REVIEW OF 2012

What happened. And what it meant.

NEWS ANALYSIS CONTEXT & INSIGHT

StrategicRISK

SPONSORED BY

www.fmglobal.co.uk/touchpoints

StrategicRISK is the only title that comprehensively covers risk management, insurance, corporate governance and related matters for the UK and European markets.

This year, Touchpoints featured regular articles from StrategicRISK. This content was exclusive to FM Global and provided an overview of a burning issue in risk management together with expert commentary.

Our Review of 2012 brings together all ten articles.

January

1. Can hackers help in the fight against cyber crime?

February

2. Supply chain lessons

March

3. The lessons of hindsight

April

4. The insider threat

May

5. Focusing on resilience

July

6. Risk management priorities

August

7. Weather outlook clouded with uncertainty

September

8. Planning makes perfect

October

9. Nearing the void

November

10. Good migration


NEWS ANALYSIS [ CONTEXT & INSIGHT ]

StrategicRISK [ JANUARY 2012 ] www.strategic-risk.eu

SPONSORED BY

CYBER RISKS

Can hackers help in the fight against cyber crime?

When 470m smartphones browse the World Wide Web and over five billion devices altogether are linked up to the Internet, being connected has never been easier. But neither has it ever been so risky. Certain organisations are trying some novel approaches to the problem.

Our daily lives have become almost entirely dependent on connected online systems, making us increasingly susceptible to malicious individuals, institutions and nations that have the ability to unleash devastating cyber attacks remotely and anonymously, warned the World Economic Forum’s Global Risks 2012 report, which is based on a survey of 469 international industry leaders.

Our increasing dependence on data-carrying systems doesn’t just empower us; it also empowers those with malicious or criminal aims. The WEF thinks this “dark side of connectivity” is one of the top three global risks to watch out for over the next ten years, being as it is a very systemic threat which has the potential to cause significant harm the world over.

The report analyses potentially serious threats to our future prosperity. When it comes to cyber risk, the last few years have been a wake-up call for many risk managers, as numerous hacking attacks and malware infiltrations have shown how easily computer systems can be damaged or exploited.

Correspondingly, the market for cyber risk insurance is booming. The annual gross written premium for computer security liability, business interruption and cybercrime is $500m, the main portion of the market being in the US.

“The real concern is that you have capability to shake the system, to actually turn off some of the systems that allow us to be connected,” said Lee Howell, Managing Director of the Risk Response Network at the WEF.

He says cyber threats come in three categories: sabotage, espionage and subversion. “Yet we are confronted with a lack of empirical evidence for the actual weight of this risk. Most research into the field is published by internet security solutions vendors - a possible bias triggering scepticism amongst potential victims.”

The key challenge is to create a full picture of the true levels of risk and the need for investment in cyber security solutions, says the WEF.

Paradoxically, according to the WEF, while companies feel more informed about cybercrime they are also less confident about their cyber security measures than ever before – and they are spending more on improving their defences.

In an attempt to overcome the “hackability” of their IT systems, companies are trying to protect themselves from the reputation damage that has haunted so many corporations following cyber attacks on their systems over the past few years.

But individual efforts may be wasted; what’s really needed, said the WEF, is a much more joined-up approach. “Probably no single institution can really address the risk in a comprehensive way, what is needed today is collaboration on various levels,” said the WEF.

Organisations that try to make their cyber defences truly hacker-proof are faced with a hopeless task. There are “no proven systems, just systems whose faults have not been discovered”, claimed the report. In this sense the real priority should be to encourage talented individuals to find the faults in particular systems and to develop remedies.

The Forum warns that the resources devoted to these efforts are nowhere near adequate. In fact it’s almost the opposite. When software developer Charlie Miller found a well-hidden bug in Apple’s otherwise almost flawless security system earlier this year, the company banned him from their developer network.

