ERM is becoming one of the key issues, with recognition that risk might be a positive factor

THIERRY VAN SANTEN: I've divided this discussion into two parts - enterprise risk management (ERM) and insurance, reflecting the concerns of people in our industry. Starting with the status of ERM in Europe, what are your views of progress in your own countries, new trends such as corporate governance, the emergence of CROs (chief risk officers), risk disclosure and reporting to stakeholders such as investors and the public as well as the board and audit committees, and risk financing issues?

I see some differences in approach to ERM in Europe, as well as a very significant trend towards a new concept where ERM is becoming one of the key issues, with recognition that risk might be a positive factor in some cases and also that risk must be addressed with care by top management and the board.

Do you share this vision? Is ERM really emerging or do you think that it is still only a concept?

LARS ANDERSEN: We still have a long way to go in Denmark. There are the big industrial companies but the majority of companies are very small and have no interest in ERM, merely buying insurance. The very preliminary stages of ERM are developing in the big companies, usually starting with the treasury people who look solely at financial risks asking risk managers if they can contribute something else. But maybe only 10 companies are moving in the ERM direction.

THIERRY VAN SANTEN: Do you think that SOX (Sarbanes-Oxley) has been an influence or not?

LARS ANDERSEN: Only around three companies in Denmark are listed on the New York Stock Exchange so they are the only ones that need to comply, although of course we do have subsidiaries of American companies. In my risk surveys and interviewing our local people, sometimes I have arrived before the SOX people and sometimes afterwards. Sometimes we were asking the same questions - but sometimes we asked a little more than the SOX people. So I am not too impressed with SOX. It is the typical American approach of saying we will do the same things each time but whether these are good or bad is not taken into consideration. As long as you can prove that you do the same thing over and over again, it is okay. We focus more on common sense. And you have to spend a lot of money on SOX.

VICTOR VERESHCHAGIN: As you know, our risk management association started just two years ago and risk management was a zero area in Russia a few years ago. Our society is trying to develop industrial risk management for all Russian companies, not just big ones but small and medium sized companies too. We are trying to adapt the risk management standard of FERMA to Russian conditions because our situation is different to other European countries. However, some big Russian industrial companies and professional risk managers are participating in our society's activities and we are moving towards risk management more and more.

THIERRY VAN SANTEN: When I look at Russia and other European countries, I see that there is a difference between the approach to risk management in the west and in the east. In Western Europe we have seen steady progress year after year and in Russia, with its huge political changes, you are 'burning steps' and going from zero directly to the objective. It's faster.

It is the same in China, whereas in other countries the approach is more gradual. What about in Germany?

EBERHARD KNEBEL: I'd like to refer to the FERMA survey on how risk management is organised in Europe. The sample was around 280 companies in Europe.

The respondents were mainly the insurance managers or CFOs. And the result was that 50% of the insurance people deal only with operational risk.

Operational risk exists up and down the supply chain, the production chain and the sales chain. In my experience as former risk and insurance manager for BMW, that only accounts for 10% of the risk. 40% of the risk of a company is to do with finance - fluctuations in currency exchange rates, interest rates, etc. This is normally left out when we talk about risk management in these circles. The rest of the risk, 50%, depends on behaviour and leadership.

ANDREW KENDRICK: That is reputational risk.

EBERHARD KNEBEL: Yes, that sort of thing. When we talk about risk management, we leave out the 50% accounted for by the behaviour-related risk. For example, with regard to product liability, punitive damages can be up to 70% because of management mistakes. That is leadership risk, managerial risk and reputational risk. When we talk about risk management in groups such as this, we only talk about 10% of what the real risk in a company is. We leave out the finance risks and the behaviourally related soft risks completely.

When reporting on this 10%, I interviewed my former BMW colleagues to find out what practical approach companies such as BMW take, looking at the supply chain, the production chain and the sales chain. For example, what does the factory manager do in relation to risk management? He is responsible for the factory, making sure it does not burn down, there is no business interruption and no quality failure. So he builds an interdisciplinary group of people who ultimately sit down together and talk about their risk. What is the risk for this particular factory? It is to make sure it does not burn down or that production is not interrupted or to consider the results of natural catastrophes. That is a team job. For that reason, there is no CRO in any German company and I do not believe there will ever be one. No one person can know everything. Everybody to some extent is an owner of risk and needs interdisciplinary people to consult with.

An experienced risk management consultant consults with particular risk owners using his knowledge of the other ones. That's what I call an interdisciplinary approach. A risk manager such as Thierry is a welcome consultant to a risk owner. Fruitful cooperation leads to an improvement in risk management

The problem is in getting a consistent standard in, say, 150 countries.

