From the You Can’t Make This Stuff Up Department: Steve Legg took an important step on his path to becoming the director of risk management of Starbucks to avoid having what looked like a bad pun on his business card. He had earned his Associate in Risk Management designation, but that meant his name appeared as Legg-ARM. So, he says, he went on to earn his Chartered Property & Casualty Underwriter (CPCU) designation, because it is listed before ARM. His card now (safely) reads “Steve Legg, CPCU, ARM.” But I’m jumping into the middle of the story, in this second in our series of Thought Leaders in Action. (The first, with Loren Nickel, director of risk management at Google, is here.) To begin at the beginning, I’ll provide a summary of Legg’s background, then follow with the story of how he earned his prestigious position, some detail on Starbucks and how it manages risk and some insights from Legg for other risk managers. Steve Legg His bio Legg, who is 46 years old, has been at the Starbucks headquarters in Seattle since June 1997. His responsibilities include global corporate property and casualty insurance and risk financing for the company. Legg reports to the treasurer of Starbucks and heads a risk management team of 13 professionals, with two-thirds involved in claims management and the balance working in risk financing and risk transfer, its risk management information system (RMIS) , internal reporting and captive management. Starbucks has 22,519 stores in 66 countries, with a targeted growth rate of 1,650 net new stores during this fiscal year. Starbucks, the name inspired by Herman Melville’s novel Moby Dick, has one of the most recognized logos in the world. Its mission statement, developed by its founder Howard Schultz, is “to inspire and nurture the human spirit one person, one cup and one neighborhood at a time.” Before joining Starbucks, Legg worked as an independent insurance broker, as well as in a claims capacity for Crawford & Co. Legg served on the board of the Washington state chapter of the Risk & Insurance Management Society (RIMS) for seven years, serving as president of the chapter during the 2005-2006 year. He has been an active participant within National RIMS and has served as a speaker to other insurance industry groups, such as the CPCU Society, the Professional Liability Underwriting Society (PLUS) and the Marine Insurance Association of Seattle. He has a degree in political economy of industrial societies from the University of California at Berkeley. His story Legg grew up in Kirkland, WA, on the east side of Lake Washington. Nicknamed “the little city that could,” Kirkland is the former headquarters for the Seattle Seahawks and Costco. Kirkland Signature is still Costco’s store brand. “I grew up interested in a lot of different things, but I wouldn’t say with any degree of certainty that I knew what I wanted to do for a living,” Legg said. “I was intrigued with going somewhere else to study, so I attended UC Berkeley. I was interested in crisis management, and I just happened to be at Cal when the 6.9 Loma Prieta earthquake [1989] and devastating Oakland Hills firestorm [1991] hit. From those experiences, I thought I might pursue law school. “As things turned out, my first job was back in Washington state working as a claims adjuster for the branch manager of Crawford & Co., hired by our mutual friend and industry colleague Katrina Zitnik, who was later director of workers’ comp for Costco, 2001-2013. We handled the huge Boeing workers’ comp self-insured account. There were around 100 employees in that office alone. My specialty was working with chemical-related claims, which was really fascinating, before I moved over to liability claims. By my second year there, I started to really understand what risk management was all about.” From that experience, Legg went on to achieve his ARM designation. “It may sound corny, but I didn’t like the way it looked on my business card as Legg-ARM, so I went on to pursue my CPCU,” Legg said. “With that formal insurance education, I went to work for a regional insurance brokerage in Kirkland where I learned a lot about insurance and other facets of risk management.” Legg said: “I came to this realization that I didn’t want to handle claims or broker insurance. I wanted to be on the buyer’s side of all this – tending to insurance and a whole lot of other things.” In 1997, Legg was hired by his predecessor at Starbucks, which had gone public in 1992. At the time he joined Starbucks, the company had about 1,000 stores in the U.S. and Canada and just a few new locations in Japan. Legg describes his experience at that time in risk management as more of a buyer of insurance, but his job responsibilities quickly deepened and expanded with the global spread of Starbucks. He assumed the director of risk management position in 2006 when his boss and mentor retired and became active in the management of Starbucks’ Vermont captive. The evolving company Legg explained that the organizational structure is set up based on three key global regions: (1) the Americas; (2) EMEA, which is Europe, Middle East and Africa; and (3) CAP, which is China, Asia Pacific. “Our biggest push is in the CAP region, especially China, which presents a lot of opportunity,” he said. Although that region has a tea-drinking tradition, Legg pointed out that Starbucks owns the tea company Tazo and more recently bought Teavana and its 300-plus stores, providing a high-end, specialty tea product that has become popular at Starbucks locations. He said Starbucks’ specialty coffee and expresso beverages have also become very popular in tea-drinking cultures. Starbucks has also expanded its offerings in premium pastries (it bought La Boulange), food and merchandise offerings, and it recently began providing beer and wine in selected areas of the country. “Evenings at Starbucks had been under-utilized,” Legg said, “so with the rollout of beer and wine we’re able to serve additional patrons.” How Starbucks manages risk Serving 66 countries with various laws and customs, Starbucks has a global quality assurance organization work with business units that are immersed in foreign locations. “Risk management and legal principles are practiced with our people that understand and are sensitive to local government, culture, customs and laws,” Legg said. “Starbucks wants to provide appropriate food and beverages, and we have a global safety security organization, as well, that makes sure that we are tending to the different types of risks these different and diverse cultures hold. Safety and security are fundamental components in the initial and on-going training of our partners." When asked about the challenge of identifying, evaluating and treating risk in far-flung global operations, Legg noted that there is a common thread regardless of demographics that relates to keeping stores well-managed, clean, secure and hazard-free. He added that a global design team works with individual markets to address issues that mitigate any unusual risk factors, which could include something as simple as adjusting counter and stool height. Store components are designed to provide for each locale’s needs while Starbucks maintains the quality and consistency that its customers expect. As for dealing with its insurance and reinsurance markets, Legg noted that Starbucks collects a significant amount of data on all of its locations to enable its internal team and underwriters to have the geographic information they need for modeling. North American operations are mostly self-insured via large retentions and deductibles; Legg points out that first-dollar and low-deductible insurance policies are far more common, accessible and prevalent in other parts of the world. Compulsory insurance requirements differ across jurisdictions -- in many parts of the world, for instance, workers’ compensation as we know it is not available, and injuries or illnesses among employees (which Starbucks calls "partners") are addressed in different ways. “Regardless of the transfer or retention of risk, Starbucks feels that no one could ever care as much about our partners and our brand as we do,” Legg said. He added, “We inspire and nurture our partners and customers… through providing good products, friendly service and by contributing to our communities. It’s an important part of our culture and what makes this brand so strong.” All eligible full- and part-time Starbucks employees receive comprehensive health coverage and equity in their company, referred to as “bean stock.” In turn, employees typically volunteer more than one million hours each year in helping their local communities. Starbucks has also set up agronomy offices in different countries around the world to help origin farmers to better manage their crops and businesses. “It’s really important all up and down the chain from the front-line stores to the source of the company’s most precious commodity to have a seamless connection,” Legg said. His suggestions I asked Legg what coaching suggestions he has for people entering the field of risk management. He said, “I think to be successful in risk management that it helps to have a good understanding of a number of different disciplines like accounting, finance, law, etc. Most importantly, you need to have the ability to think critically through things to make good decisions and to then have the ability to communicate well and to influence others. Knowledge without good communication skills won’t equip you for this career. “I find myself guiding and teaching other people in the organization every day, helping them develop their own risk assessment philosophy in what they do day in and day out. We in risk management can’t be there all the time, so our job is to train others throughout the organization to make good, sound risk management decisions. “Be open-minded and flexible. Risk management staff needs to identify and admit their mistakes, correct things and be able to change course as needed.” Legg added with a laugh, “You think you know in detail how things are, then you find out you really don’t know how things are.”

