Regulators are running risk managers ragged as they struggle to meet ever-more complex general requirements as well as the needs of their business. We check out the obstacles in their path

As more and more acronyms descend on them, corporate risk managers must feel as though they are under siege. Each new set of letters from Brussels, London or further afield represents another law, regulation or directive, and more obligations to manage on behalf of their companies.

The noose is tightening across all sectors. “The burden of regulatory risk is much greater than it’s ever been, even more than it was five years ago,” says Airmic chief executive John Hurrell. The danger, he adds, is of companies focusing on compliance rather than on the specific risks associated with their business. Most companies face a set of general regulations – including rules covering bribery, health and safety, and corporate governance – besides sector-specific regulations such as those for food hygiene, energy, solvency and insurance.

Until the past few years UK policy has been relatively light- touch, being based on comply or explain and/or an industry code of conduct. But that’s changing across the board as compliance becomes more specific and regulators more aggressive.


America is where most new regulations start. The USA’s Foreign Corrupt Practices Act has been ensnaring miscreant companies far beyond American shores for years. No international trading operation is immune from the law’s main agent, the Securities and Exchange Commission (SEC), which is now much more powerful and better-funded than it was before the Madoff scandal of 2008 revealed its weaknesses. The SEC is also involving similar international authorities, such as the UK’s Financial Services Authority, in its pursuit of offenders much more than it has done previously, as Italy’s energy giant ENI and Germany’s Daimler discovered.

ENI and its former Dutch subsidiary Snamprogetti were fined $365m (€258m) last year for violations of the act after bribing Nigerian officials. “This elaborate bribery scheme featured sham intermediaries, Swiss bank accounts, and carloads of cash as everyone involved made a concerted effort to cover their tracks,” according to Robert Khuzami, director of the SEC’s Division of Enforcement. “But the billion-plus dollars in sanctions paid by these companies show that ultimately there is no hiding or profiting from bribery.” (The unseemly scramble for Nigeria’s oil and other assets has netted the SEC no less than $1.28bn in sanctions.)

ENI, which used a UK solicitor among other go-betweens to pay Nigerian officials through secret bank accounts, did not respond to StrategicRISK’s request to explain how it had reformed its governance procedures in light of the fines. As for Daimler, its $91.4m disgorgement penalty, not counting $93.6m in fines on related charges, was for “a repeated and systematic practice” of bribing government officials across half the world.

Trading of derivatives

Similarly, much of the new wave of financial-sector regulation originated in the USA, for instance regulation covering the trading of derivatives. Unfortunately, some of this has rebounded on corporates. In the aftermath of the financial crisis, the European Commission followed the American lead and started work on a policy for pushing trades through clearing houses with more transparent pricing and collateral requirements, instead of individually over the counter between firms.

Generally, this is seen as a good thing, except for all those many non-financial companies whose treasurers employ derivatives not for speculative purposes but to hedge risk in physical transactions with counterparties (such as to cover the period between the manufacturing and delivery of products).

America is moving towards a dispensation (a ‘carve-out’) for non-financial companies, but it soon became clear to the European Association of Corporate Treasurers (EACT) that Europe is not. The policy was taking shape in a way that would threaten a long-established commercial tool that posed no risk to financial stability. Indeed, without this tool the reverse would be true, as large amounts of cash would be tied up as collateral in a central clearing system.

EACT members went to Brussels to lobby regulators to soften the rules and permit the trading of such derivatives outside clearing houses. The draft legislative package is now working its way through Brussels with wording altered accordingly. “If it had gone through unmodified, it would have had an impact on corporate derivatives,” explains EACT president Richard Raeburn. He’s keeping his fingers crossed that the package survives intact.

Health and safety

The Gulf of Mexico disaster, the largest peacetime oil spill in a century, has launched a new wave of risk-based regulation on the oil and gas industry, particularly in the USA where two detailed reports, including a president’s commission, found that the previous regulatory regime was unfit for purpose. It has been scrapped in its present form.

As Peter Voser, chief executive of Royal Dutch Shell, explained in February: “The reality is that the picture has changed for the deep water industry. There will be increased regulation, and more public scrutiny of safety. To put it simply, our industry needs to rebuild trust with the communities we work in.”

In Big Oil as in other industries, the management of reputational risk – or trust – should be paramount. “You can’t pick and choose what you want to comply with, but firms should put their best efforts into those compliance issues that bear on a company’s reputation whether its health and safety, product liability, the Bribery Act or anything else,” says Airmic’s Hurrell. “We urge companies to say ‘let’s put the reputation of this organisation at the heart of our risk map’.”

