Warning: this article may upset some conservative risk managers

Risk management in modern non-financial companies is very different compared to say 5 years ago. The level of risk management maturity, for lack of a better word, has grown significantly. As more and more companies across the globe are looking to implement robust risk management, the demand for risk management consultants is also growing. Unfortunately, not all risk consultants are able to generate long term value for their clients. Here are three reasons why: A. Selling the wrong product  Non-financial companies want to buy and many risk consultants continue to sell risk assessments, risk management frameworks, risk appetite statements and risk profiles. What do all these products have in common? I am being intentionally provocative here, so I will say all these products are missing the point completely. One thing they have in common is that they are designed to measure, capture or document risks, making us all believe that risks and their mitigation are the ultimate goals of the exercise.  Over the years, this tendency to treat risk management as a separate, standalone (some go as far as say independent) process with its own inputs (data, interviews, experts) and outputs (risk reports, risk matrices, risk registers) created a whole community of risk consultants who seem to be missing the plot completely. Risk management is not really about dealing with risks. Risk management is about helping companies achieve their objectives and make better decisions. See also: Risk Management: Off the Rails?   OK, sometimes it may be useful to capture risks for the sake of risks and discuss them with the management team, but this should be more of an exception than a norm. So if risk management is not about risk assessments or risks, then what is it about?

I believe that risk management is ultimately about changing how companies make decisions and operate with risks in mind.

The two modern trends in risk management by far are: integration into business processes / decision making and human and cultural factors. Yet, it seems most of the modern risk consultants completely ignore both of them. For example:

• It is fundamentally wrong measuring risk level when instead you could measure the impact risks have on key objectives or business decisions using budget@risk, schedule@risk, profit@risk or KPI@risk.
• I believe any qualitative risk analysis based on expert opinions is evil. More on this here.
• It is wrong to have a risk management framework document when instead you can integrate risk management principles and procedures into operational policies and procedures, like budgeting, planning, procurement and so on. I bet this example upset quite a few of you.
• It is a mistake to try and use a single enterprise-wide approach (sometimes referred to as ERM) to measure different risks. Different risks, different types of decisions and different business processes deserve unique risk methodologies, risk criteria and risk analysis tools.

Join the discussion in the G31000 group dedicated to ISO31000:2009 to find out more about the latest trends in risk management. As strange as it may sound, many risk consultants still have not read the ISO31000:2009 or are unaware of the changes happening to the most popular risk management standard in the world (officially translated and adopted in 65+ countries in the world and is currently being updated by 200+ experts from around the world).

The reality is that most risk management consultants sell completely wrong products. Management doesn't care about risks – they care about making decisions that will hold in court, making money and meeting KPIs. No wonder why modern risk management is mainly lip service.

The funny thing is that corporate risk managers make exactly the same mistakes. They too need to show value from risk management and fail to do so by focusing on risks (their domain) instead of business processes or decisions (business domain). B. Confusing risk management with compliance  Did you know that unlike many other ISO standards, the ISO31000:2009 is not intended for the purpose of certification? This was a conscious decision made by the people working on the standard at the time. It is a guidance document. Risk management is not just black and white. For example, risk management is about integrating decision making and business processes, but every organization will find its unique way of doing so. Many consultants make a huge mistake on insisting on a single version of the truth. Non-financial regulators or government agencies make even bigger mistake by taking guidelines and making them compulsory. Like COSO:ERM in the US, a bad document made obligatory for listed companies. Read more about the new COSO:ERM:

By far the best way to assess risk management effectiveness is by applying a risk management maturity model. Just keep in mind that most existing maturity models were created by consultants who miss the big picture, see point A.

See also: Risk Management, in Plain English   C. Failing to see the intimate details  One of my good friends, Anna Korbut, a few years ago said an interesting thing: "Risk management is a very intimate affair." I liked this phrase, so I have used it ever since. Risk management truly is intimate and unique. I have been working in risk management for over 13 years in 4 different countries, and I have seen close to 300 risk management implementations. Yet, every single one was unique in some way. Unfortunately, many consultants fail to dig deep enough to see how risk management is really implemented into organizational processes and into the overall culture of the organization. Risk management goes against human nature (see research by D.Kahnemann and A.Tversky), so most of the time risk managers use techniques that border line neuro-linguistic programming or building an internal intelligence network. Here are just two examples:

• I personally created a table tennis tournament in the company where I used to work to get an opportunity to meet all business units in informal settings and build rapport. This had a bigger positive impact than monthly executive risk committee meetings where all the same department heads were present.
• A colleague of mine created the whole operational planning procedure within the company to reinforce the need to discuss risks on a daily basis.

See also: Key Misunderstanding on Risk Management   The key takeaway is: unless specifically asked, most risk managers will never disclose how they really build risk management culture within the organization or how they integrate risk analysis into the business. According to ISO31000:2009, risk management is coordinated activities to direct and control an organization with regard to risk. It consists of about 1000 small things that risk managers do on a daily basis, most of which may not directly relate to risk. Yet it is those small things that build risk management culture within the organization. Unfortunately, most risk consultants are quick to jump to conclusions and do not bother to dig deep enough to see all the nuances.

Risk management in every company is unique. It is risk consultant's job to figure out how it all comes together to build better risk-based organization.

P.S. Remember, that if your consultant is showing signs of any of the above, it's time to have an honest chat with him/her.

