Joel Berg

Joel Berg is a freelance writer and adjunct writing teacher based in York, Pa. He has covered business and regulatory issues. He can be reached at riskletters@lrp.com.

2014 Risk All Star: Zachary Gifford

Finding the Balance

With thousands of students traveling and taking the field every semester as part of campus sports clubs, leaders of The California State University system couldn’t afford to sit on the sidelines.

So when Zachary Gifford joined the system’s risk management office in 2008, he quickly found himself on a conference call with campus administrators who had been kicking around ways to mitigate the risks.

“The learning curve was like a black diamond ski slope,” said Gifford, associate director for systemwide risk management for the CSU system, based in Long Beach, Calif.

Administrators began scrutinizing sports clubs, which are separate from NCAA-sanctioned sports, after two fatal accidents involving students in the early 2000s.

“It was a serious exposure to the university that needed to be addressed, and it’s an example of something that every campus was handling a little differently,” said Cindy Parker, who works closely with Gifford and CSU in her role as vice president of operations for Sedgwick Claims Management Services Inc.

Zach Gifford, associate director, systemwide risk management, The California State University

As Gifford hashed out a uniform approach, he had to balance the needs of 23 campuses ranging in size from fewer than 6,000 students to more than 35,000. Some had well-established sports clubs, while others were just getting started.

Ultimately, Gifford wanted to produce policies and procedures that every program could use, and that would not be seen as directives from above by campuses that treasure their autonomy.

For two years, Gifford and his fellow risk managers in the chancellor’s office worked closely with campus-based risk managers, club administrators and other university personnel to develop a comprehensive guide for club sports. A final document came out in 2010, and reflected Gifford’s collaborative approach.

“He really respected the comments and the input and, especially as a risk manager, was kind of able to see things from both sides if there was a little bit of push back and conflict between how a risk manager might see something, and how a practitioner might see something,” said Pam Su, campus recreation director at San Francisco State University.

She helped lead implementation of the guide.

Some campuses, for example, balked at travel policies they felt were too onerous. The final guide allowed those clubs to essentially acknowledge they are traveling on their own, in non-university vehicles, outside university control.

Two years after the guide came out, the system launched an insurance program for club sports, giving campuses access to more uniform coverage. Clubs are required to have adequate insurance, but don’t have to go through the CSU program.

All but one or two campuses have opted into the program so far, Gifford said. He expects the coverage to eventually give CSU a better picture of the overall risks and a way to explore possibilities for self-insurance.

A new version of the guide is due out this fall, with revisions reflecting a recent survey of its users.

Overall, the feedback has been positive.

“A lot of the sports club administrators were actually really thankful for having some guidelines in place,” said Su.

_____________________________________________

Risk All Stars stand out from their peers by overcoming challenges through exceptional problem solving, creativity, perseverance and/or passion.

See the complete list of 2014 Risk All Stars.


2014 Risk All Star: Michael Gross

Ending Unnecessary Accidents

With accidents piling up at a rate of nearly one per week, Convergint Technologies suspected its drivers were distracted, possibly by their cell phones.

Michael Gross, national safety director, Convergint Technologies

One clue was the proportion of accidents in which Convergint drivers rear-ended other vehicles, said Michael Gross, national safety director for the Illinois-based company, which installs and services safety and security systems for commercial, industrial and institutional customers.

In 2012, the company recorded 44 claims for such accidents, representing 75 percent of total accident claims and a cost of $214,550.

Backed by senior and local management, Gross unveiled a cell-phone ban in November 2012 that got drivers’ attention — and slashed company losses.

In 2013, Convergint faced 12 claims for rear-end accidents in which its drivers were at fault. The number is even lower in 2014, with only one or two rear-end accidents in the first six months, Gross said. The company has 555 vehicles, mostly small vans, on track to cover 10 million miles this year.

“I never in a million years would have dreamed that you could reduce the accident rate at the rate that they did,” said Fred LeSage, senior risk engineer with XL’s North American construction business.

“Personally, I rarely talk on the phone while I’m driving any more, and it’s more a result of this than anything else.”

But it wasn’t just a ban that made Convergint’s policy effective, said Gross, who is based in Houston. It also required buy-in from company managers and an effective enforcement mechanism.

And by trusting employees to do the right thing, rather than install devices that blocked calls, the policy stayed true to Convergint’s principles, Gross said.

“Everybody understood that it would be based on our [core] value and belief, that we expect you to have integrity and you’re going to follow the policy when nobody’s looking,” Gross said, noting there is verification alongside the trust.