People have different perceptions of risk and risk management. There needs to be something on top of that, a risk philosophy. That is not yet defined and I do not know any company that really has a risk philosophy covering the leadership or reputational failure issue, the finance failure issue and the operational failure issue. That is the direction we need to go in for further development in this area.

ANDREW KENDRICK: Don't you think that, given the advent of Basel II in the financial services sector, the banks are much closer to identifying this? They look at finance risk, credit risk, sales risk and reputational risk. When we spoke recently to one of the chairmen of the largest banks in the world, he said that his most feared risk was, without question, reputational risk. If no one wants to bank with his bank or buy his products, it is over for them. Financial institutions are, arguably, better equipped to manage the finance and the credit risk, because that's their business.

But managing reputational risk is the same for everybody. It is very difficult to ascertain and as for allocating capital towards how you manage that risk, I think that is virtually impossible, but it has to be dealt with at some stage.

EBERHARD KNEBEL: The CFO of BMW has said that if he considers the leadership risk side, financial risk side and operational risk side, he thinks the finance risk is the best developed and the most sophisticated. And he has appointed a CRO, the number two person in the finance hierarchy. He is regarded as the risk coordinator and has been tasked to see whether the most developed risk management expertise of the finance department cannot be applied to the other two areas. The immediate reaction by my successor in BMW is 'no way'. You cannot apply the rules of a highly sophisticated financial department risk management system to the others. The rules are not directly applicable or transferable, although you can learn a lot from them. So the answer is both yes and no.

ANDREW KENDRICK: The principles can be applied.

EBERHARD KNEBEL: Yes, but then you have a lot of work to do, because that, to my knowledge, is not the real practice in companies. If you are saying the best risk management knowledge is in the finance department, then it is a risk transfer process. How do you do that on a best practice basis across the world?

In Germany, medium-sized companies are aware that there is something going on but it is not being done very professionally, to a large extent.

The major companies, however, are thinking about how to coordinate the whole thing within some sort of risk philosophy, learning from best practice, particularly within finance departments.

THIERRY VAN SANTEN: It is true that in my company there is this consultative role of coordinating, networking, benchmarking and developing best practices.

We went further a few months ago with the former CFO taking on the position of CRO and now handling the merger of all of these things. This step is due to the need to report to the board. It is very good to have many people - all the general managers the people working for them - managing risk, but ultimately we must disclose risk to the board. For this, we need coordination.

OLIVIER SORBA: You said that financial risk methods tend to spread across other areas, Eberhard. Does the way that KonTraG (German Business Monitoring and Transparency Act) is written push in that direction?

EBERHARD KNEBEL: If you look at the history, KonTraG, the control and transparency law in Germany, came into force in the post-Leeson period.

Leeson, based in Singapore, managed to bankrupt Barings Bank almost overnight through lack of controls. The first reaction of the Ministry of Law in Germany was: one has to do something to avoid it. They enacted a law which refers to 'any risk which is threatening the existence of a company', but what does that mean? They could not explain clearly what they wanted, so everybody now interprets it differently. At first, after 1998 when the law was enacted, chartered accountants reported at the end of the annual report that everything was compliant with the law. Now there are two or three pages. It is getting more sophisticated because there is greater awareness of many losses and major failures that have been exposed around the world.

MARIE-GEMMA DEQUAE: As in other countries, the environment in Belgium is changing. We see new corporate governance legislation for both quoted companies and also for smaller companies. That is the Code Buysse; Baron Buysse is chairman of my own company's board. In our group, we are focusing on corporate governance, but there are also compliance and ERM. We are not the only people involved in that process. There are a lot of consultants and other people in the companies involved with risk management. Indeed, risk management is becoming more a process or a fact of management in the company, so that everyone has to be part of the risk management culture.

If you look at what is happening from the risk manager's point of view, most of the risk managers in Belgium are insurance managers getting into treating risks in a processed way. The question is, with the environment changing and with COSO (Committee of Sponsoring Organisations) providing a good framework for looking at risks and the internal auditors involved in these risks, what will the position and status of the risk manager be in that whole process?

I think it will depend on the culture of companies. Most larger Belgian companies are evolving to ERM, but I cannot say that all risk managers are becoming CROs. As risk managers we have ensure that we are involved with that evolution from the beginning, bringing our added value. We need to be part of a team approach in which risk is very important. We will have to train a lot of people, even top management, in risk awareness.

We have to be a part of the whole process of corporate governance, compliance and ERM.

