European Risk Frontiers Belgium
Nicholas Pratt spoke to Belgian risk experts about some of the leading issues affecting the risk and insurance management profession, as part of our European Risk Frontiers survey sponsored by HDI Global and the Worldwide Broker Network.
The big risks When asked to identify the top three risks dominating their agenda during 2017, Belgian risk managers gave a diverse set of responses, from major geopolitical threats to industry-specific exposures.
Nathalie Vandenbroucke, risk and insurance manager at construction firm Bam Belgium, identified professional indemnity and safety as two of the big three risks. Given that Bam Belgium has more than 1,700 people on its payroll, it is of little surprise that these concerns should be highest on the agenda.
The response also illustrates the mix of insurance and risk management that many readers of Commercial Risk Europe employ to manage their exposures. Construction firms are increasingly employing building information management (BIM) to improve performance and reduce the risk of errors or unexpected risks on the construction site.
A well-prepared BIM can also help reduce health and safety exposures. For example, BIM can be used not just to model new-builds but can also map existing buildings due to be renovated and highlight hazardous areas.
Another key issue highlighted by several members of Belgian risk management association Belrim was project risk. This is an area where some have bemoaned the lack of dedicated insurance and where others believe that the risks should be managed internally, or by some means other than insurance.
For example, Marc Doorenbos, a partner at project management consultancy Pro Temporis, is one of several former Belrim members to have returned to the association in the past 12 months, because he is encouraged by its refocus on non-insurance-based risk management. For Mr Doorenbos, project risk is one of those exposures that is best managed through contractual means and physical management, as opposed to insurance.
Another critical threat cited by Belgian risk managers is human risk and the effects of a potential skills shortage. The paucity of these skills has been caused, in part, by huge advances in technology and is especially pronounced in the service industry, said Mr Doorenbos. “There is an obsolescence of competence. The technology revolution is so dramatic that companies have to constantly keep themselves and their staff updated and trained in order to keep up,” he said.
Insurance management
Some belgian risk and insurance managers expect renewals to be tougher than last year but only because rates have been so low, for so long, that they have become unsustainable in certain professional lines and insurers have stopped providing coverage.
“Some big players stopped covering technical construction risk in Belgium,” said Nathalie Vandenbroucke, risk and insurance manager at construction firm Bam Belgium. “Instead of asking for a higher premium, they chose to pull out of the market.”
In general, most risk managers are prepared to pay higher premiums for reliable coverage and would certainly prefer an increase in premium as opposed to a decrease in choice.
However, it is the abundance of choice and capacity that is keeping premiums down and there is no compelling sign to suggest this will change any time soon. As Diane Mintjens, risk manager at Belgian financial institution Dexia, said: “Insurers have been saying that the market is hardening but I’ve seen no evidence for it.”
Belgian risk managers were also asked whether the use of captives was becoming more popular with risk managers and their companies – after all, why bother with insurance when you can simply retain the risk in a captive and save all that hassle and expense?
Ultimately, it comes down to two factors – the extent of your risk appetite and the adequacy of the response from insurers, said Sabine Desantoine, insurable risks manager at ING Belgium and new Belrim president. “I would say that the question of whether to retain rather than transfer risk is one that is being asked more and more.”
However, while risk managers may be asking the question, many are finding that establishing a captive involves more hassle and expense than it used to. “Setting up and running a captive is becoming a more capital-intensive exercise thanks to regulation like Solvency II and Basel III,” said Ms Desantoine. “And following the financial crisis, companies are more cost conscious. So you have to assess the internal (balance sheet, size of the risk) and external (regulation) costs of setting up a captive.”
Companies must also to look at their own capabilities and scale, said Michelle De Vlieger, an independent director and management consultant. “The company has to be big enough to manage a captive and for the larger risks there has to be a reinsurer behind it all. But it is not just about size. There also have to be some fiscal and process benefits from having a captive. It can be a great way to divide risks, but I think with all the regulation there could be a backlash and more risk managers could turn back to insurers.”
The impact of Solvency II, Basel II and the Organisation for Economic Co-operation and Development’s (OECD) Base Erosion And Profit Shifting (BEPS) measures could all affect the use of captives. Under the presidency of Belrim member Jo Willaert, Ferma has led a passionate defence of captives and their status as legitimate risk management vehicles. In September 2016, it submitted a position paper to the OECD that aimed to dispel “substantial misperceptions” about the use of captives. In June, Ferma published guidelines for BEPS on captive insurance arrangements covering three areas: substance and governance; commercial rationale; and the transfer pricing/premium setting process.
“A captive is first and foremost a risk management tool as opposed to a way to save money,” said Ms Desantoine. “Maybe that principle was lost a little bit in recent years as captives became more popular and as companies became more cost conscious. Even the best concepts can be open to abuse. But I think the risk management community has to do more to explain to regulators why we use captives and the benefit they provide,” she added.
