Keep the Humanity in Healthcare

Some may think the majority of patients just want their symptom or disease treated. News flash — you're wrong.

A part of my life allowed me the privilege of treating nearly 10,000 individual patients. Their openness and trust let me partner with them, deciding on and helping enact a course of care, which often helped change lives. We lived life together. Owning a practice means more than just providing necessary healthcare — through ethical and legal means. It allowed me to bring out a greater level of transparency and humanity, while remaining professional. It taught me to always put on a happy face, especially in times of personal stress or upset. I learned to make that one patient in that one moment of time feel like the most important person in the world. Some may think the majority of patients can't tell the difference in care and just want their symptom or disease treated. News flash — you're wrong.

It may seem as though patients are just putting out their time and money, but really they are giving us a high level of trust and control. Depending on the person and problem, we can have significant influence over the course and quality of their lives, as well as the lives of those closely attached to them.

Too often, we forget nine out of every 10 patients make less than $33,000 in income (see below). Nearly 40% of patients carry medical-related debt, and one-third of those must choose between payment for that debt versus rent, housing or heat. Many of these cash-strapped individuals will only come in and choose to make health a priority in the later, irreversible stages of chronic disease. Most everyone knows our healthcare is in crisis. The solution appears clear: improve care quality, reduce cost, increase safety, grow healthier communities and deliver all this with greater consumer affordability. The advent of healthcare technology will certainly help make much of this possible. 
But we must not make the mistake of thinking patients will have the same level of dedication to population health, wearables and medication adherence as we do. Patients care about themselves and those they love. They care about money and their financial future. They care about feeling good and avoiding pain — but the pain can be more than just their symptoms and condition. Health payers acquired a longstanding, terrible reputation for not caring. Many plan members, who suffer physically, emotionally and financially, felt as though they were treated like just another accounting line item, as if they were just commodities that made the business of healthcare payments go 'round. We're at a tipping point. As more risk shifts onto the shoulders of hospitals, providers and affordable care organizations (ACOs), we must not make the same mistakes. Tomorrow's healthcare will involve and require patient compliance and participation to get the best results. It is one thing to put technology in place that captures patient-generated health data, but it is quite another to show patients you care about the data. Patients deserve to feel the compassion, caring and humanity in our hearts and actions.

I've retired from practice, my career now shifting into the business side of healthcare. I am carefully seeking my next path for the right healthcare company, where I can blend my experience, talents, skills and years of front-line patient experience. The healthcare sector is a target-rich environment, whose underlying industries, more than ever, have a tremendous ability to shape the course and outcomes of human lives. Technology, big data and Triple Aim aside, we must remember the human condition is more than just condition. It is a place where people reside because they often have lost hope and human support. 
In the future of patient data, we must recognize that behind the numbers lives a human life and heart and the potential for physical and emotional improvement.

Stephen Ambrose

Steve Ambrose is a strategy and business development maverick, with a 20-plus-year career across several healthcare and technology industries. A well-connected team leader and polymath, his interests are in healthcare IT, population health, patient engagement, artificial intelligence, predictive analytics, claims and chronic disease.

The Costs of Inaction on Encryption

Here is how to stop the worldwide governmental trend to weaken encryption, exemplified in the fight between Apple and the U.S.

Alarm systems have a long and varied history — from geese in ancient Rome, to noise makers that announced the presence of an intruder, to present-day electronic sensors and lasers. Originally, the creation of alarms was driven by the psychological need all humans have to establish a safe environment for themselves. Today, that same need exists, but it has been extended to include other concerns, such as valued personal possessions, merchandise and intellectual property. In the cyber realm, security is as important as it is in the physical world because people must be able to feel secure in their ability to store sensitive, high-value data. Without that sense of security, the cyber realm would lose almost all of its relevance. Cybersecurity is established by various hardware and software components, but none of the components are more essential than strong encryption. It is such encryption that keeps bank transactions, online purchases and email accounts safe. However, there is a disturbing worldwide governmental trend to weaken encryption, which was exemplified in the legal disagreement earlier this year between Apple and the U.S. government. While there are definite aspects of the dispute that fall outside of the professional insurance sphere, there is an undeniable part of the battle for strong encryption that the professional insurance sector must not fail to acknowledge and address. The outcome of this struggle will be felt well into the 22nd century, and, perhaps, at least in the business arena, the outcome will be borne most keenly by cyber liability and technology E&O insurers. With global attempts to reduce the effectiveness of encryption, no insurer can claim it lacks a part in the effort for resilient and ever-evolving encryption and cybersecurity measures. The Chinese government is not a supporter of privacy, and it has even hacked Google’s Gmail service and the Dalai Lama’s email account to gain access to information it has deemed disruptive. 
It also has been stepping up its “investigations” into products produced by U.S.-based technology companies. Furthermore, after both the 2015 attack in Paris and the 2016 attack in Brussels, the debate regarding whether encryption should be allowed was re-ignited in Europe and the U.K. Recently, the French, Hungarian and British governments have made various attempts at weakening or removing encryption. Therefore, with this global challenge facing insurers, they are required to be completely aware of what is at risk for them, and they must help pave a path forward that endeavors to balance profitability of products (like cyber liability and technology E&O) with the protection those products should afford any insured.

