This is the first paper of a series of five on the topic of risk appetite. Understanding of risk appetite is very much a work in progress in many organizations. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized and comprehend the links between risk and strategy. This is achieved either through painful and expensive crises, or through the less expensive development of a risk appetite framework (RAF). Paper 1 makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between them and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy. Paper 1: Introduction Since the global financial crisis (GFC), regulators, investors and boards have become determined to avoid a repetition of such a cataclysmic event and have increased demand for more effective risk management. As financial risk reporting failed to predict the GFC, there is growing recognition of the need to build organizational resilience through effective mapping of risks and to demonstrate the capability to manage low-probability, high-impact events. Concern is also growing over the increase in cybercrime and over digital risk. Some observations: 1. Directors and senior managers need a globally accepted guide on the attributes of an effective risk appetite framework. 2. Emphasis is shifting globally from risk management to building resilience. Risk optimization is achieved when risk and strategy are aligned with corporate objectives. Achieving this requires that both the board and executives master strategic, emerging and external/global risks through robust (risk) horizon scanning, proofing and testing. 3. “Strategic risks” are those that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” is “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action [when problems arise]. Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that requires  the time and attention of executive management and the board of directors’’¹ RMI thus defines board risk assurance as assurance that strategy, objectives and execution are aligned. 4. That alignment is achieved through operationalizing the links between risk and strategy. This involves:

• Strengthening the strategic planning process through organizational integration of the risk and strategy functions/processes, with authority derived directly from the board and CEO’s office,
• Establishing an effective risk appetite framework,
• Understanding, and improving, the organizational level of risk maturity,
• Building organizational resilience,
• Proofing and testing management’s ability to offer credible solutions when both exploiting and defending operations, the business model and reputation.

5. The risk appetite framework (RAF)² is to the board what risk management³ is to the rest of the organization. As such, there is a direct correlation between the efficacy of the RAF and the efficacy of the risk management framework⁴. The audit committee of the board and the risk subcommittee must have charters that provide a risk governance framework that mandates:

• Direct CEO oversight of an integrated risk and strategy capability,
• Board risk subcommittee oversight of:
  • The risk appetite framework,
  • Advancing and maintaining risk maturity, which can deliver value through:
    • Access to capital at lower cost than that achieved by less mature competitors,
    • More favorable credit ratings than those achieved by less mature competitors,
    • Optimization of risk transfer through both traditional and modern self-insurance methods.
• Risk data governance maintained to standards of rigor and consistency like those that apply for accounting data,
• Perpetual proofing and testing of management’s readiness to offer credible solutions when both opportunity strikes and abnormal and adverse events occur.

We agree with Peter Bernstein, author of Against the Gods: The Remarkable Story of Risk, when he says, “In the absence of certainty. . . [we must] focus on excellent execution and demonstrable resilience at the same time whilst taking as much acceptable risk as is reasonably possible.” We likewise agree with Robert S. Kaplan, author of Risk Management and the Strategy Execution System, who says: “Risk management. . . is about identifying, avoiding and overcoming the hurdles that the strategy may encounter along the way. Avoiding risk does not advance the strategy; but risk management can reduce obstacles and barriers that would otherwise prevent the organization from progressing to its strategic destination.” References ¹Source: Harvard Law School Forum on Corporate Governance and Financial Regulation: Strategic Risk Management: A Primer for Directors Aug 2012 ²The RAF is the ‘’overall approach including the policies, controls and systems, through which risk appetite is established, communicated and monitored.’’ ³Risk management: coordinated activities to direct and control an organization with regard to risk Source: ISO Guide 73 Risk Management – Vocabulary ⁴Risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout  the organization

• NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk.
• NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and  activities.
• NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational policies and practices.

(Source: ISO Guide 73 risk management vocabulary)  

