Risk, Interrupted

The slow-moving, massive system that was Hurricane Sandy is but a reminder. The storm brought with it wind and rain, that delivered damage through reach and surge, that then stretched recovery beyond days to months.

Sandy shows perhaps less starkly – but certainly more recently – what lessons have (or should) be taken from catastrophic events not so long ago. The Japan earthquake and tsunami, as well as the Thailand floods, in 2011 produced heavy losses, delivered a hard economic hit and crippled certain supply chains, at least for a time, throwing them into harried catch-up mode.

Today, there are, by turns, encouraging and disconcerting signs about whether or not available lessons have truly taken hold. Although the progress to date may not be everything that all may want it to be, there appears to be enhanced awareness of both business interruption (BI) and contingent business interruption (CBI) issues, in addition to the value of partnering proper risk management measures with appropriate insurance to help avoid the devastation that can be avoided, and to deal with what damage cannot. 

NOT SO GENTLE NUDGE

Recent history is replete with events that could not have been avoided, but perhaps the effects and costs of which could have been mitigated.

Natural catastrophes are a usual harbingers of damage for BI that may then lead to CBI. The 15-fold rise in insurance claims caused by weather events over the last 30 years is the result of a number of things, including an increase in insured assets worldwide and “the ongoing shift towards settlement in high-risk coastal regions,” Markus Stowasser, meteorologist at Allianz Re, notes in Allianz Risk Barometer 2013, based on responses from 500-plus risk management and underwriting professionals surveyed by Allianz Global Corporate & Specialty (AGCS) about global business risks for 2013.

But recent history is also marked by an ebb and flow of attention paid to BI and CBI. On the face of it, however, awareness seems to be on the rise.

“There’s definitely more focus on CBI from the customers’ side and especially from the insurers’ and reinsurers’ side,” reports Markus Franc, director of corporate underwriting at Zurich Insurance Company in Toronto.

Allen Melton, a partner in assurance services at Ernst & Young in Dallas, would likely agree. “If you look at what has happened in the industry the last couple of years, going back to the 2011 Japan earthquake and tsunami, followed by the extensive flooding in Thailand, and now Hurricane Sandy, I think it certainly has raised awareness and the potential issues that are out there, from a supply chain standpoint,” Melton says.

Citing the effects on the technology and auto sectors in 2011, he adds: “Just because you’re not physically located in a geography doesn’t mean you’re immune to these types of issues, and I think that was a real wake-up call to a lot of companies, as well as the insurance industry, about how big an issue this is.”

Events like the Japan earthquake, tsunami and nuclear meltdown “seem unprecedented, and I think people start to realize that you can have more than one peril create several kinds of catastrophes,” suggests Nowell Seaman, manager of risk management and insurance for the University of Saskatchewan in Saskatoon, and treasurer of the RIMS Board of Directors.

But it is not just natural catastrophes that can interrupt business operations. There are also events as varied as labour unavailability, IT glitches, government interference, transportation issues, political instability, civil unrest, limited suppliers, suppliers being located in a single area and regulatory orders.

Most likely to file a CBI claim are “manufacturers in general, and those dependent on others, such as suppliers, key customers, single transportation corridors, single sources of energy and key local attractions,” notes Robert Harder, head of Robert Harder Risk Consulting Inc. in southern Ontario.

A TWIST ON CLAIMS

Hurricane Sandy, transformed into a post-tropical storm by the time it made landfall in New Jersey on October 29, reduced parts of the Garden State to drenched debris. The storm was equally unkind to New York City, flooding certain areas under a record storm surge.

New York and Washington, D.C. “ground to a halt,” at the hands of Hurricane Sandy, notes Allianz Risk Barometer 2013.

The Sandy Update from Fitch adds the event will produce a loss split of 60% to 65% commercial lines and 35% to 40% personal lines, reverse that for most hurricane events. “Much of this shift is due to flooding from the record storm surge being such a significant component of catastrophe damages, particularly in large commercial areas, including lower Manhattan,” the report states.

