Monthly Archives: March 2017

FERMA welcomes Commission actions to improve ELD implementation


The Federation of European Risk Management Associations (FERMA) today welcomes publication by the European Commission of a three-year programme to improve implementation of the European Environmental Liability Directive (ELD). The Multi-Annual rolling Work Programme 2017-2020 is based on the evaluation of the ELD concluded in April 2016 in which FERMA participated.

“We welcome this process, part of the EU Better Regulation approach, because it capitalises on the existing ELD text without introducing costly new requirements on industrial operators, including our members,” stated Jo Willaert, President of FERMA. He will present FERMA’s views on the future implementation of the ELD at a public hearing organised by the European Parliament in Brussels on 11 April.

The new multi-year work programme will serve as a guideline, not legally binding, to steer activities by all stakeholders towards better implementation of the ELD in the next three years.

The work has three pillars: improve the evidence base to gather more data measuring the efficiency of the ELD in the Member States, focus on implementation tools for a common understanding of key concepts of the Directive and explore the availability of financial security.

FERMA shared the conclusion of the European Commission published in the 2016 review that no revision of the ELD was necessary. The current Directive has already had positive results with the introduction in every national legal system of the EU of the concepts of biodiversity damages, remediation and compensation for environmental damage.

It has shown the value of having the same environmental protection principles in every member state: polluter pays, strict liability for high-risk operators and biodiversity protection.

Said Jo Willaert: “By respecting the principles of subsidiarity (no EU intervention when an issue can be dealt with effectively by EU countries) and proportionality (EU action must not exceed what is necessary to achieve the objectives), the Commission is sending a positive message to industrial operators.”

He added: “FERMA will continue to argue that mandatory financial security would not serve the true purpose of the ELD, which is first and foremost to prevent environmental damage.”

More information about the ELD multi-year work programme can be obtained at

Press contacts

Typhaine Beaupérin, FERMA CEO, tel: +32 (2) 761 94 31

Lee Coppack, press contact, tel: +44 208 318 0330 / +44 7843 089904

2016 Innovative Insurance Programme winner, Michaël Dehert shares the challenge of a terrorist attack

Excellence in Risk Management

Michaël Dehert: the challenge of a terrorist attack

Just over one year ago, on the morning of 22 March 2016, terrorists launched two attacks in Belgium: one at Brussels Airport, and one at a metro station in the centre of Brussels. For Michaël Dehert, Risk Manager for Brussels Airport Company, it was the most difficult period of his career. Although not directly involved in the security issues, he had to respond quickly and activate the insurance approach he had put in place in previous years.

In December 2016, Michaël was the winner of the Innovative Insurance Programme Award of the year in FERMA’s Excellence in Risk Management Awards. A lawyer by training, he started out working as regional head of legal operations in a bank. In time, looking for new horizons, he moved into internal audit, where he learned about risk management. Any sort of risk, he says, so long as it was non-financial and non-tax.

“At a certain moment, I saw a vacancy at Brussels Airport for a risk manager. I was a glider pilot instructor, so it was a one-to-one perfect match. I said this job is mine, and I have been the airport risk manager since 2010.”

On 22 March, it took Michaël more than an hour before he could arrive at work. Immediately after the attacks, the airport had been closed. “It was a physical confrontation with risks that you have been working on for years in insurance tenders, in broker tenders, describing property damage, business interruption, terrorism risks and liability risks, and they had all just occurred where we work every day.”

When starting his job at Brussels Airport, Michaël had put a new insurance approach in place. A broker tender defined the qualitative and quantitative targets. The qualitative targets included claims management, policy wordings and also their market approach. “By doing that we had an entry to the market in a very professional approach, not just saying – I want this type of policy, you get a price, you sign and it’s finished. It is really an integrated process from the business process, risk management and insurance management through the broker to the insurance company.”

