainly hard controls about tangible things – insurable
– Artificially implemented or imposed
– Stand-alone and not part of the business
– Static, out-of-date – "we've done that" and filed away
– Viewed as purely a cost overhead
– Abandoned because nobody pays attention
Source: International Federation of Accountants - IFAC

11. New risk management practices
– Risk management driven by objectives
– Board and management driven – by example and from the top of the business
– Based on principles and not rules
– Tailor made to the business
– Focused on opportunities as well as threats
– As much about social / human / cultural aspects – not insurable
– Organically implemented
– "Part of the way we do things here" - integrated
– Dynamic, evolving – not left on a shelf
– Creates results and add value – with measures
– Supported and long term
Source: International Federation of Accountants - IFAC

12. Leadership in risk management
• Board level supervision of risk management increasing and there is increasingly a
role for leadership of risk management
• The majority of companies have education and review processes in place that keep
the Board informed about risk exposures
• Most think communication between the Board and the "CRO" could be better
• Companies aspire to improve the link between risk management and strategic
planning
• Risk management has some way to go to use the risk management function for
making more effective strategic decisions
• Risk-based incentives as part of remuneration slow
• Brand and reputation rising concerns
• Some executives and "experts" cite lack of risk management talent as an important
area especially in emerging products and markets
• Processes to define risk appetite now in place at nearly half of the companies
Source: Leadership in Risk Management – Zurich, Harvard, FERMA and PRIMO

13. The first standards committee

14. Standards commonly used
Source: RIMS 2013 Benchmark Survey Produced by Advisen
All rights reserved.
 ISO 31000 up 5% from 2011
 COSO up 2% from 2011

15. COSO ERM and ISO 31000 are different
Preferences can vary bias -
audit and risk
COSO ISO 31000
Lengthy Short
Focused on ERM General approach to managing risk
One cube Framework and process
Skewed to negative Risk can be positive or negative
Risk already exists Risk tied to achieving objectives
Risk & opportunities Opportunities also source of risk
More sequential process More iterative process
Many organisations use COSO and ISO 31000

16. Route to corporate failure
Weaknesses that make organisations prone to crises and escalation of crisis into disaster:
1. Board skills and NED control risks
2. Board risk blindness
3. Poor leadership on ethos and culture
4. Defective communications
5. Risks arising from excessive complexity
6. Risks arising from inappropriate incentives
7. Risk "glass ceilings"
Necessary developments
– Scope, purpose and practicalities of risk management need to be re-thought from
the Board down
– Education of risk professionals needs to be extended
– Risk professional's status needs to change
– Not necessarily more CROs
Systems that prevent crisis escalating into disasters
Source: Roads to Ruin - a report by Cass on behalf of AIRMIC, Lockton and Crawford

17. Reputation is now higher in our risk thinking
 Reputations take years to build and minutes to destroy
 More than giving correct advice and more than a brand
– understanding the value of reputation - often the largest asset
– taking ownership of reputation
– having a holistic and systematic risk management process
– understanding the expectations of our clients
– identifying the main causes of risk
– applying joined up management
– viewing reputation as a risk consequence
– having good crisis management for when things go wrong

18. Roads to Resilience "future proofing"
The next generation
 Capability to deal with the unexpected
 Everyone acutely aware of risk – "bristling with risk awareness"
 Not a special function – everyone's job
 Widening scope of risk
 Widening of knowledge and skills for the "risk manager"
 Moving away from physical assets and people
 Client experience, brand and reputation key assets
 The range of assets at risk has changed
 In the world of social media firms cannot risk manage as if nothing has changed
 Risk management more facilitators than managers
 All levels of risk embraced
Evolution from risk management to building resilience

19. Principles of the resilient organisation
 Exceptional radar
 Value and build strong relationships internally and externally
 Leaders that are respected and respectful
 The ability to respond rapidly
 Diversified resources
 We live and work in a riskier world
 Top Management
– Board directors believe that they should spend more time on strategy, talent and
risk
 Risk Managers
– Risk managers must develop business leadership skills, become a business
discipline and add significant value - or stay as fragmented technical people
called upon only when needed
Source: Roads to Resilience AIRMIC

20. Challenges to achieving resilience
The Risk Manager
 Overcoming barriers
– don't over analyse
 The role is changing
– no hiding behind rules and regulations
– valued senior advisor
– get out and engage
 More about culture, behaviour, mind-set and insights
Enablers and behaviours
 People and culture
 Business structure
 Strategy, tactics and operations
 Leadership and governance

21. Risk management will become risk leadership
Position
 risk management will continue to assume a higher priority
 strong board involvement advocated to facilitate strategic and enterprise-wide risk
 more energy devoted to defining risk appetite, tracking, measuring and analysing risk
Challenges
 risk ownership and communication at all levels
 links between risk management and strategic planning and management
 communication between the board and risk management
 risk based incentives
 risk management talent pool with the right talent
 risk forecasting
Evidence to suggest that well risk managed businesses will be more profitable

22. Developments in risk management as a profession
 What profession?
 Predicted that there will be fewer but more senior professionals
– as risk management matures and moves towards first line management
 But the profession is generic and hard to define
 Professional certification
– knowledge
– experience
– ethics
– continuing professional development
 Some similarities to NEDs
 Watch this space ….

23. Diversity in the teams works

24. Final Observations
 Effective risk management in NOT just about compliance
 Risk is at the heart of strategy and effective risk management should be an enabler
and a potential differentiator
 Growth in a flat market can only be achieved by taking risks – these must be
calculated and transparent
 Reputation is critical and reputation risk management should be prioritised
 The tone is set at the top and the C-suite will take a stronger role in leading the risk
management effort in Europe
 The information required to take risk aware decisions is most likely to exist already
inside the company
 Risk management must be owned by the business
 Risk managers must be fit for the challenge

25. Knowledge
Skills
EthicsCPD
Business
model
What FERMA is doing

26. 26