Covering up your exposure

How does effective risk management/risk engineering impact a company’s insurance programme and improve its overall performance?

Insurers have a process for selecting liability risks. Identification of the risk profile of customers will be more or less elaborate depending on the insurer. This is based on in-house criteria, some of this is simple but sometimes these are very precise questions depending on the trade sector.

One key issue is the existence of a liability risk management policy. When the corporation has a risk management action plan in place then they are in a much better position to answer the questions raised by the insurer and give them adequate answers.

Risk engineering is also about quantifying risks. If a customer can demonstrate to the insurer that their exposures are managed then they are again in a better position to start discussions. Insurers want to minimise uncertainty and are loath to take risks blindly.

For example insurance policies often limit or exclude risks, but once a customer has identified and engineered that risk then they can better negotiate to avoid or mitigate those exclusions or to acquire higher limits. That’s one way to enhance the programme.

The area of liability risk engineering is still pretty much in an early stage of development. Few organisations have researched and devoted time to investigate it as a way of dealing with liability risks.

Even the larger customers have sometimes a partial view of their liability risks. Our target is to develop tools and processes to support risk managers.

For me, effective risk management is openness and sharing information so that the business transaction is fair and balanced.

Around the world there is an increasing risk of litigation, exposing businesses to the threat of liability claims. How can effective risk engineering help reduce the impact of liability issues?

Litigation is well known for being the primary driver for steadily increasing the cost of liability losses. This trend is spreading for good – protection of the public - and less good – pure litigiousness - reasons.

Effective risk engineering means to minimise the frequency and severity of losses. In liability and this is one of the main differences with property risk engineering the legal dimension plays a significant role both in loss prevention and loss mitigation.

Risk managers can be most effective by raising awareness within their organisations about liability risk exposures and how they can be engineered. This role is most often not easy since in general they are not directly involved nor in charge of the process oriented management systems like ISO 9001, ISO 14001, ISO 18001 dealing with quality, environment, health and safety or human resources.

The next stage is to bridge the gap between these management systems and risk management. Liability risk engineering will review legal-type risk mitigation solutions such as: contractual risk management, incident reporting (for example for slips, trips and falls), etc. The people who are in front of the risk may not always have the right options at their fingertips to deal with it.

One major tool is also to make best use of loss lessons including analysis of loss statistics. This data is also a useful resource when looking at the severity of losses, how the cost of a claim is split between property damage, bodily injury, penalties, legal fees, etc. Understanding better where the money goes can help optimise the way claims are settled.

At AXA Corporate Solutions the liability risk engineering folks work closely with their colleagues in claims and legal departments in order to develop the best suited risk mitigation analysis and tools.

The risk managers can have access to these tools and processes which could help reduce liability – and litigation - risks and to convey the right information and instructions to the persons directly involved in the business processes.

How can a comprehensive risk engineering programme manage and reduce a company’s exposure to liability claims arising from third party contractors?

I believe risk engineering can help significantly reduce the exposure to liability claims. Most often, being aware of the problem is the first part of the solution.

For example, in many cases operational managers pay scant attention to supplier or subcontractor contracts. On top of that, risk managers simply do not have access so they don’t know what clauses are in the contract.

You have to make sure you have a contract. Everything has to be in writing especially the liability clauses. That’s the first step and in many cases the first step is not there.

We routinely check this item when conducting client’s surveys and this has quite often triggered a whole process of auditing the contractual status with the suppliers.

Many other aspects also have to be considered in detail. We have for example developed a specific risk analysis process for assessing the more and more often encountered case of “facility management”. Having worked from both sides of the fence with both suppliers and their customers has provided us with significant insight.

Risk managers may find it hard to increase their investment in risk engineering when times are tough. What advice do you have for them? How can they make the case for investment?

Even during the good times it is a challenge to secure adequate funding for safety where the yield may not be immediately apparent. The stigma is that there is no apparent return on investment.

Risk managers have to sell their investments by speaking the same language as the finance crowd. That is why we have tried for a long time to give risk managers figures, enabling them to show their boards what the return on investment really is. It is difficult, particularly in liability, to quantify exposures. But this is necessary in order to put risk mitigation costs in perspective.

In times of economic downturn the strong become leaner and the weak die. It is survival of the fittest. If you have a safety margin you may be able to survive, but if a company has a significant loss now they are more likely to disappear or be taken over. During this period of cash crunch if you have a big loss it can be fatal - it’s as simple as that.

So for me, in this period, not spending time and money on risk mitigation is not the wisest management decision. A number of organisations are realising that and interest in liability risk engineering is on the rise.

To make the right decisions on risk a company needs comprehensive up-to-date information that is easily accessed and simple to work with. With this risk data, they are able to track the status of improvements and benchmark locations.

What advice do you have for companies to improve the quality of their risk information systems?

Information technology development is becoming an important and key expenditure in the risk management arena. We are keenly aware of that and have invested significantly for client services and internal needs.

My advice to risk managers is definitely to have on-line access to relevant risk data so that they can control and implement their risk management policy. Basically risk managers need three sets of data:

• Exposures to risk: geo-coded locations, products, processes, etc

• Risk data: loss expectancies and risk assessments

• Losses: insured and retained.

I would also encourage customers to build up an incident reporting system because the majority of losses are self insured or below a deductible. If you want to truly better control risk you have to have data on those incidents so that you can identify the root causes, the areas which are more prone to faults and then take action.

