Tag Archives: strategic planning

Strategic Planning in the COVID-19 Era

No one will mistake 2020 for just another year. The turmoil caused by the pandemic, lockdowns and social unrest is unlike any other year. Businesses, individuals and governments have all been forced to make dramatic changes and adapt to new realities.

The P&C insurance industry has responded admirably amid the chaos and continues to adapt to the evolving environment. As insurers develop strategies and plans for 2021, the logical question is, where to start? The traditional planning processes may need to be supplemented with new approaches, given the great uncertainty brought about by the events of 2020. One approach to consider is scenario planning.

Scenario planning is most valuable when there are considerable uncertainties regarding the future. By definition, strategic planning always has to deal with an uncertain future. However, a new set of variables is now layered on to the traditional factors that influence strategic decisions. In a new research report, SMA has evaluated a wide range of variables and has developed four scenarios for the future for P&C insurers. P&C Insurance Post-COVID-19: 4 Scenarios for the Future, looks at the implications of different possibilities for economic recovery and the nature of digital transformation in the world at large. The four resulting scenarios that SMA has described are:

  • Survival of the Fittest: In this grim scenario, insurers would be forced to adapt to decreased demand and growth by cutting back the workforce, expenses and investments in digital transformation and innovation.
  • Digital Prevails: In this possible future, the pandemic would be embraced as a change event, and the lessons learned would be catalysts for finding creative ways to invest.
  • Back to the Future: The world of P&C insurance would be similar to what it was like pre-COVID-19.
  • Innovation Abounds: A robust economy and an acceleration of digital transformation in the world will require insurers to take innovation to the next level and accelerate their own transformation.

See also: How Risk Managers Must Adapt to COVID

What would each of these potential scenarios mean for the industry as a whole? For individual insurers? For different lines of business and business areas within an insurance company? That is the essence of scenario planning.

I wish I could travel to the future so that I could tell my clients what future they should plan for. But because time travel is not available yet, the next best thing is to engage in scenario planning to help think through the implications and strategic responses for various possible futures, then use that thinking as input into the traditional strategic process.

Insurance Industry Can Solve Cyber

Before explaining the basis for the strong statement in the headline, it’s necessary to redefine what “solve” means. After all, we live in a world where the myth of impenetrability was long ago debunked, where there are no silver bullet technology solutions and where continued cyber events are as certain as the sun rising tomorrow. Anybody who knows anything about cyber is likely thinking, “It’s impossible to solve cyber risk!” But what if we redefine “solve” as: “to provide security leaders and firms with an accurate picture of their cyber exposure, with the ability to effectively manage the risk and with resiliency when an event happens.”

With that as the definition, why is the insurance industry best-positioned to solve cyber? It’s a matter of insight and the scope of that insight. The insurance industry is the only industry that has the ability to correlate controls and protective actions (insight gained during the underwriting process) with losses resulting from the failure of such controls and protective actions (insight gained by paying claims), thus occupying a front-row seat to what is working and what is not. Most importantly, because the industry serves this function across all classes of risk, across all industry verticals and on a continuous basis, the insurance industry should be the primary source of actionable cyber risk management insight. No technology or network appliance can do that, and even the best assessment is merely a snapshot in time.

Let’s drill a little deeper by considering each element of the new definition individually.

First, the ability to provide firms with an accurate picture of their risk is a critical step toward managing it. An insurance-linked approach can help firms understand the context of their cyber exposure and do it in a way that is both easily comparable and lays a foundation to capture loss and claims data. We recommend starting with four categories of loss: 1st party financial, 3rd party financial, 1st party tangible and 3rd party tangible. Then drill deeper within each category, with subcategories tied to specific types of insurance coverage and areas of un-insurability — an incredibly helpful data point itself (meaningful areas of un-insurable cyber risk should see an overweight deployment of controls). Ultimately, this approach paints a complete picture of the cyber risk spectrum and then facilitates the easy utilization of claims data for exposure modeling and benchmarking.

