Target as Target
After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.
However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.
In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.
Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.
“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.
Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.
“I would still say it’s so much better to get it right the first time,” he said.
Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.
Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.
In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”
A key turning point came on Jan.13 when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction:
Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”
Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was faster than it’s been in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.
“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.
Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.
Other positive steps include Target’s $5 million investment in cyber security education said Michael Soza, a partner in accounting and consulting firm BDO.
“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.
As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.
But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.
“Those are the ones where the trust has really been lost,” Korschun said.
Top Five Uninsurable Risks
Whether it’s a Sriracha hot sauce maker being threatened with closure by city council or General Motors fighting for its reputation after recalling more cars than it made in the past three years, companies face a world of complex risks.
And some of those risks cannot be transferred via insurance products.
How well are companies protected, for example, when new regulations get passed — such as the EPA’s proposed restrictions on coal burning plants that may drive some in the energy industry out of business, or the current political drumbeat against tax inversion practices?
What insurance covers a company whose rogue employee sells trade secrets to an outside company? How about when a pandemic shuts down operations?
Risk managers identify their organizational exposures as best they can and then work to manage or eliminate those risks. Sometimes, commercial insurance can be used to remove the bulk of that risk, but we’ve isolated five risks which many experts believe are uninsurable in many respects: For the time being anyway.
“For the most part, the insurance industry rises to the occasion and creates products for emerging risks that evolve over time,” said Carol Laufer, executive vice president, ACE Excess Casualty.
“For insureds, the purchase of products such as employment practices and cyber insurance eventually evolves from a discretionary spend to standard insurance coverage,” she said.
For sure there are other challenging risks — such as weak economic conditions or skilled talent shortages — that also are uninsurable, but we have selected those for which risk managers are able to play an effective role in mitigating the risk.
Part of the problem in transferring such risks is the complexity involved in the exposures. Look at tax inversion — where a U.S. company merges with a foreign company to change their tax jurisdiction and lower their tax burden.
Is that a political risk? A regulatory risk? A reputational risk? It could be any one of them, or all three of them.
“I think it’s almost uncountable the ways that a loss could occur where that loss could be tied back to reputational risk or regulatory risk,” said David White, a national actuarial leader at KPMG.
At the same time, calling a risk uninsurable has nuances to it. Coverage for criminal fines and penalties, for example, are truly uninsurable. The law forbids such coverage, said Patrick Donnelly, chief broking officer, Aon Risk Solutions.
But for other types of risks, there may be various products offered by brokers and underwriters to address some, but not all of the specific exposures faced by a company, he said. Such coverage, however, may be rare or expensive, or corporations may find risk transfer to be an ineffective way of hedging the risk.
“I’m very careful about branding something as truly uninsurable,” Donnelly said.
“It’s not black and white.”
General Motors might be the quintessential example of a company undergoing a reputational hit. It recalled nearly 30 million cars, and faces numerous lawsuits and investigations related to a delayed recall of 2.6 million cars — some manufactured more than a decade ago — with a faulty ignition switch that has been linked to 13 deaths and more than 50 accidents.
Video: As this report from the New York Times indicates, automakers have a long history of trying to maintain their reputations in the face of major recalls.
But every day brings another contender for the throne. One day, it’s American Apparel’s founder being suspended, and possibly eventually fired, for alleged sexual misconduct. Another day, it’s a viral video of a Comcast customer service representative who refuses to let a customer cancel his account.
Or it could be yet another cyber theft of customer information or a celebrity spokesman tweeting out an offensive comment.
While there are insurance products that provide coverage for crisis management/public relations costs and product recall expenses, only a limited market exists for loss of income or net profit for reputational harm, said Emily Freeman, global technology and privacy practice specialist at Lockton.
“You need to be able to wrap your arms around the risk and the value of risk before you can insure it,” said Tom Srail, senior vice president, Willis. “What a company name is worth has long been a risk to the industry.”
Freeman said Lockton has been involved in creating customized solutions for large clients that address specific threats of reputational harm. The client and underwriter negotiate the period of indemnity and loss adjustment, she said.
“The perils are not on an ‘all risk’ basis, but rather categories listed that are relevant to the client, such as disgrace of key persons or breach of sensitive data,” Freeman said.
“In my mind,” said KPMG’s White, “you can’t find policies that cover all types of reputational risk from whatever event that occurred.”
