Tag Archives: carrier management

Is Terrorism the New Normal for Insurers?

After several mass shootings across the U.S. – in Orlando, San Bernardino, Charleston and elsewhere that, whatever the motivation, created terror – the insurance industry is responding with new “standalone terrorism” coverage.

Does this reflect a level of acceptance of such incidents, and of gun violence, as a “new normal,” something we’ll just need to live with?

I don’t think so. In fact, the responses of insurers illustrate their key role: helping individuals, businesses and other organizations deal with unforeseen harm and tragedy, and recover from it.

As cited by Carrier Management in August, the FBI’s “Study of Active Shooter Incidents Between 2000 and 2013” reported that 70% of incidents took place in either a commerce/business or educational environment. The findings establish an increasing frequency of incidents, the report said.

Until this year, insurance didn’t respond to “lone wolf” shooting incidents because of two factors. One is the parameters set forth by the Terrorism Risk and Insurance Act (TRIA). Staggered by the massive losses from the 9/11 attacks, Congress passed legislation that provided for similar, large events. To qualify for coverage through the act, losses from a terrorist event must total at least $5 million – far exceeding the property damages that have resulted from shootings and similar attacks.

See also: How to Develop Plan on Terrorism Risks  

The other factor is the lack of clarity regarding what’s covered by commercial general liability insurance. In the same article, John Powter, president of GDP Advisors in McKinney, Texas, says the general liability part of a commercial policy doesn’t clearly cover or exclude active shooter incidents. “There is a concern, or gray area, with the general liability policy – in reality, it was never designed to cover an active shooter incident,” he said.

The shift in the nature of terror

Earlier this year, Insurance Business reported on research by KPMG that noted that the changing nature of ideologically motivated crime has yet to be addressed by insurance coverages.

“There is a shift in the nature of terror,” the publication quoted KPMG partner Paul Merrey as saying. “In the 1990s, it was about property damage. The incidents we’re seeing now are about maximizing casualties. There is a gap between what insurers are providing cover for and what customers actually want.”

He added that the gap will “go from a gray area to excluded,” as was the case with cyber risks – which, in turn, led to entirely new cyberrisk insurance.

In a similar response, insurers introduced new standalone terrorism insurance earlier this year.

Bermuda-based insurer XL Catlin introduced an “active assailant” policy in February. The policy provides “time element” coverage, which includes business interruption and extra expense coverage.

Ben Tucker, head of U.S. terrorism and political violence insurance for the company, told Insurance Business that “the level of awareness is increasing quite dramatically, and it’s not limited to large-risk management types of exposures.” The company has received inquiries about the coverage from agents and brokers representing school districts, public buildings and small hospitality firms.

The policy, the publication reported, is triggered when an event involving a handheld weapon affects three or more people. In this policy, “affects” has a broad definition: a person affected could simply be a witness to such an event.

GDP Advisors in February introduced an Active Shooter Insurance Program underwritten through Lloyd’s of London. Powter told Carrier Management that the coverage originally was intended for educational institutions, but soon after it was launched GDP received inquiries from banks, hotels, sports venues, amusement parks and other businesses.

The real value: preventing injuries and losses

Powter added that the “real value of the policy” is in its provision of risk management and crisis response services. Those are important, he said, because many businesses and educational institutions are now learning how to best respond if an incident occurs at their facility.

And that’s perhaps the most important response by insurers. When they insure any organizations, insurers take steps — risk management services — to help prevent losses from occurring.

Those services are especially valuable to businesses and other entities that have purchased active assailant coverage. Students and teachers at schools where shootings have occurred said that the safety drills and procedures they practiced helped to minimize injuries and losses and, perhaps, save lives.

Does coverage for such attacks imply an acceptance of them? Only in the same sense that other types of insurance imply an acceptance of fires, storms or other natural disasters. They’re incidents that could happen, and require specific safeguards, preparation and insurance.

See also: How to Find Coverage for Terrorism Risks

Society must address the threat of terrorism, whether via large attacks or the actions of one individual. Anyone who follows the news is familiar with the many options being discussed and debated by policymakers.

But as those threats persist, insurers must deliver both preventive measures and coverage for damages, whether to property or the psyches of survivors and witnesses. That’s the type of response we expect from insurance companies.

