On the cusp of the 2015 Super Bowl, NFL Commissioner Roger Goodell surprised fans with an unusual focus for his annual state of the league press conference: player safety. He announced that the league would hire a chief medical officer to oversee the league’s health policies. This is good news. But first and foremost, Goodell must firmly plant the goalposts for this new hire. What does the new top doc need to accomplish to win? Here are four goals to start: Goal One: Make Concussions Rare In 2014, there were 202 concussions among players in practice, preseason and regular-season games. With approximately 1,600 players, my back-of-the-envelope math calculates one concussion for every eight players -- in one year alone. The new chief medical officer will have some momentum to build on to address this issue. In recent years, the league has implemented tough restrictions about when and under what conditions players can return to the field after an injury. The league has also improved equipment and changed the rulebook to penalize hits to defenseless players. The number of concussions is down by 25% from 2013, and defenseless hits are down by 68%. The new medical officer needs to accelerate that progress. Goal Two: Research and Enforce Best Practices To make a major impact on players’ health and safety, the new medical officer will need to rigorously examine the protocols in place to protect players. No one can argue with the notion that, at its core, football is a contact sport; injury is inevitable. However, some injuries are entirely preventable, yet they can easily topple the career of a valuable player. In my world, we’d call this kind of injury a “Never Event” -- it should never happen. The new medical officer needs to consider how the team functions as a whole, get solid research on best practices and create enforceable guidelines for prevention. To protect past, current and future players, he or she will have to shake up the entire enterprise and institute a culture in which making the play is balanced with protecting the player. Goal Three: Demand Safety off the Field, Too One in eight is a frightening statistic for concussions, but, surprisingly, players may be safer on the field than in a hospital. Players -- and league employees and their families -- depend on the healthcare system just like the rest of us. True, players often receive treatment at elite centers of care, at the hands of celebrated physicians. But our research finds that even places with big reputations can be equally unsafe. One in six admissions to a hospital results in an adverse event, and as many as 500 people die every day from preventable errors, accidents and injuries in hospitals. Even the most highly regarded institutions struggle to keep patient safety a top priority. But some providers are much safer than others, and the new NFL medical officer has a role to play in helping players and employees pick the winners. He or she can demand data on safety of hospitals and physician practices and use that data in decision-making. The NFL can structure health benefits packages to favor safest providers, encourage performance-based payment models and give employees transparent and candid information on quality and safety to encourage them to select the safest care. Many other employers and unions are successfully deploying these strategies, and they have good tools to help. Goal Four: Be a Champion Championship  isn’t exactly a standard element on boilerplate job descriptions, but it’s critical to this one. The NFL knows how to spot champions, and it should expect no less from this new hire. The new chief medical officer needs to inspire a good number of people: teams, to change the way they function; youth, increasingly wary about the game; retired players, whose health issues cast a shadow over the whole sport; and the millions of fans who love American football. Being a champion is the most important goal, because the NFL has the opportunity to go beyond defending its safety record and start playing offense. As a top-tier brand, the NFL could be a national leader, ensuring that safety comes first in America, on and off the field. By taking the right steps to protect players and the league, the new medical officer can inspire all the fans, not only to embrace the game, but to champion a healthier America. This article was originally posted on Forbes.com.

