Identifying the risks

Traditional risks in their original form are understood and under control. However, what constitutes these risks is evolving and often traditional risks have turned into virtual risks. Ownership of assets is fluid while JVs and shared platforms add to the complex ownership structure of assets.

Outsourcing is a major potential risk issue. Control of assets and data is effectively lost to third parties leading to a more vulnerable supply chain.  When everything is outsourced, the revenue remains in the 'brand', usually a service, but the brand becomes harder to protect.  Despite the potential exposures, insurance and risk management functions often have little or no input in the outsourcing decision making process, so risk issues, including the terms and conditions of the contract, can be subordinate to commercial drivers.  Insurers rarely require full disclosure of these arrangements (as much is not actually covered by their policies) and sometimes seem to struggle to offer the relevant support or advice to their clients in respect of outsourcing risks. 

Compliance issues are increasingly burdensome: time, resource and the financial and reputational potential consequences of non-compliance.  Rather than understanding the risk, many companies adopt a one dimensional 'tick box' mentality to demonstrate compliance, which may not actually deal with underlying risk. 

Theft and infringement of Intellectual Property is a clear issue but the risks are not as high up the risk agenda as might be expected. However, e-Crime and Fraud is a major issue for many companies but hard to quantify due to its very nature. The need to hold customer information cannot be avoided and so this is an area where risks are generating a lot of interest and debate.

Social Networking concerns are a new risk phenomenon, both hard to control and to combat. Using this medium a small number of individuals can cause adverse media and brand damage disproportion to their actual representation. A reputation that took years to build, can be damaged by one guy with a video camera and a posting on YouTube. Conversely, even if brands find some credible way to communicate with consumers on a social media site, they will be trusted the least.

Data protection and privacy remains an area of concern.

Resilience of systems/hardware is a prime concern to many companies, downtime losing business and impacting income.  The whole premise of companies such as Google is that if they are sufficiently fast and reliable then people will choose them and advertising revenue will flow automatically.

These are some of the topics that we will be discussing at our next Emerging Risks event, where we will be joined by a number of insurers to debate these issues further with us. Further details of this event can be found here:

Emerging Risks Event - Are Insurers Responding to Meet New Coverage Needs?

Having come across many abbreviations and terms from other countries/regions during our day-to-day role in the Global Service Team, we thought it might be useful to create the following aide memoire...

1) ISR (Australia) - Industrial Special Risks

Industrial Special Risks; Property/Business Interruption insurance for commercial risks.

2) CTP (Australia) - Compulsory Third Party Liability

Compulsory Third Party Liability, the most common being Motor Third Party Liability.

3) Certificate of Currency (Australia, again!)

This is a Certificate of Insurance/' To Whom It May Concern' letter providing insurance details which Insured's are required to evidence to third parties.

4) PAR (Asia) - Property All Risks

Property All Risks.

5) Ingress/ Egress (USA)

The equivalent of Denial of Access under UK Business Interruption policies.

6) General Liability (GL) (North and South America)

General Liability policies cover all liability exposures of a business that are not specifically excluded. Coverage normally includes product liability and premises and operations (public liability).

When corresponding with the Americas on Public and Products Liability insurance, it may therefore make sense to state General Liability so that we are using the same policy names.

7) Employers Liability and Workers Compensation (Worldwide)

The UK is one of the few territories where Employers Liability insurance is mandatory. When dealing with countries outside the UK, we are more likely to encounter Workers Compensation insurance.

Although the policy names don't cause confusion it is worth pointing out a key difference.
Employers Liability covers an Employer's Common Law Legal liability for accidents or illnesses to employees.

Workers Compensation provides a no fault cover for accidents to employees and for industrial diseases, as defined, arising out of work.

---------------------------------------------------------

Commonly used UK abbreviations...

