The assignment of risk owners falls in the middle of the risk management cycle (after developing risk appetite and tolerance and identifying risks, but before assessing and analyzing them). At this point, the organization must identify who will “own” or be responsible for a particular risk.
Although the exact definition of what a risk owner is will vary depending on the organization, it can generally be defined as a person or persons responsible for the day-to-day management of a risk. (I will talk later about when to assign a risk owner…)
Assigning an owner for these risks is important for a few reasons…
One, a designated risk owner ensures someone in the organization is accountable for the risk. If there is not one person or a group charged with managing a risk, then by default, the entire organization will own the risk, and therefore it is highly likely the risk will fall through the cracks (a/k/a nothing will be done). Having a risk owner is an important step toward ensuring that a response plan is developed and acted upon in a timely manner.
Two, risk ownership is one way for executives to not only hold individuals accountable for risks, but to show their support for ERM in general.
The third reason for appointing a risk owner is to ensure that the ERM function does not own risks.
It’s important to understand that ERM does not actually manage risks; believing that it does is a common misconception. The role of ERM is to help facilitate a process for identifying, assessing, and analyzing risks, and to ensure that executives and other key players have the information they need to make risk-informed decisions.
The only exception to this rule is if the risk function is responsible for insurance, business continuity, or a similar program. This situation applied to me when I was Director of ERM for a large Florida-based property insurance company…in this case, it was only natural for my area to be responsible for these risks. In fact, business continuity can very closely integrate with ERM, so it made perfect sense to have them under a single manager.
In what circumstance will the organization need to assign a risk owner?
Not every identified risk will require an owner. In fact, if your organization has thousands of risks identified through a bottom-up approach, assigning a risk owner for each one will overwhelm you and your team and nothing will get done.
Instead, start with the most critical risks and then consider adding more once a workable, sustainable process is in place.
Iconic cosmetics brand Estee Lauder, for example, has 46 critical corporate risks where an owner has been assigned. These particular risks met several guidelines which exceeded their respective risk tolerance or could cross this threshold in the near future.
In short, a risk owner needs to be assigned for risks that exceed tolerance levels that were set earlier in the risk management cycle. However, that doesn’t mean risks that are within tolerance levels should be ignored…accepted risks have to be monitored as well.
More specifically, the cumulative result of accepted risks and the inter-dependencies of risks have to be carefully considered as well. If Risk A occurs and could trigger Risk B, a risk owner should be appointed and action taken, especially if Risk B is considered critical and falls outside of tolerance levels should it occur.
You also don’t need me to tell you that things are always changing. Perhaps tolerance levels change down the road or the risk itself changes. Of course, this certainty that things change is why I’m a firm believer in having a maximum time limit for a review of both low and accepted risks to ensure nothing is being overlooked.
Risk Ownership: Key Considerations, Challenges, and Options
I could probably write an entire article or even an eBook on how an organization could go about assigning an owner for a particular risk. Before getting into different options though, there are a few key considerations and challenges I should discuss first.
- Ensure there are clear definitions on roles and responsibilities in place before proceeding any further…this is one of the first and most important considerations when it comes to choosing a risk owner. As explained by Chris Corless in this article in Strategic Risk, it’s important for everyone involved to have a clear understanding of expectations when someone accepts the role of risk owner.
- Properly train risk owners on their responsibilities and how they need to manage and report the risk. Think about it this way – your organization wouldn’t roll out a new time management system and not train employees on how to use it, right? Risk ownership is no different…
- Maintain consistent language throughout the firm regarding risks. Frank Fronzo of Estee Lauder explains how the company has a dictionary of terms it uses to ensure everyone is speaking the same language and stays on the same page.
One of the most common challenges organizations face when assigning a risk owner is the tendency to give it to the highest accountable person in the organization. While this is okay for risks linked to the strategic plan, the fact is that executives and other leaders simply do not have the time to take many of these risks on. In situations like this, the individual may delegate the responsibilities of owning a particular risk to someone else with time to perform them.
In cases like this, the senior-level person becomes a risk “custodian,” meaning they still have an interest in the risk but do not fulfill the day-to-day responsibilities of an owner.
And as I mentioned earlier, risk ownership should extend down the organization chain for a couple of reasons. One reason is limited time on the part of executives and other leadership. Second to that, appointing a mid-level manager as a risk owner can play a huge part in cultivating a positive risk culture throughout the entire organization.