If a Convergint driver is at fault in an accident, the company pulls phone records from 60 minutes before to 30 minutes after to see if a phone was in use, Gross said. If it was, the driver faces disciplinary action. The first offense draws a written reprimand and a day off without pay. A second offense could lead to termination.

Drivers don’t have to worry about ignoring a call from a supervisor or vendor. Under the policy, they recorded new voicemail greetings indicating they were away from the phone or behind the wheel. In meetings to introduce the policy, managers emphasized the importance of safety over instant communication.

“A big part of the policy’s success is that leaders and managers supported it, and our drivers understood that,” Gross said.

After Convergint’s drivers put down their phones, they began noticing all the other drivers who had not. Now, Gross is exploring training opportunities that will keep the company’s drivers from falling victim to other people’s distractions.

“We’re actually the ones getting rear-ended a lot because, I guess, everybody else is texting and not paying attention to what they’re doing,” he said.

_____________________________________________


Cyber Security

Into the Breach

State and federal regulators are increasingly looking at cyber defenses, not just breaches.
June 2, 2014

Think of it as a seatbelt check for cyber security.

Just as police set up checkpoints to audit compliance with seatbelt laws and other rules of the road, state and federal regulators appear increasingly likely to gauge whether companies are following the rules of data protection.

“It’s a logical move, unfortunately, because of Target and all of the other breaches that have occurred, and even breaches within federal agencies,” said Jerry Irvine, CIO of Prescient Solutions, an IT outsourcing company in Schaumburg, Ill. He serves on a public-private task force on cyber security.

To date, regulators mostly have been reactive, according to cyber security specialists. After a data breach, companies are expected to notify consumers, and to conduct forensic reviews to determine what happened.

The approach also has included an emphasis on disclosure to investors and other stakeholders. In 2011, the U.S. Securities and Exchange Commission issued guidance calling on public companies to discuss cyber risks and incidents in their regulatory filings.

Recently, however, the focus has broadened to include a closer look at cyber defenses, regardless of whether they have been penetrated. The closer look doesn’t necessarily require new laws, experts said.

In May, the New York State Department of Financial Services said it would beef up assessments of cyber security among state-chartered banks. “The revised procedures are intended to take a holistic view of an institution’s cyber readiness and will be tailored to reflect each institution’s unique risk profile,” according to the department.

The SEC, meanwhile, announced this year that it would examine handling of cyber risks by registered broker-dealers and registered investment advisers.

“I think they’re going to be holding more people’s feet to the fire,” said Bob Parisi, managing director and cyber practice leader for Marsh. “But I think it will be through the application of existing regulations and standards.”

No new rules were introduced in the SEC’s 2011 guidance, Parisi noted. But the document prompted action nonetheless. “We saw an absolute spike in companies reporting risks on annual reports and SEC filings,” he said.

It’s not just public companies and financial services in the crosshairs. All companies are likely to face greater scrutiny.

The approach will vary by industry, said Tom Reagan, large risk underwriter for breach response at Beazley, a specialty carrier. “But it does seem clear that regulators do have the bit between their teeth, and they are determined to reach their goal: protection and safeguarding of consumer and corporate information in the U.S. That’s a good goal.”

One sign of increased scrutiny is a rising volume of breaches first identified by law enforcement, rather than the targets, Reagan said, citing anecdotal evidence from Beazley clients. The calls result, in part, from a 2013 executive order from President Obama asking for greater sharing of information with private entities.

“Law enforcement is taking that to heart,” Reagan said.

Regulators also are digging deeper via post-breach audits, he said. Even when the breach seems small, they want to ensure the damage isn’t worse than initially reported.

“They’re pulling on that thread to see where it goes,” Reagan said, noting that regulators are relying on existing authority to do so.

In one case involving the Health Insurance Portability and Accountability Act, or HIPAA, an investigation by the Department of Health and Human Services found that a breach initially described as affecting seven people had actually affected 1,581. The department also found wider noncompliance with HIPAA’s privacy, security and breach notification rules.

The organization under investigation, Skagit County, Wash., agreed in March to pay $215,000 and work with regulators to strengthen HIPAA compliance, according to the HHS. The breach took place in Skagit’s public health department.

As law and practice continue to evolve in the United States, companies also need to pay attention to developments overseas, said Ken Goldstein, vice president and worldwide cyber security manager for Chubb Group of Insurance Cos.

In many countries, the laws are less stringent, though that is changing.

But even if a company suffers a breach in a country with no rules requiring customer notification, a company’s reputation could still suffer, Goldstein said.

It’s not just regulators who are watching.

“Do you really want to be the company that gets outed by some kind of online expert who’s in the know about breaches, or do you want to make a voluntary notification?” Goldstein said.
