Tag Archives: risk management

Managing Risks for Hydrogen Industry

Hydrogen is of growing importance for the substitution of fossil fuels in the fields of energy, supply, mobility and industry. Hydrogen has the potential to morph from a niche power source into big business, with countries committing billions to scale up their infrastructure and with projects being introduced around the globe. But there are challenges to overcome for hydrogen, such as the cost of production, supply chain complexity and a need for new safety standards.  

Allianz Global Corporate & Specialty (AGCS) just released a risk bulletin that highlights some of the opportunities and challenges of a trend at the forefront of the energy industry and assesses the risk environment of technologies associated with the production, storage and transportation of green hydrogen.

Backed by governments: Over 30 countries have produced hydrogen road maps

The global shift toward decarbonization has triggered strong momentum in the hydrogen industry. Hydrogen offers several options for the transition toward a low-carbon economy: as an energy carrier and storage medium for conversion back to electricity, as a fuel for all means of transport and mobility and as a potential substitute for fossil hydrocarbons in industries such as steel production or petrochemicals. 

Around the world, there is strong governmental commitment for hydrogen initiatives, backed by financial support and regulation: As of the beginning of 2021, over 30 countries have produced hydrogen road maps, and governments worldwide have committed more than $70 billion in public funding, according to McKinsey. There are more than 200 large-scale production projects in the pipeline. 

In the U.S., more than 30 states have already adopted plans to promote hydrogen technology. The goal is to build a broad-based hydrogen industry that will generate $140 billion in annual income and employ 700,000 people by 2030. China is also planning to invest several billion yuan in the promotion of fuel cell technology over the next four years, which should result in innovative hydrogen production facilities throughout the country. 

Assessing the risk environment 

Many of the technologies used for the generation of hydrogen or energy from hydrogen are well-known in principle. AGCS risk consultants have considerable experience with handling hydrogen projects in a number of different areas. From a technology perspective, the operational risks include:

Fire and explosion hazards

The main risk when handling hydrogen is of explosion when mixed with air. In addition, leaks are hard to identify without dedicated detectors because hydrogen is colorless and odorless. A hydrogen flame is almost invisible in daylight. Industry loss investigation statistics show approximately one in four hydrogen fires can be attributed to leaks, with around 40% being undetected prior to the loss.

Fire and explosion protection needs to be considered on three different levels. Preventing the escape of inflammable gases as much as possible. Ensuring safe design of electrical and other installations in areas where ignition sources cannot be excluded. Constructing buildings and facilities to withstand an explosion with limited damage.

Proper handling of hydrogen gas is critical, and any emergency requires appropriate fire safety equipment.

An AGCS analysis of more than 470,000 claims across all industry sectors over five years shows how costly the risk of fire and explosion can be. Fire and explosions caused considerable damage and destroyed values of more than €14 billion ($16.7 billion) over the period under review. Excluding natural disasters, more than half (11) of the 20 largest insurance losses analyzed were due to this cause, making it the #1 cause of loss for businesses worldwide.

Material embrittlement

Diffusion of hydrogen can cause metal and steel (especially high-yield steels) to become brittle, and a wide range of components could be affected, for example, piping, containers or machinery components. In conjunction with embrittlement, hydrogen-assisted cracking (HAC) can occur. For the safety of hydrogen systems, it is important that problems such as the risk of embrittlement and HAC are taken into account in the design phase. This is ensured by selecting materials that are suitable under the expected loads as well as considering appropriate operating conditions (gas pressure, temperature, mechanical loading). High-yield strength steels are particularly at risk of hydrogen-related damage. 

Business interruption exposures

Hydrogen production or transport typically involves high-tech equipment, and failure to critical parts could result in severe business interruption (BI) and significant financial losses. For example, in case of damage to electrolysis cells (used in water electrolysis) or heat exchangers in liquefaction plants it could take weeks, if not months, to replace such essential equipment, resulting in production delays. In addition, business interruption costs following a fire can add significantly to the final loss total. For example, AGCS analysis shows that, across all industry sectors, the average BI loss from a fire incident is around 45% higher than the average direct property loss – and in many cases the BI share of the overall claim is much higher, especially in volatile segments such as oil and gas. 