PDBI - Property Damage Business Interruption
E&O - Errors and Omissions
EML - Estimated Maximum Loss (Property/BI Insurance)
IBNR - Incurred But Not Reported (Claims)
NDBI - Non-Damage Business Interruption
CBI - Contingent Business Interruption

This exposure does not only relate to Pharmaceutical or Chemical Companies (traditionally considered high polluter activities) but also, by way of example, to an office-based company that has a heating storage tank, which could pollute the environment should it leak. This company could be a potential polluter. Equally, if a company owns or operates in premises that have storage tanks containing potentially hazardous substances that leak, they will need some insurance protection, as they would potentially be liable under the Directive for any damage to the environment caused by those leaks.

What are the consequences?
Well, the EU Directive requires the "Polluter" to pay for cleaning up the areas polluted (traditional clean up cost). However it also states that the company will fully "Re-mediate" the effected area, so that it is truly returned to its pre-incident state. For example, if a sewage treatment company were to accidentally flood a fishing river with poisonous chemicals resulting in the fish being killed, that company would not only have to pay for the river to be cleaned, but also to be completely re-stocked with fish. If this is not possible because the habitat of the fish has been completely destroyed, the EU directive requires you, at your expenses, to find another ideal habitat to restore the fish (so called "biodiversity damage").

This EU Directive became law in the UK in April 2009 and all the EU members will have to implement this new European legislation by the end of 2011.

Environmental Impairment Liability (EIL) Insurance coverage is now available in respect of this exposure on a National, EU-wide or Global basis. It provides cover for both gradual and sudden and accidental pollution, as well as remediation costs of the type described above. With the new and wide liabilities to which the EU Directive exposes businesses, more and more companies are now investigating this insurance and the comprehensive cover for those liabilities which it can provide.

Related links:
Environmental Impairment Liability (EIL)

Buyers now demand fully integrated systems and mobile devices, 100% uptime and real time delivery of personalised and relevant information.  The pace of change is exhilarating but it brings a host of new risks and blurs the old boundaries and definitions we have all been familiar with.
It seems that communications, technology and media companies are becoming a single business model and may be facing something of an identity crisis. 

In the 'old days' media was where you held your information, communication was how you sent it and technology was the tool you used to send it. Businesses and consumers bought products and services from a number of diverse suppliers. We had to lug around a heavy laptop, a PDA and a mobile phone if we wanted to keep up with what was happening.

Fast forward to today and both consumers and commercial businesses are only satisfied with products and services that deliver real time information, integrate seamlessly across applications and provide mobile working with devices the size of a playing card. Products and services must be delivered immediately, securely and provide 24/7 system uptime. 

As well as the technical challenges of meeting such demanding requirements it is now critical for the industry to capture detailed information about customer preferences, usage patterns and geographical locations in order to deliver tailored services.  The industry has therefore become responsible for a level of customer information not previously gathered or recorded. Which only goes to show that the old adage 'less is more' still holds true. Whilst the buyer enjoys getting products and services in one small integrated package the industry has to identify and manage increasingly complex risks. This was one of the findings of research we have recently undertaken, which also considered how the insurance market was responding to the changing needs of the industry.  The findings of our research can be found in our White Paper - Identity Crisis in the Air: Emerging Risk Challenges in the Communications, Technology and Media Sectors.

We are really interested to hear your views on this subject so please share them by posting a response to this blog below or e-mail me here.

Related Items:

JLT White Paper - Identity Crisis in the Air: Emerging Risk Challenges in the Communications, Technology and Media Sectors

JLT Event - Emerging Risks Seminar for the Communications, Technology and Media Sectors

But, whilst Stuxnet is currently 'Worm of the week' due to its sophisticated nature and its possible high value targets, the reality is that cyber attacks and their potential impact are on the rise at all levels, and increasingly complex cyber threats hit organisations every day.

So, how real is the threat of a cyber attack and how should companies start protecting themselves?

As more businesses invest in computerising their systems and data, and use solutions like cloud computing to improve processes and take advantage of financial opportunities, the risk of sophisticated cyber attacks is increasing, posing threats to data protection and privacy, reliability and security.

