About Jared Wade

Jared Wade is a freelance writer and former editor of the Risk Management Monitor and senior editor of Risk Management magazine. You can find more of his writing at JaredWade.com.

Any Volunteers?

AIG head Edward Liddy has had enough. He is leaving the company.

He has reportedly been talking to the board for a while about his exit strategy and although he will stay on as both chief executive and chairman until a successor is found, I think it’s fair to say that these past few months will not be among his fondest memories.

“This isn’t exactly what I thought I’d be doing in retirement,” he said Thursday in an interview.

From Liddy’s perspective, catering to the demands of all the different “cooks in the kitchen” that now govern AIG is a near-impossible challenge.

He said the job entailed answering to the board, the Fed, the Treasury, Congress and 450 regulatory bodies in 130 countries.

“It doesn’t make sense to have one person do it,” he added.

Instead, he thinks the job he has been doing needs to become two separate roles: a chairman responsible for governance and “walking the halls of Congress,” and a chief exec to run operations.

Sounds like a good plan? Now…Who wants to do it?

Hiscox Studies Privacy & Data Security

On Monday at RIMS 2009, Hiscox unveiled its new study “Data Privacy and Corporate America: Who’s Recognizing the Risk.” So I sat down earlier today with one of the report’s authors, Jim Whetstone, who is the company’s senior VP of technology E&O.

The chief finding is that 38% of Fortune 500 companies surveyed do not explicitly mention privacy/data breach in the risk factors section of their SEC 10-K filings, which when broken down by sector is even more alarming: 46% of diversified financial companies, 50% of telecommunications firms and an astounding 80% of utilities. 

Worse still, according to Whetstone, even many of those that do realize the financial and reputational risks associated with a potential security breach deem the easiest solution, encryption, to be cost-prohibitive, even though they realize it would largely mitigate the threat. You see, around 45 states now have laws that require any organization that loses confidential consumer/patient/student/etc. data to notify anyone who was affected. And that’s when the lawsuits, complaints and horror stories of identity theft begin. Not only is this a huge financial burden — the costs of hiring computer forensic specialists, mailing notifications, setting up call centers and offering free credit monitoring add up very, very quickly — but the comparable reputational fallout is nearly impossible to quantify.

All this could be averted in most cases, however, with data encryption, since almost all those same state laws also include a “safe harbor” provision that allows companies that safeguarded the data to forgo the onerous notification process.

To put this all in proper perspective, all Whetstone had to do was ask me one question: “You know why a car has brakes?” 

Since I learned this fact around first grade, I thought to myself “I got this one…to stop, right?”

But before I said anything he answered his own question: “So it can go fast.”

Most companies are prioritizing innovation — and rightly so. They’re trying to gather as much consumer data as possible to put this to use in sales, development and improved customer relations. But in making these technological advances, it’s also important to ensure you have the right safeguards in place. “It’s a constant battle between technology and the brakes on the car,” said Whetstone. “Companies are trying to be innovative — they’re trying to push the envelope — and that’s always dangerous.”

Whetstone has no delusions that any company should stall innovation for the sake of encryption and data security, however. On the contrary, he thinks gathering all this data is a huge advantage for companies. They just have to be careful and understand their vulnerabilities. And all it takes is glancing at a few of the colorful charts in Hiscox’s report to realize that most companies are failing at the latter endeavor. In TJ Maxx’s infamous data breach, for example, the company was attempting to improve its store’s operations by implementing a wireless network, yet it failed to realize that sub-par security opened up the location to nefarious data thieves.

Of course, it is indeed true that encryption is still expensive in some cases — back-archiving old legacy systems, for instance. But using encryption doesn’t have to be an all-or-nothing proposition, and Whetstone believes that, at a minimum, companies need to encrypt the data stored on laptops, USB drives and back-up tapes. He includes this in what he calls a “defense-in-depth approach” to IT security. By securing those physical items that can be left at an airport or in a taxi cab, you allow risk managers and legal counsel to rest easy knowing that their employees at least won’t be giving confidential data away. Hackers can still breach the network and that will remain a concern, but protecting the physical storage devices provides a first level of defense.

And most importantly, risk managers need to be involved in the IT discussion. The ideal balance between the legal team, IT and risk management is unique for each company. But unless everyone is talking and understands the priorities and recommendations of the others, data breaches are only going to happen more often.

Hiscox found that only 7% of US companies have implemented end-to-end encryption on their confidential personal data.

Risk Management at a Crossroads

In talking to the risk managers, brokers and insurers populating RIMS 2009, there are two themes that run constant. The first is the unique opportunity that last year’s financial meltdown has presented risk managers to raise their profiles within their organizations and prove their value to senior management. Finally, after the onslaught of calamities of the past decade — September 11 then Enron then Katrina — the economic crisis seems to be the final straw in forcing boards of directors to understand the importance of risk management.

Conversely, however, is the other reality of the economic crisis: Few companies have the resources to devote to non-revenue generating endeavors. So while many risk managers may be getting heard by the board for the first time and receiving the encouragement they have always desired, they are not always getting that support in the form of resources. 

For insurers, the predicament is different — yet similar.

Given the economic climate, there must be a return to underwriting discipline. Earlier today I spoke with Bob Petrelli, who is a managing director in Swiss Re’s insurance division, and he emphasized this need. “Last year’s crisis has shown us that you can’t put all your faith in your investments,” he said. “You need to have that underwriting discipline.”

But, obviously, this is easier said than done, and even though we’re seeing signs of a return to the hard market, many insurers have been unable to actually stick to their guns and practice what they preach. “If everyone would do what they say they are going to do, we would see a hardening market,” said Petrelli’s colleague at Swiss Re, Nikolaj Beck, who is also a managing director on the company’s insurance side.

