Three leading brokers look at some of today's important issues

Bruce Carnegie-Brown, UK CEO of Marsh

FROM CORPORATE GOVERNANCE TO STRATEGIC ADVANTAGE - BUILDING A FOUNDATION FOR SUCCESSFUL RISK MANAGEMENT

It is almost five years since Nigel Turnbull issued his guidance on implementing the Combined Code. Since then, UK companies have had to digest a smorgasbord of corporate governance directives and legislation, some of which have emerged in response to well-documented corporate scandals in the US and Europe. What should risk managers make now of the corporate governance landscape in the UK, and how can they deliver a return on the time and money that they have had to invest to keep pace with the ever-increasing demands of government and regulators?

Since the publication of the Turnbull report, UK plcs have sought to develop 'a sound system of internal control and risk management' in respect of their significant risks. The major investment in this respect has been concentrated in the UK's largest plcs, although in some cases this has resulted in knock-on investment from mid-cap firms who have felt obliged to manage risk more efficiently through their position as a subsidiary of, or supplier to, a major plc. Others have recognised for themselves the value of accountability and the danger of lack of foresight in addressing critical risk issues.

These efforts across UK business have improved considerably the country's position with regard to transparency, corporate governance and risk management, to the extent that the Financial Times recently reported that "the UK leads the world in standards of corporate governance." The preamble to this encouraging assessment bears repeating, though: "Whisper it quietly and avoid any hint of complacency or triumphalism".

Meanwhile, the march of regulation continues, with the publication in May of government proposals for an 'Operating Financial Review' (OFR) within the forthcoming Company Law Review. The OFR will require around 1,300 UK listed companies to set out the social and environmental factors affecting them, and is designed to enable stakeholders to assess directors' approach to "managing all those factors - environmental performance, employee issues, relations with suppliers, customers and local communities - which are crucial to the company's future success and reputation".

Marsh welcomes these proposals, particularly as they stress that "the objective is quality, not quantity of content." We have long argued that risk management is not just about compliance, but about developing a comprehensive understanding of all the exposures facing organisations, and then taking the appropriate decisions on how to prioritise and deal with those risks - whether that be through mitigation, retention or transfer.

Turnbull should therefore be regarded as the foundation upon which to build a risk management strategy. The incentives driving many organisations to meet the initial recommendations were pressure to comply and an ultimate fear of failure at the hands of the auditors. Those companies that can now apply the techniques they have developed to the understanding and managing of risk in everyday business decisions are those that stand to benefit most from the implementation of a risk management strategy.

The strategic upside of risk management remains under-recognised. Yet simple comparisons between risk and business management reveal that the two operate on very similar principles and are often rightfully integrated.

Successful organisations are, by design, successful risk takers. Business planning, decision-making, investment, and change management all carry with them varying degrees of risk. The greater the understanding and subsequent control of that risk by the organisation, the more improved the integrity of the decision and the chances of success.

Against this backdrop, the role of risk managers is changing. They are increasingly required to help take risk management out of their division and raise awareness throughout the organisation. Sometimes they face the altogether harder task of instigating a wholesale change in mindset.

Historically, risk management has fallen into two distinct areas. The insurance manager dealt with traditional, insurable risks and pure risks, and the internal audit function focused on financial risk and controls.

If risk management is to develop so that it becomes a valuable management skill then there will need to be a third, much broader remit. Risk assessment must become an intuitive part of every important business decision, embedded into the culture of an organisation as naturally as every other cost-benefit consideration.

John Percy-Davis, chairman, EOS RISQ

NEW BORDERS, NEW MARKETS, NEW RISKS - WHO'S READY?

When EOS RISQ was born five years ago, there was a vision built around an expectation of a new and enlarged Europe which would mean business opportunities for our clients and therefore a need to work with our clients in new territories. The Europe we see today has not only new borders but also a host of issues which today's risk manager is expected to manage.

Take the new International Accounting Standards (IAS), AMF in France, rapidly moving market cycles post 9/11, insurer and broker consolidation and the impact of the decline of the equity market on insurance security, to name but a few. The risk manager's role has taken on a new perspective just in these last few years.

The accession of 10 new member states to the European Union has added 75 million people to the EU population. This creates an enormous new market and provides an opportunity for the Northern European economies to relocate manufacturing to areas of not only lower costs but also lower per capita incomes and faster growing economies. We can expect to see relocation gathering momentum and eventually a levelling up of the economies. Britain may have been slower than others in perceiving opportunities but the success of Poland, Hungary and Slovakia demonstrates the contributions we can expect these economies to make.

For the risk manager, this will mean learning to deal with the commercial and financial infrastructures of the new countries and also coping with perhaps under-developed legal systems and insurance regimes which lack the mature jurisprudence of Northern Europe. You can add to that the whole issue of working with a new local insurance market which has a past based in socialist or communist economies.