This is part 5 of a 5-part series. Part 1 can be found here. Part 2 can be found here. Part 3 can be found here. Part 4 can be found here. A Thirst for Reality Today’s Insurance Renaissance shares one very clear trait with the Renaissance of the 1400s — in both cultures we find the thirst for reality.  If you look at the paintings of Jan Van Eyck or the sculptures of Donatello, you see a cultural wave influenced by the desire to see and know reality and portray it. Leonardo Da Vinci wrote about the change. When he described the art of Giotto di Bondone, his predecessor, he said, “Giotto appeared, and drew what he saw.” That was the beginning of a shift toward “real” pictures of people painted in the right perspectives, colors and tones. The insurance industry has always understood this craving for reality. In order to know and understand, they must first see clearly. The concept hasn’t changed much, but the tools and dimensions of perception have certainly changed.  We hone our tools (software and hardware), find the right paints (data streams, sensors, evidence providers) and practice at producing the correct colors and tones (analytics, product development, marketing messages). But the questions of reality and where an insurer fits into the current market are complex. When it comes to prioritizing, it seems that the “thirstiest” areas hold the most promise for technology’s answers. You could make a long list of how our organizations are now thirsty, but here are a few examples.

• We need new products that meet new market needs and customer expectations
• We want data to uncover new risk areas and improve risk selection
• We want predictions of customer trends to build appropriate channels and products
• We need to become digitally enabled
• We need to transform claims management … and eliminate or reduce claims proactively with customers
• We need to grow analytic capability to well beyond operational effectiveness

See also: How to Turn ‘Inno-va-SHUN’ Into Innovation   So how will insurers, as a part of the Insurance Renaissance, capture reality and put it to good use?  Let’s look at six areas in particular. New Products – Meeting an Unfolding New Market With the emergence of new technologies, new demographics and the falling of industry boundaries, we are seeing the growing demand for new, innovative and (in many cases) personalized insurance products than ever before. These range from products focused on the “on demand” economy, to new risks such as cyber and new needs for the sharing economy. All of these are unleashing a demand for innovation, simplification, and in some cases unbundling of the insurance risk to meet very different demands and expectations. Insurers need to capitalize on these opportunities to seize new markets and gain competitive advantage to drive revenue and profitability. Risk Selection — From Answers to Eyes The Internet of Things (IoT) from the connected car to the connected home, wearables for healthy living and more has given eyes to risk. For years, a commercial insurer would have to rely upon answers to questionnaires, claims experience and all of the numbers associated with insuring a business risk. Now sensors, drones, cameras and satellites are capturing not just real data, but real images. All of these efforts represent greater control and decision capabilities for insurers whose systems are prepared to use them. Customer Profiles — Getting to Know Them Who are we insuring? For centuries, insurers never truly know their insureds. Now, they can, leveraging real-time feedback on their day-to-day living, driving, exercise and travel. Technology has advanced far enough that artificial intelligence (AI) and demographic profiling can potentially recognize risk patterns that policyholders don’t recognize themselves. The additional consumer knowledge will contribute to additional, valid, automated decisions, streamlining the process. Automated decisions will contribute to flipping the insurance model upside down and beginning to focus heavily upon prevention. See also: Data Science: Methods Matter   Digital Readiness — Bringing the Pictures Home Insurers are now beginning to rely upon the tools that consumers wear, the devices they carry with them and their desire to do business where they are, at times that are convenient for them. Consider this: The consumer is actually the one paying for the equipment that the insurer is using to foster the relationship AND track lifestyle. Every digital interaction between the insurer and the consumer is a teachable moment for the insurer — but only if the insurer is digitally prepared and developing an omni-channel presence. So, if the insurer will simply “go half way” and provide the back-end platform, the consumer will provide the front-end communication devices, the telematic sensors and the location data. To bring this back to our analogy, it is the insurer prepping the canvas and the policyholder painting a self-portrait. That’s a real, modern, Insurance Renaissance concept. But insurers can’t tap into free portraits without providing the canvases. In many cases, now that greenfields, startups and aggregators are filling information gaps and now that companies such as Majesco are providing cloud-based platforms, an insurer doesn’t even need to make a tremendous upfront investment to become digitally prepared. It simply needs to have the desire to capture opportunities and a willingness to modify business models. It is the thirst that matters. See also: How to Plant in the Greenfields   Claims Transformation – From Payout to Prevention and Elimination In today’s fast paced world of disruption and transformation, the management of claims is increasingly complex, challenging and in a constant state of flux. Insurers who want to deliver a new level of customer experience to compete, must move beyond efficiencies, cost reduction and claims payment to innovating the claims process to enhance the customer relationship and to prevent or eliminate claims using new technologies.  The response to potential and actual catastrophic events is proactive, with a focus on saving lives, minimizing or eliminating damage (think about an alert for a severe thunderstorm with hail to get a car under cover) and to provide customers a feeling of personalized care. Analytic Capability — Making the Invisible Visible Trends will always be with us. They may annoy us with their persistence, but if there were no such thing as trends, there would be far fewer opportunities for competitive growth. It doesn’t matter if trends are demographic, operational, economic or atmospheric…we know more when we see trends clearly. Analytics is like a periscope that reaches up out of the depths of the home office and views the landscape, allowing us to make the decisions that will keep us on course. Today’s analytics are far more precise (and fast) than they used to be, so our virtual picture can be strikingly close to reality.  Analytic answers color in our blind spots, bringing light to areas where we have traditionally been in the dark. It adds a new dimension to our decisions and also allows for improved experimentation and testing. The Insurance Renaissance — Front Row vs. On Stage Of course, the end of all of this improved observation isn’t just a better picture of reality. If that were the case, insurers could be content to sit and watch.  The end result of the clear picture must be an active performance based upon perpetual observation. The industry will reward the players, not the spectators. For those who are watching — the pundits, the experts, the researchers and the industry — they are likely to see that the thirst for reality is simply a small step in a gigantic shift from a focus on indemnity to a focus on prevention.  Someday, perhaps, prospects will search for companies with the fewest claims — knowing that those insurers are the ones who actively turn their knowledge of reality into increased safety, reduced loss and improved lives.

