Tag Archives : insurance

Risk managers are developing strategic role and wider view of risks, survey finds

European risk managers are taking a more strategic role in their companies with increasing access to top management levels and the board. Against this background, they have a wider vision of the risks that could affect the ability of business to achieve its objectives.

These are the key conclusions of the 8th European Risk and Insurance Survey conducted by the Federation of European Risk Management Associations (FERMA) and reported in the FERMA European Risk and Insurance Report. The report was published on 4 October 2016 on the occasion of the FERMA Seminar taking place in Malta.

More than half of the 634 respondents to the survey are becoming involved in:

  • implementing risk culture across the organisation (68%),
  • developing risk management as a part of business strategy (62%), and
  • developing business continuity and other crisis response programmes (59%).

Two-thirds report to the board or top management level.

The survey shows rising concern among risk managers about economic conditions and business continuity disruption since the previous FERMA survey in 2014. Together with political and country instability, these are regarded as the three top risks to businesses. Digital risks – cyber-attack/data privacy and IT systems and data centres – also increased in importance in 2016.

The President of FERMA, Jo Willaert, commented: “From this survey, we see that risk managers are moving into a position where they are helping embed risk management into the business model and culture of their organisations. They are taking an enterprise-wide vision of risks, including the wider business environment, and the majority report to a chief officer or the board.

Respondents also indicated they want additional expertise and techniques, such as scenario analysis and post-event lessons learned, to enhance insight into the nature of the complex risks facing their companies. As a result, they are looking for their advisers, brokers and insurers to go beyond transactions and provide support in such activities. For example, risk control and transfer remain a day-to-day responsibility for the great majority of risk managers (86%), but loss prevention has become the top priority.

Digital and cyber risks are, not surprisingly, a rising concern and risk managers are looking for a greater partnership with insurers on loss prevention and incident management. The purchase of standalone cyber risk coverage has grown since 2014, but two-thirds of companies still do not buy such protection.

There is work to be done here in strengthening our resilience to these constantly evolving risks. FERMA has always emphasised that they are enterprise risks, and the survey shows that we need closer relationships between the risk management and IT functions. We are also looking for a partnership with our advisers, brokers and insurers to strengthen our resilience and management of incidents,” said Jo Willaert.

In terms of risk managers’ European objectives, the survey revealed three clear priorities for FERMA: establish official recognition of the risk manager, advise on data protection regulations and present risk managers’ views on increased corporate reporting and transparency requirements.

Said Jo Willaert: “The findings of this report, combined with FERMA’s mission and strategy adopted at our general meeting in June, will shape our activities over the next two years, including the continuing development of our professional certification programme rimap®.”

The full European Risk and Insurance Report and supporting documents are available on the FERMA website at http://archives.ferma.eu/about/publications/benchmarking-surveys/benchmarking-survey-2016/ and also on Slideshare.


Expert view: the future of captives

FERMA board member Dirk Wegener answers some questions about captives.

FERMA: When companies are deciding to set up or maintain a captive, how important are:
Coverage that isn’t generally available on the commercial market?
Higher limits than available at an acceptable price from the commercial insurance market?
Better pricing on frequency risks (avoiding euro for euro trading with insurers)?
Better loss information?
Ability to plan better for severity losses?

Dirk: In principle, all of the above can motivate a company to set up a captive and the ultimate goal is to optimise the total costs of insurable risks. However, such a decision has always to be taken in light of the individual risk appetite of the company for self-insurance and the regulatory framework of the captive territory. Moreover, the captive has to operate on a sound business case, including risk-based underwriting, proper claims handling, and solid risk, capital and asset management procedures, because it needs to be run on an “arm’s-length” basis.

FERMA: What factors govern the choice of domicile for a captive?

Dirk: It is fair to say that the predominant consideration is the territorial scope of a captive domicile, meaning the type and quantity of risks of the company and in what territories can be insured by the captive. Then, (prospective) captive owners are certainly interested in a supportive environment of their endeavour, which includes responsive and experienced regulators, a reasonable regulatory framework and the possibilities of outsourcing non-core functions.

FERMA: Do European companies typically look for an onshore domicile like Dublin or Luxembourg?

Dirk: Yes, this is generally the case. The EU Freedom of Service principles are instrumental in allowing a parent company to cover a significant volume of risks through an EU-domiciled captive, and some territories have demonstrated more interest than others in providing this attractive environment to captives. Moreover, the EU Solvency II regulatory regime is an advanced risk-based framework to grant a level playing field across the EU as regards regulation, which thereby narrows even further the competition of EU captive domiciles on service capabilities.

FERMA: To what extent does it depend on the class(es) of business you want to use the captive for? Or the location of the risks?

Dirk: In principle, all typical captive domiciles allow insurance of all relevant classes of insurance contracts, but there might be some niche product which can only be insured in specialised domiciles or by setting up a structure for the purpose, such as protected cell captives. The location of the risks is a more distinct denominator. Some insurance classes can only be insured by domestic (captive) insurers, for example, such as insurance-based employee benefit schemes. In such cases, non-domestic captives alternatively often act as a reinsurer of a fronting insurer which meets the regulatory requirements.

