Buying Cyber – Consider Carefully
The threat arising from cyber security is real. If it is not already, I suspect this threat will shortly be one of the most significant risks that companies face.
Given its significance, the cyber threat needs a comprehensive integrated response with risk transfer being just one element.
As a risk manager I cringed when I heard another risk manager declare at a RIMS annual conference session, “Yep, I bought cyber risk insurance last year. I did so because everybody else is doing it and also because my director thought it was a good idea. To be honest, I must admit that I am not really sure exactly what I bought.”
That risk manager may have done the right thing but definitely for the wrong reasons.
Some risk managers adopt a “risk flavor of the month” approach when considering, indeed purchasing new insurance products.
When you purchase an insurance product you are, as we all know, actually engaged in the practice, or should I say, sometimes the art form of transferring risk to the marketplace. This seems pretty clear, or is it? You should only engage in the practice of risk transfer after you have:
1. Carried out a thorough investigation of your business in order to identify all relevant original or “raw” risk(s).
2 Identified the controls that exist within your business to mitigate the risks identified. In doing so, you also need to assess the effectiveness of the controls in place to treat the identified risks.
3. Considered what other new or augmented existing controls could be established to deal with the risks on a cost effective basis.
4. Assessed the residual risks arising after applying steps 1 – 3 above and determined whether they are within your risk appetite or not.
Some risk managers adopt a “risk flavor of the month” approach when considering, indeed purchasing new insurance products. Cyber risk insurance is one such product that has been flavor of the month for quite some time.
The social/peer pressure to buy “cyber” is unrelenting. It is egged on by the myriad of studies that for example state, x percent of entities now buy cyber insurance and that this will grow to y percent within 12 months.
Do you want to be the brave insurance manager who bucks this trend? I am not suggesting that you be that person; what I do suggest is that you go about the process of evaluating whether or not this risk in your company needs to be insured against in a very disciplined, dispassionate manner.
The advantage of adopting the above is that you will end up with:
1) A very detailed description of the risks you face.
2) A comprehensive assessment of your suite of controls.
3) Absolute clarity as to which element of your risk you will seek to transfer to the insurance marketplace because by doing so, and if you do buy you will end up with a product that precisely fits your needs.
When you make that decision to buy cyber you will feel better as a risk management professional for having done so after following the above.
Recall Mitigation Relies on Risk Managers
This is turning out to be a record year for auto-related recalls and, with the astronomical costs associated with them, insurance companies that offer accidental contamination or malicious product tampering policies are on alert.
This type of insurance is primarily used by food manufacturers, distributors, retailers and auto parts suppliers to cover business expenses related to a recall. And in light of recent events, you can be sure that parts suppliers are working closely with their insurers to see what losses are covered and what the damage will be to their bottom line.
Those with insurance are the lucky ones, as the costs associated with a recall can be significant, but even for those organizations, the results of the recall and subsequent insurance coverage rely heavily on the assessments of risk managers.
One of the key concerns for risk managers is cost containment.
Typically, an insurance company becomes engaged with the manufacturer when the recall is about to happen or has just happened. To get started on remediation, the insurer must determine the total loss of product and what services are needed.
Then, the insurer will pull impacted lots and have them tested by an independent company to confirm that a full recall is necessary. Risk managers must ensure that lot sizes and distribution channels are optimized to minimize the impact on the bottom line depending on the likelihood of a recall.
Throughout a recall event, a lack of effective risk management can cause manufacturers to make missteps that cost millions of dollars and negatively impact insurers.
For example, if organizations don’t have the ability to identify and isolate contaminated products from safe ones, they may end up crediting a retailer for the full lot and not just the impacted products – resulting in a cash loss.
Also, manufacturers may incur compliance fines as they scramble to meet all of the regulatory requirements surrounding recalls. Lastly, the complex logistics involved in a recall may prolong the process and expose the brand to greater risk.
Here are some best practices for risk managers to consider when faced with a recall:
• Ensure access to good data and tracking on impacted products, including information on where it is located and what the value of lost product is.
• If the origin of the recall is known, contact the source to see what damages they will pay and determine if legal action is needed.
• Encourage the organization to be recall-ready with a designated recall team and plan, and an understanding of the supply chain partners’ recall protocol.
As the global supply chain continues to become more complex, risk managers need to be vigilant when preparing for internal and supplier issues.
And for companies of all sizes, product contamination is a loss exposure that cannot be ignored. It’s occurring with alarming frequency in the U.S. and globally catching many organizations by surprise.
Companies that fall victim to these incidents often incur staggering costs in damage control and significant lag time in restoration of profits and reputation.
