In our increasingly competitive business environment, companies everywhere are looking for the next new thing to give them a competitive edge. But perhaps the next new thing is applying new techniques and capabilities to existing concepts such as risk management. The exponential growth of data as well as recent technologies and techniques for managing and analyzing data create more opportunities.

Enterprise risk management can encompass so much more than merely making sure your business has purchased the right types and amounts of insurance. With the tools now available, businesses can quantify and model the risks they face to enable smarter mitigation strategies and better strategic decisions.

The discipline of risk management in general and the increasingly popular field of enterprise risk management have been around for years. But several recent trends and developments have increased the ability to execute on the concept of enterprise risk management.

First, the amount of data being produced everywhere has exploded and continues to accelerate. The typical executive today is swamped by data coming from all directions. Luckily, just as the raw amount of data has grown, the cost of the hardware to store data has decreased at an exponential rate. For example, in the last 10 years, retail hard-drive costs have dropped from about $1.20 per gigabyte (GB) in 2004 to about 4 cents per GB today. What’s more, the cost of hardware to store all that enterprise data is quickly becoming negligible.

But such huge amounts of data present a problem: Somebody has to manage and analyze it. All data is not equally important or relevant to the problems business executives need to solve or the risks they’re trying to manage. The explosion of data has created a greater amount of helpful and relevant data, but it can get lost in an even greater amount of useless, irrelevant, and distracting data. So an effective data management and analytics program is crucial to take advantage of the opportunities resident in the new flood of data.

One job of analytics is to sort the important from the unimportant and analyze and synthesize the data in new ways that create actionable information. Fortunately, the tools and techniques to manage large volumes of data have been progressing over the past several years. In particular, there has been a lot of buzz about big data. The field of big data has developed from a specific platform to manage large volumes of data into an entire ecosystem of related technologies. These tools are critical to the process of picking out the grains of useful intelligence from the vast quantities of distracting chaff that are characteristic of many big data sources.

Of course, the recent technical developments and analytic techniques that make it possible to extract actionable information from a flood of data are professionally exciting—if you’re an analyst. However, analytics for analytics’ sake does not help an organization. Often, analytics groups can remain isolated from the business itself. When such groups ultimately present what they have discovered, they may simply talk about the part most interesting to them—the analytics process—rather than focusing on the resulting information.

It is important to remember that actionable information is the ultimate goal of the entire exercise. The information must reach the decision makers in an understandable form when it is needed—the right information at the right place and at the right time. When designing information systems or even just presenting information to business executives, it is important for technical professionals to keep technical details to a minimum and focus on the actionable information. A feedback mechanism is critical. Users of the information must have a method to tell the creators of the information whether it was sufficient, correct, timely and understandable.

It’s been said that the three most important factors in real estate are location, location, and location. Similarly, the three most important factors in effective analytics are data, data, and data. Good data can sometimes make up for mediocre analytics, but even the best analytics will never produce anything useful from poor data.

Where should a business begin to leverage the new data and risk analytics? It has to start with the data itself. So start collecting and storing the data that’s available to you. Every business generates vast amounts every day. Collecting, managing, and analyzing internal data is necessary; but by looking outside the organization at social media, government data sources and third-party data vendors, a company can really begin to illuminate the environment in which it operates.

Managing data for analytics is a specialized field in its own right, and a topic for another day. But the business that can effectively leverage data and analytics to manage the risks it faces will be rewarded by seeing the future more clearly, making better decisions and ultimately being more successful than those companies that cannot.


While most risk professionals are satisfied with their insurers and brokers, those from organizations with enterprise risk management (ERM) programs were the least content, according to the inaugural J.D. Power and Risk and Insurance Management Society (RIMS) 2014 Large Commercial Insurance Report.

The full report, based on findings of the J.D. Power 2014 Large Business Commercial Study, slated for release in February 2015, examines industry-level performance metrics among large business commercial insurers and brokers. The study, which interviewed almost 1,000 risk professionals, highlights best practices that are critical to satisfying them.

The 2014 Commercial Insurance Report is based on surveys of organizations with $100 million or more in annual revenue that have purchased a commercial property, workers’ compensation, or auto policy with a profiled insurer or broker. The report represents organizations from more than 20 industry sectors and provides comparisons of the nine largest industry segments:

  • Accommodations, Food Services, Arts, Entertainment, Retail, and Recreation
  • Administrative Services, Education, and Real Estate
  • Financial Services
  • Government
  • Information Technology, Professional, Scientific, and Technical Services
  • Healthcare and Social Assistance
  • Manufacturing and Wholesale Trade
  • Telecom and Utilities
  • Transportation, Warehousing, and Waste Management

ERM is steadily becoming a more prevalent function for risk management at many organizations—with nearly 40% of risk professionals indicating that ERM falls within their area of responsibility—but the survey found that risk professionals who are not responsible for their organization’s ERM function are generally more satisfied with their insurers and brokers than those who are. In fact, overall satisfaction is lowest among risk professionals responsible for their organization’s enterprise risk management.

