FERMA Highlights Key Risk Management Roles in AI and Sustainability Regulations

An orange map of Europe made of cyber nodes with an AI design

October 17, 2024


The Federation of European Risk Management Associations (FERMA) said it has issued two key policy notes addressing the European Union's Artificial Intelligence Act (AI Act) and the Corporate Sustainability Reporting Directive (CSRD), each outlining critical roles for risk managers in navigating these complex regulatory landscapes.

FERMA's Policy on the AI Act 

FERMA stated that it released a policy note on the AI Act detailing the risk management requirements for high-risk AI systems. Set to take effect in February 2025 across the 27 EU member states, the AI Act classifies AI systems from minimal to unacceptable risk, with the highest-risk systems required to register in an EU database and comply with strict governance and transparency obligations. FERMA emphasized the potential insurance implications and urged risk managers to assess potential "silent AI" risks—unquantified exposures to AI within existing insurance policies. 

"The AI Act is one of the most significant regulations introduced by the European Union in recent years," said Philippe Cotelle, board member at FERMA and chair of the digital committee. He noted that risk managers must focus on how AI impacts liability and innovation. 

FERMA's recommendations for addressing AI risks include the following.

  • Developing a robust AI strategy with appropriate governance frameworks
  • Investing in technology and employee training
  • Ensuring systems are designed to meet audit requirements, with formal certification recommended

According to FERMA, risk managers should align their AI policies with internationally recognized ethical standards and create benchmarks to measure AI system performance. The note also stresses the importance of addressing the risks of misuse, unethical outcomes, and data breaches, ensuring AI systems comply with the organization's policy. 

FERMA's research has shown that risk managers are increasingly prioritizing AI-related risks, with responsibilities including monitoring regulations and developing internal governance policies. Typhaine Beaupérin, CEO of FERMA, said that "clear guidance on the legislative environment is critical for practitioners." 

From an insurance perspective, FERMA highlights the need for risk managers to assess potential "silent AI" risks and consider whether new insurance products are required. 

Strategic Role of Risk Managers in CSRD Compliance 

In a separate statement, FERMA said it issued an EU policy note focused on the Corporate Sustainability Reporting Directive (CSRD), an EU regulation designed to enhance and standardize sustainability reporting for companies across Europe. As part of the European Green Deal, the CSRD replaces the Non-Financial Reporting Directive (NFRD) and requires companies to disclose a wide range of environmental, social, and governance (ESG) factors. Developed in collaboration with Protiviti, the note explores how risk managers can support sustainability reporting, particularly in conducting double materiality assessments. This involves evaluating both the financial impact of sustainability issues on the company and the company's impact on the environment and society. Effective January 2023, the CSRD impacts approximately 50,000 companies, with large corporations required to comply with the European Sustainability Reporting Standards (ESRS) by January 2025.  

"The role of risk management will be central to how companies meet their sustainability reporting requirements under CSRD," said Valentina Paduano, chair of FERMA's sustainability committee. Risk managers will need to take the lead in identifying and mitigating sustainability-related impacts, risks, and opportunities. 

FERMA outlined five key areas for risk managers' involvement.

  1. Stakeholder identification and evaluating impacts, risks, and opportunities (IROs)
  2. Materiality assessments and thresholds
  3. Linking risk quantification to sustainability reporting via enterprise risk management (ERM) processes
  4. Ensuring compliance with value-chain due diligence requirements from the Corporate Sustainability Due Diligence Directive (CS3D)
  5. Integrating remediation plans into the overall ERM process

FERMA also suggested that policymakers simplify risk management guidance for double materiality assessments and make explicit references to the role of risk managers in sustainability reporting. 

According to FERMA, companies with existing ERM systems must expand their risk analysis to meet CSRD standards, while companies without such systems will need to implement structured risk management programs. 

Ms. Beaupérin concluded that as regulatory scrutiny on sustainability-related risks increases, it is imperative for risk managers to be strategically positioned within their organizations to address these new challenges. 

FERMA continues to support risk managers with educational resources, including webinars and upcoming discussions at the FERMA Forum in Madrid, which will cover both AI and sustainability-related risks. 