Hoarding. Depression. Two instances of attention deficit disorder. These are personality characteristics of different people whom I have reported to over the years. Executives with titles like CEO, president, director or founder. I’m here to tell you that people in the executive suite, just like the rest of society, live with mental illness. I know this because I’ve worked for them and, more importantly, because I am one of them. I have lived with chronic depression since I was eight years old. I also, by many measures, have had a rewarding and successful career in consulting and financial services. I want to share my thoughts on three vital issues: first, why senior executives should lead more conversations in the workplace about mental illness, including suicidal behaviors and suicide prevention; second, why I think it is important; and third, some ways we might be able to start more meaningful dialogue. In the past, we’ve often treated mental health as a personal issue that individuals must overcome on their own or with a healthcare provider. But addressing mental health conditions such as depression, substance-related disorders, personality disorders and suicidal behaviors is just as important as addressing any other public health issue. Mental health problems are just as critical as childhood obesity, cancer, hypertension, heart disease, stroke or HIV/AIDS. Over the past few decades, medical science has had great success bringing the death rates down in many diseases. There has been no significant reduction in suicide in more than 50 years. Just as we have  handled other public health issues, we must tackle mental health problems like suicide together in an organized fashion as a total community. Suicide and suicidal behaviors (or SSBs) are complex heterogeneous behaviors commonly manifested in the presence of mental illnesses. They are multifactorial and complex because not all SSBs have the same underlying etiologic factors. I want to approach mental health from the perspective of my personal story. It is a story about one strategy I believe we can all support to improve mental health in the workplace by reducing stigma and increasing awareness and support, thereby lowering the number of suicides. While a change of culture has happened with many illnesses that were previously taboo, there is still a silence around mental illness and suicide. This is even more noticeable in the workplace. So, how do we break the silence? I think there are a number of strategies, many of which we see today: public service campaigns, mental health parity in insurance coverage and workplace programs that provide employee assistance, just to name a few. These are all important components to raising awareness, providing support and changing attitudes. However, I think one of the most effective ways to break the silence is for business leaders who have experience with mental illness and suicide – either personally or through someone close to them – to start talking about it. I have worked in places where we talked about religion, politics and even gun control. We talked about our physical health. We talked about our families and what we did over the weekend. We talked about our dreams and aspirations. So why in the world wouldn’t we talk about our mental health in the workplace? We don’t because the stigma is so strong that the topic is buried. Yet when leaders remain silent about mental illness, there is a discernable and substantial cost to the rest of society. Such silence contributes to the misperception that successful people do not get depressed. It keeps people from seeing that treatment allows many individuals to continue in or return to successful professional lives. Silence also contributes to the myth that people who are brilliant or full of life cannot possibly have so much despair as to kill themselves. They do.  Every day. Just look at Robin Williams. Most people I know were shocked at the news of his recent death. Honestly, I was shocked that everyone was so surprised. I didn’t know Robin other than as a fan, but I did know he had a history of depression and substance abuse. As a celebrity, this was both the fodder of tabloids as well as the legitimate press. He was very open about his challenges. And, as someone who has lived with depression all his life, I know that frequently depressed people use humor to hide the pain they feel – to keep people from seeing the dark inside that no one wants to see. Like many of us who live with the condition, I believe Robin Williams wore a brighter self in public to distract from the darkness that settled over him behind closed doors. Most people don't see depression in others, and that's by design. We depressed people simply hide ourselves away when we've dimmed so as not to shade those who live in the sun. So the fact that Robin Williams died by suicide was not surprising to me at all. It certainly is a tragic loss of a great entertainer. But watching the mass reaction highlighted to me how little people know about depression and suicide. I even sensed a restraint at first to report his cause of death as suicide. Then, when it became known he had Parkinson’s, it was almost a sigh of relief, as though that, instead of depression, was the real cause. It almost allowed the suicide to be explained away and silenced. It is this silence that helps perpetuate the stigma of mental illness. The notion is that successful people don’t get depressed and that depressed people are not successful. We know neither of those statements is true. But the stigma perpetuates the myths. These myths pervade all facets of society, and business leaders are the community gatekeepers. It does not matter whether you are speaking about mega-corporations or small business. Leadership is likely to come into contact with those at risk for suicide or mental health problems. However, these business leaders ordinarily are not trained to be influential. From the public health perspective, the reduction of stigmatization of mental illness including suicide must be a first step at prevention efforts on a large scale. There is a difference between those exhibiting a diagnosable mental health issue and those who are able to have access to proper mental health care. This, too, is part of the challenge. Business leaders and those in the public arena have a unique opportunity to lessen this stigma, to mobilize research efforts, to raise money and to educate others who do not have the same financial and educational advantages. Where I work, we do talk about mental health, depression and suicide. We talk about it because I talk about it. People look to me to set the tone of the workplace. More than anyone, I am responsible for establishing what is okay and what is not okay to say and do in the office. Whether I like it or not. Whether I recognize it or not. As the senior person in the office, setting the tone and defining what is acceptable is one of the most important roles I play. There are forward-thinking companies out there providing programs and assistance to employees. Prudential offers an employee assistance program, training for managers to spot distress among employees and health clinics that screen for mood instability and more. Still, the company recommends employees stop short of telling managers about their diagnoses, according to Ken Dolan-Del Vecchio, vice president of health and wellness. The reason he gives is, "We don't want managers to be acting as surrogate counselors." No company would say the same thing about heart disease or cancer. Dupont trains managers to identify signs of distress in workers. However, Paul W. Heck, global manager of employee assistance and WorkLife services, says conversations with a boss about a diagnosis "would never be encouraged." Managers at Dupont who do identify distress are asked to remind employees of the assistance program, which offers free counseling. While these efforts are laudable and provide valuable services to employees, it’s obvious that corporate America still views mental health as something not to be discussed. It is not just a matter of confidentiality concerns for the firm. The message is to keep silent. But there is no way to break the stigma if we keep silent. And the reality is that the fear is unwarranted, and, if discussion starts at the top, it can easily change attitudes and behaviors. There is much that business leaders can do. While leaders are more likely to be committed and indeed supportive if they understand what’s in it for the company, the most effective way to gain leadership support is if they personally relate to it. Senior executives like to have a cause, whether it’s cancer, homelessness, youth or any number of issues; business leaders frequently are champions. They use their position and influence to engage the staff, corporate communications, HR and other resources, including the community, to work together to address social needs. Their ability to effect change is vast and untapped when it comes to mental health and suicide. We just need to get them talking about it. Two years ago, I had wrist problems and had to get physical therapy for several months. In the beginning, I went to a see a therapist twice a week. Everyone knew about my wrist problem. They knew where I went twice a week, and they were sympathetic to what I was experiencing. Today, I no longer need physical therapy, but I do go to a doctor every week. I go to see a different kind of therapist. The kind you talk to and get advice from. In the beginning, I told people I was going to see my psychiatrist. Now, I don’t feel the need to re-enforce the point every time I go to see my therapist, because everyone already knows. Seeing this therapist is just like seeing my physical therapist. I have declared it okay to leave the office to see your doctor, even if that doctor is focused on mental health. I’ve set an example that it’s okay to talk about this at work, and, more importantly that mental health should be treated no differently than any other health concern. This openness definitely has an impact.  