See also: How Insurers Can Step Up on Climate Change

Significant increase in demand for insurance expected 

While standalone hydrogen projects have been rare in the insurance market to date, hydrogen production as part of integrated refining and petrochemical facilities, and as a part of AGCS’ coverage of industrial gas programs in its property book, has long been a staple of AGCS’ insurance portfolio. Given the numerous projects planned around the world, insurers can expect to see a significant increase in demand for coverage to construct and operate electrolysis plants or pipelines for hydrogen transportation.  

As with any energy risk, fire and explosion is a key peril. Business interruption and liability exposures are also key, as are transit, installation and mechanical failure risks. We are developing a more detailed underwriting approach for hydrogen projects, ensuring that we can serve clients globally. There is rightly great enthusiasm around hydrogen solutions as a key driver toward a low-carbon economy, but we shouldn’t overlook that these projects involve complex industrial and energy risks and require high levels of engineering expertise and insurance know-how to be able to provide coverage. We will apply the same rigor in risk selection and underwriting for hydrogen projects that we do on our existing energy construction and operational business.

For the full overview of loss prevention measures for the hydrogen economy, download the new risk bulletin here.

Transformation of the Risk Landscape

There is little doubt that the risk landscape has changed in the past few years. Natural catastrophes are increasing in number and severity, low probability risks are coming to fruition, higher probability risks (such as cyber) are looming larger and new risks are emerging. Here are some of the ways insurers can address the changing risk landscape.

From single-event scenarios to multiple-simultaneous-event scenarios

It has been common for insurers to test their solvency by creating several scenarios and estimating what each would do to capital levels. Typically, each scenario tested one variable at a time; for example, what would a 1-in-250-year event or an-XX basis point interest rate drop do to capital strength in a given year? However, as the risk landscape intensifies, single variable scenarios are no longer sufficient.

More robust and multi-event scenarios need to become the norm if the potential risk to capital is to be evaluated effectively. For example, what would the result be if 1-in-250-year event happened while equities plunged 35% in value? Or what would the effect be if two 1-in-250-year events occurred at the same time inflation rose by 40%? What would happen if three 1-in-150-year events happened in the same year? The macro-economic environment constantly changes, and individual company conditions are unique, so scenarios need to be tailored and updated as appropriate.

From virtually ignoring low probable risks to paying more attention to low probability risks 

Scoring risks is done on the basis of both their potential impact (dollar impact to profits, revenues, expenses) and their probability of occurring (high medium, low). Other things may come into play, too, such as how imminent the risks are (one year away, three years away, more than three years away). This kind of scoring makes it possible for companies to decide which risks should get the most focus and resources in an effort to mitigate their impact. The problem has been that the impact of low probability risks is hard to quantify and is often underestimated. Additionally, the very fact that their likelihood is not high means these risks tend to be taken less seriously than perhaps they should be.

The current pandemic — with all its ripple effects — has shown that low probability/high impact risks can and do happen. Some insurers realized the loss potential if a virus became widespread and incorporated virus exclusions in various policies. This has served them well, because those with such exclusions are better protected against claims for coverage that was never intended. 

Some low probability/high impact risks emanate from the broader environment and some come from a particular company’s business model or operations. In either case, the risks need to be properly vetted and commensurate mitigation plans need to be implemented. 

From focusing on current risks to focusing on both current and emerging risk

That there are so many current risks insurers must attend to leads to emerging risks not being identified or being pushed to the back burner.  Even though emerging risks can be hard to identify and assess and may not seem imminent, they should not be marginalized. Given the speed of change, these risks can emerge as full-blown risks sooner than might be anticipated. Significant ones can quickly cause serious consequences.  

Any insurer ignoring emerging risk identification and mitigation is opening itself up to potential loss or impairment that could have been minimized or avoided. Some emerging risk categories are: AI; cyber; environmental, social and governance (ESG) developments; and new energy sources.

