Crisis Management

Target as Target

Risk experts grade Target's efforts to manage the reputation damage caused by the data breach.
By: | February 3, 2014 • 4 min read

After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.

However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.

In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.

Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.

“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.

Initial email (truncated) sent by Target on 12/19/2013. The original email included an additional 4 pages of information.

Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.

“I would still say it’s so much better to get it right the first time,” he said.

2nd email to guests, 12/20/2013.

Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.

Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.

In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”

A key turning point came on Jan. 13 when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction.

Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”

Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was faster than it’s been in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.

“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.

Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.

Other positive steps include Target’s $5 million investment in cyber security education, said Michael Soza, a partner in accounting and consulting firm BDO.

“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.

As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.

But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.

“Those are the ones where the trust has really been lost,” Korschun said.

Joel Berg is a freelance writer and adjunct writing teacher based in York, Pa. He has covered business and regulatory issues. He can be reached at riskletters@lrp.com.

Reputational Risk

The Underwriter’s View of Reputation Risk

The transfer of reputational risks involves both preventative strategies as well as finding ways to mitigate the impact.
By: | October 15, 2014 • 6 min read

Thanks to the speed of the Internet and all things “viral,” scores of companies have found themselves at the center of a maelstrom of litigators, regulators and bloggers, often involving the public humiliation of the CEO and board of directors by activist investors.

Nir Kossovsky, CEO, Steel City Re

Such are the hallmarks of a 21st century reputation crisis. The long-term economic consequences and the personal sting are among the compelling reasons for managing reputation risk.

Stakeholders expect companies to behave a certain way. That includes responsible behaviors such as supply chain integrity; manufacturing or production quality; ethical standards; innovation and intellectual property management; environmental sensitivity; and security (both physical and cyber) management.

It specifically includes C-suite and board-level behaviors including governance, risk management and compliance (GRC) policies. From time to time, companies fail to meet stakeholder expectations.

It may be surprising that reputation crises don’t always follow operational failures. But the explanation for this is simple and a key predictor of success. Reputation risk is the threat of a change in stakeholder expectations.

Provided the company was both aware and diligently managing its risks, stakeholders will forgive (read, preserve the reputation value of) a company that has suffered an operational failure.

As Frederick the Great explained nearly 150 years ago before the Internet undermined the effectiveness of corporate marketing and communications, “It is pardonable to be defeated, but never to be surprised.”

Since the goal of reputation risk management is to reduce the risk of a change in stakeholder expectations, risk management starts with understanding the underlying causes.

A comprehensive GRC strategy that centers on reputation risk should enumerate both mitigable causes of risk and mitigable consequences should those risks become reality. Reputation risks can be divided into four risk archetypes:

1. Spatio/temporal (being in the wrong place at the wrong time);

2. Criminal behaviors;

3. Negligent behaviors (including ethics, innovation, quality, safety, sustainability and security); and

4. Black swan events.

Some of the sources of business operating losses arising from these four reputation risk archetypes are business interruption, unauthorized or underreported product sales, excessive GRC and operating costs, redundant production costs, restitution costs, litigation costs, and regulatory fines and penalties.

Video: Bloomberg TV reviews the “red flags” ignored by JPMorgan during London whale trading scandal.

Such results of failure to deal with risks lead to lost revenue and earnings, and reduced enterprise value.

When these consequences spill over and lead to reputational harm, the range of monetary losses rises to a strategic level and can result in potentially unlimited costs from damaged stakeholder relationships going forward.

Losses then also include reduced pricing power, increased human resource costs, increased supplier and vendor costs, increased credit costs, above average fines and penalties, and depressed earnings multiples.

When an adverse operational event blossoms into a full-blown reputation crisis, in addition to the often long-term nature of strategic financial consequences, the personal consequences for the company’s directors and officers can be significant.

So it’s no small wonder that reputation risk has become a top governance risk in board-level surveys in recent years and that reputation risk management has become one of today’s leading strategic corporate imperatives.

Some insurers offer products that effectively warranty the governance of the companies they insure — assuring stakeholders that the insured has the requisite risk controls to protect the company’s reputational value and to better weather any reputational storm.

Such products require companies to have GRC processes and technologies that provide reputation-protecting controls, which an underwriting team must see before it agrees to cover these risks.

Underwriters also seek to understand how controls are monitored, how discrepancies are managed and how the validity of monitoring is affirmed. They look for evidence of negative impacts to effective governance, controls and risk management.

Underwriting Touch Points

Underwriters use qualitative measures that focus on operational awareness at the board and senior executive levels, and use questions designed to understand how a company effects oversight and operational control over the critical business processes that underpin reputation.

