407-445-2414 info@wrmllc.com
Understanding the Organization’s Risks

Understanding the Organization’s Risks

Financial disaster preparedness begins with a thorough understanding of the risks facing the organization. As an organization grows and its operations become more intricate, its risks change and tend to become more complex. Accordingly, risks need to be assessed continuously, an exercise typically orchestrated by the risk manager with support from throughout the company.

Beyond the many challenges of physical recovery following a catastrophe, additional problems affecting financial recovery often occur because key areas of risk were overlooked or their potential impacts were not fully understood. For example, a real estate services provider had adequate liability coverage for cyber breaches but did not anticipate the potential financial impact of an interruption of its IT systems. The company experienced a cyber intrusion that shut down its servers for 24 hours, resulting in a multimillion-dollar loss that was only partially covered by insurance.

Risks that are not identified or clearly understood in advance are difficult to manage in a cost-effective manner following a catastrophic event. Such risks expose an organization to unexpected and often avoidable financial losses. The process of risk identification, analysis, mitigation and transference is a critical part of the financial preparedness process.

Once risks have been identified and analyzed, seven key areas of financial preparedness must be addressed:

1. Planning for business continuity

The foundation of financial preparedness, business continuity planning entails understanding how, and to what degree, your organization will be able to service its customers and maintain solvency in the event of a major shutdown of operations or other catastrophic event. This can include a variety of actions, such as fulfilling orders using existing inventory, receiving support from other company locations, outsourcing production and/or services, and setting up a temporary location. These actions help ensure continuity of operations and, in doing so, also help mitigate the loss.

In planning for business continuity, it is important to consider unexpected occurrences and challenges. Catastrophic losses can occur in ways that were not anticipated or previously experienced by an organization. For example, as a result of Superstorm Sandy in 2012, a company lost two of its major data centers, one located in New York City and a backup center located miles away in New Jersey. The company’s management never anticipated the possibility of a hurricane impacting both data centers at the same time. Organizations must explore a wide range of possible causes of loss and the resulting impacts when assessing both the maximum possible and the maximum probable loss.

2. Understanding employee retention

Retaining key employees and other members of the workforce following a catastrophic event is essential to the continuity and restoration of a company’s operations. Organizations must assess whether or not insurance will be necessary to cover labor costs following a catastrophic loss.

3. Understanding and mitigating costs

In addition to labor, there are many other costs that will continue following a catastrophic loss. The key to managing these costs is assessing the organization’s (and each facility’s) structure of variable and fixed costs and determining how they will likely be impacted following a partial or complete shutdown of operations.

By understanding and assessing continuing costs, the organization can better plan for mitigation of those expenses and required insurance coverage. The preparation of a simple business interruption values worksheet does not typically go deep enough—the process requires a detailed understanding of operations and related costs, and ways they will be impacted following a loss.

4. Identifying other sources of potential funding

Insurance is typically the first line of defense following a catastrophic loss, but other sources of funding may also be available. For example, if the president formally declares a disaster, state and local government entities, eligible nonprofits (including hospitals, colleges and universities) and Native American tribes may qualify for federal disaster relief, including Federal Emergency Management Agency (FEMA) Public Assistance Program grants, U.S. Department of Housing and Urban Development Community Development Block Grant Disaster Recovery grants, and Federal Highway Administration disaster grants.

In the case of FEMA Public Assistance grants, the documentation and reporting processes can be onerous, with a multitude of eligibility requirements that address the applicant, facilities, work performed and costs incurred. FEMA also has many insurance requirements, particularly for organizations that have received FEMA funding for previous disasters. Developing an understanding of these and other federal guidelines and implementing necessary procedures and controls before a disaster occurs can help ensure that maximum funding is secured in a timely manner, and can also help withstand audits by federal agencies.

