Menu

Risk Assessment

Who, What, When, Where – Does Your Risk Management Program Dig In?

We recommend using the 4W’s as a method of digging in to better understand the operations of a business. This concept is not new and sounds simple but is often not utilized appropriately.

The 4W’s concept can be used as the building blocks with a focus at all stages of operations when considering risk management. Here’s the problem; while every department head is very knowledgeable about their individual expertise it can be difficult if not overwhelming to think about it from the wide-ranging standpoint of risk.

“Digging In” – By using these four basic questions you can gather a wealth of knowledge about your business; the trick is to do this at the various stages of operation and not just the top-level thus coordination is important.

This valuable approach is overlooked and many times in Premier’s early analysis we find that businesses are generalized by the insurance industry and brokers. There is a lack of special attention to the individual company beyond “what is your business”.

This generalization becomes the cracks in the foundation … by doing these analyses you can better understand what risk you are accepting, how to transfer the risk, and/or mitigate the risk. While accepting risk is easy, when it comes to transferring risk most companies are unsure, and mitigating risk falls through the cracks because companies don’t know how to ask the right questions or utilize the services available.

After Premier “Digs In” we helps you better understand what risk to accept or transfer, ultimately we focus on mitigating risk. Imagine speaking to the insurance industry no longer being generalized but having a wealth of understanding. Not only will you be better prepared internally but since you are appropriately addressing risk this practice will result in lower premiums and lower total cost of risk.  It’s a Win – Win.

 

Cyber Security – The Stark Reality

It’s in the news every day. Just recently there was a report of a breach at the IRS. You’d think that of all of the government entities holding personal information the IRS would be one to have an all but impenetrable and completely locked down system. In addition there is more and more media focusing on cyber-security related to smartphones and how easy it is for a hacker to gain access to phones and all of the information contained therein.

The hard fact is that cybercrime is pervasive. Cyber thieves are crafty and persistent in finding ways and opportunities to breach security to gain access to personal information and beyond.

Cyber Attack Realities

The Risk – If your business uses computers, chances are someone will try to hack them.

The Fallout – Data breaches can result in fines, litigation, business interruption and reputation damages.

The Solution – Having the right protocols and insurance policies in place can mitigate the damage caused by a cyber-attack.

The ramifications of a cyber-breach can be both financially and operationally catastrophic to any business. We live in a cyber-world where we must learn to deal with the associated risks from both a business and a personal perspective.

How can a business best deal with Cyber Security?

Start by performing risk assessments from both an IT as well as an insurance perspective. As technology is constantly changing, this should be done on a continuous basis. Insurance coverage aspects need to be evaluated in-depth as exposures for each business entity, as well as specific coverage offerings, will vary from insurance company to insurance company. Do your due diligence. Here are just a few of the areas to consider when limiting exposures and liability:

Initial Steps in the Risk Management Process

Businesses should first focus on developing a robust internal risk management program, including the establishment of strong policies and procedures; Training and insurance can reduce the chances of a data breach and mitigate the damages if a breach occurs.

In general an organization should review the following areas to begin developing a well-rounded risk management program:

  • Corporate Security policy
  • Asset classification and control
  • Personnel security
  • Computer network and management protocols for vulnerability
  • System access controls
  • Privacy and regulatory compliance

Then, ask yourself “what does our company have in place to mitigate our exposures?”

  • Do we have an effective privacy policy? A policy that your company does not follow is worse than not having a policy at all; therefore, ensure that your policies are distributed among, and followed by, employees.
  • Do we have an effective privacy breach response plan? Review your incident response plan regularly and ensure that the team members are prepared to jump in when an incident occurs.
  • Do we continuously test our disaster response and business continuity plans? Work closely with your business partners to ensure that they are properly handling your confidential data. Vendors are the cause of at least 1/3 of all data security incidents.

Continually Assess Risks and Exposures

Companies should continuously assess risks, exposures and insurance policies. It is imperative to conduct a yearly security risk assessment to identify any vulnerability in your processes and procedures for handling confidential data. Some laws, such as HIPAA, require periodic risk assessments, and as such it is good practice as organizational risks change with changing practices.

An assessment might be as simple as asking the following questions:

  1. What are our risks/exposures? These can be broken down into two parts, first party claims and third party claims:

First Party Claims would include Forensic Examination Expenses; PCI/PFI Audit Costs; Privacy Notification Costs; Privacy Counsel Fees; Mailing Notification Costs; Credit Monitoring & Call Center Services; Business Interruption (loss of income); Intellectual Property Loss; Public Relations; Extortion.