Apple, perhaps, serves as the best example of how governmental interference with cybersecurity is an issue that requires direct and immediate intervention from insurers. There are thousands of businesses around the world that rely on the iPhone and iPad for productivity purposes — and almost all of those businesses also rely on the security that those devices provide, both from a hardware and a software standpoint. Recently, the U.S. government attempted to force Apple, in different judicial battles, to write code that will allow the government to have a master key to access the data of any iPhone. However, the U.S. government is also pursuing a legislative avenue to pass a law that will force U.S. companies to give the U.S. government unfettered retrieval of any data on which it sets its sight. To provide such access would almost always require companies to write software code that is purposefully compromised from a security standpoint. It would be extremely unwise for professional insurance companies to assume this disagreement is only between the technology sector and world governments because, if there is an outcome favorable for the U.S. 
government, it will have direct and immediately negative effects on insurers that offer cyber liability and technology E&O insurance in the U.S., and it will set a dangerous precedent that will embolden other governments to justify similar breaches that will allow them to acquire what should be secure data. From a cyber liability standpoint, any vulnerability in software code gives hackers another way to compromise a victim's computers and network. If a company like Apple (which has thousands of businesses depending on it to keep them safe) has to create a master key, then all of the businesses that use Apple products will be vulnerable to attack. The U.S. government has a long history of being unable to keep its own data safe, which means, in time, hackers will be able to figure out what entrance point was created and then exploit it. The most worrisome entities that might access the backdoor would be non-democratic nation-states because they have the most to gain from exploiting any vulnerabilities in U.S.-based companies. However, such companies are not the only ones who use products produced by Apple, which means companies located anywhere would also be vulnerable. Additionally, if world governments put restraints on encryption to make it illegal or to limit the ways data can be encoded then, again, that gives power to those entities that would exploit weak encipherment to the detriment of the private sector. From a technology E&O standpoint, any request by the U.S. government to weaken products produced by an insured creates a breach of contract, which will hurt claims made against technology E&O policies. If Foxconn, which builds the iPhone for Apple, was forced to alter firmware used in the iPhone to allow at least one software flaw, then Apple could sue Foxconn for a breach of contract were Apple to learn of Foxconn obeying a government order to create a security bypass in the firmware code. 
Worse yet would be a company like FireEye being forced to reduce the effectiveness of its virtual execution engines that are at the heart of its malware analysis appliances. FireEye, and other cyber security companies, are what often stand between a hacker and its victim. Should a cybersecurity company ever be forced to obey a government order, little would stand between a hacker and its potential victims. Moreover, all of the companies that depend on the products of a cybersecurity company would also be in a position to bring claims against the insured organization, which would certainly be detrimental to technology E&O insurers. To defend itself and its products from government interference, Apple is implementing a security feature that removes its ability to bypass the iPhone's security. While such a method works from a simplicity standpoint, it will not work for a majority of technology companies, with cybersecurity and cloud providers being two examples of where such a solution would not work. Additionally, if a law were passed that forced a company by way of a court order, for example, to decrypt information on its products, then the company so ordered would be put into a bind. Cyber liability and technology E&O insurers could also add exclusions to policies that would void insurance contracts if an insured organization complied with a governmental request to create a backdoor. However, it would be extremely difficult for an insurer to prove the backdoor was created deliberately, and, ultimately, such exclusions would be ethically ambiguous given they would punish an insured firm for obeying the rule of law. Companies could also contest each governmental request, assuming no law makes it illegal to deny a government request, but not all companies have the time or financial resources with which to fight a government. 
The only reasonable avenue to rein in disruptive governmental orders, then, is for insurers, technology companies and others to unite and block any legislative attempt to pass a law that would force any technology company to create a security gap. Moreover, the resistance movement will also need to fight against any attempt to weaken or make illegal any type of encryption.

