Risk managers can develop better risk management programs if they collaborate effectively with other departments, but first, they must win their colleagues’ trust, two risk management professionals said.
By adjusting how they communicate, risk managers can learn more about the concerns of other departments, explain possible solutions to problems and be viewed more as a business partner than a person who deters risk-taking, they said.
While many companies are either underinsured, overinsured or carry the wrong type of insurance, risk managers often feel that they are known as the “department of ‘no’” and that other department heads don’t tell them enough about the risks they face and, therefore, they are hampered in their job, said Liz Walker, director of enterprise risk and global insurance for Groupon Inc.
To solve that problem, she said, risk managers should take more ownership of the situation and ask: “How can I reduce or manage risk if I’m not communicating effectively?”
She was speaking during a session Monday at the Chicagoland Risk Forum, sponsored by the Chicago and Mid-Illinois chapters of the Risk & Insurance Management Society Inc.
“It’s about us. It’s about how we conduct our relationships internally and externally,” Ms. Walker said. Risk managers should generate trust and a sense of partnership with others at their organizations before they approach them about renewals, claims review and other risk management issues, she said.
To encourage trust, risk managers should adopt communications strategies that reflect their goals, such as using risk management to identify opportunities for business units, Ms. Walker said.
Or they can make clear how they can help colleagues through their insurance expertise, said Mary Friedl, insurance and claims manager at Redbox Automated Retail LLC in Oakbrook Terrace, Illinois, who introduces herself to colleagues as “the insurance nerd.”
“They know me now, and they know that if they need the insurance section of a contract reviewed to make sure it’s appropriate, they come to me,” she said.
Once risk managers have articulated how they can help people, they should ensure they are aligned with their organization’s values and strategy, develop and use a common language around those goals and values, and frame conversations with colleagues with those goals in mind, Ms. Walker said.
For example, rather than simply ask for total insured values at renewal times, risk managers should meet with facilities managers to let them know that they are looking to cover all property and equipment and ask about recent purchases and plans for the next year so they know the risk manager is seeking to align the coverage with their plans, she said.
Getting access to operating plans for different lines of business is also valuable for risk managers, she said. “It tells you not just what risks are coming up, but also what keeps your business partners up at night, which is a goldmine for potential opportunity to help them solve their problems,” she said.
Risk managers should also adjust the terms they use to reflect their audience, said Ms. Friedl. “Keep in mind who your audience is and what you want to get across to your audience.”
Risk managers can also use outside service providers, such as brokers, to help communicate with other managers within their organization, Ms. Walker said. For example, brokers offer training services where they come into an organization and talk about specific coverages and other issues that are relevant to various departments, she said.
Active shooter coverage available in the market can cover a wide variety of potential liabilities for employers whose workers, customers and others are impacted by such an incident, experts say.
Laura Zaroski, Chicago-based area senior vice president, law firms practice, for Arthur J. Gallagher & Co., said active shooter coverage, which primarily comes out of London, with a handful of domestic insurers, can include counseling, medical disability expenses for victims, funeral expenses, death benefits, and “loss of attraction” coverage, when a mass shooting results in a loss of revenue because people are no longer coming to the location of the incident.
She spoke during a session at the Professional Liability Underwriting Society’s conference in San Diego on Thursday as attendees were still absorbing the news of the shooting in a Thousand Oaks, California, bar Wednesday in which 12 victims and the gunman died.
Ms. Zaroski said other coverages include the cost of upgrading a building and its security, damages to a building, relocation costs and sometimes the cost of a teardown following an incident
Thomas Lookstein, New York-based head of financial and professional line claims for Starr Adjustment Services, a division of the Starr Cos., said one question that should be addressed is whether these policies have terrorism exclusions.
Marchelle M. Houston, senior vice president, bond and specialty insurance, for The Travelers Cos. Inc., said another potential claim is kidnap and ransom, where people are unable to leave a facility during an incident. You have to look at the host of allegations and policy terms and conditions to determine other insurance issues as well as exclusions, she said.
“We shouldn’t just be waiting for an event to do it for the first time,” said Ms. Zaroski also. “Let’s learn what to do and handle the situation before it arises.”