See also: Building an Effective Risk Culture

From reality to perception 

Insurers’ perception of themselves can be quite different from the way they are perceived by stakeholders outside the industry. And it is the external perception that forms the basis of an insurers’ reputation. Any one insurer may have a better or worse reputation than the universe of insurers, but all are affected to some extent by the umbrella perception.  

Some of these negative aspects of insurers’ reputations stem from many retail buyers not always understanding the insurance mechanism and from thinking insurers make greater profits than they actually do. Some retail buyers would rather not buy insurance at all but are forced to by laws or lenders. Commercial buyers can find insurers slow, cumbersome and not very transparent.

In reality, insurers tend to be ethical in honoring their contractual obligations and are price competitive while also trying to improve processes and customer experience. This is largely true because insurers are heavily regulated, have publicly available ratings by rating agencies and exist in a competitive marketplace.   

Despite this reality, a poor reputation contributes to low customer loyalty, fraudulent claims, extra scrutiny by third parties and other risks or threats.  Now, insurers face more reputational risk than ever before as things like example, the legitimate, but unfortunate, denial of COVID-19 related business interruption claims has dented insurer reputations. How this will play out in the long run is unknown.

What this means in terms of insurers’ enterprise risk management (ERM) is that, when they look at their reputational risk picture, they need to assess the risks to their reputation from the outside in. They need to see how they appear in the eyes of customers, regulators and the community at large. Improvement can take the form of improved communication starting with clearer policy language but can move well beyond that to more frequent communication with customers, greater transparency and more responsible advertising.

All in all, insurers of all sizes need to take note of changes in the risk landscape and must continuously improve their ERM practices.

Beware the Grey Swan

As the U.S. steadily emerges from the pandemic — and we all hold out hope for India — the temptation is to dismiss it as a one-off, a once-in-a-century health disaster, a black swan. But the pandemic is actually what’s coming to be known as a grey swan — something that, while rare, relates to a known problem and that can be planned for, if we come to grips with the cognitive biases that blur our ability to see them.

As we’ve learned the hard way over the past 20 years, there are a lot of grew swans out there, so we as an industry need to learn to prepare better for them, both for our own sakes and for those of our many clients.

This report from Aon on dealing with grey swans’ effect on corporate reputations includes a daunting list of those that have been broadly ignored over the past two decades, starting with the 9/11 terrorist attacks — which somehow caught the world by surprise even though Islamic terrorists were known to want to strike in the U.S., even though plots had been uncovered to hijack and crash planes into high-profile targets or blow them up and even though terrorists had attacked the World Trade Center itself and tried to make it collapse eight years earlier (right across the street from my office at the time).

The dangers that a hurricane posed to the levees in New Orleans were well-known long before Hurricane Katrina devastated them. So were the perils of subprime mortgages — a member of the Fed’s board of governors saw the crisis coming so far ahead of time that he published an alarmist book in 2007 yet was largely ignored until after the Great Recession of 2008-9 began. The tsunami that caused the disaster at the Fukushima nuclear plant in 2011 was eminently foreseeable. And, of course, many had been predicting a pandemic for years before COVID-19 pretty much shut the world down starting last spring and killed millions — Bill Gates even got most of the particulars of COVID right in a dire TED talk in 2015.

Why do we keep missing these grey swans?

Drawing on the seminal work of behavioral economist Daniel Kahneman, the Aon report lists six cognitive biases that cloud our judgment on risks more complicated than “white swans” — which are common enough that we have clear data on them and routinely incorporate them in our risk management.

The biases are: the ambiguity effect (our minds don’t like options with unknown probabilities); normalcy bias (we underestimate the likelihood and severity of disasters); optimism bias (we underestimate the probability of being affected directly); the ostrich effect (we ignore negative information to avoid the anxiety that comes with decision-making); herd instinct (we align with the behavior of a group to avoid conflict); and status quo bias (we prefer to keep doing what we’re doing).

