Ferma European Risk Management Benchmarking Survey 2010

FERMA European Risk Management
Benchmarking Survey 2010

Keys to understand the diversity of Risk management pratices in Europe
- 5th Edition
In collaboration with and E

Q
Presentation of the survey
Fifth biennial benchmarking survey conducted by the Federation of European

Risk Management Associations (FERMA) in collaboration with AXA Corporate Solutions
and Ernst & Young
The survey (45 questions) received 782 respondents

Section 0 10 introduction questions and 782 respondents
Section 1 13 questions on risk governance and 379 respondents
Section 2 10 questions on risk management practices and 433 respondents
Section 3 12 questions on insurance management and 451 respondents
Objectives:
Analyze risk management environment evolution since 2008
Determine the level of maturity of risk management practices through the European companies
Illustrate the link between companies complexity & risk management maturity level
Understand the future of risk management and focus on risk appetite triggers
Highlight current insurance issues and expectations
1 September 2010
In collaboration with E
Q
Content 1. Risk management environment:
where do we stand and whats new ?
2. Maturity of risk management

practices at a glance
3. Impact of company complexity

on risk management practices
maturity level
4. The future of risk management:

focus on risk appetite triggers
Introduction
key features: sample composition and
respondent profile
5. Insurance market:
developing expectations
key observations: how to read 2010 results
6. Conclusions
Introduction
Key features: sample composition and respondents profile
Key observations: how to read the 2010 results
An increasing number of respondents
800 782
700
600 Key facts

555
500
460 45 questions
400
February to June 2010
300 16 national risk
269 management associations
200 involved
100 Based on FERMA standard
49
0
2002 2004 2006 2008 2010
4 September 2010
Q
A representative sample of European companies
Respondents from all industries Listed and non listed companies
Basis: N=782 Basis: N=782
Automotive - 3%
Financial services -
10%
Other - 23%
Consumer products - No
8% 48%
Yes
52%
Logistics - 6%
Energy / utilities -
13%
Tech/ Telecom - 7%
Euronext 52%
Services - 5%
Manufacturing -16%
US Market (s) 18%
Life sciences - 4%
Public Sector and
Other 45%
M&E - 2%
NGOs - 3%
5 September 2010
Q
A large array of companies:
67% of companies with a turnover and 63% have more than

above 1 billion 5,000 employees
50,000 and more employees 19%

More than 25 b 13%
From 25,000 to 49,999 employees 12%

Between 10 b and 25 b 12%
Between 1b and 10 b 42%
Between 500 m and 999 m 10%
Between 100 m and 499 m 11%
From 500 to 999 employees 5%
Less than 99 m 5%
Less than 499 employees 8%
No opinion / Don't know 5%

0% 20% 40% 60%
0% 20% 40% 60%
6 September 2010
Q
Companies with head offices located operating at international level

in different European countries.
France 18% Over 151 countries 4%

UK 15%
Germany 11% 101 to 150 countries 7%
Netherlands 8%
51 to 100 countries 13%
Switzerland 7%
Italy 5% 16 to 50 countries 29%
Sweden 5%
11 to 15 countries 7%
Other 5%
Belgium 4% 6 to 10 countries 10%
Denmark 4%
Spain 4% 1 to 5 countries 27%
Finland 2%
Norway 2%
Poland 2% 0% 10% 20% 30%
Turkey 2%
USA 2%
Czech Republic 1%
Portugal 1%
Russia 1%
Bulgaria 0%
0% 5% 10% 15% 20%
7 September 2010
Q
70% of the respondents are in charge of Risk
Management and/or Insurance
Basis: N=782
Risk Manager 32%
Insurance Manager 31%
Other 18%
Chief Risk Officer 7%
Head of Internal Audit 5%
Chief Executive Officer / Managing Director 2%
Legal Counsel / Head of Legal Department 2%
Head of Treasury 1%
General / Company Secretary 1%
Chief Financial Officer 1%
President, Chairman 1%
0% 10% 20% 30% 40%
8 September 2010
Q
1.
Risk management environment:
where do we stand and whats new ?
Introduction
Objectives
Focus on new regulations and standards since 2008
8th EU directive
ISO 31 000
Understand current risk management objectives and triggers
Change in shareholders risk management objectives since 2008
Risk management triggers at top management level
Methodology
Selection and in depth analysis of a sample of four relevant questions
extracted from the 2010 survey and comparison with 2008 results
(if applicable)
10 September 2010
Q
Focus (1/5)
Impact of the EU 8th directive on companies' Risk Management policy:
a very heterogeneous level of awareness among listed companies
40%
18%
11% 12%
8%
5%
3% 3%
The impacts of the EU 8th directive are still poorly assessed and understood by a large number of risk and insurance managers
40% of the listed companies respondents have no opinion or no idea regarding the impact of the EU 8th directive
12% considered that it is not applicable to their organization
11 September 2010
Q
Focus (2/5)
Risk Management framework standards of reference:
a growing but still limited risk management standard of reference
Other 7%
ISO 31000 13%
FERMA / AIRMIC and National Risk Management