A while back, we were in the office on a Monday morning talking about the weekend. One person had been at the family house on the lake with the extended family – grandparents, aunts, uncles. One of his aunts was going through another depressive episode. The employee admitted that in the past when his aunt was depressed he tended to leave her alone and felt she should “just get over it.” But this weekend, he spent time talking to her, listening to her and reassuring her. His exposure to someone living with depression in a different setting allowed him to be more sympathetic and understanding. I’m sure if friends or co-workers exhibited signs of depression, he would be able to be more supportive of them, too. Getting to know a co-worker living with a mental illness changed his attitude. While I would never have chosen to be born with depression, I have learned to appreciate what it has given me. True, it has presented some significant challenges and difficult times. But these challenges have also given me a tremendous amount of strength and resilience. I draw on this both in my personal and my professional life. Having been in financial services for much of my career, I have experienced significant work challenges. I led the effort to keep a major financial service provider funded and operating as it went through a downsizing from more than 14,000 to fewer than 4,000 employees. Back in 2007, during the early stages of the financial crisis, I was at a major financial services company when an industry analyst used the "bankruptcy" word speaking about the company. The press descended in droves, customers were concerned and a year later the company was acquired by another bank. In all these situations and many more, I have been counted on as a leader during substantial adversity. Yet these challenges cannot compare to the difficulties I have faced with depression. It is through the struggles with depression that I learned how to attack really difficult situations and how to get through the tough times at work. Depression has also given me an increased empathy toward others. While I think this manifests itself daily in the way I manage, it certainly helps in those situations when it is most needed. Once, as soon as I had started a new job, an employee whom I had not met did not show up for work for several days. No one knew what happened until we heard through one of his friends that he was in the hospital psychiatric ward after attempting suicide. He had served in Afghanistan and had post-traumatic stress disorder (PTSD). He had just bought a house that he and his fiancée were going to move into. But, before moving in, his fiancée broke up with him. When he got out of the hospital, he contacted another executive he knew. This person knew my background with mental illness and suggested the two of us meet. When we met, it was clear he wasn’t ready to come back to work, so I got him to agree to meet me for coffee twice a week. This was my way of making sure he got out of the house and allowed me to help him with referrals for things like therapists and support groups. I talked with him about being in therapy and how it had helped me. Because the people who hired me knew of my advocacy around mental health, I was brought into the conversation and was able to provide support as this young man started down the road to recovery. I’m happy to say he got the help he needed and now, years later, is thriving. In the alpha-male-dominated, type A, adrenalin-charged executive suites of corporate America, admitting to weakness of any sort is viewed as taboo and a job-killer. The prevailing view is that people at the top get paid a lot of money and should be able to handle whatever their job throws at them. It is incredibly difficult to find examples in the press of senior executives who have taken a leave or resigned for mental health reasons. And we know death by suicide is often attributed to other causes. However, we are seeing mental health in the press more and more. Last year, Barclay’s compliance chief resigned after taking a leave of absence for stress and exhaustion. In 2011, the new Lloyd's chief executive took a leave of absence after eight months on the job for stress-related problems. Last year, the CEO and the CFO of two different companies in Switzerland died by suicide, and their deaths were reported in the press. And I’m sure you are all aware of the recent string of Wall Street suicides. So, while the perception is that people at the top can and should handle anything, the reality is somewhat different. Clearly, there are people at the top who are experiencing mental health problems. People in the highest offices of corporate America do live with mental illness. Personally, I think depression is a much more common affliction with executives, entrepreneurs and leaders than society is willing to admit.  And, just going by the numbers, many, many more have a family member, relative or friend living with a mental illness. There have to be senior executives who have been affected by suicide. It seems to me depression is the family secret we all share. Frequently, a bereavement leads to depression, which, in turn leads to suicide of a family member, which can lead to another period of bereavement, depression and suicide. It can be an evil circle. So how do we create awareness and a sense of urgency around mental health in corporate America? How do we make sure suicide-prevention efforts are supported and sustained? There are many strategies. I’ve already mentioned things like anti-stigma campaigns, health care parity, wellness clinics and employee assistance programs. Together with mass media and extensive research into the causes and treatment of mental illness, we should see a change in corporate cultures. These are critical efforts, and we should continue supporting them. I’d like to propose one more strategy. That is a concerted campaign targeting senior executive leaders to become mental health and suicide prevention advocates. How do we accomplish that? Let’s reach out to senior executives in a number of ways. Above all, we have to make talking about, and then communicating about, mental health concerns acceptable in their rarified sphere of influence. Only then can we create support groups, arm them with thorough training about mental health and suicidal behaviors, create speakers bureaus of senior leaders who are open and sharing and teach them to become knowledgeable advocates. First, let’s provide support for the leaders themselves. Clearly, there are people at the top are who are experiencing mental health problems. Why not create a support network for these individuals? Let’s provide a safe environment for senior executives to talk with their peers about what they are going through – personally and professionally. Philip Burguieres was the youngest CEO of a Fortune 500 company. In 1996, this self-described workaholic had to leave his job because of depression. It was several years before he returned to work. Today, he is a vice chairman of the Houston Texans football team. He is actively sought by CEOs with similar stories. He has been rather public about his very private support of a secret network of CEOs with depression. We could extend Philip’s example to create a safe community for senior executives challenged by mental illness to talk, share, and find support. It could even be positioned as an extension of the increasingly popular executive coach strategy. Let me give you another example. Last year, the UK arm of Deloitte, the international business advisory firm, appointed a British senior partner, John Binns, as its mental health and personal resilience advisor. Deloitte is one of the most forward-thinking companies with respect to human resources of all the places I have worked. After taking a leave for depression, John created a group of nine mental health champions at Deloitte UK, partners in the firm who were trained to discuss and support mental health in the workplace. He provides one-on-one advice for individuals in the firm who want to speak about mental health issues affecting them or their family. He also provides mental health awareness and advisory services to other businesses across the UK. We know that most deaths by suicide are by individuals with a diagnosable mental health issue, but only a minority those individuals receive any mental health service. Confronting mental health in the workplace should be an effective method of reducing deaths by suicide. As the stigma is reduced and more people get the care they need to recover, efforts like zero suicides among people who are receiving care become more significant. Moreover, to the degree benefits like employee assistance programs, wellness programs and general awareness and prevention programs are used in the workplace, advocacy by senior management is the best way to make these efforts a sustainable and core part of the organizational culture. So why do I think this will work? Why should corporate leadership become a major force in mental health efforts including suicide prevention? Why will it make a difference for people with mental illness and suicide attempt survivors to be open in the workplace? For me, the answer is simple. I’ve been through this before. Coming out of the mental illness closet is not the first closet I’ve come out of. Twenty-three years ago, when I was accepted into business school, I made the decision to be open and honest about being gay. It may not have been a revolutionary act at the time, but it was a time when almost everyone in corporate America still was in the closet. I decided that I didn’t want the next generation to experience the same prejudice, ignorance and stigma that I experienced. I told myself that if I were someplace that didn’t want me because I’m gay, I could take my Stanford bachelor and Kellogg MBA degrees and go somewhere else. This spring marked my Kellogg 20^th anniversary. I ran into someone I knew quite well during school but had lost touch with over the years. While re-connecting at the reunion, he mentioned that he was against my being open while at business school. But now he sees what’s happening with gay marriage and thinks my being open must have made a difference. I look back at the past 25 years, and I know the important role every out and open gay person has played by simply being honest about who they are. And one important lesson we have learned is that to ask others to accept us means we have to accept ourselves. I think the people living with mental illness and suicide attempt survivors at the corporate level need to come out of the closet. We are the best positioned to shatter the silence. If we can combine this openness with change in the business world driven from the top down, I know we can make a significant impact on the stigma around mental illness and suicide. I talk about mental health in the workplace because it’s the best way I know to break down the stigma. I want to make a difference, and I can afford to take the risk in an effort to effect change. As the senior executive in charge, setting the tone and defining the organization’s core values is one of the most important roles I play. Living with depression has not always been easy. However, in many ways it has made me a better person, a better manager and a better business leader. Living with depression has been challenging, but it has not kept me from succeeding.

