Storm, Hurricane. Workplace Violence, Terrorism. Missing Person, Kidnapping. A name is just a name, right?
Not in insurance, it isn’t.
When insurance companies see at the rising costs of Hurricane Sandy, the conversation inevitably starts of whether it was a hurricane or a storm by the time it hit New York. However, enterprises should not remain in ignorance of their policies, crossing their fingers for the favorable decision. According to insurance leaders, CSOs should gather the C-Suite to create a united plan to address everything from storms to workplace violence to terrorism in order to get the organization back to work faster, so that no matter which category Sandy – or any natural disaster or loss – falls into, they’re covered.
“Most security executives are charged with a unique role: protecting the organization’s assets,” says Sean Ahrens, Security Consulting Services Practice Leader for Aon Global Risk Consulting, and a member of Security’s editorial advisory board. “When security gets funding, it’s when the bell rings, either after a workplace violence or other negative event. It’s viewed as the cost of doing business.
“No matter the amount of control, organizations have to consider that things will happen, and leverage risk management policies and plans to respond to the worst effects,” he says.
Insurance is often considered the CFO’s responsibility – it’s a matter of money, but also of risk. This is where security needs to step up to the table and present their perspective, says Mark Monson, Director, Loss Control Specialty, at Hanover Insurance.
“From a security standpoint, your involvement should at least be relative to discussing what security measures are in place so your insurance carrier and agent, as well as top management, are aware of what’s in place,” says Monson.
“We’re always looking for ways for security to be improved,” he says. “Depending on the products potentially targeted, your insurance agent will ask if your lighting is adequate, if you have a full-time security patrol or a 24/7 security team, as well as what kinds of security systems you have in place.
“Security’s job is to make sure that people, property, assets and reputation are protected – insurance is one piece of that,” he adds.
By outlining all of the protective measures already in place, security executives can help reduce redundancies across departments, which can occur when an insurance agent evaluates a facility and might make recommendations that security already has covered. For example, the agent might suggest adding more physical patrols of a perimeter, while security already has the area covered through a virtual guarding program or added surveillance. The CSO might not be touring the facility during the evaluation, but as long as the enterprise’s representative is aware of what security has added to the facility, the CFO won’t feel the need to add a redundant layer of it
This includes having preemptive conversations with the CFO (or the party responsible for insurance purchasing) about upcoming risks and the insurance policies available to protect the enterprise from extreme losses.
Insurance policies can evolve as quickly as the risks they address, so it behooves security executives to remain informed on the latest insurance offerings, even if only to reinforce to upper management that they are not needed.
According to Randy Nornes, executive vice president at Aon, the three major insurance trends facing enterprises in 2013 are:
Global Travel and Security:“Normally, enterprises will procure multiple insurance policies for travelers. Employee benefits too will normally have some type of embedded travel assistance or emergency responder benefits. There’s a huge opportunity to understand the intersection of various policies,” says Nornes. “This will decrease friction and confusion between departments when things do happen and you’re coordinating a response, enabling you to access the right resources when you’re under duress.”
Organizations also need to be more proactive on travel safety, he says. If there is a sudden event, such as June’s protests in Turkey or Brazil, it might not be a direct threat to business travelers, but enterprises might want to move people out anyway.
According to Ahrens, “Global organizations are in locations they shouldn’t be. I’ve seen a lapse in K&R (Kidnap and Ransom) policies. These are essential in high-risk countries where kidnap is common – Mexico, Brazil, Portugal… there’s a whole slew of them. Without this type of policy, if something were to occur, enterprises may not be able to exercise resources to facilitate the quasi proof-of-life or negotiate a release. They would have to procure that outside of the policy, and usually that’s an emergency, and it could be expensive,” he says.
Other international insurance could include business travel accidents or foreign voluntary worker’s compensation insurance.
Pandemic:After SARS initially struck in 2002 and 2003, the risk of a pandemic striking grew to be a duty of care and operations issue for enterprises, says Nornes. “Some of the basic planning people have for disasters used to include pandemics, but it’s worth refreshing. Some of the considerations are backup locations, and from a security standpoint, if you don’t quarantine off workers coming to those sites you can literally transmit a disease into the backup site. Everyone’s so mobile now, so things can move quickly.”
