
How Habits Stifle Strategy

“It may seem like most organizations make rational choices based on deliberate decision making, but that’s not really how companies operate."

Last week, we discussed a major strategy issue for insurers: What happens when we have the knowledge to move forward but are stymied by a Knowing/Planning/Doing gap? It can be difficult for insurers to get from the point of knowing to the point of planning, let alone doing. We dipped into a relevant book by Stanford professor Jeffrey Pfeffer, titled The Knowing-Doing Gap: How Smart Companies Turn Knowledge Into Action. And we drew on Majesco’s findings in our most recent thought leadership paper, Strategic Priorities 2017 — Knowing vs. Doing.

So, if insurers know what needs to be done and aren’t doing it, what is standing in their way? Is it possible that the organization has built its own barriers to progress?

Recognizing harmful habits

Habits rule our individual lives. While there are many factors and hypotheses about why we don't do what we know we should, the root cause can be viewed by looking in the mirror. Human decisions and behaviors are powerfully driven by habits. Throughout our evolution, we have relied on habits for things as vital as our survival and as mundane as accomplishing daily tasks. Our brains are constantly making countless decisions and processing an endless flow of information from our environments. In his book, The Power of Habit, Charles Duhigg says scientists believe habits form as a way for the brain to save energy or effort.

A habit is created and maintained through a three-step process, or “loop.” It starts with a Cue, a trigger that tells the brain which behavior pattern to use, followed by a Routine, which is the physical, mental or emotional response to the cue, and then the Reward, which helps the brain decide if the particular loop was beneficial and should be remembered for future use. Once a loop is repeated enough times with a favorable outcome, it becomes more automatic … a system with straight-through processing.

In this way, habits are good things. They promote efficiency. They aid in quick decisions.
They become rules we can count upon. The downside is that with continued repetition, habits become more ingrained and harder to change.

And just like individuals, organizations are driven by habits. Duhigg puts it this way: “It may seem like most organizations make rational choices based on deliberate decision making, but that’s not really how companies operate at all. Instead, firms are guided by long-held organizational habits, patterns that often emerge from thousands of employees’ independent decisions. And these habits have more profound impacts than anyone previously understood.”

We often hear, “It’s always been done this way.” This is the death of innovation … something not needed in today’s world of change and disruption.

Habits can speed up decisions and operational tasks, but they can lead to the same problems that we know as “bad habits.” Majesco’s Strategic Priorities research suggests many insurance companies are stuck within long-held organizational habits, finding it difficult to change even when they know customer expectations, technology and market boundaries are changing the world around them.

This challenge of knowing versus doing is represented in Figure 1, which links the forces of change identified in Majesco’s Future Trends 2017: The Shift Gains Momentum report with the reality of how insurers are responding, both in terms of planning as well as doing. This highlights a significant gap. In addition, those initiatives where insurers are actually doing something tend to be those that are traditional areas of priority and understanding, like security, talent and legacy system replacement, rather than those that are transformational and require new thinking, different approaches and different business models.

Look around within the organization, and there may be hundreds of habits that are carryovers from past processes that once had good reasoning.
In one insurer, for example, a certain type of claim is always sent to the legal team for review before settlement because one time (a long time ago) the lack of review resulted in litigation. Since that time, policy language has changed, and similar litigation is rare. But the review is a habit that has stayed in place. If the organization can remove the review, many more claims could be automated. It’s a hurdle worth moving.

A Way Forward to Doing

Duhigg describes two approaches for changing harmful organizational habits so that beneficial change can take place. The first involves the implementation of and commitment to a small number of “keystone habits” by company leadership. A keystone habit is one that has a ripple effect on other habits that, over time, can transform the company. Implementing the keystone habit leads to improvements in other areas, much like a habit of exercising has been shown to lead to other positive habits like better eating and increased productivity. To illustrate this, Duhigg described how Paul O’Neill’s singular focus on improving worker safety at Alcoa during his tenure as CEO rippled through the company’s other processes and ended up transforming it from a struggling, dysfunctional company into an economic powerhouse.

The second approach is to wait until a crisis occurs and use it to shock the organization into change. While effective, waiting for a crisis certainly seems like a less desirable option. But sometimes it takes a major failure to motivate organizations to change their old, established ways of doing things. In fact, Duhigg notes that good leaders seize crisis “opportunities” to remake organizational habits, and some even prolong the sense of emergency on purpose.

The insurance companies that are not yet acting on the changes, or that don’t act soon, unfortunately may find that the gap between them and the leaders may become too large to be overcome.
It’s best to weed out detrimental habits and make room for growth. In our last blog in the series, we’ll look at some practical ways that insurers are closing the growing gap between knowing and doing. We’ll also look at the myth of stability that keeps insurers from taking much needed risks to build a secure future. In the meantime, be sure to read Majesco’s recently released report, Strategic Priorities 2017 — Knowing vs. Doing.

Denise Garth

Denise Garth is senior vice president, strategic marketing, responsible for leading marketing, industry relations and innovation in support of Majesco's client-centric strategy.

Insurance Technology Trends in '17, Beyond

Insurers may perform “innovation theater” but many are unlikely to be prepared when the next decade of change sneaks up on them.

Bill Gates famously said that we always overestimate the amount of change that will occur in the next two years and underestimate the change that will occur in the next 10. Looking back 10 years, we find a world devoid of iPads, iPhones, mobile apps, big data technologies, the Internet of Things, viable driverless cars or even social media beyond a niche early adopter group. We also find a world without direct online sales of commercial insurance, without persistent low interest rates, without widespread use of catastrophe bonds and without VCs who could spell "insurance."

But while most insurers believe that massive changes may occur in the next decade, few believe that the next two years will be substantially different from the last two when it comes to the need for significant product changes, the impact of predictive analytics or the threats of new digital distributors. Insurers devote less than one cent of each premium dollar today to transforming their technology capabilities to thrive in the next decade.