It is easily forgotten how valuable these hacker skills are to organisations themselves. Had Miller not found the bug first, it’s a safe bet that someone else with possibly malicious intentions would have found it at some stage.

Social networking behemoth Facebook is taking the opposite approach. The company recently introduced its “bug bounty” solution. Facebook gives individuals who manage to hack into its system the chance to report how they did it and promises a reward in return, consequently making its systems stronger by constantly improving them based on what talented hackers find and exploit.

Without legitimate markets to go to, hackers are drawn to the thriving black market. But the right way to safer systems could be to understand and work with the hacker community. This is something that risk managers may want to ponder.


NEWS ANALYSIS [ CONTEXT & INSIGHT ]

StrategicRISK [ FEBRUARY 2012 ] www.strategic-risk.eu

SPONSORED BY

RISKS

Supply chain lessons

In the aftermath of 15 months that included some major natural catastrophes, notably affecting Australia, New Zealand, Japan and Thailand, it was not surprising that dealing with such hazards loomed large in the minds of delegates at the Rencontres of the French risk management association AMRAE in February.

One of the aspects that struck Michel Dennery, FERMA (Federation of European Risk Management Associations) vice-president and deputy chief risk officer, GDF SUEZ, was that the Japanese earthquake/tsunami and Thailand floods represented a ‘double whammy’ for companies in some industries.

“The earthquake/tsunami in Japan affected a lot of automobile and electronics companies that had production facilities in the region. But generally they were able to take this in their stride because they had a continuity plan and were also producing elsewhere. Unfortunately for many these alternative facilities were based in Thailand – and just a few months later were affected by the flooding there,” he said.

“No-one had really thought that the same companies could be hit by two different events in different countries arising from different causes. And this has posed some new considerations.”

In addition to supply chain issues, which have been much in the news lately, risk managers of course also need to ensure that their own companies’ assets are safe if located in hazardous areas. But just how much input do risk managers have on where new premises will be located – and how easy is it for them to persuade the board to make existing property more robust?

Stanislas Chapron, CEO of Marsh France, said that it depends very much on the corporation concerned and how the risk manager operates within it. “We recently conducted a study involving risk managers, finance directors and CEOs of companies in different areas in the world, looking specifically at earthquakes. This showed that much depended on an individual corporation’s awareness. Often this related to the history of the company. If it had had experience of earthquake damage in the past, the CEO tended to be very sensitive about this issue,” he explained.

“The ability of risk managers to influence decision-making and encourage investment in mitigation strategies also relates to their position within the business. Clearly, if they are acting as the chief risk officer they will be used to dealing with the board and will have more clout,” he added.

Chapron said that his company is often called upon to provide detailed risk modelling in respect of certain hazards to measure the value of expenditure on mitigation. “Often you need to prove the case to the CFO or CEO,” he said. “It’s a question of risk managers engaging with them to ensure the right decisions are made.”

Adopting the right strategy can be vital in order to minimise business interruption. Chapron cited the case of a company in Japan that moved its central storage facility to an area away from its distribution hubs, reducing the impact of a major earthquake.

However, it is difficult to plan for the unexpected and past experience is not always a guide. For example, telecoms infrastructures endure significant risk from natural hazards. Although in some areas tropical storms can be considered as nearly routine, not everything that happens when such a catastrophe occurs can yet be predicted.

Alain Hocquet is risk manager at France Telecom/Orange, one of the world’s leading telecommunications operators. He said that the company always had its share of natural hazards (floods, storms, etc.), especially since it also operates in the French overseas territories located in cyclonic regions.

When the south-west of France was devastated at the end of 1999 by the windstorms Lothar and Martin, there were huge costs – which were partly insured – to reconstruct the network, but costs were only part of the story.

The first thing that happened when the storms hit was that all electricity went down everywhere at the same time. The Orange technical premises most affected were in a very rural region, being fairly small structures housing either fixed line equipment with an average of 600 lines per location or a base transmitting station of the mobile network. They were powered by electricity lines, with a backup by batteries designed for several hours but, unlike larger facilities, no long term backup by diesel generators.

