Tag Archives: mitigation

The Many Questions Raised by Drones

State Farm, AIG and USAA have received preliminary approval from the Federal Aviation Administration to test drones for their claims and underwriting functions. On the surface, this sounds like a straightforward proposition. Drones can more quickly and easily survey damage sites after fires, tornados and hurricanes than personnel on the ground. Drones can be equipped to use global positioning software to identify insured structures and take pictures of damage to better and more quickly inform ground-based adjusters, leading to faster settlements and good press for insurers. Drones might also be used by adjusters to reveal hail damage on roofs, which will help to mitigate falls and other injuries to adjusters. The thought is that drones also might be helpful in certain loss control activities, such as identifying otherwise hidden internal or external fire hazards to large structures or plants.

Small portable drones may also find bodies or even survivors in the aftermath of storms. Drones and their operators may see crimes such as looting or arson being committed.

But questions arise: What responsibilities will insurers now have to report crimes to the authorities? How quickly will insurers be required to report? Some drones may use live streamed images to ground-based operators; others may take static pictures that will be retrieved when the drone returns to base. Will the drone-equipped disaster adjuster be required to analyze these pictures immediately or send them to the authorities via Internet uplink as soon as they are retrieved? To avoid problems, should drones not be sent in until after all rescue efforts have ended? However, would this also not create an ethical issue about delaying the use of lifesaving tools because of possible legal complications?

What issues of privacy of customer information or stranger images will insurers face as a result of these new capabilities? For example, the camera is left on while the drone ascends the side of the building, capturing images of people in various stages of dress, seeing a man beating a woman on the 14th or witnessing people shooting up at a party in the penthouse. What must the adjuster report and to whom? What if the party in the penthouse is for diabetics and the adjuster reports this to police as a suspicious incident? Will the adjuster now need to add police investigative skills to competency requirements? How secure will these drones be from tampering if they should malfunction, or how easily can hackers intercept image transmission? Will they be equipped to hear, meaning they can record conversations that may have otherwise been thought to be confidential? In other words, will the drone engender additional responsibilities for the adjuster or will issues otherwise be covered by existing laws and regulations?

We can argue that the courts have agreed that our expectations of privacy with airplanes flying overhead is already reduced. However, airplanes and other commercial or pleasure craft rarely fly under 1,000 feet for any length of time. Commercial drones will operate at a much more personal, in-your-face, level; today they cannot fly higher than 400 feet. Will the courts react the same way as they have with aircraft to privacy concerns associated with drones?

Underwriters will want to use drones, as well, to survey large property complexes to establish baselines not only for pricing and capacity purposes but to provide claims adjusters with a before-loss picture of the property. Drones may also capture more than their own customer’s property. For example, the drone captures a picture or a video of a new product being tested in a courtyard of another business. The other business, fearing industrial espionage, calls the police and gives the clearly visible drone FAA-issued ID number to them.

Ground-based adjusters can trespass or go where they aren’t wanted. However, most are trained to get permission directly from owners and others before trampling on private property. I do not think we will see distantly operated drones knocking on doors, “Greetings human, I am seeking permission to scan your property…please sign here or just nod your agreement.”

Then again, there is the psychological. The convoy of multiple insurer trucks shows up at the town just after a devastating tornado. Up go the drones, circling like buzzards over the wreckage and the dead. Townspeople make rude gestures to the eyes in the sky and clamor after the trucks to gain anything, any image of a missing relative or friend. And the police and fire officials are there, too, crowding the adjusters for information. Will the insurers need to circle the wagons, be available all together to the authorities in an approved command post so that the authorities can gain immediate access to their images? The authorities might have some immunity if they arrest looters from these pictures, but will the insurers, for giving the authorities pictures of the alleged crime? Will the drone bring more frivolous lawsuits from perpetrators of crimes at disaster sites for invasions of personal privacy?

I do not want this to be a Luddite’s rant against drones. Far from it; drones have useful purposes. While drone capabilities were honed in war, their peaceful use should be considered. There is no reason why realtors, insurers, surveyors and others should not have a shot at making their case to use drones in the course of their legitimate business. However, there will be others who use drones in less than legal ways, and we must provide some guidance to insurers and others what constitutes legal and authorized use. We must also have means within each drone’s system that provide credible and legal evidentiary documentation of use: authorized, legal or not. Because the drone increases the field of vision for its user, issues of privacy and legitimate acquisition of images and other information by authorities needs to be spelled out. Disposal of drones must also be spelled out in regulations so that they or any remnant information are destroyed so that they do not get into the wrong hands.

