For European risk managers, the first decade of the third millennium began with the event that didn’t happen, the year 2000 or Y2K bug. As the decade continued, it brought fresh challenges to European risk managers, writes Lee Coppack
The new decade started with a hype that became a whimper. Ralf Oelssner, former vice-president of the Federation of European Risk Management Associations (FERMA), says, “Looking back to the last 10 years, we can say that the decade started with a big hype for not too much – the Y2K issue – which was not really an issue of honour for risk managers and risk management.”
He continues: “Less than two years later there was 9/11, a scenario which nobody had anticipated and which not only placed the terror risk in the middle of our societies, but changed the attitude towards risk on the whole.”
While risk managers like Oelssner grappled with the reaction of the insurance market to 9/11 , regulators were busy at work on a different aspect of risk. The dot.com bubble had burst and energy trader Enron went spectacularly bankrupt. In 2002, the telecoms giant WorldCom blew up. Before the year was out, companies found themselves facing a big compliance challenge, the US Sarbanes-Oxley Act 2002, or SOX for short.
Although it was US legislation, SOX had an important influence on the work of risk managers in Europe, in part because many European companies were obliged or felt they ought to comply with SOX. In Europe, corporate governance measures like the UK’s Combined Code and Germany’s KonTrag also focused the minds of directors on their responsibility to reduce uncertainty in their results.
In 2004 COSO, an organisation of US accountants, auditors and financial associations - whose full name is so cumbersome that almost no one uses it - published guidance on enterprise risk management (ERM). This turning of regulatory and public eyes on risk as a board responsibility gave risk management a higher profile; it also made the territory more desirable to other functions, such as internal audit.
Pressure developed for a senior risk professional or even a chief risk officer (CRO) to sit on the board or at least to report directly to it. The first adopters were sectors whose business is actually risk: financial institutions, investment houses and insurers, For them, the role of the CRO is effectively an operational one, as it is in data heavy industries, such as energy companies and utilities. Largely, there it has remained. Few traditional risk managers have moved into general management.
Neither the growth of CRO positions in banks, nor SOX, nor the other corporate governance regimes prevented the even worse financial crisis of 2008. Nevertheless, between 2007 and 2009, legal and regulatory requirements and the need for compliance became more significant features in the European risk management landscape, according to the 2009 biennial FERMA benchmarking survey of its membership.
If anything, the need for compliance with a growing edifice of regulation may have hampered true risk management. Steve Fowler, CEO of the Institute of Risk Management (IRM) describes it as “governance-smothernance,” in which committee has followed committee and regulation after regulation, mostly of an 'after the horse has bolted' nature.
David Gamble, a businessman who served as chief executive of the UK association AIRMIC, says that continued emphasis by top management, investors and advisors on short term gains compromised the organisation with regard to its management of long term risks. “Short term incentives for management distort risk management thinking and put the risk manager on a collision course with the finance director or CEO. This was super emphasised in the banking crisis and the dot.com crash.”
Despite the deep shock of 9/11 and outrage at the excess of Enron and its like, markets rebounded and stock markets continued toward their inflated heights. Globalisation and cost cutting through outsourcing created additional work for risk managers as they looked to ensure the resilience of ever longer supply chains and the consequences for company reputation.
Marie-Gemma Dequae is a former president of FERMA and risk manager for the multinational materials and manufacturing group Bakaert. She explains that between 2000 and 2010, the company changed its management, strategy and organisation with much shorter reporting lines and a matrix communication structure. “This was an ideal environment to grow in risk management.”
The strategy focused more on core business activities but growth in production activities all over the world continued. This globalisation introduced new and more complicated supply chains and complex risks involved with them. “The important law of minimising costs introduced outsourcing in different steps of the processes, which demanded extensions of our internal risk management system to these outsourced companies. This was needed to manage risks in all steps of the processes,” says Dequae.
According to Gamble, “The relentless drive to cut costs continues to provide epic examples of how excess can destroy success, as we’ve seen most recently with Toyota. Joined up thinking is necessary to protect the reputation of the company.”
He believes that only the advent of the corporate social responsibility (CSR) movement with its wider stakeholder pressure brought some longer term thinking into the investment community “which was otherwise far more interested in churning than earning”.
Although most European risk managers are typically not involved in company strategy at this level, the financial market’s collapse had repercussions that they had to manage. As Dequae explains “The financial collapse of 2008 had a devastating effect on one major risk, namely the credit risk. This risk was not only at the clients’ side but also at the suppliers’ side. Due to the fact that we had a broadly outsourced financial analysis of our clients’ credit risk and insurance, we had to completely adapt our way of managing credit risk.”
Following the aircraft attacks on the World Trade Center, Oelssner was in the front line as then risk manager for the airline Lufthansa. He says the insurance market’s reaction to “nine eleven became ‘the mother of all excuses’ for premium rises, reduction of cover, exclusions, etc.”
