Recall Mitigation Relies on Risk Managers
This is turning out to be a record year for auto-related recalls and, with the astronomical costs associated with them, insurance companies that offer accidental contamination or malicious product tampering policies are on alert.
This type of insurance is primarily used by food manufacturers, distributors, retailers and auto parts suppliers to cover business expenses related to a recall. And in light of recent events, you can be sure that parts suppliers are working closely with their insurers to see what losses are covered and what the damage will be to their bottom line.
Those with insurance are the lucky ones, as the costs associated with a recall can be significant, but even for those organizations, the results of the recall and subsequent insurance coverage rely heavily on the assessments of risk managers.
One of the key concerns for risk managers is cost containment.
Typically, an insurance company becomes engaged with the manufacturer when the recall is about to happen or has just happened. To get started on remediation, the insurer must determine the total loss of product and what services are needed.
Then, the insurer will pull impacted lots and have them tested by an independent company to confirm that a full recall is necessary. Risk managers must ensure that lot sizes and distribution channels are optimized to minimize the impact on the bottom line depending on the likelihood of a recall.
Throughout a recall event, a lack of effective risk management can cause manufacturers to make missteps that cost millions of dollars and negatively impact insurers.
For example, if organizations don’t have the ability to identify and isolate contaminated products from safe ones, they may end up crediting a retailer for the full lot and not just the impacted products – resulting in a cash loss.
Also, manufacturers may incur compliance fines as they scramble to meet all of the regulatory requirements surrounding recalls. Lastly, the complex logistics involved in a recall may prolong the process and expose the brand to greater risk.
Here are some best practices for risk managers to consider when faced with a recall:
• Ensure access to good data and tracking on impacted products, including information on where it is located and what the value of lost product is.
• If the origin of the recall is known, contact the source to see what damages they will pay and determine if legal action is needed.
• Encourage the organization to be recall-ready with a designated recall team and plan, and an understanding of the supply chain partners’ recall protocol.
As the global supply chain continues to become more complex, risk managers need to be vigilant when preparing for internal and supplier issues.
And for companies of all sizes, product contamination is a loss exposure that cannot be ignored. It’s occurring with alarming frequency in the U.S. and globally catching many organizations by surprise.
Companies that fall victim to these incidents often incur staggering costs in damage control and significant lag time in restoration of profits and reputation.
The Thrill of the Risk
In the ever-constant battle for the scariest rides, amusement park risk managers have their work cut out for them.
Owners constantly push the envelope in ride design to create an atmosphere of heightened risk to attract thrill-seeking patrons. That risk is only supposed to be an illusion, but it can become all-too-real thanks to the subjective decisions of park owners, ride operators and patrons themselves.
Case in point: In 2013, Rosa Esparza, a heavyset woman was allowed to ride a roller coaster at Six Flags Over Texas, but then fell out of the car and to her death when the ride turned upside down. Esparza’s family is now suing Six Flags and its parent companies, as well as the ride’s manufacturer, Gerstlauer Amusement Rides in Münsterhausen, Germany.
Video: ABC News reports on the deadly accident on the ‘Texas Giant’ roller coaster ride at Six Flags amusement park in July 2013.
Roughly 297 million people visit the 400 U.S. amusement parks annually and take 1.7 billion safe rides, according to the 2011 Fixed-Site Amusement Ride Injury Survey of the Association of Amusement Parks and Attractions. The chance of being seriously injured on a ride at a fixed-site park in the U.S is 1 in 24 million, and 61 of the 1,415 ride-related injuries, or less than 5 percent, required some form of overnight treatment at a hospital.
Most parks design and operate rides with the utmost safety in mind, but the tricky part is making sure the rides seem like they’re very risky, said Robert Murphy, global entertainment and events practice leader at Marsh in Philadelphia.
“If a park is marketing itself for thrill-seekers, they are typically pushing the big coaster speed rides,” Murphy said. “Then it becomes the battle for the most advanced ride – the fastest, tallest, most loops. There’s this constant competition to upgrade.”
Loss of public trust may be a park’s greatest exposure. “That’s what will kill your company.” — Jim Petersen, attorney specializing in risk management litigation
Likewise, risk managers of water parks have to contend with their own set of challenging risks, particularly patron drowning, or water-borne illnesses that may affect not just one or two patrons, but hundreds, he said.
The risks assumed by a park can rarely be transferred, but they can be shared by patrons and “designer engineers,” said Boyd F. Jensen II, owner of Garrett & Jensen law firm in Riverside, Calif., who sits on the safety and ASTM executive committee of the International Association of Amusement Parks and Attractions.