Currently, the relationship that exists between the insurance and technology sectors is that of provider and client, but that relationship must now evolve into a partnership. The technology sector cannot afford to go without cyber liability and technology E&O insurance because almost every company needs to offset technological risk now that we are in a globally connected and highly litigious age. Insurers also need to continue offering cyber liability and technology E&O policies because they have the clout and financial strength to help protect companies — especially small- and medium-sized ones — from an ever-changing technological landscape. Then, too, whichever insurer develops a realistic understanding of the intersection of risk and technology will be in a position to enrich itself. The path forward, then, is to create a coalition whose first goal would be to stay on top of both pending and current judicial cases and bills being drafted or voted on in any legislature worldwide that would degrade the security strength of any member’s product. The U.S. government has recently tried to force Apple to create a master key to one of its product lines, and there is no reason to believe that it will not force other companies (like cloud providers) to build similar backdoors into their products. To work against such actions, the coalition might be composed of two representatives from each sector’s main representative organization. For instance, for the professional insurance sector that would be PLUS, and for technology companies that would be IEEE. 
Furthermore, the coalition might also be composed of members from automotive manufacturers, educators and telecommunication firms. The coalition’s protective approach, then, would be to identify cases or bills and then attempt to bring all resources forward to eliminate or mitigate the offending threat. A recent example on the judicial side of a case that would have been a threat to the putative coalition was Apple vs. the U.S. government in the Central District of California, Eastern Division. A current example of a legislative threat to the coalition is the Burr-Feinstein Anti-Encryption draft that seeks to allow courts to order a company to decrypt information it has encoded, like the way the iPhone protects a user’s data. In a judicial case, the main measure could be filing amicus curiae briefs on the part of the aggrieved organization, but another measure might be ensuring the defendant is crafting the most reasonably persuasive anti-governmental interference arguments and appealing unfavorable rulings. On the legislative front, measures might include lobbyists but, more importantly, ought to involve the unity achieved by the existence of the coalition, working with an organization like the EFF and even creating public relation campaigns to appeal to the support of the world populace. In the rare instances when a government attempts to work with the private sector to understand the concerns that it has — for instance, as the U.S. government is trying to do with the proposed “Digital Security Commission” — then the coalition would need to support such efforts as much as possible. It is true that the coalition’s efforts in countries like China and Russia might be limited, and they will also be limited when a country feels that a criminal act, like terrorism, is better dealt with by eroding encryption and cybersecurity measures. 
In an instance concerning China, insurers could consider increasing the amount of re-insurance that they purchase on their cyber liability and technology E&O portfolios to offset the damage from increased claims. Insurers will also need to be extremely cautious when providing cyber liability and technology E&O coverage to organizations that have close relationships with non-democratic governments (like the Chinese government) or ones that produce products that have a high likelihood of being the result of IP theft, such as any mid- to high-end binary processor. The pursuit of the best encryption and cybersecurity measures needs to be unencumbered by the efforts of any government, just as alarm systems have been free to evolve over the past two or three millennia. This can only be achieved, though, through the unified actions and vigilance of a coalition. Encryption and resilient cybersecurity frameworks are the essential and irreplaceable elements in a safely connected world. To limit, in any way, the efforts to perfect those elements or to purposefully reduce their effectiveness is irresponsible regardless of whether the reason is national security or the pursuit of breaking a criminal enterprise. Lloyds, and other organizations involved with cyber liability and technology E&O insurance, see a future where insurers are able to achieve healthy profits off those two products. However, if insurers do not responsibly oppose governmental attacks on encryption and cybersecurity, that profitable future will give way to a future of excessive claims, damaging losses and very little profit.

Jesse Lyon

Jesse Lyon works in financial fields that involve retail banking, residential property valuation and professional insurance. He is deeply interested in the fields of cyber liability and technology E&O, and his research has led to four published papers on those topics in the U.S. and the U.K.

Why Start-Ups Win on Small Business

But even the most innovative start-ups will need the help and support of traditional carriers and brokers.

As more companies invest in insurtech, we know that the small business insurance market is in the crosshairs of a number of start-ups, because small businesses are underserved and often underinsured. What many have failed to discuss is the impact that serving a small business has on carriers and brokers and how innovation could help these folks, as well. It is both challenging and costly to manage a small business book because serving these smaller, often first-time business owners comes with more questions, more time spent on renewal and more upkeep. Small businesses often do not have someone solely responsible for operations, and, thus, business owners are figuring out insurance on their own, with little time or patience to learn every intricacy of the insurance process.

However, the small business market makes up $100 billion of the $1 trillion insurance market. While not serving these businesses comes with a cost, serving these businesses poorly perhaps comes with a greater cost — not the least of which could be the loss of trust, if not the loss of a customer for life. Without the right systems in place, brokers and carriers will continue to feel the burden of serving small businesses, and small business owners will continue to feel confused about their insurance needs. So the truth that no one is talking about is: Innovation goes beyond helping small businesses; innovation helps everyone, carriers and brokers included. So, what is the solution? When many insurance veterans hear the words “start-up,” “innovation” or “change,” they roll their eyes, and they have the right to. After all, many of these folks have dedicated their lives to selling insurance and managing books worth hundreds of millions of dollars. Traditional carriers and brokers have built strong brands and have served billions of businesses, both large and small. 
At CoverWallet, we don’t take the expertise of those who have come before us lightly, but we know that finding a better way to acquire, retain and improve lifetime value of small business policies in a more cost-effective way is an essential path forward for traditional carriers and brokers. What’s important to understand is that many carriers and larger brokers aren’t well-positioned to take on completely innovating their tech stack, which is where start-ups can fill an unmet need. Start-ups can innovate and build faster and can focus on a single group, while traditional carriers and brokers have largely been forced to focus on many groups, businesses and sizes of business. Overall, start-ups are better poised to:
  • Acquire customers: Quotes and binds can take a long time, and carriers are more apt to focus on larger accounts. However, start-ups with an online application can serve businesses faster, moving from quote to bind in record time.
  • Service customers: Finding information about insurance online is tough, but with peer comparison tools, informative landing pages and support any way you want it (email, chat, phone) a customer can get questions answered in 1-2-3.
  • Retain customers: Retention of small businesses for traditional carriers and brokers gets tougher and tougher year-over-year as customer expectations grow. Many small business owners will at least shop around for a new quote when renewal time comes up, typically because they are disappointed with the level of customer service they have received. Start-ups focused on small businesses, providing a digital solution, built-in notifications and renewal reminders will likely make customers more comfortable with renewing — again and again.
This is not to say that introduction of start-ups into the insurance world means the end of traditional carriers and brokers. Quite the opposite. While start-ups are better-positioned in some ways, even the most innovative start-ups will need the help and support of traditional carriers and brokers.

