Assessing Third Party Risk
The financial services industry is in “high gear” to reassess third-party risk management practices in response to regulatory guidance.
Institutions are investing in technology to improve reporting and analytics, so that third-party risks are appropriately assessed and that controls are effective, according to the Third Party/Vendor Risk Management Survey, recently released by the Risk Management Association and sponsored by MetricStream.
It’s not just about assessing the risks from vendors and their subcontractors, but also affiliates, debt buyers, agents, channel partners, and correspondent banks, to name just a few third parties that banks and credit unions work with, said Edward DeMarco, RMA’s general counsel and director of operational risk/regulatory relations/communications.
Best practices are in “an evolutionary state,” DeMarco said.
“Multiple business lines and functional units within an institution might have their own special relationship with the same third party,” he said. “Prudent third-party risk management requires that the third party be risk-assessed in connection with the enterprise and not simply any one individual business line.”
Institutions are also increasingly putting pressure on third parties to make sure they assess the risks of their own contractors, DeMarco said.
“For example, a bank might hire XYZ appraisal company, and that company might sub out to appraisal companies 1, 2, 3 and 4,” he said. “While the bank won’t require a report because they are not in control of those relationships, the banking company does expect its third party to assess their risks.”
Other survey findings include:
• Nearly 50 percent of the respondents said their institution’s risk management functions were responsible for oversight of vendor risk.
• More than 50 percent said their institutions send questionnaires to vendors for risk management purposes.
• Roughly one-third said they have more than 25 “enterprise critical” suppliers that have the potential to affect their entire organization in the event of a failure.
• More than 75 percent have in place a supplier code of conduct that suppliers must acknowledge.
Peter Foster, executive vice president and one of the leaders of the cyber risk group at Willis, said that many of his financial institution clients require their vendors to complete a Statement on Standards for Attestation Engagements (SSAE) No. 16, which is a guidance from the American Institute of Certified Public Accountants.
“But this is the minimum of what a vendor should be doing to demonstrate how they are protecting their systems,” Foster said.
“That report really doesn’t get deep into the weeds whether or not the security around the data or around operational applications is really secure.
“Financial institutions should take a step further with a set of questions or a physical audit of a vendor, particularly if the application is more critical to operations or contains customers’ personally identifiable information.”
Institutions should also require third parties to have a technology errors and omissions policy with cyber insurance built into the one policy, he said.
An institution should require third parties to name it as an “additional insured” and provide it with certificates of insurance to cover any disruptions, including liability to cover unauthorized access or unauthorized use of data.
An institution should also have coverage for vicarious liability and direct liability under its own cyber policy, which would cover a data breach resulting from outsourcing, Foster said. That way, the institution will be covered if its third party doesn’t have a policy or its policy doesn’t provide such coverage.
Such is often the case with cloud computing firms, he said.
“We recommend [third parties provide coverage] because it should be the first line of defense — the vendor who causes the breach should be paying for the breach,” Foster said. “But we’re also cognizant of the fact that many vendors will not provide that coverage and that the bank needs to use that vendor.”
Negotiations with third parties and vendors can be time consuming — and cyber insurance coverage is “an integral part” of those conversations, said Michael O’Connell, managing director and financial institutions practice leader at Aon Risk Solutions.
“Also, a critical part of these discussions centers around who is liable for what part and how much of the loss, especially when there is a breach of confidential data,” he said.
From a risk management perspective, he recommended that vendor risk assessments include answers to these questions:
• Does the insurance fully cover the liability of the insured due to an incident caused by third-party providers?
• Are regulatory investigations, fines and penalties addressed?
• Are first-party business interruption and crisis management included within the cyber policies and are there full limits or sublimits?
“Additionally, the contingent business interruption component must include increased attention to the number and complexity of third-party relationships,” O’Connell said.
Firms must have a complete plan for loss mitigation, restitution, and a response to the potential reputational damage that may be caused, he said.
An Eye on the Chain
Supply chain risk had been steadily escalating for the last few decades, but it took natural disasters in Japan and Thailand in 2011 to bring the true extent of the risk to the surface.
In addition to the enormous financial and human losses suffered in those countries, businesses around the globe faced major disruption as key suppliers were wiped out and supply chains ground to a halt.
It was a harsh wake-up call.
“The events in Japan and Thailand really gave rise to a realization of how much greater the risk in people’s supply chains is today than 10 or 20 years ago,” said David Shillingford, senior vice president, supply chain solutions for Verisk Analytics.
“Supply chains have become more efficient — thinner, longer — but in many ways less resilient.”
In the automotive industry, for example, there are significant interdependencies regarding raw materials and parts. The Japanese tsunami wiped out essential component manufacturers and halted car production around the globe.
Meanwhile, added Shillingford: “Supply chain disruption in the pharmaceutical industry can be very costly because of the value of the ingredients, and in both pharmaceuticals and food there are evolving compliance risks to consider too.”