CHAPTER 4: Roadmap to Creativity Culture of Creativity Creating a culture of creativity is an essential building block for a successful product development company. To succeed, every profit center leader should ingrain a culture of creativity into every aspect of its daily routine. The start of this creative journey begins with the support, process, rewards and goals. Each of these steps is discussed in this chapter. New Product Directors It is advantageous for each profit center or business unit to appoint a new-product director as a resource charged with overseeing product idea generation and development. This can be a full-time or part-time position. Responsibilities could cover a wide range of activities, including:

• Idea generation – Interact with staff, brokers and clients about product needs.
• Idea validation – Review ideas with the product innovation council.
• Project oversight – Assign a product champion to each new idea.
• Post-launch performance review – Track new product sales.

Having a new-product director who is responsible for this journey -- “the navigator” -- can be extremely helpful to a profit center’s success. Experience has shown that it is most effective if the new-product director is a full-time, dedicated employee who is an experienced executive who can command respect and attention. If the organization has a centralized new-product department, this department partners with each new-product director and assigns a staff member who will provide support and assistance. Product Innovation Council The formation of a product innovation council in each profit center can provide the company and its new-product director with an organized approach to finding and vetting ideas. The new-product director will lead and organize the product innovation council within that division and should consist of managers from each of the profit center’s major product lines. Regional, legal and marketing participation should also be included. The purpose of the product innovation council is to find new products ideas, review ideas submitted and recommend to senior management developed ideas for evaluation. For smaller organizations, a single product innovation council, sometimes called a product innovation steering committee, can be very satisfactory.   New-Product Champion Finally, for each individual new product, the profit center should choose a champion who steers a particular product through development. The new-product champion will be a crucial part of the product development team. Usually, the new-product champion is a manager or underwriter who will have the ultimate responsibility for the product once launched. Product Development Process The key to the success of a creative culture is the establishment of a methodology to develop, design, test, launch and confirm the validity of a new product. New-Product Award Program To maintain momentum on this creative journey, it is important to recognize profit center participants who contribute to the development process. Therefore, it is advantageous to have some standing reward program. A program might look like this:

• Idea Accepted for Development, $100
• Launched Product Idea, $500
• Financially Successful Product, a percent (usually very small) of the first-year revenue, up to a fixed amount, such as $10,000

Non-monetary rewards, however, should not be underestimated. Psychologists tell us that a nice letter of recognition from the CEO or an acknowledgment in the company newsletter can often be more valued by the employee than a $100 gift card. Some companies use sophisticated surveying techniques to find the most optimal combination of rewards, often finding that the monetary rewards do not have the level of impact they were thought to have. The following are a few examples of items that could be offered:

• A letter of appreciation from the profit center executive
• Recognition in the profit center newsletter
• Lunch with the profit center executive
• A photo with the CEO
• An additional personal day off

Specific New Product Goals That which is measured is that which is done. It thereby goes without saying that a product in development must have specific, measurable goals before launch. Also, however, the entire organization should have specific, measurable goals for product development. How much are new products contributing to the top line? To the bottom line? What are the other measurements such as speed (“cycle of development”), account retention, cross-selling impact, etc.? Once the firm has its overall goals, these must be incorporated within the budget and goal setting of every profit center so that the goals and strategies of the profit center align with those of the firm as a whole.

The Affordable Care Act can help workers' compensation professionals close claims. Now that injured workers can buy private health insurance regardless of pre-existing conditions, parties can calculate case value according to the cost to fund health insurance premiums. Uncertain about the cost of future premiums? You're an old hand at this -- the cost of future medical care is an issue you’ve always dealt with in settlements. Consider likely future use changes and inflation. Use all the resources you have and negotiate. The big objection to closing out future medical is uncertainty about the future. Expanded Medicaid, available in 27 states and the District of Columbia, provides a safety net. Expanded Medicaid (Medi-Cal in California) does away with resource rules. Individuals aged 19 to 64 who have modified adjusted gross income less than 138% of the federal poverty level can access public health benefits, no matter how much money they just received to settle their claim. Expanded Medi-Cal enrollees cannot be Medicare beneficiaries, pregnant or incarcerated, and they must meet their state’s citizenship requirements. For some types of injuries in California, this may include undocumented workers. Read more. Although the term "Obamacare" is a nickname for the Affordable Care Act, many people think those are two separate things, and politics gets in the way of clear thinking. When discussing settlement with counsel and clients, talk about using "The Affordable Care Act" to avoid the emotions the term "Obamacare" triggers. Make sure you mediate with someone who understands all the options for replacing medical benefits in our new healthcare environment.

