Email
Newsletters
R&I ONE®
(weekly)
The best articles from around the web and R&I, handpicked by R&I editors.
WORKERSCOMP FORUM
(weekly)
Workers' Comp news and insights as well as columns and features from R&I.
RISK SCENARIOS
(monthly)
Update on new scenarios as well as upcoming Risk Scenarios Live! events.

Crisis Management

Target as Target

Risk experts grade Target's efforts to manage the reputation damage caused by the data breach.
By: | February 3, 2014 • 4 min read
TargetV1

After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.

However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.

Advertisement




In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.

Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.

“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.

Initial email (truncated) sent by Target on 12/19/2013. The original email included an additional 4 pages of information.

Initial email (truncated) sent by Target on 12/19/2013. The original email included an additional 4 pages of information.

Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.

“I would still say it’s so much better to get it right the first time,” he said.

2nd email to guests, 12/20/2013.

2nd email to guests, 12/20/2013.

Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.

Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.

In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”

A key turning point came on Jan.13 when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction:

Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”

Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was faster than it’s been in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.

“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.

Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.

Other positive steps include Target’s $5 million investment in cyber security education said Michael Soza, a partner in accounting and consulting firm BDO.

“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.

Advertisement




As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.

But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.

“Those are the ones where the trust has really been lost,” Korschun said.

Joel Berg is a freelance writer and adjunct writing teacher based in York, Pa. He has covered business and regulatory issues. He can be reached at riskletters@lrp.com.
Share this article:

Reputational Risk

The Underwriter’s View of Reputation Risk

The transfer of reputational risks involves both preventative strategies as well as finding ways to mitigate the impact.
By: | October 15, 2014 • 6 min read
risk

Thanks to the speed of the Internet and all things “viral,” scores of companies have found themselves at the center of a maelstrom of litigators, regulators and bloggers, often involving the public humiliation of the CEO and board of directors by activist investors.

Nir Kossovsky, CEO, Steel City Re

Nir Kossovsky, CEO, Steel City Re

Such are the hallmarks of a 21st century reputation crisis. The long-term economic consequences and the personal sting are among the compelling reasons for managing reputation risk.

Stakeholders expect companies to behave a certain way. That includes responsible behaviors such as supply chain integrity; manufacturing or production quality; ethical standards; innovation and intellectual property management; environmental sensitivity; and security (both physical and cyber) management.

It specifically includes C-suite and board-level behaviors including governance, risk management and compliance (GRC) policies. From time to time, companies fail to meet stakeholder expectations.

Advertisement




It may be surprising that reputation crises don’t always follow operational failures. But the explanation for this is simple and a key predictor of success. Reputation risk is the threat of a change in stakeholder expectations.

Provided the company was both aware and diligently managing its risks, stakeholders will forgive (read, preserve the reputation value of) a company that has suffered an operational failure.

As Frederick the Great explained nearly 150 years ago before the Internet undermined the effectiveness of corporate marketing and communications, “It is pardonable to be defeated, but never to be surprised.”

Since the goal of reputation risk management is to reduce the risk of a change in stakeholder expectations, risk management starts with understanding the underlying causes.

A comprehensive GRC strategy that centers on reputation risk should enumerate both mitigable causes of risk and mitigable consequences should those risks become reality. Reputation risks can be divided into four risk archetypes:

1. Spatio/temporal (being in the wrong place at the wrong time);

2. Criminal behaviors;

3. Negligent behaviors (including ethics, innovation, quality, safety, sustainability and security); and

4. Black swan events.

Some of the sources of business operating losses arising from these four reputation risk archetypes are business interruption, unauthorized or underreported product sales, excessive GRC and operating costs, redundant production costs, restitution costs, litigation costs, and regulatory fines and penalties.

Video: Bloomberg TV reviews the “red flags” ignored by JPMorgan during London whale trading scandal.

Such results of failure to deal with risks lead to lost revenue and earnings, and reduced enterprise value.

