Canadian Underwriter

Keeping Pace

July 12, 2017   by Angela Stelmakowich, Editor


RIMS Annual Conference & Exhibition

The RIMS Annual Conference & Exhibition, held in Philadelphia April 23 to 26, offered a host of sessions from which to choose.

Front and centre, though, was talk of technology risks.


Risk managers need to take the lead in organizational efforts to address complex challenges and opportunities in an environment that increasingly features rapidly advancing disruptive technology risks, a report from Marsh and RIMS has found.

“We believe risk management professionals should be leading the way as companies adapt to technology innovation, with the understanding that those who fail to do so will be relegated to a supporting role,” cautions the report, released at the 2017 RIMS Annual Conference & Exhibition.

Despite the importance, there seems to be a lack of awareness among risk professionals regarding existing and emerging technologies (such as telematics, sensors, the Internet of Things (IoT), smart buildings and robotics) and their risks.

Findings are based on 700-plus responses to an online survey and a series of focus groups with leading risk executives earlier this year.

Just shy of a quarter of respondents say their organizations do not currently use or plan to use any of 13 common disruptive technologies cited. This seems at odds with some estimates that 90% of firms will be using IoT within a few years.

In addition, six in 10 respondents note they do not conduct risk assessments around disruptive technologies despite their potential impact on the business strategy, model and risk profile of the company.

“Companies cannot afford to be surprised when technology fails or goes awry. Risk executives need to fortify their strategic role by understanding how technologies impact business models and the direction of entire industries,” authors argue.

“Organizations cannot fully realize the rewards of using today’s innovative technology if the risks are not fully understood and managed,” says Brian Elowe, report co-author and United States client executive leader for Marsh.

“Risk professionals are advised to proactively educate themselves about disruptive technologies, including what is already in use at their organizations, what technologies may be on the horizon, and the respective risks and rewards of using such technology,” advises Carol Fox, report co-author and RIMS vice president of strategic initiatives.


The value of staff monitoring and reporting to identify behaviours that may seem linked to the risk of terrorism and workplace violence should not be underestimated, Harry Rhulen, chief executive officer of Firestorm, said as part of an educational session at 2017 RIMS.

“The ability to identify those people (possible threats) and the things that they are going to do are in the hands of all of us,” Rhulen said during Terrorism Measures You Can Take: Lessons from Nice, Paris and Mumbai. “The eyes and the ears of your employees – if they’re well-trained, if they understand what the issues are – are a far more useful tool that we’ll get more data and intelligence from than you might from almost anything else.”

Although a hurdle has been that no one wants to get involved and report possible cues, he said, “what everybody needs to understand is if we’re going to combat terrorism and if we’re going to combat workplace violence, it’s going to need to be on a basis where we err on the side of caution, not on the side of privacy.”

Whatever steps organizations can take to be better prepared, informed and trained are worthwhile since terrorism or like attacks are changing rapidly, he pointed out. Consider, for example, the growing use of vehicles as weapons to cause mass casualties. It is essential to keep “your plans, your training, your education, your thought processes broad enough to understand that bad people are going to find new ways to do things.”

With autonomous vehicles, for example, Rhulen’s view is they are “going to change this issue of vehicular attacks significantly. So understanding how you control the movement of vehicles on your property, around your building, all those kind of things” is imperative.

He advises companies to ensure there is insurance coverage in place to cover terrorism, active shooter and mass casualty-type events; understand any exclusions; train people on behaviours of concern and put in place anonymous reporting; do threat assessments; and make sure that everybody is involved by carrying out test exercises.


The human element is routinely overshadowed by technology in organizational efforts to bolster cyber security and combat associated costs, Anthony Dagostino, global head of cyber risk for Willis Towers Watson (WTW), told Canadian Underwriter in advance of 2017 RIMS.

“Companies tend to place a heavy emphasis on investing in technology to improve cyber defences, which is crucial, however, often at the expense of human risk,” said Dagostino, part of a private panel discussion during the conference.

Recent WTW claims data shows that employee negligence or malicious acts account for 66% of cyber breaches, while only 18% were directly driven by an external threat and cyber extortion accounted for just 2%. “Our data further shows approximately 90% of all cyber claims are the result of some type of human error or behaviour,” he said.

“This creates a compelling argument for organizations to take a more strategic approach to how they allocate their capital across the three main buckets: technology, people and risk transfer,” Dagostino reported. “Companies need to understand, quantify and provide sufficient capital for their greatest exposures.”

What hurdles must be cleared? “It really starts with an enterprise-wide approach to combating cyber risk, which includes employee training, an effective talent and rewards strategy, and an efficiently designed information technology and information security program,” he said.


Quantifying business interruption (BI) losses is a big challenge, reported by six in 10 RIMS members participating in a recent survey, but a well-conceived approach can help clear hurdles.

“By taking control of their data, establishing a team and developing plausible BI figures before losses occur, risk managers can do much to lessen the confusion and frustration common to these claims process,” notes the RIMS Business Interruption Survey 2017, issued at 2017 RIMS.

Reflecting input from 372 RIMS members, findings show 58% of respondents who have been through a BI claim say “difficulty quantifying loss” was the biggest challenge they faced; 68% say they feel their maximum indemnity period is adequate; and 35% say their organizations have 12 months as the length of the maximum indemnity period.

In all, just 17% of polled risk managers report they were “extremely confident” their BI values and limits are adequate. On the other end of the scale, 11% characterize themselves as having no confidence.

“The low rate of confidence in BI values indicates the need for organizations to do more analysis before BI limits and values are determined,” the survey notes.

Add to that the fact that overall exposure data for both property damage and BI is important in establishing the correct perception of risk. “Experience dictates that the clearer you are in relation to your exposures, and the more information you provide to your insurers, the smoother the claims process is likely to be,” the report adds.


Silence is decidedly not golden when it comes to cyber risk, Scott Stransky, assistant vice president and principal scientist for AIR Worldwide, suggested to Canadian Underwriter before 2017 RIMS.

Silent cyber occurs when the risk for a cyber event impacts a non-affirmative cyber policy (an affirmative cyber policy is written specifically for cyber, with limits and terms), said Stransky, who took part in a panel discussion at the conference.

Though not intended to cover cyber, the policy ends up being used because cyber is what caused the loss, he noted. Consider, for example, a directors and officers policy being used after a director opted not to pay for installing software recommended by IT staff and the company then suffers a hack, he said.

Even “scarier” is silent, silent cyber, when the link between an event and damage is “very, very indirect,” he added.

“Silent cyber and what we call silent, silent cyber are very big deals and they lead us to believe that most insurance policies today contain some exposure to cyber risk,” Stransky argued. “If you have an insurance book of business and you don’t explicitly exclude cyber from your policies, you probably have cyber and you should probably start managing it properly,” he cautioned.