Cyber threats in-line with advancements of technology and here to stay no matter how robust an organisation's prevention strategies are, there is no 100% guarantee of safety from viruses, terrorism or cyber extortion. These issues are further complicated by a network of outsourced and offshore third party providers who increasingly provide critical IT and business process services and are also at risk.

The existence of Stuxnet confirms that cyber threats are extremely real. To properly face the challenges of any cyber threat to critical assets like software and data businesses should think about robustness of their business continuity solutions, especially in that their cover doesn't exclude cyber terrorism. They must ensure they are covered for the expenses related to loss of digital assets, business interruption and even cyber extortion related to an attack, the likelihood of a cyber threat will not go away and a solution must be considered should the worst happen.

Related articles:

BBC Technology: Stuxnet worm 'targeted high-value Iranian assets'

Imagine receiving an email like that! A US financial services company recently did, from a disgruntled customer.

It went on, "By the way: Yes, I am crazy. Yes, I am vindictive. Yes, I am extremely upset."

The would-be cyber extortionist was demanding as much as $3 million or he would unleash a tidal wave of spam emails with an aim to ruin the reputation of the company he believed had wronged him.

Cyber extortion is a growing racket that is increasingly attractive to cranks and organized criminals alike. It comes in many forms, with cyber extortionists threatening reputational damage or promising to release stolen data and intellectual property.

Another favourite threat, sometimes followed by a taste of what's in store, is a costly "distributed denial of service" attack. And if your business relies heavily on the internet, and you have a big customer base, you're a juicy target.

A couple of years ago, just prior to the Super Bowl, a team of cyber extortionists targeted online casinos, threatening that the betting process would be interrupted before the game unless a significant payment was transferred via Western Union.

Why is cyber extortion a growth area? Because unlike kidnapping a person or running a protection racket, cyber extortion can be done remotely. Plus, it isn't easy to catch an extortionist in cyber space.

We hear about a lot of incidents anecdotally but no-one really knows the full extent of cyber extortion because cases don't always come into the public domain in order to spare corporate blushes.

It could be even more embarrassing to be the victim of an expensive extortion and then find out that insurance could have taken the sting out of it.

In fact, it is possible to buy very cost effective insurance that protects against the financial damage a cyber extortion attempt can wreak. That means coverage for the ransom payment, the professional negotiators and also any specialist PR advisors that have to be drafted in.

Cyber extortionists don't always get away with it. We heard about a teenage extortionist in Wales who gave his home address for the ransom payment.

I reckon the East European mafia gangs active in this area have a little more nous than that.

In Germany however, it is also relatively common practice to provide Personal Liability cover for senior personnel and their families under commercial General Liability policies both inside and outside Germany. This extension is an added benefit for senior personnel and is normally provided at nil deductible and nil additional premium. It is provided under local policies issued under global programmes as well as policies issued on a stand alone basis. 

Where companies may not wish to have policies covering non-business activities, we recommend that they check whether this extension is in place.  

Various provinces in China are now making similar moves. The China Insurance Regulatory Commission (CIRC) in Guangdong Province (capital Guangzhou) has advised that with effect from 1st August 2010, all policies with a premium below RMB100,000 (approx. GBP 9,700) issued by insurers in Guangdong should not be effected until payment is received (i.e. even if the client is paying more than RMB100,000 on a whole account basis, those policies with premium lower than RMB100,000 would be subject to this requirement - the same would apply to mid-term endorsements). 

This rule will also apply for local policies forming part of a global programme or a fronting programme.

This regulation is already in effect for Motor & Group PA / Medical business in Guangdong and is now being extended to other non-motor lines with a few exceptions. 

It is expected that similar policies will be adopted in other provinces and cities (for example - 1st  September 2010 for Shenzhen), and in 2011, we expect that this law will be in place throughout China - although the minimum premium trigger may differ from province to province, or even city to city.