When these consequences spill over and lead to reputational harm, the range of monetary losses rises to a strategic level and can result in potentially unlimited costs from damaged stakeholder relationships going forward.

Losses then also include reduced pricing power, increased human resource costs, increased supplier and vendor costs, increased credit costs, above average fines and penalties, and depressed earnings multiples.

When an adverse operational event blossoms into a full-blown reputation crisis, in addition to the often long-term nature of strategic financial consequences, the personal consequences for the company’s directors and officers can be significant.

So it’s no small wonder that reputation risk has become a top governance risk in board-level surveys in recent years and that reputation risk management has become one of today’s leading strategic corporate imperatives.

Some insurers offer products that effectively warranty the governance of the companies they insure — assuring stakeholders that the insured has the requisite risk controls to protect the company’s reputational value and to better weather any reputational storm.

Such products require companies to have GRC processes and technologies that provide reputation-protecting controls, which an underwriting team must see before it agrees to cover these risks.

Underwriters also seek to understand how controls are monitored, how discrepancies are managed and how the validity of monitoring is affirmed. They look for evidence of negative impacts to effective governance, controls and risk management.

Underwriting Touch Points

Underwriters use qualitative measures that focus on operational awareness at the board and senior executive levels, and use questions designed to understand how a company effects oversight and operational control over the critical business processes that underpin reputation.

Advertisement




The scope of qualitative analysis is generally limited to a defined range of business processes and a listing of critical stakeholders including customers, vendors, employees, creditors, equity investors, and regulators.

Underwriters also seek to understand how controls are monitored, how discrepancies are managed and how the validity of monitoring is affirmed. They look for evidence of negative impacts to effective governance, controls and risk management.

Examples of common issues that are underwriting red flags are information management and human resource management strategies that are likely to lead to unpleasant surprises, or governance policies that create ambiguities about the understanding of corporate values.

Underwriters also use indexed quantitative measures of reputational value and control. But even in cases where objective metrics might indicate that stakeholders are assuming responsible governance, underwriters might conclude that an organization was at risk for a rude surprise if:

• An organizational framework is not in place to manage and maintain a fluid information environment.

• Human resource management systems do not factor enterprise-level reputational consequences into the incentive systems.

• Board-level communications, including regulatory filings, do not present a uniform view of reputation risk and its management.

Video: Observant risk managers are aware of latent problems, such as the geopolitical risk that flared up between the Chinese and Vietnamese.

Reputation Management

The element of surprise is a common theme underpinning reputation risk. Because surprised stakeholders tend to punish companies that fail to meet their expectations, information management is a key strategy for providing better awareness for executive decision-makers, and also for better managing stakeholder expectations.

There are three information management systems underwriters like that provide business decision-makers with timely actionable intelligence.

These systems work by identifying risk patterns:

• From the federated information the companies house in their various data repositories;

• From the wealth of information found on the web; and

• From tacit information (read, gut feelings) held by key stakeholders.

All four risk archetypes have signatures that, when recognized, can lead to better risk mitigation or consequence management.

The art is in employing technologies and processes that can find these signatures and present actionable intelligence to executive decision-makers before “surprises” manifest.

Forewarned of latent and emerging risks, decision-makers are better equipped to protect a firm’s reputation by improving operations, mitigating operating risks, and responding more rapidly and effectively should threats materialize.

Spatio-temporal risks have obvious signatures. Flood plains have geographical and historical signatures. Weather patterns have emerging signatures.

Even emerging geopolitical risks have signatures — the burning of Chinese-owned factories in Vietnam, for example, was preceded by a long history of ethnic tension, a recent history of economic exploitation, and very near-term military disputes and government encouragement for the Vietnamese people to “express their feelings.”

Both negligent and criminal behavior (moral hazard) risks also have signatures. Consider the group at JPMorgan Chase taking outsized risks that eventually cost the bank $8 billion. The most prominent culprit in the group — the “London Whale” — was well known among his peers.

Criminal risks have signatures, which is a feature long appreciated by the global intelligence agencies. Black swans have signatures usually obvious only in hindsight.

