As Halloween approaches and darkness falls earlier every day, we at WillisWire find ourselves reflecting not on make-believe monsters but on the frightening real risks our clients faced during the year. Thirteen of our bloggers submitted what they thought were the scariest. Which one keeps you up at night? Take our poll at the end and let us know.
“The Economy, Stupid”
Forget cyber. Forget regulation. In the words of the political advisors of the 1990s, “It’s the economy, stupid.” When we asked 150 C-Suite executives and financial industry leaders from across the globe to rank different risks in difficulty and severity, they overwhelmingly chose macroeconomic factors as their number 1 (a.k.a. “scariest”) risk. The risk of inflation, deflation or stagnation gives our financial leaders nightmares, and it’s not difficult to see why. Businesses need the right economic conditions to flourish. With many firms still recovering from the financial crisis and managing ever increasing costs, a downturn in the economic environment could significantly impact their organisation and employees. 20 years later the economy remains the number-one risk. Sometimes it’s scary how little things can change. For further information, read Willis’s Fi Risk Index online.
Undetected Cyber Breaches
2015 saw continuations of hacking trends seeking to steal personally identifiable information and financially regulated information, and new focuses on the airline industry and infrastructure. But perhaps the most challenging issue is the attack we don’t know about. Here we need to reflect on the Verizon breach report that suggests that 60% of organisations that are breached learn about it from 3rd parties. This suggests that most breaches are not known about by the victims. The kind of insidious attack described here is where information upon which we make judgments and decisions is altered without our knowledge. Obvious examples are someone amending our databases or the sensors that input to our control systems, after which we go on to make decisions and judgments on the basis of that altered data. Imagine this is the reserve assumptions for an energy company or purity assumptions for a mining company.
The Enemy Within the Company
Malicious insiders, also known as dishonest employees, can attack your organization in numerous ways and on several levels. Malicious insiders can conceal themselves in many forms: in the mailroom or the executive office, a new hire or a long-term trusted employee. The release of sensitive information, the embezzlement of funds, theft of trade secrets, destruction of company property, or the disruption of organizational services are just a few examples of the havoc and harm they can rain down upon an organization. Companies should never neglect the possibility of disgruntled employees causing significant damage, which may negatively impact customers, clients, patients, and the business itself. This risk should be of serious concern for both public and private organizations. How vulnerable are you to the attack of the malicious insider—or perhaps a better question is how prepared are you to prevent or manage this potential nightmare?
Like the monster that hides under your bed, some scary things are not lurking out there somewhere, but are right inside the house. The house in this case is the insurance industry, and the risk is carrier consolidation. Risk managers we know are staying up at night worrying about disappearing underwriters, vanishing markets, and the emergence of giant monster carriers crushing marketplace competition under their heavy stomping feet. In spooky fashion, a new policy delivered after a seemingly simple renewal could come from a mysterious source – a different company – bearing eerie similarities to your previous policy and carrier. Is it business as usual or not? It could be quite unsettling. The underwriter you know best may be gone to another insurer or another department. That relationship, which offered as much comfort and confidence as the limits you buy – poof, gone in a second. And the marketplace you’ve learned to navigate as easily as a trick-or-treater filling a sack full of candy on Halloween – suddenly changed or vanished completely! Keep your eyes open and occasionally glance over your shoulder: we have seen a lot of carrier consolidation in the past year and there may be more ahead.
The Death of Class Action
Increasingly, employees of US financial institutions are being asked to waive their right to bring class action for civil rights violations. In its place employees are asked to accept arbitration. Is this a terrifying turn of events for bank employees? Or are banks simply trying to control the fierce litigation monster that threatens their existence? With some high-profile discrimination cases now working their way through the legal system, institutions are more hell-bent than ever to steer employees to arbitration. The plaintiffs’ bar will argue that arbitration behind closed doors can never replace an employee’s right to bring a public action claim. Financial institutions, on the other hand, argue that such claims, true or frivolous, can mutilate a firm’s reputation. Class action may survive in other forms, but we may be seeing the death of civil rights claims, replaced by the shadow of arbitration.
Regulators Targeting Directors
“Corporations can only commit crimes through flesh-and-blood people. …It’s only fair that the people who are responsible for committing those crimes be held accountable. The public needs to have confidence that there is one system of justice and it applies equally regardless of whether that crime occurs on a street corner or in a boardroom.”
These words would be scary enough if delivered at an average industry conference or seminar by a prosecutor wanting to sound as if he or she means business. They were in fact part of a speech delivered by US Deputy Attorney General Sally Yates when releasing new tough guidelines issued to all US states attorneys on plea bargaining. The approach echoes that of regulators the world over. In the UK for example the Head of the Financial Conduct Authority said earlier this year:
“Industries characterised by weak accountability – or by individuals seeking to protect themselves on a ‘Murder on the Orient Express’ defence (it wasn’t me, it could have been anyone) – are almost invariably less financially stable, and more prone to misconduct.”
What this means is that whenever the next corporate scandal comes along (and it seems we never have to wait too long) you can be sure the regulators will be toeing the line with the press and the Plaintiffs Bar to have a tilt at the directors.
