While businesses may greet EU proposals for new regulation with a universal groan, Andrew Williams asks – is the need for compliance actually an aid for risk managers in establishing better systems and practices?

Since its inception, the European Union (EU) has created a raft of regulations and directives to address health, environmental, financial and other risks. There are indications that some risk managers welcome the holistic approach of many directives, since they provide a coherent framework around which better systems can be based.

Gary Marshall, group risk manager at printing company Polestar, says, ‘However sophisticated a business is, it also requires additional drivers.’ He highlights IPPC and REACH as particularly helpful in this respect, since they ‘consolidated and brought together issues previously in their own silo.’ However, he added that financial regulations often ‘miss the point completely ... and don’t impact far enough into the risk profile.’

EU regulations are also broadly welcomed by Peter den Dekker, corporate insurance risk manager at Stork BV, who explains, ‘It depends on what type, but in general regulations are more of an aid, since they demand a higher attention level than you have from an internal risk management perspective.’

This praise is echoed by Pierre Sonigo, general secretary of the Federation of European Risk Management Associations (FERMA), who thinks that regulations can help risk managers by making some of their recommendations mandatory, making it easier to implement good practices in the face of inertia from reluctant boards. However, he criticises some of the practical aspects of implementation.

‘The problem is the piling up of different regulations, which sometimes contradict themselves, refer to different directives and are quite difficult to implement. Compliance can also be expensive and the cost/benefit analysis can be disappointing,’ he says.

The process of transposition into domestic law is also criticised. According to den Dekker, ‘We’re not always sure what approach domestic governments will take. Every country will implement in a different way and at a different tempo; they could even go beyond requirements. If you are based in only one country it’s not a problem, but if you’re based in lots of different countries it’s not easy.’

There is also a sense that manufacturing companies in particular, face onerous demands, not only from statutory regulators, but also from an increasingly fragmented auditing, standardisation and certification sector. According to Marshall, ‘We seem to be driven further and further into the hands of people who are paid to audit.’

“Every country will implement in a different way and at a different tempo.

Peter den Dekker

Another concern is the effect that compliance can have on a company’s economic and risk management activities worldwide. According to Adrian Clements, asset risk manager at steel giant ArcelorMittal, global companies often face competitive disadvantages when required to meet regulations at non-European as well as European sites. He stresses that islands of strong regulation are all very well, but when issues are viewed globally, companies have only limited resources to deal with them.

‘Say a company has 20 sites in the EU and 20 outside, and maybe CO2 emissions in those companies based outside are ten times higher. If the company has a million dollars and wants to reduce CO2, it will seek to divert funds to sites with the highest emissions. But, because the EU’s CO2 standards are so high, the company must spend money on plants in the EU and not on those outside.’

Within the EU, companies in some of the newer member-states must comply with sophisticated regulations, whereas companies in the older member-states have been able to adapt over a much longer period of time. ‘Companies in newer member-states will comply, but don’t necessarily understand why they’re doing it,’ says Clements.

He thinks that EU legislators sometimes have outdated views of the increasingly sophisticated role of risk managers. ‘The concept of a risk manager is quite new. As the profession gets better you’ll find it will be able to mitigate risk more effectively. It may be that the EU doesn’t yet feel that industry is mature enough to make changes themselves.’

He adds, ‘I like the idea of legislation as a framework, setting goals and visions that you can use to inform internal systems. As governments become more trustful of risk managers they will realise that they should allow them more flexibility.’

In terms of the overarching approach to regulations, Sonigo suggests that ‘life cycle approaches are difficult to implement because of the difficulty of agreeing on a well accepted calculation methodology particularly in health risk assessment. Voluntary and market based instruments are more likely to produce satisfactory results, since the economic impact of the regulation can be managed over time.’

He adds that, ‘When dealing with risk issues it is important that EU policy-makers use a common vocabulary. They should also refer to well-accepted processes as outlined in widely used standards and guides to good practice. FERMA has a project to work with CEN to develop guidelines to be used in future EU regulations on risks and risk management.”