Most companies that take up risk management start out with subjective frequency-severity assessments of each of their primary risks. These values are then used to construct a heat map, and the risks that are farthest away from the zero point of the plot are judged to be of most concern. This is a good way to jump-start a discussion of risks and to develop an initial process for prioritizing early risk management activities. But it should never be the end point for insurers. Insurers are in the risk business.  The two largest categories of risks for insurers -- insurance and investment -- are always traded directly for money.  Insurers must have a clear view of the dollar value of their risks. And with any reflection, insurance risk managers will identify that there is actually never a single pair of frequency and severity that can accurately represent their risks. Each of the major risks of an insurer has many, many possible pairs of frequency and severity. For example, almost all insurers with exposure to natural catastrophes have access to analysis of their exposure to loss using commercial catastrophe models. These models produce loss amounts at a frequency of 1 in 10, 1 in 20, 1 in 100, 1 in 200, 1 in 500, 1 in 1000 and any frequency in between. There is not a single one of these frequency severity pairs that by itself defines catastrophe risk for that insurer. Once an insurer moves to recognizing that all of its risks have this characteristic, it can now take advantage of one of the most useful tools for portraying the risks of the enterprise, the risk profile. For a risk profile, each risk is portrayed according to the possible loss at a single frequency. One common value is a 1 in 100 frequency. In Europe, all insurers are focused by Solvency II regulations on the 1-in-200 loss. Ultimately, an insurer will want to develop a robust model like the catastrophe model for each of its risks to support the development of the risk profile. But before spending all of that money, there are two possible shortcuts that are available to rated insurers that will cost little to no additional money. SRQ Stress Tests In 2008, AM Best started asking each rated insurer to talk about its top five risks. Then, in 2011, in the new ERM section to the supplemental rating questionnaire, Best asked insurers to identify the potential impact of the largest threat for six risk types. For many years, AM Best has calculated its estimate of the capital needed by insurers for losses in five categories and eventually added an adjustment for a sixth -- natural catastrophe risk. Risk profile is one of the primary areas of focus for good ERM programs and is closely related to these questions and calculations. Risk profile is a view of all the main risks of an insurer that allows management and other audiences the chance to compare the size of the various risks on a relative basis. Often, when insurers view their risk profile for the first time, they find that their profile is not exactly what they expected. As they look at their risk profile in successive periods, they find that changes to their risk profile end up being key strategic discussions. The insurers that have been looking at their risk profile for quite some time find the discussion with AM Best and others about their top risks to be a process of simplifying the detailed conversations that they have had internally instead of stretching to find something to say that plagues other insurers. The difference is usually obvious to the experienced listener from the rating agency. Risk Profile From the SRQ Stress Tests Most insurers will say that insurance (or underwriting) risk is the most important risk of the company. The chart below, showing information about the risk profile averaged for 31 insurers, paints a very different story. On average, underwriting risk was 24% of the risk profile and market risk was 30%. Twenty of the 31 companies had a higher value for market risk than underwriting risk. For those 20 insurers, this exercise in viewing their risk profile shows that management and the board should be giving equal or even higher amounts of attention to their investment risks. Stress tests are a good way for insurers to get started with looking at their risk profile. The six AM Best categories can be used to allow for comparisons with studies, or the company can use its own categories to make the risk profile line up with the main concerns of its strategic planning discussions. Be careful. Make sure that you check the results from the AM Best SRQ stress tests to make sure that you are not ignoring any major risks. To be fully effective, the risk profile needs to include all of the company’s risks. For 20 of these 31 insurers, that may mean acknowledging that they have more equity risk than underwriting risk – and planning accordingly. Risk Profile From the BCAR Formula The chart below portrays the risk profiles of a different group of 12 insurers. These risk profiles were determined using the AM Best BCAR formula without analyst adjustments. For this group of companies on this basis, premium risk is the largest single category. And while there are again six risk categories, they are a somewhat different list. The risk category of underwriting from the SRQ is here split into three categories of premium, reserve and nat cat. Together, those three categories represent more than 60% of the risk profile of this group of insurers. Operational, liquidity and strategic risks that make up 39% of the SRQ average risk profile are missing here. Reinsurer credit risk is shown here to be a major risk category, with 17% of the risk. Combined investment and reinsurer credit is only 7% of total risk in the SRQ risk profile. Why are the two risk profiles so different in their views about insurance and investment risks? This author would guess that insurers are more confident of their ability to manage insurance risks, so their estimate of that risk estimated in the stress tests is for less severe losses than the AM Best view reflected in the BCAR formula. And the opposite is true for investment, particularly equity risk. AM Best's BCAR formula for equity risk is for only a 15% loss, while most insurers who have a stock portfolio had just in 2008 experienced 30% to 40% losses. So insurers are evaluating their investment risk as being much higher than AM Best believes. Neither set seems to be the complete answer. From looking at these two groups, it makes sense to consider using nine or more categories: premiums, reserves, nat cat, reinsurer credit, bond credit, equities, operational, strategic and liquidity risk. Insurers with multiple large insurance lines may want to add several splits to the premium and reserve categories. Using Risk Profile for Strategic Planning and Board Discussions Risk profile can be the focus for bringing enterprise risk into the company’s strategic discussions. The planning process would start with a review of the expected risk profile at the start of the year and look at the impact on risk profile of any major proposed actions as a part of the evaluation of those plans. Each major plan can be discussed regarding whether it increases concentration of risks for the insurer or if it is expected to increase diversification. The risk profile can then be a major communication tool for bringing major management decisions and proposals to the board and to other outside audiences. Each time the risk profile is presented, management can provide explanations of the causes of each significant change in the profile, whether it be from management decisions and actions or because of major changes in the environment. Risk Profile and Risk Appetite Once an insurer has a repeatable process in place for portraying enterprise risk as a risk profile, this risk profile can be linked to the risk appetite. The pie charts above focus attention on the relative size of the main types of risks of the insurer. The bar chart below features the sum of the risks. Here the target line represents the expected sum of all of the risks, while the maximum is an aggregate risk limit based upon the risk appetite. In the example above, the insurer has a target for risk at 90% of a standard (in this case, the standard is for a 400% RBC level; i.e. the target is to have RBC ratio of 440%). The plan is for risk at a level that produces a 480% RBC level, and the maximum tolerance is for risk that would produce a 360% RBC. The 2014 actual risk taking has the insurer at a 420 RBC level, which is above the target but significantly below their maximum. After reviewing the 2014 actual results, management made plans for 2015 that would come in just at the 440% RBC target. That review of the 2014 actual included consideration of the increase in profits associated with the additional risk. When management made the adjustment to reach target for 2015, its first consideration was to reduce less profitable activities. Management was able to make adjustments that significantly improve return for risk taking at a fully utilized level of operation.

