Our list of emerging risks for 2015 covers the kind of perils that keep risk managers up at night: cyber risk, oil price volatility, the changing demands of today’s workforce, the over-confidence corporations have in the ability of their entity to withstand a negative event and more. It’s a long, eye-opening – but certainly not all-encompassing – list. [To read the full article from which this post is taken, visit WillisWire.]
While it is a bit axiomatic to say, it doesn’t make it less true: The world is becoming increasingly complex and uncertain. As the Internet of Things continues to grow, we have access to more and more data on anything and everything. This is good news – more information tends to lead to greater understanding. However, in this age of information overload, it is important to make sure you are using the right data to answer the right questions. We believe the rise in analytic tools will make a significant difference in the way risks are understood, measured, mitigated and transferred.
Political: Oil Volatility
The price of a barrel of oil has slipped by almost 40% in the last few months. Although this price reduction should contribute toward the growth of the world economy in the long run, it has a potential adverse and significant impact on oil-producing countries. These countries are now faced with the risk of either having their economies de-stabilized or run the risk of defaulting on their debts. As a consequence, some of the de-stabilized economies may begin witnessing a mix of risks.
Cyber: The Risk of the Cloud
Cloud computing is rapidly becoming a key component of many organizations’ technology-enablement strategies as they continue to seek differentiation in competitive markets. Cloud, however, is a significant issue from a risk perspective, both in the context of governance and compliance. An example: geographic location of data – are you sure where personnel data is resident, and is that consistent with the jurisdiction of geographies where client organizations operate? Also, distributing data across many cloud service providers means that accidental aggregation that can compromise the re-aggregated credentials is a real issue. Cloud, therefore, constitutes an arena where we are only now coming alive to some of the dimensions of complexity with which we are going to have to wrestle in the coming 12 months.
With oil prices tumbling and margins expanding, the fuel-intense transportation industry is perhaps a little more relaxed about the risks it is facing. There is, however, a fast-growing aviation risk that could affect businesses across all sectors: drone usage. Unmanned aerial vehicles (UAVs), or drones, are now being used by utility, construction, leisure and media companies, to name but a few. Our lives would really change if our online orders were delivered to our drone landing pad! Regulation of the operation of these aircraft varies widely across the world, and, sadly, as a result of this and some ignorance, “near miss” stories are frequent. Drone technology is very familiar from military activity, but commercially it does have the power to change, save and protect lives. With these rewards come risks, and these need to be understood and managed if you have an eye in the sky!
The risk I’m keeping an eye on this year is a development of one that is already extant: the further growth of Islamic extremist ideology and militant action globally. With the so-called Islamic State seeking to consolidate fundamentalist governance in Syria and Iraq and al Q’aeda and its affiliates seeking to expand further into South Asia, the risks to organizations and individuals from new recruits to and returnees from jihad will grow and mutate. This will include the cyber-sphere as a vehicle for the spread of the ideology that drives militant fundamentalism and as a means of attack. Fragile states will find difficulty in containing Islamic extremism while intelligence agencies will be challenged to detect small armed cells or individuals acting on their own initiative.
Financial Institutions: Technology Partners
Banks jumping into bed with Apple and person-to-person lenders? Isn’t that fraternizing with the enemy? Maybe, maybe not. Financial institutions are smart to be pragmatic about how fast the world is changing and trying to find the right technology partners, but mistakes will be made. I have no doubt that there will be regrets by some institutions as they find their partners are not who they thought they were. Partners may become direct competitors or their partner’s technology may create weaknesses in the company’s online security. Or partners will be accused of bad behavior (think red-lining or insider trading), and suddenly your firm has serious regrets, and your reputation is damaged, as well.
Outsourcing might just be the most common business management earnings booster of the past 10 years – which means that it is also a top candidate for becoming a major emerging risk in the near future. There are two basic ways of controlling the risks of outsourcing – by specifying standards at the outset of the arrangement and by inspection of the process and output on a continuing basis. But with the explosion of outsourcing over the past 10 years, even firms that had set down extensive and clear standards at the time of the original agreement and that have allocated the needed resources for inspection of the processes and outputs are at risk from the complacency that comes from the passage of time without serious incident, the changing individuals on both sides of the agreement and the changing pressures on both organizations. An outsourced process is out of sight. If it also becomes out of mind, then it will likely move out of the emerging risk category into the current problem category.