Global Program Premium Allocation: Why It Matters More Than You Think
Ten years after starting her medium-sized Greek yogurt manufacturing and distribution business in Chicago, Nancy is looking to open new facilities in Frankfurt, Germany and Seoul, South Korea. She has determined the company needs to have separate insurance policies for each location. Enter “premium allocation,” the process through which insurance premiums, fees and other charges are properly allocated among participants and geographies.
Experts say that the ideal premium allocation strategy is about balance. On one hand, it needs to appropriately reflect the risk being insured. On the other, it must satisfy the client’s objectives, as well as those of regulators, local subsidiaries, insurers and brokers., Ensuring that premium allocation is done appropriately and on a timely basis can make a multinational program run much smoother for everyone.
At first blush, premium allocation for a global insurance program is hardly buzzworthy. But as with our expanding hypothetical company, accurate, equitable premium allocation is a critical starting point. All parties have a vested interest in seeing that the allocation is done correctly and efficiently.
“This rather prosaic topic affects everyone … brokers, clients and carriers. Many risk managers with global experience understand how critical it is to get the premium allocation right. But for those new to foreign markets, they may not understand the intricacies of why it matters.”
– Marty Scherzer, President of Global Risk Solutions, AIG
Basic goals of key players include:
- Buyer – corporate office: Wants to ensure that the organization is adequately covered while engineering an optimal financial structure. The optimized structure is dependent on balancing local regulatory, tax and market conditions while providing for the appropriate premium to cover the risk.
- Buyer – local offices: Needs to have justification that the internal allocations of the premium expense fairly represent the local office’s risk exposure.
- Broker: The resources that are assigned to manage the program in a local country need to be appropriately compensated. Their compensation is often determined by the premium allocated to their country. A premium allocation that does not effectively correlate to the needs of the local office has the potential to under- or over-compensate these resources.
- Insurer: Needs to satisfy regulators that oversee the insurer’s local insurance operations that the premiums are fair, reasonable and commensurate with the risks being covered.
According to Marty Scherzer, President of Global Risk Solutions at AIG, as globalization continues to drive U.S. companies of varying sizes to expand their markets beyond domestic borders, premium allocation “needs to be done appropriately and timely; delay or get it wrong and it could prove costly.”
“This rather prosaic topic affects everyone … brokers, clients and carriers,” Scherzer says. “Many risk managers with global experience understand how critical it is to get the premium allocation right. But for those new to foreign markets, they may not understand the intricacies of why it matters.”
There are four critical challenges that need to be balanced if an allocation is to satisfy all parties, he says:
Across the globe, tax rates for insurance premiums vary widely. While a company will want to structure allocations to attain its financial objectives, the methodology employed needs to be reasonable and appropriate in the eyes of the carrier, broker, insured and regulator. Similarly, and in conjunction with tax and transfer pricing considerations, companies need to make sure that their premiums properly reflect the risk in each country. Even companies with the best intentions to allocate premiums appropriately are facing greater scrutiny. To properly address this issue, Scherzer recommends that companies maintain a well documented and justifiable rationale for their premium allocation in the event of a regulatory inquiry.
Insurance regulators worldwide seek to ensure that the carriers in their countries have both the capital and the ability to pay losses. Accordingly, they don’t want a premium being allocated to their country to be too low relative to the corresponding level of risk.
Without accurate data, premium allocation can be difficult, at best. Choosing to allocate premium based on sales in a given country or in a given time period, for example, can work. But if you don’t have that data for every subsidiary in a given country, the allocation will not be accurate. The key to appropriately allocating premium is to gather the required data well in advance of the program’s inception and scrub it for accuracy.
When creating an optimal multinational insurance program, premium allocation needs to be done quickly, but accurately. Without careful attention and planning, the process can easily become derailed.
Scherzer compares it to getting a little bit off course at the beginning of a long journey. A small deviation at the outset will have a magnified effect later on, landing you even farther away from your intended destination.
Figuring it all out
AIG has created the award-winning Multinational Program Design Tool to help companies decide whether (and where) to place local policies. The tool uses information that covers more than 200 countries, and provides results after answers to a few basic questions.
This interactive tool — iPad and PC-ready — requires just 10-15 minutes to complete in one of four languages (English, Spanish, Chinese and Japanese). The tool evaluates user feedback on exposures, geographies, risk sensitivities, preferences and needs against AIG’s knowledge of local regulatory, business and market factors and trends to produce a detailed report that can be used in the next level of discussion with brokers and AIG on a global insurance strategy, including premium allocation.
“The hope is that decision-makers partner with their broker and carrier to get premium allocation done early, accurately and right the first time,” Scherzer says.
For more information about AIG and its award-winning application, visit aig.com/multinational.