Another challenge many organizations face when assigning and managing risk owners is the tendency for risk management activities to fall back within organizational silos. If this type of situation occurs, the case can be made that you’re not really practicing ENTERPRISE risk management.
To address this challenge or avoid it altogether, a risk information system should be used that contains details about all risks the organization is managing, who the owner(s) of a particular risk is, recent activities and more. This system should be accessible by all risk custodians and owners…
During a recent conversation, a fellow risk professional mentioned that his organization uses Archer, but other well-known software tools organizations commonly use include Logic Manager, MetricStream, CURA, and Sword Active Risk. There are plenty of other options out there too, like Aviron Financial Solutions, Audit Comply, and Vose Software, to name a few…
When developing the process and choosing risk owners, company culture and the accountability structure of the organization will play a huge role…
Broadly speaking, risk ownership can be assigned to an individual or a designated risk committee.
Individual risk owner
If your organization has diverse functions and a weak collaborative culture, you will most certainly want to go with an individual risk owner. This individual (…and the risk custodian if applicable) will be the one person held accountable for the management of the risk they are charged with handling. I mentioned this in a way in the beginning of this article…having an individual risk owner is not only a way to hold someone accountable for a risk, it is also a way for executives to demonstrate how important they view ERM.
When assigning an individual to be the owner of a particular risk, it’s vitally important they have decision-making authority and the ability to allocate financial and human resources for the risks they are charged with managing.
Another point to consider when determining an individual risk owner is assigning accountability by position rather than by name. (I personally really like this concept!) This is one key point of how Estee Lauder determines the proper owner. Assigning accountability this way ensures risks are continuously managed, even if the individual person moves on from their position.
One situation where an additional person may be involved with managing a risk but not be considered group or committee ownership is when a department is impacted by a risk but another department is better suited to manage the risk. In cases like this, co-ownership and coordination between the departments will be needed, but in the end, one person will still be responsible for monitoring and managing the risk.
For organizations with a strong group or collaborative culture, group ownership of risk(s) may be the way to go. This group can consist of individuals from across the enterprise, which of course can be a positive in that it brings together different perspectives. Specific action-items can be assigned based on responsibilities of individuals within the group.
However, one big drawback of group or committee ownership is that it is hard to hold the entire group accountable. Absent any strong oversight from a management-level risk committee, the group can easily end up pointing fingers when things go awry or otherwise sit around and talk about a risk without ever taking any action.
These management-level risk committees can benefit the organization in many ways, including building a positive risk culture.
As you can see, your organization’s culture is a key part of determining the best model for assigning risk owner(s).
A Word of Caution
Developing your organization’s risk ownership process will take time and require a bit of trial and error, and above all, patience. Long before any risk owners begin their work and report their activities into a software system and to executives, definitions on roles and responsibilities and a consistent language must be developed, plus training for everyone involved.
This, of course, is all in addition to other phases of the risk management process like identification, risk assessment, setting risk appetite and tolerance, and more. But risk ownership should be embedded throughout the process of managing risks; after all, the risk owner will be your main contact for a risk. And by all means, don’t overlook the relationship factor and how it can support ERM success.
If done properly though, having individuals throughout the organization “own” and therefore be responsible for certain risks will go a long way to building a long-term, value-driven ERM program.
Source: ERM Insights
Women in the workplace encounter particular safety risks that need to be addressed, including workplace violence and ill-fitting personal protective equipment, according to safety experts.
For example, women in industries such as health care and retail are significantly impacted by workplace violence, according to safety experts participating at the American Society of Safety Professionals’ Women’s Workplace Safety Summit in Rosemont, Illinois, on Monday.
According to the U.S. Bureau of Labor Statistics, 16,890 workers in private industry experienced trauma from nonfatal workplace violence in 2016; 70% of those employees were female, and 70% worked in the health care and social assistance industry.
Diana Stegall, ASSP president-elect and senior loss control consultant for workers compensation insurer United Heartland, otherwise known as United Wisconsin Insurance Co., a member of AF Group, said she sees claims data about the workplace violence injuries that happen in the health care and social services sector.
“Many times when we think about workplace violence, we think about it in terms of active shooter,” she said. “But when you look at the injuries that actually happen, many times it’s those people who were providing care. They get injured in providing care. It’s a huge issue.”
Meanwhile, 500 U.S. workers were workplace homicide victims in 2016, and 31% of them were working in a retail establishment, according to BLS data.
