Newsletter Sign-up

By STEVE YAHN, who has written for and edited national trade magazines for more than 30 years

As it turned out, June of 2007, three years after Google Inc.'s blistering initial public offering, became another landmark in the storied corporate life of Google Inc. That month, Google, which up until then had handled risk management through Assistant Treasurer Ronni Horrillo, hired 39-year-old Wisconsin native Kelly Crowder as the company's full-time risk manager.

Being hired as Google's first official risk manager in its then eight-year history was a prized accomplishment, for sure, but Bay Area risk and finance officials didn't have much difficulty foreseeing the choice.

Since 2002, Crowder was part of the Marsh FINPRO team, the broker's financial and professional liability practice that consults on a large range of casualty risks ranging from directors' and officers' liability to fidelity bonds to employment practices issues. Based in the San Francisco office, Crowder served on the Google account team. That meant working with Horrillo, now her boss.

As Google grew, first from a handful of workers to several hundred, then to several thousand and finally into the 20,000-employee powerhouse that it is today, company managers realized it needed a full-time risk guardian. Storming up the market-share charts on its way to the top spot in Internet searches, the company realized its risks were also becoming more complex.

And if the company was going to raise money in the public markets, it was going to have to meet the burden of federal reporting requirements too.

"The company got to be a certain size and was growing in various ways in which exposures were getting to be more unique," says Crowder. "Part of that was our expansion internationally. So part of the risk management role was that handling international growth became more time-consuming."

Every time Google launches a new product or service--Google Health, Google Checkout, Gmail or its mobile platform known as Android, for example--privacy advocates raise red flags. And as the company explores new markets in the United States and abroad, the more frequent the privacy challenges. Hence, the need for a full-time risk manager, like Crowder.

Shortly after joining Google, Crowder began moving the company, albeit carefully, away from a transactional, insurance-driven model to one more geared to the enterprise risk management model practiced by many.

ERM holds the promise of thinking about risk holistically, says Crowder, which makes the approach to risk more efficient.

"Once you know what your exposures are, it is possible to then determine the best way to treat them, through insurance or otherwise, and also allows you to justify your methods," she says. Google's insurance program is split between Marsh and Aon, the two largest brokers. Marsh serves as the company's risk and insurance adviser for property/casualty lines. Aon serves as adviser for professional liability lines, according to Crowder.

Crowder, who received a double-major undergraduate degree in finance and risk management from the University of Wisconsin-Madison, says she's recently structured a multiyear, integrated risk program for the company and hopes to add coverage lines to the program in the years to come.

With the help of Marsh, Crowder started implementing a risk management information system to track the rising number of claims facing the company. Collecting the data--and Google is king when it comes to turning data to its advantage--was bound to help Crowder mitigate Google's exposures.

During last year's renewal season, the first renewal in which Crowder was involved, the company consolidated several coverages under one umbrella as part of its efforts to integrate its risk program.

The initiatives are part of Crowder's efforts to bring a more "disciplined risk management culture" to the company, says Yvonne Cho, senior vice president and client advisor in the casualty department of Marsh's San Francisco office. "She is working to help her internal constituents view risk management as a business enabler rather than a department that always says, 'No, we can't do this or that because it's too risky.' "

Cho says that Crowder's goal is to encourage Google's business units to take into consideration potential impacts of risk and improve the company's decision-making. "Especially given the short time she's been there, I see this as a major contribution she's making at Google."

Google's Internet search business is considered a core competency. It is the dominant Internet search engine in the United States by far, according to numbers released in February by comScore. Of the 13.5 billion Internet searches carried out in the United States in January, Google-branded sites raked in a 59 percent market share, well ahead of second-place finisher Yahoo! with 15 percent market share.

Google derives billions of dollars from advertising revenues. Internet search, however, is neither the company's only product offering, nor its only revenue opportunity.