It's hard to imagine that Humphrey Bogart became one of the fashion setters of his time by wearing a wristwatch in his films. That made pocket watches a novelty. Since then, wristwatches have been a cool men's accessory. There were glow-in-the dark watches -- until radium was discovered to be dangerous. Other styles have added lunar phases, chronographs, timers and alarms, and don’t forget the trendy but forgotten 1970 Pulsar red LED watch. Now, is the wristwatch at risk of being replaced by new wearables? The real question in my mind from a risk management perspective relates to our personal habits vs. technological advances. Historically, relying on technology alone to change behavior has been more hope than strategy. People like style, convenience, comfort and practicality, and many old habits are hard to change. How many devices do I need to wear? Will a wearable ever truly be a personal protective device (PPD) in the workplace? Gadgets like Fitbit or Nike Fuelband do specific health-monitoring tasks that have a cool factor, joining yoga pants and headbands. Well, maybe not headbands anymore, but I'm an Olivia Newton-John fan. Anyway, for my daily walks, I use an app on my iPhone that seems to do very well in tracking my steps. The real holy grail of wearables would be a simple device that could monitor your blood pressure 24/7 and communicate to you and your medical provider. Now, joining the battle for your wrist, the Apple watch (around $350-plus) is poised for release in April. A companion device with your iPhone, these colorful wrist devices strive to pack all of your wearable potential into one Dick Tracy-like, walkie-talkie-style statement with three colorful base models. Similarly, Android Wear is in the works, with as many as 15 devices packing Google’s wearable tech system anticipated to hit the market by the end of 2015. Apple admits that users are going to wind up charging the watch daily but has declined to go into specifics. A watch runs on a small battery for a year or more. Wearables are about to explode into an array of novel, single-function devices. The big question in my mind is something the designers of wearable tech seem to have forgotten: Does the item in question solve a need or make life easier for its user? The fact is that most wrist devices do nothing more complex than that already done on a smart phone. Look at what happened with Google Glass in 2013 -2015. This $1,500 gizmo fizzled in the social scene although commercial uses, including in medicine, firefighting and manufacturing, seem promising. Besides its nerdiness, Google Glass lost because of legal and privacy issues. The real killer in my mind was when users were dubbed “glassholes.” Google is retooling that invention for another shot at it down the road. Perhaps the biggest obstacle standing in the way of wearables is complexity. There may very well come a day when people are decked out from head to toe in technology, but it’s not going to happen unless it’s nearly invisible technology. Consumers don't buy gadgets, as much as they buy experiences. They buy access to content and services they desire. They buy brands that deliver style and status, social acceptance and recognition. Remember the 2001 invention, codenamed Ginger, that was destined to change the world of transportation? It’s called the Segway. "Disruptive innovation," a term coined by a Harvard University professor, Clayton Christensen, describes a process by which a product or service takes root initially in simple applications at the bottom of the market and then relentlessly moves up-market, eventually displacing established competitors. Wearables could bring dramatic improvement  to health monitoring and safety and assistance, but issues like battery life, transparency and simplicity need to be solved before we can expect real disruptive change like the smart phone brought us. Over half of the world's 7.2 billion people use mobile phones, with smartphone users growing to 2.5 billion in 2015. Besides communication and computing, think of the incredible photo and video capabilities smartphones bring to our planet's inhabitants. What would more wearables give us?

This is Paper 3 of a series of five on risk appetite and associated questions. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards comprehend the links between risk and strategy. This is achieved either through painful crises or through the less expensive development of a risk appetite framework (RAF). Understanding of risk appetite is very much a work in progress for many organizations, but RAF development and approval can lead boards to demand action from executives. Paper 1, the shortest paper, makes a number of general observations based on experience with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. This paper, Paper 3, answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between risk appetite frameworks and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and risk maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy. Paper 3: Should all organizations have a risk appetite framework? The relationship between risk and strategy is a function or neither risk management nor strategic management. Rather, it is simply good management in an uncertain world, where business models are:

1. Increasingly driven to be available on a 24/7 global footprint,
2. Online using telecom networks,
3. Becoming more dependent on third-party service providers,
4. Becoming more connected within larger financial, supply chain and energy supply chains.