“We know about health care, but we sometimes forget about the retail portion where workplace violence takes place and the late-night gas and go’s,” said Sally Smart, technical safety specialist at W.W. Grainger Inc. based in Janesville, Wisconsin. The health care and social services and retail industries “are the ones who have unfortunately the most experience with workplace violence.”
One solution that emanated from a discussion group at the summit focusing on the workplace violence issue was to share the stories of the women impacted by workplace violence to raise awareness of the issue, Ms. Stegall said.
“Sometimes we become numb when we see one headline after another after another,” she said. “How does this really impact us as an organization? How does this impact us personally? What are those stories that show this can happen to you? It can and in many cases already is happening, and you may just not be aware of it.”
ASSP will also gather data on the workplace violence issue, including underreported verbal altercations, to create guidance documents or toolkits for employers to help them improve or develop their workplace violence prevention programs, Ms. Stegall said. The documents would address key issues such as safety culture, accountability and how to engage workers in the process, she said.
A separate group of experts participated in a discussion about another safety exposure for women in the workplace: ill-fitting personal protective equipment, or PPE.
“Ill-fitting PPE leads to increased hazards, increased injuries, and also affects productivity because of those two things, as well as (having) a psychological impact,” Ms. Smart said. “If you put a woman in PPE and it doesn’t fit her … do they feel unprotected because it doesn’t fit right? Or more importantly, do they not wear it because it doesn’t fit? There are manufacturers who do make specific personal protective equipment for women, but not many. Sometimes employers don’t understand that. They sometimes go with one size fits all and it doesn’t.”
“With any of these issues, awareness is a big piece,” Ms. Stegall said. “A lot of the PPE that’s out there is developed for males based on data gathered from the military from the ’50s. Men in the military look a lot different than those outside of that demographic. Quite frankly, if we get (PPE) that’s more gender-diverse, it’s going to help men as well who don’t fit the standard ‘body type,’ because we’re not all the same size. How do we get the word out? Also, how do we let manufacturers know that just because we’re women doesn’t mean we want pink safety shoes and pink personal protective equipment?”
The summit also focused on the leadership of women in the occupational health and safety industry, with a discussion group highlighting the need for additional data on the issue and identifying potential sources of data as well as developing a problem statement, said Deborah Roy, corporate director of health, safety and wellness at L.L. Bean Inc. in Portland, Maine, and senior vice president on the ASSP board of directors.
“We feel there needs to be more of a baseline to begin work,” she said. “We need to identify between men and women what their leadership opportunities are, and we don’t have that data right now.”
“One of the gaps we identified was education, so we talked about what kind of training in leadership could be offered for women in OSH,” Ms. Roy added. “Quite honestly, we all acknowledged some of those things could be done for men as well.”
Risk managers can develop better risk management programs if they collaborate effectively with other departments, but first, they must win their colleagues’ trust, two risk management professionals said.
By adjusting how they communicate, risk managers can learn more about the concerns of other departments, explain possible solutions to problems and be viewed more as a business partner than a person who deters risk-taking, they said.
While many companies are either underinsured, overinsured or carry the wrong type of insurance, risk managers often feel that they are known as the “department of ‘no’” and that other department heads don’t tell them enough about the risks they face and, therefore, they are hampered in their job, said Liz Walker, director of enterprise risk and global insurance for Groupon Inc.
To solve that problem, she said, risk managers should take more ownership of the situation and ask: “How can I reduce or manage risk if I’m not communicating effectively?”
She was speaking during a session Monday at the Chicagoland Risk Forum, sponsored by the Chicago and Mid-Illinois chapters of the Risk & Insurance Management Society Inc.
“It’s about us. It’s about how we conduct our relationships internally and externally,” Ms. Walker said. Risk managers should generate trust and a sense of partnership with others at their organizations before they approach them about renewals, claims review and other risk management issues, she said.
To encourage trust, risk managers should adopt communications strategies that reflect their goals, such as using risk management to identify opportunities for business units, Ms. Walker said.
Or they can make clear how they can help colleagues through their insurance expertise, said Mary Friedl, insurance and claims manager at Redbox Automated Retail LLC in Oakbrook Terrace, Illinois, who introduces herself to colleagues as “the insurance nerd.”
“They know me now, and they know that if they need the insurance section of a contract reviewed to make sure it’s appropriate, they come to me,” she said.