Insurers Making Technological Progress

Although technology spending is essentially flat, and less than a quarter of it is spent on transformational initiatives, on average, insurers are making progress. Use of predictive analytics is growing, and 18% of insurers believe it will have a materially positive effect on their business this year. Big data technology is expanding, as well, even though it continues to be directed not at big data sets but at solving enterprise data problems. And 10% to 20% are already embracing machine learning to improve their rating algorithms. Other AI usage is still in the potential stage, with insurers exploring the possibilities of leveraging machine vision for property underwriting and claims, and natural language processing for customer service.

Digital investments continue, even if there is still little agreement about what constitutes a “digital strategy” for insurers.
Portals are enhanced, and mobile is deployed as carriers seek to better engage their customers, distributors and other stakeholders.

Core system replacements are still painful and expensive but necessary to enhance the speed of product launches, improve digital service and data accessibility and reduce technical risk. Insurers have a new willingness to consider cloud-based core systems, with 20% already having deployed some core capabilities in a cloud environment and the same number planning pilot programs this year. The maturity of cloud providers and the growing awareness of their own limitations are mitigating carriers’ security concerns.

Security, meanwhile, continues to consume 10% of IT budgets, with no end in sight, and additional regulatory requirements add compliance pressure to certify procedures and formalize CISO roles.

A boom in analytics and digital across multiple industries is making it harder for insurers to find and retain IT talent, which is driving new strategies, from partnering with colleges and universities to develop new sources of talent to improving ease of employee return, to reacquire experienced staff. With flat resources and burgeoning needs, 40% of insurers are improving governance to make sure resources are allocated effectively and aligned with strategy.

Laying Bare the Underlying Structure of the Insurance Industry

Meanwhile, improved technology lays bare the underlying structure of the insurance industry. It’s not only distributors standing between insureds and primary insurers that are intermediaries facing the threat of disintermediation—it’s every link in the value chain between people or organizations with risk and pools of capital willing to take on that risk for a profit. This means primaries and reinsurers, as well.
Alternative distribution, distributor-developed programs, reinsurer-funded insurtech startups and catastrophe bonds and other risk derivatives all threaten the traditional insurance value chain. All of these stem from the technology-enabled democratization of the ability to analyze, package and transfer risk.

At the same time, technology offers the opportunity to ask new questions about the structure of insurance offerings. Is there any reason why minimum required coverage should be sold in all cases bundled with additional coverages, advice, service and risk management? Insurers are finding that some market segments prefer only one or two of these, while there are additional opportunities to monetize some of these offerings separately.

Many insurers are unsettled by the emergence of well-funded insurtechs, whether they are new competitors or providing enhanced capabilities to existing competitors. Despite the billions invested, insurtechs will not put major insurers out of business or radically transform the market in the next two years. Many will not even be in business in two years.

The Imperative to Learn from Insurtech

However, insurtechs will raise the bar on customer experience and process efficiency, as well as on the use of analytics to drive product and processes. They will show insurers how to expand the market by profitably serving underserved segments, and demonstrate how to incorporate emerging technology into key business processes. Insurers that do not learn from insurtech will lose out to those that do.

In part driven by the example of insurtechs, insurers are expanding their own formal innovation programs. These may take the form of a small group of educators and evangelists within the company, a dedicated R&D organization with a fully equipped lab and a protected budget or direct investing in startups.

Two Ingredients of Successful Innovation

Whatever innovation path insurers take, the primary determinant of success is the CEO’s and business unit leaders’ commitment to operationalize innovations, and their tolerance for the risk of failure. Without these two ingredients, insurers may perform “innovation theater” but are unlikely to benefit from any discoveries, and are unlikely to be prepared when the next decade of change sneaks up on them.

Matthew Josefowicz

Matthew Josefowicz is the president and CEO of Novarica. He is a widely published and often-cited expert on insurance and financial services technology, operations and e-business issues who has presented his research and thought leadership at numerous industry conferences.

We're Being Luddites About Verification

So many other industries have instant, online, automatic verification of information. Why are we so backward about proof of insurance?

There are several seminal moments when I first experienced something that forever changed the trajectory of my life:
  • While senior director of research and development at ACORD in 1992, I worked with New Science, a research firm. The insurance industry was heavily investing in the development of AL3 batch data standards via point-to-point dial-up connections. New Science, however, was looking way down the path toward global, online, real-time transactions through a single network connection. Working with New Science was the first time I heard the word "internet."
  • I distinctly remember walking through the Indianapolis airport and seeing someone holding a “brick” next to his head. It was the first time I saw a mobile phone in operation, a Motorola DynaTAC 8000X. Priced at $3,995 and weighing in at 28 ounces, the phone took roughly 10 hours to take on a full charge and offered only about 30 minutes of talk time on a highly limited analog network. Some of us remember running off airplanes to banks of payphones to check voice mail and to make calls between connections. Now it’s almost impossible even to find a pay phone.
  • My first date with Mary Ann Hildebrand was Oct. 9, 1971. Game 1 of the 1971 World Series featured the Pittsburgh Pirates against our hometown favorites, the Baltimore Orioles. A week later, I held her hand and kissed her for the first time. And, after 41 years of marriage, the rest is history, as they say.
I also clearly remember listening to and meeting Thornton May in 1992 after his scathing commentary, “Luddism Looms Large,” appeared in ComputerWorld. It was the first time I heard the term "Luddite." The term goes back to followers of Ned Ludd, the late 18th century British antitechnology leader who protested the replacement of human labor and skill with machines. Ludd energized a movement throughout the textile industry as his followers protested by destroying machines and property.
Luddism today is a more general term for those who are opposed to technology change.

When it comes to online verification, the insurance industry is filled with Luddites, compared with other industries. Every time an insurance policy or business relationship changes anywhere in the world, verification of insurance and compliance checking is required. This should happen digitally, right? In this day and age....