With the number of shooting incidents increasing, “more and more lawsuits are being brought against employers” in their wake, said Claudia A. Costa, a partner with Gordon Rees Scully Mansukhani LLP in New York, who moderated the session.
The U.S. Occupational Health and Safety Administration’s general duty clause states employers must have a place free of recognized hazards, and active shooting incidents are considered such a hazard, said Ms. Costa, adding her firm has been involved in defending some of these cases. Claims filed against employers in active shooter situations include negligence and failure to train workers, she said.
Other charges, she said, include negligent hiring and retention, which was an issue in the 2003 naval yard shooting in Washington that left 12 dead.
In that case, complaints from fellow employees that the shooter heard voices in his head were not addressed, and there had been a prior incident in which the shooter had shot through his ceiling to the apartment of a neighbor, she said. Bullying was cited as a factor in the 2015 San Bernardino shooting, in which 14 people were killed, said Ms. Costa.
More lawsuits are being filed against employers in connection with active shooter incidents, said a speaker at the Professional Liability Underwriting Society’s conference in San Diego on Thursday.
Claudia A. Costa, a partner with Gordon Rees Scully Mansukhani LLP in New York, spoke during a session on significant employment liability issues at the conference as attendees were still absorbing the news of the shooting in a Thousand Oaks, California, bar Wednesday in which 12 people plus the gunman died.
She observed that all the recent incidents have the common factor of having occurred in a workplace, whether it was a bar, a place of worship or a school.
With the number of these incidents increasing dramatically, “more and more lawsuits are being brought against employers” in their wake, said Ms. Costa during the session.
The U.S. Occupational Health and Safety Administration’s general duty clause states employers must have a place free of recognized hazards, and active shooting incidents are considered such a hazard, said Ms. Costa, adding her firm has been involved in defending some of these cases. Claims filed against employers in these situations include negligence and failure to train workers, she said.
Other charges, she said, include negligent hiring and retention, which was an issue in the 2003 naval yard shooting in Washington, D.C., that left 12 dead.
In that case, complaints from fellow employees that the shooter heard voices in his head were not addressed, and there had been a prior incident in which the shooter had shot through his ceiling to the apartment of a neighbor, she said. Bullying was cited as a factor in the 2015 San Bernardino, California, shooting, in which 14 people were killed, said Ms. Costa.
These shootings and the ensuing litigation have “made all employers take notice of these risks,” which can involve employees, customers, clients, strangers and those related to these people, said Laura Zaroski, Chicago-based area senior vice president of the law firms practice for Arthur J. Gallagher & Co.
Coverage, which varies, is primarily coming out of Lloyd’s of London right now, she said, with a handful of domestic insurers. Coverage can include counseling, medical disability expenses for victims, funeral expenses, death benefits and “loss of attraction” coverage when a mass shooting results in a loss of revenue because people are no longer coming to the location of the incident.
Other coverages include the cost of upgrading a building and its security, damages to the building, relocation costs and sometimes the cost of a teardown following an incident, she said.
Employees should be trained to recognize potential situations. “We shouldn’t just be waiting for an event to do it for the first time,” said Ms. Zaroski. “Let’s learn what to do and handle the satiation before it arises.”
Thomas Lookstein, New York-based head of financial and professional line claims for Starr Adjustment Services, a division of Starr Cos., said one question that should be addressed is whether these policies have terrorism exclusions.
Marchelle M. Houston, senior vice president, bond and specialty insurance, for Travelers Co. Inc., said another potential claim is kidnap and ransom, where people are unable to leave a facility during an incident.
Other issues covered during the session included the #MeToo movement, sexual orientation discrimination, religious discrimination and Supreme Court rulings.
Author: Judy Greenwald
Source: Business Insurance
While the number of incidents and casualties declined in 2017, a report released Monday by Marsh L.L.C. said terrorism is still a significant threat and that the insurance market is adapting to handle the evolving risk.
Marsh’s 2018 Terrorism Risk Insurance Report, which explores the state of the terrorism insurance marketplace, said that in the wake of recent events, terrorism insurers are expanding terrorism definitions to include active assailant events.
In some cases, the report said, insurers also are developing specialty products that offer first- and third-party business interruption protection for businesses that suffer lost income or revenue without the need for a direct property damage trigger.