Third Party Claims include Claims by Private Litigants, Consumers, or other businesses; Claims by State Attorney Generals; Claims by FTC; Regulatory Fines & Penalties; PCI Fines & Penalties; Loss of Business; Damage to Reputation

Insurance coverage aspects address the exposures listed above. However, keep in mind that each insurance carrier will have various definitions, terms and conditions that will play a part in each of these coverage areas. Some of these terms include:

  • Invasion of Privacy and Identity Theft
  • Breach of Security, Network Disruption
  • Intellectual Property
  • Errors & Omissions
  • Defamation & Product Disparagement
  • Discrimination & Harassment
  • Extortion
  • Digital Theft & Forgery
  • Business Income
  • Disaster Recovery
  • Crisis Response Costs

Consider:

  • What are the threats? Cyber criminals, organized criminal groups, Bot-network operators, hackers, insiders, phishers, spammers, corporate espionage, even terrorists.
  • Where are we exposed? Corporate intellectual property, employee data, client data, third party data, web sites, social media outlets. What parts of our systems are at risk?
  • What are the gaps in our existing coverage? What’s covered and what’s not – how will our policy respond is there is a cyber-security event? How can the gaps be addressed?

The bottom line here is that cyber-attacks and data breaches have become an everyday threat to both individuals and businesses. The diverse types of cyber risks are ostensibly limitless and it’s all but impossible to predict exactly how and when you or your business may become a bull’s eye for cyber-criminals. Be diligent in your efforts to control what you can and mitigate exposure where possible.

Experience Modification: 5 Steps to Control Your Own Destiny

Many times when a client engages us to become their Outsourced Risk Manager, in the interview stage we often discover that their workman’s compensation costs are high relative to the employee population and work functions. Typically we discover that the experience modification factor is high (which is commonly referred to as a “debit mod”, over 1.0 and beyond) and in many cases the client thinks their experience modification is a consequence they can’t influence. What we find when we investigate the root cause is that their program has been neglected and they don’t have proper procedures in place to mitigate claims. This means that when claims occur they are reported, sometimes improperly, and then left to the insurance company to handle with no follow up whatsoever.

You CAN effect and control your experience modification by following a few strategies.

Here are 5 things you can do to help reduce your workers compensation experience modification:

  1. Report all claims to carrier immediately. Use a phone call to alert carrier to any serious, potentially serious, or suspect claims.
  2. Investigate accidents immediately and thoroughly. Take corrective action to eliminate hazards.
  3. Take an aggressive approach to providing light duty to all injured employees upon their release from treatment. Supervise light duty employees to assure their conformance with restrictions.
  4. In serious cases that involve lost time, communicate with the claims adjuster so that they recognize your interest in returning the injured employee back to gainful employment.
  5. Set safety performance goals for persons with supervisory responsibility. Success in achieving safety goals should be used as one measure during performance appraisals.

Review and analyze the root cause of the elevated experience modification, create a plan to address the issues head on and then work the plan. Be aggressive and be in control.

 

 

 

In Business, There is No Avoiding Risk

What is something exceptionally good about mid-market companies? They are agile and hold onto their entrepreneurial spirit … in fact they are even taking lessons from the big Fortune 500’s and looking to gain a financial advantage over competitors through various strategies.

A key point was recently made in a Traveler’s survey: “Business who manage risk report higher performances!”

What is evident is that the big boys’ (fortune 100 & 500 companies) have in-house risk manager’s that provide a level of knowledge that can’t be matched internally by other department heads. Thus a best business practice for mid-market companies seeking a financial advantage is to consider integrating similar risk management strategies and policies no matter your size of business.

The survey also points out: large firms continue to outpace their midsize counterparts in relying on third-party consultants for risk mitigation and prevention advice though mid-market companies’ risk mitigation strategies are beginning to equal strategies used by their larger counterparts.

The use of an Independent Outsourced Risk Manager is becoming an industry standard and if you don’t have an in-house or outsourced risk manager, you might not be taking full advantage of your opportunities.

The risk management department serves a vital role as it must understand the various silos within an organization whether it is operational, financial, or human resources. A structured approach helps create a risk-aware culture thus mitigating risk across an entire organization.

The biggest difficulty we see on a continual basis is that the typical company does not know how to utilize the resources available from an insurance carrier or broker or customize needed services according to specific operational units within an organization. Independent Outsourced Risk Manager’s can oversee the daily business operations and truly utilize the valuable services of those offered by the insurer and broker.

While there is No Avoiding Risk, you certainly can be better prepared.

Awareness: An Important Step To Protecting Your Business

No matter what your business is it is important to keep yourself, employees and those working (inside and outside) your organization informed of safety issues.