3 Criticisms of ERM: Justified?

A large retailer gets hacked, and customer data is taken, which costs millions in expense and lost revenues. A product recall is perceived to be badly handled, which tarnishes a manufacturer’s reputation and seriously erodes revenue, as well as margins. An acquisition fails to produce the expected profit lift and hurts a technology company’s share price. These organizations have implemented ERM, and, clearly, ERM has failed. Or has it?

Let’s look at three criticisms of ERM:

ERM Cannot Identify and Protect Against All Significant Uncertainties

This criticism is fair in the most literal sense only. Even a very robust and well-administered ERM process cannot find every major risk that an organization is subject to, nor can it protect against all risks, whether identified or not. However, without ERM, the ability to identify a majority of significant uncertainties facing an organization is greatly diminished. Not only that, without an ERM approach to risk, the mitigation of known risks is more likely to be addressed silo by silo even when an enterprise-wide solution is necessary.

In addition, with ERM, organizations are generally better prepared to rebound from unexpected, unidentified risks that do hit them. For example, ERM organizations typically have very robust business continuity and business recovery plans, have done tabletop exercises or drills that simulate a crisis and have maintained a lessons-learned and special expertise file that can be called upon, as needed.

According to a post by Carrier Management, citing RIMS, “A whopping 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.”

These survey results do not suggest that chief risk officers or risk managers, who are responsible for the ERM process, are cyber experts or that all cyber risks can be specifically ascertained. Rather, the survey suggests that ERM better positions a company to discover cyber risks, just as it does with other categories of risk.

If ERM can reduce business uncertainties and surprises by identifying risks and managing them better than other forms of risk management, despite not being able to do so 100% of the time, it has not failed. In fact, it has most probably added great value. Consider a CEO who can avoid even one unnecessary sinking feeling when realizing that a risk that should have been spotted and dealt with has hit the company. How much is it worth to that CEO to prevent that feeling?

ERM Focuses on the Negative Rather Than the Positive

This criticism is not fair in any sense. It requires an upside-down view of ERM. Think about it. In almost any definition of ERM, there is some sort of statement as to the purpose or mission of ERM. The purpose is to better ensure that the organization achieves its strategy and objectives. What could be more positive?

By dealing with risks that challenge the ability of the organization to meet its targets, ERM is fulfilling an affirmative and important task. That most risks pose a threat is not disputed. But by removing, avoiding, transferring or lessening threats, organizations have a better chance of succeeding.

This is not the only positive result that can emanate from ERM’s handling of risk. Often, a thorough examination of a risk will result in opportunities being uncovered. The opportunity could take the form of innovating a product or entering a new market or creating a more efficient workflow.

Consider a manufacturer that builds a more ergonomic chair because it has identified a heightened risk of lawsuits arising from some new medical diagnoses of injuries caused by a certain seat design. Or, consider an amusement park that is plagued by its patrons throwing ticket stubs and paper maps on the ground, thereby creating a hazard when wet or covering dangerous holes or obstacles. Imagine that the company decides to reduce the risk by increasing debris pick-up and offering rewards to patrons for turning in paper to central depositories, then turns it into “clean” confetti sold to a party goods manufacturers.

These are hypothetical examples, but real-life examples do exist. Some are quite similar to these. Many risk managers, unfortunately, are reticent to share their success stories in turning risk into a reward. For that matter, many are reluctant to share their successes of any kind. One could speculate why this is so. It may be as simple as not wanting to tempt the gods of chance.

ERM Is Too Expensive

Those who criticize ERM for being too expensive to implement may lack information or perspective. Consider the following questions:

  • Has ERM been in place long enough to produce results?
  • Has the organization started to measure the value of ERM (there are ways to measure it)?
  • Can an organization place a dollar value on avoiding a strategic risk or a loss that does not happen; does it need to?
  • Has the number of surprises diminished?
  • Are there successes along with failures?
  • How much is it worth to enhance the company’s reputation because it is seen as a responsible, less volatile company because of ERM?
  • How efficiently has the ERM process been implemented?
  • Is too much time being spent on selling the concept rather than implementing the concept?
  • Has the process and reporting of ERM results been kept clear and simple?

To answer the criticism of a too expensive process, the following are things that a company can do to make sure the process is cost-effective:

  • Embed the process, as far as feasible, into existing business processes, e.g. review strategic risk during strategic planning, hold ERM committee meetings as part of or right after other routine management meetings, monitor ERM progress during normal performance management reviews, etc.
  • Assign liaisons to ERM in the various business units and functional departments who have other roles that complement risk management.
  • Do not try to boil the ocean; keep the ERM process focused on the most significant risks the company faces.
  • Measure the value that ERM brings, such as reduction in suits or lower total cost of risk or whatever measures are decided upon by management.