A smoke alarm isn't the only kind of protection on sale at your local superstore these days. Need some life or health insurance with those printer cartridges? You’re in luck. Insurers like Metlife and Aetna now sell insurance policies through superstores. Walmart launched a pilot program with Metlife to sell life insurance policies at 200 Walmart stores, and Costco members can select Aetna health plans offered through Costco’s Personal Health Insurance program -- Costco has offered its members discounts on auto, homeowner, renters, umbrella and specialty insurance through Ameriprise Insurance for several years. Although not every effort has gotten off to a flying start, these are good examples of insurers experimenting with approaches to tap into large, underserved markets and new sales channels and to create brand awareness in a shopping environment where there’s a natural connection with the products they sell. What I’m most curious about is the impact the superstore channel will have on how these insurers sell. What can insurers learn from two of the world’s most valuable retail brands about creating the kind of convenient, affordable one-stop-shopping experiences that Walmart and Costco offer and consumers so desperately want? Plenty of things. Here are four: 1) FOCUS ON SELLING YOUR BRAND RATHER THAN YOUR PRODUCT Walmart and Costco both offer lower-priced house brand products, but neither focuses its attention on selling its own product even though that would obviously benefit the bottom-line. The goal is to own the customer by meeting the brand promise of offering low prices and good value on any and all products that a customer wants to buy. Walmart doesn’t worry about selling a competitor’s product – even with a small profit margin, Walmart still generates revenue and profit, through multiple product sales, and keeps the customer coming back rather than sending him to shop with the competition. It’s good business sense to focus on what the customer wants to buy rather than what a retailer wants to sell. Similarly, it’s good business sense for an insurer to consider selling products that are a good fit with the brand and that complement other product offerings – even if that means offering a competitor’s product. Selling a competitor’s products can help insurers facilitate that convenient, one-stop-shopping experience that consumers want. It allows the insurer to keep the customer relationship while generating revenue from underwriting the risk, or from brokerage fees. And in cases where an insurer doesn’t have the experience, appetite or capacity to underwrite the product, it’s better to make fee income than the underwriting income. An insurer’s No. 1 goal is to own the customer. The insurer that underwrites the product makes one sale; the insurer that owns the customer can sell to her for her entire lifetime. That can mean decades of selling renewals, cross-selling related products and generating referral business. 2) OFFER CUSTOMERS CHOICE Mac or PC? Chocolate or vanilla? We’re a culture of consumers who covet choice. Even a limited selection is enough to provide customers with this valuable component of the shopping experience. While Costco is cautious about the number of brands it offers (limiting the number of brands allows Costco to get the kind of volume discounts it needs to offer the lowest prices), like Walmart it offers at least two choices of brands for any given product. Providing a competitor’s products can help insurers, too. The objective is to give customers a selection ample enough that they can compare insurance products and choose the product that works best for them. As with Costco, this may mean offering the customer a choice between two brands that offer different price points and levels of coverage. 3) SELL CUSTOMERS EVERYTHING THEY WANT There’s nothing haphazard about the layout of a Walmart or Costco. Superstores invest a great deal of time and money walking the walk of their customers. They think through how customers search and shop for products and how those products should be grouped for optimal cross-selling opportunities. While insurers understand the profitable art of cross-selling, in theory, I’ve witnessed more than a few property and casualty insurers who’ve missed big opportunities to cross-sell products. What happens when that flower shop you just insured needs auto insurance on its three delivery vehicles and you don’t have it? If the insurer isn’t prepared to sell the customer what she wants, the customer will go to the competition to satisfy her multiple coverage requirements. 4) NEVER LET THE CUSTOMER LEAVE EMPTY-HANDED The path from creating awareness to having a customer walk through the door ready to purchase is long and expensive. A superstore does everything in its power to make sure you have no excuse to walk out the door without buying something. Factoring in advertising and promotional campaigns, the cost of bringing a paying customer through the door could be as high as $400 to $500 for some insurers. Every insurer’s goal should be to make effective use of a lead by finding some way to fulfill the customer’s product needs. I’ve only scratched the surface. Now it’s your turn: What superstore selling practices do you think insurers should consider to win market share?