23%
Standards
COSO 2 30%
None 47%
There is no leading risk management framework standard of reference and many European companies still do not refer to any standard
Several risk management framework standards are in use such as COSO 2 (30%) or Ferma/Airmic and National Risk Management Standards (23%)
whereas the reference to the ISO 31 000 standard remains an emerging practice (13%)
* Multiple choice question
12 September 2010
Q
Focus (3/5)
Main external factors triggering Risk Management within your company:
legal, regulatory or compliance requirements considered as the main triggers (1/2)
70% Legal, regulatory or compliance requirements
45% Catastrophic event
39% Clear requirements from shareholders As in the 2008 study (see next page), compliance and legal
requirements remain the main external factors triggering
risk management within companies.
34% Corporate social responsibility
31% Pressure from the market
17% Analysts / rating agencies pressure
13% Major increases in insurance premiums

13 September 2010
Q
Focus (4/5)
but growing expectations from shareholders as compared to the 2008 study (2/2)
70%
Legal, regulatory or compliance requirements 71%
45%
Catastrophic event 63%
31%
Pressure from the market 31%
2010
39%
Clear requirements from shareholders 35%
2008
13%
Major increases in insurance premiums 26%
12%
Other 9%
0% 20% 40% 60% 80% 100%
Shareholders expectations clearly emerge as a major external factor triggering risk management compared
to the 2008 study
If compliance and legal requirements remain a major factor triggering risk management within companies (70%), risk management efficiency is more and more
becoming a clear expectation or concern for shareholders (from 35% to 39%) who want to ensure and improve the performance of their operations.
Similarly, catastrophic events (from 63% to 45%) and major increases in insurance premiums (from 26% to 13%) experience a significant decrease.
14 September 2010
Q
Focus (5/5)
Risk Management objectives for companies top management:
traditional expectations still on the top of the list but better link with strategic decisions
Align risk appetite and strategy: zoom per country

Countries
Minimize operational surprises and losses 70%
Identify and manage cross-enterprise risks 52% Netherlands 54%
Decrease the cost of risk 39% Belgium 53%
Provide integrated responses to multiple 37% UK 53%
Align risk appetite and strategy 37% Sweden 38%
Link growth, risk and return 36% France 33%
Improve predictability of delivering business 32% Spain 29%
Enhance external reputation with investors 31% Germany 27%
Rationalize capital and improve 29% Switzerland 25%
Seize opportunities 28% Italy 15%
0% 20% 40% 60% 80% 100%
Risk management objectives remain conservative and focus on traditional missions but a will to better link risk management
and strategic decisions is clearly emerging
Traditional objectives remain on the top of the list: minimize operational surprises and losses (70%) and identify and manage cross enterprise risks (52%).
However, the survey revealed a growing will to better link risk management and strategic decisions, especially in Northern countries:
- In the UK, Belgium and the Netherlands, better align risk appetite and strategy is now a major objective for the top management for more than 50% of the respondents
- Also, link growth, risk and return has become a major objective for 36% of the European companies
15 September 2010
Q
2.
Maturity of risk management
practices at a glance
Introduction (1/2)
Objectives
Assess maturity level of risk management practices within european companies
Illustrate maturity level of risk management practices regarding three main risk topics:
Risk governance
Risk practices & tools
Risk communication
Seize the diversity of risk management practices
Methodology
Selection of 13 questions (see next slide) from the survey
Breakdown of these questions by risk management category:
Risk Governance - 5 questions
Risk practices & tools - 5 questions
Risk Communication - 3 questions
Definition of four levels of risk management maturity per question

(see detailed graph captions):
Emerging: low or basic level of risk management maturity
Moderate: intermediate level of risk management maturity
Mature: good level of risk management maturity
Advanced: high level of risk management maturity
17 September 2010
Q
Introduction (2/2)
Risk Management maturity: 13 questions extracted from the survey

Risk governance
Q.1.3 : mandate of the board audit and/or risk committee
Q.1.2 : link between risk management and Board of Directors / Supervisory Board / Audit Committee
Q.1.1 : whom does risk management report and by whom is it sponsored ?
Q.1.12: are various risk functions coordinated ?
Q.1.13: is internal audit department providing independent assurance over overall risk management
system ?
Risk practices & tools

Q.2.5 : as part of your risk management activities, which of the following actions are already embedded
or planned ?
Q.2.6 : does your company map its risks ?
Q.2.7 : methodology used to measure / quantify your risks ?
Q.2.9 : is risk analysis formally and systematically linked to decision making ?
Q.2.2 : relationship between risk management and internal audit functions
Risk communication
Q.1.6 : definition or communication of a formal risk management policy or charter
Q.1.11 : how is risk information perceived by the Board ?
Q.1.9 : disclosure of risks in external reporting (annual report, reference documents, etc)
18 September 2010
Q
Risk governance (1/5)
Mandate of the Board Audit and/or Risk Committee:
a limited scope and a mandate to be clarified
GRAPH CAPTION
% of answers
60%
Mandate of the board audit and/or risk committee:
44%
1) Monitor and ensure the compliance of risk management framework
40% with respect to standards and norms
2) Challenge residual risk exposure and relevance of existing mitigation actions

22%
18% 3) Challenge Risk Management strategy
20% 16%
Emerging: no criteria included

