Target as Target
After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.
However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.
In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.
Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.
“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.
Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.
“I would still say it’s so much better to get it right the first time,” he said.
Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.
Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.
In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”
A key turning point came on Jan.13 when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction:
Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”
Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was faster than it’s been in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.
“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.
Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.
Other positive steps include Target’s $5 million investment in cyber security education said Michael Soza, a partner in accounting and consulting firm BDO.
“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.
As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.
But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.
“Those are the ones where the trust has really been lost,” Korschun said.
Stop the Silliness
While short of issuing a full-blown rant, I am frustrated by the ongoing subversion by marketing of the word “reputation” and its risks. Executives are putting companies at risk, government officials are embarrassing themselves and small businesses are suffering.
The silliness persists because “reputation” — a core driver of value created by expectations in the modern world of behavioral economics — has been hijacked by a handful of marketers to mean as much as a Facebook “Like.”
The Reputation at Risk survey by Deloitte late last year reported “76 percent of executives interviewed believed their company’s reputation to be better than average.” But the survey also reported “only 19 percent of those executives would give their company an “A” grade for their capabilities to manage reputation risk.”
Confounding reputation risk with social concepts such as likability and cultural acceptability is “doing it” wrong.
Those numbers worry me. It’s like saying 76 percent of restaurants believe they serve above average meals when only 19 percent score themselves highly on ensuring chef competence, food safety and quality of customer service.
Reputation is an expectation of behavior. Reputation risk is when behavior falls short of expectations. Reputation risk is created by setting expectations too high or by executing below par.
Execution is what companies do – deliver solutions safely, securely, sustainably and ethically. If the majority of the 300 executives surveyed by Deloitte are deluded about how well they deliver solutions when they admit they could manage risk better, the firms’ market values are then behavioral economic bubbles.
There’s another worrisome side to this misunderstanding: The Department of Justice’s Operation Choke Point. Since 2009, the DOJ and bank regulators have been forcing banks and other third-party payment processors to refuse services to companies that are deemed to pose “reputation risk.” The list of dubious industries is populated by enterprises that are generally legal.
Last year, start-up condom company Lovability learned that JPMorgan Chase would not handle its credit card transactions. Lovability’s founder, Tiffany Gaines, whose business discreetly sells condoms to women, said a bank representative told her that they would not work with her because doing so posed a “reputation risk” to the company.
This bizarre initiative, only now being challenged in Congress with the Financial Institution Customer Protection Act (H.R. 766), comes from a misunderstanding of orders from the Office of Comptroller of Currency (OCC) to manage financial risk due to “reputation risk.”
This is reputation risk in the behavioral economic sense — a risk of negative future expectations — which in the financial sector, means liquidity risk. It is what underpins contagion and leads to runs on banks and Lehman moments.
“In a market system based on trust,” Alan Greenspan said during the market meltdown precipitated by Lehman, “reputation has a significant economic value.”
Confounding reputation risk with social concepts such as likability and cultural acceptability is “doing it” wrong.
If awareness is the first step to redemption, then I take comfort in the Deloitte survey’s observation that 9 out of 10 executives are explicitly focusing on reputation risk as a key business challenge. But it is time to stop the silliness.
A Modern Claims Philosophy: Proactive and Integrated
According to some experts, “The best claim is the one that never happens.”
But is that even remotely realistic?
Experienced risk professionals know that in the real world, claims and losses are inevitable. After all, it’s called Risk Management, not Risk Avoidance.
And while no one likes losses, there are rich lessons to be gleaned from the claims management process. Through careful tracking and analysis of losses, risk professionals spot gaps in their risk control programs and identify new or emerging risks.
Aspen Insurance embraces this philosophy by viewing the data and expertise of their claims operation as a valuable asset. Unlike more traditional carriers, Aspen Insurance integrates their claims professionals into all of their client work – from the initial risk assessment and underwriting process through ongoing risk management consulting and loss control.
This proactive and integrated approach results in meaningful reductions to the frequency and severity of client losses. But when the inevitable does happen, Aspen Insurance claims professionals utilize their established understanding of client risks and operations to produce some truly amazing solutions.
“I worked at several of the most well known and respected insurance companies in my many years as a claims executive. But few of them utilize an approach that is as innovative as Aspen Insurance,” said Stephen Perrella, senior vice president, casualty claims, at Aspen Insurance.