• The founder and CEO of an early-stage company that has just closed a solid seed round tells me that what has benefited his business most in the past year, and allowed him to pivot toward a promising future, can be expressed in one word: focus.

• The CEO of a late-stage startup who spent more than 100 days closing a recent round with an important new investor tells me how he was thoroughly “beaten up” during due diligence because of what was perceived to be a lack of clarity in the company’s market positioning. This added weeks to the process, diverting resources away from sales and daily operations.

• The CEO of a B2B content start-up tells me that he and his team are doing too many things and essentially careening from one new idea to the next, acknowledges the need to prioritize but indicates he has to get through his short-term list first.

Each of these conversations is recent and real – they all occurred in the past two weeks. And while they happen to be about young, relatively small companies, each of these situations scales to big, mature companies, as well. If the issue isn't about closing a round of funding, it’s about getting funding in the annual budget. If it’s not about investor feedback, it’s about reacting to the latest round of input from the CFO or the board. And who among us hasn’t bemoaned the quarter-to-quarter focus of publicly held companies of every size and sector? Each of these stories points to the need every business has for strategy. And even if you think you don’t have one, or can coast along without one, guess again – you just have strategy by default. What is strategy? Better yet, what isn’t it? Strategy is NOT:

• The domain of high-priced (or any price) consultants who create fancy documents – although some outside perspective or facilitation can be a big help

• The catch-all for anything your team comes up with that survives the budget review process even though it cannot be precisely quantified (I have witnessed respected members of the finance function inside a Fortune 100 company be fully comfortable with this characterization)

• The department in which geeky, analytic introverts perceived as unable to execute (hence they create more of those strategy documents) build their careers

• Optional, something to be dealt with later, maybe when you have more time (tell me when, honestly, that will be?)

• A list of strategic initiatives…or a set of PowerPoint slides full of cool visuals

So, then, what is strategy?

• Strategy, quite frankly, is what leaders do to identify and allocate resources to help them get their businesses where they want them to go.

• Strategy is mostly about execution.

• Strategy is less about what you must do, than what you should not be doing.

Or, my favorite definition:

• Strategy is about knowing (1) where are you? -- (2) where do you want to be? -- (3) how are you going to get there?

There are both direct and opportunity costs of deferring answers to these three questions, and ultimately taking the actions that ensure every employee and partner can buy into and play their roles in ways that reflect the answers. Where to start:

• Write down what you envision at your “point of arrival.” What is it going to look like and feel like? What will respected colleagues and members of the sector be saying about your company when you reach your destination? What will your products, customer or client experience and customer service be like? What will your brand represent?

• Then write the story of where you are today, answering these same sorts of questions in the present.

• Spend most of your effort breaking apart the answer to “how” into three to five headlines.

• Now here is the toughest part: The temptation will be to build laundry lists of activities under each headline, or even just rearrange (and add to!) what you are already doing today. The successful outcome of this thought process is to surface things you would like to do (including things that are already underway) that you have to admit play at best a limited role in getting you where you want to be. And to cross them off the list and actually stop doing them.

What I am suggesting is not a one-and-done exercise. It’s not a solo activity. And while it may begin at an offsite or work session, it’s not a meeting. This is a process to reflect in your daily leadership, management and the culture of your company. This is how strategy becomes meaningful to creating sustainable and persistent growth. This article also appears in Amy Radin’s column in Huffington Post and her LinkedIn blog.

Here we go again: Out of the blue, FIS agreed to acquire SunGard. The joining of two more global technology firms creates another giant in the financial services space. Why so many?

• Power of scale. Size allows companies to consolidate overhead, with the merger of people, processes, infrastructure and product offerings, allowing for profitable growth.
• Market dominance. Buying market share and client footprint across industries certainly is faster than organic growth, and it allows for performance balancing across industries as the market swings and shifts.
• Diversification of offerings and clients. The broadening of offerings, rather than deepening capabilities, allows for an expanded footprint in customers across many industries.

What does this mean to us in insurance?

• Fills the gap. Combining creates opportunities to bring together a suite of offerings that better align to the changing needs of insurers as they continue to transform and innovate toward becoming the Next-Gen insurer.
• Reflects financial strength. Many M&As reflect the health and wealth of the financial services industry, especially in insurance. Insurance is a top target industry for many solution providers because of growing technology investments, expanding needs and demand and solutions providing more offerings.
• Presents fewer options. As we see more solution providers consolidate, there are fewer company options. But on the flip side, the solution providers will bring together all these technologies and services.

So don’t blink, there will be more to come. We will see more consolidation – all with the goal to strengthen offerings, broaden footprints, position for growth and ultimately seize the pot of gold in insurance.