Other Google-branded products, well-known to technology-savvy consumers, include Google Video, Google Images, Google Earth, Google Maps, YouTube, Blogger News, Google Shopping, Gmail, Google Books, Google Calendar, Google Translate and Google Docs. More than a brand, perhaps, or even a noun, Google for millions of people has become a verb.

Together, these staples of our Internet age give the company significant influence over anyone--consumers and corporations alike--doing business on the Web, and they all present different risk management challenges for Crowder and Google's Chicago-based insurance broker, Aon.

"Certainly our brand is critical to us," says Crowder. "But this is not something you can insure against. It is currently being managed by corporate communications, investor relations and legal. As we move toward the ERM model, other components that are managed outside of my group will be added in and this will be one of them. The ERM team will involve multiple divisions across the company."

Along with the business units that include operations, engineering, sales, corporate communications, real estate, finance and legal, corralling Google's vast and decentralized insurance exposures, and meeting renewal deadlines, hasn't been easy.

Cho says that, since Crowder joined the firm, the renewals have proceeded more quickly and efficiently. Crowder's serious about her day--and night job.

"I get e-mails from her at all hours." says Cho. Crowder's background as a broker has helped as she understands the nuances of the commercial insurance marketplace and the "bigger picture" of an integrated risk management approach.

In addition to Internet search, mapping is considered another of Google's core competencies. Street View, a function available on Google Maps, reveals street-level locations typed into Google Maps. Cameras mounted on cars collect the data from public streets and the images appear on computer screens via the Internet.

Launched in the United States in June 2007, Street View is available in 20 countries including Australia, Japan and parts of Europe. It will be available in another 10 to 15 countries by the end of 2009.

"The registration and insurance process can be somewhat different by country," says Crowder, "so we have had to establish a protocol with the Marsh network and insurer, AIG, that provides consistency but also allows for flexibility."

"My goal was to never have insurance be the hindrance in slowing down the launch of operations. My partners have worked with me to achieve that."

Google's property exposure is not all that unique, except for perhaps the number of its locations--which is enough to keep Crowder busy full time. The company has about 40 buildings on the Mountain View, Calif., headquarters campus, known as the Googleplex. (See story Page 20.)

In addition, the company has another 40 buildings in about 20 other states. Abroad, the company has a presence in 45 countries. The property in itself has value, of course, but the datacenters contained within the buildings are even more important.

"Adequately protecting our datacenters is clearly one of our main concerns," she says. "Site visits are important to our insurer."

Crowder's property program is led by Allianz with XL Insurance and Zurich also having a large percentage. Allianz provides the engineering services, and to date they have been extremely impressed with the controls Google has in place, as well as the consistency between locations. Seeing one site is essentially the same as seeing another.

"We primarily focused on visiting U.S. locations this year, with the goal of seeing the top five largest international locations next year," says Crowder.

"MINDING" THE EXPOSURE

Google's real value--and the exposures it seeks to protect the most--are risks associated with intellectual property, privacy and information security and the company's business model, according to various people familiar with the company's risk exposures.

The company is a magnet for patent infringement and intellectual-property misappropriation claims, particularly outside the United States, where protection of intellectual property remains untested in the courts. Trademark and copyright actions tend to be the most prevalent but Google is also a target of patent infringement and trade secret misappropriation risks.

In one of the most recent disputes, Google last December was named as a co-defendant, along with Apple and Microsoft, in a suit by Taylor, Mich.-based Cygnus Systems Inc., alleging infringement on a patent covering thumbnail previews of computer files, according to Web postings by Lane R. Ellis, lead editor of SearchEngine World, a publication that tracks the Internet search-engine market.

Last summer, GraphOn Corp., a Santa Cruz, Calif.-based developer of server-based application publishing software, filed an infringement claim alleging that Google's Base, AdWords, Blogger, Sites and YouTube services infringe on the Santa Cruz company's patents.

Other plaintiffs have sued the company, alleging Google infringed on their business models.