Hocquet explained that the logical move was to go out and buy portable generators, the type needed being a fairly common 220V/2.5kW. This move had proved successful in a smaller area during a lasting snow episode a few years earlier. However, this time France Telecom/Orange found itself in competition with farming (because cows cannot be milked without electricity and if they are not milked they can die), retirement homes, a high security prison, water pumping stations and a few other organisations, with the government arbitrating as regarded priorities. “Once we had the generators, delivering them where they were needed involved sometimes waiting for some path to be cleared amidst the fallen trees, and there again our needs were in competition with higher priorities, like saving people first,” said Hocquet.

When power was eventually available, mobile networks went on again, generally requiring maintenance like readjustment of the tilt of the antennae. For land lines torn away by the storm, estimating the damages took around one week and rebuilding the lines – many thousands of kilometers were concerned – was more a matter of months or even years for the most remote or damaged lines.

Natural hazards are likely to remain an important issue for risk managers in the years to come, particularly if their frequency and severity are exacerbated by climate change. Clearly it pays to think ahead.


NEWS ANALYSIS [ CONTEXT & INSIGHT ]

StrategicRISK [ MARCH 2012 ] www.strategic-risk.eu

SPONSORED BY

RISKS

The lessons of hindsight

Hindsight is a great teacher but it’s a tough way to learn. It’s better to study the experience of other organisations that face the same kind of risks that you do. You may discover ways to shut the stable door before the horse has bolted!

A good example is global intelligence company Stratfor. Over the Christmas period it reportedly ‘lost’ more than five million emails. Hackers (allegedly from the now notorious dissident group Anonymous) gained access to the company’s data files and stole details of clients’ and employees’ emails and other private information.

The situation was compounded when Wikileaks said that it would publish these emails on its whistle-blowing website and certainly some of them did appear on the internet. With important subscribers including former US Secretary of State Henry Kissinger, former Vice President Dan Quayle and many American intelligence, FBI and military officials, this was clearly bad news for the company.

Stratfor founder and CEO George Friedman responded with a reassuring statement some time after the event, admitting the breach of data security but assuring subscribers and other contacts that “The disclosure of these emails does not mean that there has been another hack of Stratfor’s computer and data systems. Those systems, which we have rebuilt with enhanced security measures, remain secure and protected.” He added that the company is committed to “meeting the highest standards of professional and ethical conduct” and pointed out that some of the published emails were fabricated or altered.

Friedman’s statement was a laudable attempt at damage containment from the top – a good example for other CEOs that when an organisation has clearly had a major problem it should not be swept under the carpet but tackled head on at the most senior level. But what is likely to be more interesting for risk managers and their companies is what Stratfor actually did in the wake of the disaster.

Remedial activity included a number of strategies. The first and basic one was to notify credit card issuers about compromised credit cards – hopefully something that most companies would do when faced with this kind of data breach.

Second came offering all current and former paid subscribers identity protection services from identity protection company CSID. Again, this was something that most organisations might have done in this situation but arguably companies with a strong internet presence might actually consider offering identity protection services before the worst happens.

Additional strategies raise some question marks about the actual security of Stratfor’s website and are definitely pointers for risk managers in businesses where the web is key.

• Friedman said that the company had commissioned “a respected internet security firm” to help rebuild its website, email system and internal infrastructure. The question here has to be why the website, email system and infrastructure were not built securely with professional advice in the first place. Risk managers need to be assured that the company’s IT people are using qualified advice – if they don’t have adequate inhouse skills – to avoid a Stratfor type debacle.

• Stratfor has moved its entire e-commerce process to a “highly secure, PCI compliant third-party system”, eliminating the need for it to store any credit card information. Again this suggests some uncertainty – well founded as it turned out – as to how secure its original system was. Also putting the onus on someone else for your e-commerce security can minimise any data breach costs, although it will not prevent any reputational damage.