Solvency II

The most far-reaching regulation to hit the insurance industry in decades, the capital-boosting Solvency II directive, is rapidly approaching opening day on 31 December 2012. The results of the fifth quantitative impact study, QIS5 – basically a dummy run to assess the quality and financial integrity of firms – were released in mid-March. For consultants such as Deloitte, QIS5 presented “a host of real-life rather than merely theoretical opportunities to address Solvency II” before it comes into force. So what did the results tell us? Firms can do better, is the summarised assessment of Sean McGovern, general counsel of Lloyd’s. “QIS5 was a worthwhile exercise, but it is vital that appropriate lessons are now drawn from it and reflected in amendments to the Level 2 measures,” McGovern says.

“Further work needs to be done,” he adds. “While we remain supportive of the aims of Solvency II, the shortcomings identified in QIS5 – particularly around non-life catastrophe risk – need to be addressed.”

However, as the Institute of Risk Management’s head of thought leadership Carolyn Williams adds, there’s still room for manoeuvre in Solvency II. “The directive is not a code-of-conduct approach, but there’s leeway in the regulations for firms to develop their own risk models. It’s more a matter of satisfying the regulator that proper procedures are in place.”

Corporate governance

With corporate governance regulations tightening, most publicly listed companies are vulnerable to class actions under various sets of regulations and laws.

One such unsuspected Achilles heel may be shortcomings in insurance management. According to a two-year study, released in March, of some 600 UK companies by risk consultant Mactavish and PricewaterhouseCoopers, boardrooms could be exposing firms to “repudiation risk” – the rejection of a claim – because they failed to assess “the financial materiality of insurance to their business.”

The study revealed “serious deficiencies” in the insurance arrangements of many firms across most sectors. The result is that claims are increasingly being disputed in court, delaying payouts in some cases for so long that the company’s survival is threatened, particularly in an era of more highly leveraged balance sheets.

“The balance of risk is shifting to corporates rather than to insurers,” says Mactavish chief executive Bruce Hepburn. “If the insurer is unable or unwilling to pay a claim, pressures on business can become severe. We now have repudiation risk and it’s largely unrecognised.”

Environmental regulation

For firms most vulnerable to environmental regulation, risk management should be a key concern for the entire board including the non-executive directors, as BP has learned to its cost. In the wake of the Macondo catastrophe, chairman Carl-Henric Svanberg pushed BP’s directors out of the boardroom and into the executive suite so they can develop a better feel for the company than they can possibly glean from piles of documents at board meetings.

As it happens, this is what private equity directors routinely do. McKinsey’s global managing director Dominic Barton pointed out recently: “What’s especially needed [in publicly listed companies] is an increase in the informal time that board members spend with executives and shareholders.

“The non-executive board directors of companies owned by private equity firms spend 54 days a year, on average, attending to the company’s business, and 70% of that time consists of informal meetings and conversations.”

Airmic’s Hurrell agrees: “It makes very good sense for directors to know as much as possible about a company. They should not rely on the chain of command but should drop down through the layers to gather as much information as they can.”

Perhaps it’s a question of attitude. As the IRM’s Williams suggests: “What matters in the long run is that firms approach regulation as a business benefit and not because the regulations require it.” SR

Case study: Eurotunnel puts the fire out

Sometimes the best argument to use with regulators is superior knowledge, as Eurotunnel has learned in the wake of the shuttle train fire in 2008 that caused €290m damage. The bill was so high, the company believed, because the safety regulator, the Intergovernmental Commission, had insisted on rules that required trains to stop in the event of a fire rather than to clear the tunnel first, as has long been established practice on railways. Thus firefighters had to travel 25km from the surface, by which time the fire had taken hold.

In the subsequent investigation, the company proposed an alternative procedure based on four “safe stations” spread out along the route with permanently installed firefighting facilities. “Eurotunnel had no say in regulation, but it believed it had built up enough experience after 17 years of operation to propose its own solutions,” said a spokesman. “We were in a much better position to discuss safety with the commission.”

A demonstration was conducted in Spain and a prototype tested in the tunnel before observers from the commission and insurers. Impressed, they signed off the safe-station concept.

The net benefit is a €21m reduction in the insurance premium – “Eurotunnel will recoup the investment in the first two years” – and a victory for experience.