5. Assessing liquidity needs

It is critical to maintain liquidity following a loss event. A careful assessment of the amount and timing of potential recovery from insurance and other sources of funding, consideration of continuing costs and extra expenses to maintain operations, and the need for capital to rebuild operations can shed light on the requirements for cash reserves and access to credit during an extended operational shutdown. While insurers may provide advances following a catastrophe, final settlement often takes longer than expected. Planning in this area can help avoid unexpected cash shortages that put business continuity at risk.

6. Developing a loss response team

Before a loss occurs, it is essential to identify and train the team that will support the organization following a loss event. Internal resources should include a broad spectrum of resources spanning the risk, legal, finance and accounting, operations, sales, engineering, and procurement departments. Additional external resources may include debris removal companies, general contractors, engineers, attorneys, accountants and other consultants. Developing your team and outlining their roles before a loss occurs will help expedite the recovery process, increasing its overall effectiveness and saving costs.

7. Assessing insurance coverage

An organization must conduct a review of its coverage at least annually and even more frequently when faced with significant changes in operations. Often, companies discover too late that their insurance policies do not provide sufficient coverage for property damage, business interruption and extra expenses. Many also discover unclear or ambiguous policy language that creates settlement issues.

An annual policy review should provide an understanding of the risks covered, sublimits, exclusions, deductibles, waiting periods and coinsurance requirements. This process can help ensure that risks are covered in the manner intended by management. Following annual renewals, it is also important to determine if any risks need to be further addressed and mitigated due to changes in coverage that may have occurred during the underwriting and renewal process.

The review should include an assessment of the organization’s covered locations and confirmation that the policy lists (or contains appropriate blanket coverage for) all existing locations, especially recently added ones. It should also include an assessment of the statement of values to determine whether property values are current. Property values may need to be updated as companies add, upgrade or sell equipment, invest in new capital, and change physical structures.

The organization’s business interruption values should also be assessed. This means, at a minimum, assessing each location and operation to determine the organization’s exposure to a loss of net income and expenses that would likely continue following a catastrophic event. As your business grows or declines or margins change, business interruption values will likely change as well. Failing to update these values could result in a gap in coverage due to insufficient policy limits, or potentially trigger a coinsurance penalty if designated in the policy.

In assessing insurance, it is important to pay close attention to sublimits, exclusions, waiting periods and deductibles, all of which can significantly impact an organization’s level of financial recovery. As an example, a large entertainment facility experienced a significant loss when an electrical outage led to the cancellation of a show on a busy weekend. Management was surprised to learn that the loss was not covered due to a 48-hour waiting period for “service interruption.”

The period of indemnity specified in a policy may also have a major impact on recovery. Insurance policies typically define the period of indemnity as beginning on the date of loss and extending through the period during which the property can be repaired, rebuilt or replaced, with reasonable speed, to the condition that existed prior to the loss (or, alternatively, the date business is resumed at a new location). Many policies also provide an “extended period of indemnity” of 30 days or more to give the business additional time to restore normal operations. This extended period can provide critical support for financial recovery.

It is also crucial to understand your needs with regard to employee payroll following a catastrophic loss. Business interruption insurance policies may provide full, limited or no coverage for “ordinary payroll” following a catastrophic loss. Ordinary payroll refers to payroll expenses of employees other than executives, department managers, employees under contract and other employees deemed vital to continuing operations. Companies with a critical need to keep such employees after a loss typically require this type of coverage in their policy.

Coverage for extra expense should also be assessed and considered in light of potential actions following an interruption of operations. This coverage generally addresses expenses incurred during the period of restoration to avoid or minimize the suspension of operations at either the current location or temporary locations.

A variety of special coverages are available to cover other areas of risk and may be appropriate for risks specific to the organization, such as insurance for contingent business interruption (to cover losses sustained by your organization as a result of physical damage occurring at your suppliers’ or customers’ facilities), supply chain disruption and cyber incidents.

Source: Risk Magazine
Author: Allen Melton
Author: Michael Speer

HIPAA Enforcement: A Look Ahead

HIPAA Enforcement: A Look Ahead

So, what’s next for the Trump administration’s handling of health data privacy and security issues now that the 100-day milestone has been reached?