• The organisation has also enhanced the way it encrypts and stores passwords and implemented new password requirements, once more a reflection of a less than sound system before.

Risk managers would do well to take heed of the lessons here. Getting down to the detail and not being fobbed off by IT jargon is important if they are to safeguard their organisations.

Stratfor is just one of the latest in a long line of reputable organisations that have been hacked recently. Leaving aside the activities of blatantly criminal organisations that hack to steal purely for financial gain, it must be a concern that members of hacktivist groups like Anonymous appear to be so much more cyber savvy than those actually paid to protect businesses.

Perhaps the greatest lessons to be learnt from Stratfor are to implement some of the organisation’s “remedial” strategies before the event. Offering clients, employers and other e-systems users identity protection facilities, using security professionals for e-design, not storing credit card payment information on-site and generally smartening up on password protocol all sound like good ideas.

They could prevent your CEO having to echo Friedman’s words. “We are working closely with law enforcement officials in an ongoing federal investigation, and we have commissioned security consultants to investigate this serious privacy breach. We are determined to prevent it from ever happening again.”


NEWS ANALYSIS CONTEXT & INSIGHT

StrategicRISK www.strategic-risk.eu

SPONSORED BY

RISKS

The insider threat

In March Stephen Harrison, chief executive of the UK National Fraud Authority, announced that the er a loss of £73bn from fraud this year. If the UK experience is echoed around Europe, the total loss from fraud will be colossal in 2012.

While the focus generally is on the potential losses for financial institutions and the public sector, European businesses face a growing threat of internal fraud. Governmental anti-recessionary moves, such as higher taxation and reduced benefits in some countries, as well as business operational changes such as downsizing, place greater financial stress on employees. And, human nature being what it is, greed remains a powerful motivator.

erent types of fraud. According to a report by BDO LLP, in the past there was a focus on procurement type frauds – organisations paying too much for goods and services. However, a move towards “revenue dilution fraud” was emerging whereby managers either set up ‘companies within companies’ or divert lucrative contracts away from the company to third party accomplices.

How can risk managers and their colleagues detect a possible problem? Anti-fraud consultancy UKFraud.co.uk recently published a list of ten common early warning signs.

1 Erratic reporting: As applicable to suppliers and contractors as to internal departments and functions, erratic, incomplete, late or excuse laden management

en a classic sign that something is wrong. Further investigation may reveal that lip service and increasingly tenuous explanations are given assertively to thwart follow up activity. Common excuses are the frequent occurrence of IT failures and technology compatibility issues. Once reports are complete, there may be delays in them reaching those who need to review the data.

ACTION: Insist on up-to-date reporting, within a set timetable and build this into the internal governance risk and compliance systems. Wherever appropriate adopt an enterprise-wide approach to technology to help with systems issues.

2 Apparent process laziness: Anti-fraud and data security systems may get weaker over time. This may just be the natural adjustment of systems to the practicalities of working life and busy peaks or it could be an alarm call.

ACTION: Make sure you implement the suggestions of your internal compliance managers and organise appropriate training to reinforce attitudes and practice. Ensure that the control processes, especially in tendering, purchasing, invoicing and customer controls and identifications are kept strong, managed and regularly reviewed. Where systems/processes are under pressure when used in practice, introduce a review process – and then adapt them promptly.

3 Organisational change and dumping data: A major indicator can be the act of

to delete, remove or otherwise dump past records following a restructure, a new division launch, a JV or acquisition. Where international operations are involved it can be far harder to find or recreate evidence.

