FERMA Blog

Newsletter #75

President’s Column

Looking ahead, I find it hard to predict what the world will look like even five years from now. Clearly, it will be increasingly complex, volatile and interconnected. In this turbulent world, education becomes a critical difference for professional risk managers.

Everyone has already accepted that silos are a barrier to success in a globalised environment. The risk manager will be the person who can give an overall and independent view of risk across the organisation. Such an independent view from someone close to decision makers is essential but has not been common enough, research since the financial crisis has shown.

Education will allow risk managers to be recognised as risk experts. Our professional certification rimap® provides assurance for decision makers that there is a recognised European standard for risk management knowledge and skills that they can rely on. The rimap examination is only the start; there is always an evolution in the knowledge and skills that the risk manager needs to communicate with authority to decision makers.

The skills and competences of the next generation of risk leaders will have to be broader, with a more analytical mindset and a deeper understanding of digital and other technology. The digitalisation of the world and more specifically cyber risks are changing the risk landscape and risk governance, requiring the creation of cross-enterprise strategies. These will have profound impacts on the risk management profession. Continuous learning is, therefore, essential for risk managers to keep up to date and remain relevant, and the rimap programme recognises this with its requirement for CPD.

Education is close to my heart and my belief in the future of the profession. It is one of the themes for my term as President of FERMA, and one full day at the 2017 Risk Management Forum will be dedicated to education in recognition of its importance to us.

Jo Willaert

Knowledge Corner

Board risk conversation

Ensuring corporate viability in an uncertain world

Airmic and CGMA (English)

Cyber Risks

Advancing Cyber Resilience: Principles and Tools for Boards (English)

Guide d'hygiène informatique (IT hygiene guide)

Agence nationale de la sécurité des systèmes d'information, ANSSI (French)

Global risks

World Economic Forum Global Risk Report 2017 (English)

HR risks

Reworking duty of care (pan-European)

Chubb (English)

https://www2.chubb.com/UK-EN/_Assets/documents/chubb_reworking_duty_of_care_report.pdf

Political risk

Political risk map

Marsh (English)

Risk management

La gerencia de riesgos, en su mejor momento (Risk management at its best)

Interviews with Juan Carlos López (AGERS) and Augusto Pérez (IGREA)

Aseguranza (Spanish)

Newsletters

Airmic News

Airmic (English)

Die Versicherungspraxis

GVNW (German)

European News: NFR guidelines: new stakeholder conference on 16 February

The Commission delayed the publication of the Non-Financial Reporting (NFR) Guidelines, initially expected in December 2016. It explained that it had to take account of “recent international developments, including at G20 and FSB level […] to consider as far as possible the work of the industry-led Task Force on climate-related financial disclosures established by the Financial Stability Board (FSB)”.

At a new conference for stakeholders held in Brussels on 16 February, FERMA stressed the importance of enterprise-wide risk management as an intelligent tool to ensure that the description and the analysis of risks mentioned in the non-financial statement (such as environment, social and employee matters and bribery) are relevant and based on high-quality data.

Publication of the NFR guidelines is now expected in April 2017.


European News: Adoption issues over country-by-country reporting

Published in April 2016, the European Commission proposal for public country-by-country reporting of results by large companies continues to face legal disagreements between the European Parliament and the Council of the EU, which represents the interests of the 28 member states. MEPs and member states disagree on the legal basis upon which the text should be adopted. MEPs, supported by the European Commission, argue that the proposal falls within the scope of European competition policy because it harmonises the conditions of the single market. This would mean the ordinary adoption procedure, in which the legislation is adopted jointly by Parliament and the Council.

On the opposite side, certain member states in the Council consider that the proposal contains tax measures, which fall within the sole competence of member states. Such a proposal would have to be adopted unanimously by the member states, with the Parliament having only a consultative role.

During an exchange of views on 12 January 2017 at the Legal Affairs Committee at the European Parliament, the Maltese Presidency promised to do its best to come to a solution before the end of June. The Council will start its work based on the draft report from the European Parliament released on 9 February. This report contains stricter amendments to strengthen the initial proposal from the Commission, including a lower threshold in turnover for companies to start disclosing tax and profits information on a country-by-country basis and a larger geographical scope of jurisdictions impacted.


European News: ERM approach argued for data protection officers

FERMA has called for an ERM approach to be included in the Guidelines on Data Protection Officers (DPOs) in its comments to the Article 29 Working Party considering this aspect of the EU General Data Protection Regulation (GDPR). It sees parallels between the roles of the data protection officer and risk managers.

In its submission to the working party, FERMA says that an ERM methodology will help ensure a professional approach to the assessment of data protection risks. It further argues that the “three lines of defence” model is likely to be relevant in this process and could be updated to reflect the latest cyber law requirements, including the GDPR and notably the new function of data protection officer.

FERMA also believes that the role of DPO does not necessarily need to be a newly created function. It could be exercised by existing positions in the organisation, notably the risk manager, with some adjustments, thus avoiding an extra cost layer.

FERMA has consistently stated that cyber/information security is an enterprise-wide risk and that compliance with the GDPR cannot be the sole responsibility of the IT department. FERMA’s working party with the European Confederation of Institutes of Internal Auditing (ECIIA) is developing a set of recommendations on corporate governance processes that will support organisations in managing cyber risks across their operations.