You would think a judge would know better. But then again, because he was also the local cemetery sexton, perhaps he was too busy to educate himself on the finer points of law regarding workers' compensation fraud. A former Seneca County village judge has been convicted of falsely claiming two men attacked him outside his courtroom two years ago. A jury found him guilty of insurance fraud, falsifying business records, defrauding the government and falsely reporting an incident. The weapon he claimed to have been assaulted with? That would be the ubiquitous and sorely-in-need-of-regulating toilet tank lid. Yes, in what was sure to whip up a frenzy with the anti-toilet crowd, another seemingly innocent victim had suffered needless injury. Personally, as a pro-toilet guy, I feel compelled to urge calm and remind everyone that toilet lids don't kill people; people kill people. While there is no specific constitutional amendment that protects the right to bear toilets, I can state unequivocally that they are essential for both number one and number two. I sense I have strayed from my initial point. The judge told police in August 2013 that he was attacked from behind while locking up the Waterloo Village Court. He claimed to have been choked with something and hit over the head with a heavy object. Village police, using what can only be described as excellent police investigative techniques, found the shattered lid of a toilet tank at the scene. Photo by Seneca County District Attorney's Office Ultimately, however, a story emerged that made it appear our jaded jurist made up the affair as part of a nefarious scheme to obtain prescription painkillers through a workers' compensation claim. The district attorney who prosecuted the case said, "The jury heard evidence that this was a way for him to get a lifetime supply of painkillers." Can't argue with him there. If you are looking for a way to get an endless supply of top-grade narcotics, then workers' comp is where you want to be. We give that crap away like candy at Halloween. Perhaps the fact that this guy spent nine days on a pain pump at a Rochester hospital, while doctors and nurses testified he did not sustain any injuries whatsoever from choking, a blow to the head or any kind of assault, should have been a clue. I find myself asking, then, why the pain pump? But then I remember, "Ah, yes, this was a workers' comp case." Authorities report that the judge's medical records showed, prior to the bogus assault, he'd been on prescription painkillers for lower-back pain and for gout throughout his body. He also had 20 to 30 previous insurance claims for alleged accidents. The judge, who is not a laywer, had no known employment other than the acting village judge position -- except, of course, for his position as cemetery sexton, where he is under indictment for allegedly stealing gasoline from the village. Perhaps he needed it to pick up all those prescriptions. Honestly, we have a guy here who most likely has an obvious addiction problem and needs help beyond the two to seven years in prison he is currently facing. My bigger concern is the Waterloo village board. Despite the police department's determination that the judge's assault claim was false, the board re-appointed him to another term as acting village judge. Why they would do that is beyond my limited comprehension. The lessons here are twofold. First, and most importantly, toilet lids are safe when used by responsible adults. We do not need a plethora of restrictions and regulations just because one person abused them. Second, this village judge and cemetery caretaker might be a criminal and addict, but that does not make him stupid. That designation, it would seem, is reserved for the village board, which clearly has its share of idiots.

Recognizing the need for better cybersecurity in the insurance sector, the National Association of Insurance Commissioners (NAIC) recently published “Principles for Effective Cybersecurity: Insurance Regulators Guidance.” High-profile data breaches at several health insurance providers exposed data on 90 million consumers, revealing the industry’s vulnerability. So the NAIC document provides best practices for insurance regulators and companies, focusing on the protection of the sector’s infrastructure and data from cyber-attacks. Thus far, U.S. banks and payment processors have led the way on cybersecurity, both because they have been frequent targets of cyber-attacks and because of strong regulatory enforcement (e.g., FFIEC, GLBA, and PCI DSS). It’s time for insurance companies to play catch-up, and the NAIC is spurring them on. As a result, we anticipate seven changes:

1. An increase in cybersecurity regulations;
2. A focus on consumer privacy;
3. An increase in cybersecurity spending;
4. The growing importance of cybersecurity information-sharing and analysis groups;
5. The board’s and management’s involvement in cybersecurity;
6. The increased need to manage third-party risks; and
7. The link between cybersecurity and risk management.

Background The NAIC is the standard-setting and regulatory-support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. But individual state and territorial regulators oversee the insurance companies’ practices within their jurisdictions. Only a few states (e.g., New York, California and Massachusetts) have actually enacted data protection laws that apply to the insurance sector. Thus, most individual regulators have been left to their own devices when it comes to cybersecurity practices, particularly given that there is no central regulator defining industry standards and no uniform set of requirements. Consequently, individual regulators on the whole have been using different standards when examining cybersecurity practices, with cybersecurity requirements varying state-to-state. The NAIC became involved to help both insurance regulators and companies. Specifically, it conducted a multi-state examination of a breached insurer’s cybersecurity practices and determined what actions the company could have taken to minimize its data loss. The NAIC then published two documents related to cybersecurity:

• "Principles of Cybersecurity" – Created by the NAIC’s cybersecurity task force (formed in November 2014), the document is intended to (a) help insurance regulators identify cybersecurity risks and communicate a uniform set of control requirements to their covered entities and (b) promote cooperation between regulators and the insurance industry in identifying and addressing cybersecurity risks. The document applies to state regulators and insurers, insurance producers and other regulated entities ("covered entities"); and
• "Annual Statement Supplement for Cybersecurity" – The NAIC’s property and casualty insurance committee created this document to establish requirements for insurers that provide cyber coverage. It requires insurers to report the range of limits offered on cyber insurance policies (both stand-alone and commercial, multi-peril packages), losses paid under each policy, earned premiums, whether policies are claims-made policies and whether tail coverage is offered.