Partnering with a start-up, especially one that focuses on making insurance a digital experience, from the bind to policy management, will no doubt prove valuable for today’s insurers. Doing so will allow carriers and brokers to focus on their largest binds and will reduce the cost of maintaining smaller businesses for the carrier. Having a strong digital presence and giving customers a way to buy online will be essential to the future of the industry. What is important for all players to understand, from start-ups to brokers to carriers, is that the most successful way forward is together.

Rashmi Melgiri

Rashmi Melgiri is CEO and founder of Functional Finance.

She was previously COO and co-founder of CoverWallet. She was also a strategy consultant at the largest North American TMT (technology, media and telecom) consulting group, Altman & Vilandrie.

Medical Liability Insurance (Video)

Society may debate whether "defensive medicine" exists -- but every doctor would tell you he practices it.

Healthcare Matters sits down with Dr. Richard Anderson, chairman and CEO of the Doctors Company. In part 7 of our State of Defensive Medicine series, we asked Dr. Anderson how the medical liability insurance landscape has changed over the last 15 years.  

Erik Leander

Erik Leander is the CIO and CTO at Cunningham Group, with nearly 10 years of experience in the medical liability insurance industry. Since joining Cunningham Group, he has spearheaded new marketing and branding initiatives and been responsible for large-scale projects that have improved customer service and facilitated company growth.


Richard Anderson

Richard E. Anderson is chairman and chief executive officer of The Doctors Company, the nation’s largest physician-owned medical malpractice insurer. Anderson was a clinical professor of medicine at the University of California, San Diego, and is past chairman of the Department of Medicine at Scripps Memorial Hospital, where he served as senior oncologist for 18 years.

5 Things to Know About 'Hacktivism'

The technology that’s available for hacktivism is easier and cheaper than ever, lowering the barrier of entry even for those with little experience.

In July 2015, a hacker who goes by the name Phineas Fisher breached an Italian technology company, Hacking Team, that, ironically, sells spying and hacking software tools. Fisher exfiltrated more than 400 gigabytes from the company and declared his motive was to stop its “abuses against human rights.” “That’s the beauty and asymmetry of hacking: With 100 hours of work, one person can undo years of work by a multimillion-dollar company,” Fisher wrote online. “Hacking gives the underdog a chance to fight and win.”

Hacktivism, or the act of hacking into others’ computer networks to promote one’s political or other agenda, has been around as long as the internet. But the technology that’s available is easier and cheaper than ever, lowering the barrier of entry even for those with little experience. “You don’t have to be an expert to have access and to cause damage to people and their websites,” says Rick Holland, vice president of strategy at Digital Shadows, which has tools to search the internet and the Dark Web to compile compromised information about their clients. Anonymous, perhaps the most notorious hacking group, largely markets itself as hacktivists. But with the emergence of social media as a loud megaphone that also enables anonymity, other lesser-known hacktivists have become increasingly emboldened in heralding their cause and calling for others to join.

Here are five things every company should grasp about hacktivism:
  • Hacktivists are true believers. They are individuals who often belong to a hacker network group online that shares their values and ideology. They can act alone or be prompted by a broader hacktivist campaign, such as OpIcarus or Ghost Squad Hackers. Hacktivists are motivated by branding their agenda — Operation X — and distinguish themselves from cyber criminals who merely pursue financial gains. But “there’s a lot of blurring of the lines between criminals, espionage actors and hacktivists,” Holland says. “It’s oftentimes difficult to tell who it is. You see some of the cybercriminal organizations that might moonlight take contracts.”
  • Controversy can make you a target. Controversial individuals, companies and governmental and nongovernmental organizations are often targets. The list of past victims includes autocratic governments, politicians, agrochemical manufacturers, oil companies, pharmaceutical companies, genetically modified food makers, religious groups, social media websites and others. They generally target large organizations. Small- to medium-size businesses typically are not on their radar unless they operate in controversial industries. A small supplier to GMO manufacturers, for example, could potentially be a target. “Hacktivists can come after you because of that relationship in the supply chain,” Holland says.
  • Attacks can be widespread. Data on the frequency of attacks are hard to come by. But one group, Ghost Squad Hackers, plans to target banks, and their activity offers a glimpse of how quickly plans can proliferate. “We’ve seen 70 different organizations that they’ve announced are going to be targets,” Holland says.
  • Attacks can take varied forms. Hackers can compromise the target’s computer systems in all the ways that are available to cyber criminals. They can set up a phishing domain that looks like the target’s domain to acquire sensitive information, such as passwords and company data. Using Twitter (or other social media channels), they may coordinate a distributed-denial-of-service attack on a web page to take it down. “We may find this out, and then we can tell the company, ‘Look we’re seeing a campaign against one of your executives,’” Holland says. “We give them an idea of a risk to their staff that they didn’t know about.”
  • The best defense: Use security best practices, keep a low profile. All the usual cybersecurity steps should be established, such as virtual private networks, multifactor authentication protocol, firewalls and tools to guard against DDoS attacks. Companies should undergo a “threat modeling exercise” to determine how they’d respond in the event of an attack, Holland says. Knowing who to call for help is important. Organizations that can afford cloud-based services should consider them, as a company can move its traffic up to the cloud if it's attacked. “If you’re a big bank, you can afford those kinds of services. But if you’re a smaller-tier company, (you should ask) ‘Do I need to spend that kind of money?’ That’s a difficult question,” Holland says. According to Holland, executives should be trained by the PR staff or consultants to be more careful when speaking publicly and not say things that could incite hacktivists. Suppliers also should be alerted about the possible dangers.

