The bombings on the London transport system this summer moved the threat from terrorism into the headlines and up the risk management agenda.
According to Justin Priestley, a director in Aon’s crisis management division: “What it highlights to people is that the threat is still very real.”
For companies that have not yet reviewed either their procedures to guard against a terrorist attack, or insurance cover should they be caught in an incident, “it is an agenda item that is on their to-do list, which probably gets shifted up a couple of stages,” he says.
However, since the London bombings, there have been several stark reminders that companies face many perils other than terrorism. Hurricane Katrina, which could result in insured losses of up to $60bn according to some estimates, has graphically illustrated the fact that natural catastrophes remain a significant threat to businesses.
Inevitably, the onslaught by Katrina, and later by Rita, will raise questions about whether the risks from natural perils are rising as a result of climate change.
According to Bronek Masojada, chief executive of Hiscox, the Lloyd’s insurer: “It does not matter whether you believe in global warming or not. There have been more events of greater size, with a greater frequency than any models or anybody had predicted, so I think that [the threat from natural perils] will go up the risk management agenda.”
He suggests that following the flooding in New Orleans there could be a re-evaluation of the risks to property from flooding in areas exposed to this risk, such as London’s Thames Gateway, 90 per cent of which is on a flood plain.
Several incidents have also demonstrated the risks to companies’ supply chains.
Increasingly, companies are outsourcing non-core functions or transferring aspects of their operations such as manufacturing, to lower-cost regions of the world.
The recent dispute between the European Commission and China, over cheap Chinese textiles, which left 77m Chinese sweaters, trousers and bras impounded at the EU’s borders, has highlighted companies’ vulnerability to problems in the supply chain.
Meanwhile, the risks associated with outsourcing were highlighted in August when the bitter industrial conflict at Gate Gourmet, British Airways’ sole catering supplier at Heathrow airport, spilled over to the airline, triggering a 24 hour strike by 1,000 BA employees, and paralysing its Heathrow operations. A recent study from FM Global, an insurer of commercial and industrial property, found that risks to the supply chain were of most concern to financial executives in the UK and North America.
It surveyed 500 European and North American finance directors, treasurers and risk managers at companies with £300m of annual turnover and found almost a third of UK respondents, and a quarter of those in North America, cited supply chain issues as the leading property-related threat to their income.
Martin Fessey, vice-president of international operations at FM Global, says most companies view their supply chain from raw material to finished goods.
“Taking a link out of their supply chain can take a link out of their own business,” he says.
He points out that many locations to which functions are outsourced are those most exposed to natural perils.
But it is not just physical hazards that must be identified and mitigated.
Regulatory requirements are globally putting greater emphasis on risk management.
According to a study from Lloyd’s, in association with the Economist Intelligence Unit, mounting regulatory and governance risks emerge as factors that have done most to convince company boards of the need to reassess risk management.
Across Europe, countries have strengthened codes to tighten the way companies are governed.
In the US, a subsidiary requirement of the Sarbanes-Oxley Act, which forces companies to upgrade internal controls, is for them to demonstrate they identify and measure risk.
The boards and audit committees of companies listed on the New York Stock Exchange must also produce annually a global risk assessment of their organisation.
Furthermore, codes are emerging that require effective risk management systems. “Risk management is developing at a rapid pace right across the world,” says Richard Sharman, a partner in KPMG’s risk advisory services group. He says corporate governance reform is taking place across Asia, with a new guide on effective internal controls and risk management for companies listed on the Hong Kong Stock Exchange, and the “Clause 49” corporate governance reforms in India. Australia has reissued its Stock Exchange requirements on risk management, while interest is growing in this area in Japan.
As the risks that business face vary around the world so does the approach to risk management.
Mr Sharman says the UK, Australia, New Zealand and South Africa are the most developed regions in terms of risk management. But Asian companies are catching up. US companies have tended to concentrate on managing financial risks – with added impetus from Sarbanes-Oxley – and the sort of risks that can be insured. But US companies are “starting to grapple with the concept of business risk”.
Hans-Kristian Bryn, director of Mercer Oliver Wyman’s enterprise risk consulting practice, says in more sophisticated markets where risk management practices are already well established, the challenge is to move from “box ticking” to having “risk management incorporated into an organisation’s DNA”.
This makes it easier to evaluate strategic options, make better decisions and deliver shareholder value.
Jonathan Herbst, a partner in Norton Rose’s financial services group, points out that under Basel II, an international framework that seeks to relate banks’ regulatory capital more closely to the risks they take, companies that manage operational risks effectively will be required to set aside less capital.
“You have a direct commercial incentive to manage your risk properly,” he says.
At the same time, the insurance market itself – important for transferring the risks that companies face – has gone through profound change after Eliot Spitzer, New York state attorney general, began an investigation into practices in the US insurance industry last year.
He accused Marsh, the world’s biggest insurance broker of rigging bids and favouring insurers at the expense of clients in return for higher commissions.
He then turned his attention to finite reinsurance, a form of reinsurance spanning financing and insurance that he feared could be used to manipulate companies’ figures. He targeted American International Group, the world’s biggest insurer, and its then chairman and chief executive, Maurice “Hank” Greenberg.
The inquiries have had far-reaching implications. They have forced insurance brokers to reassess fundamentally the way they do business and how they are remunerated. Meanwhile, there is evidence of a sharp downturn in demand for finite reinsurance. Hannover Re, the second biggest operator in the finite sector, has said premiums in this business slumped 51 per cent in the second quarter.
Insurance industry experts also predict that Katrina will force up the price of insurance sharply in areas affected by the storm. There could even be lesser effects on areas not directly impacted by Katrina or Rita. The reinsurance market is expected to be particularly hard hit by Katrina, which could put pressure on insurers, forcing up premiums for corporate buyers of insurance. If this is the case, then companies will have a direct economic interest in managing the risks they face. Companies with good risk management systems should reduce the likelihood of costly claims, enabling them to negotiate better deals with insurers.
The prospect of higher premiums should also ensure risk management remains a key subject for debate in most boardrooms.
According to the Lloyd’s/EIU study, the time company boards spend on risk management has risen four-fold in the past three years. This is with good reason – the study found one in five companies suffered significant damage from a failure to manage risk adequately last year, and more than half had at least one “near miss”.