Principles of Cybersecurity Insurance regulators:

• Should ensure that confidential and personally identifiable information (PII) that covered entities hold is protected from cybersecurity risks.
• Should mandate that insurance providers have systems in place to alert consumers in a timely manner of cybersecurity breaches. Insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.
• Should protect covered entities’ confidential information and PII that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. In the event of a breach, those affected should be alerted in a timely manner.
• Should deliver flexible, scalable and practical cybersecurity regulatory guidance for covered entities that is consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.
• Should make regulatory guidance risk-based and consider the resources of the covered entities, with the caveat that a minimum set of cybersecurity standards must be in place for all covered entities that are physically connected to the Internet, regardless of size and scope of operations.
• Should provide appropriate regulatory oversight, including conducting risk-based financial examinations or market conduct examinations regarding cybersecurity.

Covered entities:

• Should appropriately safeguard customer PII that is collected, stored and transferred inside or outside of a covered entity’s network.
• Should implement incident response planning activities as part of a cybersecurity program, including conducting cyber incident response tabletop exercises.
• Should take appropriate steps to ensure that third parties and service providers have controls in place to protect PII. This may include third-party assessments to understand service providers’ current controls environments.
• Should incorporate and address cybersecurity risks as part of the enterprise risk management process. Cybersecurity transcends the information technology department and must include all facets of an organization.
• Should have a board of directors or its appropriate committee review information technology audit findings that present a material risk to an organization.
• Should participate in an information-sharing and analysis group to share information and stay informed regarding emerging threats or vulnerabilities.
• Should consider periodic and timely training, paired with an assessment, to be an essential component of all cybersecurity programs.

What Should Insurance Companies Expect? Over the next few years, we anticipate many changes in the insurance sector related to cybersecurity, including:

1. Increase in Cybersecurity Regulations – According to PwC’s recently released "The Global State of Information Security Survey," cybersecurity regulation within the financial services industry is only expected to increase in 2015 and beyond. Based on the NAIC’s guidance, we expect the various U.S. states and their insurance regulators to pass cybersecurity regulations to ensure that covered entities have adequate controls in place to protect consumer PII. Covered entities will be required to demonstrate resilience to cyber-attacks, including malware attacks, insider threats, data corruption and destruction and denial of service attacks.
2. Focus on Consumer Privacy – In addition to cybersecurity regulations, covered entities will be expected to comply with privacy regulations. The Consumer Privacy Bill of Rights, which the Obama administration proposed, includes provisions mandating transparency, individual control, respect for context, focused collection and responsible use, security, access and accuracy and accountability. If passed into law, the Consumer Privacy Bill of Rights would require covered entities to provide transparent descriptions of their data collection practices, and to limit how and what data they collect. Additionally, global data privacy laws, such as the European Union’s General Data Protection Regulation, increase compliance obligations of U.S. insurance companies doing business globally.
3. Increase in Security Spending – To implement adequate controls and comply with the regulatory requirements, covered entities will increase their cybersecurity spending. According to the New York State Department of Financial Services (NYDFS) study, “Report on Cyber Security in the Insurance Sector,” released in February 2015, 86% of insurers expect their security budgets to increase in the next three years. The study noted that only 51% of insurers had budgeted for cybersecurity incidents.
4. Importance of Information Sharing Organizations – Information-sharing will be an essential part of insurance companies’ cybersecurity strategies. We expect to see more insurance companies join Information Security and Analysis Centers (ISAC), such as FS-ISAC, or the recentlyannounced insurance ISAO.
5. Board and Management Involvement – For organizations to better address cybersecurity threats and regulatory guidance, we anticipate a push to increase senior management and board involvement in cybersecurity issues and decision-making. According to the NYDFS study, only 30% of boards receive updates on cybersecurity issues on a quarterly basis.
6. Managing Third-Party Risks – Concerns will grow around third-party risks and potential cybersecurity threats that can arise when sharing networks with business partners. Covered entities will be expected to demonstrate adequate oversight of their service provider relationships.
7. Link Between Cybersecurity and Risk – As cybersecurity incidents continue to proliferate, organizations must reposition their security strategies to align closely with their broader risk-management activities.

Your employee was just injured at work. He is in pain, cannot perform regular job duties and is unsure how quickly he can return to work. His mortgage, medical care and kid’s tuition payments are due next month. It is a vulnerable time for him, with substantial uncertainty. When a football player goes down on the field and is carried off, the crowd applauds in support of the player, and the player often returns a smile. When a worker is injured on the job, what happens at the workplace before and after the injury can affect the costs incurred by the employer and the outcome achieved by the injured worker. Twelve new state studies from the Workers Compensation Research Institute (WCRI) aim to help CFOs and other stakeholders identify ways they can improve the treatment and communication an injured worker receives after an injury, leading to better outcomes at lower costs. The studies interviewed 4,800 injured workers from across 12 states who suffered a workplace injury in 2010 and 2011 and received workers’ compensation income benefits. The 12 states surveyed were Arkansas, Connecticut, Indiana, Iowa, Massachusetts, Michigan, Minnesota, North Carolina, Pennsylvania, Tennessee, Virginia and Wisconsin. The surveys were conducted during February through June in 2013 and 2014—on average, about three years after these workers sustained their injuries. The research found that a worker’s fear of being fired after an injury had a large and pervasive effect on costs and worker outcomes, like return to work. The fear of being fired may arise out of the relationship between the worker and the supervisor. If the relationship is low trust, the worker is more likely to fear firing when injured. To describe the level of trust or mistrust in the work relationship, workers were asked to agree with the statement, “I was concerned that I would be fired or laid off.” Workers were given four possible answers—strongly agree, somewhat agree, somewhat disagree and strongly disagree. Depending on the state, 18% to 33% of workers strongly agreed that they feared being fired when injured. Overall, workers who were strongly concerned about being fired after the injury experienced poorer return-to-work outcomes than workers without such concerns. Across all 12 states, 23% of those concerned about being fired reported that they were not working at the time of the interview—double the rate observed for workers without such concerns. The following are other findings from workers who were strongly concerned about being fired:

• Concerns about being fired were associated with a four-week increase in the average duration of disability.