In 2012, a young scam artist based in Asia posing as a private investigator simply purchased the personal information for more than 200 million users directly from credit reporting giant Experian and then posted it for sale online. The only reason we know about the incident is that the U.S. Secret Service caught it.  Experian didn’t. Cyber criminals know that the weakest link in most computer networks is the people using it. Verizon’s highly respected Data Breach Investigations Report has repeatedly noted that most attacks start with employees. Attackers use “social engineering” to trick their victims into allowing unauthorized system access, data theft and even specialized stealthy attacks used to quietly steal massive amounts of sensitive data over time. These attacks frequently exploit our natural tendency to want to help others. They can be in person, electronic or over the telephone, and there are a variety of ways they can be used to take advantage of you: “Phishing” attacks are designed to steal your personal, financial or log-in information through an email, text message (referred to as “smishing”) or even an automated phone call (“vishing”). The attacks often appear to come from well-known and trusted companies like banks, airlines or industry groups and contain attachments or links to websites that look legitimate but are really there to steal account log-in information or host malware ready to attack the recipient’s computer as soon as he clicks on any of the links. These emails and messages can also be used to lure victims into contact with scam artists posing as potential clients or officials offering to release substantial funds if only the target would be so kind as to hand over detailed personal information or a sum up front. A spear phishing email is a personalized version of a phishing attack looking for the weak link in an otherwise strong network. It will be aimed at a specific target (rather than a general phishing email intended to ensnare whoever falls for it) and typically includes personal or professional information to make the recipient trust the sender. These details can come from online sources like LinkedIn, Facebook and other social networks and contain information available via business-related websites, as well as particulars obtained directly from coworkers via social engineering. Spear phishing emails often appear to come from a familiar source like a friend, family member, colleague or a business you deal with regularly. This is because of a process known as "spoofing," in which the actual sender hides his identity, and the “from” field in the email shows the fake sender’s name, not the real one. The data breach at Forbes earlier this year began with an early morning spear phishing attack against a senior executive. Whaling is an attack that deliberately goes after senior executives, partners and other high-profile targets within a business. The idea behind this approach is that these targets are “big fish” who have wide access within the network yet may not take the precautions needed to keep their own accounts secure. Pretexting is effectively in-person phishing to gain information or access to a restricted area. The term “pretexting” refers to the setup used to convince the target that there is a justifiable reason (or pretext) to divulge the information or access the person is after. These attacks can take a wide variety of forms, often revolving around someone (or a team) creating a distraction or masquerading as someone who could have legitimate access to the system they're targeting. It could be someone who claims to be from "corporate," a fake contractor, fake IT personnel or something as random as a "fire inspector" allegedly checking the office for imagined safety hazards while an assistant/accomplice surreptitiously places devices to monitor or siphon sensitive data from the victim network. Another in-person bit of trickery is “tailgating.” That’s when someone who claims to have forgotten their company ID, etc. asks you to hold the door behind you, allowing him into a restricted area. The same term is also sometimes used to describe someone asking to briefly borrow your phone, tablet or laptop to check something quickly and actually downloading malware instead. Live social engineering attacks can also come by phone, such as fake “technical support” calls offering to fix imaginary problems with your computer if you will just allow the caller to briefly take control of it remotely. Baiting is a type of attack in which a piece of portable electronic storage media like a CD-ROM, laptop or USB stick drive is left at or close to the target's workplace to tempt the curious victim into seeing what's on it. These will often include an official-looking logo or markings to make them especially tempting. How curious would you be to look at something labeled “Senior Executive Compensation – 2014” (with your company’s logo on it)? Of course, once the card, laptop or stick drive is connected, it will quietly download malware onto the network. And, yes, this initial intrusion into the network will likely be traceable back to you. What can you do to avoid being the weakest link? The one thing these attacks all have in common is that they rely on you to go along with the story they’re selling. The single best thing you can do whenever you receive an unsolicited electronic message or call from a business or someone you don’t know personally is to assume that it’s fake. Never click on links, open attachments, call phone numbers or use any other method of contact contained in any unsolicited emails, texts or calls. If you think the email, etc. could be legitimate, contact the alleged sender via phone or their official website. If an email that appears to be from someone you know seems out of character, unexpected or strange in any way, give the sender a call to see if it really came from her. When someone asks you to help her access something – or someplace – restricted, ask yourself why she needs your help. Also, it never hurts to take a moment to check out the story you’re given. A quick phone call (not using a number she gives you) can derail a social engineering attack before it starts. Tempting though it may be, opening that conveniently abandoned stick drive, etc.  yourself is a bad idea. Take it to your company security or IT personnel. Speaking of which, an IT department can (and should) take steps to help protect a network from electronic intruders, including the installation of network security software, but don’t forget that the first line of defense against a social engineering attack is you.