On the matter of the attacks on 22 March, the insurance programme responded as Michaël had planned in terms of property damage and business interruption. The primary claim was settled at the end of 2016, after a very constructive cooperation between the airport as insured, the broker as intermediary, the loss adjusters and technical experts, and the single insurer, he says, adding: “You only get to know the true meaning of policy wording, (sub-) limits and coverage during the handling of such a catastrophic claim.”

To facilitate the claims of the victims, direct lines of contact were opened with the airport’s insurer for fire and explosion, and communicated through the airport’s websites, call center, and the government’s crisis centre.

Michaël states that the claims process is complex to navigate, even for a professional insured party such as the airport. This is due to the multitude of intervening parties (governments, insurances, violence victims’ compensation fund, …), specific regulations and the immense administration. As risk manager for the insured, Michaël strived to have the victims’ claims processed in the most efficient and humane manner. However, all insureds and victims remain dependent on the insurance sector and public authorities to foresee an efficient claims handling process for such catastrophic risk occurrences.

Commemoration ceremonies for the victims, staff, public services and authorities took place at the airport on the first anniversary of the attacks. Victims, authorities and staff had the opportunity to attend a commemoration ceremony at the remembrance statue, “Flight in Mind”, that previously stood in the affected terminal area. It still bears the impact marks of the attacks. Together with the artist, Olivier Strebelle, the airport decided to place this statue, as it was left after the attacks, at the entrance of the airport, as a lasting memory of the events of 22 March 2016.




We need to risk manage corporate transparency

Helle Friberg, FERMA board member, reports on the webinar on increased risk reporting requirements held on March 9 and covering country-by-country financial reporting and non-financial reporting.



Increasing disclosure by companies of their financial and non-financial results around the world exposes them to new scrutiny. We need to risk manage this process of greater transparency, or businesses could face damaging, unforeseen consequences.

Company reports are no longer limited to financial and economic information for shareholders prepared according to generally agreed accounting principles, as they were in the past. Today, all sorts of stakeholders are looking for information about the way companies operate: clients, employees, NGOs, public bodies and business partners. As a result of new European and international requirements, large enterprises will be obliged to report country-by-country financial results and provide information on the social, human and ethical aspects of their activities.

Management needs to be aware of the possible consequences – positive and negative – of disclosing more business information to the public. Certain figures are going to pop up and could easily be open to misinterpretation when taken out of the context of the company’s whole value chain. Special purpose entities and captive insurance companies, for example, are likely to show a large revenue compared to the number, if any, of employees, because the management is usually outsourced. That could increase existing suspicions, so the company must be able to show the real purpose and risk management value of such arrangements.


The content of the report should therefore be risk-assessed to anticipate possible difficulties when it has been released. The risk manager should be one of the strategic advisors that the board uses when talking about transparency, because she or he has a tremendous knowledge of what could damage the company’s reputation. The risk manager already produces internal risk reporting for the management and the board and is working with a risk database which contains much useful information.

When a company has put figures and data out into the public domain, it can be very vulnerable and exposed. Published information is open to misunderstanding – with potentially big positive and negative consequences for the business. Done correctly, it can create a possibility of using the report as a strategical tool in communications with investors, clients, and employees. The quality of the reported data, especially on risks, is essential. Businesses should take advantage of what the risk manager can bring to this new regime of transparency.

Helle was a speaker in the latest of the webinar series on the risk conversation with the board, organised by FERMA, the directors’ organisation ecoDA and AIG and held on 9 March.

Other speakers were Alexandra Lajoux, Chief Knowledge Officer Emeritus, National Association of Corporate Directors; Daniel Lebègue, Chair of Transparency France and Eric Miller, Head of EMEA Tax Advisory at AIG. The moderator was Roger Barker.