Yes, you read that right. A vaccine for heroin. I first ran across this concept on Twitter last week. I saw a posting from @heroin_research about a heroin vaccine. I was trained by my parents, and through practical experience over the past 55+ years, I've learned that if something sounds too good to be true then it probably is. This sounded too good to be true. But, being The @RxProfessor, I had to check it out. And that led to a Saturday conversation with Caron Block. Caron's son has been in recovery from heroin for over four years. It has been a long journey. Unlike the new trend in heroin users, his abuse did not start with a legitimately prescribed opioid after an injury or surgery. It started with drinking himself to sleep in 8th grade, then escalation to marijuana, then meth, then cocaine, then heroin. Naloxone literally saved his life multiple times from an overdose death. He has had open-heart surgery for Endocarditis (a heart valve infection very common with heroin users). He was adjudged to be a "use till death" person given the nature of his genetic predisposition to addiction. By all accounts, the fact that he is still alive is a miracle. That he's on his way this Fall to Columbia University after restarting his education at a community college is astounding. While his battle with addition will last a lifetime, his is a story of victory ... achieved every single moment of every single day. See also: Progress on Opioids — but Now Heroin?   But Caron knew that her son's victory was unfortunately not common. She had personal experience with death and devastation among friends and family. Many of his friends (past co-users) have died. And many still use. Rather than preaching to those still suffering from the addiction, he's trying to lead by example. But it is frustrating. And overwhelming. And so that turned Caron into an evangelist for the work of Kim Janda, Ph.D., the Ely R. Callaway Jr. Professor of Chemistry at The Scripps Research Institute (TSRI), and his pursuit of immunopharmacotherapy. He is really smart, working initially on a cocaine vaccine, then a nicotine vaccine, then a methamphetamine vaccine, and now a heroin vaccine. Note that each drug requires it's own unique vaccine, so a heroin vaccine will not be an opioid vaccine. But it's certainly a step in that direction since the heroin vaccine deals with morphine, one of the two metabolites, along with  6-acetylmorphine or 6-AM, that come from heroin, which as a chemical actually only lasts for about 30 seconds in the body. If you have 47 minutes available, watch this YouTube video titled "Heroin Vaccine and Understanding Addiction with Dr. Kim Janda & Caron Block." If you only have 5 minutes, a June 28, 2016 article published by Science News entitled "Vaccines could counter addictive opioids" is a detailed accounting of the vaccine. Included is a sobering statistic:

More than 60 percent of people with addiction experience relapse within the first year after they are discharged from treatment

In essence, the heroin vaccine "trains the immune system to usher the drugs out of the body before they can reach the brain." Just like how all vaccines work, it creates antibodies and turns the immune system into the front-line defense. In this case, it keeps heroin away from the brain. The "active vaccination" is primarily to help people get through rehab/detox or to stay clean afterwards (even if they relapse, the vaccine has made heroin an enemy of the body and they can't get the reward effects of the drug). Importantly, the vaccine is only valuable to those who desire to defeat their addiction, so vaccine recipients would need to be carefully vetted. The expectation is three to four boosts would be needed every two weeks to build up the antibodies that could last for several months. For more details, please read the Science News article. According to a January 2015 TIME magazine article ...

In 2013, preclinical trials of the drug on heroin-addicted rats showed those vaccinated didn’t relapse into addiction and were not hooked by high amounts of heroin in their system. “It’s really dramatic,” says Dr. George Koob, director of the National Institute on Alcohol Abuse and Alcoholism (NIAAA) who was involved in the heroin vaccine research. “You can inject a rat with 10 times the dose of heroin that a normal rat [could handle] and they just look at you like nothing happened. It’s extraordinary.

In 2015 TSRI and Dr. Janda received a $1.6M grant from the National Institute on Drug Abuse (NIDA), with the potential of three additional years of funding, to support pre-clinical trials of the heroin vaccine. That is really good news. TSRI has a very specific plan forward:

• Pre-clinical meeting with the FDA
• Production of the vaccine under cGMP
• Animal toxicity studies (2 species)
• Efficacy study in another animal model (likely primate)
• IND filing with the FDA prior to initiating human trials

The corresponding bad news is that a lot more money will be required to take it to human trials and ultimately to FDA approval and production. They have estimated a minimum of $10.5M and 3 years to get through Phase II trials, after which they'll need even more money and time for Phase III trials, NDA application, FDA review and approval. There are a lot of financial headwinds for a variety of reasons (if you consider a heroin vaccine reducing demand, you can probably speculate on who might not be supportive). Caron is doing her part with a Facebook page and the aforementioned@heroin_research on Twitter. Dr. Janda believes that addiction is perceived to be a moral failing (of the individual or society as a whole) where it should be seen as a brain disease. Dr. Nora Volkow, Director of NIDA, believes in "treating addiction like a disease that needs to be managed, such as diabetes or high blood pressure, with a multiplicity of treatment options would help addicts find a treatment that works well for them over the long haul." That stigma certainly doesn't help fundraising. See also: Opioids Are the Opiates of the Masses   I'm an ALL OF THE ABOVE kind of person. For any complex multi-dimensional issue, there is no single solution. We need Medication Assisted Treatment. And greater access to substance abuse and mental illness treatment facilitated by the series of bills recently signed into law ("What will $180 Million Buy Us?"). And the use of PDMPs to identify prescription drug abuse/misuse. And the trending yet controversial "safe spaces" for heroin users to be guaranteed clean needles and clinical oversight (and, hopefully at some point, a recognition for the need to change). And any number of other initiatives around the country focused to combat the dual epidemics of painkiller and heroin abuse. At this point, I'm a believer that this is not "too good to be true." But it might not ever be one of the solutions available without other evangelists and dollars to fund the research to validate whether this really works on people. Are you willing to be an evangelist? Do you know somebody who would be willing to be an evangelist? Do you have access to research dollars? If the answer to any of those questions is "yes", let me know. Or contact Caron (@heroin_research). Or contact Christopher Lee (clee@scripps.edu) at TSRI. It would be yet another tragedy for this vaccine to hit a dead-end because of funding. If it truly does work, this should be one of the biggest no-brainers in our lifetime.

