FERMA Risk Management Benchmarking Survey 2016 8 th Edition
FERMA Risk Management
Benchmarking Survey 2016
8th Edition
“ I am delighted to present to you the FERMA 2016 European Risk and Insurance Report, gathering the views of more than 600 European risk managers at a time of major changes in Europe.
At our general assembly in June this year, FERMA set out its strategic vision to achieve “a world where risk management is embedded in the business model and culture of organisations”. Today, we see that risk managers are increasingly moving into a position where they will help achieve that vision in their own organisations. They are taking more strategic roles, and the majority report to a chief officer or to the board.
Risks are always evolving – as we see from the focus on data protection and cyber risks. Risk managers want to develop skills and tools that enhance their ability to manage such emerging risks and want their advisers, brokers and insurers to be their partners in doing so.
The findings of this report, combined with FERMA’s mission and strategy, will shape our activities over the next two years. One of the priorities that our members see for FERMA is to strengthen the professional standing of risk managers in Europe, and FERMA’s professional certification programme rimap® will be an important contribution to achieving that objective.
I trust that you will find FERMA’s 2016 European Risk and Insurance Report a source of valuable information and topics for further discussion as we build our profession together. “
Jo Willaert, President of FERMA
Presentation of the survey
Eighth biennal benchmarking survey conducted by the Federation of European Risk Management Associations
FERMA in collaboration with: AIG Chubb EY Marsh XL Catlin
The survey (39 questions) received 634 responses and was conducted from April to June 2016
The survey was divided into 3 parts:PART 1: RISK MANAGEMENT PROFESSION AND PRACTICES IN EUROPE: from S1 to Q16
This part is seeking to reinforce the understanding and positioning of the risk and insurance management role.
Support the development of the risk and insurance management function.
PART 2: EUROPEAN INSIGHTS ON RISK MANAGEMENT: from Q17 to Q20NEWThis part is seeking to identify the main priorities for EU risk and insurance managers to ensure that FERMA supports its
members’ needs and expectations as regards the risk and insurance management function.
PART 3: Insurance Management : from Q30 to Q39This part is seeking to provide EU insight on the evolution of the insurance market and risk managers’ expectations.
Key facts
49
269
460
555
782 809850
634
0
100
200
300
400
500
600
700
800
900
2000 2002 2004 2006 2008 2010 2012 2014 2016
Number of respondents
Total Number of responses since 2002
This is the eighth edition of the FERMA European Risk and Insurance Report. It has been published every two years since 2002. FERMA in collaboration with AIG, Chubb, EY, Marsh and XL Catlin, conducted the European Risk and Insurance Survey, on which the report, is based between April and June 2016.
The FERMA European Risk and Insurance Survey 2016 is a fully online project. The population of the study is composed of all FERMA members (22 national associations in 21 countries) and contacts from AIG. In total, 4.407 invitations were sent: 634 participants responded to parts one and two, of which 406 also answered to the third optional part of the questionnaire. This represents a response rate of 14%, which makes it a good representative sample of the profession. The similarity in the respondents between the previous survey in 2014 and the latest version confirms that the findings are an expression of views across the European risk management community.
Every participant received an invitation email with a personnel link; there were no sampling methods applied to the population. An independent research company, Toluna, collected the responses and compiled the results.
DisclaimerThe 2016 FERMA European Risk and Insurance Report is designed to serve as a high‐level overview for risk and insurance managers and other executives. Our analysis includes benchmarking information drawn fromrespondents across a variety of industries and companies. The data, therefore, reflects general trends aboutthe profession.
Survey methodology
Table of Content1. Introduction2. European insights on risk management
practices3. European perspective4. Insurance: Evolution of the Insurance Market
and Risk Managers’ Expectations
1. Introduction
Risk and Insurance Managers’ profile
The survey shows that the typical risk manager profile remains stable in age, gender and salary wise since the last 2 years
The typical risk manager in a leadership role is around 50 years of age (78,8%) and male (80,5%).
Within the younger generation of risk managers women are still the majority in number, however women continue to lose this position quickly as the survey findings move through the risk management career time line and male risk managers predominate in leadership roles from the age of 35.
The growth in the number of young risk managers is encouraging for FERMA’S risk management certification programme, rimap®, launched in 2015. We believe rimap will strengthen career opportunities for people joining the profession.