Instead, verification is delivered via a form, whether paper, fax or PDF. All have the same problem: The information in them is as of a point in time. The information is locked, and the receiver can't do anything with it. Compare that with these industries:
  • To verify stock price information, you don’t have someone send you a form saying what it was last week or last month. You don't even have to log onto the individual company websites, or have to go to the NYSE or NASDAQ. You just search for the company, and you see today’s price as it dynamically changes, in addition to historical pricing and a raft of other information.
  • To verify the status of a flight, you don’t have to log onto the individual airline websites. You just search for the airline and flight number and you see the schedule and whether it’s on time, in addition to city and gate information.
  • To verify my ability to pay, no one takes impressions of credit cards anymore. I do not show paper or PDF versions of my three-month-old credit card or bank statements to prove that I can pay. Nor does anyone take a picture of a check, my face and driver's license. Someone I'm paying reads my card or check electronically, automatically verifying that funds are available.
I was reminded of this on my most recent speaking engagement. At 4 a.m., I arrived at my destination city. I stepped into a cab and was efficiently whisked away to my meeting location. Cabs no longer take a physical impression of my credit card. Instead, my card with an onboard chip was inserted, read and charged. Boom! Verified.

Unlike other industries that have online verification available, today’s convoluted and wildly expensive verification of insurance is a vortex of manual effort, paper, email, faxes and procedures. Data is both late and locked in certificate forms (paper or PDF).

To begin getting our arms around the size of this opportunity, here are three sets of statistics to reflect on:
  • $1 trillion-plus of vehicle loans in the U.S. require verification at least once a year -- twice a year if the policy is six months, and perhaps 12 times a year if the insured is paying monthly.
  • 1.2 million companies with 28.8 million commercial trucks and 3 million drivers provide forms as proof of insurance. How many do you think are out of date? Fraudulent?
  • 42.6 million independent contractors provide form-driven proof of insurance when they bid on a job.
Companies that receive data on forms have no assurance that the information is real or accurate or complies with their needs. Even with extensive and expensive manual checking, no one really knows if the data on the form is valid. We have an expensive, lose-lose proposition.

Trying to fix the problem by addressing the form is like trying to fix cigarettes with a new type of cigarette. Problems with the underlying technology preclude a solution.

When a form-based proof/certificate of insurance is shared today, no one asks for a non-disclosure. There is also no password or encryption beyond the PDF format. Insurance rates, rules and forms are filed and approved by state agencies, which by nature make them available to the public. You can also go to web sites to search and view insurance carrier forms.

Insurance verification is not just at origination or signing of a contract. Insurance verification is continuous. Once it goes on, it goes on and on.

Chet Gladkowski

Chet Gladkowski is an adviser for GoKnown.com, which delivers next-generation distributed ledger technology with E2EE and flash-trading speeds to all internet-enabled devices, including smartphones, vehicles and IoT.

Hard Lessons on Protecting Health Data

A recent settlement highlights compliance weaknesses existing in the operations of many HIPAA covered entities and business associates.

The $2.5 million payment and corrective action plan that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) required for CardioNet to settle potential charges of noncompliance with the Health Insurance and Portability Act (HIPAA) Privacy and Security Rules contains many important lessons for other healthcare providers, health plans, healthcare clearinghouses (Covered Entities) and their business associates.

A remote cardiac monitoring provider, CardioNet is paying the $2.5 million settlement payment and implementing a corrective action plan to settle potential OCR charges that it violated HIPAA by impermissible disclosure of unsecured electronic protected health information (ePHI).

The first OCR HIPAA settlement involving a wireless health services provider, the CardioNet Resolution Agreement and Corrective Action Plan (Resolution Agreement) announced by OCR on April 24, 2017, adds to the rapidly growing list of announced OCR HIPAA enforcement actions that clearly show all covered entities and their business associates the substantial enforcement liability risks of failing to finalize and actually adopt, implement, administer and maintain the necessary HIPAA Privacy and Security policies and procedures required by HIPAA, as well as some of the steps OCR expects to fulfill these requirements.

CardioNet OCR Investigation and Resolution Agreement

As has become increasingly common in recent years, the CardioNet settlement arose from concerns initially brought to OCR’s attention in connection with a HIPAA breach notification report. On Jan. 10, 2012, OCR received notification from the provider of remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias that a workforce member’s laptop with the ePHI of 1,391 individuals was stolen from a parked vehicle outside of the employee’s home. CardioNet subsequently notified OCR of a second breach of the ePHI of 2,219 individuals.
The facts outlined in the resolution agreement highlight compliance weaknesses existing in the operations of many HIPAA covered entities and business associates. According to the resolution agreement, OCR’s investigation in response to these breach reports revealed a series of continuing compliance concerns, including:
  • CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities;
  • CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented;
  • CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices;
  • CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015; and
  • CardioNet failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.
To resolve these OCR charges, CardioNet agrees to pay $2.5 million to OCR and implement a corrective action plan. Among other things, the corrective action plan requires CardioNet to complete the following actions to the satisfaction of OCR:
  • Prepare a current, comprehensive and thorough risk analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems and applications controlled, currently administered or owned by CardioNet, that contain, store, transmit, or receive electronic protected health information (“ePHI”) and update that risk analysis annually or more frequently, if appropriate in response to environmental or operational changes affecting the security of ePHI.
  • Assess whether its existing security measures are sufficient to protect its ePHI and revise its risk management plan, policies and procedures and training materials and implement additional security measures, as needed.
  • Develop and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis as required by the risk management plan.
  • Review and, to the extent necessary, revise, its current security rule policies and procedures based on the findings of the risk analysis and the implementation of the risk management plan to comply with the HIPAA Security Rule.
  • Provide certification to OCR that all laptops, flashdrives, SD cards and other portable media devices are encrypted, together with a description of the encryption methods used.
  • Review and revise its HIPAA security training to include a focus on security, encryption and handling of mobile devices and out-of-office transmissions and other policies and practices required to address the issues identified in the risk assessment and otherwise comply with the risk management plan and HIPAA, and train its workforce on these policies and practices.
  • Investigate all potential violations of its HIPAA policies and procedures and notify OCR in writing within 30 days of any violation.
  • Submit annual reports to OCR, which must be signed by an owner or officer of CardioNet attesting that he or she has reviewed the annual report, has made a reasonable inquiry regarding its content and believes that the information is accurate and truthful.
  • Maintain for inspection and copying, and provide to OCR, upon request, all documents and records relating to compliance with the corrective action plan for six years.