Cyber Risk:“There are whole suites of products available for cyber risks,” Nornes says. “It’s actually a pretty rapidly developing risk management and insurance areas. Some products link back to traditional coverage while others address specific cyber risk elements. The main issue is to understand the services that are available and do things proactively to minimize damage from an event. Once you’re into the position where you’re looking to get paid back from insurance, you’re in a place that you don’t want to be anyway. A lot of this is promoting internal conversations before events occur to keep them from occurring.”
“We’ve seen huge losses in terms of hacking, and many have exceeded any expectation of cost,” says Ahrens. “Cyber is one of the big credible threats right now. The problem is: you don’t realize they amount of data at risk until you see the losses.
“Depending on the organization, the risk may not be one that we can absorb.”
And the risks in cyber are so varied; it’s difficult to address them all. Risks from the cyber age can come from a wide range of sources. For example, a prospective hire drops off his or her resume on a flash drive … which carries a virus. Executives may post updates on Facebook or other social media sites, leaving them vulnerable to security threats, cyber attacks or spying from the competition.
“The bottom line is that organizations need to understand the range of products and services available, and then promote conversations about the risks and the coverage before events occur,” says Nornes.
Monson also comments that he has seen losses in theft increase, including metal theft, especially copper, in open yard storage or remote locations of renewable energy sources.
Is ‘All Hazards’ Hazardous?
The “All Hazards” policy is a double-edged sword, these experts say. While it can be a boon to smaller organizations, international enterprises could find it difficult to utilize the umbrella policy when working abroad.
“An ‘All Hazards’ approach comes down with some basic, defined response mechanisms to manage a wide variety of events,” says Ahrens. “Would it cover civil unrest, like we saw during Hurricane Katrina? Maybe. The key to understanding the coerage is to understand what the policy will and will not cover. For instance, special peril protection may be required for specific hazards. However, the common hazards such as fire and select natural disasters should be covered.”
According to Nornes, a small firm could reasonably rely on an All Hazards or All Risks approach, but “realistically, it’s not the way most people should go, especially if you’re global. Compliance regulations changes from country to country, and each nation will have its own set of rules,” he says. An All Hazards approach in the U.S. might not fulfill the requirements of Canadian law, much less German, he notes.
One of the biggest changes Nornes sees approaching is an increased emphasis on compliance. “Newly enforced regulations on foreign corruption practices are leading to more internal compliance issues. Insurance may be able to help with investigative expenses and fines,” he says.
The Win-Win Scenario
“Many security managers don’t realize the money that’s available to security,” says Ahrens. “In a kidnap and ransom, they might not realize that there is a ‘consult and report’ function available to the security department to help them manage an incident.”
This funding could also come from a variety of other functions within the business, and a conversation over insurance is an easy way to get all of the parties at the same table and on the same level.
“Different functions don’t realize that everything within the organization is connected, so insurance is often procured by multiple departments,” says Nornes. “If you have separate policies, you have an employee temporarily in China, and he or she gets into a car accident. It’s unclear which insurance will step in – HR’s or risk management’s – so the process stalls.
“From a cost standpoint, if you do the work upfront, get rid of gaps and overlaps in coverage, you’ll save money by eliminating redundancy,” he adds. “It’s a win-win: You get cost savings, you’re smarter about the services available and there is less aggravation when an incident occurs.
“By breaking down the silos, security gets to take the lead.”
Nornes recommends approaching insurance coverage like a task force or project (“which reduces the possibility of it being a ‘turf issue,’” he says), where the CSO brings potential sources of support in for a conversation, and then hiring someone to assess the enterprise’s gaps and suggest improvements.
According to Monson, many insurance providers can provide guidance documents and recommendations to assist enterprises in conducting their own in-house audits throughout the year.
“It’s pretty simple now to bring all of the departments together,” says Nornes. “And starting those conversations is a strong step to get stronger, united insurance coverage.”