It is still a process of evolution. One of my colleagues is training to become an internal auditor because he views the future of the risk management process in his company as being more directed within that audit function. There will certainly have to be collaboration between different functions, not only internal audit but all functions where risk elements are involved. We will have to collaborate to a great extent.

THIERRY VAN SANTEN: I'd like to make one point here because that's a very specific issue. It reminds me of what I said in a speech at the last AMRAE conference. Firstly, the good news is that risk management is becoming very important in every corporation. The bad news is that you will not be the people who will manage it. That is an issue. The other thing is that internally we still have discussions about general controls and risk management. I have been involved in various discussions over the past few months with the people involved in the legal side and in internal controls, and the roles of the various departments are becoming clearer to me. The auditor is not required officially to be the risk manager of the corporation, but he is required to be independent. The model is basically that the risk manager touches upon any kind of risk: strategic, financial and so on. Internally, he checks that things are done as well as possible and in accordance with the law and sometimes investigates certain types of risk that are unclear. He is there to help the business take risks and report big risks to the board. Internal audit is there to check that everything is operating in the right way. Internal control is something else - they try to implement SOX, other procedures and the documentation needed, and COSO. So I think there is a clear distinction between the roles of the risk manager and internal audit.

From Belgium, let's go to France.

OLIVIER SORBA: A lot of things are happening very quickly, but we too have that split between ERM and people who are only dealing with some kinds of operational risk or just insurance.

Questions about the standards of some risk management were raised very sharply first by the public and then by regulators. As a result, we now have several new laws. The first applies to listed companies. The law says that you must give specific disclosures on risks and risk management.

It goes as far as including giving the limits on insurance contracts and practically a list of insurance contracts. I think this is quite unique and it poses a real problem for all of us in trying to explain to the authorities that we may do things differently and there are other types of risk than purely insurable risk.

There is another law which is very much like SOX but slightly less stringent.

It is broader and is not limited to financial risk. That has given a very strong push towards ERM, with risk maps and so on gradually becoming standard.

In fact, the market authorities state that more than 20% of listed companies now refer to the fact that they have risk maps. In meeting these requirements, we have to realise that our relationships with the internal auditors are growing stronger and more important.

Having worked in risk management for many years, I've always hoped that the concept of risk would rise in importance. As Thierry said, the good news is that risk is very fashionable. But perhaps it is becoming a bit too fashionable. When you look at the parliament reports and the regulators who are preparing the laws, there is a tendency to think that everything can be managed starting from risk, which is not true. Risk is secondary to the business itself. If you put it first, you will have a lot of problems.

That's the first point.

The second point is that the financial methods to deal with risk are much more developed - and then you have insurance, and then commonsense.

Many people tend to think that you can manage any risk starting from the financial methods but that is simply not true. In fact, making a list of all risks is practically impossible. However, with the way the law is structured in France, the company president must sign a document saying that the internal controls are in place. In a few years, the authorities will require the president to also give an opinion as to the effectiveness of those controls. When you recognise that it is impossible to make a list of risks and understand that the law says that risk is part of internal controls, then your president will surely end up with legal problems in a few years. One day, some risk will happen and it will be a problem.

We suffer from our success, in some ways.

On the other hand, a positive development is that as an association we are listened to more and more. The AMF (Autorite des Marches Financiers), the French equivalent to the US Securities & Exchange Commission, decided to start a working group on an internal controls framework. If the president has to publish a document, on what basis will we judge the document? What is the reference point? It is a very important topic in terms of a company's competitiveness and I am very glad that the AMRAE was invited to take part in that working group. We hope to exert some influence in the areas that I've mentioned to avoid too extreme measures.

THIERRY VAN SANTEN: I'd like to add to what Olivier said about the problem of risk and internal controls. People who have implemented SOX now understand that SOX is not protecting the company against risks. It is a purely formal process. When we benchmark, we know that SOX will only address 25% of the risks, and usually it is the small ones rather than the big ones.

We have said that we think we should go ahead in focusing more on risk management than on compliance and internal controls. There are some companies, especially in London, which focus on risk management rather than on compliance.

That is something which is in the air now and I think it will be the next step, but it will take some time.

EBERHARD KNEBEL: In the discussion before this meeting, we debated whether or not a risk manager, wherever he sits in the hierarchy, should get a right of veto or not. A veto puts strength in his position but would be against the corporate contract, based on companies like BMW. You are responsible for your business but you are also responsible for your risk. You cannot have someone who has a veto against your risks but has no veto against your profits. In the end, one should bear in mind what that means. If you want to strengthen the position of the risk manager somewhere and give them a veto, this is a very strong position. However, in my understanding of the corporate culture, that is not the right way to do it. Nevertheless, it is worth thinking about.