When you think of regulatory risk, many risk managers keep an eye on the rules of the Health Information Portability and Accountability Act (HIPAA), the Dodd-Frank Act or a regulatory agency such as the Food & Drug Administration.
But the threat of regulation is immense and often unpredictable. In just one year, 2012, there were 17,763 changes to laws, rules and regulations affecting the banking and financial sectors alone, according to The Network, a training and compliance company.
“From a risk management or risk mitigation perspective, you can’t really predict regulations. You can prepare for them, but you can’t predict them or price them.” — David White, national actuarial leader, KPMG
Plus, risks can emanate from all sectors of government. One recent example is Huy Fong Foods, the manufacturer of Sriracha hot sauce, which was temporarily shut down by a judge following a lawsuit by the city council of Irwindale, Calif., after four families (one of which was related to a city councilman) complained about odors.
Eventually, the city dropped its lawsuit and its declaration that the factory was a “public nuisance,” but it took months for the situation to resolve itself.
“From a risk management or risk mitigation perspective, you can’t really predict regulations. You can prepare for them, but you can’t predict them or price them,” White said. “Regulatory risk is handled through risk mitigation, not risk transfer.”
“Even in the United States,” Srail said, “a government or state can put an industry or a company, if they want to, out of business or severely restrict their ability to operate.”
Certainly, the energy industry has been facing that threat since 2008 when President Obama noted that coal-powered plants can still be built, but at a steep regulatory cost.
“It’s just that it will bankrupt them because they are going to be charged a huge sum for all that greenhouse gas that’s being emitted,” Obama said.
While a final rule has not yet been issued by the Environmental Protection Agency, the president has recently called on it to enact new emissions regulations. The U.S. Chamber of Commerce estimated the regulations will cost the economy about $50 billion annually.
“There are some creative products underwriters have tried over the years … but there is definitely nothing off the shelf or run of the mill,” Srail said of regulatory risk.
“There’s nothing easy to do.”
Trade Secret Risk
“I find trade secrets to be one of the most dangerous areas,” said attorney Rudy Telscher, a partner at Harness Dickey & Pierce, who recently won a patent infringement case at the U.S. Supreme Court.
“There are no boundaries. It’s such a nebulous area.”
It can include anything from a disgruntled employee taking customer lists or R&D information to his next job, a foreign government stealing trade secrets or a hacker burrowing into a computer system to steal a company’s version of its special sauce.
Globalization and the expanded use of supply chain partners increase the potential exposure. Plus, even when a company is able to pursue trade secret litigation, courts consider whether reasonable precautions had been taken to secure the proprietary information.
“The violation,” said Bob Fletcher, president, Intellectual Property Insurance Services Corp., which offers insurance to litigate intellectual property cases, “is not the use [of a trade secret]. The violation is, ‘How did you get the information?’ ”
In any event, said Aon’s Donnelly, “an organization would have a very difficult time obtaining an insurance policy that adequately protects them against the theft or wrongful disclosure of their trade secrets and the potential damage that could do to the company if that trade secret got out.”
More common than industrial espionage, however, are the run-of-the-mill business discussions that revolve around synergies and potential partnerships between enterprises. Often, the nondisclosure agreements (NDAs) covering such discussions are not specific enough to protect the parties, Telscher said.
It is the party receiving the information that is most at risk, he said. If the discussions dissolve, that party may find itself accused of acting upon trade secrets because the NDA did not specify the information that was to be disclosed and held confidential.
“The more information you receive, the greater the risk there will be a lawsuit if you don’t end up doing a deal and you move forward on your own,” Telscher said.
In this era of globalization, companies establish operations all over the world, and the world is not a stable place.
Upheaval — or the increasing threat of it — is prevalent on just about every continent of the globe. Certainly, the possibilities in the Middle East, Eastern Europe, Asia and Latin America are concerning to risk managers.
While political violence and trade credit coverage is available in the majority of cases, companies continue to face uninsurable exposures.
“It’s definitely tricky,” said Mark Garbowski, a shareholder at Anderson Kill.
“Based on the policies I have seen, there will always be some aspects of it that will be fully outside the scope of what can be covered.”
And only “a minority” of companies actually buy the cover, said John Hegeman, AIG senior vice president, specialty lines-political risk.
“I think the principal reason is most risk managers view it as a self-insured business risk,” he said.
“Pretty much anything an insured thinks is really essential to their operations can be covered, but you have to identify it and understand what it is.”