Maturity
Moderate: one out of 3 criteria included
0% Mature: 2 out of 3 criteria included
Emerging Moderate Mature Advanced Advanced: all criteria included
The mandate assigned to the Board Audit and/or Risk Committee remains limited to specific areas (44%) or unclear (16%)
For 44% of the respondents, the mandate of the Board Audit and/or Risk Committee remains limited to only one of the three issues highlighted in the survey
(monitor and ensure compliance of risk management, challenge residual risk exposure and relevance of existing mitigations actions, or, challenge risk management
strategy).
Moreover, 16% of the respondents do not have a clear vision of the mandate assigned to the Board Audit and/or Risk Committee.
Conversely, the mandate of the Board Audit and/or Risk Committee appears appropriate (mandate extended to 2 or 3 of the topics highlighted by the survey)
for 40% of the respondents.
19 September 2010
Q
Risk Management interaction with the boards: a close and regular relationship
GRAPH CAPTION
% of answers
Emerging Moderate Mature Advanced
60%
No mechanism in Interaction with Topic of risk Risk management

46%
place to ensure risk these Committees management dealt completely
management on an as needed with at least on an embedded in
40% basis annual basis reporting to the
interaction with the
32% Boards
Board of
Directors/Superviso
ry board/Audit
20% 15% Committee
7%
0%
Emerging Moderate Mature Advanced Maturity
Risk Management activity is globally correctly embedded in reporting to the boards (78%) and risk management
topic is generally formally addressed by the board at least on an annual basis
Regarding this topic, the country of origin seems to keep a significant impact over the depth of the interaction between
risk management and the boards:
Countries with strong risk management legislation track record as the UK, France and Germany benefit from better interaction levels
(mature and advanced practices > 80%).
20 September 2010
Q
Risk management reporting: a reporting at top management level but still rooms for improvement
GRAPH CAPTION
% of answers
Emerging Moderate Mature / Advanced

60%
Report to other Report to CFO, Report to Audit risk committee, Board

45% function or department General councel/Head of directors/Supervisory board,
40% of Legal Department, CEO/Managing Director or General / Company
40% Head of Internal Audit secretary
20% 15%
0% Maturity
Emerging Moderate Mature/Advanced
Risk Management function globally reports at top management level (85%), but reporting at CFO level (35%),
still remains widespread among certain countries (Germany).
* Graphs exclude No opinion / Dont know figures
21 September 2010
Q
Coordination with other risk functions: basic coordination in place but still incomplete
GRAPH CAPTION
% of answers
61%
Emerging Moderate / Mature Advanced
60%
Risks functions Some coordination exists between the different Full risks functions
(risk management, risks functions coordination/
internal audit, (including
40% controlling, insurance) in place
environment,
quality, )
23% are working
independently
20% 16%
0%
Emerging Moderate/Mature Advanced Maturity
The different risk functions are no longer working in silos, however their level of coordination remains limited
A minimum set of coordination of the different risk functions is now largely widespread (61%). However, if the different risk functions do not work in silos any more
(only 14%), a full coordination of the different risk functions (including insurance) appears more as a best practice (23%) than a usual standard.
22 September 2010
Q
Risk management system independent assurance: a role of the Internal Audit still in debate
GRAPH CAPTION
% of answers
60% No independent Partially independent assurance provided Complete

assurance provided in collaboration with others parties independent
by the Internal Audit assurance provided
39% by Internal Audit
40% 36%
25%
20%
0%
Internal Audit is globally involved in the process of providing an independent assurance over the quality/efficiency of the risk
management system but its role regarding this topic still remains unclear
Internal audit is fully or partially involved in the risk management system assessment for 61% of the respondents.
But, for more than a third of the respondents (39%), the Internal Audit is still considered as not involved in this process (29%), or as dealing with an unclear role role
regarding this topic (10%).
23 September 2010
Q
Risk practices & tools (1/6)
Risk management scope of intervention:
a broader scope of intervention but still too limited in some major activities (1/2)
GRAPH CAPTION
% of answers
60%
The following actions are part of your risk management activities:
1) Enterprise Risk Management coordination
2) Risks and controls identification and quantification
40%
32% 3) Operational risk management practices continuous improvement drive
29%
25% 4) Risk financing solutions definition and implementation
5) Risk management policy and standards compliance audit
20%
14% 6) Risk reporting and information systems operations
0% Emerging: embedded for 0 to 1 criteria

Maturity
Emerging Moderate Mature Advanced Moderate: embedded for 2 to 3 criteria
Mature: embedded for 4 to 5 criteria
Advanced: embedded for the 6 criteria
A move towards maturity (43% of the companies) but still rooms for improvement (see next slide)
24 September 2010
Q
Risk management scope of intervention:
an increasing number of activities covered since 2008 (2/2)
100%
80% 72%
55% 57%
60% 51%
49% 49%
42% 43% 42%
38% 35%
40% 34%
20%
0%
Coordinated enterprise Identify and quantify risks Drive continuous Define and implement Audit compliance with Operate risk reporting
risk management and controls improvement of risk financing solutions risk management policy and information system
operational risk and standards
2008 2010 management practices
The number of activities covered by the risk management function are increasing but remain limited for some major topics
72% of the companies identify and quantify their risks and controls, however, only 43% of the companies deal with more than 4 of the above listed activities.
More specifically, two topics still remain poorly covered by the risk management function:
Define and implement risk financing solutions