FERMA’s insight
Risk and Insurance Managers’ profile
Europe’s risk management population has changed little in terms of age, gender and compensation since 2014. Generally, risk managers are: Male (73% male compared to 27% female) Between 36‐55 years (72%), with a small increase in young risk managers since 2014 Earning more than €100.000 a year (46%) and more than €200.000 for 7%, with salaries remaining higher for men than
women by 65% The younger generation (less than 25 years category) seems to be more diverse having 50/50 between genders 62% working for companies with turnover exceeding €1 billion 80% working for companies with more than 20,000 employees and dedicate four or more full time employees to risk
management
Risk and Insurance Managers’ salary
Salary levels for risk managers in leadership positions are typically higher for male risk managers than for women.
18%
18%
18%
15%
12%
12%
7%
Less than €60k
Between €60k - €80k
Between €81k - €100k
Between €101k - €120k
Between €121k - €150k
Between €151k - €200k
More than €200k
A representative panel of European companies
19%13%
10%8%
7%5%5%
4%4%4%4%
3%3%
8%
ManufacturingEnergy / utilities
Banking and Financial ServicesProfessional and Business Services
Transportation / logisticsInsurance
Technology and TelecomsAutomotive
Food and BeveragesRetail
Public sector and non-profitReal Estate
Pharmaceuticals and Life SciencesOthers
The top 3 organization’s main sector of activity are:
1. Manufacturing2. Energy /utilities3. Banking and Financial services
While capital intensive industries face more risks than services industries – the very reason why the majority of respondents work within these sectors – the rise of cyber risks is set to change this balance. In the future, we are likely to see higher proportions of risk and insurance managers in service industries as cyber risk continue to grow with further advancement in technology.
A representative panel of European companies
10%
3%
14%
11%
31%
31%
Less than €50 million
Between € 50 million and less than € 100 million
Between € 100 million and less than € 500 million
Between € 500 million and less than € 1 billion
Between € 1 billion and €5 billion
More than € 5 billion
13%
10%
22%
12%
13%
31%
Less than 250
Between 250 and lessthan 1,000
Between 1,000 and 5,000
Between 5,001 and10,000
Between 10,001 and20,000
More than 20,000
Organization’s turnover: Organization’s total number of employees:
Risk Management team in larger companies include at least 4 people : 60.6% of respondents from companies with turnover over 1 billion EUR have RM team of >4 FTE 77% of respondents from companies with turnover over 5 billion EUR have RM team of > 4 FTE The larger company, the larger the risk management team (same as in 2014)
52% 51%
29%
17%19%
32%
Risk Management Insurance
Up to 3Between 4 to 10More than 10
Full Time Equivalents dedicated to Risk/Insurance Management
More than half of European companies have up to 3 FTE dedicated to Risk/Insurance Management
2. European insights on risk management practices
GRAPH CAPTION
Reports to other function or department
Emerging Moderate Mature/Advanced
Reports to CFO, General counsel/Head of Legal Department, Head of Internal Audit
Reports to President/Chairman, Audit (and/or risk) Committee, Board of Directors / Supervisory Board, CEO / Managing Director or General / Company secretary
Risk Management function globally reports at Top Management level (88%). This practice is increasing compared to 2014 (84%).
Risk Management reporting: increasing reporting at Top Management level
7%
40%
53%
17%
33%
51%
12%
36%
52%
Emerging Moderate Mature/advanced
2012 2014 2016
CFOs remain the primary reporting line for Risk Managers across Europe
The main reporting lines are respectively: Risk managers: Board of directors,
president, chief executive officer, risk committee and chief financial officer (65%)
Insurance managers: President, chief executive officer, chief financial officer, head of treasury and head of legal (73%)
Risk and insurance managers are also reporting to top level non‐executive functions such as presidents and the chairman as well as the board of directors and supervisory board at 21% and 16% respectively.
This suggests that risk managers are beginning to gain much‐needed board engagement as they start to take on a more strategic role.