Personal injury lawsuits against park owners can be more easily defended if the owners provide documentation that their rides have been operated in a safe manner by trained employees, maintained routinely, complied with accepted safety standards and passed periodic inspections, Jensen said.
Park owners should document incidents as specifically and thoroughly as possible, ideally accompanied with photos and statements, he said. Owners should also demonstrate that they have posted signs and audible warning of known risks, and have ensured that patrons can witness a ride’s characteristics prior to boarding.
Impact on Reputation
But lawsuits can still be challenging because of the resulting perception that the park is not safe, Jensen said. Parks often settle to avoid additional public scrutiny, even though sometimes they could have shown that the patrons did not heed warnings, such as if they had existing heart or back trouble.
“Substantial sums of money can be wasted in settlements and jury verdicts due almost entirely because of inexperienced advisers,” he said.
Indeed, loss of public trust can often be the greatest exposure for a park, said Jim Petersen, a Chicago attorney specializing in risk management litigation. “That’s what will kill your company.”
When theme parks are under pressure to build the next biggest, fastest, tallest rides, certain biases can enter into the risk assessment process, Petersen said.
There is the bias of confidence based on the fact that ride designers have been good at what they’ve done up until this point, so park owners and managers assume they’re going to be good at whatever they do in the future.
Moreover, park managers tend to assume that that the scale of risk rises in a linear way – for example, if they build a ride that’s 10 percent bigger, that means a 10 percent increase in risk, Petersen said. However, increases in risk are typically exponential, so park managers need to prepare instead for greatly elevated risk levels.
“If theme parks are under pressure to get it done … to start the revenue stream, they may be hurt by these biases and build something far more risky — or move too quickly in disregard of the need for a higher degree of prudence,” Petersen said. “They need to slow down and be careful enough to not only think of the risks they do know, but conceive of things they might not know.”
“A theme park can only transfer the monetary loss to insurers, but not the legal liability and loss of reputation if they are sued.” — Frankie Hau, risk and environmental manager, Ocean Park, Hong Kong
Frankie Hau, risk and environmental manager at Ocean Park in Hong Kong, said that too few parks focus on enterprise risk management, and many risk managers tend to focus more on the insurance program for high-risk rides than managing risks across the entire enterprise.
“A theme park can only transfer the monetary loss to insurers, but not the legal liability and loss of reputation if they are sued,” Hau said. “If there is gross negligence that results in worst-case scenarios such as a fatality, then directors can go to jail.”
Ride manufacturers are generally responsible for the mechanics for the life of the ride, but parks must strictly follow procedures outlined in the manufacturers’ operations and maintenance manuals, or they will be found liable in court, he said.
In the current Six Flags case, Gerstlauer has filed a cross-complaint against the Texas park for not using a “test seat” that the manufacturer provided to test weight loads on the restraint system. Attorneys for Six Flags, Gerstlauer and the Esparza family did not return phone calls seeking comment.
Typically local authorities require that parks load test each of their rides with dummies, sand bags or concrete buckets per the manufacturer’s test weight recommendations, said Michael Greear, director of risk control services with Aon Risk Solutions’ entertainment practice in Denver.
Many manufacturers have training sessions on their rides for park mechanics, and completion of courses should be documented and presented in court cases.
But the weight of patrons can be a very challenging issue for parks, Murphy said.
“You can’t put a scale at the ride entrance and require people to stand on it — it has to be by sight, and so basically the park has to say to the operator to use their best judgment,” he said.
Patrons should be able to fit into the seat and have the safety bar closed, locked and fully supporting them, Murphy said. Moreover, if the ride malfunctions, operators have to be able to help the heavy person out of the car and down steps.
It helps to have another employee there to maintain “zero tolerance,” and if there is a disagreement, the other operator can call the supervisor, he said. Many parks try to screen for height and weight at the beginning of the ride’s line, so the person doesn’t have to wait in line or face even greater embarrassment.
For water parks, lifeguards must routinely patrol pools not only to watch for drownings, but also floating debris that could contaminate the pool, Hau said. Then, they must clear the pool, retrieve the substance, sanitize the water with a suitable dose of chlorine and then test the condition of the pool.
In the event of a claim for sickness, parks need to provide documentation to the court that they constantly tested the water’s quality, making sure chlorine, acidity and turbidity levels conform to international standards.
Risks increase on busy days when operators take shortcuts about cleaning testing, treating and then reopening pools, Greear said. “Many times, a business decision is a risk acceptance decision.”
From an insurance perspective, park risk managers can avoid some headaches if they understand what their policy covers and doesn’t cover — understanding the exclusions, coverage limits and requirements for reporting a claim if an event occurs, he said.