Audit compliance with risk management policy and standards
25 September 2010
Q
Risk mapping exercise: a standard within European companies
GRAPH CAPTION
% of answers
60% Emerging Moderate Mature Advanced
60%
No risk mapping Partial approach Approach in place Approach in place
approach in place yet in place (certain at global corporate from Corporate level
40% business units/areas, level (strategic, down to divisions

risks) financial & and business units
operational)
20% 17% 17%
6%
0%
Risk mapping exercise can now be considered as a risk management standard within European companies
77% of the companies perform a risk mapping exercise at Global (60%) or Corporate (17%) levels.
26 September 2010
Q
Risks assessment and quantification:
basic assessment methodology in place but advanced quantification tools still poorly used
GRAPH CAPTION
% of answers
60% The main risk measurement approaches are:
1) Risk assessment workshop
42% 41% 2) Internal or external databases (incident, losses)
40%
3) Scenario simulation models
4) Value at risk simulation models (Monte Carlo, others)
5) Stochastic aggregation models of B.U / level risks mapping
20%
12%
5%
0% Emerging: other approaches in place

Emerging Moderate Mature Advanced Maturity Moderate: risk assessment workshop used
Mature: risk assessment workshop and internal or external databases used
Advanced: use of the 5 main risk measurement approaches above
Risks assessment workshop is now a widespread practice among European companies but advanced quantification
tools are still poorly used
Risk assessment workshops are now used by more than three quarters of the European companies (88%).
However, advanced quantification is still poorly used among major European countries (UK, Germany, France, Spain):
Stochastic aggregation models of B.U / level risks mapping used by less than 25% of the companies
Value at risk simulation models used by less than 25% of the companies , except for Germany (38%)
27 September 2010
Q
Decision making process: risk analysis and major Corporate decisions still partly disconnected
GRAPH CAPTION
60% % of answers Six categories of strategic decisions identified:

1) Major projects
38% 2) Strategic planning

40%
3) Investment decisions
27% 28%
4) Contracts/bids,
20% 5) Acquisitions/ transfers decisions
7% 6) Budget decisions
0% Maturity
Emerging Moderate Mature Advanced Emerging: risk analysis and decision making are linked for 0 or 1 criteria
Moderate: risk analysis and decision making are linked for 2 or 3 criteria
Mature: risk analysis and decision making are linked for 4 or 5 criteria
Advanced: risk analysis and decision making are linked for the 6 criteria
Major Corporate decisions do not systematically include a specific risk analysis
65% of the companies do not systematically perform a risk analysis (emerging and moderate levels) prior to major Corporate decisions.
Conversely, more than a third of the studied companies (35%) perform a risk analysis prior to most of their major Corporate decisions.
28 September 2010
Q
Risk Management and Internal Audit functions:
a growing relationship but still too limited synergies
GRAPH CAPTION
% of answers
60%
No particular Mutual reporting - Coordination and Very close
relationship between coordination./ cooperation on the relationship between
40% 36% Risk Management cooperation on a audit plan the two functions
and Internal Audit limited basis
27%
functions and/or
20%
20% 17% separate reporting
lines
0%
A minimum level of coordination between the two functions is now in place for most of the European companies
A minimum level of coordination between Risk Management and Internal Audit functions is now in place for 64% of the respondents.
However, there is still no particular relationship between the 2 functions for more than a third of the respondents (36%) which remains quite high.
29 September 2010
Q
Risk communication (1/3)
Risk management role and activities: a clear definition through risk management policies or charters
GRAPH CAPTION
% of answers 62%
60%
40%
No risk A risk management policy is currently being A formal risk
management policy prepared Management policy
or charter has been or charter has been
17% 21% defined defined and
20%
communicated
0%
100%
% of answers
Yes The role of risk management is now clearly defined, or in the
process of being defined in most of the European companies
No, but it is currently being
80% prepared
83% of the respondents have defined (64%) or are currently in the process
62% No
of defining (19%) a Risk Management policy or charter.
60%
48% No opinion / Don't know
This practice is now widespread among both listed and not listed companies
40% and a significant improvement can be observed since 2008 (from 48% in 2008
30% to 62% in 2010).
18% 21% 17%
20%
4% 1%
0%
Year
2008 2010
30 September 2010
Q
Board use and perception of risk information: a regular use and a growing interest
GRAPH CAPTION
% of answers
60%
Dont know, no Risk management Risk management Complete embedding

mechanism in place topic dealt with on an topic dealt with at of risk management
40% to ensure risk as needed basis least on an annual in decision making
30%
28% information use basis at board level
23%
or identified
19%
20% Compliance/Gover-
nance requirement
for the board
0%
Boards have a regular use and a growing interest for risk information
Risk management is now completely embedded in board decision making process (28%) or the topic of risk management dealt at least on an annual basis (30%)
for 58% of the respondents.
Moreover, risk information can also be asked on an as needed basis for 19% of the respondents.
Conversely, for 23% of the respondents, risk management/information mainly remains considered as a pure compliance requirement (13%) or is not really
taken into account by the Board (10%).
31 September 2010
Q
External risk communication: a large array of practices
GRAPH CAPTION
% of answers

60%
No communication or Communication Communication Communication

minimal carried out on carried out on major provided for major
40%
communication general or generic specific risks faced specific risks as well
26% 27%
24% risks for the sector by companies as assessment
23%
of their importance
20%
and management
0%
Risks external reporting remains very diverse from one company to another and deal with a large array of practices
50% of the companies (mature and advanced practices) communicate at least about major specific risks faced by the companies, whereas an other 50%,
still deal with a very limited level of external communication (24%), if not minimal or inexistent communication (26%).
32 September 2010
Q
Synthesis: results per category and level of maturity
Companys breakdown per category and level of maturity
Risk Governance 18% 26% 24% 32%
Mandate of the board audit and/or risk committee 16% 44% 18% 22%
Interaction with the boards 7% 15% 78%
Risk management reporting 15% 40% 45%
Coordination with other risk functions 16% 61% 23%
Risk management system independent assurance 39% 36% 25%
Risk Practices & Tools 21% 31% 27% 21%
Risk management scope of intervention 25% 32% 29% 14%