Next, the ability to effectively manage cyber risk certainly trumps the other two elements based on what is most sought by the security community right now. I’ve often described the job of a cyber security leader as akin to putting together a puzzle in which one-third of the puzzle pieces are missing, another third don’t fit together and, to make matters worse, the board changes every 30 minutes. This characterization of cyber will probably never tire — hence the need to redefine “solve” — but this is the very challenge that the insurance industry is best positioned to attack. Why? Because the insurance industry underwrites the cyber security programs of firms of all shapes and sizes on a daily basis and pays claims resulting from the failure of those cyber security programs on a daily basis. If information on both fronts can be appropriately harnessed and correlated in something akin to real time, the underwriting process itself should serve not as an interrogation but rather as an actionable intelligence session for firms to understand how to best evolve their cyber programs. And why stop there? Security leaders should welcome the opportunity to call their insurance companies anytime for an update on the risk climate and for guidance with strategic planning.

Finally, the ability to provide resiliency. This is where insurance coverage itself comes into play — as it is the only type of control that can reduce, or even eliminate, the cost of an event. The ability to survive is the true measure of resiliency, so while a robust set of controls, policies and procedures wards off antigens and increases the likelihood of surviving, the financial resources to pay for an event will be most meaningful in determining the firm’s and security leaders’ fates.

Imagine the post-event press conference if the insurance industry solved cyber: “Ladies and gentlemen, we’ve experienced a cyber event. It will likely be large but nowhere near catastrophic. We’ve been planning accordingly; we knew what our exposure was, and we have been continually updating our defenses in accordance with best-in-class recommendations from our insurance partners. We can validate that by virtue of the fact that we have been able to maintain a comprehensive insurance program that will cover all of our costs as well any claims against us. The organization will emerge whole.”

The insurance industry has answered the challenge before. Decades ago, insurers started to correlate the causes of events like fire and boiler explosions and subsequently provided invaluable risk-engineering insight to firms. Nobody can dispute the relevance of the industry for minimizing property risk. While some characteristics of cyber are definitely unique, all of the foundational pieces are in place for the insurance industry to do the same here. If the industry succeeds, cyber can be solved.

Personal Effectiveness – The Continuing Challenge

I was recently going through my notes, preparing to give one of my workshops on the subject of Personal Effectiveness. In preparation for the workshop each participant is requested to read some background material so all who attend have a passing understanding of (1) what the Best Practice looks like in action, (2) what it contributes to the business, and (3) if it’s truly beneficial, how a business team would put it to work.

The material I pondered that caused me to start writing about it in this article is a Harvard Business Review article: Beware the Busy Manager by Heike Bruch and Sumantra Ghoshal.

The authors ask an intriguing question — Are the least effective executives the ones who look like they are doing the most? Hmmmmm.

Of course, being seasoned scholars, the authors backed up their observations in their article with some impressive research. For about a ten year period they studied the behavior of busy managers in companies in the US, UK, Germany and Switzerland, interviewing hundreds of managers. Their findings were not particularly encouraging. They report fully 90% of managers squander their time in all sorts of ineffective activities. In other words, a mere 10% of managers spend their time in a committed, purposeful, and reflective manner. Okay, what does that look like?

It seems the highly effective 10% had these common traits: (1) concentrated attention — focus, (2) vigor fueled by intense personal commitment, and (3) selecting a manageable number of projects for early contribution. From both my CEO days as well as consulting experiences, these patterns are absolutely what I have observed in highly productive executives. Of the three, I want to elaborate a bit more on the last one, the number of projects currently under management.

In our consulting practice I have facilitated a significant number of strategic planning sessions. As part of preparing an annual Strategic Plan, one of the very significant by-products is the Action Plan, which schedules accomplishment for all the projects that enable the achievement of the Strategic Plan. Most companies struggle with the above three traits — focus, commitment and scope in the Strategic Plan implementation process (the Action Plan). In fact, I would say just about 10% really do it well. Of the traits, the scope (number of initiatives) seems most troubling.

We urge clients approaching the Action Plan for the first time to limit the number of goals / projects / activities to a critical few, get them accomplished as soon as possible, then select some others and do the same.

The tendency is to select way too many initiatives and then get bogged down, get discouraged and abandon a potentially powerful process.

In support of simplifying the focus and reinforcing vigor and commitment, I developed the Law of Three. Applying this principle, you are encouraged to pick three high-impact projects and work like heck to get them accomplished in the next three months.

Variations on this theme are encouraged as long as it supports the accomplishment of the critical few projects that will have the greatest impact. This is where strategy and personal effectiveness team up for high performance. It is effective!