• Workers who were strongly concerned about being fired had higher rates of dissatisfaction with care (21% were very dissatisfied with care) when compared with workers who were not concerned about being fired after the injury (9%).

• Workers who were concerned about being fired were much more likely to report problems with access to care. Among workers who were concerned about being fired, 23% reported big problems getting the services they or their provider wanted. The rate was double the 10% among workers who were not concerned about being fired.

• 16% of workers who were strongly concerned about being fired reported large earnings losses at the time of the interview predominantly because of injury, compared with 3% of workers who were not concerned about being fired.

What do these findings really signify? The following are some alternative possibilities:

• Workers reporting a strong fear of being fired might know they have a difficult relationship with their supervisor. That difficulty might translate into fewer opportunities to return to work, or more active management of the nature of medical care and the selection of medical care providers.
• The worker may be exaggerating the possibility of termination, being a pessimist by nature, and that tendency to overreact might characterize the workers’ general performance on the job—perhaps resulting in fewer return-to-work opportunities and more active management of the care by the payers.
• The worker may be more likely to retrospectively report a fear of being fired if the worker has had a poor outcome. Poor outcomes color the worker’s view of most events in the course of the claim. Conversely, workers who have experienced excellent outcomes tend to see events in the course of handling the claim in a much more positive fashion.

This is not the first time we looked at trust as it relates to workers’ compensation. A study we did several years ago on attorney involvement, which was covered by CFO magazine, looked at why injured workers hired attorneys. The character of the employment relationship, for example, was a factor for the 23% who strongly agreed that they hired attorneys because they feared being fired or laid off. 15% also strongly agreed that they needed attorneys because their employer could perceive their claims as illegitimate. Employers Can Make a Difference WCRI contacted Lisa Healy, who is a manager of claims at AGL Resources, a natural gas-only distribution company in the U.S. She told us that AGL has been very successful in managing and reducing its workers’ compensation costs. In part, she ties this success to practices where employees in the organization feel engaged and trust the company. The following are five things she told us the company is doing to facilitate trust:

1. Establishing a set of values and a code of conduct with the ability to report those who violate it without fear of retaliation. This gives an organization depth in terms of morals and standards, which appeal to workers of all ages.
2. Holding claim adjusters accountable for treating injured employees in an honest fashion with dignity and respect.
3. Encouraging employees to identify possible safety hazards as well as recommend opportunities to improve safety. When workers are encouraged to point out safety issues or offer suggestions on how to improve things and these comments are taken seriously and addressed, trust is formed.
4. Providing a 24/7 nurse triage program to speed treatment for injured employees so they get the care they need as soon as possible. The employee can contact the nurse triage line immediately after feeling a twinge of pain or sustaining an injury that doesn’t require emergency treatment. This service not only ensures the employee gets the right care immediately, it also cuts down on unnecessary visits to the physician when the employee can use self-care treatments such as ice, rest, elevation or an aspirin.
5. Promoting early return to work with transitional duty positions whenever possible. Research has shown that the longer a worker is out, the harder it is to for the worker to return―not to mention that the costs go up the longer that person is out, so getting him or her back quickly shows the worker you care and is good for the worker and the employer.

The WCRI research is an important first step in realizing how important trust is between employee and employer to ensuring good outcomes when the employee is injured on the job. Additional studies by WCRI and others will provide further information on which policymakers can base appropriate measures. But employers can act now, as AGL Resources has demonstrated, to improve trust while lowering their workers’ compensation costs -- through early intervention, putting safety first, effective return-to-work programs and access to medical care.

We all manage risks in our daily lives—we keep a spare tire in our car in case we get a flat, a little cash in our pocket in case we lose our wallet—but how do companies manage risks for hundreds of thousands of individuals? To manage risks holistically across all divisions of an organization, companies use enterprise risk management (ERM), a process that helps them get an integrated understanding of risks, manage their net exposure, create efficiencies and add value. The challenge is putting it into practice. My colleagues Martin F. Grace of Georgia State University, Richard D. Phillips of Georgia State University and Prakash Shimpi of Fraime LLC and I wanted to find out how the most successful companies do this to develop a set of best practices. We studied the results of a worldwide survey conducted by a risk management consulting firm that asked life and property and liability insurance companies about their risk management practices. These companies take on big risks and need cash reserves in case their liabilities are greater than expected. They often use formulas called economic capital models (ECM) to determine how much money they need on hand to cover these risks. ECMs can be simple or complex. We found that these formulas matter, but companies don’t get additional value from more advanced calculations. The simpler formulas are sufficient, primarily because the cost of implementing sophisticated models often offsets the value derived from using them. We also found that having a dedicated risk manager creates value. This person need not be a chief risk officer, but there should be someone or a cross-functional committee in charge of looking at risks throughout the enterprise. Whether it’s a single person or committee, the risk manager can reduce costs by avoiding risk management strategies that are unnecessary. For example, if two divisions within a company are exposed to risk from changes to the value of the U.S. dollar but in opposite directions, the risk manager will see this and realize these risks cancel each other out and do not warrant the purchase of costly risk management. Intuitively, it seems that having the chief risk manager report to the organization’s board improves risk management, but ours is the first study that proves that this reporting structure reduces costs and enhances revenues. This structure signals to everyone in the organization that leaders take risk management seriously. More siloed approaches to risk management—where each division establishes and implements its own risk management plans—are inefficient and can lead to managing opposing risks that, when viewed holistically, cancel each other out. Having dedicated risk managers can improve efficiency and create value, and this research provides some helpful guidelines in implementing such an approach.