The question isn’t whether drones will be used for legitimate business reasons; the question is when. Because they increase the visibility of their users, issues are raised in the area of privacy that require discussion and perhaps court attention. There is also the unknown, the psychological—the vulture drones over the tornado-stricken town. People in war zones have learned to fear the drones because they are harbingers of death. Granted, we have not experienced drone warfare in the U.S., but we know that they have been used as impersonal killers in other places. Unlike whirring helicopters and buzzing planes, they are small, quiet, can hover low to the ground and will interface with individuals. What will we think of the drone climbing outside of our apartment building with its dark camera lens pointed directly at us? Will we think Big Brother, or will we come to accept this new technology as we have the convenience store video camera or the red-light camera at the busy intersection?

These questions must be asked and answered to some satisfaction before we go trundling off and build vast drone fleets. The time is now, because after drones are deployed is not the time to understand that the user has increased his or her company’s risk of lawsuit and even criminal prosecution that has not been properly identified, assessed, and managed.

Select articles and studies of the issues associated with drones.

— Calo, Ryan. “The Drone as Privacy Catalyst.” Stanford Law Review Online 64 (2011): 29-33. Abstract: Associated today with the theater of war, the widespread domestic use of drones for surveillance seems inevitable. Existing privacy law will not stand in its way. It may be tempting to conclude on this basis that drones will further erode our individual and collective privacy. Yet the opposite may happen. Drones may help restore our mental model of a privacy violation. They could be just the visceral jolt society needs to drag privacy law into the 21st century.

— Cavoukian, Ann. Privacy and Drones: Unmanned Aerial Vehicles. Information and Privacy Commissioner of Ontario, Canada, 2012. Summary: The aim of this paper is to provide a background for general privacy readers, as well as for potential users or regulators of UAV activities, as they relate to the collection, use, and disclosure of personal information.

— Friedenzohn, Daniel, and Alexander Mirot. “The Fear of Drones: Privacy and Unmanned Aircraft.” Journal of Law Enforcement 3, No. 5 (2013): 1-14. Abstract: The article focuses on the consequence of the use of unmanned aircraft systems, (UAS) or drones, planned to be integrated by U.S. in the national space. Topics discussed use of the technology by military forces, confirmation hearings of disclosed by Central Intelligence Agency (CIA) Director John Brennan and degradation of privacy as a result of law enforcement’s relation with the use of the UAS.

— Pasztor, Andy, and John Emshwiller. “Drone Use Takes Off on the Home Front.” The Wall Street Journal, April 12, 2012. Issue Discussed: With little public attention, dozens of universities and law-enforcement agencies have been given approval by federal aviation regulators to use unmanned aircraft known as drones, according to documents obtained via Freedom of Information Act requests by an advocacy group.

— Wesson, Kyle, and Todd Humphreys. “Hacking Drones.” Scientific American 309, No. 5 (2013): 55-59. Abstract: The article focuses on the lack of safety measures in drone aircraft. It states that drones can be used in various settings, which include search and rescue operations, scientific research and power line monitoring. Also mentioned are the Modernization and Reform Act of 2012 issued by the U.S. Federal Aviation Administration (FAA), effectiveness of jamming devices in the navigation system of drones and the challenges to balance the economic benefits of drones. considering the public safety.


The 1 Resolution for Insurers in 2015

Less than 10% of people keep their New Year’s resolutions for at least six months, according to research from Cancer Research UK, with half breaking their resolutions within a fortnight, blaming a lack of will power. 20% planned to cut back on alcohol, others to spend less money (34%), cut down on chocolate (21% and go to the gym (22%).

New Year’s resolutions aren’t just for individuals, though. They can also be found in the annual reports of most companies, including insurers, when they set out their strategic objectives for the coming year. Sadly, most insurers say the same thing, even if different language is used: reduce costs, improve efficiency, grow, focus improve service. There’s a more than reasonable chance that they will be saying the same things next year, as well.