Risk management awards 2017 announced

FERMA and Commercial Risk Europe have announced that the second European Risk Management Awards will take place on 6 November 2017 in London. This follows the successful launch of the awards event in Brussels last year at a gala dinner attended by more than 250 senior members of the European risk and insurance management community.

The official launch of the European Risk Management Awards 2017 will take place in March, when we announce the list of judges, categories and important dates.

See our interviews with

Heljo Laukkala, 2016 Risk Manager of the Year

Jana Bicanova, 2016 Risk Management Lifetime Achievement Award

Expert View: New tool kit need for cyber resilience and cyber risk governance

By Daniel Dobrygowski

Business leaders today recognise that the profound reputational and existential nature of cyber risks means that responsibility for managing them sits with the board and top-level executive teams. As the World Economic Forum stated in its 2017 Global Risks Report, we are facing a pressing governance challenge to construct the rules, norms, standards, incentives, institutions and other mechanisms needed to shape the development and deployment of the emerging technologies of the Fourth Industrial Revolution.

Even when it comes to just one aspect of this Fourth Industrial Revolution, many organisations do not feel that they have the tools to manage cyber risks at the same level of confidence as other risks. There are as yet no leading practices to form part of the standard board competencies.

While our virtual and physical worlds continue to merge, the stakes are increasing. Two responses are essential: 1) many more organisations should adopt, share and iterate current leading practices, and 2) they must develop new practices through cross-sector collaboration as the risks evolve. The second will be difficult without common tools and language for an informed body of leaders to use.

The World Economic Forum has, therefore, this year, published Cyber Resilience Principles and Tools for Boards. There are 10 principles. Many of them relate specifically to risk management, and ultimately the role of the risk manager, including:

  • A statement of board level responsibility for cyber resilience and a need for board members to receive information and advice on cyber threats and trends. The board may delegate primary oversight activity to a suitable committee, such as the risk committee.
  • Incorporation of cyber resilience and cyber risk management into the overall business strategy and into enterprise risk management.
  • The creation of an accountable officer responsible for reporting on the organisation’s capacity to manage cyber resilience. This person would have regular board access, sufficient resources and command of the subject and experience to fulfil these duties.
  • The definition and quantification by the board of its business risk tolerance relative to cyber resilience at least once a year. The board is to be advised on current and future risk exposure as well as regulatory requirements and industry/social benchmarks for risk appetite.
  • Management to be accountable for reporting a quantified and understandable assessment of cyber risks, threats and events as a standing board agenda item. The board validates these assessments using its cyber risk framework.

The business opportunities of new technologies can present higher risk profiles since these technologies are mostly unproven. A rush to market to maximise competitive advantage adds to the risk profile incrementally as the business impact increases. As the World Economic Forum’s work on cyber resilience has made clear, it is no longer feasible to embark on business opportunities at the sub-committee or management level without educating the board on the cyber resilience impacts.

While it is unlikely that every risk can be avoided, a clear framework for managing risk will reduce the impact of any incident. Once organisations can effectively manage the risk associated with these technologies, they will have a greater degree of assurance that they can achieve their strategic objectives.

The World Economic Forum welcomes the work underway by FERMA and the European Confederation of Institutes of Internal Auditing that will contribute to the development of cyber governance principles especially in relation to the latest EU regulations.

Daniel Dobrygowski is the cyber resilience project leader with the World Economic Forum.

Advancing Cyber Resilience: Principles and Tools for Boards is available here: http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf

The World Economic Forum Global Risk Report 2017 is available here: https://www.weforum.org/reports/the-global-risks-report-2017

rimap: exam success in Denmark

In cooperation with Danish member association DARIM, nine risk managers went through the rimap® certification process on 25 January 2017. Once it had been confirmed that all of them met the rimap eligibility criteria, they took a two-hour examination, similar to the one delivered during the European Risk Seminar in Malta in October 2016.

In order to increase the chances of the candidates passing this exam, DARIM organised a morning training session where they had the opportunity to review and discuss the eight documents that are the basis of the exam. This very interactive session led to excellent results with seven succeeding and becoming rimap certified risk professionals.

A rimap examination session is already scheduled during the FERMA Forum in Monte Carlo in October 2017. The rimap certification is also expected to become fully online over the course of 2017. It will, therefore, become available to any eligible risk professional in Europe.

New name, wider appeal for Czech association

The Czech risk management association has changed its name from ASPAR CZ to the Czech Risk Management Association, CZRMA, to welcome a broad spread of risk managers in addition to those specialising in insurance management.

The President of CZRMA Jana Bicanová explained that the new name reflects the evolution of the association into a strong national platform for both expert and management level positions in risk management from its beginning in 2007. “Since the original name explicitly emphasised the ‘specialist’ aspect, we decided on the change to show that we are an association for the whole range of risk management professionals,” she explained.

CZRMA will hold an extraordinary general meeting on 23 February at which members will elect a new president and vice-president. Jana, who received the FERMA Excellence in Risk Management lifetime achievement award in December 2016, is stepping down for personal reasons from the role she has held since the beginning of the association, but she will remain involved with CZRMA.