Today, dog lovers all over this great nation walk their dogs through neighborhood streets, and after the dogs “do their business” or “deposit a love biscuit,” the dutiful owner takes a moment to pick up the waste and carry it home. The telltale swinging plastic bag of poop is a sign the responsible dog caregiver is keeping their neighborhood clean. After all, only in America can placing a naturally degradable substance inside a plastic bag where it will last 10,000 years in a landfill be considered ecologically responsible. But all of that difficult work is about to end, thanks to a ridiculous bit of technology --  and signals the sort of confusing adjustment that workers' comp will have to make as the definition of work and work sites changes. Imagine, not so far in the future, the dog owner does not pick up his pooch's steaming pile of love. Rather, they grab their cell phone (which they were probably holding because they’ve been on Facebook for most of the walk), snap a picture of the pile, tag its location with an app and simply walk away. Somewhere, an “Uber style driver” is notified that fresh feces is afoot. They race to the geographically tagged location and, quick as a flash, scoop up Fido’s poop. They will have the onerous and odoriferous task of keeping your neighborhood safe from unwanted piles of poop. One and done — and you are good to go. I suppose the picture is useful for identification purposes. You wouldn’t want to scoop the wrong poop, after all. You read that right. There will soon be an app that will allow you to summon someone else to clean up after your dog. See also: Five Workers’ Compensation Myths Beyond being the ultimate sign of a lazy and slothful society teetering on the brink of self-destruction, this idea actually just stinks. Imagine, if you will, the physical machinations of the concept. You are standing in your neighbor’s yard, taking a picture of dog shit. As your neighbor stands in their living room window, drinking their morning coffee, what could they possibly be thinking? You might just be arranging for a pick up, but, in their mind, you’ve now been labeled an irresponsible pervert who commemorated the officious occasion of your dog dumping in their yard. Maybe Fido should get a ribbon for his effort. While the developers of the “Pooper App” claim it is an “Uber-like service,” it seems to lack an actual verification factor. How do we know the poop was actually purloined? I mean, with Uber, we know whether the guy showed up or not. With the pooper app, you may be able to see the pooper scooper drove by, but you’ll have no idea if they actually scooped the poop. Maybe they have to take a selfie with the poop as proof. It is certainly going to be an interesting morning in your neighbor’s yard. And who would actually want this job? I know that services already exist that clean out yards and such on a scheduled basis, but who will want to troll an area waiting for an app to notify them that there is poop afoot? The developers tell us pet owners of all types will take this job because they love animals so much that scooping their poop is a pleasure. I would conjecture that if people loved bagging poop so much, we wouldn’t need the pooper app to begin with. No, these scoopers must be experiencing a serious call of doody. That is the only explanation. From a workers’ compensation perspective, I suppose these Uber scoopers will have the same challenges now being faced by other participants in the sharing economy. Who will cover them? What if they are hurt on the job; say shot for trespassing on your neighbor’s lawn? And if they are covered under workers’ comp, what class code would we possibly assign them? See also: How Should Workers’ Compensation Evolve?   Technology continues to challenge our industry. At least we can be comforted by the fact that it is challenging our common sense, as well. This article first appeared on WorkersCompensation.com.

The 1926 Model A is a far cry from the self-driving Tesla we see on the road today. The automotive industry has progressed light years since Henry Ford first paved the way for automobiles. From refrigerators to cars, technology is moving at warp speed. There’s just one industry that hasn’t quite kept up with the Joneses: the insurance industry. For over one hundred years, the $1 trillion industry has stayed pretty constant — consumers purchase a policy from an agent, pay their premiums and really don’t think twice about it. These four startups from Silicon Valley, New York City, etc. are about to turn the insurance world upside down. And, if you ask us, it’s about time. Mojio— Some may remember Mojio as a “connected car” hard- and software company, but the brand recently went through a major overhaul.  With a seasoned startup CEO on their hands, Mojio looked at industry trends and discovered a major hole and an opportunity for change. They plan to roll out their new business model in North America sometime this fall, in conjunction with the revamped AutoMobility LA, the first smart car technology trade show of its kind.  With their new model, Mojio hopes to create an automotive ecosystem where the automotive industry, insurance industry and telecom services thrive together. While staying mum about their North American partnerships, Kyle MacDonald, head of marketing had this to say:

“This open approach enables the owner of the car to become the owner of his or her data. Novel? Yes, but we believe this is simply the logical evolution of car ownership. As software continues to eat the world, startups like Mojio are poised to take a big bite out of the connected car market.”