Risk mapping exercise 6% 17% 17% 60%
Risks assessment and quantification 12% 42% 41% 5%
Decision making process 27% 38% 28% 7%

Risk management and internal audit functions relationship 36% 27% 17% 20%
Risk Communication 22% 17% 21% 40%
Risk management role and activities 17% 21% 62%
Board use and perception of risk information 23% 19% 58%

27%
External risk communication 26% 24% 23%
33 September 2010
Q
3. Impact of company complexity on risk
management : focus on risk appetite triggers
Introduction (1/2)
Objective
Illustrate the correlation between the level of complexity of a company
and its risk management practices maturity.
Methodology
Assessment of the level of complexity of the studied companies based on four criteria:
Listed or not listed companies
Number of employees: between 0 and 4 999; between 5 000 and 24 999; between 25 000 and 49 999; more than 50 000
Number of countries of operations: between 1 to 10 countries; between 11 to 50 countries; > 51 countries
Sector of activity complexity: low (other); moderate (Media and entertainment, Automotive, Services, Transportation /
Logistics, Other industry / Manufacturing); high (Energy/Utilities, Consumer products, Technology/Telecommunications,
Government service/Welfare organization); very high (Banks, Financial institutions, Asset management and Insurance,
Pharmaceuticals/Life sciences)
Based on this multi criteria analysis, definition of four levels of complexity

per company:
Low: low or basic company in terms of complexity
Moderate: company with an intermediate level of complexity
High: complex company
Very high: very complex company
Cross analysis (level of complexity compared to level of complexity) with maturity

of risk management practices results per question (13 questions) and risk category
(risk governance, risk practices and tools, risk communication).
35 September 2010
Q
Impact of company complexity on risk management
practices maturity level
The impact of company complexity on risk management practices is clear but some weaknesses
appear to be shared and widespread amongst all companies
The impact of company complexity

on risk management practices is
clear but needs to be mitigated for
some risk domains
Indeed, 42% of complex companies benefit
from an advanced risk management
governance maturity level (compared to 28%
for less complex companies),
and 69% when it comes to risk
communication (compared to 40% for less
complex companies).
This difference can be explained by listing
requirements and the number of countries of
operations that lead to higher degrees of
formalization.
Conversely, the domain of risk practices and

tools appears to be poorly influenced by
company complexity. In fact, if only 18% of
the less complex companies have an
advanced level of risk management maturity
rating regarding this topic, the complex
companies also appear to be poorly
equipped (32%).
This poor level of maturity partially relies on
the limited involvement of risk management
in some strategic decisions and the low use
of strong quantitative tools.
36 September 2010
Q
4.
The future of risk management:
focus on risk appetite triggers
Introduction
Objectives
1st objective:
Classify risk significance and define risk appetite for 23 generic risks
Understand the impact of company complexity on risk appetite
2nd objective:
Seize the respective impacts of compliance and shareholders expectations triggers on risk management maturity
Illustrate these impacts with respect to companies risk management level of maturity
Methodology
1st objective:
The respondents were required to classify risk significance and define risk appetite for 23 generic risk areas
identified in the four most important areas of their organization:
Strategic & governance
External risks
Operational risks
Compliance and ethics
Based on their responses, companies were then classified into four risk appetite
categories
2nd objective:
Analyze the respondents responses regarding risk management maturity triggers: mainly compliance,
both compliance and shareholders expectations, mainly shareholders expectations
38 September 2010
Q
Risk Appetite per risk category
Companies risk appetite rather relies

on risk category than on risk significance
Our analysis reveals that companies

definition of risk appetite (e.g. zero
tolerance stance vs risk taker position) only
partially depends on their assessment
of the significance of each risk.
In fact, a closer analysis of the results shows

that the declared risk appetite is mostly
triggered by the risk category, rather than the
risk assessment.
Consequently, it appears that companies

mainly adopt risk-taking strategies when it
comes to external risks (competition, financial
markets, macroeconomic issues, mergers
and acquisitions), or, especially for complex
companies, for planning and execution
decisions.
Conversely, companies appear to be totally

averse to risks for regulatory and safety
issues (risks related to compliance, internal
control, corporate governance, health and
safety, liquidity issues).
39 September 2010
Q
Risk management maturity triggers
Risk management maturity is no longer a pure compliance mirror effect, especially for complex
companies, but a true shareholder expectation
Risk management level of maturity