Analytics: Balance Sheet Overconfidence
An emerging risk I’d like to mention is the overconfidence corporations have in the ability of their balance sheets to withstand a severe reversal of fortune. Many if not most of the world’s largest companies are looking for ways to retain more risk and in the process to reduce their insurance expenditures. One of the reasons mentioned is that many insurers have lower credit ratings than the corporation itself; so why would a company entrust its financial health to weaker institutions? This argument makes sense in an average year, or indeed in most years. However, when a crisis strikes a company, its strong credit rating is a mirage, and insurance coverage becomes very welcome. Approaching the issue of optimizing insurance as a hedge to protect corporate financial objectives is therefore a critical need for most large corporations. When looked at this way, insurance takes on its rightful role as a way to reduce volatility of financial results.
Environment: Extreme Weather Related Risk
Weather-related environmental risk and natural hazards and disasters continue to make the Top 10 list for many risk managers and insurance professionals across the globe. Why? Because we learned some very unfortunate lessons over the years, thanks to the likes of super storm “Katrina,” “Sandy” and other natural catastrophes in terms of the unexpected frequency and severity of pollution losses because of excessive rain, storm surges and overall damage caused by water (e.g., pollution release from floating drums of chemicals, cross-contamination of neighboring properties from historic/pre-existing contamination, sewer authority system back-ups, landfill containment breaches, mold growth, etc.). Many businesses were hurt financially via legal liability, penalties, government regulations, financial disclosure requirements or simply public relations problems surrounding responsible corporate citizenship. If there are any golden rays of sunshine forecast to break through the dark clouds up ahead, then it would be the increased level of awareness by the risk management community and the acknowledgment of the need for adaptation and proper planning. Some can be in the form of reducing overall carbon footprint and greenhouse gas emissions and others via amendments to site improvement or development plans that incorporate better surface water management systems. We’ve blogged about this risk in the past (here and here), and it’s important to address this business risk now as the underwriting community will continue to modify the risk appetite and terms and conditions for certain classes of risk.
D&O: Certification Requirements
Directors have rightly been concerned for some time about the uptick of claims activity and the focus on individual personal liability. Less attention has been paid to the tactic now deployed increasingly by regulators to tilt the evidential burden in their favor when a claim is brought. The single most-favored method of achieving this is “certification”: i.e. the process whereby regulators insist as part of a senior manager’s duties that she certify that everything in her particular part of the garden is rosy. Then, when a storm comes along – perhaps several years later – the certificate is taken out of the filing tray, dusted down and relied on as evidence of neglect in having “allowed” the problem to have arisen. Whether these “early trigger” exposures are adequately addressed in conventional claims made policies is open to question.
Warren Buffett famously said in his 2002 annual report to shareholders, “In my view, derivatives are financial weapons of mass destruction, carrying dangers that, while now latent, are potentially lethal.” In the world of D&O insurance, “derivative” refers to a specific type of lawsuit that is brought by a shareholder on behalf of a company against a third party – usually the D&Os of that company. In a nutshell, the allegations are that the D&Os mismanagement harmed the company. While not a new exposure, it sure seems to have increased. The unofficial top three derivative litigation settlements (not including judgments) that have the largest cash component have now occurred in the last 24 months, with each well over $100 million. And those cash component settlements would most likely have to be funded by the personal assets of the individual D&Os…or, and, more likely, the oft-discussed Side A portion of a D&O insurance program. But what could a board of directors allegedly mismanage?
- M&A transactions
- Cyber-security issues
- Compliance issues (think costly FCPA or other regulatory (civil or criminal) investigations)
- Environmental issues
- Whistleblower issues
- Questionable executive compensation programs
The list goes on!
Asset Management: Demand for Transparency
A key emerging risk in the asset manager space is fees, transparency and conflicts of interest. As the number of retirees increases, there will be increasing pressure on asset and wealth managers and annuity and pension providers to demonstrate value for money and to maximize the size of retirees’ pension pots. Regulators, in particular, will be under political pressure to look closely at this sector. Asset managers should act now to ensure that they understand their obligations to all stakeholders and to ensure that they have achieved a sufficient level of disclosure and transparency.