“A lot of hacktivists are typically younger, idealistic people who are getting attached to these causes. So there’s no shortage of that,” he says. “This will never end.”

This post first appeared on ThirdCertainty. It was written by Roger Yu.

Byron Acohido

Byron Acohido is a business journalist who has been writing about cybersecurity and privacy since 2004, and currently blogs at LastWatchdog.com.

Get Used to It: We're Not One World!

Don’t expect the marketplace to adapt to your style and values and needs — you must meet theirs.

Paul Harvey used to say, “We’re not one world.” He was right. When I started in the business, it wasn’t one world. But that didn’t matter to the old guy who owned the place. The only opinion that mattered was that of the owner, and, if you didn’t like it, you could leave. That’s the way it was. Today we’re a more diverse world. Mark, a friend of mine and the leader of a very successful organization, reinforced that message. He’s wise beyond his years. He’s not young enough to be my son, but I’d be proud to have him as a younger brother. At a planning session, some of his senior employees went on a rampage about what was wrong with the Gen Xers and the millennials in his organization and in other companies. When asked his opinion, Mark said, “I think they’re bright, creative and very much the future. I think the rest of us are stuck in a rut and only want to criticize the new — we’re the past.” Did I say Mark was wise?

Then, the other day, I saw an impeccably dressed white-haired gentleman heading into his boutique for another day of selling designer clothes to his upscale clientele. He wore a seersucker suit, white shirt and a colorful tie. He was dapper, or, as they said in the good old days, “dressed to the nines.” Not two blocks down the street I saw a young man in full urban wear. His pants were hanging to his shoes. He wore a baseball hat that was crooked on his head (either that or his head was off-center for his body). Around his neck hung more gold than my momma, wife and mother-in-law own collectively. He wore shoes that included more colors and probably cost more than all of the shirts in my closet. His look was capped off by a smile and a full “grill.” He was “dressed to it.” My first reaction was to shake my head, but the wisdom of Mark and Paul surfaced in my psyche. I realized that both the young man and the old must have had some success and some sense of style to dress as they were. 
Both had dressed perfectly for their audience. Yesterday, I finally saw “Bourne Ultimatum.” I anticipated a modern-day James Bond, but I saw more action in five minutes than in all the James Bond movies ever filmed. Bourne moved too fast for me, but I realized how bored most of this audience would be with Bond, James Bond. Much of today's audience is wired by seven hours of video games and three cans of Red Bull. I watched after taking a short nap to make sure I’d stay awake. We’re not one world. Success depends on meeting the needs of the niche you’re in. Don’t expect the marketplace to adapt to your style and values and needs — you must meet theirs.

Mike Manes

Mike Manes was branded by Jack Burke as a “Cajun Philosopher.” He self-defines as a storyteller – “a guy with some brain tissue and much more scar tissue.” His organizational and life mantra is Carpe Mañana.

Risk Management: Off the Rails?

Risk management began as science, became an art and is now a mess, the author argues.

First, there was science...

Some sources suggest probability theory started in gambling and maritime insurance. In both cases, the science was primarily used to help people and companies make better decisions and, hence, make money. Risk management used the mathematical tools available at the time to quantify risk, and their application was quite pragmatic. Banks and investment funds started applying risk management, and they, too, were using it to make better pricing and investment decisions and to make money.

Risk management at the time was quite scientific. In 1990, Harry M. Markowitz, Merton H. Miller and William F. Sharpe won a Nobel Prize for the capital asset pricing model (CAPM), a tool also used for risk management. This doesn't mean risk management was always accurate — just see the case of LTCM — but managers did apply the latest in probability theory and used quite sophisticated tools to help businesses make money (either by generating new cash flows or protecting existing ones).

Then, risk management became an art...

Next came the turn of non-financial companies and government entities. And that's when risk management started becoming more of an art than a science. Some of the reasons behind the shift were, arguably:
  • Lack of reliable data to quantify risks — Today, certainly, there is no excuse for not quantifying risks in any type of an organization.
  • Lack of demand from the business — Many non-financial organizations of the time were less sophisticated in terms of planning, budgeting and decision making. So, many executives didn't even ask risk managers to provide quantifiable risk analysis.
  • Lack of qualified risk managers — As a result, many risk managers became “soft” and “cuddly,” not having the skills or background required to quantify risks and measure their impact on business objectives and decisions.
Many non-financial companies quickly learned which risks to quantify and how. Other companies lost interest in risk management or, should I say, never saw the real value.

Today, it's just a mess...

What I am seeing today, however, is nothing short of remarkable. Instead of being pragmatic, simple and focused on making money, risk management has moved into the “land of buzz words.” If you are reading this and thinking, “Hold on, Alex. Risk velocity is important; organizations should be risk resilient; risk management is about both opportunities and risks; risk appetite, capacity and tolerances should be quantified and discussed at the board level; and inherent risk is useful,” then, congratulations! You may have lost touch with business reality and could be contributing to the problem.