The hard market that was already developing before 9/11 and hardened sharply post WTC is now turning downwards in some classes, particularly for short-tail risks. Once again the quality of security and insurer services will be high on the risk manager's agenda. Lord Levene, chairman of Lloyd's, has openly criticised the market's ability to issue documents in a timely manner and considerable investment and resource is being applied with consequent improvements beginning to emerge. Claims following WTC have starkly demonstrated the importance of this issue for our industry.

As Sarbanes-Oxley, AMF and the like take hold, demand for D&O insurance has grown. However, capacity has diminished following the large losses of recent years leading to a mismatch between demand and supply for risk managers. On the general liability front, the disease exclusion trend is only going to gather further momentum and the new asbestos regulations in the UK are typical of the demands that will be made on companies and therefore their increase in exposures. New risk issues will grow in the e-risk environment and we have probably only seen the beginning of the potential for fraud through the use of mobile communications technology.

The risk manager will need a patient employer to help him sort through these coverage problems.

On the financial and corporate governance front, we can expect to see more development in corporate governance and those countries that have been slow to embrace this issue will soon be swept up in the increasing need to understand risk and exposure. Companies moving into Eastern Europe face a significant challenge as the old business cultures may find it difficult to adapt to these new demands. International Accounting Standards will affect the risk manager and IAS 37 and 19 are already causing risk managers to think about the effect that these new standards will have on the balance sheet and profit and loss account of their parent company.

Nothing is more certain than the uncertainty of the future. The risk management industry will need to understand the dynamics of that change and be able to respond quickly to future needs of our companies.

Mike Hammond, member of the JLT group executive committee

RETAINING RISK

Over the last three years of the insurance cycle, self-insurance has inevitably become more prominent in the minds of those responsible for risk management. However, the debate has tended to concentrate on the trade-offs between the relatively high price of risk transfer charged by insurers (and reinsurers) and the ability of risk managers to select risks effectively, so that they can be absorbed within the corporation's own resources. In most cases, it is still concerned with the relatively predictable levels of potential loss. But this type of decision has merely increased the volatility to insurers who, as a result, increase the price over the long-term for providing cover for the more volatile exposures, creating a vicious circle.

The one-dimensional analysis that has historically dominated decisions on self-insurance is not valid in today's unpredictable economic, political and social climate. Focus has shifted (and must continue to shift) from the lower layers of risk retention, to look at the full spectrum of risks that a firm is absorbing.

Why is this shift occurring? The severe reduction in the limits of insurance available (in some areas that were traditionally insurable), coupled with the narrowing of coverage in a world where risks are more complex, has meant that most businesses today are self-insured in some form without any planning or choice. In such an environment, using the firm's capital to increase a deductible from £100,000 to £1m because the premium has doubled might not be the most effective use of limited resources.

How should we lead the debate within our firms to allow more informed decision-making? First we must consider the environment in which we are trading. For instance:

- Most firms in the life sciences and medical product industries cannot buy adequate product liability or clinical trials insurance

- Many UK businesses cannot buy sufficient 'contingent business interruption' insurance. Some sectors such as telecoms, technology and electronics cannot find business interruption cover that addresses the real risks facing their business

- Protection for professional advice, financial loss and other non-damage triggers falls short of the exposures carried by firms with these risks

- Firms with high concentrations of employees in a single location find themselves inadequately covered for the aggregate risk protection previously promised under their personal accident and death in service benefits

- Product recall for most firms that consider it a prime risk is now all but uninsured except at relatively low levels of cover.

In such an environment, where should you focus resources for self-insurance?

It starts with an analysis of what risks are currently insured, consciously self-insured and unwittingly uninsured. The distinction between these three terms is critical to the end decisions that we make for greater self-insurance.

Historically, we as an industry have a poor track-record in adequately testing how and whether the programmes and products we create respond to the variety of risk scenarios. How, for example, will the individual programmes interface with each other? If 9/11 taught us one lesson, it was that risk exposures (and the resulting losses) do not respect the boundaries that we have imposed in mono-line insurance and self-insurance programmes. Very few losses are covered in full by insurance - this is not a new phenomenon.

The difference is that today the size, scope and depth of potential losses resulting from the risks we either accept, or in some instances create, need to be tested and modelled before deciding the most appropriate mix of self-insurance and risk transfer. We also need to create better bench-marking assessments of how our businesses are faring in comparison to our competitors. If the cost of insurance has risen, how are we doing in that changed environment against a 'basket' of other similar buyers?

If we are still getting a better deal than the average for our peers, self-insuring a greater portion of an adequately insured risk rather than diverting resources to risks that are uninsured may not be the best use of capital.

The 'cost of risk' has in most cases increased and is unlikely to reduce.

Seeking to limit it by self-insuring a risk that is currently insurable is missing the point. Better to buy good quality insurance that is available and shift our focus on self-insurance to those areas of exposure that are not readily manageable or capable of being transferred. That is surely what shareholders expect. In the longer term, the result might be a 'better' risk management programme for all who have a stake in the long-term health of our respective businesses.
