Cyber raises fundamental questions about role of risk management–Italy

The Italian risk managers agreed with their peers across the continent that the depth and breadth of the topic make rigorous risk analysis and the search for solutions difficult. But this certainly does not justify a head-in-the-sand approach from the risk manager.

The debate on this topic also moved rapidly on to the role of the risk manager within the organisation, as such an enterprise-wide risk raises fundamental questions about where risk fits in any organisation and how best it should be organised.

Paolo Rubini, President of ANRA and Risk Manager for Telecom Italia, said that cyber risk is really ‘anything’ because all businesses are basically run on the internet nowadays and all risks on the internet represent the brand.

“This is apparently a new branch of risk management, but I am not sure because maybe shareholders are able to manage this one because it is really managed through culture. It is the same question of how your new technical environment is managed through your tradition and culture,” explained Mr Rubini.

“You as a risk manager should make a big effort to understand how technology works but it is not your task. You are not the owner of the technology and the process and therefore you have to rely on and monitor the experience of others such as the CIO or IT people,” continued Mr Rubini.

“Often IT people do not know the business as you do therefore you bring a knowledge of the business and this is why IT people may be very dangerous if they are not well connected to the risk manager, because they do not have the broad view of the business risks and liability implications,” he added.

Mr Luzzi agreed, but said that, for this reason, IT managers do have to be integrated.

Mr Rubini said that because of this, cyber risk is certainly raising questions about the integration of functions on the insurance side.

“Indeed the whole branch of non-material damage is becoming more and more important. Non-material BI has to be tackled and more work needs to be done to understand the underlying risk better,” he said.

Mr Rubini said that, again, as with cyber risk, insurers and risk managers have to rely on the knowledge and skills of others. They have to properly understand how the supply chain network works, he said.

But he also said that risk managers and insurers should not forget that this is also a risk opportunity to trade off.

“The risk is there and can never be got rid of but it can be managed and transferred more effectively. We are not talking about the old categories of insurance here. To think like that is dangerous because it may lead to less investment in traditional loss prevention because this is regarded as something that you don’t have to worry about anymore. But this is a problem because, as a risk manager, you have built your profession on this and you could become more isolated and weaker as a result,” he said.

Roberto Bosco of Mediaset said that this is one of the reasons why companies need risk management by committee, adding that it would be a ‘great achievement’ if it could be done.

“We need this because we are not specialists in IT or, in my case, TV. Therefore you have to look to other managers such as IT and security. We have to have a risk management committee with the traditional insurance manager involved too,” said Mr Bosco.

Mr Luzzi agreed with his colleague at ANRA. “The IT manager could not be aware about the liability risk. The commercial manager will have an understanding of the overall market situation but not necessarily about insurance details, some of which are very important. Industrial engineering managers do tend to need to understand the commercial strategic approach. At the end of the day nobody is an expert in all areas. Nobody could play all instruments in one band and play well in all positions in a soccer team. Most probably we have leaders but always it needs teamwork,” he said.

Mr Rubini said that one has to ask the question of whether the risk management function and process is still relevant and important in a heterogeneous way.

“If the answer is yes then the risk manager becomes a process manager and you have to give guidelines about how to assess and manage risk so that it can be reported in a clear and uniform way to stakeholders. If this is the true future of the risk manager then they are more the process owner of ERM,” he said.

Mr Rubini added that he has not seen boards hurry to have a single risk management process and person in place on the board. For this reason the risk manager may become more of a controller than a risk manager and a mix between the second and third line of defence.

“Risk management is currently the second line of defence but risk management could arguably become the third line of defence,” he suggested.

Claudio Ades of Willis said that the broker has recently been appointed by many entities that look at risk management from a financial angle and address risk from a credit and investment angle. “Clients are more and more demanding, asking for structured solutions to their needs,” he said.

Mr De Felice said that this was a good point because it is also an important area in which ANRA is attempting to move forward.

“We are trying to move the level of discussion towards one of risk as a tool for gaining access to lenders, creditors and bank ratings. Companies that are able to demonstrate an integrated approach for the assessment of risk in the era of the credit crunch especially for SMEs should find it easier to get their money from the banks,” he explained.

“I do believe there should be a direct reward for demonstrating an integrated approach for managing risk, better business continuity and basically giving better security to lenders. This is therefore the main topic for ANRA in 2012 and I do believe that we can really expand the interest in our profession if we can make this work,” continued Mr De Felice.

Mr Ades pointed out that, for some very large companies, the integrated approach is reflected in the appointment of a CRO.

Mr De Felice said that he was thinking more of the mass of SMEs in Italy that have to find money and credit to sustain their businesses. “I would like to take the opportunity to include this in the discussion about Basel III because the banks are not looking at how the process of risk management is put into place among their customers and this could really be the big bang for our profession. Once risk management is directly linked to funding then it will be a big step forward. South Africa for example has really taken a big step forward in this regard because it is included within its new corporate code,” he said, referring to King III, the groundbreaking South African corporate governance code that leading IRMSA risk manager Gert Cruywagen has been so involved in.

Paolo Rubini, President of ANRA, agreed with Mr De Felice on this potentially important project. “It must come from the banks. Italian banks are too small and have not evolved a rating criteria. We are trying to push the Italian banking association to try and define a rating criteria similar to the Dow Jones sustainability index with the main component being risk,” he added.

Marco Terzago of SKF Industrie said that this credit component should have the same weight as environmental and sustainability management as evidence of proof of what Mr De Felice suggested. “I discussed this with a banker and in Italy the only visibility a risk manager has with a bank is when they are also doing credit management,” he said.

It was therefore logical to ask whether credit insurance was again becoming part of the risk manager’s role and whether this helps the risk manager’s cause.

Mr Luzzi said that in his opinion credit management and insurance is coming back into the world of the corporate risk manager. “For a long period people said that if you had a good credit manager it is not necessary to have credit insurance. But now credit insurance is being brought back to the table. There is a change in mentality and credit managers are among our best allies,” he said.

But Mr De Felice said that companies are still ‘far from’ being offered an international service by the insurers and they are not integrated with the programmes.

“I am currently renegotiating a multinational credit programme and working closely with the finance department. I am really discovering that credit insurance is driven by the credit limit and ratio. You can negotiate on conditions and rates but when you try to negotiate on limits it is impossible,” he said.

Mr De Felice said that he was then in negotiations to try and find out what exactly the insurers proposed to cover. He said that they carried out a check on 100 of its 80,000 customers and then recorded a percentage for the whole cover so that only a percentage was covered. The insurer also included an ability to cancel the cover a day after it was taken out.

“It is a bit like a fire insurer saying you are actually only 10% covered and we can cancel, which would be untenable. In my view this industry needs to completely rethink its model. Even if they are providing large capital at a cost compared to the book the cost is zero therefore it is a value,” said Mr De Felice.