We had a client come to us for help with a very large residential portfolio. Most of the buildings were located in New York and were garden style brick apartments. They had several very large losses that were prohibiting them from finding insurance coverage at a reasonable cost. One of the largest losses was a result of a Christmas tree fire. The fire took three lives as well as disrupting the lives of dozens of residents and causing hundreds of thousands of dollars in property damage. In addition to that, they had two other Christmas tree fire losses that took place in separate buildings — I would say that this was a problem!

Maybe these fires could have been prevented had the landlord informed the residents of the potential dangers related to Christmas tree fires. The landlord could have sent out a notification informing residents of Christmas tree safety and raise awareness with the tenants. Would this have totally prevented that particular fire from happening? Maybe, maybe not – but sometimes simple preventative actions can make an impact on outcomes.

Believe it or not, the larger devastating fire was a result of the tenant using “live” candles on the Christmas tree. The landlord did send out a notice to all residents that the use of real candles on Christmas trees was prohibited.

A major factor in reducing risk is awareness. Risk Management is all about awareness. Developing a risk management program geared toward awareness is essential. Organizations are busy conducting business everyday, it is difficult for them to concentrate on what they might consider to be extraneous issues. But once these issues are addressed business owners are generally thankful that they were brought to their attention. We all have a lot of different things on our minds everyday, however if we make an effort to draw attention to a particular issue – that is more than half the battle…especially ones that we might consider to be common sense.

Do you really know your D&O coverage?

Whether your organization is a publicly held company, private company or nonprofit it is vitally important to have a thorough understanding of the corporate charter and its indemnification of corporate officers and directors and how the directors and officers’ (D&O) insurance policy protect their interests and that of the entity.

Not all policies are the same nor are their meanings. D&O policies differ from carrier to carrier in many respects – while the primary coverage issue is to indemnify corporate directors and officers for defense expenses as well as settlements and judgments made against them – how each carrier does that is the real issue. There are very subtle differences. Let’s take a look at a couple of examples.

What are the coverage concerns?

D&O policies typically contain three coverage parts:

  1. Side A: protects officers and directors when the company does not indemnify them
  2. Side B: reimburses the company when it does indemnify the officers and directors
  3. Side C: covers claims against the company itself

Pay attention to the coverage because company or corporate insiders’ interests don’t always coincide with directors and officers’ interests. That is what happened to five former directors of a defunct company where they were put in the position of having to pay $41.5 million of their own money to settle a lawsuit stemming from a company’s bankruptcy. To avoid this possibility, directors should demand a “Side A” policy of their own. This option has been very popular for several years now. These types of policies are also referred to as independent director liability or IDL policy; it can’t be exhausted by claims against the company or the officers.

Claims denial – one aspect. The insurance carrier may deny coverage for reasons unrelated to the claim against you. Insurers can rescind a D&O policy – return the premium and pretend as though there had never been coverage – if they conclude at a later time that the application contained false or misleading information. Seems reasonable. Insurers today require that financial statements be attached to the application. The problem here is that if your CFO cooked the books unbeknownst to you, this could nullify the policy. To avoid this scenario affecting other board members that have clean hands, it is important to pay attention to the severability clauses contained in the policy. This prevents the insurer from using the acts of one bad actor to disqualify other officers and directors from coverage. However, an even better scenario is to find an insurer to write a policy that is non-rescindable and non-cancelable.

Outside the U.S., directorship may not be covered. D&O policies may provide international coverage but the fine print reveals that it is only “to the extent possible.” This is very vague. Some countries including India, China, Russia and Brazil require that companies maintain local D&O policies. It is therefore important to purchase additional D&O coverage outside the U.S.

Bottom Line: It all begins with the corporate charter and indemnification provision contained therein. Before considering D&O coverage you must have an understanding of how the corporate charter works and who and what should be protected. Then when dealing with D&O policies and coverage make sure that you have a full understanding of the terms and conditions that are incorporated into that particular policy – you may be surprised by who and what is actually covered (or not) and how the policy will respond in the event of a claim (when the rubber meets the road).

Are you OK with being surprised?

Risk Tip: Strategy to identifying business interruption exposures

Use flow charts to identify sole source suppliers or other contingent business interruption exposures

Comment: Assessing business income exposures is not always easy. So consider how helpful it would be to draw a map or create a chart of how goods and services flow. That way you can visualize your supply chain. Ask yourself, what in the chain could cause an interruption? If there were an interruption in that chain how long could it last? What would be the worst case scenario? What if there is no physical loss to the building? How much coverage is enough? Is there a plan to replace the flow if the original gets interrupted? Sometimes simple solutions can mitigate big exposures, but it all starts with asking the right questions and an assessment of your situation.

Bottom Line: Business Interruption Insurance is to a business as Disability Insurance is to us personally. If we get sick and are unable to work there is a good chance that our income will stop and our households will suffer. Same thing with a business, if it suffers a loss (gets sick) there is a good chance that the businesses income will be affected and the business will suffer — to the point were it may not survive. Spend the time to review your organizations exposures.