“A slice in the data showed that any time they might have any particular role in ERM, the satisfaction levels for those that did not have an ERM role was much higher than those who did,” said Timothy Bebout, commercial insurance practice leader at J.D. Power. “Their interaction and their satisfaction with either the broker or the insurer, whether by product line or by particular key indicators, was lower.”

Why was this the case? “The study shows there is more expectation for ERM from a strategic role in companies,” Bebout continued. “Some of the risks are not easily quantifiable and if tied to the need for reliance upon a broker to understand their business, I can imagine that if the risk professional was having difficulty describing or quantifying the risk and the broker was unable to take any sort of action, that would be viewed as a lack of knowledge of their needs.”

The brokers that did well did so because “they clearly understood the risk professional’s business and how to prepare for that renewal, or perhaps a new business proposal to an underwriter. They understood the key things that would make a difference in terms of pricing, limits and specific coverages and deductibles,” Bebout said. As for their communications, “If the average broker interaction outside of a claim is one or two times, risk professionals are saying that is not enough.”

Satisfaction with insurance brokers was based on four factors: ease of contacting, reasonableness of fees, advice and guidance in selecting program offerings and timeliness of resolving contact.

The survey found that overall satisfaction was highest for brokers. This was followed by property insurers, auto and workers compensation. Risk management customers of large commercial insurers were significantly more satisfied with their commercial property, workers compensation and auto insurance providers based on five factors: interaction, program offerings, price, billing and payment and claims.

Billing and payment was found to be the lowest scoring factor in the areas of auto and workers compensation, and among the lowest scoring in the property index. However, billing and payment satisfaction was significantly lower among workers compensation customers than among property and auto customers.

Mary Roth, RIMS executive director noted, “Whether the results of the survey were surprising or expected, we hope that it encourages a meaningful dialogue and actionable performance initiatives. The primary objective is to foster improved customer satisfaction throughout the large commercial insurance industry.”

The 146-page J.D. Power and RIMS Commercial Insurance Report is available for purchase. RIMS members can receive the 13-page J.D. Power and RIMS Commercial Insurance—Special Report Snapshot for free as well as a discount on the full report.


bebe data breach

On Friday, retail chain bebe announced that it had identified an attack on computers that operate the in-store payment processing system. The attack may have exposed data from cards swiped in retail locations in the U.S., Puerto Rico, and the U.S. Virgin Islands between Nov. 8 and Nov. 26, including cardholder name, account number, expiration date and verification code. The breach did not impact customers who shopped online or in other international locations, bebe reported, and the company has hired a security firm to stop and investigate the attack.

Almost exactly a year after the massive Target hack, this latest incident comes after a steady stream of sizable breaches among retailers, including Home Depot, JPMorgan Chase and eBay. Consumers have begun to find these hacks increasingly less surprising, and stopped paying as much attention – a phenomenon many are calling “breach fatigue.”

But companies are not entirely off the hook. While Target is on the rebound and subsequent breach victims have endured less damage to consumer perception, these cybersecurity incidents still demand a notable amount of contingency planning and mitigation.

According to public relations and social media firm Affect, there are four keys to protecting brand reputation in the event of a security breach:

1) Develop a Fully Locked and Loaded Response Plan

In the digital age, it is essential to have a cyber attack plan in place as part of an organization’s crisis management strategy. Companies can get ahead of a crisis by leveraging social media to defuse damaging situations. In order to prepare, be sure to anticipate and understand the kinds of threats that could influence your business and your industry.

“There are four phases of crisis communications: readiness, response, reassurance and recovery,” said Sandra Fathi, president of Affect. “In order to properly respond to a crisis, each stage must be ready to go at a moment’s notice — develop materials such as messages and prepared statements, prepare delivery channels like hotlines and social media platforms and train employees regarding awareness and organizational procedures.”

2) The Customer is Top Priority

Arguably the most important step in maintaining a brand’s image amid a breach is to be honest with customers and inform them about what has occurred — the sooner the better, especially if their personal information is at stake. In fact, 47 states have Security Breach Notification Laws that govern communication with customers in the face of a security breach, including the timeline for those communications. Several weeks elapsed before Target released an official statement to its customers, and as a result the company experienced massive backlash from customers, other organizations and the media alike.

Adam Levin, chairman and founder of IDT911, a provider of data risk and identity management services, believes every company needs to demonstrate three things in the wake of a data breach. “Urgency, transparency, and empathy are all critical. I don’t think they [Target] showed enough of those three,” Levin said in an interview with Not being upfront with customers can result in a loss of confidence in the brand that can hinder not only the company’s reputation, but could lead to a loss in revenue.

3) Monitor the Situation in Real-Time

Social media can be a powerful tool but “with great power comes great responsibility.” While positive engagements boost a brand’s respect, companies must always monitor for negative interactions in real-time and be even more stringent during a security breach, as customers will turn to social media to respond to situations, regardless of their allegiance to the brand. Develop a Social Media Response Map that outlines anticipated situations and correlated standard responses to avoid any last minute shuffle. Don’t shy away from angry customers that continuously post adverse comments. Depending on the situation, it may be worthwhile to engage with these individuals in a private forum and resolve their concerns, taking the negative sentiments offline.