So far, despite the overall anti-regulatory tone of the new administration, it appears that enforcement of HIPAA is moving along at the same or perhaps even a slightly more aggressive pace than what was taken by the Department of Health and Human Services under the Obama administration.

“Congress established OCR to adapt to new technology – and to protect it.”

In one of his first speeches, Roger Severino, who last month took on the job of director of HHS’s Office for Civil Rights, promised to keep HIPAA privacy and security enforcement a top priority.

“I came into this job with an enforcement mindset,” Severino said on April 27 during a session at the Health Datapalooza conference in Washington, according to HealthcareITNews. “Congress established OCR to adapt to new technology – and to protect it.”

Resource Hungry

But will that mindset continue? A lot likely depends on the resources OCR gets for fiscal 2018. The staff has been stretched thin in recent years, especially as OCR has been digesting the findings of more than 200 HIPAA compliance audits of covered entities and business associates. Plans to launch a smaller number of more comprehensive audits in early 2017 have already been delayed until later this year. And who knows if that will even happen?

Privacy attorney David Holtzman, the vice president of compliance at security consulting firm CynergisTek who formerly was a former senior policy adviser at OCR, notes that so far this year, in terms of enforcement actions taken by OCR, the agency could break its aggressive record of 2016, which included 12 settlements and one civil monetary action – not to mention the relaunch of audits.

“OCR has continued its stepped-up enforcement of the HIPAA privacy, security and breach notification rules. Thus far in 2017, the agency has announced negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million,” he says.

“In all but one of these cases, organizations have also been saddled with multiyear corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016, in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.”

But it’s still unclear how the Trump administration will handle bigger-picture health data privacy and security issues.

“I believe it is important to distinguish between broader policy decisions and the day-to-day operations of the department’s mission,” he says. “While we have not seen evidence of how administration policy on health data security and privacy issues will develop, there is ample evidence that it is business as usual in OCR’s administration of the HIPAA privacy and security standards.”

Beyond HIPAA

While meeting HIPAA compliance requirements doesn’t necessarily equal the kind of robust security efforts needed to effectively safeguard data – including data that goes beyond patients’ protected health information – OCR’s recent enforcement ramp-up likely will help nudge security laggards out of their complacency.

But it’s also important to remember that the OCR enforcement actions we’re seeing have been in the works for years. Looking ahead, will OCR be spending less time investigating major breaches that get reported now? Let’s hope not.

Here’s an updated look at the sobering breach stats: As of April 28, there were 1,921 major breaches affecting nearly 173.4 million individuals reported to OCR since September 2009, according to HHS’ “wall of shame.” And to date, OCR has issued 47 HIPAA settlements and two civil monetary penalties.

So, while there’s been an a slight uptick in the number of enforcement actions taken by OCR over the last year or two, the reality is that there are still slim odds that you’ll end being smacked with a financial penalty related to a breach.

And the odds could grow even slimmer if OCR finds itself with a barebones budget for fiscal 2018. President Trump has proposed big cuts to HHS’ overall budget for the next fiscal year beginning on Oct. 1, and he has also instructed federal agencies to plan reducing their workforces near term.

In the meantime, OCR likely will keep picking and choosing cases for settlements that highlight common mistakes entities make in safeguarding patient information. Plus, the HIPAA enforcement agency will continue to release guidance that addresses confusing and critical security and privacy issues.

Hopefully, the healthcare sector will continue to learn from these cases and guidance and make it a higher priority to bolster their overall risk management programs to better safeguard all data against evolving threats.

Source: InfoRiskToday
Author: Marianne Kolbasuk McGee


New tool evaluates climate risk for insurers

New tool evaluates climate risk for insurers

How are climate-related risks and opportunities affecting your organization’s businesses, strategy and financial planning? Increasingly, companies are asking themselves that question to prepare for an uncertain future.

Indeed, the impact of climate risk is a topic that regulators are considering as well. The Financial Stability Board set up the Task Force on Climate-related Financial Disclosures “to help identify the information needed by investors, lenders and insurance underwriters to appropriately assess and price climate-related risks and opportunities.”