As the report explains, the ambiguity effect, normalcy bias and optimism bias “relate to our limitations as natural statisticians. We gravitate toward information that we can process and organize [while avoiding]… uncertain, ambiguous data…. To help us navigate through the storms of life, we tend to be optimistic about our chances. Despite knowing the health risks associated with smoking or obesity, for example, we believe that ‘it won’t happen to me,’ yet we buy lottery tickets equally believing that, ‘it might be me!'”

The ostrich effect, herd instinct and status quo bias “relate to managing our emotional state. Evidence that conflicts with our rosy view of the world is uncomfortable and unpleasant…. It is easier to go along with the majority than stand one’s ground and cause waves.”

So, how can we do better?

The report’s conclusion: “Effective risk management strategies will acknowledge these flaws openly and institute measures to combat their most harmful effects.”

It suggests considering, in particular, the possibility of “a large-scale cyber attack with physical consequences. Cyber physical risk is not new, but its threat is growing rapidly, as adoption of the Internet of Things (IoT) accelerates and increases the ‘attack surface’: the number of connected systems and devices through which an attacker can enter or extract data.”

That kind of attack certainly seems plausible — as the SolarWinds attack by Russia showed, nation-states have the ability to sabotage each others’ infrastructure, such as electric grids, pretty much whenever they want.

The report adds: “We could turn our minds also to the ‘green swan,’ the term coined by the Bank for International Settlements to describe black swan events related to climate change.” It’s always hard to trace a disaster to climate change — some will say the recent Texas freeze may stem from climate change’s tendency to cause more extreme weather; some won’t — but the likelihood of green swans is certainly increasing.

One caution: I think the evaluation of disasters after the fact is often Monday morning quarterbacking: “It’s obvious that we should have punted/shouldn’t have punted,” “should have passed/should have run,” “should have seen that that player would be a star/a bust,” etc. You can’t just prepare for one grey swan and hope that’s the one you should have headed off. You have to prepare for all the grey swans you can imagine — you don’t just fix the levees in New Orleans; you prepare for what hurricanes might do up and down the Gulf Coast.

That can be expensive. So, there has to be some real calculation involved based on the odds of an event, the likely cost of a disaster and the expense associated with avoiding all such problems — and the nature of grey swans is that none of these figures are easily quantified.

All we really know for sure is that grey swans are occurring faster than we’ve expected and have been far costlier — COVID-19 has cost trillions of dollars in the U.S. alone, and the devastation in terms of lives lost has been even greater. So, we’d do well to confront our biases and keep trying to make ever-more-realistic evaluations of the risks we’re facing.

Stay safe.

Paul

P.S. Here are the six articles I’d like to highlight from the past week:

How Social Inflation Affects Liability Costs

The industry is probably looking at several more years of accident year combined ratios above 100%.

The Future Isn’t What It Used to Be

Customers, risks, operations and the workforce all have been transformed over the last year. This makes strategic planning a challenge.

How Geospatial Data Lowers Traffic Risk

The cadence and granularity of data about travel behavior need to be enhanced. Geospatial analytics can be the engine.

A New Environment for Insurers

Environmental, social and governance (ESG) is a chance for the insurance industry to do well by doing good.

The B2B Digital Payment Opportunity

As trends point to rapid adoption of alternative payment methods, insurers must determine how to meet B2B needs.

Long-Haul COVID-19 Claims and WC

Employers and workers’ comp carriers must tread lightly; accepting a COVID claim can have a big impact, beyond the initial care and recovery.

CISOs, Risk Managers: Better Together

Not so long ago, many chief information security officers (CISO) and other information-security professionals were offended by suggestions that their organizations should buy cyber insurance. After all, CISOs reasoned, if they did their jobs well, insurance would be unnecessary.

Fast forward to 2021. There probably isn’t a single CISO who believes that their organization is immune to potentially devastating cyberattacks. Recent news of alleged Russian penetration of well-protected government agencies and major corporations is one more reminder that any and every organization is vulnerable. Still, many CISOs are skeptical of insurance’s benefits and often are only tangentially involved in cyber insurance decisions.