Moderate Mature Advanced
Risk management is turning into
a major concern for shareholders
An analysis of the different maturity

levels in terms of risk management Nature of risk management triggers
shows that risk management maturity
(particularly for more complex 11% 31%
Compliance oriented 9%
companies) is no longer a pure
compliance mirror effect but a true
shareholder expectation.
Our survey illustrates this trend, and

shows that even if 51% of the companies Both compliance
still consider that compliance remains the and shareholders
3% 8% 2%
main trigger for their risk management expectations
maturity, 36% now put shareholders oriented
expectations on top of the list.
Also, among advanced companies in

terms of maturity, shareholder Shareholders
expectations are now considered as the expectations 6% 11%
key trigger for their risk management 19%
oriented
maturity (11% compared to 9%).
40 September 2010
Q
5. Insurance market: developing expectations
Insurance is seen as remaining good value
What changes have you made to your insurance programmes or will you consider
as a result of the financial crisis?
Basis: N=451
(Multiple choice)
33% were considering locking in their

programme and 29% planned no
changes. That 33% were thinking
about replacing their insurance
partners may indicate some concern
about insurer security.
Risk transfer is regarded as a good

response to the financial crisis:
very few respondents want to restrict
coverage: 1 in 5 thinks of transferring
more risk, either to captives or
traditional insurance programmes.
Little impact on claims settlement

process: already optimised?
42 September 2010
Q
Good degree of satisfaction regarding
insurers network, knowledge and expertise
Do you feel that traditional insurance markets are able to adapt to the needs of your company with regard to?
Basis: N=451
Respondents are confident that their

insurers can support them as their
business develops and expands into
new territories.
However we see less satisfaction

with the insurers ability to help
manage the consequences of the
financial crisis.
43 September 2010
Q
A need for more relevant offering
Where would you see Areas of improvement? (max 3 answers)
Basis: N=151
(Multiple choice)
Requests for extended coverages

and tailor-made policies are the
driving force behind innovation.
A surprising number of respondents

would like more capacity
(56% in Spain/ 41% in France).
Premium reduction is less of a priority

than innovation!
44 September 2010
Q
Interdependancy and emerging risks:
progress to be made
Do you think that insurers have a sufficient level of expertise with respect of:
Basis: N=451
The financial crisis has raised

awareness of interdependencies.
Emerging risks: the extent of

uncertainties and lack of official
positions statements from insurers
worry a number of insured.
Insurers have good credibility with

regard to the analysis of risk
accumulation and environmental risk.
Renewable energy: a developing

market for insurers!
45 September 2010
Q
European insurance services are generally
broker-provided
In your opinion, which partners offer you best services?
Basis: N=451
43% see an internal team as the best
form of claims management (versus
29% in 2008).
The bigger the company, the more

it values the internal team: high
deductibles, captive etc.
Brokers are considered the best

partners for putting together the
insurance programme and the most
valued source of country information
(even though it tends to come from
insurers in the first place).
Over the last 2 years brokers have

lost out to Consultants and insurers in
terms of advice on alternative risk
solutions.
46 September 2010
Q
Risk engineering: a good balance of roles
According to you, which partners offer you best Risk engineering services
with respect to the following areas?
Basis: N=451
Except for:
Health and Safety: internal teams
predominate!
Insurers are seen best partners
for fire safety and prevention (32%),
as historically.
Brokers seen the best partner
on public and product liability (35%).
In the UK, little role is given to the

brokers on risk engineering.
There is some margin for improvements

in communication by insurers who are
offering such services: do all the
respondents have an in-depth
experience of risk engineering services
in all those fields?
47 September 2010
Q
Respondents recognise Risk engineering
as a separate and valuable service
Do you (are you prepared to) pay a separate fee for those Risk engineering Services?
Basis: N=451
65% of respondents value Risk

engineering sufficiently to be prepared
to pay a separate fee for it.
Understanding that Risk engineering

goes beyond routine site inspections
linked to an insurance programme
48 September 2010
Q
Broker transparency progressing but still not perfect
Do you have transparency on your brokers remuneration?
Basis: N=451
In 2010:
u Yes answers went to 55%
from 30% in 2008
u Dont know replies dropped
to 2% from 14% in 2008; insureds
have more awareness
thanks to a combination of:

u regulation,
u lobbying by local and national
associations
u direct pressure from the buyers
however 100% Yes should

be the only acceptable answer.
49 September 2010
Q
Future uncertainties keep respondents awake
Identify the 3 top issues that most concern you about the insurance market:
Identification of future risks is the main

concern for insureds (61%). Its clear
that the development of Risk
Consulting is going in the right
direction! Insurers have here a strong
role to play.
For 48% of respondents it seems

obvious that rates will be increased
and Solvency II contributes highly to
their fear. 60% of those who own a
captive regard Solvency II
Collective redress is a concern for as a major concern
Financial institutions (43%), media
and entertainment (50%), and
pharmaceuticals (44%)
50 September 2010
Q
Insurers required to be more innovative
In which area do you expect insurers to be more innovative?
Basis: N=451
(Multiple choice)
Insured request more extended

coverages and more flexibility on
programme structuring (to respond
positively to brokers proposals?)
They would also value feedback on

claims experience (sharing on
technical causes of claims/ claims
management etc) for benchmark
and loss prevention.
51 September 2010
Q
Contract certainty: disappointed results
With respect to contract certainty, have you experienced any improvement

in the issuing of the policy documents?
Basis: N=451
Local policy issuing still lagging

behind master policy issuing.
Progress follows the same trend as

last survey. However there is
increased awareness from Risk
managers on this issue
The results suggest one reason why 31%

of respondents want insurers to have
better control over their partners
52 September 2010
Q
Timely issuing of documents should
be a differentiating issue among insurers.
On average, at last renewal, when were your policy documents issued versus the policy inception date?
Basis: N=451
Despite the problems which can result

if there is a loss, more than 50%
of policies have not reached their
customers within one month of
inception.
Only 15% of master policies are