“We do a lot of trending and data analysis to provide as much information as possible to our clients. Our analytics can help clients improve upon their own risk management procedures.”
— Stephen Perrella, Senior Vice President, Casualty Claims, Aspen Insurance
Utilizing claims expertise to improve underwriting
Acting as adviser and advocate, Aspen integrates the entire process under a coverage coordinator who ensures that the underwriters, claims and insureds agree on consistent, clear definitions and protocols. With claims professionals involved in the initial account review and the development of form language, Aspen’s underwriters have a full sense of risks so they can provide more specific and meaningful coverage, and identify risks and exclusions that the underwriter might not consider during a routine underwriting process.
“Most insurers don’t ever want to talk about claims and underwriting in the same sentence,” said Perrella. “That archaic view can potentially hurt the insurance company as well as their business partners.”
Aspen Insurance considered a company working on a large bridge refurbishment project on the West Coast as a potential insured, posing the array of generally anticipated construction-related risks. During underwriting, its claims managers discovered there was a large oil storage facility underneath the bridge. If a worker didn’t properly tether his or her tools, or a piece of steel fell onto a tank and fractured it, the consequences would be severe. Shutting down a widely used waterway channel for an oil cleanup would be devastating. The business interruption claims alone would be astronomical.
“We narrowed the opportunity for possible claims that the underwriter was unaware existed at the outset,” said Perrella.
Risk management improved
Claims professionals help Aspen Insurance’s clients with their risk management programs. When data analysis reveals high numbers of claims in a particular area, Aspen readily shares that information with the client. The Aspen team then works with the client to determine if there are better ways to handle certain processes.
“We do a lot of trending and data analysis to provide as much information as possible to our clients,” said Perrella. “Our analytics can help clients improve upon their own risk management procedures.”
For a large restaurant-and-entertainment group with locations in New York and Las Vegas, Aspen’s consultative approach has been critical. After meeting with risk managers and using analytics to study trends in the client’s portfolio, Aspen learned that the sheer size and volume of customers at each location led to disparate profiles of patron injuries.
Specifically, the organization had a high number of glass-related incidents across its multiple venues. So Aspen’s claims and underwriting professionals helped the organization implement new reporting protocols and risk-prevention strategies that led to a significant drop in glass-related claims over the following two years. Where one location would experience a disproportionate level of security assault or slip & fall claims, the possible genesis for those claims was discussed with the insured and corrective steps explored in response. Aspen’s proactive management of the account and working relationship with its principals led the organization to make changes that not only lowered the company’s exposures, but also kept patrons safer.
World-class claims management
Despite expert planning and careful prevention, losses and claims are inevitable. With Aspen’s claims department involved from the earliest stages of risk assessment, the department has developed world-class claims-processing capability.
“When a claim does arrive, everyone knows exactly how to operate,” said Perrella. “By understanding the perspectives of both the underwriters and the actuaries, our claims folks have grown to be better business people.
“We have dramatically reduced the potential for any problematic communication breakdown between our claims team, broker and the client,” said Perrella.
A fire ripped through an office building rendering it unusable by its seven tenants. An investigation revealed that an employee of the client intentionally set the fire. The client had not purchased business interruption insurance, and instead only had coverage for the physical damage to the building.
The Aspen claims team researched a way to assist the client in filing a third-party claim through secondary insurance that covered the business interruption portion of the loss. The attention, knowledge and creativity of the claims team saved the client from possible insurmountable losses.
Modernize your carrier relationship
Aspen Insurance’s claims philosophy is a great example of how this carrier’s innovative perspective is redefining the underwriter-client relationship. Learn more about how Aspen Insurance can benefit your risk management program at http://www.aspen.co/insurance/.
Stephen Perrella, Senior Vice President, Casualty, can be reached at Stephen.firstname.lastname@example.org.
This article is provided for news and information purposes only and does not necessarily represent Aspen’s views and does constitute legal advice. This article reflects the opinion of the author at the time it was written taking into account market, regulatory and other conditions at the time of writing which may change over time. Aspen does not undertake a duty to update the article.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Aspen Insurance. The editorial staff of Risk & Insurance had no role in its preparation.