A new study from the Workers Compensation Research Institute (WCRI) showed that Georgia’s changes to the reimbursement rules for physician-dispensed drugs reduced the average price per pill paid by 25% to 40% for most of the drugs commonly dispensed by physicians. However, the post-reform prices paid for physician-dispensed drugs were still 20% to 40% higher than the prices paid to pharmacies for the same drug. “In many states across the country, policymakers are debating whether doctors should be paid significantly more than pharmacies for dispensing the same drug,” said Dr. Richard Victor, WCRI’s executive director. “Policymakers in Georgia adopted new rules to narrow the price difference, and the research continues to show the new regulations did not discourage physicians from continuing to dispense these drugs at lower prices, which was a concern.” The study, Impact of Physician Dispensing Reform in Georgia, 2nd Edition, is an update to the 2013 WCRI study that examined the early results of Georgia’s reform using pre- and post-reform data. With an additional year of data, the study found that there was little change in the prevalence of physician dispensing in the second post-reform period after an initial drop (from 36% pre-reform to 28% in the first post-reform period and 27% in the second post-reform period) while the share of drug costs for physician-dispensed prescriptions had a further five-percentage-point decrease (from 49% to 34% and now 29%). Georgia’s rule changes, effective in April 2011, capped the reimbursement amount for physician-dispensed prescriptions to the average wholesale price (AWP) of the original drug product used in the repackaging process if a repackaged drug is dispensed. The reform did not limit physicians’ ability to dispense prescription drugs. Georgia is one of the 16 states that have made legislative or regulatory changes to address cost issues related to physician dispensing. Before the rule change, for example, a prescription for hydrocodone-acetaminophen was paid at $0.48 per pill when filled at a pharmacy, but $1.06 per pill when filled at the doctor's office—a price difference of 121%. In the two post-reform periods, the price difference for the same drug was significantly reduced but still at 34% to 39%. The data used in this analysis of Georgia’s pharmacy fee schedule reform came from payers in Georgia that represented 46% of the claims in the state workers’ compensation system. The pre-reform data consist of claims from 3,851 injured workers with more than one week of lost time. These claims arose between April 1, 2010, and Sept. 30, 2010, with 24,672 prescriptions filled through March 31, 2011. The data for the first post-reform period consist of 3,960 claims that arose between April 1, 2011, and Sept. 30, 2011, with 24,925 prescriptions filled through March 31, 2012. The data for the second post-reform period consist of 4,164 claims that arose between April 1, 2012, and Sept. 30, 2012, with 25,325 prescriptions filled through March 31, 2013.

Let’s face it, insurance is not an industry known for the quality of its customer experience. Rather, it’s an industry known more for its complexity, its lack of transparency and its stubborn adherence to old-fashioned ways of doing business. Granted, some insurance providers are trying to counter this reputation -- a few have even been so bold as to appoint chief customer officers (yes, sadly, that qualifies as “bold” in the staid insurance industry). Still, the idea of investing in a better customer experience is often met with skepticism in the insurance C-Suite. Those occupying the corner office may publicly affirm the importance of the customer experience, but, privately, they question the value of customer experience differentiation, unsure of the financial return it really delivers. In an industry where actuaries are kings and numbers rule the day, the seemingly “soft” benefits of a great customer experience don’t carry much weight when it comes to allocating capital. In reality, those benefits are far from soft -- it’s just that many firms aren’t well-versed in the economic calculus of customer experience, which requires a holistic, cross-silo view of financial impacts. (For example, the benefits of a plain-language policy summary from an underwriter may only manifest themselves downstream -- by reducing customer confusion, and preempting phone calls, to a service center.) What many numbers-oriented insurance executives seem to crave is quantifiable evidence that, at least at a macro level, a great customer experience really does pay dividends. And now they have that evidence. The graphic below illustrates the results of Watermark Consulting’s “2014 Customer Experience ROI Study.” The Watermark analysis sought to determine the long-term value of customer experience differentiation using a language that most any CEO would understand – shareholder value. The study calculated the cumulative total stock returns for two model portfolios -- composed of the Top 10 (“leaders”) and Bottom 10 (“laggards”) publicly traded companies in Forrester Research’s annual Customer Experience Index rankings. For the seven-year period ending in 2013, the Customer Experience Leader portfolio outperformed the S&P 500 market index by an astounding 26 percentage points. Perhaps even more striking was the performance of the Customer Experience Laggard portfolio, which posted a 2.5% decline in value, despite a big rally in the broader market. The results underscore the benefits enjoyed by companies that invest in, and effectively execute on, a customer-experience strategy: higher revenues (because of better retention, less price sensitivity, greater wallet share and positive word-of-mouth) and lower expenses (because of reduced acquisition costs, fewer complaints and the less intense service requirements of happy, loyal customers). Conversely, the study also provides a sober reminder of how customer dissatisfaction saps business value, by depressing revenues and inflating expenses. Whether your firm is a public or private entity, the lesson here is clear: The market believes that companies that deliver a great customer experience over the long-term are simply more valuable than those that do not. And that’s a message that insurance traditionalists should take to heart, because a great policyholder experience really is good for business. Note:  A complimentary report describing the 2014 Customer Experience ROI Study, including commentary on how the leading firms differentiate themselves, is available from Watermark Consulting.