In the author’s purview of ERM in various organizations, the function tends to be kept very lean (without diminution of its efficacy). If the above suggestions are adopted, along with other economical actions, the costs associated with the process can be kept in balance with the value or well below the value.

Conclusion

It is possible for an ERM process to be poorly executed, and thus deserve criticism. It is also possible for an ERM process to be well-executed and deserve nothing more than continuous improvement.

The caution is that no one should expect perfection or suppose that one unanticipated risk that creates a loss denotes a total failure of this enterprise-wide process. Organizations are sometimes faced with situations that are beyond a reasonable expectation of being known or managed.

It would be fair to lodge criticism of ERM under certain circumstances; for example, if an organization’s ERM process did not reveal a risk that all its competitors recognized as a risk and addressed. But even in that case, perhaps there were reasons to think the risk would not penetrate protections the organization already had in place. Suffice it to say, every process and situation must be evaluated on its own merits and within the proper context.

Disjointed Reinsurance Systems: A Recipe for Disaster

Insurers’ numerous intricate reinsurance contracts and special pool arrangements, countless policies and arrays of transactions create a massive risk of having unintended exposure. The inability to ensure that each insured risk has the appropriate reinsurance program associated with it is a recipe for disaster.

Having disjointed systems—a combination of policy administration system (PAS) and spreadsheets, for example—or having systems working in silos are sure ways of having risks fall through the cracks. The question is not if it will happen but when and by how much.

Beyond excessive risk exposure, the risks are many: claims leakage, poor management of aging recoverables and lack of business intelligence capabilities. There’s also the likelihood of not being able to track out-of-compliance reinsurance contracts. For instance, if a reinsurer requires certain exclusion in the policies it reinsures and the direct writer issues the policy without the exclusion, then the policy is out of compliance, and the reinsurer may deny liability.

The result is unreliable financial information for trends, profitability analysis and exposure, to name a few.

Having fragmented solutions and manual processes is the worst formula when it comes to audit trails. This is particularly troubling in an age of stringent standards in an increasingly internationally regulated industry. Integrating the right solution will help reduce risks to an absolute minimum.

Consider vendors offering dedicated and comprehensive systems as opposed to policy administration system vendors, which may simply offer “reinsurance modules” as part of all-encompassing systems. Failing to pick the right solution will cost the insurer frustration and delays by attempting to “right” the solution through a series of customizations. This will surely lead to cost overruns, a lengthy implementation and an uncertain outcome. An incomplete system will need to be customized by adding missing functions.

Common system features a carrier should look out for are:
  • Cession treaties and facultative management
  • Claims and events management
  • Policy management
  • Technical accounting (billing)
  • Bordereaux/statements
  • Internal retrocession
  • Assumed and retrocession operations
  • Financial accounting
  • AP/AR
  • Regulatory reporting
  • Statistical reports
  • Business intelligence
Study before implementing

Picking the right solution is just the start. Implementing a new solution still has many pitfalls. Therefore, the first priority is to perform a thorough and meticulous preliminary study.

The study is directed by the vendor, similar to an audit through a series of meetings and interviews with the different stakeholders: IT, business, etc. It typically lasts one to three weeks depending on the complexity of the project. A good approach is to spend a half-day conducting the scheduled meeting(s) and the other half drafting the findings and submitting them for review the following day.

The study should at least contain the following:

  • A detailed report on the company’s current reinsurance management processes.
  • A determination of potential gaps between the carrier reinsurance processes and the target solution.
  • A list of contracts and financial data required for going live.
  • Specifications for the interfaces.
  • Definitions of the data conversion and migration strategy.
  • Reporting requirements and strategy.
  • Detailed project planning and identification of potential risks.
  • Repository requirements.
  • Assessment and revision of overall project costs.
Preliminary study/(gap analysis) sample:

1. Introduction
  • General introduction and description of project objectives and stakeholders
  • What’s in and out of scope
2. Description of current business setting

3. Business requirements

  • Cession requirements
  • Assumed and retrocession requirements
4. Systems Environment Topics
  • Interfaces/hardware and software requirements
5. Implementation requirements
6. System administration
  • Access, security, backups
7. Risks, pending issues and assumptions
8. Project management plan

The preliminary study report must be submitted to each stakeholder for review and validation as well as endorsement by the head of the steering committee of the insurance company before the start of the project. If necessary, the study should be revised until all parts are adequately defined. Ideally, the report should be used as a road map by the carrier and vendor.