Thierry is the chairman of the chairmen, or what have you, of various hierarchies of committees. We have to avoid this sort of thing in risk management. We should not have decentralised policies all over the place, producing a lot of red tape. It must be a lean hierarchy and a lean administration; otherwise, one cannot improve in terms of costs and time. But if you have a group of companies around the world, how can you concentrate all of these things in very few people, ultimately reporting to the board, avoid red tape and do the right thing?

OLIVIER SORBA: To get people to face their responsibilities, you need some set rules.

THIERRY VAN SANTEN: Ultimately, the CEO and executive committee or the board has the right of veto. You can manage risk top-down, but I think that is the wrong answer. A top-down approach which means vetoes on everything will not produce good results. In a bottom-up approach where everyone has to manage risk, risk managers can provide the tools to help manage risks and will have a good vision of what is going on in the company.

But at the end of the day, even in this bottom-up approach we need a group of people at head office to share the information to be sure that that we understand where the problems exist. Ultimately we have to report to the board and are obliged to give good information.

EBERHARD KNEBEL: For me, the secret is a good flow of information between responsible people. For example, the biggest food dealer in Europe has a risk questionnaire consisting of eight questions, on one page. The leader of every business unit must sign that he is in agreement with this questionnaire.

There are more questions behind these eight questions, which are also signed off either directly or indirectly. He is responsible for fulfilling certain requirements based on just eight questions - no red tape. If he does not meet those requirements, he is out. That can also work in this way. You can have a partially top-down approach, asking him to sign off on the eight questions. He is not responsible for the rest of the organisation, but he must organise it within his own unit.

THIERRY VAN SANTEN: Let's turn now to the last continental European country represented here - Portugal.

JOSe MANUEL DIAS DA FONSECA: Until the 1970s Portugal was closed to international companies and products, with a very protected economy behind a dictatorship with no international relationships. Portugal opened its economy in the 1980s, and there has been a revolution, mainly in the financial sector.

Sometimes there is an advantage in being later, because you can learn from the mistakes of others. We have a very good, modern financial sector, especially the banks. Also, because we are now such an open country in terms of imports and exports, we are very used to dealing with risks like exchange rates, political risk and so on.

Like Denmark and Italy, our economy is based very much on medium-sized companies, with very few big global companies. I am very optimistic about the development of risk management in these. Since the 1980s, our managers and our companies have been very open to international trends and new ways of managing. In the 1990s, the big Portuguese companies established captives. They are now more international, closer to the big insurers and brokers, and more modern in terms of risk management.

The events of September 11 in the US were very important because the cost of insurance doubled or even tripled in some cases. That changed the way in which CEOs and financial people looked at the insurance sector.

They looked at the costs and decided that something must be done. Before they were very dependent on insurance. Although Portugal had only a few insurance companies they could solve a lot of things. But after September 11, it became more difficult and, in looking more closely at insurance, we became more aware of other risks - not only financial risks, but also operational risks - and also the possibility of retaining some risk.

Most big Portuguese companies now have risk management departments. Some have important risk management structures, depending on the approach of the CEO, president or vice president of the company. We have tried to profit from the creation of the Portuguese association and our integration in FERMA and this world of risk managers to promote this discipline.

In terms of corporate governance, we do not have strong regulations such as SOX. We do now have a corporate governance institute, one of the leaders of which is the Portuguese president of the European Corporate Governance Institute. Big listed companies are disclosing a lot of information; not because they are obliged to, but because it is a trend and because of issues of reputation.

We still have very sparse risk management in terms of people from treasury and the operational risk side. The people involved with reputational risks are usually the CEO, the communications adviser and so on. These are often not integrated. Some Portuguese companies have set up risk management committees, led by the CEOs, which meet three or four times a year and discuss everything related to the company in different countries. Some companies have even established global minimum standards in their industrial businesses, with significant encouragement from their insurers. Portugal is still a small economy but it is increasingly open and has made real improvements in this field.

GEOFF LINGHAM: In ERM the risk manager cannot be the expert in all areas of risk. As we heard from Eberhard earlier, the part in which they are traditionally involved is a very small proportion of the total. With AIRMIC, we have been working very closely on cooperation with corporate treasurers and internal auditors. In some of the best-run companies, certainly in the UK, I have seen more of a coordination role for some risk managers, ensuring there is some alignment of their colleagues in treasury, operations, quality areas and, particularly, corporate communications when it comes to reputation. The difficulty for many is obtaining that standard internationally when you are dealing with many different cultures that have different perceptions of risk? I don't know anybody who has yet come up with a 100% solution to this.