If you want to manage risks you have to have comprehensive risk documentation and decision-making tools. If you don’t have these data you don’t have a clue about which risks to handle first.

The next step would be to have all the above in inter-related databases with on-line access and reporting capabilities. Such systems advantages lie in uniqueness of data and in the immediateness of the information provided. You should not have to wait several weeks or months for a report, which would give not very reliable and most often outdated information.

This is no easy task and few risk engineering providers propose within their package an online database management tool meeting the above characteristics.

AXA Corporate Solutions will release an update next January 2010. Coupled with proprietary risk mapping and benchmarking tools this is a powerful and modern option available to risk managers.

How can corporate risk managers add real insight to the management and communication of strategic risks? And how can they improve risk management processes and business continuity and resilience, quickly and effectively?

In large organisations this is one of the main duties of the corporate risk manager. They have to watch for the risks within and without their company and take this information and present it to the board on a regular basis.

Sustainable growth has become prominent on these agendas. In the field of liability the one area that has also gained visibility is the emerging risks. Insurers have been keeping a close watch on this for a long time: what could be the next asbestos crisis?

In this respect our group is doing its own risk management which can also benefit the customers. At group level we have an emerging risk group that shares knowledge and information amongst group member companies.

The risk manager has to convey information to their top managers. The management runs the business - steers the company to achieve its objectives - while the risk manager’s duty is to draw attention where the potential risks are.

Identifying the information you want to convey is important. At least as important is the ability to put in perspective this information and use visual display tools such as Isorisk and VisioRisk which can bring credibility to the message. Our aim is to glean and put together the relevant information and help risk managers to present it to their boards.

How can companies make sure risk management is a fundamental part of their project management, to ensure that resources aren’t wasted when the organisation undertakes a large scale project, such as a major asset purchase?

Acquisitions is an area where the risk management process could bring more benefit than is at present the case. Some risk managers are doing this but not always in a very integrated manner.

Such projects usually are focused on financial and legal matters. The people in charge should be aware that insurance liabilities should also be assessed and taken into account. It is not something that companies have always a good handle on at the moment. It is opportunistic, and could be improved.

I worked in the past in a risk management team for a company that did a lot of acquisitions. We had an integrated process for managing risks in large acquisitions. We were most often amongst the first to go and visit the future acquisitions and do audits. Our objective was to identify the liabilities in the widest understanding of the term.

For example: did the acquisition have environmental non-compliance issues? High on the list was: did they have an active risk management policy and achievements to prove it? We were digging for these kinds of issues.

Supporting acquisitions should be part of the risk management process. Where this not the case the risk manager should sell the risk management concept and process to his colleagues within the organisation.

In a world where supply chains are increasingly complex and interdependent, what challenges can risk managers expect to encounter when identifying business interruption exposures within their supply chain and estimating and mitigating the expected loss?

The first problem to be tackled is the issue of the globalisation of supply chains. Today, supplies come from everywhere in the world, very often far from central decision-making and with few controls, if not none at all. We’ve seen a number of claims where the client was not even aware of the location of their end suppliers.

Second is the chain of subcontractors where actual production is passed downwards through a string of suppliers and as a consequence control is increasingly diluted. Today even the trade sectors most advanced in this exercise such as the automotive or aerospace industries struggle in identifying their suppliers.

The third item, which can lead to aggravated claims and losses is purchasing. Procurement natural bend is to favor the lowest bidder. In today’s world economy buying cheap is not always the wisest business decision.

It is a real daily risk where awareness is key. Purchasing departments should more than ever include risk in their criteria for selecting suppliers. Again this comes with knowledge and data. Does this supplier have a history of bad incidents or events?

Labels and certification may also not be enough. The ISO labels for example should be carefully reviewed. A company may say that it is ISO 9000 compliant on its web-site, and you can buy safely from it. In reality only two plants out of 25 are ISO certified.

It is dangerous to blindly trust unchecked affirmations. You have to investigate and ask questions. If you do have to outsource, make sure it is to someone who knows your objectives and your operations.

What impact could a potential swine flu pandemic have on a global business? And how can they prepare and minimise the potential impact and business interruption?

The only information that we have about the pandemic is historical: how many people have contracted the flu and the number of fatalities. That is past data. The future is uncertain. It could be an ordinary seasonal flu or it could be the next 1918 Spanish flu pandemic. We don’t know and the international health organisations do not want to make forecasts.

The only reasonable precautions a company can take is to try and be as prepared as it can. Our clients have asked what they need to do to be prepared. Their primary concern is the effect of a pandemic on their own employees and facilities, and the effect of employees staying at home caring for their family instead of going to work.

We should consider a present case which is the AIDS epidemic in southern Africa, which has been raging for several years now. The figures are appalling. South Africa, which is the largest country in the region, is suffering dreadfully, but somehow the economy is managing it.

I think it is an example worth looking at. It gives us some idea of the effect. The AIDS pandemic is of dramatic proportion, some organisations have lost a significant percentage of their personnel. But they have set up systems to help their employees better cope.

My advice is to take the usual risk management approach: to try to identify and quantify the risk so that you can then devise risk mitigation options. Where in the world do you have facilities which are the most exposed to the pandemic?

Within AXA we have done that analysis. We have advised people in exposed areas to reduce travel and take precautions. The key is to keep the awareness up.

Letting your employees know that the company cares is the most important point. That means if an employee is in trouble he knows the company will support him. Corporations have a duty to provide this peace of mind for their employees and their families.