produced before inception date.
On average, minor improvement

versus 2008
53 September 2010
Q
Good ratings for international programmes
International programmes: how would you rate the insurance compagnies on the following topics?
But the international programme

being a powerful Risk Management
tool for the insured, it deserves
excellence in the administration.
If insurers are conscious that they

have to deliver high quality services
they still have some room for
improvement especially on:
u claims management and reporting

u information and management
of premium -related cash flows
54 September 2010
Q
Snapshot on captives
Does your company own one or more captive insurance or reinsurance company(ies)?
Locations: Some national trends
55 September 2010
Q
6. Conclusions
Conclusions (1/2)
Risk management
The risk management environment is evolving towards more regulations and standards which should
play a structuring role and severely impact risk management practices in the coming years
(8th EU directive, ISO 31000 standard). However, the survey results show that currently the level of awareness
regarding these new regulations and standards still remains very heterogeneous.
Risk management is now on top management, boards and shareholders agenda which clearly support
and sponsor the function in its traditional objectives as well as in its new ambitions. However, if risk
management now appears better known and valued at top management level, its role as well as its level
of coordination with other risks functions, must be clarified and supported by the top management.
A trend towards more consistent risk practices and tools takes shape through a broader scope
of intervention and a convergence of risks practices and tools (risk mapping exercise). However, in spite
of this consistency trend, risk management approach remains more qualitative than quantitative.
A more mature internal communication on risk is emerging through the definition of risk management
policies or charters within most of the European companies and a deeper involvement in board decision
making process. However, contrary to internal communication, external ones continues to deal
with a large array of communication practices.
Furthermore, the survey also reveals that companys complexity has a clear impact on risk
management practices maturity and that companies risk appetite relies more on risk category
than on risk importance assessment.
57 September 2010
Q
Conclusions (2/2)
Insurance
In general, clients are reasonably satisfied with insurance prices, and they are now looking for insurers
to differentiate themselves through both innovation and services. There is, however, real concern about
the possibility of a hard market and the potential impact of Solvency II on insurance capacity and pricing.
The responses show a good degree of satisfaction with insurers networks, knowledge and expertise.
Respondents are confident that their insurers can support them as their businesses develop and expand
into new territories.
As far as innovation is concerned, clients would like insurers to do more to help them manage new and
emerging risks, particularly what are today uninsurable risks.
With regard to services, the results show that respondents want more sharing of claims data and
benchmarking by insurers. Information and management of premium-related cash flows could also be
improved.
Broker transparency remains an issue. Though improving, clients find it is not yet good enough. Similarly,
the timely production of documents is still a weak point for some insurers.
Finally, it is noticeable that the number of dont know responses has fallen substantially from previous
surveys. This suggests that respondents have increased oversight of the insurance programme.
The requirements of the job have certainly grown, perhaps at least in part due to the financial crisis and greater
risk awareness.
In summary, the 2010 benchmarking survey shows that respondents believe insurers offer them good
services at reasonable prices today with developing expectations for the future.
58 September 2010
Q
Appendices
Country 0.1 In which country is the head office of your
company's parent company located?
0.2 Within your organization, are you part of the: 0.3 What is your primary position?
60 September 2010
Q
0.4.1 Among the following areas of responsibilities, 0.5 How do you believe that the recent financial and
please indicate the areas of responsibilities you are directly economic crisis has influenced the standing of the profession?
in charge of: Basis: N=782 Basis: N=782
(Multiple choice)
0.4.2 Within your direct areas of responsibilities, please 0.6 What is your company's main sector of activity?
indicate the areas of risks you directly deal with:
Basis Resp
Basis: N=782
61 September 2010
Q
0.7.1 Your company's turnover: 0.7.2 Number of employees:
0.8.2 If yes, please indicate which market(s)? 0.9 Number of countries in which your company operates
either for production or distribution purposes:
62 September 2010
Q
0.10 Is your company or are you a member of one
of the following Risk Management association?
Basis: N=782
(Multiple choice)
63 September 2010
Q
1.1 To whom does Risk Management report and by whom 1.2 How has the link between Risk Management and your
is it sponsored? Board of Directors / Supervisory Board / Audit Committee
been set up within your company? Basis: N=379
Basis: N=379
1.3 What is the mandate of the board Audit 1.4 What type of risk exposure is included within
and/or Risk Committee(s)? your company Risk Management approach?
(Multiple choice)
64 September 2010
Q
1.4bis Please identify the most important 5 risks areas for your organization:
Basis: N=379
(Multiple choice)
Strategic & Governance
External
Operational
Compliance & Ethics
65 September 2010
Q
1.5 What level of risk acceptability has your organization defined (by risk categories)?
Basis: N=379
66 September 2010
Q
1.6 Has your company defined and communicated a formal Risk 1.7 According to you, what are the main external factors
Management policy or charter (i.e. an internal document triggering Risk Management within your company?
specifying mandatory requirements)? Basis: N=379 Basis: N=379
(Multiple choice)
1.8 According to you, what are the main objectives of your 1.9 To what extent does your company disclose its risks
companys top management with respect to Risk Management? within the scope of its external reporting
Basis: N=379 (annual report, reference documents, etc.)? Basis: N=379
67 September 2010
Q
1.10 To what extent is the EU 8th directive 1.11 How is risk information currently
(if applicable to your organization) impacting your companys perceived and used by your Board?
Risk Management policy? Basis: N=379 Basis: N=379
1.12 In your organization, to what extent are the various risk 1.13 Is your internal audit department providing
functions (Risk Management, internal audit, controlling, independent assurance over your overall
environment, quality,) coordinated? Basis: N=379 risk management system? Basis: N=379
YES = 61% NO = 29%
68 September 2010
Q
2.1 Is Which of the following potential organizations 2.2 What type of relationship is there between
most closely describes that of your company? Risk Management and Internal Audit functions?
2.3 In your company, at corporate and division levels, how 2.4 To what extent do you cooperate with the following
many Full-Time Equivalents are working for the Risk functions / departments (from 1 = no relationship to 4 very
Management and Insurance Management Basis: N=433 close integration): Basis: N=433
functions (at head office)?
69 September 2010
Q
2.5 As part of your Risk Management activities, which of the 2.6 To what extent does your company map its risks
following actions are already embedded or planned? (identification, description, and prioritization):
2.7 In order to measure / quantify your risks, 2.8 Is your Risk Management framework explicitly
what kind of approaches do you use? referring to any of the following?
(Multiple choice) (Multiple choice)
70 September 2010
Q
2.9 Is risk analysis formally and systematically linked to 2.10 In terms of being recognized as a professional
decision making in the following? risk manager, in the next five years, do you think that
Basis: N=433 risk managers should have: Basis: N=433
(Multiple choice) (Multiple choice)
71 September 2010
Q
Contacts
Contacts
FERMA Federation of European Risk Management Associations (Bruxelles)
Florence Bindelle, Executive Manager
Tl. +32 2 761 94 32 - Email : info@ferma.eu
www.ferma.eu
Ernst & Young Risk Advisory (Paris Geneva)