Another issue is that with ERM we are concentrating very much within our own organisations. However, every company is increasingly outsourcing processes, services and sub-assemblies to other organisations. Their actions can have a very big effect on our reputational risk, and the boards of companies are becoming quite concerned about how to manage this. You can find that a key part of your business - your reputational risk - is actually in somebody else's hands, over which you have very little or no control.

THIERRY VAN SANTEN: This type of outsourcing risk is typically one of the jobs of the risk manager. We're here to bring to the attention of the board or executive committee the degree to which the group depends on other organisations. We can provide some key added value to the company, along with looking at new risks that can result from consolidation of suppliers. These are things we need to look at, keeping in mind that our role is to be a coordinator, a transverse function. The biggest challenge is to bring strategic risks such as these to the table and to task risk owners with managing those risks properly. We first have to identify - sometimes difficult - who owns the risk.

GEOFF LINGHAM: That is why we do not like to use the title 'risk manager' in my organisation. That suggests ownership of the risk, which I certainly do not have. It is the person within the production unit, possibly the general manager, or the sales division or whatever. We are there to give them help, advice and support. We provide a framework which enables them to properly manage their risks.

THIERRY VAN SANTEN: I would like to return to the cultural issues. In the last few years, we have been creating a specific risk map for every business unit in the company. Initial reactions to risk are different in China, Indonesia, Italy, the UK or the US. But at the end of the day, when we are working with them on their risk, they all face similar challenges and issues.

GEOFF LINGHAM: Management at the process level is easy to handle in itself. The cultural issue often comes from the thousands of employees or team members worldwide.

THIERRY VAN SANTEN: But I believe that ultimately these differences are not significant in terms of risk management.

EBERHARD KNEBEL: You asked how to deal with reputational risk management.

I agree that you can be a framework supplier. The responsibility is with the risk owners at the upper level of management, those who have a legal liability as directors and officers (D&O). But if we look at the landscape of managerial failures, those arising from breach of legal liability and which may be indemnifiable under D&O insurance are probably no more than five per cent. For the other 95%, it is a matter of self-education. There may be a contradiction culture within the company - a CEO who is completely insensitive to the fact that his communications are wrong, or one who only allows contradiction from a small circle of people around him and will not accept constructive criticism from anyone else, even though it's for the good of the company.

Insurers cannot help. They go by the claims statistics to decide how much premium to charge. They don't know the risk, the managerial methods and the psychology within the company. Reinsurers go entirely by figures.

They never see a client. Direct insurers prevent reinsurers from being involved or prevent insureds being involved directly with reinsurers.

As long as there is no risk dialogue with the reinsurers who are the ultimate risk carriers, then there will be no solution to insuring reputational risk beyond the legal liabilities.

MARIE-GEMMA DEQUAE: One important element of ERM is that enterprises are changing a lot. For risk management and risk managers, it is important to be very involved in changes within the company. I was recently involved in selling 20% of our company and now the entire portfolio of risks is changing. When you are involved at the start of these due diligence discussions, that is when we need a right of veto. You can say then whether a risk is inappropriate for the group. Again, it requires a team approach, but as risk managers we can help a lot in evaluating risks and informing the decision.

THIERRY VAN SANTEN: There is no Italian association representative here, but perhaps Jeff Moghrabi could let us have a brief description of what he sees in the Italian market?

JEFF MOGHRABI: As you know, Italy has had its share of big financial scandals. All risk managers agree the key issues are reputation, governance and regulatory risk. There is a bit of confusion as to how to face these issues. Is it through internal audit, the legal department, consultancy firms or risk managers? As we've said, risk management is a team activity and that means you need a very strong team leader in the organisation.

Ideally, it should be the CEO.

As a country manager for ACE, one of my most important activities is to be a risk manager and a team leader for my organisation. When I talk about risk here, I am not talking about underwriting risk or whatever but the business agenda.

We have our own version of SOX - law 231 - that deals with financial and corruption risk. The board is responsible for all corruption risk, including something done in good faith by an employee, regardless of his level. It is not just a formal law. It implies that people must model their organisations and be able to prove to the attorney general that they have the necessary risk controls in order to avoid criminal prosecution.

We also all live in societies in which there is zero tolerance of risk.

These are some tough issues that we must deal with.

Risk managers must be team players and help bring various issues to the board. Boards often make decisions on investment against return, without really considering risks. Risk management should shed light on investment versus risk, in a very pragmatic manner, providing a number of scenarios to better inform the decision-making process.