Needless to say, your connected car is about to get a whole lot better. Mojio has been experimenting with their new model oversees with wild success. In an article posted on the Mojio blog, CEO Kyle Hawk said, “Deutsche Telekom and ZTE are turning to partners like Mojio to provide the platform for global, scalable connected car offerings, signaling an exciting time for not only the automotive and mobile industries, but ultimately for end users who’ll soon be able to enjoy a new era of car ownership and driving experiences.” See also: InsurTech: Golden Opportunity to Innovate   CoverHound— CoverHound is built for one-stop shoppers. With the wild success of things like Amazon's 1-click ordering, consumers are used to comparing and purchasing things in one place. Why not apply this philosophy to the insurance world? The brilliant minds behind CoverHound are doing just that. With $33.3 million in their series C round seed funding, this San Francisco startup is everything you would imagine. With urban chic offices and a mass of young professionals with immense potential, this start up is poised to rocket to even more success. They’ve already clobbered over similar sites like the now-defunct Leaky, and they’ve just secured a new round of investors. With this, they plan to take on business insurance coverage for small startups. CoverHound board member James D. Robinson III said, “The industry is ripe for change, CoverHound paves the way into the next generation of insurance.” They’re not just relying on a great user experience website; CoverHound allows potential customers to tweet at them for quotes, capitalizing on high traffic social media. With these innovative business practices, CoverHound will be the new way to get insurance as technology continues to push on. Trov— Insurance isn’t just about cars.; what about your house and all your belongings? There is nothing worse than coming home to a ransacked home and discovering that all your valuables have been stolen. Panic sets in. Did I pay my premiums this month? Will my renter’s insurance cover the cost of my bike? Do I even have proof of all my valuables? Trov solves all of these in one glorious mobile app. The brilliant minds behind Trov thought pretty critically about the behaviors of millennials before designing the platform Trov is built on. Insurance companies of the past have two fatal errors. The first is they don’t account for the fact that today’s consumer is far from stagnant and that moving every two years is commonplace. Home insurance policies for 30-plus years just aren’t happening anymore. The second, and perhaps the more frustrating, is claims. Insurance giants intentionally make the claims process difficult to discourage you from filing them. Trov solves it all with its cloud-based insurance app that — with a few swipes, photos and texts — you can catalog, insure and file a claim right from your phone. It’s a dream come true when it comes to insuring your valuables without the hassle. Right now, Trov is only available in Australia, but this Bay Area-based company plans to launch in the U.S. by 2017. Lemonade— For a company that has yet to launch after receiving one of the highest amounts in first-round seed funding, Lemonade is getting a lot of press. Claims like, “We aim to be the Facebook of insurance” are pretty bold, but we would be lying if we said we weren’t intrigued. Lemonade is a peer-to-peer insurance company. To put it simply, a group of small policyholders pay their premiums into a pool to pay claims. If there is still money left in the pool at the end of the period, the group gets money back. The company is backed by notable investors Sequoia and Aleph Capital and has brought on AIG and ACE veterans execs. A simple search of “Lemonade insurance” and you’ll find article after article of its “plans” to launch. As the end of 2016 creeps closer and closer, we can’t help but wonder what’s going on behind the hot pink doors. With a concept that’s yet to be tested in the American market, Lemonade has potential — but, then again, good press doesn’t last forever. See also: The Start-Ups That Are Innovating in Life Fast forward to 2017, and this list could be entirely different. That’s the beauty of startups: they’re constantly pushing boundaries. All of it is good news for the customer, who desires a better experience when it comes to their insurance policies. Giants such as State Farm and Progressive will have to rely on more than just clever marketing spokespeople to keep up with the tech trends. These four startups are already causing some mayhem of their own in the industry. With a piece of a $1 trillion pie at stake, it’s surprising it has taken this long for the shakeup. This article first appeared on obrella.com.

A part of my life allowed me the privilege of treating nearly 10,000 individual patients. Their openness and trust let me partner with them, deciding on and helping enact a course of care, which often helped change lives. We lived life together. Owning a practice means more than just providing necessary healthcare — through ethical and legal means. It allowed me to bring out a greater level of transparency and humanity, while remaining professional. It taught me to always put on a happy face, especially in times of personal stress or upset. I learned to make that one patient in that one moment of time feel like the most important person in the world. Some may think the majority of patients can't tell the difference in care and just want their symptom or disease treated. News flash — you're wrong.   It may seem as though patients are just putting out their time and money, but really they are giving us a high level of trust and control. Depending on the person and problem, we can have significant influence over the course and quality of their lives, as well as the lives of those closely attached to them. See also: Key Misconceptions on Health Insurance Too often, we forget nine out of every 10 patients makes less than $33,000 in income (see below). Nearly 40% of patients carry medical-related debt, and one-third of those must choose between payment for that debt versus rent, housing or heat. Many of these cash-strapped individuals will only come in and choose to make health a priority within later, irreversible stages of chronic disease. Most everyone knows our healthcare is in crisis. The solution appears clear: improve care quality, reduce cost, increase safety, grow healthier communities and deliver all this with greater consumer affordability. The advent of healthcare technology will certainly help make much of this possible. But we must not make the mistake of thinking patients will have the same level of dedication to population health, wearables and medication adherence as we do. Patients care about themselves and those they love. They care about money and their financial future. They care about feeling good and avoiding pain — but the pain can be more than just their symptoms and condition. Health payers acquired a longstanding, terrible reputation for not caring.  Many plan members, who suffer physically, emotionally and financially, felt as though they were treated like just another accounting line item, as if they were just commodities that made the business of healthcare payments go 'round. We're at a tipping point. As more risk shifts onto the shoulders of hospitals, providers and affordable care organizations (ACOs), we must not make the same mistakes. Tomorrow's healthcare will involve and require patient compliance and participation to get the best results. It is one thing to put technology in place that captures patient-generated health data, but it is quite another to show patients you care about the data. Patients deserve to feel the compassion, caring and humanity in our hearts and actions. See also: Innovation: a Need for ‘Patient Urgency’ I've retired from practice, my career now shifting into the business side of healthcare. I am carefully seeking my next path for the right healthcare company, where I can blend my experience, talents, skills and years of front-line patient experience. The healthcare sector is a target-rich environment, whose underlying industries, more than ever, have a tremendous ability to shape the course and outcomes of human lives. Technology, big data and Triple Aim aside, we must remember the human condition is more than just condition. It is a place where people reside because they often have lost hope and human support. In the future of patient data, we must recognize that behind the numbers lives a human life and heart and the potential for physical and emotional improvement.

