Internal controls - Mastering risk

Businesses today are expected to make profits, but it is no longer acceptable that this is the only thing they do. Companies are expected to be environmentally friendly and contribute positively to the social framework, and annual reports issued by today's leading organisations contain substantial information on how they are responding to these issues. Failure here can lead to criticism from pressure groups, many of which are skilled in arousing media interest and consequently bring a risk of damage to the reputation of a business.

Changing regulatory risk and the rise of corporate governance has intensified the need for robust internal risk controls and management standards. Insurers and brokers have a key role to play in helping their customers identify and manage these changes, differentiating their service to accommodate their support needs.

The Companies Act (2006) makes explicit that the directors of any business, apart from companies with small turnover, when making decisions about the business, must take into account the impact of those decisions on employees, the environment and other persons that may be affected by them.

In the UK, high-profile corporate failures have resulted in the development of corporate governance. Effective corporate governance is the adoption of a system of internal control and keeping its effectiveness under review. It makes sound business sense to manage risk effectively; to embed internal controls in the business. Risk management and internal control are linked firmly with the ability of the company to fulfil its business objectives.

Corporate governance is a process through which corporate bodies self-govern and are controlled, managed, directed and developed, with the board, on behalf of shareholders and stakeholders, undertaking the governance process. Though its principles apply equally to most organisations, the expression itself is actually limited to companies listed on the London Stock Exchange.

Investors

Companies today are subject to huge scrutiny from institutional investors, while bodies such as the Association of British Insurers and National Association of Pension Funds provide guidelines and recommendations for corporate governance requirements. Failure to comply with these guidelines may result in the loss of confidence and support of institutional shareholders.

The Investor Environmental Health Network is a partnership of institutional investors concerned about the market and the health risks associated with corporate risks from toxic substances. It is an information resource for investors working to reduce portfolio risks related to toxins, and it is concerned that investments may be prejudiced if companies that are invested in become a target as a result of the health and environmental concerns emanating from the toxicity of their products.

Increased legislative and non-legislative requirements on companies heighten the legal risks they face. Compliance with legislative requirements has become an issue for companies, as regulators have considerable powers available to them. The issue of environmental discharge permits is a good example, as financial regulators can insist on a company changing its advertising and can also intervene to prevent certain types of product being marketed. As such, compliance with regulation has become a major source of potential business risk.

The government has consulted on major changes to the civil claims process for injury claims. If enacted, these proposals will put increased pressure on businesses in terms of response times to claims made against them. Any business that is unable to assemble satisfactory evidence to mount a defence may find itself prejudiced under these proposals.

The impact of these changes has produced a hostile legal environment for UK businesses and the industry needs to be alert to change in order to help customers manage the risks that arise.

Risk differentiation

Traditionally, insurers have assessed risk largely on a trade and claims experience basis, but Zurich has initiated a different approach. Although trade and claims experience remain relevant, Zurich is as interested to understand how company management approaches the subject. Our approach is based on the concept of corporate governance and requires a business to undertake an analysis of its activities and the areas of concern that may arise from them in the risk assessment process, then adopting appropriate risk containment policies. Our view is that the critical issue insurers have to examine is the management's approach to risk - a well-managed company will be able to exhibit sound governance and management of it.

Effective corporate governance requires businesses to employ assessment techniques in identifying all the risks they face. Dangers associated with injury and damage to employees and third parties are common to all, but a well-managed organisation considers these factors in the same way it considers other business issues like quality.

In simple terms, if the board of directors can exhibit an appreciation of risk issues and can evidence the existence of suitable controls, then the entire business should perform well in relation to risks. If the board is less sensitive then it is unlikely that lower levels of management and staff can create the right culture of neccessary awareness.

To answer the question of how well managed those risks are requires an evaluation of the assessment processes carried out by the business, though this process is not to be confused with the legal requirement of a risk assessment for individual hazards within the business. The assessment that Zurich is looking for from the board is to establish its risk appetite and philosophy for managing it. In Zurich's experience, the most successful way of managing risks in any organisation is to operate in accordance with a recognised management system, for example the ISO 9 000 series (quality management), ISO 14 001 (environmental management) and BS EN 18 001 (health and safety).