As for some of the perennial bugbears of corporate risk managers – the need for annual renewals and the tardy delivery of policy documents – Belgium has done more than most to address these issues, said Belrim’s members.
Firstly, Belgium has delivered regulations to protect consumers from the vagaries of annual renewals. Secondly, there are local companies able to insist that the policy document is delivered on the day of inception. “It is one of the key performance indicators,” said Ms Mintjens.
Of course, it makes it easier to insist on these things when you are one of Belgium’s biggest financial institutions with more than €212bn of assets, as is the case with Dexia. However, the point remains that until risk managers make the prompt delivery of policy documents a condition to winning their business, the situation is unlikely to change.
Belgium’s risk managers were also in broad agreement when it comes to whether the risk manager, broker or the insurer should be responsible for ensuring compliance of global programmes.
Ultimately, it is the responsibility of the client – the risk manager – said the Belrim members. For smaller companies it is possible to ask the broker for advice. In fact, even the largest companies will attest that it is difficult to navigate the regulatory issues of a global programme without the help of a good broker, even if risk managers recognise that ultimately the responsibility for compliance rests with them.
Cyber risk and transfer
From the suitability of new policies and their wording to the changing exposures – cyber continues to be at the forefront of risk managers’ concerns.
The WannaCry virus revealed that it is not just the small companies at risk from cyberattacks. A number of large public sector organisations fell victim to the ransomware virus. Given the reduced budgets affecting so many public sector bodies across Europe and the likelihood that many will be using old or outdated software and systems, this exposure is likely to increase.
“Every company has a problem with vulnerability,” said Michelle De Vlieger, an independent director and management consultant. The problem for insurers is knowing just how vulnerable a company is before providing them with insurance. There are a growing number of cyber ratings designed to provide this information. But, said Ms De Vlieger, just as there are property engineers to verify property claims, there should be cybersecurity engineers to perform the same role for any cyber-related claim. Novel
Risk managers also recognise that cyber is a new area of insurance and that insurers need information from companies to be able to properly price coverage. However, the problem is getting the information to insurers. Either the information is not easily available within some companies or the information requests from insurers are not clear enough.
There has also been a shift in cyberattacks, said Sabine Desantoine, insurable risks manager at ING Belgium and new Belrim president. “The target may stay the same but the method of attack is changing, with more of a focus on social engineering and exploiting the weakness of the individual. The employees are still the weakest link in terms of IT security and that is why training is so important,” she said.
Fortunately, companies are spending more and more on cybersecurity, training, policies and guidelines. It is less clear how much is being spent on cyber insurance though.
Both insurers and risk managers agree that there is adequate capacity in the cyber market, driven by the fact that insurers are keen to capitalise on corporates’ appetite for coverage and develop a new source of premium revenue. The challenge is crafting cyber insurance products that have clear and understandable wordings.
Risk managers are also concerned about the ability to undergo impact assessments and feel that they are missing a key element in managing cyber risk without this information. “I don’t think many companies have any idea of the impact,” said Jacques Van Keirsbilck, Belrim member and risk and insurance coach. “We need a new approach – a well-defined questionnaire. You have to start by asking specific questions to make your client aware – questions to which they can very specifically relate.”
Risk management associations have tried to play their part in this effort, said Belrim board member Marie Dequae. “Ifrima has produced a questionnaire for cyber risk management. There is also the latest report from Ferma on corporate governance and cybersecurity, which was written with the Internal Audit Association. It favours an approach that involves all stakeholders – risk management, compliance, IT etc – and reports to the risk committee.”
Awareness is helped by media reports on cyberincidents and data breaches. The WannaCry virus was the last big, high-profile cyberattack to gain worldwide notoriety. But the companies affected were largely unsophisticated SMEs or cash-strapped public service organisations working on outdated operating systems, rather than large corporates. Therefore, the attack is unlikely to change behaviour at the biggest companies.
There is also a concern that the publicity around cyberattacks is too fleeting and not thorough enough to have a lasting effect on corporates’ behaviour. “There is a brief bit of media attention but then the news moves on and the memories fade and it gets forgotten,” said Mr Keirsbilck.
Despite risk managers’ acceptance that there is generally adequate cyber capacity, there is still a problem when it comes to critical infrastructure and widespread business interruption, should a national utility be put of action.
Governments have invested in developing more cyber resilience around critical infrastructure. For example, the Belgian Department of Defence has established a cyber defence department and is hiring 150 cybersecurity staff to run the department.
The concern around national infrastructure also raises the prospect of government-backed cyber pools. Belgium has tried to create insurance pools before, but these have not been successful, said Mr Van Keirsbilck.
He said that most corporate risk managers believe that government-sponsored insurance pools are primarily concerned with the protection of citizens and consumers rather than companies, and therefore of limited use in terms of commercial risk management.