On the issue of who does this, I believe it should be the best team leader, the guy who knows the corporate culture and the business very well and who is credible to the entire organisation. He will not know everything and there will be some difficult problems to deal with but he must be the most credible person for the organisation. He must respect the corporate culture. As Olivier said, if we put risk before the business and business behaviours then we are in big trouble. I think Italian risk managers agree this is the issue. The question is how we can contribute to that and make our contributions at board level.

THIERRY VAN SANTEN: If the risk manager is not the team leader, then he is not doing his job. The true role of the risk manager is as coordinator.

The auditors need to have a vision of the business but they are not running any process. The legal department is managing the legal risks. The CEO is managing operational risk. The role of the risk manager is coordination and being a team leader.

OLIVIER SORBA: There is a new task which is preparing reports and thoughts about internal controls, perhaps only half of which involves risk, so it may or may not be the responsibility of the risk manager. In any case, the risk manager must deal with risk and internal controls and joining these together. To do that, you need a team.

THIERRY VAN SANTEN: Yes, but we're asking the question: who is the team leader? At the end of the day, it is the CRO or the risk manager, someone who is a coordinator dedicated as the team leader - because others must manage their risk.

JEFF MOGHRABI: In many organisations, there is confusion around the risk manager's true role. In some organisations the risk manager is called a safety engineer. In other organisations, perhaps it is a legal adviser.

In that sense, the risk manager's role is really defined within the corporate culture of every organisation. It is not a one size fits all.

OLIVIER SORBA: There is a tendency for people to think that the first day of the year, you think of the risk; on the second day, you devise solutions; and for the rest of the year, you implement them. It does not work like that, and implying it is dangerous, because you have to make representations on how it works in official communications. Many of the frameworks and sets of rules and internal controls are simply there because history put them there. If we revise everything based on pure calculation at the beginning of each year, it will not work and then we will have problems, because we have to be able to state that it works.

GEOFF LINGHAM: One point we have not mentioned on ERM is the upside of risk. We can help our colleagues to leverage risk and there are situations where we can really add value to the organisation. That helps our position within the organisation as well, rather than purely concentrating on the negative side. There are situations where colleagues are perhaps a little reluctant to take certain risks. They have difficulty in measuring and quantifying them and we can help. That is a very important element. We must look at the upside as well.

THIERRY VAN SANTEN: That is a good point on which to conclude the first half of this discussion. First, it's part of the FERMA philosophy. Second, recent FERMA surveys show a significant and growing trend of corporations switching from a negative view of risk to a more positive view. That is an excellent marketing tool to use within your company, discussing risk in a positive light rather than a negative one.

Moving on to the discussion about insurance, when I was at the RIMS (US Risk and Insurance Management Society) conference last week, various senior people from brokers and insurance companies asked me questions like: What is the opinion of risk managers about what is going on in the insurance market? What do you talk about when you meet with colleagues? In fact, when I meet with colleagues, we talk about risk management, accounting rules and SOX, but not really about insurance. And we are much more focused on accounting issues when talking about insurance than commissions. After some years of turbulence, insurance might be considered one of the issues but it's not the most significant that we have to deal with. That is my opinion. What do you think about the organisation of the market, the open market and cross-border transactions, and the smaller number of players in the market? Obviously, we cannot avoid talking about remuneration, commissions and transaction costs.

LARS ANDERSEN: Since 2002, we have had legislation in Denmark whereby brokers have to inform the client whether or not they receive commission and the size of the commission, even if the client does not ask. We are used to that transparency. However, we live in a global world and if I use one of the large brokers, we don't know what they may have agreed in New York, Chicago or wherever.

We see some problems in our insurance market because it's becoming smaller and smaller and insurers are becoming less interested in big industrial clients, so we have to go to the London market. In respect of security, we also have problems. Why should I place my insurance with a company which is less stable than my own? And we are also seeing more captives, which creates other problems, such as letters of credit, and fewer fronting insurance companies. There are big challenges for risk managers.

ANDREW KENDRICK: As insurers, we fully support disclosure and transparency.

We do not have an issue with you understanding how we price risk. I think the intermediaries have a duty to disclose, but in the UK the FSA has not made this mandatory. It is up to the client to ask the intermediary for disclosure. Do you, as risk managers and as buyers of insurance, want to know what your broker is earning out of the deal? Or don't you care?

OLIVIER SORBA: Everybody knows that the broker has to make a living. That's not the issue. But the only way to avoid a conflict of interest getting in the way is to know how much he is paid.

THIERRY VAN SANTEN: There are several issues. One is about advice, in terms of the choice made by the client based on the offers from various companies proposed by the broker. If the broker offers three proposals, you need to know what links exist between the broker and the carriers.