“As global warming progresses, there is a risk that sea levels will rise in the future,” Stowasser says in Allianz Risk Barometer 2013. “This means that in the worst-case scenario, the potential economic damage caused by a very strong hurricane in the New York metropolitan area could rise to trillions of U.S. dollars by 2050 without mitigation measures,” he adds.

“With the pressure on global supply chains today, weather-related incidents do not have to be catastrophic. It could be very localized, not devastating, but cause enough of a disruption that it results in downtime, fines, penalties or loss of reputation that can add up to meaningful dollars quickly,” suggests Michael Loeters, vice president and risk management practice leader (Ontario) for BFL CANADA Risk and Insurance Services Inc.

CLOSE TO HOME

Perhaps, however, no event sends a message more clearly than the one that hits operations and demonstrates the value of risk management efforts. “There is nothing like a disaster to spark interest in one’s own vulnerability,” Harder points out.

“If a company has not experienced a loss, especially where there’s business interruption involved or even contingent BI, they may not truly understand the exposures,” says David Black, vice president and industry leader of manufacturing for Cowan Insurance Group, which provides insurance and risk management products and services to businesses, organizations and individuals. Black characterizes the majority of Cowan clients as “large multi-million dollar companies rather than large multi-billion dollar companies.”

For those who took part in the AGCS survey, supply chain risk is an issue that is top of mind. Business interruption/supply chain risk topped the list for the respondents, cited by 45.7% as among their top three risks – more than the 43.9% for natural catastrophes, and the 30.6% for fire and explosion.

The heightened concern may have something to do with both supply chain risk exposure and frequency of incidents being on the rise.

So suggests results from a survey last year by Deloitte Consulting LLP, which involved 600 executives at manufacturing and retail companies, the majority located in North America, Europe and China, with a minimum of $100 million in annual revenues.

In its report, The Ripple Effect: How manufacturing and retail executives view the growing challenge of supply chain risk, 53% of executives reported that these events have become more expensive over the last three years, including 13% who reported they had become much more costly.

Ranking among their top two picks, responses indicated the most costly outcomes of risk events in the supply chain are margin erosion, 54%; sudden demand change, 40%; physical product flow disruption, 36%; product quality failure, 32%; regulatory non-compliance and/or worker-safety failure, 21%; and social responsibility failure, 17%.

Beyond the what was the where. Locations in the supply chain of the most costly outcomes of risk events over the last three years were company-owned supply chain operations, 38%; Tier 1 (direct) suppliers or third parties, 37%; Tier 2 suppliers, 27%; direct customers, 27%; company-owned functions that support supply
chain operations, 23%; upstream logistics partners, 21%; indirect customers, 17%; and downstream logistics partners, 11%.

Looking beyond Tier 1 is critically important to get a full picture of risk. “Your immediate customer or supplier may be okay, but it’s the supplier of the supplier where the issue might have occurred,” says Melton. “There were clients that we worked for after the Japan earthquake, who traditionally don’t really know who all those Tier 2 suppliers are. Their contracts are with Tier 1 suppliers who, as long as the Tier 1 supplier is contracting with somebody who can provide the right componentry, the right quality and so forth, it’s not visible.”

With supply chains becoming more interconnected and global, they have also become more vulnerable, Deloitte reports. There are now more potential points of failure and less margin of error for absorbing delays and disruptions.

Deloitte has documented 200-plus significant sources of supply chain risk under four categories:

• macro-environment risks, such as natural disasters and downturns in the global economy, that can have an impact on any portion of the supply chain risk, or across the entire supply chain;

• extended value chain risks, stemming from problems with upstream or downstream supply chain partners;

• international operational risks, which can occur anywhere along the chain from product development and manufacturing to distribution; and

• functional support risks – in areas such as legal, finance, human resources and IT – that can lead to such things as a lack of needed talent to interruptions in the vital flow of operational data.

NEED FOR RESILIENCE

Central to avoiding costs is adopting appropriate risk management that, at its core, involves a careful and thorough assessment – wherever risks may fall along the supply chain. “It’s important that the organization identify and assess its exposure to supply chain disruption,” Seaman emphasizes. “That’s really where you have to start.”