In fact, in today’s interconnected world, almost all industries are affected by supply chain risk. And as an increasing amount of production is farmed out to specialist manufacturers — often in emerging markets — risk is becoming more concentrated.
Sid Feagin, director, enterprise risk management, Aon Risk Solutions, noted that it is now common for firms across many industries to farm out 85 percent or more of their core product to a long chain of suppliers.
“In many cases the risks associated with this are uninsurable, which makes the management of supply chain risk paramount to the success of an organization,” he said.
A Lack of Visibility
However, gaining visibility into the risks of suppliers deep into a complex supply chain is extremely difficult, and many companies have turned to analytic software for help.
“A lot of businesses have a pretty good grip on their direct suppliers, but it’s the second, third, fourth tiers in their supply chains where there is a gap in knowledge and information and an accumulation of risk,” said Caroline Woolley, leader of Marsh’s global business interruption center of excellence.
Computer manufacturer Lenovo uses suppliers from all around the world. According to Mick Jones, the firm’s vice president of supply chain strategy worldwide, analytics have become an essential risk management tool in addition to improving business efficiency. So much so that the firm has created a role akin to a “chief analytics officer,” running analytics teams stationed around the world, he said.
“Analytics offers massive value to the business. We are at a start of the journey of using analytics to help us focus on risk. We are investing a lot of time in getting product visibility and order visibility along the entire supply chain, which is an area we can always improve on,” said Jones.
Jones explained that analytics have become essential given the volatile environment of the last five years characterized by natural disasters, socio-economic unrest and financial instability.
“The algorithms in the software are becoming more intuitive and intelligent, so you are able to do more with data and analytics,” he said.
“In four years, we’ve moved from a very ‘descriptive’ analytics approach — reporting, scorecards, dashboards — through to a more ‘prescriptive’ approach, using simulation and optimization tools to almost predict what is going to happen going forward.”
However, meaningful data on supply chain risk is patchy because a great deal of supply chain risk is not insured and companies typically don’t keep detailed records of their losses. Such risk historically fell between the cracks as far as insurers were concerned, but the last decade has seen a number of specialist products emerge to protect companies against these risks.
“These losses were treated almost as operational risk, which was something companies had to deal with on a daily basis, so they weren’t recorded,” said Woolley.
“As we are seeing more of these incidents and getting more data on the impact of supply chain risk, we are seeing a lot more interest in alternative supply chain policies.”
Shillingford said that analytics being developed by Verisk could make it easier for both companies and insurers to identify and calculate the impact of supplier risks more accurately.
“We want to encourage ‘risk-adjusted supply chain optimization.’ Often, supply chain optimization focuses only on efficiency, but we rarely hear people talk about risk and resiliency. In order to do that you have to put a value against the risk,” he said.
“The chasm between the amount of risk not insured at the present time and the amount of capital available to be deployed to insure supply chain risk [results from a] lack of visibility into the risk. If we are able to provide that visibility it could be the biggest risk transfer opportunity of the next 10 years.”
Tracking Insolvency Risk
While data on weather or catastrophe-related supply chain losses is increasingly abundant, it is far more difficult to track the risk of insolvency within a supply chain in real time. The financial data of companies is released sporadically and can be incomplete. Given the precarious nature of the economy since 2008, the risk of suppliers going bust is very real.
“Insolvency is a significant risk but it may be near impossible to fully understand,” said Feagin. “The key to understanding whether a supplier is solvent or not comes down to access to information.
“I see companies relying on various sources of information which may be too old or inaccurate to draw relevant conclusions from.”
According to Shillingford, while there are a variety of companies that offer services to assess financial strength, “each has a different methodology, usually expressed as a score, and all face similar challenges obtaining financial data for suppliers to their client’s suppliers.”
Indeed, the software industry has yet to develop an approach that can map solvency risk in real time.
Jones said that analytics play virtually no role in mitigating insolvency risk in Lenovo’s supply chain. “We deal with global suppliers who are based in many parts of the world and the data is difficult to get, but we do have a very sound supplier management approach that allows us to identify issues earlier and more collaboratively.”
Feagin said it’s crucial for companies to focus on their relationships with their suppliers, rather than just crunching numbers.
“In order to get these numbers you need to build up a relationship and trust with the suppliers. Without a strong relationship, you don’t have much power to gain information.
“There is not a piece of software out there that can tell you whether or not to do business with a particular vendor — it comes down to taking a strategic and focused approach to managing supply chain risk.”
He also noted that companies add uncertainty to their supply chains by failing to pay their suppliers promptly.
“The greatest insurance [against insolvency risk in the supply chain] is being a prompt payer and having a good relationship with suppliers,” he said.
Construction’s New World
Get off a plane at Logan Airport and cross the harbor toward Boston and you will see construction cranes, a lot of them.