Dominique Pageaud, Partner Email : dominique.pageaud@fr.ey.com
Jean-Michel Paris, Senior Manager Email : jean-michel.paris@ch.ey.com
Sbastien Rimbert, Senior Manager Email : sebastien.rimbert@fr.ey.com
Matthieu Leroy, Manager Email : matthieu.leroy@fr.ey.com
Tl. +33 1 46 93 60 91
www.ey.com/fr
Axa Corporate Solutions (Paris)

Philippe Rocard, Chief Executive Officer Email : philippe.rocard@axa-cs.com
Regis Demoulin, Chief Commercial Officer Email : regis.demoulin@axa-cs.com
Philippe Jouvelot, Chief Underwritting Officer P&C Email : philippe.jouvelot@axa-cs.com
Emmanuel Nivet, Chief Executive Officer UK branch Email : emmanuel.nivet@axa-cs.com
Stphanie Augustin, Marketing Manager Email : stephanie.augustin@axa-cs.com
Tl. +33 1 56 92 83 97
www.axa-corporatesolutions.com
73 September 2010
Q

Ferma European Risk Management Benchmarking Survey 2010

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Ferma European Risk Management Benchmarking Survey 2010

Încărcat de

Drepturi de autor:

Formate disponibile

FERMA European Risk Management

Benchmarking Survey 2010

In collaboration with and E

Fifth biennial benchmarking survey conducted by the Federation of European

The survey (45 questions) received 782 respondents

2. Maturity of risk management

3. Impact of company complexity

4. The future of risk management:

600 Key facts

Respondents from all industries Listed and non listed companies

Basis: N=782 Basis: N=782

67% of companies with a turnover and 63% have more than

Basis: N=782 Basis: N=782

50,000 and more employees 19%

From 25,000 to 49,999 employees 12%

No opinion / Don't know 5%

Companies with head offices located operating at international level

France 18% Over 151 countries 4%

0% 5% 10% 15% 20%

Insurance Manager 31%

Chief Risk Officer 7%

Head of Internal Audit 5%

Chief Executive Officer / Managing Director 2%

Legal Counsel / Head of Legal Department 2%

General / Company Secretary 1%

Chief Financial Officer 1%

0% 10% 20% 30% 40%

ISO 31000 13%

FERMA / AIRMIC and National Risk Management

* Multiple choice question

70% Legal, regulatory or compliance requirements

45% Catastrophic event

31% Pressure from the market

17% Analysts / rating agencies pressure

13% Major increases in insurance premiums

* Multiple choice question

0% 20% 40% 60% 80% 100%

* Multiple choice question

Align risk appetite and strategy: zoom per country

Link growth, risk and return 36% France 33%

Improve predictability of delivering business 32% Spain 29%

Enhance external reputation with investors 31% Germany 27%

Rationalize capital and improve 29% Switzerland 25%

Seize opportunities 28% Italy 15%

No opinion / Don't know 3%

0% 20% 40% 60% 80% 100%

* Multiple choice question

Definition of four levels of risk management maturity per question

Risk Management maturity: 13 questions extracted from the survey

Risk practices & tools

2) Challenge residual risk exposure and relevance of existing mitigation actions

Emerging: no criteria included

No mechanism in Interaction with Topic of risk Risk management

Emerging Moderate Mature / Advanced

Report to other Report to CFO, Report to Audit risk committee, Board

* Graphs exclude No opinion / Dont know figures

60% No independent Partially independent assurance provided Complete

0% Emerging: embedded for 0 to 1 criteria

Define and implement risk financing solutions

40% business units/areas, level (strategic, down to divisions

20% 17% 17%

0% Emerging: other approaches in place

60% % of answers Six categories of strategic decisions identified:

38% 2) Strategic planning