Implications of CardioNet and Other HIPAA Enforcement For Covered Entities and Business Associates

The CardioNet resolution agreement contains numerous lessons for other covered entities and their business associates, including:
  • Like many previous resolution agreements announced by OCR, the resolution agreement reiterates the responsibility of covered entities and business associates to properly secure their ePHI and that as part of this process OCR expects all laptop computers and other mobile devices containing or with access to ePHI will be properly encrypted and secured.
  • It also reminds covered entities and their business associates to be prepared for, and expect an audit from, OCR when OCR receives a report that the organization experienced a large breach of unsecured ePHI.
  • The resolution agreement’s highlighting of the draft status of CardioNet’s privacy and security policies also reflects that OCR expects covered entities to actually finalize policies, procedures and training for maintaining compliance with HIPAA.
  • The discussion and requirements in the corrective action plan relating to requirements to conduct comprehensive risk assessments at least annually and in response to other events, and to update policies and procedures in response to findings of these risk assessments also drives home the importance of conducting timely, documented risk analyses of the security of ePHI, taking prompt action to address known risks and periodically updating the risk assessment and the associated privacy and security policies and procedures in response to the findings of the risk assessment and other changing events.
  • The requirement in the resolution agreement of leadership attestation and certification on the required annual report reflects OCR’s expectation that leadership within covered entities and business associates will make HIPAA compliance a priority and will take appropriate action to oversee compliance.
  • Finally, the $2.5 million settlement payment required by the resolution agreement and its implementation against CardioNet makes clear that OCR remains serious about HIPAA enforcement.
While the $2.5 million settlement payment sends a strong message about the risks of violating HIPAA by itself, this lesson takes on even greater significance when considered in light of OCR’s January 2017 announcement of its imposition of another HIPAA civil monetary penalty (CMP) against Children’s Medical Center of Dallas and the growing list of expensive settlement payments that OCR has exacted from other covered entities wishing to avoid CMPs for their alleged HIPAA violations. In January 2017, for instance, OCR announced Children’s paid a $3.2 million CMP assessed by OCR for failing to adequately secure electronic protected health information (ePHI) and correct other HIPAA compliance deficiencies that resulted from its failure to take appropriate, well-documented actions to timely secure ePHI on systems and mobile devices and other actions needed to comply with other HIPAA privacy or security requirements.

Of course, covered entities and business associates need to keep in mind that actions and inactions that create HIPAA liability risks also carry many other potential legal and business risks. For instance, since PHI records and data involved in such breaches usually incorporate Social Security Numbers, credit card or other debt or payment records or other personal consumer information, and other legally sensitive data, covered entities and business associates generally also may face investigation, notification and other responsibilities and liabilities under confidentiality, privacy or data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code, the Social Security Act, state identity theft, data security, medical confidentiality, privacy and ethics, insurance, consumer privacy, common law or other state privacy claims and a host of other federal or state laws.
Depending on the nature of the covered entity or its business associates, the breach or other privacy event also may trigger fiduciary liability exposures for health plan fiduciaries in the case of a health plan, professional ethics or licensing investigations or actions against health care providers, insurance companies, administrative service providers or brokers, shareholder or other investor actions, employment or vendor termination or disputes and a host of other indirect legal consequences.

Beyond, and regardless of, the technical legal defensibility of its actions under these and other laws, however, the most material and often most intractable consequences of a HIPAA or other data or other privacy breach report or public accusation, investigation or admission also typically are the most inevitable:
  • The intangible, but critical loss of trust and reputation that covered entities and business associates inevitably incur among their patients, participants, business partners, investors and the community; and
  • The substantial financial expenses and administrative and operational disruptions of investigating, defending the actions of the organization and implementation of post-event corrective actions following a data or other privacy breach, audit, investigation or charge.
In light of these risks, covered entities, business associates and their management should use the experiences of CardioNet and other covered entities or business associates caught violating HIPAA or other privacy and security standards to reduce their HIPAA and other privacy and data security exposures. Management of covered entities and their business associates should take steps to ensure that their organizations’ policies, practices and procedures currently are up-to-date, appropriately administered and monitored, and properly documented.

Management should ensure that their organizations carefully evaluate and strengthen as necessary, in a well-documented manner, their current HIPAA risk assessments, policies, practices, record keeping and retention and training in light of these and other reports as they are announced. The focus of these activities should be both to maintain compliance and position their organizations efficiently and effectively to respond to and defend their actions against a data breach, investigation, audit or accusation of a HIPAA or other privacy or security rule violation with a minimum of liability, cost and reputational and operational damages.

As the conduct of these activities generally will involve the collection and analysis of legally sensitive matters, most covered entities and business associates will want to involve legal counsel experienced with these matters and utilize appropriate procedures to be able to use and assert attorney-client privilege and other evidentiary privileges to mitigate risks associated with these processes.
To help plan for and mitigate foreseeable expenses of investigating, responding to or mitigating a known, suspected or asserted breach or other privacy event, most covered entities and business associates also will want to consider the advisability of tightening privacy and data security standards, notification, cooperation and indemnification protections in contracts between covered entities and business associates, acquiring or expanding data breach or other liability coverage, or other options for mitigating the financial costs of responding to a breach notification, investigation or enforcement action.

Cynthia Marcotte Stamer

Cynthia Marcotte Stamer is board-certified in labor and employment law by the Texas Board of Legal Specialization, recognized as a top healthcare, labor and employment and ERISA/employee benefits lawyer for her decades of experience.