Delivering against strategy objectives is as much a matter of leadership as it is of planning. I wonder how many business leaders are also abject failures in keeping their New Year’s resolutions? After all, a leopard doesn’t change its spots.

Maybe the answer is to set up a project team and delegate some responsibilities. I imagine an interesting conversation in the office: “Jim, I’ve decided that your role this year is to give up chocolate for me….”

Maybe it’s about having an incentive? Insurers might say to a policyholder that they will give a 20% discount on premiums if the policyholder gives up booze. Such a discount, coupled with the money saved, could be a compelling argument. And, after all, isn’t that what user-based insurance is fundamentally about?

I wonder: Will future insurance models need to have greater alignment between risk mitigation plans of insurers and personal behavior of the individual? I suspect we are already close to having that capability, as insurers increasingly use analytics to understand their customers and create more compelling offers at renewal. Can’t we extend that thinking?

So here’s a challenge for insurers – not to promise the same old stuff but rather to make a single big resolution for their organization which will be differentiating, ambitious, maybe even bold! Perhaps insurers need to look into the crystal ball and imagine not only themselves, but also the industry in 2030, and start to realize how different the insurance business will be by then. And then, in 2015, do “just one thing” of significance to take them along that journey.

As for me and my resolution? I asked a friend what she thought I needed most, and she suggested a visit to the opera, on the basis that it’s apparently good for the soul. How I see myself, and how she saw me, are apparently different. Isn’t that the same for all of us, and for the insurance industry as a whole?

I’ll tell you when I’ve been to the opera!

5 Issues for Boards on Risk Appetite

Many have struggled to find and articulate a risk appetite. It is actually not too hard to find, if you know where to look. It is right there – on the border.

Risk appetite is the border between the board and management. Once management has proposed a risk appetite and the board has approved it, then management is empowered to take risks. As long as the risks are within the risk appetite, then management does not need to inform the board until after taking those risks. If management plans to take risks that are outside of the risk appetite, then executives must go to the board in advance for permission.

That, of course, is just the bare minimum communication with the board about risk. There are five topics that make up a good level of board communications:

1. Risk appetite and plan
2. Risk position and profile
3. Top=risk mitigation and capabilities
4. Emerging risks
5. Major changes to risk environment and risk plan

The first and last items are the subject here. The other topics will be covered in later posts.

Notice that the first item on the list above is appetite AND Plan. Before discussing risk appetite, both management and the board need to be very familiar with the company’s historic levels of risk and the intentions for risk level. If there is no history of risk planning, it is totally premature to even discuss risk appetite.

It is doubtless true in all cases that management has vast experience with risk taking, as well as experience with risk taking that ended up creating losses or other undesirable adverse consequences. But unless there has been experience of planned and monitored risk taking, there is a natural propensity to start with the presumption that, in the past, the highest-risk activities are those that ended in losses and that activities that did not end up with losses were lower-risk. While losses are a good indication of one sort of risk, they are not the only way to assess risk.

Imagine the risk of an earthquake in a specific area. There have been no earthquake losses there in living memory. But that doesn’t mean that there is no risk. There was a devastating earthquake there just 150 years ago, thus there is certainly some potential for future events.

Risk is not loss, and loss is not risk. Risk is the potential for loss. It only exists in advance of an event. Loss is the negative outcome of an event.

Risk appetite sits on another border. That is the border between regular and extraordinary – mitigation, that is. For each of the major risks of a firm, we have a regular process for control, mitigation and treatment of risk that we have and and that we acquire. We also should have some idea of what we might do if the level of risk gets out of hand. For example, a life insurer writing variable annuities might have a hedging program that is used to mitigate unwanted equity market risk. A P&C insurer might have a reinsurance program to lay off excess aggregations of property risk. A bank might have a securitization program to mitigate the portion of mortgage risk that it does not want to keep. In all three cases, an unexpected jump in closing rate or a new very successful distributor might suddenly cause the level of residual risk after normal mitigation to become excessive.

