A catalyst for change

In giving the opening presentation at the French risk management association's (AMRAE) recent conference at Deauville, Michel Prada, head of the Autorite des Marches Financiers (AMF), was at pains to stress the importance of internal controls and procedures. The communication of information about risks and the measures taken to remediate them was a further crucial step in the process, he said. Approximation and intuition should no longer come into the picture; they were too often merely an excuse for incompetence.

The best encouragement for taking on risk, concluded Prada, is to know those risks backwards in the first place.

Loi de Securite Financiere

From this we may conclude that in France, as elsewhere, ever-increasing transparency is the order of the day. The Loi de Securite Financiere, (LSF) passed in July 2003, already obliges companies to append a statement to their annual reports, which details their internal controls. This law has readily been compared to the Sarbanes-Oxley (SOX) legislation in the USA, although, as a report issued by the French senate is at pains to point out, the LSF may cast its net wider than its American equivalent, but is in many respects less stringent. Indeed, for French companies which also have listings in the US and must comply with Sarbanes-Oxley, the LSF is almost a non-event. Says Dominique Hubin, group risk officer at Suez: "The SOX compliance effort is huge; it takes up enormous resources. With the LSF, you don't need to have the whole evaluation procedure."

Now into its third year of operation, the LSF continues to raise questions in its wake, according to Kadidja Sinz of ACE Financial Lines, Continental Europe. How far should the required disclosures concerning risk go, and how detailed does information about mitigation and transfer have to be?
Who is to be responsible for the writing of the statement, and how far do the reports already issued measure up to the rules laid down by the AMF? Indeed, are the rules themselves the right ones?

Class action

As if these issues were not enough to concern the risk manager active in a French company, the latest cause for anxiety is the prospect of the introduction of legal procedures permitting class action in France. A working group was appointed at the start of 2005 to come up with a proposal which would allow 'groups of consumers and their associations to initiate collective actions against abusive practices observed in certain markets.' However, the working group's report, issued in December of last year, has been generally held to be disappointing, since it lacked firm conclusions, and confined itself to listing a variety of options.

This seems to have been primarily due to a failure to resolve two crucial questions. The first was whether only those actively signing up could become part of a class action, or whether all those affected, active or not, could be so considered. The second was whether the procedure should extend beyond the field of consumer rights to include such matters as the environment or health.

Ultimately the proposal seems to have run aground on a fundamental principle of French law - that the plaintiff cannot mandate another in his place.

However, the grounding may only be temporary: a further round of public consultation has been set in motion, with further proposals awaited, in theory, by March 2006. Although it is French companies in consumer and service sectors that would seem to have the most to worry about, the prospect of group actions taken by small shareholders may cause concern even among those not directly in the firing line.

A changing role

To what extent then, is the constantly-evolving regulatory and legislative background affecting the role of the risk manager in France and beyond?
"There is a shift," says Marie-Gemma Duquae, president of FERMA. "Corporate governance has become a very broad movement, and it is very important for today's risk managers to be aware of the growing need for transparency.

There is still more cooperation needed between functions, but we are seeing more committees - not necessarily called risk committees - being set up to deal with the issue." Her words are backed up by Thierry van Santen, director of risk management, Danone. Speaking before chairing a workshop on audit and control at the AMRAE conference, he said: "Risk has a new visibility, and, above all following the COSO II definitions, the risk manager is becoming recognised as having an essential part to play.

"This is giving the role an importance which perhaps not every risk manager is ready to assume. In effect, the role no longer has much to do with the risk manager as insurance manager, which was often recognisably the case in the past. This is one of my old battles ... I have been saying for years that things were about to change, and that is what is now happening."

Van Santen's thoughts are echoed by Alain Poullet, president of AMRAE's scientific committee. "We are witnessing a shift in the function of risk management. While it used to be more or less confined to managing insurance, it is now evolving steadily to becoming something much more widely spread across different areas, with risk being the uniting factor." Poullet considers that risk management can take advantage of changes in society and in the law. We have already seen, he says, how the LSF and Sarbanes-Oxley have given it a new legitimacy. At present, it exists on numerous levels, from the insurance manager to the chief risk officer. And, with the entry onto the scene of a new generation, it can be expected to evolve further.

"Whether or not we wish for this to happen, it is a fact that there is an increasing sensitivity to risk, and that the public tends to demand more and more by way of safety nets and guarantees. So there is a need for specialists who know how to communicate, explain and persuade."

But while most agree that risk management is becoming rapidly more visible, will the increasing emphasis on transparency and good governance be enough of itself to thrust the risk manager into a more prominent role? Indeed, is it capable of pushing enterprises in France towards achieving the holy grail of enterprise-wide risk management (ERM)?

In the opinion of Chris Lajtha, risk management consultant, Adageo, the question needs to be looked at from a slightly different angle. "Risk management is a practice, not a silo," he says. "Practitioners of risk management design processes around what they are doing. A practitioner has to manage communication flows, has to develop expertise in techniques and in coordination and communication in a way that is usable to various parties. There is no doubt that risk management practitioners are getting more status. Top people want to know about risk and to talk about it.

But who exactly are these practitioners? A lot of people are vying for this turf.

"And ultimately, what is the end run of risk management? You are trying to change the behaviours of other people - operations managers for example. You want people to become at ease with the notion of risk. And that means having a shared knowledge and a shared vocabulary."

The way that Chris Lajtha sees it, regulatory change will not of itself bring about a sudden transformation in the role of risk manager, but can most certainly act as a catalyst. In other words, if conditions are already ripe for change, regulatory initiatives can help to speed things up. And the most important pre-condition, he thinks, is a belief at the highest level of an enterprise that ERM is beneficial to the business; that it has strategic value, and that measuring risk-adjusted return on capital is the way to achieve long-term resilience and enhanced performance.

He is optimistic about the future. "You are starting to see movement, even in the large corporations. But we must recognise that the pace will be uneven. You are not starting on a clean page. There is legacy. We must recognise that many organisational structures have not evolved very much from the early years of the 20th century."

At the sharp end

At the sharp end of French risk management, Dominique Hubin reflects on the progress made in his company over the past few years. "Enron was a wake-up call for us," he says. He operates with a light framework. It makes no sense, he says, to have a large team of analysts at the centre, for the information is all in the field. What is required is a rapid and intelligent interface with functional and operational lines. "It is an ongoing process of improvement. We have established a number of processes, all instrumental in building the reporting line all the way up to the directors."

Looking outwards, he agrees with Chris Lajtha that corporate governance initiatives can be a catalyst for change. "Certainly, boards are taking risk management more seriously because of compliance," he says, "but, as ever, other internal processes are always competing for attention."

Andrew Leslie is assistant editor, StrategicRISK.