Reporting lines of risk and insurance managers - detailed responses
2%
3%
3%
5%
5%
5%
6%
7%
10%
11%
16%
26%
2%
4%
0%
1%
11%
6%
9%
2%
9%
8%
12%
35%
Chief Operating Officer
General / Company Secretary
Head of Internal Audit
Audit Committee
Head of Treasury
Chief Risk Officer
General Counsel / Head of Legal Department
Risk Committee
President / Chairman
Board of Directors / Supervisory Board
Chief Executive Officer / Managing Director
Chief Financial Officer
Insurance ManagementRisk Management
Risk/Insurance Managers’ roadmap: towards the development of Risk management as a strategic tool deployed at all levels of the organization
1. Insurance management and claims handling / insurable loss prevention (86%)
2. Development of map of risks: risk identification, analysis, evaluation, prioritization and reporting (79%)
3. Assistance to other functional areas in contract negotiation, project management, acquisitions and investments (77%)
1. Development and implementation of Risk Culture across the organization (68%)
2. Alignment and integration of risk management as part of business strategy (62%)
3. Development and embedding of Business Continuity Management / Emergency Management / Crisis Management / Incident response programes and solutions (59%)
1. Analysis of capital projects and delivering business plans (40%)
2. Design and implementation of riskfinancing strategy and association solutions (30%)
3. Definition of compliance (Management, Framework, embedding and assurance) (29%)
1
Top embedded activities Activities planned for 2016‐2017:
Not planned activities
Operational risk activities remain high on the agenda for the risk profession but for the year ahead, risk managers areplanning to take on more strategic responsibilities as enterprise risk management gains traction in many businesses. This trendshows that risk management is evolving, transitioning from an operational function to a strategic one.
The evolution of reporting lines also indicates that risk managers are gaining much‐needed board engagement as they developthis more strategic role.
FERMA’s insight
Risk Management interactions with Top Management/Board
There is no mechanism in place to formally report about risk management
GRAPH CAPTION
Emerging Moderate Mature Advanced
Meets Board and/or Top Management members on a requested basis
Formally presents to the Board of Directors and Top Management once a year
Formally presents to the Board of Directors and Top Management several times per year
7%13%
37%42%
10%
24%18%
48%
11%
22%16%
51%
Emerging Moderate Mature Advanced
2012 2014 2016
A majority of respondents (51%) formally present Risk Management activities to the Board/ Top Management several times a year.
Nevertheless, we note that one third of respondents still have limited interaction with Top Management.
Relations between Risk Management and other functions: basic coordination but room for improvement
Risk Management first-rank partnersNo relationships < 20%
Risk Management second-rank partnersNo relationship <35%
Risk Management third-rank partnersNo relationship >35%
1 2 3
Risk managers are forging closer relationships with the finance function, compared to 2014, with investments/ investor relations, treasury and business budgets entering into the second‐rank category. This suggests that risk managers are more involved in financial monitoring and financial decision‐making, than two years ago. The IT department is only a third‐rank partner of the risk management function, which is surprising with IT‐related risks and cyber‐attacks on the rise.
The survey indicates that cyber threats continue to be seen as an IT problem and not an enterprise‐wide risk management issue. For ERM to be effective, more needs to be done to fully integrate the governance and risk management of technology risks across the business.
Relationships between Risk Management, Insurance Management, Internal Control and Internal Audit: unchanged organisational model with Risk and Insurance Management together
(all functions together in a single department); 11,0%
(all functions separate in four
different departments); 23,8%
(Risk and Insurance Management together);
33,9%
(Risk Management and Internal Control
together); 7,7%
(Internal Audit separate); 7,7%
(Insurance Management
separate); 15,8%
In line with 2014 survey results, the most commonly used organisation remains Risk and Insurance Management together and separated from Internal Control and from Internal Audit.
Nevertheless, this trend is decreasing (34% in 2016 vs. 40% in 2014).
Risk mapping exercise: widely implemented but room for the development of advanced practices
No risk mapping approach in place yet
GRAPH CAPTION
Emerging Moderate Mature Advanced
Partial approach in place (certain business units/areas, risks…)
Approach in place at global corporate level (strategic, financial and operational)
Approach in place from corporate level down to divisions and business units
5%
16% 17%
62%
8%
15%22%
55%
11%14%
26%
49%
Emerging Moderate Mature Advanced
2012 2014 2016
The survey results previously revealed that risk mapping was an embedded activity in Risk Managers’ agenda. The above graph confirms this trend as 75% of the respondents perform risk mapping: 49% from corporate level down to divisions and business units and 26% at corporate level.