ACTION: Establish and log where paper documents are and when they should and should not be stored. Identify who is in control of the system processes and who is responsible for and has ownership of the records. Ensure that scanning and indexing work properly and that no-one can intercept/edit documents. Also ensure that storage capacity is enough and controlled properly. Where acquisitions and mergers are concerned, ensure that all documents are available and stored appropriately and securely, especially those that relate to IP protection, IP development records, audit trails

contracts. In particular, if you are acquiring a business make sure that you have indemnities/penalty clauses built into the acquisition agreements that relate to the availability of data, logs, audit trails and so forth.

4 Inconsistent or absent data: Although factual inconsistencies can occur naturally, missing or wrong archive data or cross reference checks can indicate that a fraudster is trying to conceal the evidence.

ACTION: Make sure that all files are electronically stored, with appropriate back-ups as part of your compliance systems and that no-one has the access to any files that include a delete capability. It is also worth having internal or external auditors sample check key files from time to time as a part of the audit programme. In addition, arrange for the HR department to make it a gross misconduct issue to destroy data without recorded approval from above – a strategy that may not deter the fraudster but will make it easier to spot him or her.

5 Audit time delays: Excuses and confusion when disclosing to auditors, be they internal or external, can be a telltale sign too. However, remember that the audit team is not there to find fraud, rather to ensure that the correct processes are in place that will deliver appropriate protection.

ACTION: Ensure that everyone treats audits as important and make sure that they are completed on time and properly, and with appropriate audit skills. Investigate any delays or difficulties by drilling down into the detail. Make sure that the business critical and financial exposure areas take priority and act upon all failings both quickly and completely, with follow-up audits if necessary.

6 Behavioural anomalies: These can range from acute defensiveness and resistance to attending review meetings, through to blaming strategies or even aggression when specific questions are asked about processes or figures.

ACTION: Get HR closely involved in specific cases. Then if you still have concerns about people upon closer inspection, pull and check all the relevant files or even consider a private investigator to look deeper into the processes used by such high risk people.

7 Gossip: Whispers and rumours “that all is not right” should always be taken seriously.

ACTION: Listen, take all such rumours seriously and investigate the reality.

8 Twitchy non-execs: Good non-execs provide a considered, independent and external perspective. If they express concern about something that does not add up or

en have good reason to worry. So must you.

ACTION: If non-execs have concerns about particular issues, they should be allowed to bring in the appropriate specialist experts that can investigate matters more deeply.

cial IT work: conducting

en outside normal hours can also be a worrying sign.

ACTION: look and think further than just password

expiry issues? Make sure that someone ,

(people spending all day on of IT

assets. Make sure you have a proper asset register and IT audit system in place.

10 Scapegoating: Where people are given a title without

ectively cover up what is going on with those who do have responsibility or power in a situation. The fraudster’s hope is that should the balloon go up the scapegoat takes the blame, at least long enough for records to be destroyed and evidence removed.

ACTION: Make sure that you have strong and cascaded accountabilities. Ensure that people know what they should be doing, and that they are doing what is required of them. Make sure that everyone is contributing to the business objectives. Make sure HR is involved in creating or reviewing job specifications.

“A cohesive anti-fraud strategy is an essential part of organisations’ core management cultures,” concludes Bill Trueman, CEO of UKFraud.co.uk. As BDO’s report said: “The key message is to think the unthinkable, question the good, the bad and the inconvenient news, look for any anomalies in the financial statements and any significant lifestyle changes of the people around you.”


NEWS ANALYSIS [ CONTEXT & INSIGHT ]

StrategicRISK [ MAY 2012 ] www.strategic-risk.eu

SPONSORED BY

L AST YEAR SHOULD HAVE BEEN A wake-up call for risk managers. As if the

Japanese tsunami or Thai fl oods were not enough as single events, many businesses were caught by both. For those desperate to relocate from earthquake-prone Japan, Thailand must have seemed a safe haven. They could not have expected to be washed out of their temporary homes so soon.

For risk managers the question remains, how resilient is the supply chain? It is not enough to assume that, in the wake of one disaster, a supplier can simply up sticks and move elsewhere. Risk managers need to be looking at where the “elsewhere” might be and asking if that new home also poses a risk.