Alarm systems have a long and varied history — from geese in ancient Rome, to noise makers that announced the presence of an intruder, to present-day electronic sensors and lasers. Originally, the creation of alarms was driven by the psychological need all humans have to establish a safe environment for themselves. Today, that same need exists, but it has been extended to include other concerns, such as valued personal possessions, merchandise and intellectual property. In the cyber realm, security is as important as it is in the physical world because people must be able to feel secure in their ability to store sensitive, high-value data. Without that sense of security, the cyber realm would lose almost all of its relevance. Cybersecurity is established by various hardware and software components, but none of the components are more essential than strong encryption. It is such encryption that keeps bank transactions, online purchases and email accounts safe. However, there is a disturbing worldwide governmental trend to weaken encryption, which was exemplified in the legal disagreement earlier this year between Apple and the U.S. government. While there are definite aspects of the dispute that fall outside of the professional insurance sphere, there is an undeniable part of the battle for strong encryption that the professional insurance sector must not fail to acknowledge and address. The outcome of this struggle will be felt well into the 22nd century, and, perhaps, at least in the business arena, the outcome will be borne most keenly by cyber liability and technology E&O insurers. With global attempts to reduce the effectiveness of encryption, no insurer can claim it lacks a part in the effort for resilient and ever-evolving encryption and cybersecurity measures. The Chinese government is not a supporter of privacy, and it has even hacked Google’s Gmail service and the Dalai Lama’s email account to gain access to information it has deemed disruptive. It also has been stepping up its “investigations” into products produced by U.S-based technology companies. Furthermore, after both the 2015 attack in Paris and the 2016 attack in Brussels, the debate regarding whether encryption should be allowed was re-ignited in Europe and the U.K. Recently, the French, Hungarian and British governments have made various attempts at weakening or removing encryption. Therefore, with this global challenge facing insurers, they are required to be completely aware of what is at risk for them, and they must help pave a path forward that endeavors to balance profitability of products (like cyber liability and technology E&O) with the protection those products should afford any insured. See also: Best Practices in Cyber Security Apple, perhaps, serves as the best example of how governmental interference with cybersecurity is an issue that requires direct and immediate intervention from insurers. There are thousands of businesses around the world that rely on the iPhone and iPad for productivity purposes — and almost all of those businesses also rely on the security that those devices provide, both from a hardware and a software standpoint. Recently, the U.S. government attempted to force Apple, in different judicial battles, to write code that will allow the government to have a master key to access the data of any iPhone. However, the U.S government is also pursuing a legislative avenue to pass a law that will force U.S. companies to give the U.S. government unfettered retrieval of any data on which it sets its sight. To provide such access would almost always require companies to write software code that is purposefully compromised from a security standpoint. It would be extremely unwise for professional insurance companies to assume this disagreement is only between the technology sector and world governments because, if there is an outcome favorable for the U.S. government, it will have direct and immediately negative effects on insurers that offer cyber liability and technology E&O insurance in the U.S., and it will set a dangerous precedent that will embolden other governments to justify similar breaches that will allow them to acquire what should be secure data. From a cyber liability standpoint, any vulnerability in software code gives hackers another way to compromise a victim's computers and network. If a company like Apple (which has thousands of businesses depending on it to keep them safe) has to create a master key, then all of the businesses that use Apple products will be vulnerable to attack. The U.S. government has a long history of being unable to keep its own data safe, which means, in time, hackers will be able to figure out what entrance point was created and then exploit it. The most worrisome entities that might access the backdoor would be non-democratic nation-states because they have the most to gain from exploiting any vulnerabilities in U.S-based companies. However, such companies are not the only ones who use products produced by Apple, which means companies located anywhere would also be vulnerable. Additionally, if world governments put restraints on encryption to make it illegal or to limit the ways data can be encoded then, again, that gives power to those entities that would exploit weak encipherment to the detriment of the private sector. From a technology E&O standpoint, any request by the U.S. government to weaken products produced by an insured creates a breach of contract, which will hurt claims made against technology E&O policies. If Foxconn, which builds the iPhone for Apple, was forced to alter firmware used in the iPhone to allow at least one software flaw, then Apple could sue Foxconn for a breach of contract were Apple to learn of Foxconn obeying a government order to create a security bypass in the firmware code. Worse yet would be a company like FireEye being forced to reduce the effectiveness of its virtual execution engines that are at the heart of its malware analysis appliances. FireEye, and other cyber security companies, are what often stand between a hacker and its victim. Should a cybersecurity company ever be forced to obey a government order, little would stand between a hacker and its potential victims. Moreover, all of the companies that depend on the products of a cybersecurity company would also be in a position to bring claims against the insured organization, which would certainly be detrimental to technology E&O insurers. To defend itself and its products from government interference, Apple is implementing a security feature that removes its ability to bypass the iPhone's security. While such method works from a simplicity standpoint, it will not work for a majority of technology companies, with cybersecurity and cloud providers being two examples of where such a solution would not work. Additionally, if a law were passed that forced a company by way of a court order, for example, to decrypt information on its products, then the company so ordered would be put into a bind. Cyber liability and technology E&O insurers could also add exclusions to policies that would void insurance contracts if an insured organization complied with a governmental request to create a backdoor. However, it would be extremely difficult for an insurer to prove the backdoor was created deliberately, and, ultimately, such exclusions would be ethically ambiguous given they would punish an insured firm for obeying the rule of law. Companies could also contest each governmental request, assuming no law makes it illegal to deny a government request, but not all companies have the time or financial resources with which to fight a government. The only reasonable avenue to rein in disruptive governmental orders, then, is for insurers, technology companies and others to unite and block any legislative attempt to pass a law that would force any technology company to create a security gap. Moreover, the resistance movement will also need to fight against any attempt to weaken or make illegal any type of encryption. See also: Paradigm Shift on Cyber Security Currently, the relationship that exists between the insurance and technology sectors is that of provider and client, but that relationship must now evolve into a partnership. The technology sector cannot afford to go without cyber liability and technology E&O insurance because almost every company needs to offset technological risk now that we are in a globally connected and highly litigious age. Insurers also need to continue offering cyber liability and technology E&O policies because they have the clout and financial strength to help protect companies — especially small- and medium-sized ones — from an ever-changing technological landscape. Then, too, whichever insurer develops a realistic understanding of the intersection of risk and technology will be in a position to enrich itself. The path forward, then, is to create a coalition whose first goal would be to stay on top of both pending and current judicial cases and bills being drafted or voted on in any legislature worldwide that would degrade the security strength of any member’s product. The U.S. government has recently tried to force Apple to create a master key to one of its product lines, and there is no reason to believe that it will not force other companies (like cloud providers) to build similar backdoors into their products. To work against such actions, the coalition might be composed of two representatives from each sector’s main representative organization. For instance, for the professional insurance sector that would be PLUS, and for technology companies that would be IEEE. Furthermore, the coalition might also be composed of members from automotive manufacturers, educators and telecommunication firms. The coalition’s protective approach, then, would be to identify cases or bills and then attempt to bring all resources forward to eliminate or mitigate the offending threat. A recent example on the judicial side of a case that would have been a threat to the putative coalition was the Apple vs. the U.S. government in Central District of California, Eastern Division. A current example of a legislative threat to the coalition is the Burr-Feinstein Anti-Encryption draft that seeks to allow courts to order a company to decrypt information it has encoded, like the way the iPhone protects a user’s data. In a judicial case, the main measure could be filing amicus curiae briefs on the part of the aggrieved organization, but another measure might be ensuring the defendant is crafting the most reasonably persuasive anti-governmental interference arguments and appealing unfavorable rulings. On the legislative front, measures might include lobbyists but, more importantly, ought to involve the unity achieved by the existence of the coalition, working with an organization like the EFF and even creating public relation campaigns to appeal to the support of the world populace. In the rare instances when a government attempts to work with the private sector to understand the concerns that it has — for instance, as the U.S. government is trying to do with the proposed “Digital Security Commission” — then the coalition would need to support such efforts as much as possible. It is true that the coalition’s efforts in countries like China and Russia might be limited, and they will be also be limited when a country feels that a criminal act, like terrorism, is better dealt with by eroding encryption and cybersecurity measures. In an instance concerning China, insurers could consider increasing the amount of re-insurance that they purchase on their cyber liability and technology E&O portfolios to offset the damage from increased claims. Insurers will also need to be extremely cautious when providing cyber liability and technology E&O coverage to organizations that have close relationships with non-democratic governments (like the Chinese government) or ones that produce products that have a high likelihood of being the result of IP theft, such as any mid- to high-end binary processor. The pursuit of the best encryption and cybersecurity measures needs to be unencumbered by the efforts of any government, just as alarm systems have been free to evolve over the past two or three millennia. This can only be achieved, though, through the unified actions and vigilance of a coalition. Encryption and resilient cybersecurity frameworks are the essential and irreplaceable elements in a safely connected world. To limit, in any way, the efforts to perfect those elements or to purposefully reduce their effectiveness is irresponsible regardless of whether the reason is national security or the pursuit of breaking a criminal enterprise. Lloyds, and other organizations involved with cyber liability and technology E&O insurance, see a future where insurers are able to achieve healthy profits off those two products. However, if insurers do not responsibly oppose governmental attacks on encryption and cybersecurity, that profitable future will give way to a future of excessive claims, damaging losses and very little profit.