Although fewer people were killed in terrorist attacks in 2017 than in 2016, the Marsh report said the means of attack and perpetrators have shifted.
“Past attacks were carried out primarily by specific groups against perceived high-value-high-profile targets,” the report said. “While that threat remains, many recent attacks have come against soft targets and been perpetrated by ‘lone wolves’ and small groups with no direct connection to known terrorist organizations. Weapons of choice now include vehicles, knives and other handheld devices.”
In 2017, the report said, pricing increased in five of the 17 industries surveyed by Marsh, with the sharpest increases being felt by hospitality and gaming companies, public entities and nonprofit organizations, which have been targets of terrorist acts in recent years.
Pricing declined in seven industries, the report said, most notably for energy and mining and construction companies, reflecting the generally positive conditions in the property insurance market prior to the 2017 Atlantic hurricane season.
Sixty-two percent of U.S. companies in 2017 purchased coverage embedded in property policies under the Terrorism Risk Insurance Program Reauthorization Act of 2015, or TRIPRA. Companies in the Northeast U.S. were most likely to purchase terrorism insurance, Marsh said.
The number of Marsh-managed captive insurers actively underwriting one or more insurance programs that access the TRIPRA increased 44% to 166 captives in 2017.
After incurring sizable ransomware losses in 2017, kidnap and ransom insurers are seeking to restrict coverage for cyber risks in their policies.
Terrorism insurance capacity remains strong, the report said, but pricing could increase as global insurance costs generally increase following natural catastrophe losses in 2017. January 2018 year-over-year pricing changes for a majority of reinsurance program renewals that included terrorism coverage averaged flat to an increase of 10% on a risk-adjusted basis, according to the report.
The Marsh report made several suggestions for businesses in the face of evolving terrorism risk, including continually reviewing and reevaluating their risk financing programs to ensure they have adequate protection for property, business interruption, workers compensation, general liability and cyber losses.
The report also encouraged businesses to effectively model their terrorism risk and to build and test robust crisis management and business continuity plans.
Author: Rob Lenihan
Source: Business Insurance
Recently, I had the chance to spend some time at Walt Disney World in Orlando, Florida, when I attended the NAMIC conference in February. One session included a presentation by Barry Dillard, director of claims for Walt Disney World, where he shared the company’s approach to handling a wide variety of claims.
I sat down with their vice president of risk management to learn about some of the strategies they employ, and I had the opportunity to tour Walt Disney World itself to peek behind the curtain and see how this massive theme park creates the magic for its guests and cast members while keeping everyone safe.
Believe it or not, the Walt Disney World Resort covers 40 square miles and is twice the size of Manhattan. Within its confines, this world-class attraction employs 75,000 cast members, each of whom plays a critical role in spreading the Disney magic. Their emphasis on safety is both taught and caught, which is especially important when serving the millions of guests who visit the Disney attractions around the world.
The Walt Disney Company is extremely proactive in their risk management strategies — it truly is everyone’s responsibility — not just the realm of those at the corporate level. As is often the case in life, the simplest things can make the biggest difference. Merely walking the parks, hotels, shops, and restaurants can yield valuable information, allowing cast members to identify small issues before they become larger ones. Even in one of the most magical places on earth – reality tends to intrude.
Unexpected risks arise every day and training plays a key role in mitigating them. Hackers are constantly devising new ways to access company information or hold it for ransom. The use of ransomware is expected to increase 350% this year, so being vigilant and backing up data has never been more important.
The number of shooting incidents in businesses and other settings is increasing at an alarming rate. Knowing what to look for and how to respond in these situations can literally be the difference between life and death.
For better or worse, new risks are changing our behavior — how observant we are in open spaces of our surroundings, what we post on social media, where and how we protect our personal information, what we open online and how we train our staffs. It really is the smallest things that can make the biggest difference in keeping people safe.
Author: Patricia L. Harman
The challenges of cybersecurity have been covered ad nauseum: the ever-increasing volume and sophistication of attacks, the shortage of skilled cybersecurity analysts, and the general inability to keep up with all that is going on in the cybersecurity market have all been well documented.