Usually, this is evidenced by a weakening solvency margin. The company must go into extraordinary mitigation mode. That means that for the risk that has become excessive, or for another risk if they have a nimble risk steering function, there will need to be some major change in operations to bring the level of risk back into line. The choices for these extraordinary mitigations may be simple adjustments to the normal mitigation processes, a shift in hedging targets, a drop in the reinsurance retention or an increased emphasis on securitizing all tranches. But most often these extraordinary mitigations involve real changes to plans, such as a change in pricing structure, risk acceptance procedures, a change in product or distribution strategy to discourage the least profitable or highest risk sales or a change in a share buy-back plan. In the most extreme cases, there might be a need to temporarily shut down the source of the excessive risk.

Unexpected losses might also cause a sudden shift downward in risk capacity and therefore in risk appetite. In such cases, extraordinary mitigations will favor options that might speed the rebuilding of capital. In the most extreme cases, the final stage mitigation would be to sell an entire operation along with the embedded risk exposures.

Almost all of those extraordinary mitigation choices are not decisions that management prefers for businesses. But good managers have some advance idea of the priority order in which they might apply those tactics as well as the triggers for such actions. Those triggers are the boundary for risk taking. They are reflective of the risk appetite.

So if you recognize that risk appetite is this boundary condition, you realize that the talk you hear in some places of “allocating risk appetite” is not the approach that you want to take. What you really need is a risk target that is allocated. The risk target is your plan. It is not totally “efficient,” but there should be a buffer between the risk target and the risk appetite. That buffer allows for the fact that we do not control and may not even immediately notice all of the things that might cause our risk level to fluctuate, but we need a risk target because risk appetite is really the border that we hope not to cross.

What Insurers Can Teach Others on ERM

The risk management practices of insurance companies have been scrutinized by rating agencies, regulators, analysts and others for years because insurers are financial institutions that deal with high levels of risk that, improperly managed, could not only hurt their creditworthiness but damage the financial well-being of their customers. As a result of this scrutiny, insurers have developed robust and comprehensive risk management processes, increasingly known as enterprise risk management (ERM). The ERM process covers the entire company, from strategy setting to core business operations and even relationships with external stakeholders. The maturity of insurers’ models means that there are some best practices worthy of emulation or adaptation by other industries.

A selection of these is presented in this article: aggregation of risk, correlation of risk and opportunity risk management.

Aggregation of risks

Within the ERM process step of “risk identification,” insurers pay special attention to aggregation of risk. How much of the same risk can be prudently taken, and how much risk is represented by one catastrophic event?

A simple example would relate to how much property insurance is being written in Florida, which is prone to hurricane losses. Or, how much workers’ compensation is being written for one industry group that could be affected by a pervasive occupational health hazard such as mesothelioma.

A proper assessment requires: 1) knowledge of what business is being written (sold), 2) fine-tuned understanding of that business (e.g., not all property in the state of Florida is subject to the same degree of hurricane loss), 3) recognition of what could be a potential risk issue within a book of business (e.g., workers in industries that still handle asbestos or operate in older buildings that have not been remediated).

Having taken account of accumulations, insurers proceed to reduce their exposure to them. This can take many forms, including: 1) writing less business within the geography, customer segment or type of coverage making up the accumulation, 2) adding exclusions or sub-limits into the insurance policy to eliminate or reduce what is covered if the risk produces a loss, 3) requiring/ helping customers to make themselves less vulnerable to the risk and 4) developing rapid responses to minimize the extent of loss after the risk has created a loss.

Moving outside the insurance company realm, any company can be subject to a variety of types of aggregations that can be above a normal, acceptable range of risk. Some examples might include:

• Shopping center management companies with many centers in neighborhoods with poor economic outlooks
• Banks with loan portfolios too heavily balanced toward governments or businesses in countries with low ratings for economic or political stability
• OEM manufacturers that supply parts to only one industry — one that may be in the process of technological obsolescence or some other life cycle dip
• Consumer goods manufacturers with narrow product lines that are tied to one demographic group that is fickle or is becoming economically pinched

Consider a large company with many silos, one that is not very good at sharing information and not tightly managed. What would happen if: 1) one unit of that company placed its call center in one of the BRIC countries (Brazil, Russia, India and China), 2) another unit opened a major manufacturing plant in that country, 3) another unit outsourced its IT code development to that country and 4) the finance unit invested in bonds from that same country — and that country suddenly had a debilitating natural catastrophe, the government or currency collapsed or a nationwide problem developed? The point is that the company in the example should be aware that it is creating an aggregated risk potential by having so many ties to that country with varying exposures.