Nancy Newbee is the newest trainee for LOCO (Large Old Company). She was hired because she is bright, articulate, well-educated and motivated. She is in her second week of training. Her orders include: “We’ll teach you all you need to know. Sammy Supervisor will monitor your every action and coordinate your training. Don’t take a step without his clearance. When he’s busy, just read through the procedures manual.” Nancy is already frustrated by this training process but is committed to following the rules. Upon arriving at work today, Nancy discovers the kitchen is on fire! As instructed, she rushes to Sammy Supervisor. Interrupting him, she says, “There’s a major problem!” Sammy is obviously disturbed by this interruption in his routine. “Nancy, my schedule will not allow me to work with you until this afternoon; go back to the conference room and continue studying the procedures.” “But, Mr. Supervisor, this is a major problem!” Nancy pleads. “But nothing! I’m busy. We’ll discuss it this afternoon. If it can’t wait, go see the department head,” Sam says. Nancy rushes to the office of Billy Big and shouts, “Mr. Big, we have a major problem, and Mr. Sam said to see you!” Mr. Big states politely, “I’m busy now …," all the while wondering why Sam hires these excitable airheads. “But, Mr. Big, the building…,” Nancy interrupts. “Nancy, see my secretary for an appointment or call maintenance if it’s a building problem,” Mr. Big says impatiently, thinking, “Where does Sam find these characters?” Near panic, Nancy calls maintenance. The line is busy. As a last resort, Nancy calls Ruth Radar, the senior secretary in the accounting department. Everyone has told her that Ruth really runs this place. She can get anything done. “Ruth Radar, may I help you?” is the response on the phone. “Miss Radar, this is Nancy, the new trainee. The building is on fire! What should I do?” Nancy shouts through her tears. “Nancy, call 911!” Ruth says calmly. Of course, this dysfunction is a ridiculous example. Or is it? Assuming you are the boss, try this eight-question test:

1. In your business, do you hire the best and brightest and then instruct them not to think, act or do anything during their training except as you tell them to do?
2. Do you promise training but substitute reading of procedure manuals?
3. Do you create barriers to communications, interaction and effectiveness by scheduling the new employee’s problems and inquiries to the busy schedules of your other personnel?
4. Do you and your staff ignore what new employees are saying?
5. Is the process more important than the result? Does the urgent get in the way of the important?
6. Do layers of bureaucracy between you, your employees and customers interfere with contact, communications and results?
7. Is “Ruth Radar” running your shop?
8. Do you have any fires burning in your office?

If you answered “no” to all of these questions, congratulations! Now go back and try again. The perfect business would have eight “no” answers, but very few businesses are perfect. If you are like LOCO (a large old company), you might be so far out of touch with your trainees, employees and customers that you won’t hear about a fire until it starts to burn your desk. Look back at IBM, GM and Sears in the late 1980s. These were kings of their jungles. Yet all nearly burned to the ground. Many thousands of employees were terminated, profits ended and stock values fell. If you would have talked to any of these terminated employees you would have learned that the fire had burned for a long time and that many people had tried to sound the alarm. Remember the large old insurance companies that are no longer here – Continental, Reliance, etc. Did their independent agents smell the smoke? Did the leadership of these carriers ignore the alarm? Sam Walton, who had reasonable success in business during his lifetime, once said, “There is only one boss – the customer. Customers can fire everybody in the company from the chairman on down, simply by spending their money somewhere else.” Sam was right. In your business, do you or Nancy have the most direct contact with the customer – the ultimate boss? If Nancy has the most contact, is she adequately trained, motivated and monitored? Is she providing feedback to you? Are you listening? Take one minute to draw a picture of your organization. Are you, as the boss, at the pinnacle? Are Nancy and her fellow trainees at the base? Is it prudent to have the least experienced personnel closest to the customers? Your organization was formed to meet the needs of customers. You exist to serve these same customers. Where are these customers in the organizational chart? Did you forget them? How much distance is there between you (as boss) and the customers? Does this pyramid model facilitate the free flow of information between you and the customers or does it buffer you from the thoughts and feelings of the real boss (the customer)? In your business, is the customer and her problem seen as an interruption of the work or the very reason for your existence? If your customers voted tomorrow, who would be retained? Who would be fired? Think about it! Do you dare to ask?