It's pretty clear that patent infringement risks are becoming more common, and more costly. We're talking millions of dollars and often that is just the legal costs, let alone potential damages. And for companies in the communication and technology sectors in particular, it's a major risk, as they are the ones at the forefront of pushing new products, new technologies and new designs.

Perhaps not surprisingly, insurers are concerned about the potential for large claims and the difficult nature of underwriting such risks. It seems to me that patent infringement is rarely clear cut - it can often be a negotiating tactic between competitors, or part of the growing compensation culture globally. And so insurers are either scared off altogether, or require vast amounts of due diligence to be carried out, and charge a high premium.

But patent infringement isn't unique in this regard. Let's face it, there are plenty of other areas where there are major risks, but where insurance isn't providing the protection it should. Take credit risks for example. Does this mean patent infringement is effectively uninsurable? I don't think so.

Let's go back to basics for a moment. Insurance has always been about the premiums of many paying for the losses of a few. What insurers require is a diversified exposure, so the answer for patent infringement liability insurance, as with many other areas of risk, is to provide insurers with a higher volume of risks. And this is exactly what we're trying to achieve for clients. It just requires experienced and committed insurers, and realistic and understanding buyers.

To read our Risk Specialist article on Patent Infringement, please click here.

Global insurers, until recently, could not include India into global programmes in the same way they could for other countries, relying on the Difference in Conditions/Difference in Limits clauses in the master contract.  This in itself causes problems when a loss occurs.

Local insurers are obliged to retain as much risk as possible in India, ceding a compulsory 10% cession to the GIC (General Insurance Corporation).

More and more manufacturing and outsourcing is moving to India from Europe and the USA.  More and more of our clients want control of the local insurance arrangements, the widest possible wordings with the maximum ceded back to their master programme and Captive.

Some risks qualify as 'Mega Risks' - if your largest location has a property/business interruption sum insured above Crore 2,500 (GBP 375,000,000) an application can be made to the regulators to qualify for a Mega Policy.
 
A Mega Policy allows the Insured to combine various coverages into one policy, it does not need to be a tariff wording and allows between 70% and 87.5% of the premium and risk to be exported. 

NOTE: 1 Crore = Rupees 10,000,000 (GBP 149,254)

Supply chain integrity has never been a bigger or more complex challenge for today's global businesses. Increased pressure for improved financial performance, combined with the need to optimise assets and resources, has resulted in a growing reliance on out-sourcing and off-shoring,often to developing countries. But with the benefits of reduced costs comes the increased and more complex threat of supply chain interruption. Increasing numbers of company financial reports now make mention of supply chain risks as being one of the key business exposures - but many do not seem to have an integrated model to identify, quantify and manage risk.

Argentina
Argentina continues to take a number of steps to align its regulations with international standards. After implementing new rules on GCP, which set out the regulatory and legal basis for planning, developing and following up on clinical research, on the one part, and a regulation that mainly deals with the functions and activities of ethics committees and the rights, safety and integrity of experimental subjects, on the one part, the regulatory agency ANMAT reinforced the process regarding information and consent within the Clinical Trial Protocol submission (contact me for a copy of the exhibit).

Australia
Pursuing the implementation of enforcement guidelines in the Clinical trials area, the Australian government implemented Therapeutic Goods Amendment Regulations 2009 (No.5) enabling issuing of infringement notices.

The Therapeutic Goods Amendment Regulations (the Regulations) were registered on the Federal Register of Legislative Instruments on 10 September 2009, and commenced on 11 September 2009.

The said Regulations allow an issuing officer (the National Manager of the Therapeutic Goods Administration (TGA), or an Assistant Secretary of a Branch or Office of the TGA) to give a person alleged to have committed a strict liability offence or contravened a civil penalty provision of the Act, and in relation to whom legal proceedings will otherwise be brought by the Commonwealth, the option of addressing that matter by paying a penalty specified in an infringement notice, as an alternative to being taken to court.