That start will necessitate asking obvious, but still vital, questions: What is your risk? What is the magnitude? How vulnerable are you to the risk? What would the impact be? “Then from there, determine whether or not contingent business interruption insurance needs to be part of the solution,” Seaman says.

“When most companies are evaluating the resilience of their supply chain, they tend to focus on well-known areas of exposure, such as regions prone to earthquakes, forest fires, hurricanes, flooding, etc.,” Loeters says. But the Japan tsunami, the Thailand flooding and Sandy “have caused people to re-examine their supply chains because these were events that no one expected and caused significant global disruption to certain industries,” he says. “Many Canadian companies have started to look at their preparedness, and re-evaluate their supply chain resilience criteria.”

Franc suggests that an “absolutely key driver” in choosing a supplier revolves around customers asking suppliers for their business continuity plans.

“We are finding clients are more interested in discussing the scope of coverage and proactive ways to mitigate their supply chain risk,” notes an e-mail response from Marsh Canada Limited’s Andrew Clark and Gayle Mitcham. “We have also seen increased interest from clients wanting to ensure that their business continuity plans are in place and effective,” reports Clark, vice president and department manager of small/medium enterprise insurance and risk solutions, and Mitcham, vice president and national practice leader of the business continuity practice for Marsh Risk Consulting.

“If companies have developed, continue to evolve, and test their business continuity program with the help of third-party professionals, we typically find that they are prepared for most situations,” Clark and Mitcham point out. “However, we often find business continuity planning either does not exist at all or is something that was done to ‘tick the box,’ and a ‘canned’ business continuity plan sits on a shelf and is not updated or tested to ensure it meets the evolving needs of the organization,” they add.

“There are many things that come into selection of a supplier and one of the challenges is ensuring that this becomes part of the criteria when you’re considering a supplier,” Seaman says. “Ideally, you’d like a supplier that has its own plan for redundant supply or multiple operations or spread of risk.”

There is a need for an organization to understand its “full supply chain right down to the production of the raw materials, in many cases, in order to create a risk management plan that will be effective,” Loeters emphasizes.

“If I can’t get supply of raw material, I can’t make a product. And if I can’t get raw material because my supplier suffered a loss, I’m going to suffer a business interruption unless I can source material elsewhere,” Black says, adding that he is not certain clients understand the extent of their exposures.

“As a risk manager, you would want to understand where the client’s revenue is derived from, who are their largest customers, how do they protect against that, where does their supply come from, do they have redundancy in their supply chain,” he adds.

Although risk management best practices to mitigate CBI loss are available, Loeters suggests that many organizations are selective about which best practices they choose to implement.

Deloitte reports the most common risk management strategies to prevent or recover from supply chain risk events are as follows: developing business continuity and risk contingency plans, 45%; building stronger extended value chain relationships, 41%; and building the ability to rapidly adapt the production or distribution network, 41%. That said, just 36% of respondents reported using predictive modelling, risk sensing data and worst-case scenario modelling. “The limited use of such tools may contribute to challenges associated with implementing risk management strategies, measuring program benefits, establishing effective performance metrics, and supply chain risk governance.”

While trends like lean manufacturing, just-in-time inventory, reduced product life cycles, outsourcing and supplier consolidation, “have yielded compelling business benefits, they have also introduced new kinds of supply chain risk and reduced the margin for error,” the report adds.

Notes Franc, “There are more and more companies doing just-in-time manufacturing. They only keep a very thin inventory. That leaves very little room for error and even a relatively small-scale supply chain disruption can result in a relatively large financial loss.”

It may also be important to secure agreements with others to help avoid shutdowns should, for example, a key machine go down and stop production, Black says. These agreements “will allow you to have redundancy in your production, even at a higher cost. That’s better than being totally shut down,” he says. “Insurance can fill that higher cost through extra expense coverage.”