Often, said Richard Maxwell, chief underwriting officer and global head of political risk and trade credit insurance for XL Group, corporations wait too long in the face of deteriorating conditions and insurers will not accept the risk.
“Buy the cover before the barn is on fire,” he said.
Generally, policies cover a host of risks, including government expropriation of an asset, destruction of an asset due to war or political violence, credit default of trade receivables, and when foreign governments block transfer and convertibility of currency.
Some countries, such as Iran, Iraq, Afghanistan and the like, are not insurable, said Jochen Duemler, CEO and head of Euler Hermes Americas Region, which offers risk coverage in nearly 200 countries.
Argentina is a recurring problem, and as for Venezuela, it’s not uninsurable, he said, “but we would say we pretty much have no exposure there and are very, very reluctant” to offer coverage.
Overall, policies exclude losses that occur when currency is devalued, losses that occur as a result of a nuclear incident and non-payment of premium, or any losses to suppliers or partners as a result of political violence, except for trade receivables.
Policies also require insureds to make certain warranties and representations that are included in the insurance contract.
Policy disputes can arise when property is expropriated or licenses are cancelled due to what a foreign government says are reasonable or legally justified regulatory actions, according to an article on political risk coverage by Robert C. Leventhal, an attorney with Foley and Lardner.
Another area of dispute emerges when assets are jeopardized by “creeping expropriations,” such as a series of actions by the government as opposed to a single act, he said.
Many risk managers aren’t too worried about the Ebola pandemic in West Africa that has already killed more than 900 people. And they probably aren’t all that worried — if they even know — about the four cases of pneumonic plague in Colorado that are life-threatening.
But who among them can forget the H1N1 pandemic influenza virus known as the swine flu, that in 2009 killed more than 250,000 people worldwide, including more than 3,600 in North America.
At one point, the U.S. Centers for Disease Control and Prevention estimated that as many as two in five workers might become infected or have to stay home to care for an ill family member.
Video: Researchers at the Massachusetts Institute of Technology studied the role airports play in spreading disease and pandemics, according to this report by Voice of America.
A pandemic flu is something all risk managers should worry about. And there’s no coverage for it.
“A pandemic is a very difficult exposure to insure in any meaningful way. You can do some work around it, but it’s a very, very difficult risk to insure and no one really insures it,” said John McLaughlin, managing director of the higher education practice at Arthur J. Gallagher & Co.
For schools or universities, his specialty, there may be some loss of tuition coverage available, but “it’s not very cost effective.”
For business, supply-chain insurance may offer some protection, but that coverage still has a limited take-up.
Companies may also be able to craft special wording for property or D&O policies, he said.
“You never say never. There’s always some solution that you can work up,” he said.
But, McLaughlin said, a healthier perspective for a risk manager is to analyze how the risk would impact the organization and to devise solutions that are not insurance-related.
The Next Wave of Workers’ Comp Medical Cost Savings
Managing medical costs for workers’ compensation claims is like pushing on a balloon. As you effectively manage expenses in one area, there are bound to be bulges in another.
Over the last decade, great strides have been made in managing many aspects of workers’ compensation medical costs. Case management, bill review and pharmacy benefits management are just a few categories that produce significant returns.
And yet, according to the National Council on Compensation Insurance (NCCI), medical costs remain the largest percentage of workers’ comp expenses. Worse still, medical costs continue to be the fastest growing expense category.
Many medical services are closely managed through provider negotiations, bill review, utilization review, pharmacy benefits management, to name a few. But a large opportunity for medical cost containment remains largely untouched and therefore represents a significant opportunity for cost savings.
Ancillary medical services is a term used to describe specialty or supplemental health care services such as medical supplies, home health care, durable medical equipment, transportation and physical therapy, etc.
According to Clifford James, Vice President of Strategic Development at Healthesystems in Tampa, Fla., modernizing the process for managing ancillary medical services presents compelling opportunities for cost savings and improved patient care.
Source: 2014 Healthesystems Ancillary Medical Services Survey
“The challenge of managing these types of medical products and services is a cumbersome and extremely disconnected process,” James said. “As a result, it represents a missing link in an overall medical cost management strategy, which means it is costing payers money and patients the most optimal care.”
James singled out three key hurdles:
Lack of transparency
As the adage goes, you can only manage what you can measure.
