A rapidly shifting landscape of risk

Companies today face a rapidly shifting landscape when it comes to risk. The threat of a terrorist attack on an important location, ever more burdensome regulation and the trend towards moving operations to lower cost areas of the world are all shaping the risks that companies face.

 But now it is risk management itself - the process of acquiring insurance to protect businesses against potential hazards - that is also subject to unprecedented change because of broadening regulatory investigations into practices in the US insurance industry.

Andrew Cornish, chairman of the UK Association of Insurance and Risk Managers, which represents insurance buyers at 80 per cent of FTSE 100 companies, says: “It has put the insurance piece of risk management perhaps more in the spotlight in the last six months.”

But while US regulatory probes have dominated the headlines, businesses have been quietly dealing with an array of risks to their operations. Although it has been more than a year since a high profile attack, terrorism remains at the forefront of many risk managers’ minds.

The last year has also been a powerful reminder of the threat from natural perils. According to Sigma, the research arm of Swiss Re, natural and man-made catastrophes cost property insurers $49bn in 2004. Of this, $28bn was damage from the four hurricanes that made landfall in the US last August and September. The Asian tsunami, although the most costly catastrophe last year in terms of lives lost, is estimated to have cost property insurers about $5bn.

Companies are also increasingly outsourcing non-core functions, or aspects of their operations that can potentially be carried out more cheaply, such as manufacturing, to lower cost regions of the world.

According to Martin Fessey, vice-president of international operations at FM Global, an insurer of commercial and industrial property, these areas may be more exposed to natural hazards. In addition, the approach taken to risk management by the company carrying out the activity that is being outsourced may be different to that of the company that is delegating the tasks.

“It is very important to try to ensure that the risk management standards that the company has itself in its own manufacturing facilities are in some way extended to the broader global supply chain,” he says.

“When it comes to global sourcing you may be able to outsource the manufacturing, but you cannot outsource the risk control.”

Finally, companies must comply with an ever increasing set of regulations that make risk management an explicit responsibility of directors.

In the UK, the combined code on corporate governance requires companies to demonstrate that they have the processes in place for identifying and assessing risk. Boards must have a view of the main risks and, on an annual basis, include a statement on corporate governance and control in their accounts.

Douglas Flint, finance director of HSBC, is heading a group reviewing the 1999 Turnbull guidance. These rules on internal financial controls make up part of the combined code. Revised guidance is due to take effect from the beginning of next year. In addition, the 1,300 companies listed on the main stock market must publish an operating and financial review for financial years beginning this month.

This separate document - to be written by directors and published alongside the annual report and accounts - details the non-financial risks they believe the company might face and how they are responding.

Jonathan Herbst, a partner in Norton Rose’s financial services group, points out that companies in the European Union must meet new rules for preventing and detecting financial malpractices such as insider dealing and suspicious transactions. At the same time, companies must, after July, also comply with the prospectus directive, which sets rules on the content of the prospectuses published by companies when they raise capital.

Meanwhile, Basel 2, an international framework that seeks to relate the amount of regulatory capital that banks hold more closely to the risks they take, is putting greater emphasis on the identification, measurement and control of both credit and operational risk.

According to Mr Herbst: “International accounting standards, the operational and financial review, new European directives and Basel 2 are a quadrangle of things that come together to point to a much more organised and systematic approach to risk.”

In the US, Sarbanes-Oxley, which forces companies to upgrade their internal controls, is also making executives think more carefully about risk management.

A subsidiary requirement of Sarbanes-Oxley is for companies to demonstrate that they can identify and measure risk on an ongoing basis.

Richard Sharman, a partner in KPMG’s risk advisory services group, says Sarbanes-Oxley has primarily focused on financial risks.

But he says that, in the US, “there is an increasing recognition that risk management should be broader, to cover all risks, not just financial risks.”

It is not just in the US and Europe that risk management is coming to the fore. Risk management systems are encouraged in Australia and New Zealand, and the discipline is developing rapidly in Asia.

Mr Sharman says corporate governance reforms in India, for example, are encouraging companies there to set up risk management systems.

Risk management has, for some time, been moving up the global corporate agenda. “Risk management has to be on all corporate agendas,” says Airmic’s Mr Cornish.

The high cost of cover in recent years made risk management an important subject for debate in most boardrooms. Although prices for insurance cover in many areas are flat or falling, this emphasis is expected to remain.

Some experts suggest that with the probes by US regulators into their domestic insurance industry, risk management, particularly that element concerned with the purchase of insurance, could assume even greater importance in boardrooms around the world.

Last October, Eliot Spitzer, New York state attorney general, filed a civil lawsuit against Marsh McLennan, the world’s biggest insurance broker, accusing it of falsifying bids and favouring insurers at the expense of clients in return for higher commissions.

Recently, the attention of regulators on both sides of the Atlantic has turned to so-called finite reinsurance products, non-traditional policies that can be bought by companies or insurers, which span elements of insurance and finance. US regulators are probing potential accounting irregularities at American International Group, the world’s biggest insurer. However, not all forms of non-traditional insurance are under scrutiny. There is a huge captive industry which is based in offshore locations with lighter regulation and lower costs.

Robin Oakes, a senior partner at Mazars, the accountants and business advisers, says Mr Spitzer’s focus on how insurance brokers are paid, may have prompted executives other than risk managers to take an interest in the company’s insurance arrangements.

Mark Grice, a partner at Mazars, says, for example, that executives other than risk managers could become involved in the selection of a company’s insurance broker.

“Something that may have gone through on a nod has now become much higher on the agenda,” he says.

Yet, risk managers are hopeful that the changes to the insurance buying process emanating from the regulatory probes will be positive.

They hope to have a clearer idea of what their insurance broker is earning for placing insurance for them. But some suggest there could be even more far reaching changes to the risk management landscape from the US insurance scandals.

Hitesh Patel, head of insurance markets at KPMG, says that over the past two years companies have been assessing the risks they face and asking whether they should buy insurance cover or retain that risk on their own balance sheet in some way, for example through their own captives.

Discussions around transparency and broker remuneration could intensify this debate. “More and more companies will actually now look at their insurance programmes far more carefully to see if they are getting value from a risk point of view.”

For more information on how the Continuity Forum can help your organisation develop its BCM programme you can either call us on 020 8993 1599 or e-mail us directly at [email protected]