As more companies invest in insurtech, we know that the small business insurance market is in the crosshairs of a number of start-ups, because small businesses are underserved and often underinsured. What many have failed to discuss is the impact that serving a small business has on carriers and brokers and how innovation could help these folks, as well. It is both challenging and costly to manage a small businesses book because serving these smaller, often first-time business owners comes with more questions, more time spent on renewal and more upkeep. Small businesses often do not have someone solely responsible for operations, and, thus, business owners are figuring out insurance on their own, with little time or patience to learn every intricacy of the insurance process. See also: Start-Ups Set Sights on Small Businesses However, the small business market makes up $100 billion of the $1 trillion insurance market. While not serving these businesses comes with a cost, serving these businesses poorly perhaps comes with a greater cost — not the least of which could be the loss of trust, if not the loss of a customer for life. Without the right systems in place, brokers and carriers will continue to feel the burden of serving small businesses, and small business owners will continue to feel confused about their insurance needs. So the truth that no one is talking about is: Innovation goes beyond helping small businesses; innovation helps everyone, carriers and brokers included. So, what is the solution? When many insurance veterans hear the words “start-up,” “innovation” or “change,” they roll their eyes, and they have the right to. After all, many of these folks have dedicated their lives to selling insurance and managing books worth hundreds of millions of dollars. Traditional carriers and brokers have built strong brands and have served billions of businesses, both large and small. At CoverWallet, we don’t take the expertise of those who have come before us lightly, but we know that finding a better way to acquire, retain and improve lifetime value of small businesses policies in a more cost-effective way is an essential path forward for traditional carriers and brokers. What’s important to understand is that many carriers and larger brokers aren’t well-positioned to take on completely innovating their tech stack, which is where start-ups can fill an unmet need. Start-ups can innovate and build faster and can focus on a single group, while traditional carriers and brokers have largely been forced to focus on many groups, businesses and sizes of business. Overall, start-ups are better poised to:

• Acquire customers: Quotes and binds can take a long time, and carriers are more apt to focus on larger accounts. However, start-ups with an online application can serve businesses faster, moving from quote to bind in record time.
• Service customers: Finding information about insurance online is tough, but with peer comparison tools, informative landing pages and support any way you want it (email, chat, phone) a customer can get questions answered in 1-2-3.
• Retain customers: Retention of small businesses for traditional carriers and brokers gets tougher and tougher year-over-year as customer expectations grow. Many small business owners will at least shop around for a new quote when renewal time comes up, typically because they are disappointed with the level of customer service they have received. Start-ups focused on small businesses, providing a digital solution, built-in notifications and renewal reminders will likely make customers more comfortable with renewing — again and again.