FERMA: How does a captive support the ERM of a multi-national?

Dirk: Not only is the captive an established tool to optimise the total costs of insurable risks, it also provides transparency on global loss distributions by risk types/exposures and the efficiency and effectiveness of internal loss prevention measures. These insights, gathered from an internal database via a process which is consistent across all risk types/exposures, make possible a solid ERM process for existing sites and processes. It also supports investment decisions on future locations.

FERMA: To what extent do you think BEPS will increase costs for captive owners? Is this increase likely to make some captives unattractive for their owners?

Dirk: Firstly, owners of EU-domiciled captives are very disappointed that their captives are exempt from the regular procedures applicable to all other insurance companies. Throughout the entire process of the implementation of the Solvency II regime, we were told to accept being treated like any other insurance company, as we were not any different. Now, we are told we deserve a “special treatment”. This inconsistency is neither fair nor helpful to support the captive concept as an effective risk mitigation tool.
And yes, proving to be compliant with the BEPS requirements will absolutely increase costs for captive owners. My hope is that the already complex Solvency II data analytics and reporting will be instrumental to prove BEPS compliance at moderate additional cost for EU-domiciled captives and, therefore, will not be prohibitive to continue the captive as such.

Read the FERMA position paper on captive insurance companies.


FERMA speaks out to change misperceptions of captive insurance

FERMA has launched a campaign to change misperceptions of captive insurance by tax authorities and other public bodies.

As a starting point, FERMA has today published a position paper on captive insurance companies, which it will submit to the OECD so that the views of European risk managers are considered when the OECD discusses the implementation of its Base Erosion and Profit Shifting (BEPS) measures with member governments.

FERMA will urge its 22 member associations across Europe to use the position paper to approach their national tax authorities, who will be responsible for deciding how to implement the BEPS measures, to explain the real risk management value of captives.

In light of the latest corporate transparency and anti-tax avoidance measure at European Union level, FERMA will also reach out to the Commission and Parliament to increase their understanding of the role of captives in the European economy. This follows the adoption in July of the Anti-Tax-Avoidance (ATA) Directive by the Council of the EU.

Jo Willaert, the President of FERMA, said: “Captives serve an important enterprise risk management role for European business and other organisations. We believe it is important that EU tax authorities understand better how European captives operate to preserve these risk financing capacities. This is not about tax, but a fear that the administrative costs of owning a captive will become uneconomic.”

FERMA will also raise the issues at the European Insurance and Occupational Pensions Authority (EIOPA) stakeholder group through its representative Marie-Gemma Dequae.

Key points in the paper include:

• Captive insurance enables European businesses to increase their capacity to take risk;
• The parent company gets a tailor-made risk coverage and pricing, and it can target risk reduction more effectively thanks to better loss information;
• Captive insurance contracts are genuine risk transfer transactions with pricing based on the same approaches as commercial insurers;
• European captives are regulated as other insurance entities under Solvency II;
• Many aspects of captive operations, such as the payment of insurance premium tax in source countries, demonstrate their genuine, non-tax functions.

Said Jo Willaert: “We find it ironic that Solvency II was designed to include as much as possible captives as normal regulated insurance companies, despite requests from the risk management community for more proportional regulation, and now BEPS and Commission initiatives are differentiating captives from the rest of insurance companies.”

BEPS and EU anti-tax avoidance and financial transparency initiatives will be the subject of a risk managers only discussion at the FERMA Seminar in Malta on 3 and 4 October. There will also be a presentation on captive insurance and cells in Malta. For more information, see http://archives.ferma.eu/ferma-seminar-2016/


Expert Views: Cyber risks, the SPICE Initiative at Airbus

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, member of AMRAE

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, describes the development of a response methodology to create resilience against cyber risks.

There are three main obstacles to a good understanding of cyber risks in our organisations, which I believe are common to most businesses:

1/ It has long been perceived as an IT issue only, which neglects addressing the related business impact. This is especially critical with the increase in connectivity of industrial systems.

2/ Confidentiality is a major element preventing a clear and open analysis of this risk as information management is a critical security issue; even creating a list of potential vulnerabilities is a huge concern.

3/ Finally there is a fear that disclosing a cyberattack suffered or even admitting a potential vulnerability could endanger the reputation of the company.

To get over these obstacles, the risk manager has to be able to demonstrate to the CEO or the executive committee the possible financial impact of a massive cyber attack in terms of business interruption and loss of business opportunity. For this, the risk manager needs data to show the organisation’s current state of cyber resilience, past and future cyber protection investments, and mitigation of the risk.

We must also be able to explain the legal and regulatory implications of dealing with data breaches, especially under US laws, and the protection of critical infrastructures under French and EU laws.
The risk manager needs a cyber risk map of the information system of the organisation showing the most sensitive assets to be protected. Finally he or she will use this information to engage with the insurance market.