Risk managers with responsibility for insurance buying were active in the encouragement of public facilities to cover terrorism risks. Capacity did return to the market and with a few exceptions, such as catastrophe lines after the most severe US hurricane seasons, commercial insurance has been comparatively stable since.
Although insurers' asset values suffered in the market collapse of 2008, with one exception, major insurers have come through the crisis and have rebuilt their balance sheets. There has been no wholesale hardening of insurance prices, so risk and insurance managers have not been in the unenviable position of announcing much higher insurance premiums in a recession.
This doesn't mean risk managers aren't under pressure. Fowler says spending on risk related functions has become a senior management issue in the recession. “Several firms have outsourced their insurance buying function already. Clients are putting consultants under pressure to lower their 5 - 10% spending on governance, risk and compliance,” he says.
The unexpected fragility of AIG, now re-named Chartis, also poses a continuing issue for risk managers, as Oelssner explains. “One of the results of the last crisis was that ratings as a mechanism of evaluating the financial security of business partners (the so-called counter-party risk) have proven unreliable and that as yet there is no real solution to this question. There is no effective control of rating agencies and no comparable alternative source of information on which companies could rely. It is an ongoing issue, and we don’t really know where it will end.”
Ostensibly, the attack in 2004 by then New York state attorney general Eliot Spitzer on broker remuneration was a gain for risk managers not just in the US but in Europe. Brokers became obliged by client pressure, if not law, to renounce contingent commissions and be open about how they were rewarded.
An unintended consequence of the chain of events unleashed by Spitzer’s attack, however, is less helpful, argues Franck Baron, a former FERMA vice-president now working in the insurance industry. “Over the last 10 years, there has been a dramatic drop in the expertise in insurance companies and broking houses. It became more and more difficult for them to sustain the head count. For brokers, it was mainly because they were struggling to recover the loss of their business model post-Spitzer.”
Baron says that at the start of the decade many European companies had risk management departments with significant numbers of staff to deal with loss prevention and insurance. Then they changed their business model to outsourcing and reducing staff numbers, but their professional partners no longer had the same skilled resources available.
The late noughties financial crisis did intensify directors' awareness of their own exposure and highlight the importance of directors’ and officers’ insurance as never before, even though in Europe successful, large claims are few. In Germany, says Oelssner, D&O insurance had not previously played a significant part in board members’ thinking; it does now.
“We began the decade with most white middle class business men (and they were mostly men) treating the environment as the province of tree-hugging nutters,” comments Fowler. “Ten years on, the talk is now of adaptation, with only the most rabid neo-cons denying the fact that real change is happening and at a pace most could but didn't want to foresee,”
Dequae says that Bakaert was exposed to flood, hurricane and earthquake risks during the 1980s and 1990s. “But from end of the ‘90s on I could convince management that the decision of a location for a new plant had to be screened on all potential natural risks, in addition to all other aspects: strategic, regulatory, and so on. In this risk assessment, it was very important, not only to take into account the actual situation of these risks, but certainly also to consider the evolution due to climate change.”
FERMA directed its efforts on behalf of a growing number of European countries during the decade on the activities of the European Commission. In the insurance area, there was the reinsurance directive, mediation directive, competition inquiry in the business insurance sector, patent litigation insurance and the continuing evolution of Solvency II. The impact of the Environmental Liability Directive is still unknown and there have been measures on employer’s and product liability and safety, on climate change, plus corporate governance and the responsibilities of audit committees, Dequae points out.
The background of risk is continually changing, but as Gamble would argue, the importance of short term results can make businesses myopic. They may not perceive how material certain risks are becoming. For example, Fowler asks whether most have yet woken up to digital risks. And whether their underwriters know, either. Ageing populations in most European countries and the mobility created by the open frontiers of the European Union also create many uncertainties, he says.
Baron also draws attention to the importance of heightening visibility of long term risks to strengthen the ability of organisations to manage them and of insurers to find risk transfer solutions.
Yet, as there have been challenges over the last decade, there have been risk management achievements, is the reminder from Gamble. The money spent on preparing for Y2K created resilience that stood the world in good stead when 9/11 happened. Likewise the preparation for influenza pandemics in part reduced the cost and added to the international cooperation which will be needed when a really nasty virus strikes. Steve Fowler says that Y2K was actually a great risk management success story and should be celebrated as such. Business continuity is now standard practice.
Against the background of the noughties, Gamble says the challenge is to get good risk management championed by the board throughout the organisation and for the company to have a “walk away” policy in place to allow it to avoid excessive risks, act according to ethical principles and discipline those who get too close to making disastrous decisions, including the CEO.
Lee Coppack is a writer on risk management and insurance