The study indicates a negative trend in the deployment of the risk mapping from corporate level down to divisions and business units (49% in 2016 vs. 55% in 2014 vs. 62% in 2012).
Risk Management technology gains greater significance
52%
47%
46%
47%
43%
46%
27%
N/A – new in 2016
57%
55%
52%
49%
46%
45%
35%
34%
Risk reporting / Risk dashboards
Risk mapping
Risk registers (Comprehensive analysis of all risks related to your business, including strategic,…
Monitoring of risk mitigation actions / controls
Risk quantification (Evaluating the probability of a risk event occurrence and effect) & Risk…
Claims analysis
Risk appetite and tolerance
Scenario Analysis
2016 2014
IT tools such as governance, risk management and compliance (GRC) software are playing a more significant role in supporting risk management activities, compared to 2014.
While IT/GRC tools are mainly used for reporting activities such as maintaining risk registers, risk mapping and risk dashboards, it is encouraging to see that they are beginning to support activities such as scenario analysis.
This development reflects the changing character of risk. As non‐physical or intangible risks, such as brand and data, increasingly make up the bulk of business assets, the value of intelligent scenario analysis and data collection analysis, supported by IT/GRC tools, will also increase. This is an area where risk managers can develop expertise and contribute to their organisations.
FERMA’s insight
3. European perspective
Top 10 RisksThe study reveals that the economic conditions are currently seen as the number one threat tosuccessful achievement of an organisation’s strategic objectives in terms of impact and likelihood.
This is demonstrated by its surge to first place from fifth in 2014 and its mention by 63% of respondents compared to 47% in 2014.
Business continuity disruption has made an entrance into the top 10 and jumped straight into second place. Political/country instability, non‐compliance with regulation and legislation, and competition complete the top five risks, selected by over half of respondents.
Concern has increased about digital risks in various forms and interest rate and foreign exchangeexposures. The latter is most likely linked to the top risk of threats to economic growth.
The rise in concern about business continuity and cyber risks reveals a clear need by companies for more resilience to external threats (industrial damage, extreme events…) and growing awareness following a series of high profile cyber‐attacks. Despite the evolving economic conditions and the increased concern about cyber‐attacks and data privacy, “digital transformation and “strategy execution and transformation programmes” are not among the top ten risks to business.
FERMA’s insight
What are the five risks for which European Risk Managers are the most/least satisfied in terms of mitigation?
Highest level of satisfaction
1. Loss of assets (buildings, equipment,IP)2. Safety & health3. Security4. Quality of products & services (design, safety & liability)5. Environment and sustainability
Lowest level of satisfaction
1. Economic growth/slowdown2. Political, country instability (crisis, war, regulatory
changes)3. Increase of fiscal and taxes regulation (including fiscal
optimization)4. Human resources / key people, social security (labour)5. Strategic project failures
Despite the fact satisfaction levels are higher for those areas of risk where a risk manager can actually mitigate or transfer the risk, the study highlights that among the top ten risks with lowest level of satisfaction, 5 risks are not directly triggered byexternal factors:• Human resources / key people, social security (labour)• Strategic project failures • Cyber‐attack / data privacy• Digital transformation• Market strategy, clients
Satisfaction level – overall risks list
What are the five risks for which European Risk Managers are the most/least satisfied in terms of mitigation?
Satisfaction level – focus on Top 10 risks
Interest rate & Foreignexchange
Business continuitydisruption
Noncompliance with regulation and legislation
Reputation and brand
IT systems and data centers
Market strategy, clients
Cyber‐attack / data privacy
Competition
Political, country instability
Economicconditions
HighestLowest
Mitigation strategies: tailored approaches to risks’ specificities
The survey shows that an ACCEPTANCE strategy is applied forstrategic/external risks in most cases, while TRANSFER andREDUCTION strategies are mainly applied to operational/internalrisks.A risk transfer strategy is applied in a limited number of instances,most frequently where risks are easy to quantify including businesscontinuity disruption and interest rate/foreign exchange.
External risks AcceptEconomic conditions; Demographics; Political, country instability; Increase of fiscal and tax regulation ...