Once risk managers have articulated how they can help people, they should ensure they are aligned with their organization’s values and strategy, develop and use a common language around those goals and values, and frame conversations with colleagues with those goals in mind, Ms. Walker said.
For example, rather than simply ask for total insured values at renewal times, risk managers should meet with facilities managers to let them know that they are looking to cover all property and equipment and ask about recent purchases and plans for the next year so they know the risk manager is seeking to align the coverage with their plans, she said.
Getting access to operating plans for different lines of business is also valuable for risk managers, she said. “It tells you not just what risks are coming up, but also what keeps your business partners up at night, which is a goldmine for potential opportunity to help them solve their problems,” she said.
Risk managers should also adjust the terms they use to reflect their audience, said Ms. Friedl. “Keep in mind who your audience is and what you want to get across to your audience.”
Risk managers can also use outside service providers, such as brokers, to help communicate with other managers within their organization, Ms. Walker said. For example, brokers offer training services where they come into an organization and talk about specific coverages and other issues that are relevant to various departments, she said.
Active shooter coverage available in the market can cover a wide variety of potential liabilities for employers whose workers, customers and others are impacted by such an incident, experts say.
Laura Zaroski, Chicago-based area senior vice president, law firms practice, for Arthur J. Gallagher & Co., said active shooter coverage, which primarily comes out of London, with a handful of domestic insurers, can include counseling, medical disability expenses for victims, funeral expenses, death benefits, and “loss of attraction” coverage, when a mass shooting results in a loss of revenue because people are no longer coming to the location of the incident.
She spoke during a session at the Professional Liability Underwriting Society’s conference in San Diego on Thursday as attendees were still absorbing the news of the shooting in a Thousand Oaks, California, bar Wednesday in which 12 victims and the gunman died.
Ms. Zaroski said other coverages include the cost of upgrading a building and its security, damages to a building, relocation costs and sometimes the cost of a teardown following an incident.
Thomas Lookstein, New York-based head of financial and professional line claims for Starr Adjustment Services, a division of the Starr Cos., said one question that should be addressed is whether these policies have terrorism exclusions.
Marchelle M. Houston, senior vice president, bond and specialty insurance, for The Travelers Cos. Inc., said another potential claim is kidnap and ransom, where people are unable to leave a facility during an incident. You have to look at the host of allegations and policy terms and conditions to determine other insurance issues as well as exclusions, she said.
“We shouldn’t just be waiting for an event to do it for the first time,” Ms. Zaroski also said. “Let’s learn what to do and handle the situation before it arises.”
With the number of shooting incidents increasing, “more and more lawsuits are being brought against employers” in their wake, said Claudia A. Costa, a partner with Gordon Rees Scully Mansukhani LLP in New York, who moderated the session.
The U.S. Occupational Health and Safety Administration’s general duty clause states employers must have a place free of recognized hazards, and active shooting incidents are considered such a hazard, said Ms. Costa, adding her firm has been involved in defending some of these cases. Claims filed against employers in active shooter situations include negligence and failure to train workers, she said.
Other charges, she said, include negligent hiring and retention, which was an issue in the 2003 naval yard shooting in Washington that left 12 dead.
In that case, complaints from fellow employees that the shooter heard voices in his head were not addressed, and there had been a prior incident in which the shooter had shot through his ceiling to the apartment of a neighbor, she said. Bullying was cited as a factor in the 2015 San Bernardino shooting, in which 14 people were killed, said Ms. Costa.
More lawsuits are being filed against employers in connection with active shooter incidents, said a speaker at the Professional Liability Underwriting Society’s conference in San Diego on Thursday.
Claudia A. Costa, a partner with Gordon Rees Scully Mansukhani LLP in New York, spoke during a session on significant employment liability issues at the conference as attendees were still absorbing the news of the shooting in a Thousand Oaks, California, bar Wednesday in which 12 people plus the gunman died.
She observed that all the recent incidents have the common factor of having occurred in a workplace, whether it was a bar, a place of worship or a school.
With the number of these incidents increasing dramatically, “more and more lawsuits are being brought against employers” in their wake, said Ms. Costa during the session.
The U.S. Occupational Health and Safety Administration’s general duty clause states employers must have a place free of recognized hazards, and active shooting incidents are considered such a hazard, said Ms. Costa, adding her firm has been involved in defending some of these cases. Claims filed against employers in these situations include negligence and failure to train workers, she said.