It is our view that the term "risk management" will, within the 2010 decade, become supplanted by the term "resilience management" and that the latter term will become an integral part of risk culture in organizations that are trading internationally or vulnerable to international supply chains. Maintaining a risk appetite framework will thus, before the end of this decade, be a matter of necessity, and not a matter of choice. The driver in this regard will be the pace of change. Look at the pictures above, both at a papal blessing, and you see what a difference less than a decade years can make. What is leading organizations to put formal risk appetite frameworks in place? Greater investor and regulatory focus, combined with a recognition that risk practices are becoming increasingly professional, has caused organizations to change attitude toward risk from a broadly negative stance to a more positive and engaged approach. We note a global scarcity of skilled chief risk officers and unwillingness by organizations to commit resources in the current economic climate. Nevertheless, enlightened organizations are gaining appreciation of the links between risk and strategy and in turn toward putting in place the necessary resources and supports to provide greater risk professionalism. How are risk appetite and strategy related? The diagram below describes the relationship. Earlier in these papers, we described board risk assurance as assurance that strategy, objectives and execution are aligned. We further explained that alignment is achieved by operationalizing the links between risk and strategy. This is done by integrating each of the seven numbered elements described in the diagram above as follows: 1.     Reaching a determination as to long-term purpose and formulating those strategic initiatives and objectives that are required to achieve it[1], 2.     Understanding obstacles to the achievement of objectives: This needs to be understood practically in terms of a motor journey from say Dublin to Cork or Berlin to Paris. Before the journey, people need to understand, and manage, what can stop them, slow them down or distract them on the journey. Once people understand risk management in these simple and practical terms, they understand that risk management is more about achieving objectives (getting from point A to point B) than compliance with regulations. It is about improving performance on the journey. What people? In the simplest of terms, they are the owners of the car (shareholders represented by the board), the driver (CEO and executives) and passengers (primary stakeholders, i.e. customers, employees, investors, suppliers and secondary stakeholders and others with a legitimate interest in the business). 3. Setting objectives and getting balance and alignment (Note: strategy maps, e.g. Balanced Scorecard): This is done in risk management terms by: a. Strengthening the strategic planning process; for example: i.     Increasing rigor, formality and consistency in the strategic planning office (SPO), which derives its authority from the board and  the CEO's office, ii.     Aligning strategy, risk and audit board subcommittees (through cross-representation) in a manner that largely mirrors the conventional three lines of defense model[2] and reflects the requirement to strengthen board risk oversight, reporting and monitoring[3], iii.     Embedding risk management competence within the SPO[4], iv.     Explicitly articulating corporate and organizational objectives, v.     Testing the alignment of group, corporate and organizational objectives through development and review of risk appetite statements. b. Establishing an effective risk appetite framework, which includes: i.     Statement of purpose and values of the organization, ii.    Explicitly stated board risk assurance requirements; factors to consider would include:

1. Mapping objectives to a risk appetite continuum,
2. Qualitatively expressed risk appetite statements,
3. Quantitatively expressed risk criteria related to both risk tolerance and risk limits.

c. Understanding and improving the organizational level of risk maturity Risk maturity is outside the scope of this paper; however, discussion on the topic would be welcomed by RMI. RMI has developed a five-level RMI Risk Maturity Index, which provides a road map to risk optimization. The index scores risk maturity capability requirements, etc. In summary, it describes:

• Level 5: "Value-Driven" -- Optimizing value through aligning risk and strategy with corporate objectives,
• Level 4: "Managed" -- Gaining value through aligning risk and strategy in pursuit of corporate objectives,
• Level 3: "Insight" -- Gaining insights into how to better align risk and strategy in pursuit of corporate objectives,
• Level 2: "Awareness" -- Developing awareness  into how to align risk and strategy in pursuit of corporate objectives,
• Level 1: "Basic" -- Seeking awareness of the links of risk and strategy in pursuit of corporate objectives.

d.   Building resilience: i.     Ensuring that the SPO engages in systematic risk horizon scanning as well as: 1. Understanding near misses and escalation reports in the organization and externally, 2. Monitoring performance of risk treatments[5], 3. Proofs and tests of the quality of decision making, and decision making processes, through simulated threat and opportunity crisis[6] scenario(s) exercises, ii.     Anticipating Emerging Risks[7]. 4.     Evaluating the amount of risk the organization is prepared to accept in pursuit of the long-term statement of purpose; and then deciding how to treat risks: Just as implementation is critical to performance[8], risk treatment is at the cutting edge of risk management and managing risks! Disappointingly, however, very many organizations commit disproportionate resources to risk assessment with inadequate attention paid to what really matters; that is, treating risks. In essence, very many organizations concentrate on the P in the PDCA (plan, do, check, act) cycle, with not enough attention paid to doing, checking and acting on continuous improvement requirements. This is pretty much in evidence in a review of many of the risk registers we have examined on behalf of clients. The majority of the surface area/content of the report (sadly, and sometimes tragically, an Excel, Word or Power Point document, as distinct from a credible database solution[9]) is given to risk assessment. In our experience, often, precious little detail is given to:

1. Who, specifically is responsible for individual risk treatments,
2. Change management and resource requirements supporting risk treatments,
3. The project/risk treatment key performance indicators (KPIs), milestones and gateways,
4. The expected residual effect of risk treatments on likelihood and impact,
5. The role of management in reviewing performance against KPIs, milestones and gateways. 

Risk treatment reports, which are presented to the level of detail described above and which are evaluated by the SPO in a manner that provides a feedback loop to the performance of objectives, become leading indicators of the future state of health of objectives. 5.       Weighing the odds consistently throughout the organization: This is the function of the chief risk officer (CRO), a most important role within the organization, and risk committee. The ability of the CRO and risk committee to efficiently and effectively perform this function is directly proportional to the efficacy of the assurances delivered as described above. Typical weaknesses and challenges that can occur include: 1. Frequency of changes required to risk criteria (tolerances and limits) in early stage (risk) maturity organizations as a consequence of:

• Pace of change internally and externally in the organization,

Identification of emerging and external risks hitherto not understood. 2. Inability to undertake real time dynamic tests of risk aggregations:

• Around discrete objectives,
• Across risk categories.

The weaknesses and challenges described above often result in: 1. Meetings where questions asked can only be answered in terms of: i.     This is the historic "point in time" information we have prepared. ii.     We will need to revert with answers to your query in X days. 2. Risk aggregation tests not being run and emerging/known unknown risks not being identified until there is an occurrence. 6.     Compliance with laws and regulations: Organizations are established to achieve superior returns, with limited liability to risk takers. However, they are expected to do so having full regard for all legal requirements. Clearly, it is axiomatic to assume the lawful intent of a company’s original promoters, and thereafter its directors and the executive. To this extent, compliance is an operational imperative and a sunken cost. Compliance alone does not drive value, but without it value cannot be created. It would seem inappropriate to place compliance at the center of board agenda, just as it would be a mistake to place compliance at the center of the diagram above, which describes the relationship between risk and strategy. However, compliance is a mission-critical element within the risk/strategy governance framework. 7.    Tough governance, setting policy and monitoring performance: In the context of the relationship between risk and strategy, tough governance means risk culture. "Risk culture" is a term describing the values, belief, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization or of teams or groups within an organization. This applies whether the organizations are private companies, public bodies or not-for profits, wherever they are in the world.[10]. Risk culture, as an aspect of culture, can be practically described thus: Culture: The way we do things around here! Risk culture: The freedom we have to challenge around here! Risk culture is capable of being demonstrably and credibly evidenced by: 1. Board and executive messaging[11] on threats and risks to operations and jobs when people fail to act/report when they: i.     Identify a smarter way of completing a task, achieving an objective, ii.     See a threat or risk to the organization. 2. Escalation reports and their treatment by the executive and management, 3. Near misses reported and averted.