UNDERSTANDING COVERAGE

Despite the estimated BI and CBI claims in the wake of Sandy, Fitch noted last fall, many firms do not purchase CBI insurance and related losses have been underestimated in previous disasters.

But the marketplace is underwriting the exposure more than it has in the past, says Loeters, including managing limits, geographical concentration and reinsuring more of the risk.

“Underwriters want to see evidence that companies are being proactive and implementing meaningful risk management controls before they are willing to offer significant levels of coverage.”

Although “insurance is a critical component of your risk management strategy,” Seaman says, it is only one piece of the puzzle. “When you go out and purchase contingent business interruption insurance, you have to realize its limitations. It will undoubtedly have exclusions and limitations,” he cautions.

“If I’m a risk manger, I really want to understand what my exposur
es are, what my coverages are, what my sublimits are,” Melton says. It needs to be about weighing all of those factors and the cost benefit, he says. “I’m sure most companies would prefer to keep the business running than collecting from insurance.”

Clark and Mitcham emphasize it is “important to review each insurer’s CBI clause in the context of your business needs as they typically differ. The trigger and waiting period/deductible are two areas clients typically need to understand better then they do.”

While most brokers understand what CBI coverage is, they may not understand “all the ways it can be customized to meet their insured’s specific needs,” Loeters points out. That may be because many brokers do not have a risk management model that is readily available, they are not trained on how to use such a model or they are unable to tap into internal resources, he adds.

As it currently stands, PwC notes in its Top Insurance Industry Issues in 2013 report that modelling for CBI risk is in an analogous stage to natural catastrophe modelling following Hurricane Andrew in 1992. But encouraging steps are being made. “Employing agent-based modelling techniques, geographical information systems and industrial supply chain information can be constructed,” PwC states. “This information can be practically incorporated into an agent-based CBI model, the output of which can quantify supply chain vulnerabilities both for specific firms and in the aggregate, irrespective of peril.”

The report suggests widespread adoption of a model by insurers would lead to added capacity for CBI risk protection, which would help to mitigate industrial risks and offer growth for the property and casualty market overall.

MATTER OF FOCUS

The Deloitte survey shows organizations are often unsure where to focus their risk-management efforts, and when they do take action, they often under-invest in dealing with risk.

One thing that is likely to drive action is putting a hard number on risk. By quantifying exposure, “the underwriter will be able to offer specific terms and limits on the specific price, again depending on how many physical supplies and suppliers would have to be insured,” Franc says.

“Most of our insureds know they have a risk, but they lack the tools to fully understand its scope and quantify the risk to their organization. Once this is properly quantified (generally in terms of dollars) an organization can more easily justify the business case to allocate appropriate resources and implement a meaningful plan,” Loeters suggests. “BI and CBI needs to start as a business discussion, not an insurance discussion.”

Enterprise-wide risk management “will address potential interruptions to business from many causes, direct or on a contingency basis. Addressing CBI as an insurance coverage issue overlooks many potential risks to an organization,” notes Harder.

“If you talk about Cat specifically, it’s probably safe to mention the insurance industry is going away from providing unnamed contingent business interruption and indirect contingent business interruption,” Franc says. “If you as an insurer provided unnamed CBI, you basically provide coverage and have no idea of where the supply is located,” he says. “You don’t know whether the location is in a designated Cat area or not.”

POSITIVE SIGNS

“To improve supply chain resilience, many companies consider adding back some redundancy into lean supply chains, even if this reversal of widely used single-supplier sourcing incurs additional costs,” Paul Carter, global head of risk consulting at AGCS, notes in Allianz Risk Barometer 2013.

“Global catastrophic weather events like Sandy and the Japanese tsunami, combined with increasing utilization of ‘just-in-time’ delivery are driving more interest around de-risking the organization – putting the focus on contingent business interruption, supply chain and business continuity management,” say Clark and Mitcham.

“Operating in a global village means that we have to think globally, and not just about our regional or national exposures. Even though a company may source locally, the reality is that when you dig deeper the exposure is almost always global. Many organizations are reactive in this area, but this can often be too late,” Loeters says.