Other charges, she said, include negligent hiring and retention, which was an issue in the 2003 naval yard shooting in Washington, D.C., that left 12 dead.
In that case, complaints from fellow employees that the shooter heard voices in his head were not addressed, and there had been a prior incident in which the shooter had shot through his ceiling to the apartment of a neighbor, she said. Bullying was cited as a factor in the 2015 San Bernardino, California, shooting, in which 14 people were killed, said Ms. Costa.
These shootings and the ensuing litigation have “made all employers take notice of these risks,” which can involve employees, customers, clients, strangers and those related to these people, said Laura Zaroski, Chicago-based area senior vice president of the law firms practice for Arthur J. Gallagher & Co.
Coverage, which varies, is primarily coming out of Lloyd’s of London right now, she said, with a handful of domestic insurers. Coverage can include counseling, medical disability expenses for victims, funeral expenses, death benefits and “loss of attraction” coverage when a mass shooting results in a loss of revenue because people are no longer coming to the location of the incident.
Other coverages include the cost of upgrading a building and its security, damages to the building, relocation costs and sometimes the cost of a teardown following an incident, she said.
Employees should be trained to recognize potential situations. “We shouldn’t just be waiting for an event to do it for the first time,” said Ms. Zaroski. “Let’s learn what to do and handle the situation before it arises.”
Thomas Lookstein, New York-based head of financial and professional line claims for Starr Adjustment Services, a division of Starr Cos., said one question that should be addressed is whether these policies have terrorism exclusions.
Marchelle M. Houston, senior vice president, bond and specialty insurance, for The Travelers Cos. Inc., said another potential claim is kidnap and ransom, where people are unable to leave a facility during an incident.
Other issues covered during the session included the #MeToo movement, sexual orientation discrimination, religious discrimination and Supreme Court rulings.
Author: Judy Greenwald
Source: Business Insurance
While the number of incidents and casualties declined in 2017, a report released Monday by Marsh L.L.C. said terrorism is still a significant threat and that the insurance market is adapting to handle the evolving risk.
Marsh’s 2018 Terrorism Risk Insurance Report, which explores the state of the terrorism insurance marketplace, said that in the wake of recent events, terrorism insurers are expanding terrorism definitions to include active assailant events.
In some cases, the report said, insurers also are developing specialty products that offer first- and third-party business interruption protection for businesses that suffer lost income or revenue without the need for a direct property damage trigger.
Although fewer people were killed in terrorist attacks in 2017 than in 2016, the Marsh report said the means of attack and perpetrators have shifted.
“Past attacks were carried out primarily by specific groups against perceived high-value-high-profile targets,” the report said. “While that threat remains, many recent attacks have come against soft targets and been perpetrated by ‘lone wolves’ and small groups with no direct connection to known terrorist organizations. Weapons of choice now include vehicles, knives and other handheld devices.”
In 2017, the report said, pricing increased in five of the 17 industries surveyed by Marsh, with the sharpest increases being felt by hospitality and gaming companies, public entities and nonprofit organizations, which have been targets of terrorist acts in recent years.
Pricing declined in seven industries, the report said, most notably for energy and mining and construction companies, reflecting the generally positive conditions in the property insurance market prior to the 2017 Atlantic hurricane season.
Sixty-two percent of U.S. companies in 2017 purchased coverage embedded in property policies under the Terrorism Risk Insurance Program Reauthorization Act of 2015, or TRIPRA. Companies in the Northeast U.S. were most likely to purchase terrorism insurance, Marsh said.
The number of Marsh-managed captive insurers actively underwriting one or more insurance programs that access the TRIPRA increased 44% to 166 captives in 2017.
After incurring sizable ransomware losses in 2017, kidnap and ransom insurers are seeking to restrict coverage for cyber risks in their policies.
Terrorism insurance capacity remains strong, the report said, but pricing could increase as global insurance costs generally increase following natural catastrophe losses in 2017. January 2018 year-over-year pricing changes for a majority of reinsurance program renewals that included terrorism coverage averaged flat to an increase of 10% on a risk-adjusted basis, according to the report.
The Marsh report made several suggestions for businesses in the face of evolving terrorism risk, including continually reviewing and reevaluating their risk financing programs to ensure they have adequate protection for property, business interruption, workers compensation, general liability and cyber losses.
The report also encouraged businesses to effectively model their terrorism risk and to build and test robust crisis management and business continuity plans.
Author: Rob Lenihan
Source: Business Insurance