The Cyber Threat in Manufacturing

While most people understand the threat to data privacy for retailers, hospitals, banks, etc., few realize how vulnerable manufacturers are.

A friend of mine asked me if the cyber-risk threat was a bit of flimflam designed to sell more insurance policies. He compared cyber-risk to the Red Scare of the 1950s, when families scrambled to build bomb shelters to protect them from a war that never came. The only ones who got rich back then were the contractors, he concluded. I found his question incredible. But I realized that he didn’t work in the commerce stream, per se, which quelled my impulse to slap him around.
I shared with him some statistics that sobered him up quickly. I explained that cyber-crime costs the global economy more than $400 billion per year, according to estimates by the Center for Strategic and International Studies. Each year, more than 3,000 companies in the U.S. have their systems compromised by criminals. IBM reports more than 91 million security events per year. Worse yet, the Global Risks 2015 report, published in January by the World Economic Forum (WEF), included this rather stark warning: “90% of companies worldwide recognize they are insufficiently prepared to protect themselves against cyber-attacks.”
Cyber protection is not just about deploying advanced cyber threat technology to manage risk; you also have to educate your employees to not fall victim to unassuming scams like “phishing,” which is stealing private information via e-mail or text messages. It remains the most popular con as far as stealing company data because it’s so painfully simple. Just pretend to be someone else and hope a few people fall for it.
While most people understand the threat to data privacy for retailers, hospitals and banks and other financial institutions, few realize that manufacturers are also vulnerable in terms of property damage and downtime. In 2014, a steel manufacturing facility in Germany lost control of its blast furnace, causing massive damage to the plant. The cause of the loss was not employee error, but rather a cyber-attack.
While property damage resulting from a cyber-attack is rare, the event was a wake-up call for manufacturers worldwide. According to The Manufacturer newsletter, “the rise of digital manufacturing means many control systems use open or standardized technologies to reduce costs and improve performance, employing direct communications between control and business systems.” This exposes vulnerabilities previously thought to affect only office computers. In essence, according to The Manufacturer, cyber attacks can now come from both inside and outside of the industrial control system network.
Manufacturers also need to be concerned about cyber attacks that would: a) interrupt their physical supply chain or b) allow access to their system via the third-party vendor. Manufacturers must then take steps to mitigate those risks. When Target and Home Depot were hacked several years ago, it wasn’t a direct attack on them but an attack on one of their third-party vendors. By breaching the vendors’ weak cyber security, the criminals were able to access the larger prize.
To circle back to my friend’s weird fallout-shelter theory, it’s certainly a good idea to have a backup plan in case one is hit by a proverbial “cyber-bomb.” But rather than hunker down and wait for the attack to occur, it’s critical to educate employees, vet vendors’ cyber-security and adopt -- and continuously optimize -- a formal cybersecurity program.

Daniel Holden

Dan Holden is the manager of corporate risk and insurance for Daimler Trucks North America (formerly Freightliner), a multinational truck manufacturer with total annual revenue of $15 billion. Holden has been in the insurance field for more than 30 years.

Where Are All Our Thought Leaders?

How often is a representative of our industry asked to weigh in on a pressing issue of the day? Rarely, if ever. We need a seat at the table.

How often is a representative of our industry asked to weigh in on a pressing issue of the day? The answer is: rarely, if ever. Within our culture, thought leadership and the insurance industry are rarely intertwined. Thought leaders are sought out for their opinions and ideas. They are experts in their field who can see the “bigger picture” on issues important to many. College professors, politicians, editorial writers and financial analysts are some of the professionals in whom thought leadership seems to most comfortably reside. The reasons behind our exclusion, I suppose, are varied. Perhaps most people are unaware of the nature and impact of the industry on their daily lives -- “out of sight, out of mind.” It is also easy for industry executives to lose sight of the forest for the trees. Each insurance policy we negotiate on behalf of our clients must be carefully constructed to cover a myriad of conceivable risks. One missing word or poorly constructed sentence will result in a potentially devastating claim rejection. A requisite focus on detail can crowd out the bigger picture.
We are the equivalent of firewatchers. Business owners depend on us to identify, root out and transfer risk in a number of ways. Our constant state of heightened wariness has a leveling effect. For many of us “firewatchers,” small things matter a great deal—a shift in the winds, a dry summer or an untended campfire or a change in claims management, carrier appetite or operations. To live in the moment and be aware of the need to be diligent now does not allow for the forward-looking characteristics normally reserved for someone considered to be a thought leader. Young people searching for a career rarely associate the words "exciting," "challenging" and "stimulating" with the insurance industry. A young insurance producer is never the lead in a TV drama and certainly not a sitcom. Of course, perception is only a piece of the puzzle.
The ideal skill set demanded for an insurance professional may discourage young people who view being a thought leader as a career goal. Yet, any modestly observant and well-read person can see a great deal is happening in the world and in our business. The rapidly shifting landscape requires muscular thought leadership from insurance professionals—not one, but many. One of the many issues we as an industry face is the perception of being slow to change, to adapt and “flex” when necessary. A cursory review of some of the recent system combinations in the industry reveals just how inflexible we are in modifying how we do what we do. CFO Magazine’s recent article titled “Insurance’s Innovation Gap” (April 3, 2017, by David Katz) was not flattering. The mounting challenges of cyber security, alone, demand herculean thought leadership. Although nearly every nonprofit and commercial organization would benefit from the addition of cyber liability coverage to its insurance portfolio, many do not have this coverage. We believe they do not fully appreciate the potentially ruinous risks or are perhaps waiting for some bellwether event to push them into a purchase. It is our job as risk managers and insurance professionals to identify and negotiate adequate coverages, build a persuasive sales argument and successfully communicate it. Of course, even as we take the lead in managing current cyber risks, new and heightened risks are evolving. Thought leadership must look ahead to evolving cyber threats and begin to formulate a risk management response. Emerging artificial intelligence applications also require strong thought leadership from the risk perspective. As many are working to make the wildest dreams of this technology reality, insurance industry professionals must be equally imaginative in analyzing emerging risks and developing coverages to mitigate and transfer these risks.
As the gig economy (the economy centered on short-term contracts) spreads through wide swaths of the commercial landscape, insurance industry professionals must provide the thought leadership required to manage emerging risks. The speed with which the gig economy is advancing only adds to the urgency. While Uber was founded only eight years ago, it now operates in 570 cities worldwide. The breadth of the gig economy also calls for thought leadership. The simple risks posed by dog walking apps, for example, are as new as morning. The risks to both those who walk and own the dogs are as numerous as the minutes in the rest of the day. The promise of driverless cars challenges our thought leadership in more than one way. Assurances regarding the safety of this technology notwithstanding, there will be a place for risk management. Insurance industry professionals must identify and evaluate the risks, while developing appropriate coverages. As an industry, we must also prepare for potential lost revenue as safe technology takes the seats formerly occupied by accident-prone drivers. Drone sales are expected to nearly triple from 2.5 million in 2016 to 7 million in 2020, the FAA said last year. Without getting fancy about it, risks and claims stemming from drone sales will also likely nearly triple in these four years. Thought leadership must anticipate the type and extent of these risks, while calculating the cost of the claims. Discussions of drones may also lead to the perils of terrorism. As events in Europe demonstrate, terrorists are prepared to turn even motor vehicles into weapons. These acts appear to be random and are exceedingly difficult to predict. Thought leadership is required to mitigate the unknown risks—a very tall order—and anticipate the claims. It is not something we as an industry can do alone, but we must be active participants when the solving begins. 
The new administration in Washington also calls for thought leadership. As rules regarding the internet, the environment, healthcare and so much more shift, the insurance industry must provide thought leadership to insureds who are affected by these changes. As a general principle, the insurance industry must take a seat at the table. There are many moving pieces in any functioning society. These include technology, human capital, innovation, infrastructure, transportation, public utilities and hundreds more. Risk is not simply one of the moving pieces; it is a major component running through all of them like a coil of rope. This is our area of expertise. It is where our thoughts must be heard. This article was originally published at Carrier Management.

Kevin McPoyle

Kevin is a founding partner and president of KMRD Partners, Inc. (http://www.kmrdpartners.com), a Bucks County Property & Casualty agency focused on reducing the cost of risk for organizations with complex risk management requirements. KMRD Partners supports a unique mix of higher hazard clients, both public and private, including manufacturers, distribution companies, contractors, health care and not for profit organizations, financial services firms, and professional service firms, having both national and international exposures.

Key Trends in Innovation (Part 1)

The impact of insurtech is at least 40% to the average carrier -- with a 20% possible upside, and a 20% downside scenario.

This article is the first in a series on key forces shaping the insurance industry.
Trend #1: In the future, insurance will be bought, sold, underwritten and serviced in a fundamentally different way, and that creates opportunities for industry leaders and problems for industry laggards.
We are still in the initial stages of what Gartner terms the Hype Cycle, with an ever-increasing amount of noise and expectation without clear impact and results. Have we reached the peak of inflated expectations? We expect not. Certainly, valuations continue to rise with relatively new businesses still at the effectively pre-revenue stage commanding valuations in the tens of millions. Hard to justify on any fundamental level. However, at the core of insurtech, we continue to see a huge opportunity to innovate in a sector that is ripe for change – lack of customer engagement, lack of customer trust, outdated and legacy infrastructure combined with traditional and unpopular products all highlight the need for change and the underlying potential.
Ignore Insurtech at Your Own Risk
Eos has talked with dozens of insurance companies, and there is a wide range of responses from the insurance community about when, where, if and how to engage with insurtech. The top insurance companies have, for the most part, followed a two-phased approach combining an innovation team with a corporate venture initiative. These carriers see the impending disruption clearly and want to be able to shape and influence the impact. The results so far have been mixed, as some large incumbents have found it difficult to circumvent legacy mindsets, governance, organizational structures and technology.
Other carriers have yet to agree/settle on an approach to deal with these disruptive forces. Eos calculates that the impact of insurtech is at least 40% to the average carrier.
We calculate that by looking at a 20% upside, and a 20% downside scenario: On a conservative basis, insurers may risk losing at least 20% of their business to disruption. On the flip side, for those that embrace innovation there is an opportunity to grow their business by 20%. Stated another way, the net present value (NPV) of insurtech is $100 million for every $1 billion of premium on the downside and $285 million on the upside, assuming a top-line and profitability improvement. Timing is also key, as the scale of adoption and impact is not linear. The upside opportunity by investing now in the right opportunities is likely to give an insurer a lead that others can’t catch -- essentially a “first-mover” advantage. At the same time, the lost opportunity by delaying is exponential, not linear.
There are many ways to create and capture value
The positive momentum is further driven by the growth of insurtech into all areas of the value chain and across multiple product lines. We see two broad types of innovator: the "enabler" and the "disruptor." The enabler is a business that significantly improves an existing part of the value chain driving efficiency, improved customer satisfaction or better customer outcomes. A great example is RightIndem, which is transforming the claims process by creating an end-to-end, customer-managed claims process. The disruptor is a business that has developed a new approach to fulfilling part, or all, of the value chain. This is illustrated by Insure A Thing, an insurtech startup that has created a way of providing insurance without the need for an upfront premium. On face value, the disruptors may appear more exciting, but the enablers perhaps better illustrate the underlying potential of insurtech, as there is an abundance of opportunities for most insurance companies to hit "the low-hanging fruit" and do things better, more cheaply and more aligned with the customer.
Insurtech is not an overnight revolution, and there are many ways to create and capture value that combine different elements of the above, for example:
  • Low-hanging fruit -- these are mostly your enablers
  • True differentiators -- a combination of enablers and disruptors
  • Measured bets for the future -- all pure disruptors
At Eos, we continue to adapt and evolve our investment strategy to take advantage of these opportunities, with an initial focus on our three core platforms:
  • Digital distribution
  • Frictionless claims
  • Artificial intelligence for risk selection, underwriting, pricing and capital optimization
All of the above underpin our first trend and belief that the future of insurance will look very different than today, with all areas of the value chain from distribution, underwriting, products, claims and customer engagement changing fundamentally:
  • Bought differently: As asset ownership (cars, homes, etc.), mobility and cross-border employment evolve with the shared economy, insurance covers (at least personal lines initially) will be bought on a just-in-time, on-demand, needs basis. Greater information transparency on the buyer and seller side will enable direct interaction with lower cost of intermediation/brokerage. We see this starting with simpler personal line covers and gradually evolving to more complex risks.
  • Sold differently: Insurance will be quoted, bound and issued at points of transaction/sales/service enabled by ubiquitous IoT, telematics and external data availability. Selling will become increasingly distributed and linked to companies with strong customer engagement across both B2C and B2B sectors.
  • Serviced differently: End consumers will choose how to be serviced and made whole via a channel, time and a manner of their choice. Servicing, especially claims, will focus on "delivering on the customer promise" as an integral part of the policy.
We hope you enjoy these insights, and look forward to collaborating with you as we create a new insurance future. Next article in the series: Trend #2: “External data and contextual information will become increasingly more important than historical internal data for predicting risk and pricing.”
This article was written by Sam Evans, Carl Bauer-Schlichtegroll and Jonathan Kalman.

Sam Evans

Sam Evans is founder and general partner of Eos Venture Partners. Evans founded Eos in 2016. Prior to that, he was head of KPMG’s Global Deal Advisory Business for Insurance. He has lived in Sydney, Hong Kong, Zurich and London, working with the world’s largest insurers and reinsurers.

The Current State of Risk Management

Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.

The Ponemon Institute recently shared the results of its survey on risk management: The Imperative to Raise Enterprise Risk Intelligence: Inside the Promise & Pitfalls of Enterprise Risk Management. The results are disturbing, but unfortunately what I had anticipated. The 641 who answered the survey were involved in risk management within their organization, so the results are skewed toward having some level of formalized risk management. In other words, the respondents are better than the general population. Most of the respondents are IT folk, and some of the questions reflect the author’s IT orientation, as opposed to a general business one.
The report, as so many, has to define risk management in its own way. But, frankly, the definition isn't bad. The report splits the issue into risk management and risk intelligence.
“In the context of this research we define enterprise risk management as the application of rigorous and systematic analysis techniques to the evaluation of risks that impact the whole organization including information assets and IT infrastructure. Cyber risk management is considered a component of enterprise risk management. We define enterprise risk intelligence as the insight necessary to drive actionable business decisions related to governance, risk and compliance. It is the organization’s ability to think holistically about risk and uncertainty, speak a common risk language and effectively use real-time information and forward-looking risk concepts and tools to maximize business performance.”
Ponemon tells us that only 24% of respondents said they have a risk management strategy that is clearly defined and pertains to the entire enterprise. Ponemon doesn't define what it means by a risk management strategy, so I can’t comment further. But this is key:
“…only 43 percent of respondents say enterprise risk intelligence integrates well with the way our business leaders make decisions.”
I have to wonder whether the business leaders would agree with that assessment by the risk practitioners! This adds fuel to that fire:
“A lack of collaboration among organizational functions is a barrier to an effective enterprise risk management program. 53% of respondents say their finance, operations, compliance, legal and IT functions do not collaborate on enterprise risk management activities. Only 8% of respondents say these functions fully collaborate in enterprise risk management activities.”
A lack of resources and an inadequate budget are identified as barriers. But here is the key question. If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we be surprised that the risk management activity is under-funded? This is demonstrable when “30% of respondents say no one person has overall responsibility to ensure the risk management program is well executed.”
The appendix contains some valuable pieces of information. Here are two:
  • Only 32% say their organization has a very significant commitment to enterprise risk management.
  • On a scale of 1 (low) to 10 (high), just 14% of the respondents rated the effectiveness of their risk management activity as a 9 or 10.
So what do we make of this? Let’s start with some unpleasant facts!
  1. Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
  2. If they saw risk management as helping them make better decisions, you can bet they would invest in it!
  3. They can be persuaded, not by words but by action.
  4. Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
  5. Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
  6. The traditional approach to risk management, a list of top risks, is not going to work. It hasn’t worked for decades so why should it now?
  7. Satisfying the board but not top management is not a recipe for long-term success.
  8. The risk practitioner has to think out of the box. Understand what the company’s leaders need to be successful and make intelligent and informed decisions, then deliver it.
I welcome your comments.

Norman Marks

Norman Marks has spent more than a decade as a chief audit executive (CAE) for major companies, with as much as $28 billion in annual revenue. He has implemented risk management, ethics programs and disclosure processes at multiple organizations.

Finding innovation under the big top

EY last week held the glitziest event I've attended in some time. When I walked into a huge tent by the water along the San Francisco Bay, I was handed an iPad that contained all the information I'd need for the day. There was even a compass on the home screen that could direct me to where I should go. The name tag on the lanyard that I put around my neck was oddly heavy. It turned out to be a smart device. Rather than hand out business cards, you could exchange information with someone by touching your name tags to each other's. 

I half-expected a Cirque du Soleil show to start up. 

But our friends at EY, including Shaun Crawford and Dave Hollander, had bigger things in mind for the, I'd guess, 200 people who attended. They provided ideas and exercises to stretch our thinking on how to innovate, to get us past the incremental thinking that still afflicts so many of us even in these creative times. 

My group focused on reimagining healthcare and pretty quickly pushed the bounds of what we might have imagined would be possible. One subgroup proposed a sort of data foundation—medical groups and hospital systems or even countries could contribute anonymized data in return for the right to run analytics against the giant database and gain insights about population health. Another subgroup took a philanthropic approach—we all get worn down by travel and can feel disconnected on the road, but what if a group collected donations of frequent traveler points and let us feel at least a bit fulfilled by steering them to a good cause of our choice? Might travel gain a bit more of a purpose? My subgroup designed a sort of community health center. It would collect as much data as residents were willing to share electronically about their vital signs, sleep, etc., then provide dietary, exercise and medical advice electronically, bring people in via Uber or driverless car for consultations, offer social interactions for shut-ins and generally provide a low-key way of making the community healthier. (I later learned that such centers actually exist in poorer communities, under the name Federally Qualified Community Health Centers. I, of course, took them as validation of my subgroup's ability to define a real need.)

The point isn't so much the ideas—though EY said it was going to continue the conversation about some of the ideas that were developed about healthcare, smart cities and so on, perhaps even investing in some of them. The point is that we all need to find ways to shake out the cobwebs from time to time and let our minds wander to new possibilities. 

As always, when it comes to innovation in insurance, I'd steer you to our Innovator's Edge, which now tracks more than 1,000 insurtechs and helps you sift through them in ways guaranteed to stretch your thinking.  

Please also visit the ITL website for nearly 2,900 articles—including the six recent ones below—with cutting-edge thinking on how to take advantage of the huge opportunities in front of us. 

Cheers,

Paul Carroll,
Editor-in-Chief 


Paul Carroll

Paul Carroll is the editor-in-chief of Insurance Thought Leadership.

He is also co-author of A Brief History of a Perfect Future: Inventing the Future We Can Proudly Leave Our Kids by 2050 and Billion Dollar Lessons: What You Can Learn From the Most Inexcusable Business Failures of the Last 25 Years and the author of a best-seller on IBM, published in 1993.

Carroll spent 17 years at the Wall Street Journal as an editor and reporter; he was nominated twice for the Pulitzer Prize. He later was a finalist for a National Magazine Award.

Healthcare Buyers Need Clearer Choices

Over the past decade, many industries have made tremendous progress when it comes to offering consumer choice. Healthcare has not.

Over the past decade, many industries have made tremendous progress when it comes to offering consumer choice. Just look at the travel industry. Twenty years ago, it wasn’t possible to search for a flight, compare dozens of different options side-by-side and tailor your selection to match your specific needs. Shopping experiences across many categories are now offering choices -- and making those choices clear. The healthcare industry, however, is lagging behind. And when it comes to something as critical as healthcare, clear choices are imperative. Consumers who make a less-than-optimum insurance choice face higher costs, less satisfaction and poorer health when an issue that should be looked after gets ignored because it’s not covered.
These Six Factors Make Clear Choices Imperative for Health Insurance Shoppers
1. Cost
When most individuals shop for a new plan, it’s not just a matter of going with the option that comes with the lowest monthly premium. There’s always a juggling act between the monthly premium and out-of-pocket costs. If the co-pays and deductibles are too high, if there are services that individuals use that aren’t covered, the lowest-cost plan may well end up costing the consumer more. Consumers need to understand their total cost of healthcare with any given plan.
2. What’s Covered
After the basics, individuals may have a wide range of services for which they seek coverage, and every healthcare consumer will have different needs. One individual may require mental health services, another physical therapy. For yet another, it’s audiology services. Even if a certain service is covered at some level, there will likely be different limits (e.g., the number of physical therapy sessions allowed) from one plan to the next. While it’s not possible for individuals to anticipate everything that they might need in a year, consumers should be experts in their current requirements.
3. Prescription Drug Coverage
Formularies listing the prescription drugs covered under each insurance plan can be extensive. And when they’re on paper, they can be very difficult to navigate. However, consumers are quickly learning the importance of determining whether the drugs they take are covered by their health insurance plans. Given last year’s unexpected cost increases for the EpiPen, consumers are wising up. Looking through the formulary and not finding an expensive drug they need to take regularly may knock a plan out of consideration.
4. Provider Network
Whether a healthcare provider is in-network is a big deal to consumers. In fact, when it comes to choosing a physician, it may be the biggest deal. A 2015 survey of more than a thousand patients showed that 90% of consumers reported that the most important attribute of a physician is whether they accept the individual’s health insurance – more important even than the physician’s clinical experience. Consumers need to know what happens when they see a physician or other provider, or use a hospital, that’s outside of their network: The costs may be untenable. Consumers might be okay with switching from a primary care physician to someone new if they only see them once a year for a regular physical. But if they’ve developed a close relationship with their pediatrician – someone they like and trust – they’ll want to make sure that their provider is in-network.
5. Unique Elements
Consumers are taking more ownership of their own healthcare. These days, when shopping for health insurance, they are now factoring in all of the details that make them unique. For example, if their kids play sports, they’re thinking about ER visits. When they’re planning an addition to the family, they’re doing research to see if the facility where they want to have their baby is covered by their health plan. There are many unique elements that require choice. Health insurance is not a one-size-fits-all solution.
6. Overall Risk Aversion
When it comes to choosing a health insurance plan, risk aversion is really about what level of financial risk an individual is able to accept. And, in this regard, every individual is different. The lower-cost premium plan might be fine if there’s a low probability of something occurring that is not covered. But if you’re likely to be making frequent ER trips with your kids, that low-premium plan may not be so attractive. It’s up to the individual to determine how risk-averse they are.
Insurance customers are desperate for clear choices that are easy to understand. They need them because everyone is unique and living a different situation. And, given the wide range of choices that are available to consumers in so many other aspects of their lives, they expect options. Choices provide an opportunity for your customers to find the best-fitting health insurance plan. Are you offering enough choices?
Clearly presenting the information that today’s healthcare consumers require can be overwhelming. After all, carriers are experts in insurance, not in software application development and data presentation. Fortunately, in the 21st century, data is highly digestible, usable and transparent. Health insurtech companies across the nation are making sure of that. As insurance carriers and health insurtech companies work together, slowly but surely, the industry will progress, offering more clearly defined choices for today’s consumers.