Risk managers should also work with their carriers and brokers as partners, because they have a great deal of expertise in loss control within their health and safety groups.
“By doing so, an operator could either avoid an incident or claim altogether or be in a position, through training and documentation, to show that they took the reasonable steps to reduce or eliminate a risk,” Greear said.
5 & 5: Rewards and Risks of Cloud Computing
Cloud computing lowers costs, increases capacity and provides security that companies would be hard-pressed to deliver on their own. Utilizing the cloud allows companies to “rent” hardware and software as a service and store data on a series of servers with unlimited availability and space. But the risks loom large, such as unforgiving contracts, hidden fees and sophisticated criminal attacks.
ACE’s recently published whitepaper, “Cloud Computing: Is Your Company Weighing Both Benefits and Risks?”, focuses on educating risk managers about the risks and rewards of this ever-evolving technology. Key issues raised in the paper include:
5 benefits of cloud computing
1. Lower infrastructure costs
The days of investing in standalone servers are over. For far less investment, a company can store data in the cloud with much greater capacity. Cloud technology reduces or eliminates management costs associated with IT personnel, data storage and real estate. Cloud providers can also absorb the expenses of software upgrades, hardware upgrades and the replacement of obsolete network and security devices.
2. Capacity when you need it … not when you don’t
Cloud computing enables businesses to ramp up their capacity during peak times, then ramp back down during the year, rather than wastefully buying capacity they don’t need. Take the retail sector, for example. During the holiday season, online traffic increases substantially as consumers shop for gifts. Now, companies in the retail sector can pay for the capacity they need only when they need it.
3. Security and speed increase
Cloud providers invest big dollars in securing data with the latest technology — striving for cutting-edge speed and security. In fact, they provide redundancy data that’s replicated and encrypted so it can be delivered quickly and securely. Companies that utilize the cloud would find it difficult to get such results on their own.
4. Anything, anytime, anywhere
With cloud technology, companies can access data from anywhere, at any time. Take Dropbox for example. Its popularity has grown because people want to share large files that exceed the capacity of their email inboxes. Now it’s expanded the way we share data. As time goes on, other cloud companies will surely be looking to improve upon that technology.
5. Regulatory compliance comes more easily
The data security and technology that regulators require typically come standard from cloud providers. They routinely test their networks and systems. They provide data backups and power redundancy. Some even overtly assist customers with regulatory compliance such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS).
1. Cloud contracts are unforgiving
Typically, risk managers and legal departments create contracts that mitigate losses caused by service providers. But cloud providers decline such stringent contracts, saying they hinder their ability to keep prices down. Instead, cloud contracts don’t include traditional indemnification or limitations of liability, particularly pertaining to privacy and data security. If a cloud provider suffers a data breach of customer information or sustains a network outage, risk managers are less likely to have the same contractual protection they are accustomed to seeing from traditional service providers.
2. Control is lost
In the cloud, companies are often forced to give up control of data and network availability. This can make staying compliant with regulations a challenge. For example cloud providers use data warehouses located in multiple jurisdictions, often transferring data across servers globally. While a company would be compliant in one location, it could be non-compliant when that data is transferred to a different location — and worst of all, the company may have no idea that it even happened.
3. High-level security threats loom
Higher levels of security attract sophisticated hackers. While a data thief may not be interested in your company’s information by itself, a large collection of data is a prime target. Advanced Persistent Threat (APT) attacks by highly skilled criminals continue to increase — putting your data at increased risk.
4. Hidden costs can hurt
Nobody can dispute the up-front cost savings provided by the cloud. But moving from one cloud to another can be expensive. Plus, one cloud is often not enough because of congestion and outages. More cloud providers equals more cost. Also, regulatory compliance again becomes a challenge since you can never outsource the risk to a third party. That leaves the burden of conducting vendor due diligence in a company’s hands.
5. Data security is actually your responsibility
Yes, security in the cloud is often more sophisticated than what a company can provide on its own. However, many organizations fail to realize that it’s their responsibility to secure their data before sending it to the cloud. In fact, cloud providers often won’t ensure the security of the data in their clouds and, legally, most jurisdictions hold the data owner accountable for security.
Risk managers can’t just take cloud computing at face value. Yes, it’s a great alternative for cost, speed and security, but hidden fees and unexpected threats can make utilization much riskier than anticipated.
Managing the risks requires a deeper understanding of the technology, careful due diligence and constant vigilance — and ACE can help guide an organization through the process.
To learn more about how to manage cloud risks, read the ACE whitepaper: Cloud Computing: Is Your Company Weighing Both Benefits and Risks?