4) Don’t Repeat the Same Mistakes

For brands, it is especially important to not make the same mistakes twice. Customers may or may not forgive a first offense, so a second go-around is even harder to rebound from. Companies must carefully document and analyze each breach to identify how it happened, why it happened and how to prevent such an event in the future. Consider changing security vendors, deploying new software, re-training staff and amending company policies. It is also important to communicate these changes to customers to reassure them that a similar breach will not reoccur.


Captives under Scrutiny

by Robert Myers on December 8, 2014

A mere decade ago, captive insurers were viewed by most regulators as a small, even exotic part of the insurance industry. Most were assumed to be offshore and aroused little attention. Now, captives have gone mainstream. A sizable, but undetermined, portion of the property casualty coverage is placed through, or issued by, captives. A good guess is 30% to 40%, but no one has been able to establish an accurate number. Thirty-nine states have some form of captive or self-insurance law. Captives are now part of everyday life for regulators and the result is more scrutiny.

The issues now on the agenda for captives are significant:

• XXX and AXXX Reinsurance Captives

According to Superintendent Joseph Torti (Rhode Island), 80% to 85% of life and annuity insurance is ceded to reinsurers. Much of the so-called “excess reserves” required by Rules XXX and AXXX are ceded to captive reinsurers or special purpose vehicles owned by the same licensed life and annuity companies which cede the risk. Because the amount of this risk is so large, any trouble collecting this reinsurance could have a major effect on the industry. Some regulators, even a few who approved these cessions, have criticized these arrangements. In some cases, the collateral for the reserves has been subject to parental guarantees, which tends to undermine the confidence which can be placed in the transaction. The NAIC is continuing its examination and has met some stiff resistance from the industry.

• Multistate Insurers 

The proposal to amend the preamble to the NAIC Accreditation Standards to treat captive reinsurers as “multistate insurers” (with some limited exceptions) was withdrawn at the last NAIC meeting in Louisville. A new proposal should be forthcoming (and may have already been issued by the date of publication of this Newsletter). The premise of this proposed change is that non-domiciliary regulators need to know how insurance issued in another state may affect the citizens of their state. The opposite point of view is that the regulators of the domicile have done their job and should be trusted by their regulator colleagues and that the transaction should not affect third parties, anyway. Some say the risk to the domestic captive industry is existential. If enacted and enforced, the proposed change could, ironically, drive much of the industry offshore and therefore beyond the authority of the regulators promoting it.

• Nonadmitted Risk and Reinsurance Act

Captives have been inadvertently drawn into the regulatory structure imposed by this federal legislation intended to streamline the reporting and payment of surplus lines taxes. It has shined a spotlight on the payment (or non-payment) of state self-procurement taxes, but, ironically, does not in any way alter either the application of them or their payment. While risk retention groups (RRGs) were able to get an exemption from the law during its formative phase, captives, because they are (generally) single state entities and therefore not doing business as a “non-admitted” insurer, did not even attempt to get an exemption. Now there is a group, the Coalition for Captive Insurance Clarity, which is seeking a legislative exemption on Capitol Hill.

• Insurance Company Income Taxation

The Internal Revenue Service is investigating several insurance pooling mechanisms and, in some cases, the captives that have utilized them to establish third party risk—which is essential for an insurer to get the benefit of insurance tax treatment. This investigation is presumably a response to the rapid growth of “micro-captives” as mechanisms to assist with avoidance of taxation in estate planning and wealth transfer. This process is in its early stages, but is likely to produce some dramatic results.

• Federal Home Loan Bank (FHLB)

Who would have thought that the FHLB would have anything to do with captives?  It appears that some captives, and at least one risk retention group, are members of the FHLB, which allows them to obtain federal funds at advantageous rates. The Federal Housing Finance Agency (FHFA), which regulates the twelve FHLBs, has proposed a rule that would exclude all captives from membership by defining “insurance company” to mean an entity which “has as its primary business the underwriting of risk for nonaffiliated persons.”

Why is this happening now? While there are numerous reasons for these kinds of actions, there are two primary motivators. First, regulation is always subject to the problem of “what’s worth doing is worth overdoing.” Reasonable minds can differ on the interpretation of statutes and regulations. Each of the above includes an element of “pushing the envelope,” which can be significant or insignificant issues depending on your point of view. Second, captives have been caught in the vortex of regulatory competition. As we have discussed before in this column, the National Association of Insurance Commissioners (NAIC), the Federal Insurance Office (FIO), and the International Association of Insurance Supervisors (IAIS) are jockeying for position and power. Add to the mix the position of the Organization for Economic Cooperation and Development (OECD) that captives may be used as a device to avoid taxation (“base erosion” in OECD parlance), and you have a tumult of regulatory action which at the same time can be challenging and conflicting in its goals and implementation.

What does this bode for the future of captives? Once you have been seen on the radar, it is hard to drop off. Captives can expect more of the same for the foreseeable future.

This blog was previously published on the Morris, Manning & Martin, LLP website.