Risk managers are increasingly expected to share their expertise and knowledge at board level and their professional bodies are helping them meet the new challenge

Broker perspective

Part of a future in risk and insurance report supported by Zurich
FM Global

Dutch company ASML makes machines that produce computer chips. It strives to develop machines that make ever tinier chips for use in high-end smart phones. But in 10 years’ time, ASML expects its business model to be very different. Today it generates 95% of revenues by selling litho machines – lithography is the patterning technology that simplifies the manufacture of advanced chips. But by 2025, 80% of its revenues will come from machine servicing.

The rapid business transformation that ASML expects is typical of the risks that organisations face during this period of fast-paced technology-driven change.

“The changing business model, complexity and globalisation are all reasons why people are taking a greater interest in risk management,” says Paul Hopkin, technical director of the UK’s Institute of Risk Management (IRM).

“Enterprise risk management encourages a broader perspective by asking what we depend on to be successful and which risks could undermine those dependencies.”

In 2013, ASML ran a materiality assessment to better understand its risks.

“We wanted to know what things we needed to do now to make sure that 20 years down the line we still have a successful business,” says ASML vice-president, risk and assurance, Martin Reinecke.

“We did it from a sustainability perspective and to be responsible for our corporate behaviour. We are a market leader, we are multi-national and the people who do business with us presume we have zero risk appetite for non-compliance.”

Embedding lessons

After investigating its risk landscape, ASML’s next move was to embed its new understanding into company strategy.

“Now, a lot of our risk activity is business-focused and is aligned to our strategic business objectives,” says Reinecke. “We intertwined risk activity with our corporate performance management process, which links to long-term bonus incentives for our top managers.”

The steps taken by ASML reflect increasing pressure from investors and regulators, against a backdrop of fast-paced change in business, for board directors to take more direct responsibility for risk. Operational risk managers are now expected to talk to board directors about risk and demonstrate how, by introducing risk into strategy, the business can better meet its performance objectives.

Setting the agenda

A report from ECODA (European Confederation of Directors Associations) and IFC (International Finance Corporation, the private sector arm of World Bank Group), entitled Guide to Corporate Governance Practices of the European Union, states:

“The board is responsible for ensuring all business risks are identified, evaluated and suitably managed. In a world of increasing complexity and uncertainty, directors must manage risk more assiduously than ever before.”

This view is crystallising across Europe. The Organisation for Economic Co-operation and Development (OECD) is reviewing its corporate governance principles and if it toughens up, many countries are likely to follow. The Netherlands has already passed a new law on data privacy, in anticipation of the forthcoming EU Data Protection Directive.

As risk managers begin to contribute to strategy, professional bodies are bringing forward certification schemes to support their members in this new role. About 70% of risk managers in Europe today have a background in buying insurance. Certification is seen as a way for these individuals to demonstrate to the board that, as well as having skills in insurance buying, risk management, and enterprise risk, they can step up to a strategic risk role.

“An evolutionary process has happened, from people buying insurance to people managing risk to people managing enterprise risk,” says Julia Graham, president of the UK’s Federation of European Risk Management Associations (FERMA).

“Enterprise risk is evolving into risk as part of strategy. There is discussion about the role of risk leaders – and it is shaping up that there are two leaders, one on the board and one on the operational team. The risk manager ought to be stepping up to that operational risk leader role.”

This view is shared by ECODA/IFC in their guide: “The execution of the risk management system should be entrusted to the management, which is in charge of daily risk.”

Certification schemes

Both the IRM and FERMA have developed professional certification schemes that ask risk managers to demonstrate their knowledge and experience, to participate in continuing professional development (CPD) and to sign up to an ethical code.

The IRM scheme began earlier this year, when it published professional standards (see page 15), and FERMA is planning to share full details of its upcoming certification scheme at its Forum in Venice in October.

“It’s important that behind our new certification scheme there is credibility and efficacy. We want people to know that certified risk managers go through a structured, consistent and independent process. We’re not just handing out freebies,” says Graham, who has led on the FERMA certification project, with the steering committee and committee chairman and FERMA Board member, Michel Dennery.

There will be two levels of its certification: Advance Professional, which will be available from early 2016, and Professional, which will be brought in the following year. Applicants must first demonstrate their qualifications and experience and, if eligible, they will then take an exam to determine “whether they are up to the mark”, says Graham. They are also required to sign up for CPD and to a code of ethics.

“When your business model becomes more fragmented, there are greater risks embedded in the way you do business,” explains Hopkin. “If manufacturing is overseas, perhaps in China, India or Bangladesh, operational risks such as health and safety need to be considered on a broader basis. It becomes a reputation or ethical issue and you need to look at things in a more holistic way.”

“We’d like to see risk managers at the strategy table, encouraging the consideration of risk as strategy is formed,” Hopkin says. “Certification helps with that. It says: ‘I’m at the top of my business.’”