CISOs are often concerned about perceived gaps in insurance coverage, about underwriting criteria that are misaligned with an organization’s security policies and procedures and about the willingness of insurers to pay claims. Some concerns are valid. For example, if an organization’s hardware is damaged by a malware attack, not every policy provides “bricking coverage,” which pays to replace impaired equipment. However, many CISOs’ concerns are based on now-outdated policy language and underwriting and claims practices. As cyber insurance has matured, underwriters are offering broader coverage with less burdensome underwriting requirements. Rather than avoiding claims, insurers are often trusted partners in responding to cyber events and managing their consequences.

Cyber insurance coverage may be more expansive now, but insurance buyers must still ensure that the protection they purchase is adequate and appropriate for their organization and its specific risk profile. In most large organizations, the risk manager buys cyber insurance. However, risk managers are rarely experts in network security and may not fully understand their organization’s cyber risk profile and control environment. This may result in purchasing insurance that does not adequately cover significant exposures, while over-insuring low-priority or well-managed risks. To ensure that cyber insurance aligns with the organization’s risk management needs, risk managers need to work with a broker who specializes in this type of coverage offering. Additionally, the risk manager and the broker need to include the CISO in the buying process. 

CISOs and risk managers have a common mission — to protect the assets of their organization. In many organizations, they haven’t effectively collaborated — along with their broker and carrier partners — to achieve their common goals. Even when insurance is recognized as an essential part of the overall cyber risk management strategy, organizational silos, the lack of a common risk vocabulary and differences in risk management frameworks can impede cooperation.

According to a SANS Institute report, Bridging the Insurance/Infosec Gap, “InfoSec and insurance professionals acknowledge they do not speak the same language when defining and quantifying risk, leading to different expectations, actions and justification for outcomes.”

The SANS Institute does not offer a one-size-fits-all solution for closing the gap. Within an organization, successful coordination and cooperation depend on corporate culture, institutional obstacles and how motivated CISOs and risk managers are to cooperate on their common goal.

See also: How Risk Managers Must Adapt to COVID

A coordinated approach is more essential today than ever before. With so many employees working from home during the COVID-19 pandemic, using their personal networks and often their own equipment, IT departments and security professionals struggle to ensure network security. A survey of 250 CISOs by Resilience (named Arceo at the time of the study) found that cloud usage, personal devices usage and unvetted apps or platforms posed the most significant threats during this period of increased telework. 

With so many factors outside the direct control of IT and information-security professionals, insurance becomes essential. But cyber insurance policies can materially vary, and not all insurers offer enough of the right coverage to satisfy an organization’s risk-transfer requirements. Once the corporate risk management and information-security functions are aligned, a broker can help navigate the universe of cyber insurance and help the client understand nuances in policy language to satisfy the organization’s risk-transfer requirements.

The outcome is an integrated program where insurance from secure and knowledgeable carriers is fully aligned with the organization’s risk profile and information-security strategy.

COVID-19 Trio Tops Global Business Risks

A trio of COVID-19-related risks heads up the Allianz Risk Barometer 2021, reflecting potential disruption and loss scenarios that companies are facing in the wake of the pandemic. Business interruption (with 41% of respondents citing it as a risk) and pandemic outbreak (at 40%) are this year’s top business risks, with cyber incidents (40%) ranking a close third. The 10th annual survey on global business risks from Allianz Global Corporate & Specialty (AGCS) incorporates the views of 2,769 experts in 92 countries and territories, including CEOs, risk managers, brokers and insurance experts. 

The COVID-19 crisis continues to represent an immediate threat to both individual safety and businesses, reflecting why pandemic outbreak has rocketed 15 positions up to #2 in the rankings at the expense of other risks. Prior to 2021, it had never finished higher than #16, a clearly underestimated risk. However, in 2021, it’s the #1 risk in 16 countries and among the three biggest risks across all continents and in 35 out of the 38 countries that qualify for a top 10 risks analysis. Japan, South Korea and Ghana are the only exceptions. 