The presentation is available here:

Head of Airbus Defence and Space Insurance Risk Management, Philippe Cotelle speaks at 2017 Advisen Cyber Risk Insights Conference in London

Head of Airbus Defence and Space Insurance Risk Management, Mr. Philippe Cotelle’s speech at 2017 Advisen Cyber Risk Insights Conference in London on 7th March:

1 Governance

Digital revolution is underway at all levels of the economy. New opportunities are developed supporting new strategy of companies and organizations in order to generate growth and progress. However we identify a lack of focus on risk governance in order to address exposure related to those opportunities, evaluate risk appetite choice impact and compliance risk to the change of regulations effective rapidly in Europe. It is of utmost importance to develop the right methodologies allowing the Board and Top management to take the right decisions regarding the challenges embedded with digitization. This is the reason why FERMA (European federation of risk management with 22 national member associations representing almost 5000 risk and insurance managers in Europe) and ECIIA (European Confederation of Institutes of Internal Auditing) have decided to develop a new initiative by creating a common working group. This delegation group is composed of 10 people (5 risk managers and 5 internal auditors) representative of 8 EU countries and 6 economic sectors considered as essential services (energy, transport, healthcare, digital, water supply). We all agree in this room that cyber risk is more than an IT risk and as a consequence shall be treated as an enterprise-wide risk with an adapted governance. What does governance mean? It’s a framework whose objective is to increase cyber resilience. It’s also a clear identification of the most important stakeholders who can influence and affect the decisions on cyber risk (role of the Board, IT, legal, finance, etc.).

This working group will be producing a report to the EU Commission in June. The key question which will be addressed is whether there are optimal or recommended governance processes that would help organisations manage cyber risk across their operations. The goal is to obtain recognition by European Institutions that the proposed cyber risk governance is a key element to increase the level of cybersecurity for EU organisations.

The fact that those two highly representative organisations decide to team up and jointly present their conclusion demonstrates the importance of this issue and of this document. It will address cyber risk management framework, very concretely describe how to insert GDPR and NIS requirements in global ERM, the DPO function and the role of cross disciplinary teams. This shall support the integration of cyber risk governance within the development of the organisations’ objectives.

So as you can see, Sarah, we are pretty active!


2 Insurance Market offer

I think that it is important to point out, from a buyer perspective, the current debate and uncertainty on the way the insurance offer is developing. As you know cyber risk ignores the frontier, nevertheless there is a clear discontinuity between the continental Europe and UK markets regarding cyber insurance. On one side, in continental Europe, cyber insurance is composed not only of dedicated cyber policy but also is included as part of the conventional traditional insurance coverage. In the UK, the offer is more to strictly exclude cyber from conventional insurance in order to provide a dedicated cyber policy.

I can understand this latter position and there are many arguments supporting it. For example it is probably better to have a clear common agreement on the intention of the insurance coverage instead of relying on some interpretation that such cyber risk not being explicitly excluded from this traditional coverage would be therefore covered with the same limit and conditions. Told or untold this ambiguous situation may generate in itself conflict and dissatisfaction on both parties. I can also understand that insurance companies as regulated enterprises need to face some challenges by their regulators or rating agencies when asked to clarify the extent of the exposure of their portfolio on cyber risk. Cyber can be exposed to catastrophic accumulation scenarios and it is important that the insurance companies are able to identify, quantify their exposure and secure the necessary capital for the benefit of their commitment towards their customers. As such an approach which consists in creating a specific risk category and excludes cyber risk from all other policies is a robust and rigorous way for insurers to control their exposure and respond to their regulators questions.

However I believe that insurers shall also make sure that their proposal does fulfill their customer’s need. As I did say, digital revolution is underway in the companies. But surprisingly we do not have a new business activity called digitization! In fact digital is spreading everywhere in the organization, from process to engineering, marketing, and manufacturing. A digital factory is an adaptation of our current factory to the digital technologies, embedded in our machines, and our sites. As a consequence our cyber risk is fully embedded within our traditional risk, be it on property or casualty. Our exposure to cyber risk is complex, I would probably come back to this point later if I may, but a catastrophic scenario combines usually cyber risk with other risks in a succession of occurrences. How would we as risk managers be able to manage those different policies which, by the way, could be subscribed by a different set of insurers, and still make sure that our claim is fully covered? I think that the market shall also take into account the insured’s reality and it is a challenge on our side to progress as well in the clarification of our exposure, of our needs and the value that we attach to the transfer to an insurance solution.