Among software and Internet companies, intellectual patent infringement claims are nothing new, nor do they mean much to anyone except software engineers conversant in the language of computer code. In the end, almost anyone can file a patent claim.

Google insists on strong legal, contractual and operational protections against such claims. Looking to the future, Crowder notes that intellectual-property and copyright consideration is a major component of Google's business platform. In the end, though, even she admits that in the world of patent infringement, unlike in the more mundane universe of slips and falls and workers' compensation, there are risks that she can't do anything about.

Google recognizes as much. In public filings, the company repeatedly cites claims on intellectual-property rights as an expensive risk. Even when there is an insurance product to protect Google's intellectual property, there may be better ways to protect the company from such intellectual-property risks, says Crowder. "It's one of the things we are diligent about analyzing and managing."

Privacy risks are another matter. They are related to the company's core advertising business, which generates an estimated 97 percent of the firm's revenues. In the first quarter ended March 31, 2009, Google booked a total of $5.5 billion in revenue, up 6 percent from the year-ago period, but down 3 percent from the fourth quarter of 2008. As much as 51 percent of Google's revenues are derived from international operations.

The company's business model, rooted in search advertising, is sound and management intends to generate even more money from the Web as users and advertisers continue to migrate to it, notes CEO Eric Schmidt.

"Going forward, our priority remains investing for the long term to drive future growth in our core and emerging businesses," the company head stated in public filings. There's new revenue to be earned in the enterprise applications business, Google believes and yet more advertising dollars to be mined through display and mobile advertising. New growth in the foreseeable future will come from within, says Schmidt.

With Google on the straight-and-narrow Internet path, its exposures to privacy-related claims will continue to extend far beyond the traditional 19th century "right to privacy" torts, according to people familiar with the company's risk coverage programs.

Given the mountains of data collected on Google's server farms, and the growth of services such as Gmail, Google Health and Street View, the privacy and information security risks faced by the company are already high and poised to rise even higher, according to people familiar with the company's risk program.

In addition, courts over the past three years have held companies responsible for data breaches in cyberspace and Google isn't immune to such exposures, particularly as the company continues to play a precedent-setting role in pushing the barriers of civil liability in the Internet age.

The cyberspace exposures are always top of mind, according to Crowder. "Obviously, it's very important to us, and we're doing everything we can to manage the risk appropriately."

The latest dustup regarding Google's behavioral advertising initiative could shed light on how difficult that risk could become. The most recent salvo in March involved the Electronic Privacy Information Center, a Washington, D.C.-based public interest research center.

Marc Rothenberg, the center's executive director, called Google's user-tracking plan "a disaster." The Center for Digital Democracy, another privacy advocacy group, asked Google to allow users of Google's AdSense network and YouTube to opt in to behavioral tracking instead of opting out.

According to Deputy General Counsel Nicole Wong, quoted recently in Networkworld, Google had solicited the advice of industry groups, users and privacy experts in the private sector and the government before launching the initiative.

Privacy risks would traditionally be covered by errors-and-omissions policies but many of Google's largest E&O risks are not insurable. In fact, the company, which has successfully monetized its own innovations, has outgrown the traditional E&O marketplace because it often breaks new ground for which there is scant legal precedent.

Crowder, with Aon's help, has initiated a review of the company's E&O risk.

"Prior to Kelly joining Google, Google handled professional liability and E&O, which is a very complex risk, with traditional insurance," says Matt Davis, resident managing director in Aon's San Francisco offices. "Kelly came in and said, 'I'm not sure this insurance product approach fulfills the most effective need for us.' "

"It's a very in-depth process to qualify and quantify the risks that are faced by Google and to try to translate that into the financial impact of those risks, forget whether you're buying insurance or not," adds Davis.

Crowder is determined to have Google rapidly abandon the transactional, off-the-shelf approach to risk management in favor of enterprise risk management.

July 1, 2009

Copyright 2009© LRP Publications