Epidemic diseases such as Ebola present a significant threat to the safety of both victims of the disease and the individuals who come into contact with those who are infected. Even with advanced medical facilities and protocols, healthcare workers are particularly vulnerable to outbreaks of infectious diseases because they work in close proximity to the victims for extended periods. Further, the facilities themselves tend to be densely populated with workers who run the risk of secondary exposure from medical equipment and other workers who may have been exposed to the disease. Self-insured workers’ compensation plans are very popular among the large health facilities that are likely to deal with these outbreaks. It is therefore important for risk managers and hospital executives at these facilities to not only prevent these infectious diseases from spreading to their employees, but to protect the hospital financially if such an outbreak does occur. An excess workers’ compensation policy provides reimbursement to self-insured employers for any workers’ compensation claim that exceeds the policy’s self-insured retention (SIR). Under most policies, a claim is defined as an occurrence or event that causes a loss. This provision allows the self-insured employer to combine the losses from multiple individuals injured in the same event under a single SIR rather than individually for each employee. Most policies however, require a separate SIR per employee for claims of occupational disease and illness. Therefore, if 10 employees contract the same disease in the course of their employment, the self-insured employer would be required to retain the SIR 10 times (once for each employee) under most basic policy forms. Clearly, this is an area of potential concern for self-insurers especially because most excess workers’ compensation carriers require minimum SIRs of $500,000 (or more). To help self-insured employers manage the expense of occupational disease claims, many excess workers’ compensation carriers offer a communicable disease coverage either as part of their policy form or as an endorsement to the underlying policy. A communicable disease coverage combines the losses of multiple employees suffering from the same disease or illness under a single claim and, therefore, a single SIR. Unfortunately for self-insurers, not all communicable disease coverage is created equally. Unlike traditional workers’ compensation policies, where carriers use the same policy form, each excess workers’ compensation policy is unique. My current excess policy has a communicable disease endorsement, so I don’t need to worry… right? Just because an excess workers’ compensation policy contains a communicable disease provision doesn't mean the policyholder is fully protected from this exposure. Communicable disease coverage is unique to the underlying policies to which it is attached and the carriers that issue them. In many instances, the only consistency between various carriers’ coverage forms for this potentially serious exposure is the name of the coverage itself. Each communicable disease coverage has its own set of definitions, rules and limitations, so it’s important for the policyholder to understand the key provisions that determine how the coverage is triggered and how it responds to potential claims. In general, communicable disease coverage can be compared using four basic criteria: covered diseases, transmission sources, symptom manifestation and coverage limits.  What’s in a name? The definition of a communicable disease is extremely important. Some coverage forms define communicable disease in very broad terms while others define such illnesses very narrowly. Forms that use the terms “disease” or “illness” generically but do not specifically enumerate covered or excluded diseases are most favorable to the policyholder. Forms with non-specific definitions can provide the policyholder with coverage for virtually any type of work-related communicable disease ranging from the common cold to meningitis. Some carriers’ communicable disease forms will specifically list the names or types of diseases that will be covered or the types of diseases that will be excluded under the policy. Much like a named-peril insurance policy, a communicable disease form that lists specific illnesses will only respond if two or more employees contracted a disease that was listed on the coverage form. If the policyholder suffers a claim that does not appear on the list of covered diseases, it’s not likely to be subject to the communicable disease coverage. Narrow definitions of covered losses can be particularly problematic when an outbreak of a previously unknown illness occurs. Again, if it isn't listed, it’s probably not covered. Conversely, coverage forms that exclude specific diseases not only prevent the self-insurer from seeking coverage for such losses under the communicable disease provisions but may also exclude coverage under the basic occupational illness section of the underlying excess workers’ compensation policy, as well. Consider the source One of the few universal components among communicable disease coverage forms is that the disease must be transmittable between individuals to be covered. Diseases such as black lung and asbestosis are often considered to be occupational illnesses but are not subject to communicable disease coverage because they cannot be transmitted from person to person. These specific diseases can only be contracted by prolonged exposure to coal dust and asbestos, respectively, and not merely by being in close contact with someone suffering from those diseases. The term “transmission” (or some similar term) appears in all communicable disease forms, but the manner in which the disease is transmitted is far more important. Generally speaking, some policies require a disease to be transmitted directly from one person to another to qualify for communicable disease coverage while others allow for both direct and indirect transmissions. Indirect transmissions are commonly referred to as source-to-source exposures. Forms that require a disease to be transmitted directly from person to person are far more restrictive than those that permit diseases to be transmitted from source-to-source. For example, if a group of hospital workers contracts swine flu after being exposed to an infected patient or even another co-worker who was previously exposed, the incident would likely be covered under both the person-to-person and source-to-source rules. If, however, a janitor and a nurse contracted swine flu after handling a soiled pillowcase, communicable disease coverage would only be triggered under a policy with a source-to-source provision because the individuals contracted the disease from an object and not directly from another person. Tell me the truth – how long do I have? Communicable disease coverages typically require individuals to contract the same disease or manifest symptoms within a specified period to be eligible for the coverage. If two employees treat a patient suffering from SARS and both exhibit symptoms of the disease a couple of days later, this would likely meet the coverage triggers required under most communicable disease forms. Conversely, if one employee develops SARS within a few days of exposure and the second begins to exhibit symptoms eight weeks later, the communicable disease coverage would be unlikely to respond. The incubation period for this particular disease is normally seven days, therefore, even though both employees ultimately contracted the same disease, it is highly unlikely that they contracted it from the same exposure. Thus, their claims would not be combinable. Illnesses with long incubation periods are sometimes more difficult to classify under communicable disease coverages because of the time constraints required under some forms. Some forms set forth very specific time frames in terms of hours or days between the time when a group of employees is first exposed to a particular disease and the time the symptoms manifest. Coverage forms that allow symptoms to be manifested at some point during the policy period are generally more favorable to the policyholder. Such forms can combine losses for a successive string of employees infected by one another over a prolonged period (weeks or even months) as long as the infections took place during the policy period and their respective illnesses can be traced back to the same original source. One potential downside to the policy period provision can occur when the event straddles two different policy periods. If an infection occurs during one policy period and continues to affect employees through a second policy period, it is likely that two separate claims would be developed, thus requiring the employer to satisfy the SIR twice. In this instance, the communicable disease coverage from the first policy would respond to the employees who exhibited symptoms from the time of exposure up until the end of the policy period. Any employees who exhibit new symptoms after the effective date of the new policy period would constitute a separate claim under the new policy’s communicable disease coverage. Take it to the limit Coverage extensions and endorsements sometimes share the same limits as the underlying policies to which they are attached. In other cases, coverage extensions carry their own limits in addition to the underlying policy limits or sub-limits, which may erode the underlying excess policy’s shared limit. These limits can be provided on an occurrence basis, aggregated basis or both. Communicable disease forms that carry coverage limits outside of the underlying policy’s basic limits can pose a very significant (and hidden) exposure to the policyholder and therefore should be examined closely. If communicable disease coverage shares its limits with the underlying policy, the policyholder need only determine an adequate coverage limit for the underlying policy. If, however, the communicable disease coverage carries its own limits, it’s important for the policyholder to make certain those limits will provide adequate protection in the event of a loss. In some instances, communicable disease coverage can carry per-occurrence or aggregated limits as low as $1 million. Although the policyholder gets the benefit of combining multiple claimants under a single SIR, the collective losses can also serve to erode the occurrence limit very quickly, especially for diseases that require significant amounts of treatment and lost time. Aggregated limits are typically shared over the course of a policy period and are likewise eroded by each communicable disease claim filed during the policy period, thus leaving less coverage available for future claims. More importantly, once the limit is exhausted under communicable disease coverage, any amounts exceeding the coverage limit would be ineligible for reimbursement under the communicable disease coverage and possibly the underlying excess policy, as well. Depending on the circumstances of a given loss and the coverage provided under the applicable communicable disease form, it is possible that the communicable disease coverage could actually end up costing the employer more than a basic, unendorsed policy. That’s great information, but what can I do with it? Many excess insurance carriers do allow at least some flexibility in the coverage they offer. In many instances, limits are negotiable on the underlying coverage, and those limits can sometimes be increased even after the policy has been issued. There may be an additional premium required to add communicable disease coverage to an underlying excess policy or to increase the limits on existing communicable disease coverage but the cost is typically modest as compared to the excess policy and the overall self-insurance program. Self-insurers may also want to consider adding aggregate excess coverage to limit the collective unreimbursed costs resulting from multiple occupational disease or communicable disease claims occurring during a single policy period. Lastly, it may be prudent for self-insurers to take the terms and limitations of various communicable disease coverage forms into consideration when choosing an excess workers’ compensation policy. Epidemic diseases represent potentially one of the greatest financial risks to self-insured employers with exposures to such claims, especially hospitals and other healthcare providers. It is therefore important for those self-insured employers to make the communicable disease and occupational disease coverage a priority and not simply an add-on. Again, not all communicable disease coverage forms are created equally. Choose carefully.

