European risk managers are taking a more strategic role in their companies with increasing access to top management levels and the board. Against this background, they have a wider vision of the risks that could affect the ability of business to achieve its objectives.
These are the key conclusions of the 8th European Risk and Insurance Survey conducted by the Federation of European Risk Management Associations (FERMA). More than half of the 634 respondents to the survey are becoming involved in:
- implementing risk culture across the organisation (68%),
- developing risk management as a part of business strategy (62%) and
- developing business continuity and other crisis response (59%) programmes.
Two-thirds report to the board or top management level.
The survey shows rising concern among risk managers about economic conditions and business continuity disruption since the previous FERMA survey in 2014. Together with political and country instability, these are regarded as the three top risks to businesses. Digital risks – cyber-attack/data privacy and IT systems and data centres – also increased in importance in 2016.
The President of FERMA Jo Willaert commented: "From this survey, we see that risk managers are moving into a position where they are helping embed risk management into the business model and culture of their organisations. They are taking an enterprise-wide vision of risks, including the wider business environment, and the majority report to a chief officer or the board."
Respondents also indicated they want additional expertise and techniques, such as scenario analysis and post-event lessons learned, to enhance insight into the nature of the complex risks facing their companies. As a result, they are looking for their advisers, brokers and insurers to go beyond transactions and provide support in such activities. For example, risk control and transfer remain a day-to-day responsibility for the great majority of risk managers (86%), but loss prevention has become the top priority.
Digital and cyber risks are, not surprisingly, a rising concern and risk managers are looking for a greater partnership with insurers on loss prevention and incident management. The purchase of standalone cyber risk coverage has grown since 2014, but two-thirds of companies still do not buy such protection.
Europe's risk management population
Europe's risk management population has changed little in terms of age, gender and compensation since 2014. Generally, risk managers are:
- Male (73% male compared to 27% female)
- Between 36-55 years (72%), with a small increase in young risk managers since 2014
- Earning more than €100.000 a year (46%) and more than €200.000 for 7%, with salaries remaining higher for men than women by 65%
- The younger generation (the under-25 category) seems to be more diverse, with a 50/50 split between genders
- 62% working for companies with turnover exceeding €1 billion
- 80% working for companies that have more than 20,000 employees and dedicate four or more full-time employees to risk management
The risk management function globally reports at top management level (88%). This practice is increasing compared to 2014 (84%).
Emerging: Reports to other function or department
Moderate: Reports to CFO, General counsel/Head of Legal Department, Head of Internal Audit
Mature/Advanced: Reports to President/Chairman, Audit (and/or risk) Committee, Board of Directors / Supervisory Board, CEO / Managing Director or General / Company secretary
The main reporting lines are respectively:
- Risk managers: Board of directors, president, chief executive officer, risk committee and chief financial officer (65%)
- Insurance managers: President, chief executive officer, chief financial officer, head of treasury and head of legal (73%)
CFOs remain the primary reporting line for Risk Managers across Europe
Relations between Risk Management and other functions: basic coordination but room for improvement
Risk managers are forging closer relationships with the finance function, compared to 2014, with investments/investor relations, treasury and business budgets entering into the second-rank category. This suggests that risk managers are more involved in financial monitoring and financial decision-making than two years ago.
The IT department is only a third-rank partner of the risk management function, which is surprising with IT-related risks and cyber-attacks on the rise.
The survey indicates that cyber threats continue to be seen as an IT problem and not an enterprise-wide risk management issue. For ERM to be effective, more needs to be done to fully integrate the governance and risk management of technology risks across the business.
Risk and insurance managers are also reporting to top level non-executive functions such as presidents and the chairman as well as the board of directors and supervisory board at 21% and 16% respectively.
This suggests that risk managers are beginning to gain much-needed board engagement as they start to take on a more strategic role.
Top 10 risks
The study reveals that economic conditions are currently seen as the number one threat to successful achievement of an organisation's strategic objectives in terms of impact and likelihood.
This is demonstrated by its surge to first place from fifth in 2014 and its mention by 63% of respondents compared to 47% in 2014.
Business continuity disruption has made an entrance into the top 10 and jumped straight into second place. Political/country instability, non‐compliance with regulation and legislation, and competition complete the top five risks, selected by over half of respondents.
Concern has increased about digital risks in various forms and interest rate and foreign exchange exposures. The latter is most likely linked to the top risk of threats to economic growth.
[Source: FERMA, European Risk and Insurance Report 2016]