These voluntary disclosures would give stakeholders a clearer picture of how companies perceive and are addressing climate risks. And the National Association of Insurance Commissioners’ Insurer Climate Risk Disclosure Survey, adopted in 2010, is now mandatory for larger insurers.

The Actuaries Climate Index (ACI), a monitoring tool launched in November 2016 by four North American actuarial organizations, may be helpful to insurance companies in answering these types of questions and in managing climate-related risks and opportunities.

Why are actuaries weighing in on climate risk?

Actuaries are experienced in the assessment and mitigation of the financial consequences of risks and in the summarization and presentation of complex data for decision-making. A changing climate is having a financial impact on insurance consumers and providers, and actuaries are well positioned to conduct deep analysis to map out what has been happening in recent decades. The Actuaries Climate Index was developed by the Climate Change Committee, a joint effort of the American Academy of Actuaries, the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries.

What is the Actuaries Climate Index?

The ACI is an educational tool designed to help inform actuaries, public policymakers and the general public about climate trends and their potential impact. A quarterly measure of changes in extreme weather events and sea levels, the ACI is based on analysis of quarterly seasonal data for six different index components collected from 1961 through the latest available season, compared to the 30-year reference period of 1961 to 1990. The ACI is available online at ActuariesClimateIndex.org.

The ACI divides the continental United States and Canada into 12 different regions. Higher index values indicate an increase in the occurrence of extreme weather events.

The risk measured by the ACI is relative to the average frequencies during the reference period of 1961–1990. The data is from neutral, scientific sources, generating objective, evidence-based results on extreme weather events. According to the data analysis, 1.02 is the current five-year moving average value for the index. The index value remained below 0.25 during the reference period, reached a value of 0.5 in 1998, and first reached 1.0 in 2013. These values indicate an increase in the frequency of extreme weather occurrences and changes in sea levels to a sustained level above any single season (out of 120) during the reference period.

The ACI data is available for free on the website, which shows graphs and maps of the data by region and component. There is a guided tour to the website and documentation explaining how the index was developed and how it is calculated.

A second index, the Actuaries Climate Risk Index (ACRI), is based on the historical correlations of economic losses, mortality, and injuries to the ACI data, and is expected to be launched later this year. Regions used in the ACI follow state and provincial borders as shown in Figure 2.

The six components of the Actuaries Climate Index are:

  1. Warm temperatures (above the 90th percentile)
  2. Cold temperatures (below the 10th percentile)
  3. Heavy precipitation (maximum 5-day rainfall in each month)
  4. Drought (measured by consecutive dry days)
  5. Wind (above the 90th percentile)
  6. Sea level

For the purpose of combining the six components, the seasonal differences versus the reference period are divided by the statistical measure of variability in the reference period, the standard deviation. This approach allows such inherently different quantities to be combined in a single index while preserving the accuracy of the components. For each component, the index value indicates how unusual that season’s value is, compared to the reference period mean and standard deviation for that season. Hence, each component is in units of the standard deviation of that quantity.

The index components are approximately normally distributed, therefore, about one-third of the time one expects that index values will be outside the interval ±1, and one-sixth of the time it will be greater than +1. When it comes to the composite ACI, constructed as a combination of the components, the standard deviation is significantly less than 1, and thus a composite index value of 1 indicates a more unusual event than a similar value at the component level.

How insurers can use the Actuaries Climate Index

Data by region and component can be used to focus on areas where claim activity is most important to an insurance company. Concerned about sea levels or heavy rain in the northeastern United States? Data for the Central East Atlantic region (CEA) will show that sea level rise has been greater there than in any other region and that periods of heavy precipitation have been much more significant in recent years. Seasonal data underlying graphs such as Figure 3 could be modeled against claims data to help assess the risk — and then companies can incorporate their insights into pricing, underwriting, product development or claim department strategy. Monthly ACI data is also available.