• Internal risks ReduceStrategic project failures; Security; Safety, health; Non‐compliance with regulation and legislation …
Risk coverage strategy: tailored approaches to risks’ specificities – Focus on TOP 10 Risks
0%
20%
40%
60%
80%
100%
Reduction Transfer Accepted
Mitigation strategies: tailored approaches to risks’ specificities
68%
66%
65%
65%
64%
Strategic project failures
Security
Fraud, Bribery and Insider Dealing
Safety, health
Noncompliance with regulation andlegislation
Reduction strategy
66%
46%
34%
33%
29%
Loss of assets (buildings,equipment,IP)
Terrorism
Business continuity disruption
Interest rate & Foreign exchange
Supply chain, outsourcing/offshoring, logistics & transport
Transfer strategy
69%
68%
66%
56%
48%
Economic growth/slowdown
Demographics
Political, country instability (crisis,war, regulatory changes)
Increase of fiscal and taxes regulation(including fiscal optimization)
Competition
Acceptance strategyThe economic environment and political instability areconsidered the highest accepted risks, and these are also theareas of risk with the lowest level of mitigation, because thereare limits to what businesses can do to mitigate/hedge againstsuch forces.
Non‐compliance with regulation and legislation, reputation andbrand, and cyber and IT‐related risks have a lower acceptancelevel. Here, risk transfer or risk reduction can be used.
'Reduction' and 'Acceptance' are considered to be the mostcommon strategies, risk transfer being a viable alternative. Riskmanagers are willing to put in place internal processes to reduceexposure or to accept these risks.
Risk map 2016
5 high risks have a low level of mitigation ("improvement zone") The improvement zone represents high risks with a low level of mitigation. The survey indicates that out of the five risks in the improvement zone, three are strategic or external risks:‐ Political, country instability‐ Economic conditions‐ Market strategy, clients
Two operational/internal risks in the improvement zone are not included in the top 10 risks but are key topics for risk management:‐ Human resources / key people, social security‐ Supply chain
The two new risks join the top 10 in the monitoring zoneThe monitoring zone represents high risks that are assessed with a better level of mitigation than others.A majority of operational risks can be found in this zone and are high on the agenda for risk management.
The two newly introduced risks in the top 10 ‐ business continuity disruption and cyber attacks/data privacy – directly join the monitoring zone.
The survey reveals that European organisations surprisingly rate risks related to ‘digital transformation’ and ‘strategy execution and transformation programmes’ with low impact and likelihood, whereas they both are ‘hot topics’ in the context of a changing economic environment.
Risk map 2016
European Priorities
Our study uncovers three clear priorities for FERMA on the EU stage:• Establish official recognition of the Risk Manager,• Advise on implementation of Data Protection Regulation and • Represent risk managers’ views on increased reporting and transparency requirements.
1. Recognition of the profession (legal basis)
The survey shows a strong desire for official recognition of the profession, not only by organisations but also by public authorities. There is a broad support for the establishment of a legal basis for the profession (57%).
Respondents believe that risk management should be embedded in non‐financial sectors as a matter of good corporate governance and resilience. The position of the risk manager is not yet considered mandatory outside financial services.
FERMA’s strategic vision is of “a world where risk management is embedded in the business model and culture of organisations”. It is our mission to achieve greater recognition for risk managers among EU policymakers and raise awareness among EU institutions of the fundamental role of risk managers.
FERMA’s insight
European Priorities
2. Digital (cybersecurity and data protection )
Cyber is the top priority for risk managers (combined 68%)
Survey shows that cyber is an enterprise risk and not an IT risk only by stressing the risk manager’s role concerning cyber risk assessmentRisk managers are in need of a methodology to better manage the cyber risk and ways to optimize the distribution of their financial investments, notably:
• Cybersecurity norms• The insurance solutions tailored to the needs of their organisation
Data protection is the top European priority (55%) and a compliance challenge for risk managers. Companies will have to comply with new requirements when the EU Data Protection Regulation comes into effect in 2018. Risk managers are especially concerned about the notification of data breaches and possible fines, the appointment of a data protection officer and the data protection impact assessment to be performed.
FERMA will focus its efforts on providing information and advice on the implementation of dataprotection and continue to stress the importance of ERM in the management of digital risks, includingcyber.