The CEO of a large insurance company once confided to me that the toughest innovation challenge he faced was that, “Every time we try to innovate, the agents turn around and kick us in the nuts.” The dance between Uber and Google around drone taxis reminds me of that conversation. Google invested in Uber in 2013 but has recently distanced itself from Uber amid indications that it is considering offering its own ride-hailing service using driverless cars. While such a service might make sense for Google and might be the way of the future, imagine how Uber’s drivers will react if Uber attempts the transition to driverless cars. Both the insurance CEO and his agents knew that the most innovative thing his company could do was to eliminate the agents as middlemen between him and his customers. This insurer was paying about 15% of its premiums to agents in commissions and bonuses. Eliminating agents would have translated into lower expenses for the insurer and lower premiums for customers. GEICO, for example, pays no agent commissions. It takes advantage of its structural cost advantage to out-market and out-price its agent-based competitors. The problem was that this insurer depended on its agents. Going from agent-mediated sales to no agents was fraught with danger. Sometime in the future, whether five, 10 or 15 years from now, Uber will confront a similar predicament as it confronts the adoption of drone taxis. Fully autonomous cars will enable Uber-quality service at much lower prices -- and at a fraction of the cost of car ownership. The only difference is that there will be no human drivers. Drone taxis are an opportunity that Uber has long foreseen. It was likely a part of the calculation for accepting Google’s $258 million investment in 2013. Travis Kalanick, Uber’s CEO, was clear about the opportunity when he told a technology conference in 2014 that: "The Uber experience is expensive because it’s not just the car but the other dude in the car. When there’s no other dude in the car, the cost [of taking an Uber] gets cheaper than owning a vehicle." And, as I discussed I a recent column, Uber just put a lot of money behind that vision. So, by the time driverless cars become viable, Uber will have had a hand in its development for a long time. But here’s the rub. By that time, Uber will no longer be a feisty startup with nothing to protect. It will most likely be a highly profitable and richly valued public company. It will be servicing millions of customers in thousands of cities across hundreds of countries all around the world. And its success will depend on the allegiance of hundreds of thousands of independent human drivers. As with insurance agents’ power over the aforementioned CEO, drivers will have tremendous leverage over Uber. Will Uber drivers accept a drone option on the Uber app? No. It is easy to imagine work stoppages and mass defections to competitors that promise not to offer drones. It is also easy to imagine intense campaigns by drivers and third parties to save drivers’ jobs and livelihoods. Uber will find itself at the very uncomfortable heart of the technology vs. jobs debate. Will Uber management have the audacity to risk changing Uber’s business model? Could Uber weather the bad publicity and potential disruption to its revenue and profits? Would its board and investors allow management to put the company at risk? Uber will be in much the same position that Kodak found itself with digital photography. Kodak had the foresight to invest in research that yielded many of the core inventions enabling digital photography. Yet it struggled for decades to capitalize on those inventions -- even as digital photography inexorably replaced film-based photography. Kodak failed even though it had immense resources, technical expertise and management talent. It failed because it could never negotiate the business model transition to digital photography. If you had a very profitable and dominant film, chemical and paper business, when would you choose to accelerate its demise? Kodak management stuck with film until the company's early advantages in digital photography no longer mattered. The iconic “Kodak moment” used to conjure up images of heart-warming pictures. It now symbolizes companies grappling with complete and utter technology disruption. Uber will no doubt have all the prerequisite resources, technical expertise and management talent to fully comprehend the strategic implications of driverless cars. Like Kodak, it will have a very long time to prepare. Do you think it will survive its Kodak moment?

Recent workplace and school shooting incidents underscore the importance of having comprehensive prevention and response policies and plans in place. We are finally coming to grips with the reality that workplaces are veritable lightning rods for violence. In an article titled, "Business Continuity for Small Businesses," Dr. Robert F. Hester said, "Safety, security and preparedness aren’t routinely a focus in our lives. Being on guard is not something Americans are used to or like doing. Still. . . the threat never goes away; only fades in memory.” Workplace violence reflects employee perceptions of their workplaces and their personal issues. Workplaces are veritable lightning rods for violence. Our job is to minimize the risk through strategies and preparation. Minimizing risks requires a critical assessment of your workplace security; prevention and response procedures; physical security measures; and administrative and operational policies. Workplaces must appreciate that unhappy employees don’t wake up one morning consumed with getting even. They don’t! The escalation toward homicidal retaliation probably started months earlier, if not years, and the clues were missed or misunderstood. Supervisors need to examine work sites for autocratic supervision, toxic employees and criminal elements. Sometimes, workplace policies create misunderstandings, when the workforce is taken for granted, and that can lead to conflict. Supervisors and managers need to intervene swiftly by monitoring and then communicating. They can show sensitivity to changes in family, medical, personal, financial and workplace relationships that are often exacerbated by workplace relationships. Workplace violence prevention really requires a comprehensive view of workplaces and how best to integrate resources, collaborate on strategies and coordinate efforts. (Developing Your Comprehensive Workplace Violence Prevention Policy/Plan). Workplaces must review their policies and plans annually and design the right atmosphere. Workplaces must be critical of their capabilities and limitations by asking tough questions. We must not allow convenience to dictate management’s decisions and attitudes. Employees (supervisors and managers alike) must be held accountable for inappropriate conduct as part of building credibility in violence prevention. We must ask the following questions:

• Do we understand the risks?
• Are we responding properly?
• Do we monitor and track incidents, situations and people?
• How could an incident happen?
• What did we miss that could have prevented the outcome through care, consideration and attentiveness?
• What did we take for granted and why?
• How do we interact or fail to intervene?

I ask that senior leaders begin a process today to assess their workplace settings to uncover hazards and resolve security gaps. Why wait to answer such questions tomorrow when posed by the media, OSHA or a jury? Research shows that people delay because of:

1. Denial about whether they have a problem;
2. The resources required;
3. A belief that they can simply terminate troubled employees;
4. An inability to act quickly;
5. Lack of staff and support;
6. The cost of training;
7. The expense of hiring a consultant.