Grab an Amtrak train from Philadelphia into New York and, pulling into Penn Station, you will see more construction cranes, many more of them. The same scene repeats in Denver, Los Angeles, San Francisco and Chicago.
All that steel and cable in the skyline signifies a construction industry that is growing again, after having the rug pulled out from under it in the Great Recession of 2008-2010.
The cranes these days look the same as cranes looked in 2008, but the risk management and insurance environment in construction is anything but the same now.
A variety of factors are now in play that have drastically changed construction risk underwriting, according to Doug Cauti, a senior vice president and chief underwriting officer with Boston-based Liberty Mutual’s construction practice.
Talent and Margins
For one thing, according to Cauti, the available talent pool in construction is nowhere near what it was pre-recession.
“When the economy went into its downturn, a lot of talent left the business and hasn’t returned,” Cauti said.
Cauti said recent conversations with large contractors in Ohio and Pennsylvania confirmed once again that contractors are facing a workforce that is either aging or very inexperienced. That leads to safety management and project quality concerns at just the moment in time that construction is rebounding.
Workers compensation risks in construction, already a problematic area, are seeing an impact from that dynamic.
Contractors are also facing much more competition. In the past, contractors might have bid on 10 jobs to get one, now they have to bid on 50 or 60 jobs to get one. That’s putting pressure on margins.
“There are a lot of contractors out there competing for business,” Cauti said.
“Margins are going up but not at the same rate as the industry’s recovery,” he added.
Financing and Risk Transfer
Another factor impacting the way construction risk is being underwritten is the size of projects and the way they are being financed. Construction’s recovery from the recession might be slow and steady, but the size of projects requiring risk management and insurance has increased substantially.
In 2010, there were 85 projects under contract nationally that were worth $1 billion or more, according to Cauti. One year later, the percentage of projects of that value or higher had grown by 30 percent, and the trend continues.
A lot of those projects are design-build, a relatively new approach to construction that Liberty Mutual has grown comfortable underwriting over the years. But design-build is still an additional complication, blurring the traditional lines of responsibility.
Given the funding demands of these much larger and more valuable projects — many of them badly needed public sector infrastructure improvements — public-private partnerships, otherwise known as P3s, are now coming into vogue as a financing option.
But deciding how risk should be allocated, underwritten and transferred in this new arrangement between contractors, the state, and private partners is a relatively new and untested science.
As a thought leader in the underwriting of the design-build approach – and the more traditional design-bid-build – Cauti said construction experts within Liberty Mutual are growing their knowledge to stay in step.
“We did it when the growth in contractor-controlled insurance programs happened, we did it with the evolution in design-build and we’re laying the groundwork to be a thought leader in public-private partnerships and integrated project delivery,” he said.
That means attending relevant industry conferences like the annual IRMI Construction Risk Conference where Liberty Mutual has maintained a significant presence, and engaging in dialogues with contractors and government officials, and maintaining clear and active lines of communications with brokers.
Legal and Regulatory
Another change that is creating challenges for construction risk underwriting, according to Cauti, stems from what’s happening in United States courtrooms.
Across the country, how a court interprets coverage can vary widely, especially in the area of construction defect.
“In the past, many jurisdictions viewed construction defect simply as shoddy workmanship and they had to go back and redo it,” Cauti said.
But now, on a state by state basis, courts are ruling that a construction defect is an accident under certain circumstances that may be covered by a contractor’s general liability policy.
In 2014 alone, according to Cauti, Supreme Courts in West Virginia, Connecticut and North Dakota ruled that construction defects can sometimes be considered accidents.
Cauti said doing business with a carrier that pursues contract clarity whenever possible – and that possesses an experienced claims team that can navigate the wide variety of state interpretations – is absolutely essential to the buyer.
Having claim teams not only dedicated to construction but also to construction defect, adds a lot of value to a carrier’s offering.
Now, as never before, contractors are relying on experienced construction insurance teams to help them address these complexities.
Insurers need to have the engineering expertise to analyze a project, to make sure the right contracting team is in place and to ensure that risk exposures are being properly assessed. Another key in a construction insurance team, according to Cauti, is the claims department.
A Strategic Approach
The legal and financing changes that are taking place in the construction market, from a risk transfer standpoint, aren’t going to get ironed out overnight.
Cauti said it could be 10 years until the construction and insurance industries fully understand the complications of public-private partnerships and integrated project delivery, these approaches gain traction, and the state-by-state legal decisions that are causing so much uncertainty can be digested.
In the meantime, an engaged, collaborative approach between carriers, brokers, contractors, and their financing partners will be necessary.
For more information on how Liberty Mutual Insurance can help assess your construction risk exposure, contact your broker or Doug Cauti at firstname.lastname@example.org.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty Mutual Insurance. The editorial staff of Risk & Insurance had no role in its preparation.