See also: Risk Management, in Plain English

I have grouped my thinking into four problem areas:

1. Risk management has lost touch with the modern science.

These days, even the most advanced non-financial organizations use the same risk management tools (decision trees, Monte Carlo, VaR, stress testing, scenario analysis, etc.) created in the '40s and the '60s. The latest research in forecasting, modeling uncertainty, risk quantification and neural networks is mainly ignored by the majority of risk managers in the non-financial sector. Ironically, many organizations do use tools such as Monte Carlo simulations (developed in 1946, by the way) for forecasting and research, but it's not the risk manager who does that.

The same can be said about the latest development in blockchain technology, arguably the best tool for transparent and accurate counterparty risk management. Yet blockchain is pretty much ignored by risk managers. It has been years since I saw a scientist present at any risk management event, sharing new ways or tools to quantify risks associated with business objectives. That can also be said about the overall poor quality of postgraduate research published in the field of risk management.

2. Modern risk management is detached from day-to-day business operations and decision making.

Unless we are talking about a not-for-profit or government entity, the objective is simple: Make money. While making money, every organization is faced with a lot of uncertainty. Luckily, business has a range of tools to help deal with uncertainty, tools like business planning, sales forecasting, budgeting, investment analysis, performance management and so on. Yet, instead of integrating all the tools, risk managers often choose to go their separate ways, creating a parallel universe that is specifically dedicated to risks (which is very naive, I think). Examples include:
  • Creating a risk management framework document instead of updating existing policies and procedures to be aligned with the overall principles of risk management in ISO31000:2009;
  • Conducting risk workshops instead of discussing risks during strategy setting or business planning meetings;
  • Performing separate risk assessments instead of calculating risks within the existing budget or financial or project models;
  • Creating risk mitigation plans instead of integrating risk mitigation into existing business plans and KPIs;
  • Reporting risk levels instead of reporting KPI@Risk, CF@Risk, Budget@Risk, Schedule@Risk; and
  • Creating separate risk reports instead of integrating risk information into normal management reporting.
Risk management has become an objective in itself. Executives in the non-financial sector stopped viewing risk management as a tool to make money. Risk managers don't talk, many don't even understand business language or how decisions are being made in the organization. Risk analysis is often outdated, and by the time risk managers capture it, important business decisions are long done.

3. Risk managers continue to ignore human nature.

Despite the extensive research conducted by Nobel Prize winners Daniel Kahneman and Amos Tversky (psychologists who established a cognitive basis for human errors that are the result of biases) and others, risk managers continue to use expert judgment, risk maps/matrices, probability x impact scales, surveys and workshops to capture and assess risks. These tools do not provide accurate results (to put it mildly). They never have, and they never will. Just stop using them. There are better tools for integrating risk analysis into decision making.

Building a culture of risk awareness is critical to any organization's success, yet so few modern risk managers invest in it. Instead of doing risk workshops, risk managers should teach employees about risk perception, cognitive biases, fundamentals of ISO31000:2009 and how to integrate risk analysis into day-to-day activities and decision making.

4. Risk managers are too busy chasing the unicorn.

Instead of sticking to the basics and getting them to work, many are busy chasing the latest buzzwords and innovations. Remember how “resilience” was a big thing a few years ago? Before that, there was “emerging risks,” “risk intelligence,” “agility,” “cyber risk” — the list goes on and on. It seems we are so busy finding a new enemy every year that we forget to get the basics right.

See also: Key Misunderstanding on Risk Management

Lately, consultants seem to have too much say in how modern risk management evolves. The latest installment was the new COSO:ERM draft, created by PwC and published by COSO this June. The authors sure did “innovate” — among other “useful ideas,” they came up with a new way to capture risk profiles. That is nice, if risk profiling was the objective of risk management. Sadly, it is not. Risk profiling in any form does little to help executives and managers make risky decisions every day.

To be completely fair, the global team currently working on the update for the ISO31000:2009 also has a few consultants who have a very limited understanding about risk management application in day-to-day decisions and in helping organizations make money.

I think it's time to get back to basics and turn risk management back into the tool to help make decisions and make money. I am interested to hear your thoughts.

Alexei Sidorenko

Alex Sidorenko has more than 13 years of strategic, innovation, risk and performance management experience across Australia, Russia, Poland and Kazakhstan. In 2014, he was named the risk manager of the year by the Russian Risk Management Association.

Hey, Pharma! It's Time for a Change

Only half of pharmaceutical companies see consumerism as an opportunity. But that's EXACTLY where the growth lies.

As Bruce Buffer, voice of the UFC, would say, "IIIIIIIIIIIIIIIIIIIIIIIT'S TIME!" In this case, it's time for big pharma to stop just defending its prices and to start to tap into the consumerism that is transforming healthcare. Check out these stats (mostly from Google and Decision Resources Group):
  • One in 20 online searches is for health-related questions.
  • According to comScore, health topics are the No. 1 search category on mobile.
  • 72% of people with pre-existing conditions searched for medical info online.
  • Half of all patients and caregivers already turn to digital channels to look up formulary or dosing information.
  • After a diagnosis, 84% of patients searched for options.
  • In a report by Decision Resources Group of 1,000 physicians, more than 50% reported their patients are more actively involved in treatment decisions — and these doctors called on pharma to support affordable options, provide relevant information and make online information more understandable.
The latest survey from Medical, Marketing & Media (MMM) shows 76% of pharma respondents use digital marketing, but the channel segregation below shows respondents devoted the greatest percentage of their marketing budgets to professional meetings/conferences and sales reps/materials. Digital channels — including websites, digital advertising and social media — lagged behind.