Real estate is a brick and mortar (OK, glass and steel) industry that would seem to be immune from cyber crime. But owners, particularly residential owners, are increasingly interacting with tenants online, which may include payment of rent. If owners are taking online payment (or if they’re just keeping online records), they are going to be collecting potentially sensitive information. While the tenant portals that the owners maintain are likely to use up-to-date security measures, we’re learning that there may be no place in the cyber realm that is completely safe. A large residential REIT just sustained a data breach of tenant information when someone hacked into its tenant portal. This is probably the leading emerging risk for the real estate sector.
The Millennial generation is at your door with fresh ideas about making work (and life) meaningful. It’s time to stop just strategizing on how to manage Millennials – and time to start truly retooling your human capital strategies to succeed and grow with a workforce that will be driven by their generation. From the C-suite, human resources and every management level on down, reviewing your organization’s value proposition and its ability to attract, retain, motivate and engage employees should be your highest priority heading into 2015. (Because you’d better believe, Millennials absolutely require engagement.) I’ll be going into this in more detail in my Thursday post, The Changing Face of Human Capital in 2015.
Brazil is at a delicate time. The news of corruption cases is growing, and it creates consequences in some types of insurance. The search for protection by these executives is increasing the number of D&O claims. This situation also affect the works and construction sector, because many engineering companies are under investigation; construction and infrastructure suffer a delay in the works, which decreases the hiring of engineering insurance risk. Cash flow problems are also now faced by engineering firms because the irregularities found in their contracts are generating delays in payment of invoices. This makes the public and private works – even those that are not under investigation – have trouble in meeting their schedules, which certainly result in an increase in guarantee insurance claims/sinister. Faced with this whole picture, and if the economy does not grow in 2015, other sectors will also be vulnerable, such as:
- Transport insurance: because of the decline of the industry and trade
- Automobile insurance: impact generated by the decrease in production and vehicle sales
- Benefits insurance: reducing the number of employees as result of the fall in trade
One of the fastest-growing risks we face on a daily basis is being victimized by the accessibility and convenience offered through the growth of online devices. One of last year’s most alarming revelations was a Russian website broadcasting thousands of unsecured webcams from across the world, including several infants in cribs. More than likely, this is the first in what will be a growing trend as the number of Internet-connected devices grows into the Internet of Things (IoT). The more our devices are connected to the Internet, the greater the opportunities available to hackers for exploiting potential security lapses. Exploiting security flaws is especially easy when one installs a new device but does not change any of the default settings. Fortunately, taking an active role in your home’s Internet security can mitigate most of the potential for risk. As the British Information Commissioner’s Office pointed out,
The danger of using weak passwords has been exposed… after a new website was launched that allows people to watch live footage from…insecure (Internet connected) cameras across the world. The website, which is based in Russia, accesses the information by using the default login credentials, which are freely available online, for thousands of cameras.
This type of revelation should immediately make everyone take a few moments to examine the settings on all their devices and the quality of all passwords used in home Internet security.
As I have maintained for some time, “emerging risk” is a somewhat misused term. It has been used in the insurance industry to mean new risks that were not or are not currently insurable in any meaningful way; i.e., the market is not sufficiently developed by way of capacity, geographical spread or the number of capital providers. In fact, I believe risks are the same as they ever were; it’s just which ones come to prominence. What drives this may not be the apparent real threat but more a perceived threat, which, fueled by media, can become the risk of the moment. Think H1N1, Ebola, terrorism, gun control, data privacy, etc. The real measure of a risk is still severity and likelihood, and these are not constant; they are continually moving. It is therefore really important to stay focused on which risks are the real threats to achieving the enterprise objectives and manage these as a priority. Of course, some of the issues I mention may be more or less significant depending on your sector and location. My consistent message is that risk managers should maintain the position of the voice of reason in their organizations so that resources do not get diverted away from managing, reducing and controlling the risks that will have the most impact on the organization into the latest ’emerging’ risk.