The risk management implications of climate change will only continue to grow if current trends continue. Companies that incorporate climate data in their strategic planning will have a competitive edge. They will also be better able to answer climate disclosures and provide convincing information to regulators, shareholders and lenders that will demonstrate that they are effectively managing risks.

Climate change will have varying effects by class of business; property, casualty, life and health insurers will identify different risks and opportunities. Reinsurers will also be interested to know how their reinsureds are monitoring this aspect of their business. The ACI should also be useful to non-insurers in their financial planning and risk management.

Coverage decisions, such as where and whether to provide property or flood insurance, can be informed by historical climate statistics. Actuaries are increasingly using predictive models to measure correlations and trends for use in pricing, underwriting, claims management, marketing and enterprise risk management. The Actuaries Climate Index data is an important new input to these models. Where possible, the index components measure extremes, rather than averages, because extremes have the largest impact on people and property.

Some might say that climate change is gradual and should be a manageable risk for the insurance industry. At a presentation to actuaries in 2015, the audience was polled about how concerned the property and casualty insurance industry should be about the risks of climate change. Of the 121 poll respondents, 43 percent indicated that the risks of climate change are inadequately addressed. Is your company in this group?

The Actuaries Climate Index and the Actuaries Climate Risk Index will be useful additions to the analytical toolkit of insurers and other companies as they look to manage the risks of a changing climate.

Douglas J. Collins is a retired actuary and chair of the Casualty Actuarial Society’s Climate Change Committee. He worked for eight years at The Travelers, and spent the remainder of his career as a consulting actuary and principal with Tillinghast, Nelson & Warren, and its successor organization, Towers Perrin in the U.S., Bermuda and Europe.

Source: Property Casualty 360

Realities and risks of the robot revolution

Realities and risks of the robot revolution

The robots are coming. In fact, in many places, they have already arrived.

Some consider software automation such as robo-advisors to be robotics, but there is also considerable progress in the world of the physical, tangible robots that are very similar to the ones made popular by a century of science fiction stories.

We are headed toward a future of robots all around us — on land, sea, and air; in our homes, businesses, and communities. Today, we are witnessing the first glimpses of this robot revolution. The rate of robot proliferation and adoption is astounding, which means that a future with billions of robots may not be that far off.

The International Federation of Robotics reports that there are expected to be 31 million household robots in service by 2019. There are already millions of industrial robots in use; over a quarter of a million were sold just last year. Add that to the millions of drones being sold and robots in business, agriculture, and other settings, and it becomes clear that robots are delivering good value and market acceptance.

Recent examples of robotics pilots and implementations demonstrate some of the future potential:

  • Takeout food delivery:  There are current pilots underway in which small mobile robots deliver takeout orders from restaurants in Washington, DC and Hamburg, Germany.
  • Robotic prostheses:  3D printing and AI advances have enabled low costs and customization of robotic arms, hands, and legs. Wearable robotic gloves that allow the disabled or elderly to have hand function are now available.
  • Robotic kitchen assistant:  A robot called Flippy has been proven to cook burgers at a fast food restaurant more efficiently and at less cost than humans.
  • Insurance sales:  Meiji Yasuda Life will use 100 humanoid robots in branch locations to answer sales and service questions and support sales personnel.

At issue now is how the new wave of robots will alter risks in the world and what that means for the insurance industry. It’s easy to jump to a vision of the world of the future controlled by robots, à la the Terminator movie series. But right now, Elon Musk, among other prominent tech figures, is truly worried about an AI apocalypse in which robots and other AI driven devices run amok and destroy the world and civilization as we know it.