A management system is a framework for managing and improving an organisation's policies, procedures and processes. It is a formal method for revealing potential failures and flagging up issues before they become problems. Applied to the risks that are of concern, it means that an organisation adopting such an approach is more likely to be in control of the risks it faces than an organisation that adopts a more haphazard, reactive approach.

An organisation that is well controlled in its approach to these issues represents a better risk for Zurich to be associated with. Moreover, most management systems embody the requirement for continual improvement and this will usually involve the adoption of best practice. The implementation of best practice in terms of risk controls will reduce the number of incidents occurring, while for those that do occur it will provide an effective mitigation against civil liability claims arising in the workplace.

Some businesses enhance their management systems credibility by using an external certification body to audit it. The use of external certification bodies should be viewed a positive feature by an insurer and will generally affect positively how we look at an organisation's risk and terms.

There are real savings to be made by improving the risk profile of the business.

Broker differentiation

A 2005 survey by the Engineering Employees Federation, a key trade association representing manufacturers in the UK and automatic point of consultation to the government on everything to do with manufacturing industry, revealed some critical remarks about brokers. Among the companies surveyed, many had obtained better terms by changing their broker. In the same vain, an article written in an H&S magazine aimed at risk managers and insurance buyers encouraged businesses to establish a relationship with their insurer, further advising businesses that if their existing broker resisted such an approach then they should change their broker.

By looking at those businesses that saw a decrease in premium we can identify the features that are associated with gaining a premium reduction. Most significant among these was renegotiating with, or changing, the broker. Use the broker as you would any other supplier - if renegotiation fails then take your business elsewhere.

The EEF's 2005 survey of insurance costs offers this advice: "Brokers need to ensure that their knowledge of the businesses they are dealing with in relation to risk matters is complete. If not, they risk other brokers approaching their customers and suggesting that there are flaws in the way the risk has been presented to the market. While this constitutes a threat to holding brokers it is also an opportunity when they are trying to attract other clients, for if they are able to show that the existing broker has not presented the insurer with risk management information that may be persuasive then they can exhibit their better risk knowledge and ability to influence the market."

Risk management is a forward-looking process that seeks to identify hazards, analyse them and implement any improvements required. It is often viewed negatively, yet more advanced businesses understand the value to the business of the effective adoption of risk management techniques. In addition, Zurich has a claims defensibility initiative that will appeal to any business seeking to enhance its risk controls. The process involves an in-depth analysis of claims that have been made against the business, identifying why the claim succeeded and highlighting areas where an organisation could amend its current practices to reduce the risk of similar claims in future. This claims defensibility initiative is a valuable additional input into any customer's risk control strategy.

The operating environment for businesses is constantly changing. The challenge of balancing profit with a corporately responsible, risk-proactive culture is likely to intensify in the future. Insurers and brokers both form an essential part of a policyholder's risk armoury, providing insight into risk issues and seeking to develop a partnership with the policyholder and the broker so that the former can achieve the effective business performance that is essential to its future survival.

- Jim Wilkes, Senior casualty underwriter, Zurich UK General Insurance

QUANTIFYING RISK

The following information will help you gain a fuller understanding of risks.

- Details of any management systems that the business operates.

- Any use of independent certification bodies to check the systems.

- Any other risk management initiatives such as training for staff or the use of qualified risk advisers.

- Copies of recent health and safety committee meeting minutes that can evidence employee involvement.

- Details of the adoption of new machinery and processes, as any new machinery may be quieter than that already there, while toxic chemical usage may have reduced as a result of environmental concerns.

- Completion of a health and safety performance index online questionnaire (insert link).

Source: Zurich.

This article is from a Zurich supplement entitled ‘Corporate Risk’ which was distributed with the November edition of Professional Broking.