More surprising is that only half of both large and small pharmaceutical companies see the growth of consumerism in healthcare as an opportunity. But that's EXACTLY where the opportunity for growth lies. To thrive in the new era of value-based care, pharma companies will need to change their marketing strategy toward partnering and will certainly need to focus far more on the individual consumer.

See also: Checklist for Improving Consumer Experience

Trying to scare politicians away from lower-price reforms with the “It will kill our R&D” excuse is becoming the “BOO!” that no longer scares the grown-ups. Both 2016 presidential candidates, Hillary Clinton and Donald Trump, plan to stimulate price competition through imports — and there is bipartisan pressure to lift the ban on Medicare's negotiating drug prices. Apart from trade groups and shareholders, high-priced pharma doesn't have many friends. Payer pressure is bad enough, but if you don't get into the value-based care game, you are going to be on the wrong side of a very emotional equation.

Patients have greater financial burdens because of higher deductibles and greater cost-sharing requirements, with varying medication tiers. Providers are ever-burdened with less time, and, now, a greater level of risk is being put on them to deliver higher-quality care, better outcomes and greater patient satisfaction — all at a lower price.

Patients are not just seeking advice from providers. They are increasingly online, and at all hours. Plus, we're going to start to see greater levels of patient-generated healthcare data with wearables and digital technology. And, as we have seen, half of consumers spend their online time on social media. (HINT: Tap into consumers' behaviors and beliefs, show that you genuinely care and engage them in ways that let them feel as though you are part of their health team.)

The writing is on the wall. Consumers are practically screaming out what they want and need from you. Partner with wearable and EHR companies. Start developing ways to capture and interact with your customers — specific to individuals, at the best times to engage. Find ways you can partner with hospitals, physicians and affordable care organizations (ACOs) to get into their care pathway in ways that help them lower costs to patients and payers.

See also: Stop Overpaying for Pharmaceuticals

Say “yes” to predictive modeling, big data, analytics, lots of testing and customer segmentation. “Yes” to retaining some of the traditional marketing. Most of all, become human in your approach. Put yourself out there and let people know that you are no longer on an island, separate from everyone else. Let them know your port and beaches are open to more boats and more people than ever before.

Stephen Ambrose

Steve Ambrose is a strategy and business development maverick, with a 20-plus-year career across several healthcare and technology industries. A well-connected team leader and polymath, his interests are in healthcare IT, population health, patient engagement, artificial intelligence, predictive analytics, claims and chronic disease.

As IoT Expands, Risks Grow Even Faster

"When cool technology emerges, adoption tends to be a lot faster than the arrival of the technology to secure it."

Get used to it. The Internet of Things is here to stay. In fact, IoT is on a fast track to make all manner of clever conveniences part of everyday commerce and culture by the close of this decade. Tech research firm Gartner estimates IoT endpoints will grow at a breakneck 32% compounded annual growth rate over the next few years, reaching an installed base of 20.8 billion IoT units by 2020.

See also: Insurance and the Internet of Things

Tiny, single-purpose sensors designed to collect rich profile data on individual behaviors — as well as on company systems — can already be found in all manner of medical devices, automobiles, TVs, gaming consoles, webcams, thermostats, utility meters, household appliances, manufacturing settings and wearable tech. Much more is coming.

It is incumbent upon the businesses that deliver both the IoT devices — and the new internet-connected services that IoT sensors make possible — to address the security exposures that are part and parcel of this rapid scale-up. Fortunately, cybersecurity vendors are stepping up innovation to do just that. Gartner projects that worldwide spending on IoT security will reach $348 million in 2016 — up 24% from 2015 spending — and will climb steadily to $840 million by 2020.

I recently sat down with Johnnie Konstantas, director of security solutions at Gigamon, a supplier of network visibility technology, to discuss what’s on the horizon. The following text has been edited for clarity and length.

3C: What is the core security challenge accompanying our rapid deployment of billions of IoT sensors?

Konstantas: IoT sensors are quite small and pretty cheap, too, and they don’t have a lot of memory on them. Their whole point is to store a little bit of information and then just forward it on to the cloud. If you think about how we traditionally use things like encryption and a firewall to secure a mobile phone or laptop, that’s very hard to do on a small IoT sensor. So what you have is a conduit into the corporate network deployed for the purpose of receiving intelligence, and you can’t really push perimeter protection out to these IoT devices. There’s no question IoT sensors can potentially be a way in. The IoT endpoint could get infected with malware, or it could be used as a lily pad to jump in deeper.

3C: What defensive approaches look promising?

Konstantas: A lot of it comes down to continuous monitoring. These devices are going to always be on, transmitting intelligence. The idea is to continuously understand what the IoT device is forwarding or receiving 24/7. Sounds like a tall order, but doing that allows you to essentially perform analytics on IoT-generated traffic. And with the proper kinds of security analytics in place, you will be able to surface anomalies.

See also: How the ‘Internet of Things’ Affects Strategic Planning

3C: Sounds like big data analytics with an IoT twist.