3 Risk Assessment

One of the main drivers for this improved cyber risk governance is to put the Board in a situation to take strategic decisions regarding cyber risk. The Board shall be able to answer simple questions such as “Do you know the exposure of your company to cyber? Can you explain the rationale of the decision you took on cybersecurity to preserve the interest of the company?” To achieve this, a clear risk assessment process is key. It shall be considered in 3 different steps:

First there is the operational cyber security management, which is mainly technical and under the authority of the IT department. It consists of securing the company against typical attacks, disseminating good practices and developing constant monitoring of the IT network, regularly tested against the latest cyberattacks.

Secondly there is the compliance risk to the new set of regulations which are applicable. It is in this category that legal shall be involved, new positions shall be created, like data risk officer, and cybersecurity measures shall be taken as a consequence of regulatory obligations.

Thirdly, once those mandatory steps are fulfilled, comes the enterprise cyber risk management. There, the awareness of business stakeholders is necessary because the approach is the opposite. The catastrophic scenarios which would affect significantly the future of the companies are elaborated by the business and the management. Cyber expertise is then necessary to articulate among those scenarios the ones that are compatible with mindset and effort to develop them through a cyber attack, and then IT is required to analyze the potential weakness which would render eventually this attack successful. Such a scenario is then worth quantifying financially and over time the consequences for the business until full recovery.

Probability associated to this catastrophic scenario is complex to measure, first because those events are of course rare, but 3 dimensions shall be considered to provide support for decision: the threat, first, which is the technical capacity available for an attack; the exposure, secondly, or how this company differentiates from others to be an identified target; and finally the maturity of the company, how the company would be equipped to respond to a potential threat.

Mitigation measures able to respond to those catastrophic scenarios can be developed by IT cybersecurity. Managers have then the ability to arbitrate and prioritise among the proposals and allocate the right resources.

Entries open for Excellence in European Risk Management Awards 2017


Entries are open for the 2nd Excellence in European Risk Management Awards organised by the Federation of European Risk Management Associations (FERMA). The awards recognise the highest achievers within the European risk management community, who are nominated by their colleagues through their national risk management associations.


The Excellence in European Risk Management Awards are part of the European Risk Management Awards launched in 2016 by FERMA and the publication Commercial Risk Europe. There are four categories: European risk manager of the year; lifetime achievement in risk management; rising star of the year and innovative insurance programme of the year. The deadline for entries is 26 May 2017. There will be a gala presentation for the winners in London on 6 November 2017.


FERMA President Jo Willaert said: “We were delighted with the success of the 2016 Excellence in European Risk Management awards and the widespread recognition the winners have received, including within their own enterprises. We encourage our member associations and their members, as well as our colleagues in the wider risk management community, to become involved this year.”

The confirmed judges for the 2017 programme are:
  • Jana Bicanová, Winner Risk Lifetime Achievement Award 2016
  • Brigitte Bouquot, President – AMRAE
  • Julia Graham, Deputy CEO – Airmic
  • Sabrina Hartusch, President – SIRM
  • Tapio Huovinen, President – FINNRIMA
  • Gaetan Lefèvre, President – BELRIM
  • Alexander Mahnke, President – GvnW
  • Juan Carlos López Porcel, President – AGERS

FERMA and Commercial Risk Europe will also present awards for Excellence in Customer Service and Individual Achievement in the risk services industries.


FERMA will make regular announcements via its website, electronic newsletters and social media.


Notes to editors


The 2016 European Excellence in Risk Management winners were:
  • Risk Manager of the Year – Hejlo Laukkala, Vice-President, Corporate Risk Management, Metso Corporation – Finland
  • Lifetime Achievement – Jana Bicanová, Risk Manager, CZRMA – Czech Republic
  • Risk Manager Rising Star of the Year – Pauline Davoust, Risk Manager, Gate Group – Switzerland
  • Innovative Insurance Programme of the Year – Michaël Dehert, Risk Manager, The Brussels Airport Company – Belgium

For more information on how to enter, see