While it is advisable and even imperative to think about these long-term possibilities and establish the right governance today, the truth is that robots are already affecting risks — both positively and negatively. Insurers should consider these aspects of a world with more and more robots:

  • Job loss:  Robots are likely to replace human workers in many different professions and in many different industries.
  • Worker safety:  Robots can operate in dangerous environments, where there may be toxic chemicals or otherwise unsafe conditions for humans. Robots can also work alongside humans, handling tasks that could help to reduce workplace injuries and accidents.
  • Elder/disabled care:  Robots in homes and healthcare settings may allow more individuals to live independent lives and reduce the need for assisted living facilities.
  • Increased cyber exposure:  Robots will collect and create vast amounts of data about the world around them. Like any other environment with electronic data, these will be subject to hacking and criminal abuse.
  • Robot-caused injuries:  Malfunctioning robots in industrial or residential settings could inadvertently cause injury or death to humans. There are examples of this already, and the potential increases as robots become pervasive.

It should be evident from these few examples that insurance coverages will need to evolve correspondingly. In some cases, the use of robots will decrease risks and can be leveraged for loss control. In other cases, new risks will emerge and will demand insurance solutions for individuals and businesses.

No one can predict with accuracy how rapidly robots will be adopted and spread across the world. But wise insurers will begin planning for a robot revolution, today.

Source: Property Casualty 360
Author: Mark Breading
Photo:  ShutterStock

Increasing Risk Complexity Outpaces ERM Oversight

Increasing Risk Complexity Outpaces ERM Oversight

More organizations are recognizing the value of a structured focus on emerging risks. The number of organizations with a complete enterprise risk management (ERM) program in place has steadily risen from 9% in 2009 to 28% in 2016, according to the N.C. State Poole College of Management’s survey “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.”

Yet this progress may lag behind the increasingly complicated risks that need addressing. Of respondents, 20% noted an “extensive” increase in the volume and complexity of risks the past five years, with an additional 38% saying the volume and complexity of risks have increased “mostly.” This is similar to participant responses in the most recent prior years. In fact, only 2% said the volume and complexity of risks have not changed at all.

Increasing Risk Complexity - WRM

Even with improvements in the number of programs implemented, the study—which is based on responses of 432 executives from a variety of industries—found there is room for improvement. Overall, 26% of respondents have no formal enterprise-wide approach to risk oversight and currently have no plans to consider this form of risk oversight.

Organizations that do have programs continue to struggle to integrate their risk oversight efforts with strategic planning processes. “Significant opportunities remain for organizations to continue to strengthen their approaches to identifying and assessing key risks facing the entity especially as it relates to coordinating these efforts with strategic planning activities,” the researchers found.

According to the study:

Many argue that the volume and complexity of risks faced by organizations today continue to evolve at a rapid pace, creating huge challenges for management and boards in their oversight of the most important risks. Recent events such as Brexit, the U.S. presidential election, immigration challenges, the constant threat of terrorism, and cyber threats, among numerous other issues, represent examples of challenges management and boards face in navigating an organization’s risk landscape.

Key findings include:

NC-State-ERM - WRM

Source: Risk Management Monitor


A Revolution in Risk Management

A Revolution in Risk Management

According to a 2013 research report published jointly by MIT and PwC, over 69% of companies surveyed experienced a supply chain disruption that resulted in a 3% or higher increase in total supply chain costs. Meanwhile, a 2014 survey of supply chain executives conducted by the Global Supply Chain Institute found that “many supply chain execs have done very little to formally manage supply chain risks.”

With so much on the line, why has there been so little focus on supply chain risk mitigation? Until recently, there have been no supply chain-focused risk management tools that enable organizations to manage both catastrophic risks (natural disasters), that result in major supply chain disruptions, and operational risks (port congestion), that destroy supply chain performance by a thousand cuts.

Download this white paper to learn how real-time big data and machine learning are enabling transformative new capabilities for risk detection, mapping, visibility and fast response:

  • Dynamically discovering and modeling all nodes, facilities, assets, trading partners and customers in the end-to-end supply chain, continuously
  • Enabling real-time visibility into unfolding interdependent risks and disruptions
  • Performing dynamic, frequent assessments of risks unfolding in real-time and those predicted to occur based on behavioral modeling
  • Producing prescriptive recommendations for risk remediation, and facilitating intelligent actions

Source: RIMS