The scope of qualitative analysis is generally limited to a defined range of business processes and a listing of critical stakeholders including customers, vendors, employees, creditors, equity investors, and regulators.

Examples of common issues that are underwriting red flags are information management and human resource management strategies that are likely to lead to unpleasant surprises, or governance policies that create ambiguities about the understanding of corporate values.

Underwriters also use indexed quantitative measures of reputational value and control. But even in cases where objective metrics might indicate that stakeholders are assuming responsible governance, underwriters might conclude that an organization was at risk for a rude surprise if:

• An organizational framework is not in place to manage and maintain a fluid information environment.

• Human resource management systems do not factor enterprise-level reputational consequences into the incentive systems.

• Board-level communications, including regulatory filings, do not present a uniform view of reputation risk and its management.

Video: Observant risk managers are aware of latent problems, such as the geopolitical risk that flared up between the Chinese and Vietnamese.

Reputation Management

The element of surprise is a common theme underpinning reputation risk. Because surprised stakeholders tend to punish companies that fail to meet their expectations, information management is a key strategy for providing better awareness for executive decision-makers, and also for better managing stakeholder expectations.

There are three information management systems underwriters like that provide business decision-makers with timely actionable intelligence.

These systems work by identifying risk patterns:

• From the federated information the companies house in their various data repositories;

• From the wealth of information found on the web; and

• From tacit information (read, gut feelings) held by key stakeholders.

All four risk archetypes have signatures that, when recognized, can lead to better risk mitigation or consequence management.

The art is in employing technologies and processes that can find these signatures and present actionable intelligence to executive decision-makers before “surprises” manifest.

Forewarned of latent and emerging risks, decision-makers are better equipped to protect a firm’s reputation by improving operations, mitigating operating risks, and responding more rapidly and effectively should threats materialize.

Spatio-temporal risks have obvious signatures. Flood plains have geographical and historical signatures. Weather patterns have emerging signatures.

Even emerging geopolitical risks have signatures — the burning of Chinese-owned factories in Vietnam, for example, was preceded by a long history of ethnic tension, a recent history of economic exploitation, and very near-term military disputes and government encouragement for the Vietnamese people to “express their feelings.”

Both negligent and criminal behavior (moral hazard) risks also have signatures. Consider the group at JPMorgan Chase taking outsized risks that eventually cost the bank $8 billion. The most prominent culprit in the group — the “London Whale” — was well known among his peers.

Criminal risks have signatures, which is a feature long appreciated by the global intelligence agencies. Black swans have signatures usually obvious only in hindsight.

These bits of information are like needles in a haystack, but can be found using algorithms that spot anomalies, discrepancies, and other departures from expectations.

However, before these technologies can help expose emerging risks in the publicly accessible data space, they need to be looking at the right haystacks. In that regard, big data engines that can merge multiple divergent stores of internal data can be very helpful.

Solutions that merge the two capabilities — targeting and spotting — comprise the family of technologies that can help reduce organizational surprises.

As for tacit information, there are systems that can provide insight into what employees and other internal stakeholders generally know but rarely share.

These systems perform the role for which hotlines were created, but they are far more effective, and in practice, embody “gamification” strategies for risk management.

All three technology capabilities can also help reduce insurance premiums.

Shareholder disappointment when a company fails to properly set expectations or fails to meet them can have significant personal consequences for the company’s directors and officers and can result in potentially unlimited costs of damaged stakeholder relationships going forward.

GRC processes and technologies can help to mitigate risk and to reduce the reputational consequences should the risk materialize.

Nir Kossovsky is the Chief Executive Officer of Steel City Re. He has been developing solutions for measuring, managing, monetizing, and transferring risks to intangible assets since 1997. He is also a published author, and can be reached at nkossovsky@steelcityre.com.

Sponsored: Liberty International Underwriters

A Renaissance In U.S. Energy

Resurgence in the U.S. energy industry comes with unexpected risks and calls for a new approach.
By: | October 15, 2014 • 5 min read

America’s energy resurgence is one of the biggest economic game-changers in modern global history. Current technologies are extracting more oil and gas from shale, oil sands and beneath the ocean floor.

Domestic manufacturers once clamoring for more affordable fuels now have them. Breaking from its past role as a hungry energy importer, the U.S. is moving toward potentially becoming a major energy exporter.

“As the surge in domestic energy production becomes a game-changer, it’s time to change the game when it comes to both midstream and downstream energy risk management and risk transfer,” said Rob Rokicki, a New York-based senior vice president with Liberty International Underwriters (LIU) with 25 years of experience underwriting energy property risks around the globe.