Any significant concentration of geography, market segmentation or product offering can pose a risk to a business.

What makes ERM so powerful is that all important risks get identified, whether insurable or not, especially strategic risks, and that these risks get addressed through mitigation action plans. It is surprising how often companies do not see the magnitude or variations of risks they are facing; an effective ERM process should prevent that blindness.

Having identified an aggregation risk, companies can create mitigation plans for managing the risk. Mitigation tactics for aggregation risks in non-insurance businesses could include:

• Diversification in geographic spread
• Diversification in product portfolio
• Diversification in customer segmentation
• Innovation around uses of current products
• Innovation around ways to be more profitable with current products such that margins could increase while sales decrease
• Growth limits in risky areas; growth goals in less risky areas

Correlation of risks

Insurers have also become adept at identifying correlated risks. These are risks that may not appear to be connected but could be realized as part of the same event. Or they could be risks that have a cause and effect relationship on each other — a domino effect.

Correlated risks could dramatically strain an insurer’s ability to pay claims or remain fiscally viable. A hurricane, for example, might not only trigger covered property damage but also business interruption, supply chain, losses from canceled event and so on. Unless the insurer understands the totality of correlated losses, it cannot determine how much business it should write in any single hurricane-prone territory. Also correlated to the hurricane is an increase in the cost of repair and rebuilding property because of what is termed “storm surge” — when goods or services are in greater demand after a major event. So, the insurer is not only paying out on claims from different policies (or lines of business) but may also be paying more than usual because of inflated costs.

The concept of correlated risk is not very prevalent in non-insurance companies but could be just as serious an exposure. Consider an electrical power company. It knows that its dependence on an adequate supply of water leads to a risk that drought could affect its output capabilities and its customer satisfaction. The utility may not be fully cognizant of the correlated risks. Therefore, its risk mitigation and contingency planning may not include those risks. These might include: 1) the risk that government subsidies or support could be cut as the government attends to other issues arising from drought; 2) the risk that the cost of water or expense for routing the water supply will increase because of low water levels; 3) the risk that malfunctions will occur with power plant equipment because of lower or inconsistent water supply feeds, or 4) the risk that business customers that do not get sufficient water for their operations may sue the supplier. Without a robust ERM process to help identify both insurable and non-insurable risks, these risks may go unrecognized and unmitigated and without an effective response plan.

In fact, all companies fear that “perfect storm” where many risks materialize at once that could damage and destabilize the business. Yet, some correlations might have been identifiable and action taken to ameliorate the risks, had an effective ERM strategy been in place.

Opportunity risks

There is risk in both taking and missing a potential opportunity. It may be too much to ask businesses to identify the risks and calculate the cost of not taking every opportunity that management decides against for strategic, risk-related or other reasons. However, it is expected, within an ERM oriented business, that the risks of taking or avoiding an opportunity are considered and addressed.

When an insurer offers a new type of coverage for exposures such as supply chain, or cyber or reputation for the first time, the risk is great. That is because there is often no historical loss data upon which to estimate losses and price the product. For initial losses, there is no historical data to use in setting up an adequate reserve. Additionally, there is no guarantee that enough business will be written to create a large enough pool of policy holders (law of large numbers) to spread the odds of loss enough to produce favorable outcomes.

The ERM process that insurers employ compels them to look for opportunity risks and to devise ways to ameliorate the risks. How do insurers do this? They build their risk mitigation action plans using expertise across their many functions.

For new product risk, insurers might start out by: 1) offering low limits, 2) requiring higher deductibles or self-insured retentions, 3) buying more reinsurance or partnering with a reinsurer on the new book of business, or 4) charging prices that may appear to be high but that take into account the risk-adjusted cost of capital.

In other industries, new products also pose opportunity risks. Key questions to ask include: Will the new product reach the required ROI set for it within the timeframe set? Will the new product cannibalize some existing product or products? Will the new product create issues related to product recall, patent infringement or other lawsuits?

Through the application of a robust ERM process, all or most of the risks can be identified and mitigation action plans developed. This creates a safety net for the company and makes it more likely that it will get more comfortable and proficient at product innovation. There are so many types of opportunity risk beyond new products. ERM can help with each of them.