But there is a need to be prepared for the when it happens rather than if it happens. The threat can come from a: current employee, former employee, disgruntled customer, client, patient or student, criminal or a domestic/intimate partner. I will not scare readers with immaterial statistics not specific to your respective workplaces at this point, but I will implore you to take immediate action to improve your workplace security.

It’s a brand new year. I hope last year’s numbers were where you wanted them to be: solid growth, increased revenue and expenses under control. But for those agencies that didn’t add to their book, there’s always an excuse or six. It’s easy to rationalize why things didn’t go your way. Of course, sometimes, it really isn’t your fault; maybe you lost a major account for reasons beyond your control. This column highlights a half-dozen common excuses and suggests ways to slap them down. No time to sell. No producer ever has enough time to sell; yet it’s their most valuable commodity. There are innumerable ways to gain more selling time, including: wiser time management; more selective prospecting and quoting; using instant digital communications; shifting small, no-growth accounts to a skilled in-house agent or a less busy outside producer. Enact these approaches, and others, to extend the clock in your favor. Not enough commercial prospects. Be preemptive. Work mainly with new business leads that align with your personal interests, plus pricing and underwriting strengths. Count the approximate number of prospects within each niche you want to target, and broadly pre-qualify them, before doing any actual solicitation. If you don’t, your sales results may not be adequate to offset your time and marketing expenses. Our personal lines rates are too high. Competing head-to-head with direct marketing carriers isn’t entirely about price. Professional advice, a local presence, smart proposals, regular communications/reviews, plus a competitive premium, all generate appealing value. Besides, rates are fluid; they go up and down, relative to the competition. Focus on the elements that are within your agency’s control instead of lamenting about what is not. No one has heard of our companies. If you tout your leading carrier as your agency’s brand, you are making your job harder than necessary. You are not your carrier. Besides, agency carriers never advertise as much as direct and captive-agent companies. Instead, concentrate on building your own brand through social media and traditional means. Adequately market and sell your agency, and people will buy from you — not the underwriting carrier. Inadequate sales training. You can’t expect serious sales from unskilled salespeople. So, provide continuous sales training to every producer and front office staffer. To help, there are state association-sponsored programs such as the American Insurance Marketing and Sales (AIMS) Society’s CPIA designation for producers, plus a variety of sales training sources for in-house client reps. There are also independent vendors with worthwhile training tools (including my own Agency Ideas resources). Too many rivals. Endless rivals, on all levels, challenge today’s independent agencies. Retailers, banks, captive and direct marketers, traditional competitors and more are all shooting for your business. Plus, the digital universe reduces the barriers of entry to anyone with an insurance license, a website/app and a willing policy writer. It can seem like you against the world. Don’t use this as an excuse. Instead, think of it as a clarion call to stop being a generic office and start being different — in terms of both marketing and sales. Are excuses that important?  As Jeff Goldblum’s character Michael famously said in The Big Chill, “I don’t know anyone who could get through the day without two or three juicy rationalizations. They’re more important than sex. . . . Ever gone a week without a rationalization?” Excuses are normal, everyday occurrences. It’s common to imagine them. Just don’t let them interfere with the growth of your agency. Let your endless competitors get lost in the rationalization maze instead. This article first appeared in Insurance Journal. 

The second-most read article from Health Affairs in 2014 was a fantastic piece by the employee benefits professionals from Pepsi and researchers from the RAND Corp.

The Pepsi team and the RAND researchers evaluated PepsiCo’s wellness program over a seven-year period and found the following:

• The disease management component of the overall wellness program lowered healthcare costs by $136 per member per month (PMPM) and decreased hospital admissions by 29%
• Lifestyle management/wellness showed a return on investment (ROI) of .48 to 1 (in other words, it LOST money)
• Disease management's ROI was 3.78 to 1
• Combined ROI for wellness and disease management was 1.46 to 1
• Findings were consistent with RAND's workplace wellness programs study, which found that lifestyle management did not lower healthcare costs
• Lifestyle management program's cost was $144 per participant per year

The article concludes that "blanket statements like ‘wellness saves money’ are not warranted."

As employers evaluate their healthcare strategies, it is important to keep these findings in mind.