We are working with other organisations - BIPAR (the European Federation of Insurance Intermediaries) and CEA (the federation of national insurance associations in Europe) - on this and hope to publish some guidelines.

The first issue is to identify the links between the broker and the carrier, as it can lead the broker to push one product over another, perhaps more appropriate, product. It is a basic issue, the only way to avoid bid-rigging.

It is only human nature, unfortunately, to push the product of the company that's paying you the most.

The second issue is the transaction and servicing cost. How can you compare the remuneration where one insurance company is just providing capacity and the broker is providing advice, administration and perhaps services like engineering or claims handling with another proposal where the insurer is giving you all the services and the broker is doing nothing? In order to get good visibility about what each costs, you need to know the cost of servicing, the cost of the pure risk transfer and the cost of the transaction.

At the end of the day, that's good for everyone.

JEFF MOGHRABI: Brokerage operations, within their own organisations, confuse the activity of intermediation for consultancy and servicing, even in terms of timing. They have difficulty in defining and distinguishing these services and calculating how many hours they need to spend on each element.

THIERRY VAN SANTEN: At the end of the day, we need to work much more professionally. At present, I have the insurers' engineers, the brokers' engineers and my own engineers - all professional people doing a job and being paid for it. I would love to be able, in five years' time, to choose which organisation to use for each specific service so that I could mix and match the package I want.

ANDREW KENDRICK: I do not think risk managers have enough control over the negotiation, because the information you are receiving is not clear about the costs, the types of services and who offers the service. From an ACE perspective, we are trying to drive transparency into the entire relationship.

GEOFF LINGHAM: There is a danger that we are becoming so focused on this question of commissions that we are ignoring that of contract certainty.

We need to understand that there are wider issues; it is not purely a question of transparency of commissions and so on.

THIERRY VAN SANTEN: We have to improve most of the processes, including contract certainty. That is also part of the cost. Currently preparing a manuscript form policy takes many months, lawyers, etc. We must move to greater standardisation that will reduce both time and cost.

ANDREW KENDRICK: I think we can achieve contract certainty very quickly, even in the case of the manuscript form. If we are continuing to negotiate the coverage, we could put something mutually agreeable in place in the meantime. For example, assuming your insurance starts on 1 January and we will be negotiating for six months, at 1 January you have a policy which stays in place until we decide on the manuscript wording when it reverts to that. To my mind, that is contract certainty and I think we can achieve that quickly. It may not be exactly what you want, but for the time being it is better than having nothing at all.

GEOFF LINGHAM: There are not many industries where you purchase something without having a clear idea of what it is you are purchasing. Many colleagues within your own corporation have some difficulty with this concept, because it is not something that we do in any other area of our business.

MARIE-GEMMA DEQUAE: When you sell part of your business, at the date of the sale they need policies. That was a very interesting experience that I had!

ANDREW KENDRICK: In the UK, the FSA (Financial Services Authority) is now forcing us to come up with our own solution. They will then police that very strongly

MARIE-GEMMA DEQUAE: The financial authority in Belgium is looking at what we are doing with regard to commissions. BELRIM and the association of big brokers have now finalised a position paper and the next step is to include the association of insurance companies. The paper sets out that the agreed commission for services should be written down between the insurer and broker, with an end to purely contingent commissions.

THIERRY VAN SANTEN: There is an EU directive on intermediation at the moment which talks about transparency. It is very clear that if the market does not solve these types of issues on its own, these will be directed to the Competition Commission with its ability to impose sanctions and such like. However, I am very confident that our work with BIPAR and the CEA will solve these problems.

Returning to cross-border transactions, local regulatory issues can lead to confusion. What are your views?

LARS ANDERSEN: We do not have premium tax in Denmark so it is easy for domestic programmes, but for programmes outside Denmark it is quite a problem. Once companies weren't too worried but they are now because of the size of the tax. There is a lot of confusion about who is responsible for dealing with this issue, is it the insurance company, the broker or the clients themselves?

JEFF MOGHRABI: A related issue is inter-company cost distribution. Are you trying to evade taxation? It is not just an insurance issue.

THIERRY VAN SANTEN: With regard to cross-border transactions, are big companies still working with individual policies for each country?

GEOFF LINGHAM: In my organisation, we tend to have global policies but we have exactly the same issue as Lars. In Sweden, there is no premium tax but it is an issue. How do you allocate premiums; on what basis? How do you justify that? Do you have to justify it to each of the various tax authorities? It is one of the biggest problems.