So, what can be done? Given all these conditions, how can a business better protect their operations and resources? The short answer is they can start using a combination of technologies, services and education to stem the impact of cyber-attacks on their organization.
Technologies Can Help Fill the Gap Created by the Skills Shortage
Organizations can look for technologies that are primed to automate and orchestrate responses to cyberattacks.
This is not a new concept – back in 2011, the US Department of Homeland Services described, in their paper “Enabling Distributed Security in Cyberspace,” an ecosystem where “cyber devices are able to work together in near-real time to anticipate and prevent cyberattacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state.”
This is very different from what most organizations have today. Typically, companies have a host of cybersecurity technologies, from firewalls and to that are working alongside, but not in concert with one another. Each solution is specialized to look for something – e.g. evidence of a distributed denial of service attack, indicators that a user’s credentials have been compromised, pointers to data being leaked via cloud apps, signs that a mobile device has been taken over, etc.
Each of these solutions requires someone to deploy, manage and maintain it, as well as make sense of the information it generates. The data these solutions produce and the people managing them often remain in a silo, making it hard for anyone or anything to see the complete picture to quickly and confidently take action, as appropriate. But change is coming.
Half of the respondents (55%) to a survey by Intel Security “believe cybersecurity technologies will evolve to help close the skills gap within five years.” Likely this will come in the form of advances in intelligence, automation and orchestration. We have already seen vendors dabble with artificial intelligence (AI) and machine learning to accelerate the identification of an attack and support the orchestration of more automated responses.
It has been particularly effective when entities or events can be easily incriminated or exonerated, such as in the incident response process. A large organization can average close to 17,000 alerts a week, which is why only one in five alerts ends up being something worth dealing with.
A solution, however, that can automate investigations and help prioritize subsequent activities is sustainable. Hence, we have seen an explosion in the IR automation market – the Enterprise Strategy Group found that 56% of enterprise organizations “are already taking action to automate and orchestrate incident response processes;” Technavio has the IR system market growing at a compound annual growth rate (CAGR) of 13%.
To truly ease the burden on cybersecurity analysts and improve the efficiency and productivity of their cybersecurity infrastructure, organizations need to look for and demand more of these kinds of innovations from their technology vendors.
Services Play a Viable Role in Augmenting Capabilities
The reality is there are always times when organizations, even those with SOCs that are skilled and staffed appropriately, may need a little help. This is where services come in; we are finding there is greater acceptance that augmenting resources with a service offering can be a good way to enhance the effectiveness of an organization’s cybersecurity strategy and implementation.
An outsider’s view can give organizations the knowledge they need, a fresh perspective or a new way of thinking that helps drive better decision-making and ultimately better security.
The problem is managed security services providers (MSSP) are having to staff up themselves to meet the demand, which is why we’ve seen some a lot movement in this space. For example, there has been FireEye’s acquisition of Mandiant, IBM’s acquisition of Lighthouse Security, and BAE System’s acquisition of SilverSky, etc.
Ultimately, being able to deliver the experience and know-how organizations need will help close the gap and strengthen overall security.
Educational Opportunities are Key to Bolstering General Awareness and Expertise
At the end of the day, nothing replaces the knowledge and expertise of an in-house analyst. Only they truly understand an organization’s nuances, putting them in the best position to effectively identify, contain and fully remediate many of the more sophisticated attacks targeting the organization.
Unfortunately, as we’ve already mentioned, these folks are in short supply, so organizations need to look across their IT organization to develop cybersecurity awareness and know how.
Training courses taught by experts with real-world experience and include lab time are invaluable for building the skills that will be applicable to strengthen the organization’s security stance. Virtual sandboxes (vSandbox) and Ultimate Test Drives (UTD) are also good tools to deploy. They allow attendees to test and work with solutions in a safe environment, so they can see firsthand how they can be deployed and used to improve the cybersecurity capabilities of the organization’s own environment.
Ultimately, to address the cybersecurity gap and all the threats that are targeting an organization, it will take a confluence of technologies, services and experiential learning. Together, organizations can deploy the skills and capabilities they need to keep up, and ideally get ahead, in this harried cybersecurity landscape.
Source: InfoSecurity Group
Author: Pradeep Aswani