Given the domino effect, whereby critical issues impact each other, today’s businesses and insurers can no longer look at challenges in isolation one issue at a time. A holistic, collaborative and integrated approach to minimizing risk and improving outcomes is called for instead.

Aging Infrastructure, Aging Personnel

Robert Rokicki, Senior Vice President, Liberty International Underwriters

The irony of the domestic energy surge is that just as the industry is poised to capitalize on the bonanza, its infrastructure is in serious need of improvement. Ten years ago, the domestic refining industry was declining, with much of the industry moving overseas. That decline was exacerbated by the Great Recession, meaning even less investment went into the domestic energy infrastructure, which is now facing a sudden upsurge in the volume of gas and oil it’s being called on to handle and process.

“We are in a renaissance for energy’s midstream and downstream business leading us to a critical point that no one predicted,” Rokicki said. “Plants that were once stranded assets have become diamonds based on their location. Plus, there was not a lot of new talent coming into the industry during that fallow period.”

In fact, according to a 2014 Manpower Inc. study, an aging workforce along with a lack of new talent and skills coming in is one of the largest threats facing the energy sector today. Other estimates show that during the next decade, approximately 50 percent of those working in the energy industry will be retiring. “So risk managers can now add concerns about an aging workforce to concerns about the aging infrastructure,” he said.

Increasing Frequency of Severity

“Current financial factors have also contributed to a marked increase in frequency of severity losses in both the midstream and downstream energy sector. The costs associated with upgrades, debottlenecking and replacement of equipment, have increased significantly,” Rokicki said. For example, a small loss 10 years ago, in the $1 million to $5 million range, is now increasing rapidly and could readily develop into a $20 million to $30 million loss.

Man-made disasters, such as fires and explosions that are linked to aging infrastructure and the decrease in experienced staff due to the aging workforce, play a big part. The location of energy midstream and downstream facilities has added to the underwriting risk.

“When you look at energy plants, they tend to be located around rivers, near ports, or near a harbor. These assets are susceptible to flood and storm surge exposure from a natural catastrophe standpoint. We are seeing greater concentrations of assets located in areas that are highly exposed to natural catastrophe perils,” Rokicki explained.

“A hurricane thirty years ago would affect fewer installations than a storm does today. This increases aggregation and the magnitude for potential loss.”

Buyer Beware

On its own, the domestic energy bonanza presents complex risk management challenges.

However, gradual changes to insurance coverage for both midstream and downstream energy have complicated the situation further. Broadening coverage over the decades by downstream energy carriers has led to greater uncertainty in adjusting claims.

A combination of the downturn in domestic energy production, the recession and soft insurance market cycles meant greatly increased competition from carriers and resulted in the writing of untested policy language.

In effect, the industry went from an environment of tested policy language and structure to vague and ambiguous policy language.

Keep in mind that no one carrier has the capacity to underwrite a $3 billion oil refinery. Each insurance program has many carriers that subscribe and share the risk, with each carrier potentially participating on differential terms.

“Achieving clarity in the policy language is getting very complicated and potentially detrimental,” Rokicki said.

Back to Basics

Has the time come for a reset?

Rokicki proposes getting back to basics with both midstream and downstream energy risk management and risk transfer.

He recommends that the insured, the broker, and the carrier’s underwriter, engineer and claims executive sit down and make sure they are all on the same page about coverage terms and conditions.

It’s something the industry used to do and got away from, but needs to get back to.

“Having a claims person involved with policy wording before a loss is of the utmost importance,” Rokicki said, “because that claims executive can best explain to the insured what they can expect from policy coverage prior to any loss, eliminating the frustration of interpreting today’s policy wording.”

As well, having an engineer and underwriter working on the team with dual accountability and responsibility can be invaluable, often leading to innovative coverage solutions for clients as a result of close collaboration.

According to Rokicki, the best time to have this collaborative discussion is at the mid-point in a policy year. For a property policy that runs from July 1 through June 30, for example, the meeting should happen in December or January. If underwriters try to discuss policy-wording concerns during the renewal period on their own, the process tends to get overshadowed by the negotiations centered around premiums.

“After a loss occurs is not the best time to find out everyone was thinking differently about the coverage,” he said.

Changes in both the energy and insurance markets require a new approach to minimizing risk. A more holistic, less siloed approach is called for in today’s climate. Carriers need to conduct more complex analysis across multiple measures and have in-depth conversations with brokers and insureds to create a better understanding and collectively develop the best solutions. LIU’s integrated business approach utilizing underwriters, engineers and claims executives provides a solid platform for realizing success in this new and ever-changing energy environment.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty International Underwriters. The editorial staff of Risk & Insurance had no role in its preparation.


LIU is part of the Global Specialty Division of Liberty Mutual Insurance.