LARS ANDERSEN: We also have cultural issues. It would be quite easy to issue a pan-European policy, but we would rather have policies in local languages in each country, just to solve the cultural problem for local operations. It costs a little more but we can live with that.

EBERHARD KNEBEL: What about the free market? All of these insurance taxes are an obstacle to the free market. They are against the Treaty of Rome.

THIERRY VAN SANTEN: In relation to tax harmonisation, there are problems with local regimes. Personally, I do not have too many problems with tax regimes.

JOSe MANUEL DIAS DA FONSECA: If you have an international approach, with global fees and perhaps 10 or 15 insurers across the world, you must be able to pay taxes in each country and have a policy in the local language, which can be quite complicated. On one hand, you are global, but on the other you are very domestic. The differences in tax regimes can be considerable and there are significant administrative costs.

I also think insurance companies take a domestic approach. A company may be part of the same group and have the same name in the different European countries, but if I talk to them in Portugal they tell me they have no capacity for something. If I say: "You do not have the capacity, but you are global! You are in France, England and Spain,' they say: "You must talk to them". But if I talk to a global bank in Portugal, it thinks globally to serve me in different countries. Insurance companies just do not think like that, they do not think globally.

JEFF MOGHRABI: I agree with Lars' earlier point. Many companies will just take a 5% or so share because they want to have the wellknown client name, rather than having the courage to say, "This is our business model, this is what we want to do and this is what we do not want to do". The approach we have taken is that we have one strategy and one legal entity across Europe, including the UK. It does not resolve all of the problems, but it is the first step: to have one strategy, one legal entity, and to consolidate your business in one place.

THIERRY VAN SANTEN: Finally, can we consider whether the market is shrinking or not? Are you optimistic and what do you see going forward?

JOSe MANUEL DIAS DA FONSECA: In Portugal and Brazil, insurers are running away from big risks. We also have a problem of concentration in Portugal.

Following some mergers, one company has 40% of the non-life market and the lion's share of the big risks.

GEOFF LINGHAM: There has been consolidation in the marketplace but there is still competition. For very large corporate buyers, there is a fairly limited number of choices. Like Lars, I have the difficult problem of explaining to the CFO why I want to transfer risk from our balance sheet to a weaker one. Financial stability is a concern - particularly relating to long-tail business. We hope that the insurers will keep their promise in the future, but it would be nice to have some confidence that they might actually be there to fulfil their part of the contract.

There is some innovation in the market but like Jose we have found some inconsistencies. We can operate effectively in 14 or 15 countries of Europe with the same company and a uniform service, and then we find one country where the local manager says, "I am not doing this," and the head office of this global company is unable to exercise any control over this local operation. It is not true of all large insurers, but there are some that are struggling with this problem.

EBERHARD KNEBEL: The German antitrust authority has fined 10 insurers so far EUR230m, mainly for making 9/11 the mother of all excuses to increase premiums in an anti-competitive way. DVS, the German association, was founded in 1904 to defend the industry against the first cartel of that time. And you see it happen again!

I consider that insurers are backward. If you look at the way industry has progressed from James Watt's steam engine of the 1760s to Bill Gates' IT products today, insurers have not kept pace. They are basically insuring the traditional industries, rather than the new industries, and they need to learn from others. In every other industry, companies want customers to be involved in the product design process. It is common practice to sit down with customers to develop products.

ANDREW KENDRICK: I accept your point; we have not treated our capital and our shareholders well. In 30 years, the insurance industry as a whole has only covered its cost of capital twice. We do not always take on profitable products and I agree that we are not as innovative as we ought to be.

However, we have a client advisory board at ACE and talk about what they want to transfer and where we can assist them. Sometimes we can develop products out of that. But an important part of the issue is that if we take on too much of your risk, in our view you would probably not want to pay the price. And then we become a co-venturer.

OLIVIER SORBA: In France, we have historical French players and others.

Some of my colleagues are worried about the shrinking perimeter of markets interested in industrial risk, but it is more about fear than about fact.

We monitor this closely because of the eternal debate on rationalising the insurance sector.

THIERRY VAN SANTEN: Giving some brief conclusions, one is that the insurance market is shrinking, not in terms of capacity but in terms of people who can manage international programmes and issue policies in a number of different countries. But we are seeing two new medium sized brokers emerging which is a good sign.

When you go through ERM and make an assessment of all of your risk, it is clear that the role of insurance is becoming less important. When you have good visibility of your risks, insurance is a limited solution. We may need to rethink the business model.

OLIVIER SORBA: I think insurance has tremendous value as an internal tool, shuffling risk internally. It does nothing for the shareholders but it helps people within the company.

THIERRY VAN SAN TEN: That's why we keep it!