This is not to say that introduction of start-ups into the insurance world means the end of traditional carriers and brokers. Quite the opposite. While start-ups are better-positioned in some ways, even the most innovative start-ups will need the help and support of traditional carriers and brokers. See also: InsurTech Boom Is Reshaping Market   Partnering with a start-up, especially one that focuses on making insurance a digital experience, from the bind to policy management, will no doubt prove valuable for today’s insurers. Doing so will allow carriers and brokers to focus on their largest binds and will reduce the cost of maintaining smaller businesses for the carrier. Having a strong digital presence and giving customers a way to buy online will be essential to the future of the industry. What is important for all players to understand, from start-ups to brokers to carriers, is that the most successful way forward is together.

Healthcare Matters sits down with Dr. Richard Anderson, chairman and CEO of the Doctors Company. In part 7 of our State of Defensive Medicine series, we asked Dr. Anderson how the medical liability insurance landscape has changed over the last 15 years.  

In July 2015, a hacker who goes by the name Phineas Fisher breached an Italian technology company, Hacking Team, that, ironically, sells spying and hacking software tools. Fisher exfiltrated more than 400 gigabytes from the company and declared his motive was to stop its “abuses against human rights.” “That’s the beauty and asymmetry of hacking: With 100 hours of work, one person can undo years of work by a multimillion-dollar company,” Fisher wrote online. “Hacking gives the underdog a chance to fight and win.” Hacktivism, or the act of hacking into others’ computer networks to promote one’s political or other agenda, has been around as long as the internet. But the technology that’s available is easier and cheaper than ever, lowering the barrier of entry even for those with little experience. “You don’t have to be an expert to have access and to cause damage to people and their websites,” says Rick Holland, vice president of strategy at Digital Shadows, which has tools to search the internet and the Dark Web to compile compromised information about their clients. Anonymous, perhaps the most notorious hacking group, largely markets itself as hacktivists. But with the emergence of social media as a loud megaphone that also enables anonymity, other lesser-known hacktivists have become increasingly emboldened in heralding their cause and calling for others to join. See also: 2 Novel Defenses to Hacking of Browsers   Here are five things every company should grasp about hacktivism: • Hacktivists are true believers. They are individuals who often belong to a hacker network group online that shares their values and ideology. They can act alone or be prompted by a broader hacktivist campaign, such as OpIcarus or Ghost Squad Hackers. Hacktivists are motivated by branding their agenda — Operation X — and distinguish themselves from cyber criminals who merely pursue financial gains. But “there’s a lot of blurring of the lines between criminals, espionage actors and hacktivists,” Holland says. “It’s oftentimes difficult to tell who it is. You see some of the cybercriminal organizations that might moonlight take contracts.” • Controversy can make you a target. Controversial individuals, companies and governmental and nongovernmental organizations are often targets. The list of past victims includes autocratic governments, politicians, agrochemical manufacturers, oil companies, pharmaceutical companies, genetically modified food makers, religious groups, social media websites and others. They generally target large organizations. Small- to medium-size businesses typically are not on their radar unless they operate in controversial industries. A small supplier to GMO manufacturers, for example, could potentially be a target. “Hacktivists can come after you because of that relationship in the supply chain,” Holland says. • Attacks can be widespread. Data on the frequency of attacks are hard to come by. But one group, Ghost Squad Hackers, plans to target banks, and their activity offers a glimpse of how quickly plans can proliferate. “We’ve seen 70 different organizations that they’ve announced are going to be targets,” Holland says. • Attacks can take varied forms. Hackers can compromise the target’s computer systems in all the ways that are available to cyber criminals. They can set up a phishing domain that looks like the target’s domain to acquire sensitive information, such as passwords and company data. Using Twitter (or other social media channels), they may coordinate a distributed-denial-of-service attack on a web page to take it down. See also: Hacking the Human: Social Engineering   “We may find this out, and then we can tell the company, ‘Look we’re seeing a campaign against one of your executives,’” Holland says. “We give them an idea of a risk to their staff that they didn’t know about.” • The best defense: Use security best practices, keep a low profile. All the usual cybersecurity steps should be established, such as virtual private networks, multifactor authentication protocol, firewalls and tools to guard against DDoS attacks. Companies should undergo a “threat modeling exercise” to determine how they’d respond in the event of an attack, Holland says. Knowing who to call for help is important. Organizations that can afford cloud-based services should consider them, as a company can move its traffic up to the cloud if it's attacked. “If you’re a big bank, you can afford those kinds of services. But if you’re a smaller-tier company, (you should ask) ‘Do I need to spend that kind of money?’ That’s a difficult question,” Holland says. According to Holland, executives should be trained by the PR staff or consultants to be more careful when speaking publicly and not say things that could incite hacktivists. Suppliers also should be alerted about the possible dangers. “A lot of hacktivists are typically younger, idealistic people who are getting attached to these causes. So there’s no shortage of that,” he says. “This will never end.” More stories related to hactivism: Cybersecurity a concern for candidates on 2016 campaign trail Despite precautions, DDoS attacks becoming more dire, damaging Chaos theory takes root in aftermath of Sony Pictures hack This post first appeared on ThirdCertainty. It was written by Roger Yu.