The Earth is a living, breathing planet, rife with hazards that often hit without warning. Tropical cyclones, extra-tropical cyclones, earthquakes, tsunamis, tornados and ice storms: Severe elements are part of the planet’s progression. Fortunately, the vast majority of these events are not what we would categorize as “catastrophic.” However, when nature does call, these events can be incredibly destructive. To help put things into perspective: Nearly 70% (and growing) of the entire world’s population currently lives within 100 miles of a coastline. When a tropical cyclone makes landfall, it’s likely to affect millions of people at one time and cause billions of dollars of damage. Though the physical impact of windstorms or earthquakes is regional, the risk associated with those types of events, including the economic aftermath, is not. Often, the economic repercussions are felt globally, both in the public and private sectors. We need only look back to Hurricane Katrina, Super Storm Sandy and the recent tsunamis in Japan and Indonesia to see what toll a single catastrophe can have on populations, economies and politics. However, because actual catastrophes are so rare, property insurers are left incredibly under-informed when attempting to underwrite coverage and are vulnerable to catastrophic loss. Currently, insurers’ standard actuarial practices are unhelpful and often dangerous because, with so little historical data, the likelihood of underpricing dramatically increases. If underwriting teams do not have the tools to know where large events will occur, how often they will occur or how severe they will be when they do occur, then risk management teams must blindly cap their exposure. Insurers lacking the proper tools can’t possibly fully understand the implications of thousands of claims from a single event. Risk management must place arbitrary capacity limits on geographic exposures, resulting in unavoidable misallocation of capital. However, insurers’ perceived success from these arbitrary risk management practices, combined with a fortunate pause in catastrophes lasting multiple decades created a perfect storm of profit, which lulled insurers into a false sense of security. It allowed them to grow to a point where they felt invulnerable to any large event that may come their way. They had been “successful” for decades. They’re obviously doing something right, they thought. What could possibly go wrong? Fast forward to late August 1992. The first of two pivotal events that forced a change in the attitude of insurers toward catastrophes was brewing in the Atlantic. Hurricane Andrew, a Category 5 event, with top wind speeds of 175 mph, would slam into southern Florida and cause, by far, the largest loss to date in the insurance industry’s history, totaling $15 billion in insured losses. As a result, 11 consistently stable insurers became insolvent. Those still standing either quickly left the state or started drastically reducing their exposures. The second influential event was the 1994 earthquake in Northridge, CA. That event occurred on a fault system that was previously unknown, and, even though it measured only a 6.7 magnitude, it generated incredibly powerful ground motion, collapsing highways and leveling buildings. Northridge, like Andrew, also created approximately $15 billion in insured losses and caused insurers that feared additional losses to flee the California market altogether. Andrew and Northridge were game changers. Across the country, insurers’ capacity became severely reduced for both wind and earthquake perils as a result of those events. Where capacity was in particularly short supply, substantial rate increases were sought. Insurers rethought their strategies and, in all aspects, looked to reduce their catastrophic exposure. In both California and Florida, quasi-state entities were formed to replace the capacity from which the private market was withdrawing. To this day, Citizens Property Insurance in Florida and the California Earthquake Authority, so-called insurers of last resort, both control substantial market shares in their respective states. For many property owners exposed to severe winds or earthquakes, obtaining adequate coverage simply isn’t within financial reach, even 20 years removed from those two seminal events. How was it possible that insurers could be so exposed? Didn’t they see the obvious possibility that southern Florida could have a large hurricane or that the Los Angeles area was prone to earthquakes? What seems so obvious now was not so obvious then, because of a lack of data and understanding of the risks. Insurers were writing coverage for wind and earthquake hazards before they even understood the physics of those types of events. In hindsight, we recognize that the strategy was as imprudent as picking numbers from a hat. What insurers need is data, data about the likelihood of where catastrophic events will occur, how often they will likely occur and what the impact will be when they do occur. The industry at that time simply didn’t have the ability to leverage data or experience that was so desperately needed to reasonably quantify their exposures and help them manage catastrophic risk. Ironically, well before Andrew and Northridge, right under property insurers’ noses, two innovative people on opposite sides of the U.S. had come to the same conclusion and had already begun answering the following questions:

• Could we use computers to simulate millions of scientifically plausible catastrophic events against a portfolio of properties?
• Would the output of that kind of simulation be adequate for property insurers to manage their businesses more accurately?
• Could this data be incorporated into all their key insurance operations – underwriting, claims, marketing, finance and actuarial – to make better decisions?

What emerged from that series of questions would come to revolutionize the insurance industry.