But more so than simply tightening prices and limiting exposures, both Swiss Re’s executives as well as those I spoke with at Zurich stressed the need for innovation. Given their market footprints and name brands, neither company likely needs to worry about coming out of the economic crisis in good shape. But each seemed hopeful that when the turnaround does occur, they will not only emerge comfortably, but with a distinct competitive advantage in their markets. 

Zurich, for instance, has recently released a new D&O policy it is promoting at RIMS 2009 that it hopes can set a new standard for coverage. By enhancing some aspects of its Side A coverage for individual directors (including retired directors) as well as including an extension for “environmental mismanagement claims” resulting from climate change retaliation claims, the company is hoping that this type of innovation will differentiate it from a marketplace where many of the players are content to just tread water. The goal, according to Zurich chief innovation officer Ty Sagalow, is “raising the bar in D&O.”

And, thus far, the feedback he’s received is encouraging. “One broker’s response was ‘It kicks ass,'” said Sagalow. Sagalow was particularly committed to such forward thinking in the realms of climate change and globalization-related risks still on the horizon — like those supply chain risks that the recent spike in piracy off the Somali coast is illustrating far too often — and is trying to find a good balance between those things that policyholders are asking for and those things that his team has identified as the emerging risks affecting all organizations.

“Whether it’s a soft market or a hard market, it’s always a market for customer-centric innovation,” said Sagalow. “When we go to [our clients] and tell them we’re responding to their needs, they are very receptive.” 

Swiss Re, too, sees a balance between innovation and underwriting discipline as a cornerstone of its strategic future. And as one of the most technically advanced companies in the market, it believes it has the ability to do both. The company executives are hoping risk managers looking for better coverage at better prices in this tough economic climate will come to them with better information about their specific risks to help the underwriters placing the coverage. “We have the technology and expertise to take that information and use it to better understand and price the risks an individual company faces,” said Nikolaj Beck.

Of course, it may seem easier for giant, multi-billion-dollar insurance companies to find opportunities to increase their profile and market value in this current environment than it is for a solitary risk manager to raise organizational awareness about his discipline and get more authority. But those opportunities do exist. Risk managers need to find them and, more importantly, take advantage of them.

For those still struggling to be heard, Bob Petrelli of Swiss Re at least has a few words that may give some inspiration. “The boards of directors know who their risk managers are now.”

That may not sound overwhelmingly encouraging on the surface, but it’s a start.

Aon Unveils “Global Risk Management Survey ’09” at RIMS 2009

This morning at 9:00 am in the Orange County Convention Center, Aon unveiled its “2009 Global Risk Management Survey” and — unsurprisingly — fear of economic slowdown ranked as the number one concern for the 500-plus global organizations that responded. Stephen Cross, CEO of Aon Global Risk Consulting and one of the presenters detailing the survey results for the roughly 50 people attending the session, illustrated the largest concern for risk professionals if the slowdown continues to worsen.

“One outcome might be cost-cutting in risk management, which would be unfortunate,” said Cross. “We may be dealing with a situation where you have to do more with less.”

And as anyone who has ever tried likely already knows, you can’t do more with less; you can only do less with less.

The report went into more detail:

“Perhaps the most difficult risk management issue we face amidst this turmoil is ensuring that organizations remain committed to established, effective risk management strategies. Seeking short-term gains may restrict or reduce the long-term success of risk management programs. Risk controls, for example, should not be ignored for the sake of immediate expense cutting as they are essential to long-term cost mitigation.”

Following the threat of a deeper global recession on the list of top risks came some other familiar suspects, as well as a few concerns that didn’t even register in last year’s top ten. Here’s the full breakdown.

1. Economic Slowdown
2. Regulatory/Legislative Change
3. Business Interruption
4. Increasing Competition
5. Commodity Price Risk
6. Damage to Reputation
7. Cash Flow/Liquidity Risk
8. Distribution or Supply Chain Failure
9. Third Party Liability
10. Failure to Attract or Retain Top Talent

In addition to tallying these results, Aon also asked companies how prepared they were for each of these risks. Shockingly, 60% said they were ready for the economic slowdown — something that sounded particularly dubious to Cross. “I was very surprised to see that 60% of people reported they were prepared for the economic slowdown because I’ve yet to meet this 60%,” said Cross. “If Warren Buffett lost billion personally, I don’t know where these 60% of people are.”

To me, the realities of the economic slowdown are undeniable and even the most optimistic of economists seem to put the global recovery coming no sooner than early 2010. The inevitable and likely-soon-coming regulatory backlash from the financial sector meltdown, however, seems even more unpredictable. After AIG’s bonusgate plus the general populist outrage against everything from banks to carmakers, who really knows what Congress is going to draft?

Cross aptly summed up this fear. “It’s possible that the reaction may be over-reaction.” Or as the report termed it:

“In the wake of the global economic crisis, an increase in regulation within the financial sector is widely anticipated; however, it is still unclear whether more stringent regulation will expand to other industry sectors. For multinationals, the cost, quantity and complexity of regulations presents serious challenges in terms of managing compliance with regulatory risks.”

Cross’ co-panelist Theresa Bourdon, who serves as Group Managing Director of the Americas for Aon Global Risk Consulting, raised another interesting concern. “The risk for companies is the inability to comply with these regulations,” she said. “If you don’t comply, the penalties can be severe…More importantly, there is a lack of market share and reputation.”

The panelists went on to discuss the new realities of supply chain risk and some emerging issues reported in business interruption. For even more info, read the full report.

And in other Aon-related news, you can also check out all the company’s RIMS 2009 events and activities over at its “Client World” website where the company is providing real-time updates from Orlando. You can also follow Aon live at RIMS 2009 on Twitter at @AonCorp.