These bits of information are like needles in a haystack, but can be found using algorithms that spot anomalies, discrepancies, and other departures from expectations.

Advertisement




However, before these technologies can help expose emerging risks in the publicly accessible data space, they need to be looking at the right haystacks. In that regard, big data engines that can merge multiple divergent stores of internal data can be very helpful.

Solutions that merge the two capabilities — targeting and spotting — comprise the family of technologies that can help reduce organizational surprises.

As for tacit information, there are systems that can provide insight into what employees and other internal stakeholders generally know but rarely share.

These systems perform the role for which hotlines were created, but they are far more effective, and in practice, embody “gamification” strategies for risk management.

All three technology capabilities can also help reduce insurance premiums.

Shareholder disappointment when a company fails to properly set expectations or fails to meet them can have significant personal consequences for the company’s directors and officers and can result in potentially unlimited costs of damaged stakeholder relationships going forward.

GRC processes and technologies can help to mitigate risk and to reduce the reputational consequences should the risk materialize.

Nir Kossovsky is the Chief Executive Officer of Steel City Re. He has been developing solutions for measuring, managing, monetizing, and transferring risks to intangible assets since 1997. He is also a published author, and can be reached at nkossovsky@steelcityre.com.
Share this article:

Sponsored: Helmsman Management Services

Six Best Practices For Effective WC Management

An ever-changing healthcare landscape keeps workers comp managers on their toes.
By: | October 15, 2014 • 5 min read

It’s no secret that the professionals responsible for managing workers compensation programs need to be constantly vigilant.

Rising health care costs, complex state regulation, opioid-based prescription drug use and other scary trends tend to keep workers comp managers awake at night.

“Risk managers can never be comfortable because it’s the nature of the beast,” said Debbie Michel, president of Helmsman Management Services LLC, a third-party claims administrator (and a subsidiary of Liberty Mutual Insurance). “To manage comp requires a laser-like, constant focus on following best practices across the continuum.”

Michel pointed to two notable industry trends — rises in loss severity and overall medical spending — that will combine to drive comp costs higher. For example, loss severity is predicted to increase in 2014-2015, mainly due to those rising medical costs.

Debbie discusses the top workers’ comp challenge facing buyers and brokers.

The nation’s annual medical spending, for its part, is expected to grow 6.1 percent in 2014 and 6.2 percent on average from 2015 through 2022, according to the Federal Government’s Centers for Medicare and Medicaid Services. This increase is expected to be driven partially by increased medical services demand among the nation’s aging population – many of whom are baby boomers who have remained in the workplace longer.

Other emerging trends also can have a potential negative impact on comp costs. For example, the recent classification of obesity as a disease (and the corresponding rise of obesity in the U.S.) may increase both workers comp claim frequency and severity.

SponsoredContent_LM“The true goal here is to think about injured employees. Everyone needs to focus on helping them get well, back to work and functioning at their best. At the same time, following a best practices approach can reduce overall comp costs, and help risk managers get a much better night’s sleep.”
– Debbie Michel, President, Helmsman Management Services LLC (a subsidiary of Liberty Mutual)

“These are just some factors affecting the workers compensation loss dollar,” she added. “Risk managers, working with their TPAs and carriers, must focus on constant improvement. The good news is there are proven best practices to make it happen.”

Michel outlined some of those best practices risk managers can take to ensure they get the most value from their workers comp spending and help their employees receive the best possible medical outcomes:

Pre-Loss

1. Workplace Partnering

Risk managers should look to partner with workplace wellness/health programs. While typically managed by different departments, there is an obvious need for risk management and health and wellness programs to be aligned in understanding workforce demographics, health patterns and other claim red flags. These are the factors that often drive claims or impede recovery.

“A workforce might have a higher percentage of smokers or diabetics than the norm, something you can learn from health and wellness programs. Comp managers can collaborate with health and wellness programs to help mitigate the potential impact,” Michel said, adding that there needs to be a direct line between the workers compensation goals and overall employee health and wellness goals.