Building an effective risk culture is much more than changing your organizational culture in line with your vision, mission, corporate values and risk appetite -- you must factor in the interests of competing national cultures, sub-cultures, Maslow’s theory on individual self-actualization and the informal groups in the company. The interactions among all of these are not predictable, and variables cannot accurately be isolated. An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of “conviction” -- a corporate state of mind where human beings can take well-informed risk decisions because they want to, not because they have to. ERM policies, systems and reporting dashboards are all part of the foundation for good risk management. Once you have all of these in place, you can start building an effective risk culture. Remember also that there is too much complexity and subjectivity in culture to assume that individual reactions and responses can be aggregated to reflect or give an accurate picture of the whole organization’s  risk culture. You cannot “pop” an effective risk culture in the microwave; it takes a lot of preparation, dedication and time to get it to perfection. You can have the best staff retention rates in the industry or the most awards for long service -- both of these can also indicate a high risk of employee fraud. According to ACFE research:  53% of fraudsters have more than five years of  service and the median loss for fraudsters with six to 10 years of service is $200 000. 52% of fraudsters are between 31 and 45 years old, and older fraudsters tend to cause larger losses. Scanning the horizon might just be the most important thing to do. You cannot control or stop what is coming; you have to prepare to respond to it. So many organizations spend large amounts of money to focus and report only on what is happening inside the organization, where they actually have control. Your biggest risks are outside of the organization, where you have no control. Key elements for the future of your risk strategy should include internal networking; you have to talk to the informal groups and their informal leaders just as much as you do talk to the executives and managers, maybe even more. The real business does not always get done in the formal “boxes and lines” structure. Just as important are the aspects of desk research and external networking. To have a good risk management strategy and action plan, you have to know everything about your industry, markets, competitors, supply chain, alternative supply chain, global risks in a connected world and many more. Failure to adapt your business model to the ever-changing internal and external risk environments will lead straight to the corporate graveyard. The future of risk management is just: “risk management through people.” You can have the best systems, great models and scenario analysis with elaborate dashboards; at the end of the day a person will take a decision. Are your employees aiming at more than one target, or do you have a clearly defined risk for reward strategy and risk appetite statement to guide them? Business strategy and risk culture are parts of an interdependent system. Start working on your success by training every employee with some basic risk management skills. As my Moody's colleague Sarah Tennyson wrote last year: “Enterprise-wide risk management requires a shift in the behavior and mindset of employees across an organization. To realize the full benefits of improved systems, tools and analytical skills, people need to learn new ways of perceiving situations, interpreting data, making decisions, influencing and negotiating.” This was originally published at Zawya.

As we get rolling in 2015, enterprises continue to approach a technology tipping point. According to our Digital IQ survey, 35% to 50% of technology spending is outside of the CIO’s budget. This data raises the question: Is it possible for CIOs to continue to influence how the enterprise is leveraging technology? The short answer is yes, but CIOs need to transform their approach to leadership. The New Year calls for a new CIO. The top-down days of technology leadership are over. Budgets, standards, procurement and governance…these concepts of control have been central to the CIO’s playbook, but they are increasingly ineffective as CIOs lose the ability to dictate how technology dollars are spent. Rather than instituting rules, CIOs must inspire executives across the enterprise to follow their lead. The measure of a successful CIO is shifting from how well the IT department functions to whether the entire enterprise has the ability to both drive and deflect digital disruption. If CIOs are the Pied Piper, the music is the “art of the possible.” Through a bold vision combined with deep listening, CIOs must guide the organization in maximizing technology’s full potential. The old C-I-O stood for Control, Infrastructure and Organization. The new C-I-O stands for Catalyst, Integration and Outside-in. Let me explain. From Control to Catalyst or Consultant or Communicator The CIO has no choice but to shift from one who controls technology spending to a catalyst who sparks action. The best way to persuade the enterprise to push the boundaries of technology is to build relationships and introduce big ideas through demos, prototypes and market intelligence. CIOs need to use demos to show the enterprise how business goals can be accomplished through the hands-on exploration of emerging technology. From Infrastructure to Integration Shadow IT has led to siloed systems such as SaaS and cloud applications that have to be integrated so businesses can get the most value out of them. Gluing together best-of-breed solutions isn’t new for CIOs. Integration was a critical skill set as we used middleware to stitch together customer relationship management (CRM) and enterprise resource planning (ERP) systems with legacy platforms. But integrating legacy systems with digital is different, given new vendors, technologies and sourcing models. CIOs need to take a hard look at their team’s integration skills and partnerships to make sure they are up to speed. From Organization to Outside-in In the past, we haven’t looked very far for inspiration to innovate. Most corporations have a history of learning about new technologies by tapping a few trusted vendors, attending a conference or two and reading a handful of trade publications. For the most part, organizations have turned their gazes inward toward their own organizations for innovation ideas. In the age of digital, where new technologies are plentiful, CIOs need to lead the charge of outside-in innovation, looking outside to communities such as makers, universities, open source, contests, crowd funding sites and global innovation hubs for inspiration. The role of the CIO is undergoing a seismic shift, and it’s creating a great deal of uncertainty and angst. Change is difficult, but it’s also exciting as it leads us to discover strengths and interests that we didn’t even know we had. It’s incredible what we can achieve when the future is on the line, as it is now. For CIOs to come out on the other side of this haze, they need to make themselves “tomorrow ready” by reshaping their roles today.