A person issued with an infringement notice is under no compulsion to pay the penalty stated in the notice, and may elect instead to have the matter dealt with by a court. If a person issued with a notice does pay the penalty in accordance with the Regulations, the person's liability for the offence or contravention will be discharged in full, and no further action may be taken against the person for the offence or contravention.

Austria
The Austrian Agency for Health and Food Safety (Österreichische Agentur für Gesundheit und Ernährungssicherheit GmbH / AGES) published guidance for Clinical Trial Applications (CTAs) for the conduct of a clinical trial according to Austrian Medicinal product Act (contact me for a copy of the exhibit). This publication was the occasion to obtain current and precise information on regulatory and practice concerning clinical trials implemented in Austria, in particular about the sponsor's obligations.

In particular, on the basis of the AGES checklist of the Information required by the Austrian Competent Authority (CA) for the request for authorisation of a clinical trial on a medicinal product for human use, the sponsor must provide provision for indemnity or compensation in the event of injury or death attributable to the clinical trial as well as for any insurance or indemnity to cover the liability of the sponsor or investigator (contact me for a copy of the exhibit).

Belgium
The Belgian Federal Agency for Medicines and Health Products has published a special Guidance to the Conduct of Exploratory Trials in Belgium (contact me for a copy of the exhibit). As precised in this guidance, this is a working document concerning the conduct of clinical exploratory trials in Belgium, while awaiting the development of guidelines at the European level.

Denmark
As it has received many enquiries about amendments to clinical trials, the Danish Medicines Agency has drawn up a form containing a list of significant changes for which it is necessary to apply for an authorisation. The form also indicates which changes are only to be provided to the regional ethics committee (contact me for a copy of the exhibit).

This was the occasion to the Danish Medicines Agency to publish forms regarding the authorisation to make changes/amendments to the clinical investigation, the notification of completion of the clinical investigation of medical devices and the notification for serious adverse events or near-incidents with medical devices during the clinical investigation (contact me for a copy of the exhibit)

Germany
The German Federal Drug Law has implemented a specific procedure for variations (national, MRP and DCP) based on the assessment of paediatric clinical trials with authorised medicinal products in accordance with Article 45 of Regulation (EC) No1901/2006 (Paediatric Worksharing).

Spain
The Spanish Ministry of Health took a "resolucion" dated October 26, 2009 as regards the Clinical Trials electronic register, describing all clinical trials realised in Spain (contact me for a copy of the exhibit).

Regarding European regulation, the last version of the "Guidance Documents Applying to Clinical Trials" in the European Union is available - please contact me for a copy. As far as insurance is concerned, this version states that:

According to Article 3(2) (f) of Directive 2001/20/EC, a clinical trial may be undertaken only, if provision has been made for insurance or indemnity to cover the liability of the investigator and sponsor.

There are no specific Community provisions on when this insurance coverage can stop. However, the purpose of Article 3(2)(f) of Directive 2001/20/EC is to ensure that a clinical trial subject can obtain compensation for damages caused by the clinical trial- independently of the financial capacity of the investigator/sponsor. In view of this purpose of the provision, and in the absence of specific Community rules, the insurance should provide coverage for the period in which such damages can arise and lawfully be claimed by the clinical trials subject.

As a Community Directive by definition is binding to the result to be achieved while leaving open to EU Member States the choice of form and methods, it is up to the Member State to establish specific rules, if any. If no such rules are established at Member States level, it is up to the sponsor to assess, on the basis of the principle set out above and the clinical trial in question (in particular in view of the risk it implies for the clinical trials subject), the necessary period of coverage. Note, that, in accordance with Article 6(3)(i) of Directive 2001/20/EC, aspects of insurance or indemnity to cover the liability of the investigator and sponsor are considered by the Ethics Committee or, in accordance with Article 6(4) of Directive 2001/20/EC, by the national competent authority of the Member State concerned.