FERMA’s insight
European Priorities
3. Corporate transparency
Corporate governance and transparency come in third place with 52% in the context of:1. New EU proposals for corporate transparency and extended reporting requirements (Country by Country Reporting
and Non‐Financial Reporting)2. The OECD (Organisation for Economic Co‐operation and Development), Base Erosion and Profit Shifting (BEPS)
recommendations, published in October 2015 and their impact on captives
The study shows the demand to explore these wide‐ranging risks (52.2%) – from reputation and global competitiveness down to cross‐border synergies and their management – and implement a finely balanced set of requirements, taking into account checks that ensure the right level of transparency while bearing in mind the inevitable administrative costs they will impose on companies.
FERMA has been active on this dossier and will continue to be involved and advocate for• The inclusion of ERM in the Non‐Financial Reporting Directive guidelines• The role played by risk managers in the context of Country by Country Reporting• The recognition of captives as a needed risk financing tool for companies
FERMA’s insight
4. Insurance: Evolution of the Insurance Market and Risk Managers’ Expectations
Loss control and prevention become priority number one
Foreseen changes to insurance programmes as a resultof the current financial and economic climate
Strengthening loss prevention activity is the mostimportant expected change to insurance programmeswith an increase of 10 points since 2014, as a result ofthe current economic and financial climate. Nearly 54%of risk managers intend to invest in loss preventionactivity in order to seek balance‐sheet protection. Thisconfirms the value to insurers of providing of riskengineering services.
The study also shows a decrease in the importance ofnegotiating long term agreements or roll‐overs,compared to two years ago (43% in 2016 compared to50% in 2014). This is a clear indication of a soft market,and suggests that buyers do not expect rapid changes inpricing levels.
There is a noticeable increase in organisationsaccelerating their claims settlement process from 24%in 2014 to 31% in 2016.
Insurance buying patterns
There have been no clear changes to insurance buying patterns in the last two years. There is a tendency for retentions, limits and lines either to increase or stay the same, reflecting the continued soft market.
It is interesting to note is the rise in the use of ERM tools to guide insurance purchasing decisions from 15% in 2014 to 20% in 2016, which seems to underline the increased combination of risk management with financial decisions.
Compliance with local regulations remains a key consideration for international coverage.It is still by far the most important reason for implementing standalone policies in certain countries (54%).
There have been no significant changes in service delivery regarding the issuance of multinational policies, compared to 2014.
Compliance to local regulation remains a key consideration for international coverage
Policies issued… 2012 2014 2016 Trend
… before inception date 15% 18% 18%
…within 3 months of inceptiondate
65% 68% 67%
…more than 3 months afterinception date
20% 14% 15%
There have been no significant changes in service delivery regarding the issuance of multinational policies, compared to 2014.
Loss control services and claims handling
60% 61%66%
48%
35%
58%
66% 68%
46%41%
Property Liability (public,products)
Cyber D&O Motor
For service providers (brokers, insurers, third parties)
Within own organisation
Main areas of improvement related to loss control services alongside insurancepolicies
Claims data are more important than ever, according to the study. Risk managers increasingly use claims data to conduct insurance programme retention optimisation (66% in 2016 compared to 57% in 2014) and insurance programme limit optimisation (45% in 2016 compared to 47% in 2014). Assessing the cost of uninsured risks ranks third in terms of use of claims‐related data (45% in 2016 compared to 33% in 2014).
Tailor‐made and user‐friendly reporting capabilities as well as claims management tools remain the toptwo priorities for improvement in terms of IT platform/portal for risk and insurance management, eithervia an in house or external solution.
For both service providers and within their own companies, risk managers believe that cyber, liability and property are the mainareas for improvement in relation to loss control services, alongside insurance policies.
Loss control services and claims handling
The three main areas of improvement for service providers (brokers, insurers etc) related to loss control services and claims handling asked by risk managers are:
• Confirmation of coverage as quickly as possible (38.7%)• Policy wording tests (36.9%)• Co‐ordination between teams involved (35.5%)
Other important areas of improvement include building relationships at the pre‐loss stage between insureds, insurers and brokers, and lessons learned in the post loss stage. Transparent and clear communication is needed at all stages of the claims process: prior to a loss, during a loss and after a loss.
For companies themselves, key areas of improvement are different.• Lessons learned analysis is key for risk managers with 53.9% believing that they need to improve this within their
organisation.• This is followed by crisis management simulations at the pre loss stage with a 10% increase in improvement required
versus 2014, and the setting up of claims handling procedures and the co‐ordination between teams involved.