How can a company liberate itself from the death spiral of product commoditization? Competing on price is generally a losing proposition—and an exhausting way to run a business. But when a market matures and customers start focusing on price, what’s a business to do? The answer, as counterintuitive as it may seem, is to deliver a better customer experience. It’s a proposition some executives reject outright. After all, a better customer experience costs more to deliver, right? How on earth could that be a beneficial strategy for a company that’s facing commoditization pressures? Go From Commodity to Necessity There are two ways that a great customer experience can improve price competitiveness, and the first involves simply removing yourself from the price comparison arena. Consider those companies that have flourished selling products or services that were previously thought to be commodities: Starbucks and coffee, Nike and sneakers, Apple and laptops. They all broke free from the commodity quicksand by creating an experience their target market was willing to pay more for. They achieved that, in part, by grounding their customer experience in a purpose-driven brand that resonated with their target market. Nike, for example, didn’t purport to just sell sneakers; it aimed to bring “inspiration and innovation to every athlete in the world.” Starbucks didn’t focus on selling coffee; it sought to create a comfortable “third place” (between work and home) where people could relax and decompress. Apple’s fixation was never on the technology but rather on the design of a simple, effortless user experience. But these companies also walk the talk by engineering customer experiences that credibly reinforce their brand promise (for example, the carefully curated sights, sounds and aromas in a Starbucks coffee shop or the seamless integration across Apple devices). The result is that these companies create something of considerable value to their customers. Something that ceases to be a commodity and instead becomes a necessity. Something that people are simply willing to pay more for. That makes their offerings more price competitive—but not because they’re matching lower-priced competitors. Rather, despite the higher price point, people view these firms as delivering good value, in light of the rational and emotional satisfaction they derive from the companies’ products. The lesson: Hook customers with both the mind and the heart, and price commoditization quickly can become a thing of the past. Gain Greater Pricing Latitude Creating a highly appealing brand experience certainly can help remove a company from the morass of price-based competition. But the reality is that price does matter. While people may pay more for a great customer experience, there are limits to how much more. And so, even for those companies that succeed in differentiating their customer experience, it remains important to create a competitive cost structure that affords some flexibility in pricing without crimping margins. At first blush, these might seem like contradictory goals: a better customer experience and a more competitive cost structure. But the surprising truth is that these two business objectives are actually quite compatible. A great customer experience can actually cost less to deliver, thanks to a fundamental principle that many businesses fail to appreciate: Broken or even just unfulfilling customer experiences inevitably create more work and expense for an organization. That’s because subpar customer interactions often trigger additional customer contacts that are simply unnecessary. Some examples:

• An individual receives an explanation of benefits (EOB) from his health insurer for a recent medical procedure. The EOB is difficult to read, let alone interpret. What does the insured do? He calls the insurance company for clarification.
• A cable TV subscriber purchases an add-on service, but the sales representative fails to fully explain the associated charges. When the subscriber’s next cable bill arrives, she’s unpleasantly surprised and believes an error has been made. She calls the cable company to complain.
• A mutual fund investor requests a change to his account. The service representative helping him fails to set expectations for a return call. Two days later, having not heard from anyone, what does the investor do? He calls the mutual fund company to follow up on the request.
• A student researching a computer laptop purchase on the manufacturer’s website can’t understand the difference between two closely related models. To be sure that he orders the right one for his needs, what does he do? He calls the manufacturer.
• An insurance policyholder receives a contractual amendment to her policy that fails to clearly explain, in plain English, the rationale for the change and its impact on her coverage. What does the insured do? She calls her insurance agent for assistance.

In all of these examples, less-than-ideal customer experiences generate additional calls to centralized service centers or field sales representatives. But the tragedy is that a better experience upstream would eliminate the need for many of these customer contacts. Every incoming call, email, tweet or letter drives real expense—in service, training and other support resources. Plus, because many of these contacts come from frustrated customers, they often involve escalated case handling and complex problem resolution, which, by embroiling senior staff, managers and executives in the mess, drive the associated expense up considerably. Studies suggest that at most companies, as many as a third of all customer contacts are unnecessary—generated only because the customer had a failed or unfulfilling prior interaction (with a sales rep, a call center, an account statement, etc.). In organizations with large customer bases, this easily can translate into hundreds of thousands of expense-inducing (but totally avoidable) transactions. By inflating a company’s operating expenses, these unnecessary customer contacts make it more difficult to price aggressively without compromising margins. If, however, you deliver a customer experience that preempts such contacts, you help control (if not reduce) operating expenses, thereby providing greater latitude to achieve competitive pricing. Putting the Strategy to Work If your product category is devolving into a commodity (a prospect that doesn’t require much imagination on the part of insurance executives), break from the pack and increase your pricing leverage with these two tactics:

• Pinpoint what’s really valuable to your customers.

Starbucks tapped into consumers’ desire for a “third place” between home and work—a place for conversation and a sense of community. By shaping the customer experience accordingly (and recognizing that the business was much more than just a purveyor of coffee), Starbucks set itself apart in a crowded, commoditized market. Insurers should similarly think carefully about what really matters to their clientele and then engineer a product and service experience that capitalizes on those insights. Commercial policyholders, for example, care a lot more about growing their business than insuring it. Help them on both counts, and they’ll be a lot less likely to treat you as a commodity supplier.

• Figure out why customers contact you.

Apple has long had a skill for understanding how new technologies can frustrate rather than delight customers. The company used that insight to create elegantly designed devices that are intuitive and effortless to use. (Or, to invoke the oft-repeated mantra of Apple co-founder Steve Jobs, “It just works.”) Make your customer experience just as effortless by drilling into the top 10 reasons customers contact you in the first place. Whether your company handles a thousand customer interactions a year or millions, don’t assume they’re all “sensible” interactions. You’ll likely find some subset that are triggered by customer confusion, ambiguity or annoyance—and could be preempted with upstream experience improvements, such as simpler coverage options, plain language policy documents or proactive claim status notifications. By eliminating just a portion of these unnecessary, avoidable interactions, you’ll not only make customers happier, you’ll make your whole operation more efficient. That, in turn, means a more competitive cost structure that can support more competitive pricing. Whether it’s coffee, sneakers, laptops or insurance, every product category eventually matures, and the ugly march toward commoditization begins. In these situations, the smartest companies recognize that the key is not to compete on price but on value. They focus on continuously refining their brand experience—revealing and addressing unmet customer needs, identifying and preempting unnecessary customer contacts. As a result, they enjoy reduced price sensitivity among their customers, coupled with a more competitive cost structure. And that’s the perfect recipe for success in a crowded, commoditized market. This article first appeared on carriermanagement.com.