Decisions, Decisions, Decisions…are you capable of making them?

In a recent Harvard Business Review post by Nick Tasler 3 Myths That Kill Strategic Planning, he shares that the most “precious ability” a great leader has is his or her ability to make decisions based on strategic thinking. He uses a Napoleon quote to make his point:

“Nothing is more difficult, and therefore more precious, than to be able to decide.”

It may seem like common sense but decisions go hand in hand with knowledge and as the old saying goes “knowledge is power”. However, leaders should ask themselves – “Do I feel comfortable enough to solely make decisions?”

The goal of get things done well, deciding where to focus, and ultimately having an actionable decision could also be the chapters seen in a risk management 101 course. The reality is, senior management typically wear multiple hats and suffer from resource constraints when it comes to risk management. So the question again is – “do you feel comfortable with the go-at-it alone approach?” As Nick stated in his blog “strategic thinking is about deciding on which opportunities to focus your time, people, and money.”

Fortune 500 companies utilize the knowledge of an in-house risk manager to assist with strategic thinking and in the past many middle market firms assumed an adviser was unnecessary given the presence of a broker. While a broker offers a certain level of knowledge, an outsourced adviser’s knowledge does not come with the sale of a product and the broker relationship is maintained like it does with Fortune 500 firms. Times have changed and in the absence of a full-time in-house risk manager, many middle markets firms have realized the need of an outsourced adviser. It is becoming an industry standard and the companies are realizing both the short and long-term benefits.

While Nick clarified the 3 myths that kill strategic planning; the shortage of knowledge can also be a killer.

You Never Know Who is Looking Over Your Shoulder

Recently there was an article about a security chief who was alleging wrongdoing against the company he worked for. He accused the company of not doing all it could do to protect client information. The accusation was that they performed only 27% of the minimum intrusion prevention, data leakage and encryption, and other security measures needed to protect its customers’ sensitive information.

The story gets more complicated…he was fired and all kinds of allegations were leveled against him as well, needless to say – what a mess.

A couple of takeaways jump out:

First: As a corporation/company, are you doing all that you can do to protect personal information of clients, customers and employees? This is a very hot topic, we read about cyber breach just about every day in the paper or hear about them in the news. It is incumbent on the management team, board and other people in positions of responsibility to make sure that appropriate measures are being taken to protect the entity against such intrusive breaches. This also speaks to the heart of D&O insurance and fiduciary duty. As a director or officer you have been charged with the overall stewardship of the organization and thus any breach of duty will fall directly on your shoulders. The type of litigation mentioned in this article is very expensive. Enough said.

Second: Understand your employment practices liability. Here the employer is being sued because of a wrongful termination claim apparently due to the employees “whistle blowing”. Again, these types of actions can get very expensive. Sometimes employment practices liability policies share the same limit with the D&O – I’m not say this is good or bad – but potential exposures must be evaluated to make sure appropriate limits are purchased.

Third: This type of lawsuit especially in a public forum can dramatically damage a company’s reputation. Imagine word getting out that the company you are counting on to protect your personal information is not doing all they should be to protect it.

To wrap this up I would ask… Have you done all that you can do as a company to protect your clients, customers and reputation against harm – from without and from within?

Are You Playing Russian Roulette With The Insurance Related Provisions of Your Everyday Business Contracts?

Many times company leadership does not put much thought to the importance of reviewing the insurance related provisions of their business contracts, but if there is a single message I want to make clear in this post, it is that mitigation of risk is essential.

It is difficult to express in dollar value the importance of contract reviews especially given that you truly don’t know what has actually been saved if a problem or risk was mitigated ahead of time … which is the point of risk management. Unfortunately, and too often business leaders don’t see the value either and just let it go. In reality, it is like playing Russian roulette … it is not if, but when.

Here is a perfect example:

Recently a company was doing some capital improvements and adding a building extension. It was a 3 million dollar project where the contractor presented a “standard form” contract agreement for the project. Standard for who? The word “standard” should raise a red flag and can get you every time. You think, they are a large contractor they know what they are doing. That is exactly right, they know what they are doing … protecting themselves.

Needless to say, there was an accident. A subcontractor hit a sprinkler-head which caused water damage not only to the new construction but to the existing building. The section of the contract relating to indemnification and insurance was written poorly for this particular project and the owner was left holding the bag on $100,000 in repair cost.

Are the following words just a bunch of “mumbo jumbo” or do you understand how they work within the various provisions of your business contracts – additional insured, pollution liability, waiver of subrogation, and indemnification? Also important, will these contracts make insurance policies between the business parties respond appropriately?

Your turn to pull the trigger …

Load More