Konstantas: Yeah, exactly. Big data analytics is nothing new. Security analytics is nothing new. But both are actually seeing a resurgence. Call it SIEM (security and information event management) 2.0 for lack of a better word. This time, SIEM is not so much about collecting large volumes of data; it’s more about getting the right kinds of data. It’s about pruning my data feeds to figure out whether I have any risks associated with my IoT deployments.

3C: What key developments are on the horizon?

Konstantas: I’ve been in security since ’98, so I’ve seen a few patterns play out. The one constant has been that when cool technology emerges — like our ability to do commerce on the web or virtualized storage and computing — adoption tends to be a lot faster than the arrival of the technology to secure it. So it’s fair to say that our desire to take advantage of sensor networks and IoT is going to outpace our ability to roll out security infrastructure to secure them as well.
This post originally appeared on ThirdCertainty.

Byron Acohido

Byron Acohido is a business journalist who has been writing about cybersecurity and privacy since 2004, and currently blogs at LastWatchdog.com.

How to Unlock Group Insurance Market

Group insurers still aren't scratching the surface of the market, but are some just one or two details away from unlocking it?

A combination lock relies upon multiple numbers to match in order to release the catch. You can have three of the four numbers correct, and the lock will remain closed. Is this what is happening to the promise of group insurance sales? Are some insurers just one or two details away from unlocking the market?

Many organizations would claim to have tried it all. Some have added auto enrollment capabilities, which did help. Some have improved service portals. Many have products and packages that likely meet the needs of today’s employers and their employees. Sales are happening, but if the research surveys are right, group insurers still aren’t scratching the surface of the market, particularly a fast-growing new segment seeking something new.

Employees still have every reason to want to purchase additional protection products through their employers (e.g. ease, security, underwriting, price). Employers still have every reason to want to carry the best selection of protection and wellness products administered on an easy-to-use platform. Providers, then, need to create and promote an ecosystem that sells itself to employers by selling through to employees.

See also: Group Insurance: On the Path to Maturity

Fortunately, the market has plenty of opportunity. We are seeing healthy, steady growth, especially within the new health and wellbeing products offered as flex benefits. Insurers that hit on the right combination of product selection, digital readiness and market relevance are going to find themselves tapped into a free-flowing market. How do providers create this win-win-win?

Add health and wellbeing products

One of the innovative ideas considered by a number of providers is focused on the health and wellbeing of employees. New health and wellbeing products are being developed and offered in different insurance segments. The first ones to enter the market were in South Africa with Discovery’s Vitality program and last year in the US when John Hancock teamed up with Vitality. This trend is now emerging in the UK, being replicated by the Private Medical Insurance (PMI) and group protection provider segments.

A number of employers are offering a monthly benefit amount, which employees can use to select different products (a smorgasbord or flex approach) based on their unique needs and life-stage. Health and wellbeing products are part of the offerings in conjunction with traditional group protection plans. These health and wellbeing products provide standard PMI coverage to employees as well as significant auxiliary benefits and incentives. These include discounted gym memberships, reduced Eurostar fares, food discounts and more. To effectively provide these benefits, the insurer must build an ecosystem of partners who provide these benefits and services as a core part of the group protection product.

Introduce education and gamification tools

Benefits, no matter what kind, can be confusing. If the coverage is unclear, the product is unlikely to sell. When it comes to health and wellbeing offerings, gamification can proactively engage employees in selecting and using the right benefits, helping them achieve their well-being goals. An alternative approach for some group protection providers is to partner with health and wellbeing product providers (many of whom already have these educational tools in use) to market and offer a joint product to the employees. Regardless of approach, it is important to make these products easy for employers and employees to understand, select and use.

Add and promote self-service functionality

A digital portal to enrol, service and engage employees on a regular basis is a must. The ability to quote and bind online as well as provide online service is of paramount importance to capture the small and medium enterprise market. Extending these capabilities to brokers and employers will not only improve the experience significantly, but also ensure that such books are profitable for the insurance company.

Improve system robustness, speed and flexibility

A number of companies are struggling with their IT applications, to support the level of flexibility required by the complex flex and voluntary business. A robust, configurable policy system can streamline the design and launch of these risk products and services rapidly into the market. Competitiveness starts with the agility provided by this foundation.

Prepare relevant package types

Insurers are reactionary by nature. When it comes to consumer and employer demand, product development and coverage packages should be timely and relevant. The insurer who is closely watching benefits trends and anticipating new offerings will be in a prime position to proactively capture more of the market. Smart insurers will also pay close attention to common differences between SME needs and large enterprise concerns when developing packages that fit.

See also: How to Set Benefits in Different Nations

PROMOTE, PROMOTE, PROMOTE

From marketing to sales to channel development, group risk insurers need to ramp up distribution efforts across the board. During this season of opportunity, it would be a crime to be prepared, yet not aggressive enough in pursuit of the many companies who still desperately need a group risk partner.

Gather relevant data. Use it in yearly promotion.

Once you are covering a particular group, the job is only half done. Use data gathering to know your clients and understand their employees. The details on how coverage improves within a client company will come in handy during contract negotiations and review the following year. In addition, many of the fine details will help your teams to improve take-up rates with certain products and improve products that may need changes to improve utilization.
This article was written by Vinay Nagwekar.

Denise Garth

Denise Garth is senior vice president, strategic marketing, responsible for leading marketing, industry relations and innovation in support of Majesco's client-centric strategy.