We found that no convincing method had already been developed for doing this; we had to elaborate one. SPICE stands for scenario planning to identify cyber exposure, and it is an initiative sponsored by the CFO of Airbus Defence and Space, initiated by me as the Head of Insurance Risk Management. It is a pilot programme for a business impact analysis to identify cyber-related disaster scenarios that could affect our operational capability and it is truly innovative.

No convincing method available
SPICE needs high-level technical experts who know the cyber threat environment of the organisation. To start, we gathered representatives of all the functions as well as from IT and information management security to:
• Educate the operational managers about the new cyber threats;
• Discuss the security issues with great care;
• Openly consider some potential cyber attack scenarios – and not assume it could not happen to us;
• Support ‘impacted’ functions and information management security on quantification.

Building the scenario

Attacks: We focussed on identifying potentially catastrophic scenarios:
• Who might attack us and what would their motives be?
• What functions and assets would be impacted?
• How would we recover and how long would it take?

Cost: We calculated the business and operational impact with inputs from operations. We split the scenarios into four phases from security breach to recovery, including investment in remediation, to estimate the possible costs at each phase. What did we learn from this?
• The numbers relate to our financial exposure – but there is no final number.
• Management has to play a part.
• The objective is to reach a consensus that is acceptable to everyone and valid for our analysis.

Probability: Local information management security then evaluated the technical probability of the success of an occurrence at each step of the process. For this we used the Cyber Kill Chain developed by Lockheed Martin, which plots the stages of an attack from preparation, intrusion and active breach against the time involved.

Lessons: This same method applied by experts at two different sites produced two different probability numbers. We learned that we need a homogeneous approach, but that it also has to be associated with different types of attackers, from malicious individuals to organised criminals or foreign government agencies. We have to ask – why would they undertake the specific attack which is the subject of our scenario?

Mitigation: SPICE helps us develop our mitigation security plan and link it to business needs. We measured the costs of implementing further IT security measures to reduce the probability of occurrence and as a consequence the resulting exposure. After making this IT investment, it makes economic sense to evaluate how to mitigate the residual exposure through insurance. We have the basis for a dialogue with the insurance market to complement this mitigation strategy with an insurance programme tailored to our needs.

Conclusions:

• We believe this methodology is key in obtaining valuable insight into our cyber risk exposures.
• This process needs to be performed regularly and as exhaustively as possible.
• We have to be able to roll out the process across the whole company, its products and its locations.
• We must be able to work with operations.
• SPICE provides elements for the risk manager to enlarge the current scope of ERM to encompass cyber risks.

When it comes to cyber risks, many challenges remain in front of us. There is simply no one response. At the same time, there is no alternative to the development of the digital economy, and industry has to adapt thanks to the new possibilities offered by technology to improve efficiency, reliability and profitability. This opportunity, however, generates in itself new risks which have to be addressed and for which a dedicated risk management policy has to be defined. We need a collective effort coordinated between industry, the insurance market and the public authorities. It is time to move from awareness to action.

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, is a member of AMRAE and has been supporting FERMA in the development of its response to the European Commission’s consultation on cyber risk. He is also working with François Beaume, President of AMRAE’s commission on information systems.


Paolo Rubini’s insights from the ANRA Annual Conference

On September 25th and 26th the 15th edition of the Annual ANRA Convention took place in Milan. An event which over the years has established itself as the most important opportunity to discuss and reflect on risk management issues in our country. Our latest edition was attended by over 400 guests, including over 100 Risk Managers and Insurance Managers, 161 insurers and reinsurers, 64 brokers, 46 company enterprise experts, 14 institutions, universities, associations, to which more than 60 staff members must be added. An unprecedented success in the history of ANRA, which puts us on a par with the most successful events in Europe, such as the one sponsored by FERMA, the European Federation of Risk Management Associations, and with major associations such as the AIRMIC in the UK, the AMRAE in France, DVS Germany.


Coinsurance: new review of Insurance Block Exemption

The European Commission has taken the first step towards the review of the Insurance Block Exemption Regulation (IBER), which will expire in 2017. A consultation was launched on 5 August and will last until 4 November. This must be seen as a first round to collect the views of all stakeholders dealing in some way or another with the insurance practices covered by the IBER.

The IBER is a sector-specific legal instrument that grants an exemption from EU antitrust rules for insurance practices like co(re)insurance pools, compilations and tables. The first IBER dates back to 1991 and was renewed in 2003 and 2010.


Knowledge Corner

FERMA’s selection of recently published useful reports for risk managers.


Future Data Protection Regulation for holding private data?

The EU regulator is in the final stages of adopting the Data Protection Regulation, which will set up new rules for operators on how private data must be managed.

In March 2014, the European Parliament strengthened several requirements, such as making the applicable fines for breaching rules up to €100 million or 5% of annual worldwide turnover (whichever is greater), when the original proposal of the European Commission suggested fines “only” up to €1 million or 2% of annual worldwide turnover.