Political Risk to Supply Chains
In times of geopolitical turbulence – exemplified by recent and ongoing events in North Africa, the Middle East, and Ukraine – we often think about the threat of political violence to people, goods, and transportation routes. But – as shown this summer by the Tianjin port explosion, the collapse of a shoe factory in Zhejiang, and two building collapses near Mumbai – political risk can also manifest itself in the form of poor building codes and lax enforcement. A 2011 Accenture study found that most organizations take a somewhat fatalistic approach to political risks: either accepting such risks as inevitable, or forgoing opportunities because of the associated political risk. But there are many strategies that can be deployed to manage and mitigate political risks – including insurance.
Just in the past two years, we’ve seen drones on the White House lawn, the Japanese PM’s residence, supplying drugs to a prison, exploring French nuclear reactors, harming a triathlete, and in one case, a New York drone operator even lost his life after his drone lost control. This past summer, firefighters in California were unable to bring in aerial support because of the plethora of rogue drones at the scenes of fires – assessing damage to property or obtaining footage. Even a small drone can get in a helicopter’s way and cause an accident if it hits a rotor. A quadcopter with a camera can be purchased for as little as $46; more sophisticated models are available for five thousand plus and can travel up to a few miles. Even when operating within the FAA’s limits – what sorts of liabilities are drone owners susceptible to, and how will we price them? Until all the legislation is figured out, let’s hope that our swarm of drones helps us assess catastrophes instead of causing them.
Terrorism as a Message, Not a Group
Terrorism, by definition, seeks to scare: The proliferation of extremist groups declaring fealty to ISIS or becoming part of the al-Qaeda franchise continues to feed off and exacerbate the fragility of their host nations, in places as distant from each other as the Philippines, Sulawesi, Nigeria and Libya. In more robust states the lone, extremist ideologue seeks to terrify or to plan ‘spectaculars’. It is a concept, not a list of events that scares me: An increasingly connected world reliant on inter-dependent systems, infrastructure and supply chains as the focus of hatred for a connecting message, not a system, that drives dispersed, comparatively independent groups and individuals to violence. Were they all ‘lone wolves’ terror would still exist, but—armed with an arsenal ranging from the knife to media operations, the precursors of chemical weapons and, of course, cyber-attack—the terror will persist until the ‘message’, and the conditions in which it is amplified, changes.
Mergers and acquisitions continue unabated, especially for US hospital systems. Provider organizations have grown and continue to grow rapidly by acquiring other hospitals and physician practices. With patients paying more out-of-pocket costs, we expect those accessing services to have higher expectations of service delivery and quality. Will bigger healthcare providers be able to deliver on those expectations? Claim frequency and severity may be dramatically impacted in the future by the consolidation now occurring in the health care industry.
Our Aging Workforce
Advancements in modern medicine, strong progress on health and wellness, and uncertainty with personal finances are amongst the forces keeping workers in the labor pool longer. In fact, between the years 2000 and 2014, the percentage of workers over 55 increased from 13% to 21%, allowing industry to benefit from their experience and institutional knowledge longer. But, just like a bad guy in a horror movie, Father Time cannot be stopped. The older a worker is, the longer it generally takes him/her to recover from an on-the-job injury, increasing both a company’s Workers Compensation costs and lost productivity from absence. One of the scariest developing trends with older workers is the increasing workplace accident fatality rate in workers 55 and over. Within the last year there was a 9% increase in workplace accident-related fatalities for workers over 55. Even scarier was the 17.7% increase in workplace accident-related fatalities in workers over 65.
As the days get shorter and colder, our thoughts turn to Halloween—and another flu season. A truly scary risk that presented itself to the world in 2015 – and every year – is Mother Nature’s various viruses that could lead to a potential pandemic. In 2015 world populations faced variations of the H3N2 flu virus that were challenging because they were somewhat different from the strains the flu vaccination was designed for. Additionally, we faced the threat in China that the bird flu could jump in a significant way from animal populations to humans.
The threat of a pandemic applies not only to human populations but also to insurance carriers and reinsurance companies with heavy concentrations of mortality risk. People can try to protect themselves by getting the flu vaccine, paying attention to the news and being thoughtful about hygiene. Insurance carriers and reinsurance markets need to understand their risks and model various scenarios to be certain they can honor their obligations in the event there is a pandemic. A well-designed reinsurance program can be one of the tools carriers and reinsurers can utilize to provide protection against a pandemic.
Reporting Benefits to the IRS
Most employers that sponsor group medical plans (all applicable large employers and those smaller employers that self-fund their plans) have a new reporting obligation for 2016, thanks to the PPACA. The IRS means it this time — no more delays. It’s time to report benefits coverage to employees (and other covered individuals) as well as to the IRS. Employers need to get their 1095 and 1094 form reporting obligations started or risk fines and penalties. While there are limited extensions available — predicated on reasonable, good faith efforts — procrastination and the inability to find a vendor will likely not be sufficient. (A hurricane that destroys the company’s computer? Maybe…)
This is going to be a scary time for many employers — even for those who know what they are going to do and are currently implementing their solution. Some are going to have to scramble, along with their advisors, to find other solutions that will at least get them in through the “IRS deadline door.” It will truly be “trick or treat” as they may not know what they will face until the door opens…
Did we miss any? Tell us about it in the Comments section. Meanwhile, tell us which of these you worry about most in your business.