All project risks and issues identified at this stage will be incorporated into the project planning. It saves much time and money to discover them before the implementation phase. One of the main reasons why projects fail is poor communication. Key people on different teams need to actively communicate with each other. There should be at  least one person from each invested area—IT, business and upper management must be part of a well-defined steering committee.

A clear-cut escalation process must be in place to tackle any foreseeable issues and address them in a timely manner.

A Successful Implementation Process
Key areas and related guidelines that are essential to successfully carry out a project.

Data cleansing
Before migration, an in-depth data scrubbing or cleansing is recommended. This is the process of amending or removing data derived from the existing applications that is erroneous, incomplete, inadequately formatted or replicated. The discrepancies discovered or deleted may have been originally produced by user-entry errors or by corruption in transmission or storage.

Data cleansing may also include actions such as harmonization of data, which relates to identifying commonalities in data sets and combining them into a single data component, as well as standardization of data, which is a means of changing a reference data set to a new standard—in other words, use of standard codes.

Data migration

Data migration pertains to the moving of data between the existing system (or systems) and the target application as well as all the measures required for migrating and validating the data throughout the entire cycle. The data needs to be converted so that it’s compatible with the reinsurance system before the migration can take place.

It’s a mapping of all the data with business rules and relevant codes attached to it; this step is required before the automatic migration can take place.

An effective and efficient data migration effort involves anticipating potential issues and threats as well as opportunities, such as determining the most suitable data-migration methodology early in the project and taking appropriate measures to mitigate potential risks. Suitable data migration methodology differs from one carrier to another based on its particular business model.

Analyze and understand the business requirements before gathering and working on the actual data. Thereafter, the carrier must delineate what needs to be migrated and how far back. In the case of long-tail business, such as asbestos coverage, all the historical data must be migrated. This is because it may take several years or decades to identify and assess claims.

Conversely, for short-tail lines, such as property fire or physical auto damage, for which losses are usually known and paid shortly after the loss occurs, only the applicable business data is to be singled out for migration.

A detailed mapping of the existing data and system architecture must be drafted to isolate any issues related to the conversion early on. Most likely, workarounds will be required to overcome the specificities or constraints of the new application. As a result, it will be crucial to establish checks and balances or guidelines to validate the quality and accuracy of the data to be loaded.

Identifying subject-matter experts who are thoroughly acquainted with the source data will lessen the risk of missing undocumented data snags and help ensure the success of the project. Therefore, proper planning for accessibility to qualified resources at both the vendor and insurer is critical. You’ll also need experts in the existing systems, the new application and other tools.

Interfaces

Interfaces in a reinsurance context relate to connecting to the data residing in the upstream system, or PAS, to the reinsurance management system, plus integrating the reinsurance data to other applications, such as the general ledger, the claims system and business intelligence tools.

Integration and interfaces are achieved by exchanging data between two different applications but can include tighter mechanisms such as direct function calls. These are synchronous communications used for information retrieval. The synchronous request is made using a direct function call to the target system.

Again, choosing the right partner will be critical. A provider with extensive experience in developing interfaces between primary insurance systems, general ledgers, BI suites and reinsurance solutions most likely has already developed such interfaces for the most popular packages and will have the know-how and best practices to develop new ones if needed. This will ensure that the process will proceed as smoothly as possible.

After the vendor (primarily) and the carrier carry out all essential implementation specifics to consolidate the process automation and integrations required to deliver the system, look to provide a fully deployable and testable solution ready for user acceptance testing in the reinsurance system test environment.

Formal user training must take place beforehand. It needs to include a role-based program and ought not to be a “one-size-fits-all” training course. Each user group needs to have a specific training program that relates to its particular job functions.

The next step is to prepare for a deployment in production. You’ll need to perform a number of parallel runs of the existing reinsurance solutions and the new reinsurance system and be able to replicate each one and reach the same desired outcome before going live.

Now that you’ve installed a modern, comprehensive reinsurance management system, you’ll have straigh-tthrough automated processing with all the checks and balances in place. You will be able to reap the benefits of a well-thought-out strategy paired with an appropriate reinsurance system that will lead to superior controls, reduced risk and better financials. You’ll no longer have any dangerous hidden “cracks” in your reinsurance program.
This article first appeared in Carrier Management magazine.