Debbie discusses the second biggest challenge facing buyers and brokers.

2. Financing Alternatives

Risk managers must constantly re-evaluate how they finance workers compensation insurance programs. For example, there could be an opportunity to reduce costs by moving to higher retention or deductible levels, or creating a captive. Taking on a larger financial, more direct stake in a workers comp program can drive positive changes in safety and related areas.

“We saw this trend grow in 2012-2013 during comp rate increases,” Michel said. “When you have something to lose, you naturally are more focused on safety and other pre-loss issues.”

3. TPA Training, Tenure and Resources

Businesses need to look for a tailored relationship with their TPA or carrier, where they work together to identify and build positive, strategic workers compensation programs. Also, they must exercise due diligence when choosing a TPA by taking a hard look at its training, experience and tools, which ultimately drive program performance.

For instance, Michel said, does the TPA hold regular monthly or quarterly meetings with clients and brokers to gauge progress or address issues? Or, does the TPA help create specific initiatives in a quest to take the workers compensation program to a higher level?

Post-Loss

4. Analytics to Drive Positive Outcomes, Lower Loss Costs

Michel explained that best practices for an effective comp claims management process involve taking advantage of today’s powerful analytics tools, especially sophisticated predictive modeling. When woven into an overall claims management strategy, analytics can pinpoint where to focus resources on a high-cost claim, or they can capture the best data to be used for future safety and accident prevention efforts.

“Big data and advanced analytics drive a better understanding of the claims process to bring down the total cost of risk,” Michel added.

5. Provider Network Reach, Collaboration

Risk managers must pay close attention to provider networks and specifically work with outcome-based networks – in those states that allow employers to direct the care of injured workers. Such providers understand workers compensation and how to achieve optimal outcomes.

Risk managers should also understand if and how the TPA interacts with treating physicians. For example, Helmsman offers a peer-to-peer process with its 10 regional medical directors (one in each claims office). While the medical directors work closely with claims case professionals, they also interact directly, “peer-to-peer,” with treatment providers to create effective care paths or considerations.

“We have seen a lot of value here for our clients,” Michel said. “It’s a true differentiator.”

6. Strategic Outlook

Most of all, Michel said, it’s important for risk managers, brokers and TPAs to think strategically – from pre-loss and prevention to a claims process that delivers the best possible outcome for injured workers.

Debbie explains the value of working with Helmsman Management Services.

Helmsman, which provides claims management, managed care and risk control solutions for businesses with 50 employees or more, offers clients what it calls the Account Management Stewardship Program. The program coordinates the “right” resources within an organization and brings together all critical players – risk manager, safety and claims professionals, broker, account manager, etc. The program also frequently utilizes subject matter experts (pharma, networks, nurses, etc.) to help increase knowledge levels for risk and safety managers.

“The true goal here is to think about injured employees,” Michel said. “Everyone needs to focus on helping them get well, back to work and functioning at their best.

“At the same time, following a best practices approach can reduce overall comp costs, and help risk managers get a much better night’s sleep,” she said.

To learn more about how a third-party administrator like Helmsman Management Services LLC (a subsidiary of Liberty Mutual) can help manage your workers compensation costs, contact your broker.

Email Debbie Michel

Visit Helmsman’s website

@HelmsmanTPA Twitter

Additional Insights 

Debbie discusses how Helmsman drives outcomes for risk managers.

Debbie explains how to manage medical outcomes.

Debbie discusses considerations when selecting a TPA.

SponsoredContent

BrandStudioLogo

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Helmsman Management Services. The editorial staff of Risk & Insurance had no role in its preparation.


Helmsman Management Services (HMS) helps better control the total cost of risk by delivering superior outcomes for workers compensation, general liability and commercial auto claims. The third party claims administrator – a wholly owned subsidiary of Liberty Mutual Insurance – delivers better outcomes by blending the strength and innovation of a major carrier with the flexibility of an independent TPA.
Share this article: