A New Paradigm for Risk Management?

The focus is shifting to “opportunities” and the “potential positive effects” of risk, and only thereafter on “negative effects.”

The final draft version of the King IV Report on Corporate Governance in South Africa 2016 places a different focus on the governance and management of risk. It now states that: “The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and addressed in the organization. Risk governance should encompass both:
  • the opportunities and associated risks to be considered when developing strategy; and
  • the potential positive and negative effects of the same risk on the achievement of organizational objectives.”
The focus is now firstly on “opportunities” and the “potential positive effects” and only thereafter on “negative effects.” The major change in focus, however, is the requirement in paragraph A, where it is stated that opportunities (firstly) and risks should be considered when developing strategy. It is implied that the opportunities referred to are the opportunities brought about by the development of the organization’s strategy. These opportunities can be viewed as “stand-alone” opportunities, or opportunities that were identified without first identifying the risk. This requirement is different from the requirement in the next paragraph, where the positive and negative effects of the same risk should be dealt with.

The difference in accent is more apparent when the definition of risk contained in King IV is examined. It states that, “Risk is about the uncertainty of events; including their likelihood of occurring and their effect, both positive and negative, on the achievement of the organization’s objectives. Risk includes uncertainties with a potential positive effect on the organization (i.e. opportunities) not being captured or not materializing.”

This definition of risk clearly highlights “uncertainties with a potential positive effect.” Although all commonly used risk definitions, from COSO 2004 to ISO 31000/2009, as well as King III, referred to opportunity or the upside of risk, the concept of risk was generally viewed as something negative, or as the potential downside of a future occurrence. What exacerbated this misconception was the view that risk and opportunity were opposites. Many documents, including King II, stated that “enterprise is the undertaking of risk for reward,” implying that the greater the risk, the greater the reward. In other words, if everything went well, you had great reward, but if things went badly, you had great risk. This led to the mistaken belief that opportunity is merely the “upside of a downside risk.” This belief assumed that risk and opportunity are inextricably linked. It is now apparent that this notion is not true. It is entirely possible to reduce risk while improving returns. In fact, to survive in today’s world, it is not only possible but essential.

Traditionally, risks were classified and managed in three broad categories, namely hazard risks (so-called pure risks like fires, natural catastrophes, violent attacks, etc.); financial risks (bad debt, currency, interest rates, etc.); and operating risks (IT system failures, supplier interruptions, etc.). The opportunities attached to these risks can be described as reducing the impacts of the downsides, also known as the “silver-lining” opportunities. In other words, every dark cloud (risk) has a silver lining (opportunity) attached to it. Often the opportunities are the exact opposite of the downside risk, viewed as the two sides of the same coin. A good example may be a rise in interest rates, which may be a risk to some people, while being an opportunity to others.

However, when one looks at the King IV definition of risk it is apparent that the achievement of the organization’s objectives is the key element. The key objective of any organization can never only be the avoidance of loss or harm, but must be the optimization of its strategic objectives. This is confirmed by the adage that “a risk is not only a bad thing happening, it is also a good thing not happening.” Any future uncertainty, which can be opportunity, risk or both, can be classified into four broad categories, namely:
  • Future possible event (Stochastic Uncertainty).
    • This refers to an event that has not happened, and it may not happen at all. However, if it does, it will have an impact on the organization. Most identified risks are like this and include events like new developments, a supplier going out of business, law changes, disasters and the like.
  • Variability (Aleatoric Uncertainty).
    • Some aspect of a task or project is uncertain and may include timing uncertainties, budget variability and the like.
  • Ambiguity (Epistemic Uncertainty).
    • This uncertainty stems from lack of knowledge or understanding of a situation, condition or event. This may include matters like market conditions, competitor capability and the like.
  • Blind Spots (Ontological Uncertainty).
    • This uncertainty exists outside of normal knowledge and experience frameworks and is therefore not seen or expected – the so-called “black swans,” emergent or emerging risks and blind spots.
The traditional method of identification of opportunities as part of the risk assessment process, where the upside of a downside risk is identified, can be viewed as “passive opportunity identification.” These identified opportunities are mostly the direct opposites of the identified risks and fit in well with the view that higher reward requires higher risk – the “two different sides of the same coin” principle. It must be stressed, however, that this method of opportunity identification remains a key component of risk and opportunity management and that it remains important to have it done. Examples of these kinds of opportunities are items such as interest rate movements, exchange rate fluctuations, margin squeeze and the like. In short, it can be described as “risk including opportunity.”

King IV, on the other hand, now requires the governing bodies of organizations to ensure that “active opportunity identification” is conducted. These are the stand-alone opportunities that are not necessarily aligned with any downside risk. These would be the opportunities that the organization needs to pursue to enable it to achieve its strategic objectives. Custodians of this process would normally be the office of the CEO, the strategy director or the research and development department. The opportunity identification and assessment process would be distinctly different, and separate, from the risk assessment process that organizations are currently conducting in terms of King III. Reporting of the opportunities that are the result of the identification process would be different as well. These reports would not fit the mold of the typical risk report, with likelihood and impact indications, as these metrics are mostly irrelevant to opportunities. The target audience of the report would be different, as the information surrounding potential opportunities is by its very nature confidential and not for wider consumption.

The key aspect in the risk assessment process that needs careful consideration when conducting opportunity management is that of “appetite and tolerance.” When downside risks are considered in isolation, determining and calculating risk appetite and risk tolerance levels are foundational in the process. These levels do not only refer to financial metrics (gearing, debt levels, cash, etc.) but also to non-financial metrics (level of injuries, negative press, etc.) and are mostly absolute downside risk limits beyond which the organization is not willing or able to venture. These risk limits do not reference opportunity, and the only upside apparent in appetite and tolerance levels would be when those limits are not reached or breached. When dealing with stand-alone opportunities, the organization would determine or calculate what downside limit it is prepared or able to endure to achieve a particular opportunity.

Although the identification and management of opportunities may not be the responsibility of an organization’s risk department, the latter has a role to play and can add significant value to the process. As a result of the methodologies and techniques at its disposal, and as a result of the knowledge and experience of its personnel, the risk department may be able to assist in the process to identify opportunities, may be able to assist in the documenting and evidencing of the results of this process and may be able to assist in the monitoring of the results.

Gert Cruywagen

Gert Cruywagen is the director of risk at the Tsogo Sun Group, Africa’s largest owner and operator of hotels and casinos, with 123 hotels in Africa and the Middle East, as well as 14 casinos across South Africa.

Lemonade: From Local to Everywhere

As Lemonade gets ready to roll out across the U.S., it offers four tips for other startups on the "local vs. global" debate.

In a meticulously planned operation, we filed for a license in 47 states simultaneously. We’ll be revealing the first states in which Lemonade will become available in a couple of months. One thing’s for certain, 2017 is going to be an interesting ride! Stay up to date with news about our progress here.

Now that I got this off my chest, I can add some color to why we’re doing this.

Many tech startups go through the famous Local vs. Global debate as they start to plan a market penetration strategy. This dilemma was born with the arrival of modern internet commerce and became even more prevalent with the emergence of SaaS companies that provide global coverage right out of the box.

When you’re selling a digital product, going global may seem like small overhead. Reality is a bit different, though, and, more often than not, small startups that take a bigger bite than they can swallow get into trouble.

When feasible, startups should consider aiming their launch beams at a single city or even a town with a population that represents their typical customer.

Here’s why:

1. Know thy users, and design for them

It always amazes me how often startups overlook usability testing during the initial design phase. Having videos of random people playing with your (barely working) mockup is priceless. We learned more in a couple of days of testing than we did in months working in our office.

The cool thing is that you only need about five testers to get value out of a session like that, so there’s really no excuse for not doing it. The smaller the area you launch in, the better the chance of getting valuable data in a user testing session.

We spent hours in WeWork and Starbucks with our early stage, smoke-and-mirrors version of the Lemonade app. We would show it to people, ask for their feedback, ask them some questions and record the entire session. We would then sit in the office and analyze the videos to figure out what worked and what didn’t.

Our early Starbucks user testing sessions allowed us to launch a relatively mature product into the market and achieve faster adoption by our New York customers.

2. Budget

Product launches require spending some money. To improve the chances of success, it is recommended to fuel the organic interest generated by social noise and PR efforts with some paid channels. Got a story in TechCrunch? Bloomberg? It will probably die down quicker than you think.

A nice trick is to use content recommendation tools like Outbrain and Taboola to promote content to users who may be interested in it. Google Ads are another obvious choice. Choosing the right outlets is one thing, but there’s a huge difference in costs between a global campaign and a local one.

This becomes much more dramatic when your company requires additional resources to operate in each region, as Groupon and Uber do. Lemonade recently closed its third round of financing ($60 million in one year of operation) from top VCs such as Google Ventures, General Catalyst, Thrive, Sequoia, Aleph and XL Innovate. We’re going to use this money to drive our expansion throughout the country and activate specific markets the way we did in New York.

3. Surgical use of media coverage

Getting great media coverage takes a lot of attention and time. Whether you can afford an agency or not, you’ll have to choose your battles well. Launching in a specific city allows you to focus on the outlets that are most relevant and will simplify your pitch to journalists.

If you’re creating something exclusive for a certain region, reporters who cover that region usually have a hunger for tech stuff that is happening, or launching in their hometown before everywhere else. BTW, there’s a case for launching in unexpected places like Portland or Philadelphia, which usually don’t get much attention from the tech and consumer industry for new products. There’s a good chance that media reach (which expands far beyond just the place you’re starting from) will be much stronger.

We chose New York for Lemonade’s home. We see NY’ers as an ideal representation of our target demographic and personality. So we invested our efforts in a select few outlets that are read by our first wave of early adopters among the city’s financial workers and young professionals: NY Post, Bloomberg and Wall Street Journal.

4. Brand and messaging

Building a great brand involves a lot of consumer psychology. You spend weeks trying to figure out the best tagline, the perfect ad and the right illustrator to do your art. If you get this right, you have a real chance at grabbing your customers’ attention.

The first few months of brand activation are critical. Limiting yourself to a select region or demographic allows you to be laser-focused on framing and positioning.

Lemonade Local

Building an insurance company from scratch, in New York, one of the toughest regulatory environments in the country, is a huge undertaking. The sheer complexity and investment required to get to the starting point includes raising a lot of capital and hiring the right people to be able to get licensed by the state’s Department of Financial Services.

This is the life of a company that operates in a highly regulated industry, and it’s unlike anything I’ve ever seen in the tech space. For Daniel and me, the decision to start in one state was simple. There’s no other way. Insurance carriers have to choose a state. Just one. And then maybe, if you play nice, regulators will let you go for more.

We wanted to launch Lemonade in one state — NY, and even more so when we realized we had no choice :)

In the last three months since our New York launch, we’ve had overwhelming demand coming in from all over the country to open up for business in more states. This was very encouraging because it showed us hints of initial demand and product market fit to people and age groups that we never thought would be our early adopters.

But what surprised us most was the excitement coming from unexpected places, such as government offices and regulators. Having a favorable regulatory environment is a great opportunity to bring an honest, affordable, transparent and fun insurance experience to everyone in the U.S.!

Be the first to know how we’re making progress with our nationwide expansion.

Here’s the list of states where we will gradually launch in the coming year or so:

Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, West Virginia, Wisconsin

* States in bold represent the ones most requests to launch came from

This article originally appeared here, and you can find more about Lemonade here.


Shai Wininger

Shai Wininger is a veteran tech entrepreneur and inventor, who most recently co-founded Lemonade, a licensed insurance company powered by artificial intelligence and behavioral economics. He previously founded Fiverr.com, the world’s largest marketplace for creative and professional services.

5 Predictions for the IoT in 2017

Here are five trends to look for in 2017, as the IoT enters its adolescence, and how to benefit from them.

The IoT continued its toddler-like growth and stumbles in 2016. Here are five trends to look for in 2017 as the IoT enters its adolescence and how to benefit from them.

1. Ecosystems begin to determine winners and losers

Previously these were nice in-the-future concerns; now they will really count. Filling out a whole product value proposition through partnerships has repeatedly proven its importance across B2B and enterprise software sectors. In the IoT, they will be even more critical. As an example, the Industrial Internet Consortium (IIC) is driving the definition of platforms and test beds and should show results in 2017. In the meantime, expect some IoT companies to fail when they can’t gain traction.

If you’re developing IoT infrastructure or platforms, it’s time to get real, regarding building great partnerships, developer programs, tools, incentives and joint marketing programs. Without them, your platform may appear like an empty shopping mall. If you're a device manufacturer or application developer, it's time to place your platform bets so you can focus your resources. If you’re implementing IoT-based systems, you’ve been through this before. Welcome to the next round of the industry’s favorite game, “choose your platform.” Make sure you also evaluate vendors based on their financial health, business models and customer service — not just technology. Learn more in Monetizing IoT: Show me the Money in the section “Ecosystems as the driver of value.”

2. Vendors get serious about experimenting with business models and monetization

This was a big theme at Gemalto’s recent LicensingLive conference and was further driven home by solution partners like Aria Systems. Tech won’t sell if it’s not packaged so that buyers want to buy. Look for innovation in business models and pricing, including subscription models, pay per use, recurring revenue, subsidization or replacement of hardware device revenues with service revenues, monetizing customer data and even pay-per-API call models. If you’re marketing whole solutions, be sure to avoid the “partial solution trap” as described in my article, The Internet of Things: Challenges and Opportunities.

3. Big Data gets “cloudier” (pun intended)

No doubt there will be a lot more data with billions of new connected devices. Not just text and numbers but also images, video and voice can all add significant monetization opportunities to different participants in the value chain. More devices mean more data, more potential uses and more cooks in the kitchen. This is a complex cluster of issues: Do not expect a resolution of ownership, privacy or value in 2017. Instead, approach this by building a clear vision of what you want and don’t want with respect to data rights as you enter these discussions. And try to anticipate the genuine needs of your partners. Device manufacturers will likely have a going-in desire to own data produced by their devices; and apps developers, the data they handle; others may be okay with aggregated info. Buyers should make sure they understand what’s happening with their potentially sensitive data. We have already started to see partnerships and deals stall out over intense discussion on data ownership and rights.

4. You’ll need to prove your security, with privacy not far behind

2017 IoT systems are going to need to up their game. No one is going to stand for hacked doorlocks, video cameras or Mirai botnet/DDoS attacks via connected devices much longer. Similar events will come with very high price tags. So far, the IoT has dodged any major incidents with large losses suffered directly by end users. We could see growth flatten if a major hack of thousands of end users occurs in 2017, especially if hardware devices are ruined or people get hurt. At that point, users will need to receive greater guarantees of security, privacy and integrity. This risk needs to be mitigated if the industry wants to avoid an “IoT winter.” Vendors will need to invest more in security development and testing before deployment and offer assurances, possibly including insurance. Installers and integrators will need to ensure ecosystem integrity, and buyers will look for these guarantees. Just one flaw could be very expensive: Gartner believes that by 2018 20% of smart buildings will suffer digital vandalism through their HVAC, thermostats and even smart toilets.

5. Voice-powered, AI virtual assistants drive a next round of platform wars

Voice will become increasingly important to control IoT systems and computing infrastructure. Google Assistant, Apple Siri, Amazon Alexa, Microsoft Cortana and Samsung’s Viv Labs acquisition underscore the importance of these new AI-assisted voice interfaces. They’ll be used across multiple devices like phones, PCs, tablets, cars, home appliances and other machinery. By 2020, Gartner believes smart agents will facilitate 40% of mobile interactions. This is the beginning of a new round of platform battles that you need to recognize, internalize and prepare for.

What do you think? Email me with your predictions, comments or war stories. You can find the original article here.

Chris Kocher

Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 30 years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value.

7 Predictions for IoT Impact on Insurance

The internet is going from controlling information to controlling physical things, which has profound implications for insurance.

We are at an inflection point. The internet is going from controlling information to controlling physical things, which has profound implications for both the global economy and the future of insurance. In this post, I will provide seven predictions for how the Internet of Things (IoT) will change the insurance industry, although ultimately these predictions only scratch the surface as there are few lines of insurance that won’t be affected by cyber risk in the next five to 10 years.

Background on Internet of Things (IoT)

It is estimated that there will be as many as 200 billion everyday objects connected to the internet by 2020. Applications for the IoT are as diverse as consumer devices, manufacturing sensors, health monitoring, connected vehicles, office automation and all the way to fully "smart cities." The emergence of IoT technologies is a tremendous development that spans all aspects of human existence and could unlock as much as $11 trillion per year in value to the global economy by 2025, according to the McKinsey Global Institute.

What these numbers don’t show, however, are the tremendous physical and financial risks associated with the emergence of having everyday objects connected to the internet. According to the 2016 Symantec Internet Security Threat Report (ISTR), hundreds of millions of internet-connected TVs are vulnerable to click fraud, botnets, data theft and even ransomware, and these numbers are growing rapidly. Cyber attacks on internet-connected devices create systemic risks and the potential for hundreds of billions of dollars in losses. When physical devices can be hacked (and potentially hacked en masse), the potential for major business interruption, physical damage and even loss of life becomes very real.

This isn’t to say we should not pursue IoT technologies. In fact, in many ways, IoT will make society safer, as well as more efficient and convenient. Every year, 1.2 million people die in automobile accidents, and around 90% of those accidents are attributable to driver error, which will decline as more internet-connected vehicles incorporate advanced safety features. However, as internet-connected devices become pervasive in all aspects of our lives, the nature of risks facing consumers and businesses will be fundamentally different.

While the future is uncertain, especially as it pertains to technology, here are seven predictions on how IoT could affect insurers.

  1. Continued Growth of Affirmative Cyber Insurance Policies: According to Lloyd's of London, cyber attacks cost businesses $400 billion in losses per year, and, by some estimates, cyber crime costs the global economy trillions of dollars per year. The current cyber insurance market, which is focused on data protection, is around $2.7 billion globally. The market has doubled over the past 24 to 36 months, and growth shows no signs of abating. Growth of affirmative cyber insurance data and liability policies, primarily covering costs associated with data breaches, is just a tip of the "IoT iceberg," as cyber becomes an even more important insurable risk.
  2. Some Core Insurance Lines Will Decline: IoT will change the nature of the risks that consumers and businesses face. For example, according to AT Kearney, features such as advanced driver-assisted systems (ADAS), semi-autonomous vehicles and tracking of stolen vehicles will be deployed in half of the cars on the road by 2025. By some estimates, the global auto insurance market will shrink by 60% or more, where there is a reduction in driver error and a resulting decline in the insurance needed for this risk. As key insurable losses become preventable by IoT, core insurance lines will decline.
  3. IoT Aggregation Risk Starts Pervading a Diverse Set of Insurance Lines: IoT can turn large-scale hacks into global cyber catastrophes. Already, there have been successful hacks on industrial control systems that have led to major physical damage in heavy industries. Fortunately, these incidents have been isolated to "one-off" occurrences, but with key industrial control systems, logistics tracking systems and building automation systems crossing tens of thousands of businesses, the potential for major cross-cutting cyber events is increasing. IoT aggregation risk occurs in insurance lines where it wasn’t previously observed, accounted for or priced into the cost of an insurance policy.
  4. Cyber Peril Exclusions Grow in Commercial Policies: In the years to come, we will see highly public "forcing events" related to cyber attacks on IoT devices. Unfortunately, it is not a matter of if but when we see major IoT cyber hacks. When these events happen, insurers will likely respond by writing in more explicit exclusions for cyber perils in insurance lines such as product liability, property, E&O and other policies. In many cases, insurers are focused on the aggregation risks that exist within their affirmative cyber data and liability policies, when the reality is there is tremendous silent coverage in the rest of an insurer’s portfolio today.
  5. "Cyber Gap" Insurance Policies Emerge: There will be an expanding list of critical cyber perils that won’t be covered under a standard insurance policy. Specialty cyber insurance policies and endorsements will surface to fill in the need for IoT cyber risk coverage. McKinsey estimates that as much as $3.7 trillion in value could be unlocked in factories alone from IoT. Too much value is at stake for clients not to seek coverage from insurers, and the market demand is too large for insurers not to provide this cover, although it will take deep cyber expertise to understand these novel risks.
  6. New Cyber Risk Capital Market Offerings Emerge: Currently, the global insurance market has $4 billion to $5 billion in capacity for nuclear risks and $100 billion for natural catastrophes. Fixing the Y2K bug alone is estimated to have cost $100 billion, and the costs associated with remediating IoT security deficiencies could be very high, particularly when IoT components do not always have a means for remote firmware updates. Given that cyber events represent hundreds of billions of dollars (or more) of potential liability, which have low correlation with other events, there is a role for capital markets providers to step in to help transfer risk. Given initial explorations already happening today, London could emerge as a major market for insurance-linked securities tied back to cyber risk.
  7. Insurers Will Help Drive IoT Security: Consumers aren’t necessarily buying technology products with IoT risk in mind; regulators are struggling to keep up; and in a race to get new products to market, technology companies are often launching products without adequate cyber security in mind. Symantec’s research has shown that 19% of mobile apps used to control IoT devices don’t use SSL connections to the cloud and more than 50% didn’t provide a mechanism for firmware updates, or, if they did, those updates were not encrypted. Given that insurers are taking on the financial risk associated with IoT going wrong, insurers have an important role to play in making sure that the basics are done right for the risks they underwrite.

The emergence of IoT is a tremendous technological development that will create wide-ranging benefits for governments, businesses and consumers. However, it will also propel cyber risk into the limelight as the most important risk of the 21st Century.

As an industry that transfers and mutualizes risk, insurers face far-reaching implications, and there will be both winners and losers. Those that win will have a deep understanding of the evolving nature of cyber risk, leveraging cyber data, intelligence and expertise. Companies like Symantec will have an important role to play in helping to understand evolving threats, which is why we have set up a dedicated Cyber Insurance Group to support our insurer partners.

It is hard to predict the future of technology and the risks that new technology will create with any degree of certainty. What is certain is that where there is risk, there is an opportunity for insurers to provide risk-transfer solutions through insurance products. Just as there is innovation in technology, there will be innovation in insurance as both industries come together to unlock the potential of the Internet of Things.


Pascal Millaire

Pascal Millaire is the CEO of CyberCube, a Symantec Ventures company dedicated to providing data-driven cyber underwriting and aggregation management analytics to the global insurance industry.

How to Face Rising Compliance Risk?

Along with more sophisticated technology come increasing compliance risks related to privacy, cyber risk and the use of digital channels.

As digital capabilities expand, so do compliance risks—especially those related to privacy and cyber risk. Enhanced analytics and visualization tools are providing insurers with new and better ways to identify, manage and report risks. But along with the availability of more sophisticated technology come increasing compliance risks related to privacy, cyber risk and the use of digital channels.
At a time when the compliance function must manage risk with constrained resources, it must demonstrate and provide value to the organization—and insurers must support compliance’s seat at the table.
For our Accenture 2016 Compliance Risk Study, we surveyed more than 150 compliance officers at financial institutions across the Americas, Europe and Asia-Pacific. Of concern is that many respondents reported that their data and technology architecture does not meet their needs for managing the increasing compliance risks.
Other issues facing compliance officers include:
  • Slowing investments in compliance.
  • Shifts in reporting lines to executives.
There are difficult choices in how to make the best use of resources. In this Insurance Insight of the Week video, I outline what compliance officers see as being their top priorities over the next 12 months to three years. As the pace of change continues to intensify, insurers and their compliance functions must identify a path forward that enables them to meet emerging risks and changing stakeholder expectations, and successfully measure their progress along the journey. For the other videos in this four-part series, visit the Accenture Insurance Blog.

Michael Costonis

Michael Costonis is Accenture’s global insurance lead. He manages the insurance practice across P&C and life, helping clients chart a course through digital disruption and capitalize on the opportunities of a rapidly changing marketplace.

Insurance Meets Hollywood!

Ideas from TV and film have made it off the screen and into real life. Insurers should take note.

I love movies; usually really bad ones, I'm told! While watching movies, I often find myself thinking about insurance. Over the years, I have noticed how things from TV and film have made it off the silver screen and into real life. This has a very real impact and relation to insurance. Let me give you some examples:
  • Minority Report (2002): For many, this is one great movie that showed off lots of very cool technology and futuristic concepts, including the idea of "Pre-Crime" (preventing something before it happens). The movie also features retina recognition, where, as you walk past shops, computer systems recognize you and serve up fully personalized content. This is a great example of mass personalization. Could this lead to risk personalization and prevention-based insurance?
  • Judge Dredd (1995):  This movie features cryogenics. It is not quite insurtech, but I recall a recent article on a teenager who was granted permission to be frozen so he could be cured in years to come. Does this bring a whole new category of health insurance?
  • Die Hard 4.0 (2007): We see the "Fire Sale," where hackers take over the entire country – from power stations to water supply to traffic lights. It is the mother of all cyber attacks. Maybe something like this isn't impossible?
  • IT (2016): The movie features connected home, connected car and hacking. While this is a terrible movie (even with Pierce Brosnan), it does highlight that the connected home is wildly open to cyber attacks. And, with the recent increase in the numbers of these offerings, what does this mean for homeowners? Could this lead to personal cyber policies?
  • Knight Rider (1982): This is where it all started for me as a kid. I loved seeing the ability to talk to your watch and self-driving cars in action. Could this be the future of technology and cars?
There is definitely a theme with these movies, specifically about cyber technology, autonomous cars and connected homes. Maybe it's just the movies I watch, but I think these movies could signal a trend for the future. So, is this our warning shot? The next time you settle down to watch a movie, think what impact it may have on the future of insurance. Add your movie examples in the comments below! I'll keep adding mine. Look forward to seeing them!

Nigel Walsh

Nigel Walsh is a partner at Deloitte and host of the InsurTech Insider podcast. He is on a mission to make insurance lovable.

He spends his days:

Supporting startups. Creating communities. Building MGAs. Scouting new startups. Writing papers. Creating partnerships. Understanding the future of insurance. Deploying robots. Co-hosting podcasts. Creating propositions. Connecting people. Supporting projects in London, New York and Dublin. Building a global team.

3 Things SMEs Can Teach Big Firms

Risk managers, take note: Small firms know that, unless an activity directly contributes to achieving objectives, it's not going to be done.

I was very fortunate to host a roundtable during the FERMA risk seminar in Malta. I am very thankful for the opportunity, because the experience of brainstorming for 45 minutes with the representatives from various small and medium enterprises (SMEs) really highlighted some major problems with modern-day risk management and risk managers. Here are three things that I think all of us could learn from managing risk at SMEs:

SMEs simply can't afford to waste time or other resources on an activity that does not generate direct value

For SMEs, time is pressure, management teams are small, margins are limited and, as a result, management is very pragmatic about any new, sexy activities and initiatives. Risk management is no different. It has been around for years, yet few SMEs have properly adopted it. Something's not right... So can risk management make companies money? Of course it can. Do modern-day risk managers in non-financial companies in fact make money for their companies? Very few. Most of the modern-day approaches used by risk managers are so academic and superficial that management has a tough job buying it. Here is a short video on showing value from risk management, and it's not what most risk managers are doing.

I think it's about time we had an honest look at some of the activities risk managers do:
  • Do risk assessments really change the way business processes work, change the manufacturing process and change the way products are sold?
  • Do risk managers bring something of value to the table when any important business decision is made?
  • Do risk assessments change the way executives make decisions, and is risk analysis available on time to support every significant decision?
  • Are risk registers looked at by the CEO before making an important decision?
  • Do risk owners check their risk mitigation actions regularly?
  • Do risk appetite statements in non-financial companies change the way the company operates and the way decisions are made?
  • Do employees regularly read risk management framework documents?
  • Do managers call the risk manager before making a decision when faced with uncertainty?
I suspect the answer to most of those questions is “not quite.” This could mean one of two things: Either the risk manager is not doing his job properly, or he is properly doing his completely wrong. My bet is on the second option. There is simply a better way than risk profiles, risk registers, risk frameworks, risk owners — and so on. Here is a short video about what the future holds for risk management.

SMEs don't do risk management to mitigate risks; they do it to make better decisions

This I found bizarre: We seem to have created a myth that risk management is about managing risks. Not so. Risk management is not an objective in itself. It's just another management tool to help make better decisions and achieve objectives. This realization is a big difference between SMEs and large corporations. SMEs do risk analysis when a decision needs to be made, using whatever risk analysis methodology is appropriate for that particular type of decision. Large corporations do risk management when it's time to do risk management, be it annually, quarterly or some other regular interval. Nothing could be further from the truth. Unless your methodologies, approaches and tools allow risks to be analyzed at any moment during the day — when an important decision is being made or at every milestone within the core business processes — you are probably doing something wrong.

If there is one thing I learned over the years it is that no one in the company, and I mean NO ONE, expects the risk manager to care about risks. Well, maybe some about-to-retire audit committee member would, but most executives wouldn't have the courage to deal with the real risks if you showed the risks to them. The rest of the company cares about making money, meeting objectives with the least amount of effort and getting nice bonuses as a result. You can assign risk ownership to top executives as much as you like — no one cares.
SMEs learned the hard way that unless an activity directly contributes to achieving objectives, it's not going to be done. Risk management is no different. I find it ridiculous when risk managers talk about high risks and the need to mitigate them when, instead, they could be saying things like, “the probability of meeting this objective is 10% — unless we change things,” “there is an 85% chance your business unit will not get bonuses this year based on our risk analysis” and so on.

Anyone can be a risk manager, but it's not natural

Despite what we within the risk management community have been telling each other for years, managers are not really managing risks every day. Thinking about risks is not natural for humans. The way System 1 and System 2 thinking operate in our brain makes it literally impossible to see most of the risks associated with making decisions, let alone analyze them or manage them. Since the 1970s, many scientists, including two Nobel Prize winners (Kahneman and Tversky), have discovered more than 200 cognitive biases that prevent managers from seeing, understanding and dealing with risks.

This basically means risk surveys, most risk workshops and any kind of qualitative risk assessments are very unlikely to produce truthful results. But then what should risk managers use? There are plenty of alternatives, much better alternatives.

So how was the rest of the FERMA seminar? My feedback to the organizers stays the same as my last post on the FERMA forum in Venice last year. In short, it's impossible to grow if the people you talk to at conferences are people just like you: risk and insurance professionals. Someone needs to play the devil's advocate. It would be good to hear from a CFO who says he doesn't care about any of the work risk managers do and budgets based on his own methodology with no input from the risk manager.
But, then again, Europe is probably way too politically correct for that :)

Alexei Sidorenko

Alex Sidorenko has more than 13 years of strategic, innovation, risk and performance management experience across Australia, Russia, Poland and Kazakhstan. In 2014, he was named the risk manager of the year by the Russian Risk Management Association.

5 Breakthrough Healthcare Startups

Finalists at this year's HITLAB Innovators Summit and World Cup include one that can map veins below the surface of the skin.

The 2016 HITLAB Innovators Summit and World Cup was held once again at Columbia University in New York. There were 74 technology companies that entered the competition, and five finalists were selected. All of these startups that entered the competition and others that help sponsor this annual event have the potential to help improve the way healthcare is delivered now and in the future through innovative technologies.

Near Infrared Imaging (NII), based in Wrentham, MA, has developed a technology for the enhanced visualization of veins. This technology, called the Vein-Eye, is a hands-free, non-invasive hospital cart that provides real-time imaging of the veins below the surface of the skin. Michael Feeney, president of Near Infrared Imaging, said, “Vein punctures can be very painful, especially for difficult patients who may be obese, very young, very old and/or have dark skin.” Multiple attempts to puncture a vein result in a very negative experience for both the patient and the provider. The first specific successful application of the Vein-Eye is varicose vein treatment. The Vein-Eye is also targeting patients receiving dialysis, patients with severe burns, patients with Thalassemia Major Disorder and patients undergoing FLAP surgery, which is a technique involving lifting a tissue from a donor site to a recipient site. Roughly 25% of all patients, regardless of healthcare setting or illness, have delayed care due to the inability of a healthcare provider to establish an IV access to the patient’s vein. NII is also working to develop a patented technology that will detect real-time bleeding in the brain at the scene of the injury.

MedLogiq, based in Hazlet, NJ, is bringing technology originally developed and used by the automotive and aviation industries to testing and monitoring product quality and performance in the medical device marketplace.
This proven technology comes at a time of increased concerns about product defects in a wide range of medical devices, resulting in serious injuries to patients and massive product liability lawsuits. The FDA has expressed serious concerns with these adverse events and has significantly increased actions against medical device manufacturers.

Bill Acevedo, the CEO of MedLogiq, said: “Our solution provides value from proof of concept through end of life for medical device manufacturers and any other stakeholder.” Acevedo went on to say: “Medical device manufacturers don’t know what they don’t know.” There are many key questions that need to be asked and independently verified about medical devices. Is there a design defect? Was it built correctly? Is there a potential for patient harm or product liability? What data points are needed for continued monitoring of quality outcomes? Jim Zerka, CFO, said: “Our main objective is to improve patient care and outcomes by reducing adverse events.” Acevedo closed his presentation by stating that this quality control technology was used by Ford to ensure manufacturing quality of every car coming off their assembly lines worldwide.

MedLogiq, along with their technology partner MAHLE Test Systems, has been granted access to the intellectual property for the generic infusion pump (GIP) from the PRECISE Center at the University of Pennsylvania to integrate their solution as the “maintenance processor” to accurately measure and report device performance. The GIP was built by the PRECISE Center to the FDA specifications to enhance safety monitoring, performance testing and event data recording capabilities for infusion pumps designed to administer fluids and medications to patients in a precise manner.

Green Sun Medical, based in Fort Collins, CO, is revolutionizing the treatment of adolescent idiopathic scoliosis (AIS).
AIS is a condition resulting from a curvature and rotational deformity of the spine. This condition develops in 3% of children under the age of 16. This results in the incorrect rotation of the spine and creates a prominent rib hump in these children. Most patients are diagnosed because of this rib hump, and when it progresses past 30 degrees they are prescribed a traditional brace. Current braces involve a 40-year-old technology, which is a rigid brace that the child must wear as much as 23 hours a day. Needless to say, these traditional braces are terribly uncomfortable and can create pressure sores, also known as bedsores or pressure ulcers, that can result in severe infections and must be worn until the child becomes skeletally mature. If the condition progresses past 50 degrees, surgical intervention is required, with the average cost exceeding $150,000. In addition, surgical intervention results in a 50% complication rate over the patients' lifetimes. This new solution is transforming spinal bracing technology and treatment options for spinal deformities through the use of a comfortable dynamic brace with built-in sensors linked to an iPad that provides physicians and family members comprehensive brace pressure information and compliance data in real time through a “report card.” This report card allows for corrections and adjustments to the brace. This technology will prevent children from the pain and suffering of antiquated braces and prevent needless surgeries. In addition, Green Sun Medical has created a new dynamic brace to help both adults and children with Kyphosis. Kyphosis is a forward rounding of the back and can result in a much exaggerated and very painful rounding. This can occur to anyone at any age but is most common in elderly women. Green Sun Medical won the award at the Wilson Sonsini Goodrich & Rosati Medical Device Conference in June 2016 as the #1 new medical device in the U.S. 

EarID, based in Cambridge, MA, screens and diagnoses ear infections with higher sensitivity and specificity than existing clinical methods by using new 3D imaging and data analytics on a cloud-based platform. EarID assists in ear infections monitoring and management by minimizing unnecessary antibiotic prescriptions and time lost from work by parents and from school by children. Ear infections are the #3 reason for absence from school by children and most likely cause a parent to also miss work.

Anshuman Das, a post-doctoral associate at the MIT Media Lab and MIT Tata Center for Technology+ Design, noted that the primary screening tools for ear infections have not changed since the 1800s, and his research has found that accurate diagnosis of ear infections is not currently met in pediatric care. The current diagnosis of ear infections relies on visual inspection of the eardrum, which is performed by a device called the otoscope, which gives very little quantitative information about the actual health of the ear. EarID overcomes these challenges by integrating the conventional otoscope with a structured illumination system that greatly enhances optical and anatomical information about a patient's ear drum. In addition, the technology with enhanced diagnostic capabilities helps address the overprescribing of antibiotics, which is a well-known public health crisis. (https://tatacenter.mit.edu/portfolio/earid-smart-ear-imaging/)

UE LifeSciences, based in Philadelphia, PA, is on a mission to make effective breast cancer screening accessible in the developing world and was the winner of the 2016 World Cup. Matthew Campisi, CTO and co-founder, noted that 50% of the breast cancer diagnosed today is in the developing world, with 70% in the Pacific Rim/Southeast Asia, where two-thirds of cases are first diagnosed in stage 3.
The company's technology is currently being used in India, where the death rate from breast cancer is twice that of the U.S. This technology provides a battery-powered handheld wireless device that can store and send data and is accessible anywhere in the world. It is painless and radiation-free and allows for early detection of breast cancer. UE Life Sciences' first product, NoTouch BreastScan, is an FDA-cleared device and in a recent clinical trial detected early stage breast cancer with 87% accuracy. The second product, iBreastExam, is a handheld breast scanner that uses a smart phone as its monitor. The development of this technology was funded by the PA Department of Health to address the fact that 90% of the developing world and millions of women do not have access to breast cancer early detection.

Exhibitors at the HITLAB Summit included several other healthcare technology companies such as AdhereTech, based in New York, which has invented a smart wireless pill bottle. AdhereTech was the winner of the first HITLAB World Cup in 2013. Its “smart” pill bottles are being used by patients in pharmaceutical and research engagements and can collect and send data in real time. This system automatically analyzes information, and, if the patient misses a required dose, he receives customized alerts and targeted interventions by cell phone, text messages, etc. This amazing technology requires zero patient setup and recharges just like a cell phone and lasts as long as 5 years. Josh Stein, the CEO, told me the entire purpose is “to see that patients are taking the correct medication at the right time. This is particularly critical for patients diagnosed with cancer.” (www.adheretech.com)

Citus Health, also based in New York, has created a solution named “Call Bell” to help revolutionize how home infusion companies connect with patients.
Melissa Kozak, CEO, told me she invented this technology after spending seven years as an on-call nurse for a home infusion company “to help keep my patients out of the hospital.” Kozak experienced firsthand how home infusion patients often needlessly face tremendous anxiety along with many potential adverse events such as delays in receiving antibiotics, chemotherapy, nutrition etc. when patients’ home infusion care process breaks down. The current system typically involves after-hours call centers that are inefficient and typically provide an answering service, not a certified nursing expert. Call Bell allows patients to get answers quickly in real time to address IV support questions and troubleshooting along with answers to questions like, when will my nurse arrive, or when is my next delivery? In addition, this technology provides home infusion companies with accurate patient home infusion supply counts with vastly improved patient support and communications. Call Bell was designed to address the Holy Grail of healthcare, better patient care and better outcomes at a reduced cost.

It was a real pleasure once again to meet so many amazing people developing state-of-the-art solutions for an array of global public health issues through new technology. I wish them all continued success and look forward to the 2017 HITLAB Innovators Summit, Nov. 28-30, 2017, held once again at Columbia University.

Daniel Miller

Dan Miller is president of Daniel R. Miller, MPH Consulting. He specializes in healthcare-cost containment, absence-management best practices (STD, LTD, FMLA and workers' comp), integrated disability management and workers’ compensation managed care.

You Must Break Free of Your Culture

If you can't break the stranglehold of your culture, your future will be lost in a world of transformational change.

By my definition, culture is the house rules. An edgier definition comes from David Balestracci: “Quite simply, culture is created by what is tolerated…. Your current processes are perfectly designed to get the results they are already getting.” In any case, culture is the most powerful force in your organization. It can bring greatness, or cause your failure as you move away from yesterday, through today, to tomorrow. As more and more organizations need to move to the transformational change that is tomorrow, their culture (if it is an addiction to the status quo) becomes the greatest challenge they face.

I’ve been speaking on this subject for many years. Slowly but surely, I’m moving from theory to reality. Early on in my consulting career, I’d proudly state, “we’re going to change the culture.” After having my rear end handed to me after each unsuccessful attempt at cultural change, I retreated to a more realistic but no more possible approach, suggesting that to “change the culture” you must “change the people (educate, rehab, motivate, etc. each individual) or change the people (start anew – with new folks).”

In late 2015 and early 2016, I enjoyed an aha moment. Working to rehab a very troubled organization (its culture), filled with good and talented people who had become divided and moved to their lowest common denominator, I realized the best hope was to agree on a purpose (why), shared values and a unifying vision. With this as the starting point, progress continued as each team member individually committed to grow her skills (abilities) and as all members of the group chose collaboration (improved communication/relationships) on common goals and tasks.

In the April 2016 edition of the Harvard Business Review, the cover story reinforced my theory by stating, “You can’t fix culture, just focus on your business and the rest will follow.” I now say, “Amen! Vindication!” (HBR will never quote me, but I am delighted to be able to quote them.)

In 2012, a graphic artist created a cultural continuum slide that I could use to demonstrate the evolution of organizational culture. The slide was formatted on Maslow’s Hierarchy of Needs Pyramid. From the base of the pyramid, the five levels (steps) are: physiological (survival) needs, safety (security) needs, belonging (acceptance) needs, esteem (achievement) needs and, finally, at the pinnacle of the pyramid, self (actualization) fulfillment need. To facilitate the “story of culture,” I chose an individual or couple who best personified each step on the pyramid. I also added one action word that supported the culture created by the personality styles of the individuals or culture. What follows is the rest of the story:
  1. Survival – Fred Flintstone – React. Fred was a simple leader right for a simple time. His goal was survival for himself and his family. Planning wasn’t important. Being able to react was. When he came face to face with a sabertooth tiger, his ability to react was all important. His family followed his lead.
  2. Security – Jim Anderson, an insurance agent (played by Robert Young on Father Knows Best) – Do. Jim was the personification of the OWG (old white guy in charge) in the post-WWII business place and community. The Greatest Generation fought for our security and came home to work hard to create the economic security we all so desired. If you worked for Jim and did as you were told, you would be secure (taken care of). You could work 40 years and get a gold watch.
  3. Acceptance – Archie Bunker – Think. Remember, this show came at the beginning of the social revolution where baby boomers fought the status quo -- as a group and as individuals. Remember the Vietnam war protests, Woodstock, civil rights, demands for both race and gender equality, assassinations (MLK, JFK, RFK, etc.) and the chants of “Hell no, we won’t go!” and “If it feels good do it.” Archie in the stereotype was the next generation of Jim Anderson. He wanted to be the “boss” (to think for his family). Unfortunately for Archie, his followers changed. Dingbat, Meathead and Little Girl were not compliant (they wanted to think on their own). Archie’s clan demanded freedom at the risk of security. Archie’s frustration and anger (I believe) resulted from the fact that he did not enjoy the resources nor respect that was given to Jim Anderson.
  4. Achievement -- Cliff and Clair Huxtable -- Create. This was the feel-good story post the social revolution of Archie’s day. Cliff and Clair represented the hope and change of a more diverse world. Their drive was to ensure their children had every opportunity to be all that they could be regardless of place, color or gender. They were the hope that remains on the horizon of our country and world. They were creating a new social order: new culture, new possibilities. Creativity provides much greater possibilities than does discipline/compliance. A hundred years from now, people will know that Bill Gates understood technology and created computer operating systems that made him and Melinda Gates the richest and most generous people in the world.
  5. Self-Fulfillment – Jane and George Jetson – Imagine. George and Jane lived in a future that we are only now starting to imagine, hoping that what their life was can be real. George and Jane, their daughter Judy, son Elroy, Rosie (their robot maid) and Astro their dog lived large in the universe they occupied. Theirs was a “futuristic utopia.” George worked two days a week about one hour a day. Travel and technology were their world. If it could be imagined, it could be done. Understand that in a century people will reminisce about Steve Jobs, who imagined the possibilities in technology and artificial intelligence and forever changed the world!
Know that your organizational culture can be the most powerful force available to you in the competitive marketplace and the world as it is going to be. If you can leverage your culture for good and change, you will enjoy great success. If you are unable to break the stranglehold that some organizational cultures exercise over their own status quo, your future will be lost in a world of transformational change.

The lesson, in my opinion, to be learned here – is that your culture is defined by its performance and its people. Be certain that both are the best that they can be. As a leader, one of your most important responsibilities is to keep toxins out of the environment in which you live and operate. Don’t ignore reality just because things are going well. Culture can make you or break you! Keep your finger on your organization’s pulse! When something doesn’t look or “feel right” discover the truth. Address problems. Don’t ignore the painful. Your brand and your culture can be your most valuable assets.

Mike Manes

Mike Manes was branded by Jack Burke as a “Cajun Philosopher.” He self-defines as a storyteller – “a guy with some brain tissue and much more scar tissue.” His organizational and life mantra is Carpe Mañana.

Hackers Turn HTTPS to Their Advantage

Technology that companies have spent billions to install is being subverted by cyber criminals’ use of HTTPS to hide their malware.

Encryption is a two-edged sword. Over the past few years, the tech sector—led by Google, Facebook and Twitter—has implemented a form of encryption to help secure virtually all of our online searches, social media banter and mobile apps. When you search for something or use social media online, a robust form of encryption protects your data from being intercepted. It is called HTTPS, for Hypertext Transfer Protocol, with an "S" added to indicate security.

HTTPS has been used since 1994, primarily to protect online financial transactions. But now the tech giants are highly motivated to keep consumers’ trust level high in the murky internet. So they are leading the charge to spread HTTPS usage far and wide. And, generally speaking, that’s a very good thing. Many government, healthcare and media websites have now jumped on the HTTPS bandwagon, in no small part due to the post-Edward Snowden-era demand for privacy. There’s still a long way to go. But even wider business use of HTTPS to protect sensitive data is inevitable.

But here is where the sword cuts the other way: Hackers have discovered that HTTPS is a perfect mechanism for helping them dodge detection. A recent report from A10 Networks and the Ponemon Institute shows that perhaps as many as half of the cyber attacks aimed at businesses in the past 12 months used malware hidden in encrypted traffic.

Backdoor for criminals

Because firewalls, antimalware suites and intrusion detection systems have not been tuned to this trick, the effect is that criminals are using HTTPS to subvert powerful technology that has taken decades for the good guys to disperse widely. Most advanced sandboxing technologies and behavior analytics tools are not currently configured to detect and neutralize HTTPS-cloaked malicious traffic. Thus, technology that companies have spent billions to install is being subverted by cyber criminals’ use of HTTPS.
“Sadly, enterprise spending on sexy security systems is completely ineffective to detect this kind of malicious activity,” says Kevin Bocek, security strategist at Venafi, a supplier of encryption-related technologies. “A cyber criminal using encrypted traffic is given a free pass by a wide range of sophisticated, state-of-the-art security controls.”

The A10/Ponemon report outlines how criminals are using HTTPS to go undetected as they carry out phishing and ransomware campaigns, take control of network servers and exfiltrate data. Of the more than 1,000 IT and IT security practitioners surveyed, some 80 percent acknowledged that their organizations had sustained a cyber attack in the past year, and nearly half said their attackers had used encryption to evade detection.

Reading the contents of web traffic

The good news is that there is technology already on the market that can look one level deeper into network traffic to spot malicious, or suspicious, HTTPS content. The technique is called HTTPS deep-packet inspection.

“This is relatively new technology that has been out for about four or five years now,” says Corey Nachreiner, chief technology officer at WatchGuard Technologies. “There are many organizations that don’t have this HTTPS inspection capability yet, so they’re missing around half the attacks out there.”

This is just one more example of why businesses of all sizes need to stay abreast of how cyber criminals innovate to stay one step ahead.

Businesses must set up defense

Small and midsize businesses should begin looking into adding HTTPS protection. This can be done directly on premises or via a managed security services provider. For SMBs, there are many credible security vendors out there worthy of review. But you have to commit to doing the due diligence.

Large enterprises face a bigger challenge. HTTPS uses Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) to encrypt traffic.
This revolves around the issuing and managing of encryption keys and digital certificates at a scale that can stir confusion in big companies.

“The challenge of gaining a comprehensive picture of how encryption is being used across the enterprise and then gathering the keys and certificates that turn on HTTPS is daunting for even the most sophisticated organizations,” Venafi’s Bocek says. “Insufficient resources and automated controls are creating a nearly insane situation.”

Again, the good news is that technology to efficiently address this emerging exposure is available. First comes awareness of the problem, followed by continual due diligence by company decision-makers to defend their organization’s digital assets.

Byron Acohido

Byron Acohido is a business journalist who has been writing about cybersecurity and privacy since 2004, and currently blogs at LastWatchdog.com.