Market developments (#4, at 19%) also climbs, reflecting the risk of rising insolvency rates following the pandemic. According to Euler Hermes, the bulk of insolvencies will come in 2021. The trade credit insurer’s global insolvency index is expected to hit a record for bankruptcies, up 35% by the end of 2021, with top increases expected in the U.S., Brazil, China and core European countries. 

Further, COVID-19 will likely spark a period of innovation and market disruption, accelerating the adoption of technology, hastening the demise of incumbents and traditional sectors and giving rise to new competitors. Other risers include macroeconomic developments (#8, at 13%) and political risks and violence (#10, with 11%), which are, in large part, a consequence of the coronavirus outbreak, too. Fallers in this year’s survey include changes in legislation and regulation (#5, with 19%), natural catastrophes (#6, with 17%), fire/explosion (#7, with 16%) and climate change (#9, with 13%), all clearly superseded by pandemic concerns.

Pandemic drives disruption — now and in the future

Prior to the COVID-19 outbreak, business interruption (BI) had already finished at the top of the Allianz Risk Barometer seven times, and it returns to the top spot after being replaced by cyber incidents in 2020. The pandemic shows that extreme, global-scale BI events are not just theoretical but a real possibility, causing loss of revenue and disruption to production, operations and supply chains. 59% of respondents highlight the pandemic as the main cause of BI in 2021, followed by cyber incidents (46%) and natural catastrophes and fire and explosion (around 30% each).

In response to heightened BI vulnerabilities, many companies are aiming to build more resilient operations and to de-risk their supply chains. According to Allianz Risk Barometer respondents, improving business continuity management is the main action companies are taking (62%), followed by developing alternative or multiple suppliers (45%), investing in digital supply chains (32%) and improving supplier selection and auditing (31%). According to AGCS experts, many companies found their plans were quickly overwhelmed by the pace of the pandemic. Business continuity planning needs to become more holistic, cross-functional and dynamic; monitor and measure emerging or extreme loss scenarios; and be constantly updated and tested and embedded into an organization’s strategy. 

Cyber perils intensify

Cyber incidents may have slipped to #3 but remain a key peril, with more respondents citing it than in 2020 and still ranking as a top three risk in many countries, including Brazil, France, Germany, India, Italy, Japan, South Africa, Spain, the U.K. and the U.S. The acceleration toward greater digitalization and remote working driven by the pandemic is also intensifying IT vulnerabilities. At the peak of the first wave of lockdowns, in April, the FBI reported a 300% increase in incidents alone, while cybercrime is now estimated to cost the global economy over $1 trillion, up 50% from two years ago. Already high in frequency, ransomware incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands, as highlighted in the recent AGCS cyber risk trends report

See also: 3-Step Framework to Manage COVID Risk

Risers and fallers 

Macroeconomic developments is up to #8, and political risks and violence (#10) returns to the top 10 for the first time since 2018, reflecting the fact that civil unrest, protests and riots now challenge terrorism as the main exposure for companies. The number, scale and duration of many recent events, including Black Lives Matter protests, anti-lockdown demonstrations and unrest around the U.S. presidential election, have been exceptional. As the socioeconomic fallout from COVID-19 mounts, further political and social unrest is likely, with many countries expected to experience an increase in activity in 2021 and beyond, particularly in Europe and the Americas.

Changes in legislation and regulation drops from #3 to #5 year-on-year. Natural catastrophes falls to #6 from #4, reflecting the fact that, although aggregated losses from multiple smaller events such as wildfires or tornadoes still led to widespread devastation and considerable insured losses in 2020, it was also the third consecutive year without a single large event, such as Hurricane Harvey in 2017. Climate change also falls to #9. However, the need to combat climate change remains as high as ever, given that 2020 was the hottest year ever recorded. 

To learn more about this year’s findings, please visit Allianz Risk Barometer 2021.