Yet when it comes to the broad range of products and services that comprise ancillary benefits, comprehensive data and benchmarking metrics by which to gauge success are hard to come by.
The problem begins with an antiquated approach to coding medical services that was developed in the 1970s. The coding system falls short in today’s modern health care environment due to its lack of product and service level detail such as consistent units of measure, quantity and descriptors.
As a result, a meaningful percentage of ancillary benefits spending is coded as “miscellaneous,” which means a payer has little to no visibility into what product or service is being delivered — and no way to determine if the correct price is being applied or if the item is even necessary or appropriate.
Source: 2014 Healthesystems Ancillary Medical Services Survey
“It’s a big challenge. Especially when you consider that for many payers, it’s difficult to determine exactly what they are spending, or identify what the major cost drivers are when it comes to ancillary services,” James said. And when frequently over 20 percent of these types of services are billed as miscellaneous, payers have zero visibility to effectively manage these costs.
Measurement and monitoring
Often, performance that is monitored is given the most attention. Therefore, ancillary programs that are closely monitored and measured against objective benchmarks should be the most successful.
However, benchmarks are hard to determine because multiple vendors are frequently involved using disparate data and processes. There isn’t a consistent focus on continuous quality improvement, because each vendor operates off of their own success criteria.
“Leveraging objective competitive comparisons breeds success in any industry. Yet for ancillary services there is very limited data to clearly measure performance across all vendors,” James said. “And for payers, this is a major area of opportunity to promote service and cost containment excellence.”
Source: 2014 Healthesystems Ancillary Medical Services Survey
If you ask claims executives about their strategies for improving the claims management process, a likely response may be “workload optimization.” The goal for some is to enable claims professionals to handle a maximum case load by minimizing administrative duties so they can leverage their expertise to better manage the outcome of each case.
But the path towards “workload optimization” has many hurdles, especially when you consider what needs to be coordinated and the manual way it frequently is done.
Ancillary benefits are a prime example. For a single case, a claims professional might need to coordinate durable medical equipment, secure translation services, arrange for transportation and confirm the best physical therapy plan. Unfortunately they often don’t have the needed time, or the pertinent information, in order to make quick, yet informed, decisions about the ancillary needs of their claimants.
In addition there is the complexity of managing multiple vendor relationships, juggling various contacts, and accessing multiple platforms and/or making endless phone calls.
“We’ve been called the ‘industry integrator’ by some people, and that’s accurate. We are delivering a proven platform connecting payers with providers and vendors on the ancillary medical benefit front. It’s never been done before.”
– Clifford James, Vice President of Strategic Development, Healthesystems
Modernizing the process
To the benefit of both payers and vendors, Healthesystems offers Ancillary Benefits Management (ABM).
The breakthrough ABM solution consists of three foundational components — a technological platform, proprietary medical coding system and a comprehensive benefits management methodology.
The technological platform integrates payers and vendors with a standardized architecture and processes. Business rules and edits can be easily managed and applied across all contracted vendors. All processes – from referral to billing and payment – are managed on a single platform, empowering the payer with a centralized tool for managing the quality of all ancillary providers.
But when it comes to ancillary products, the critical and unique challenge Healthesystems had to solve is the antiquated coding system. This was completed by developing a highly granular, product-specific coding system including detailed descriptions and units of measure for all products and services. This coding provides payers with the clearest understanding of all products and services delivered including pricing and all the necessary utilization metrics.
“We bring the highest level of transparency and visibility into all ancillary products and services,” James said, adding that the ABM platform uses an extensive preferred product coding system 15 times more detailed than any other existing system or program.
This combination of sophisticated technology, proprietary coding system and benefit management methodology revolutionizes the ancillary category. Some of the benefits include:
- Crystal-clear transparency
- A more detailed and comprehensive view into ancillary products and services
- An automated process that eliminates billing discrepancies or resubmittals
- Integrated and consistent processes
- Strategic program management
Taken together, the system leapfrogs over the existing hurdles while creating entirely new opportunities. It’s a win for vendors and payers, and ultimately for patients, who receive the optimal product or service.
“We’ve been called the ‘industry integrator’ by some people, and that’s accurate,” James said. “We are delivering a proven platform connecting payers with providers and vendors on the ancillary medical benefit front. It’s never been done before.”
To learn more about the Healthesystems Ancillary Benefits Management solution visit: http://www.healthesystems.com/solutions-services/ancillary-benefits