In a world of 24/7, it is easy for businesses to believe that if their preferred supplier goes down, another will pop up fairly instantly. The danger with that is the end cost for the product can rise as the new supplier may deliver on time but demand a higher price for what has become a distress purchase.

And the risks may not always be in far fl ung places. The Icelandic volcano and its ash cloud caused chaos across Europe as airports shut down and other transport networks clogged up. Suppliers may well have produced goods on time but there was no chance of delivery.

Again, it may not always be a natural catastrophe on an epic scale. In FM Global’s report, The New Supply Chain Challenge: Risk Management in a Global Economy, author Ruud Bosman, then executive vice president, stresses the importance of not focusing purely on managing catastrophic supply chain disruptions. He points out that a series of minor disruptions can have a similar impact.

“If companies are consistently a week late meeting customer demand, for example,

or if retailers’ shelves routinely are not stocked with their products, the chances of staying in business fall precipitously,” says Bosman.

In fact, research from the logistics and transport insurer, the TT Club, reveals 80% of incidents are caused by human error. The overall breakdown of claims showed 63% resulted from operational causes, 33% from maintenance issues and just 4% were weather related.

Laurence Jones, TT Club’s director of global risk assessment, warns supply chain claims are rising and that globalisation is undoubtedly intensifying the complexity and potential disruptions for transport and logistics operators.

To build more resilient supply chains, companies should adopt an approach that includes an organisation’s total exposure, including non-physical perils, aligned to the value it derives from key products or other sources of revenue. This approach, which relies heavily on the use of analytics, can help an organisation identify single points of failure in its supply chain along with risk mitigation and financing options.

RISKS

Focusing on resilience

Risk managers are also encouraged to become more familiar with emerging supply chain insurance products, which are considerably broader than traditional contingent business interruption (CBI) and contingent extra expense (CEE) products on which risk managers have previously relied.

In addition to indemnifying for business interruption and extra expenses resulting from physical damage to suppliers, supply chain insurance products also offer insureds protection against non-physical interruptions to their supply chains. These can include strikes, riots, ingress/egress, service interruption, and pandemics.

While Bosman acknowledges that managing supply chain risk can add costs, he points out that companies might easily earn back their investment many times over if precautions prevent or minimise a supply chain disruption. He adds that the costs of a risk management programme that places an emphasis on prevention and control can be offset in the form of lower insurance premium – not to mention increased capacity and higher limits – for property, casualty and business interruption insurance.

Whatever route risk managers choose to go in terms of risk mitigation, it’s clear that resting on your laurels and assuming another supplier will be happy – and able – to pick up your business is a potentially dangerous thing to do. It seems lightning can strike twice after all. SR

Last year’s natural catastrophes showed risk managers that lightning really can strike in the same place twice


StrategicRISK [ JULY 2012 ] www.strategic-risk.eu


Communication proved to be at the heart of the key concerns facing UK risk managers as they met this year in Liverpool for the annual Airmic conference.

Issues at the top of the agenda included reservation of rights, supply chain risks and cyber liabilities. All three headed the list of concerns in a member survey conducted by Airmic before its annual event and dominated the discussions both in open forum and in a series of round table events.

However, it was communication – or lack of it – that emerged as the central problem behind all these, with risk managers identifying issues in communication with internal colleagues and with insurers as contributory factors. A lack of dialogue has left companies exposed to potentially massive claims from supply chain risks and from cyber liabilities, while once a claim has emerged communication can also lead to problems through the process resulting in an unsatisfactory conclusion for many.

Reservation of rights

Risk managers reported a perception that the use of reservation of rights in major claims appeared to be on the increase, despite Airmic figures which actually showed little if any increase in their use.

Perception also plays a major part in the sentiment of insureds – 67% of the respondents to an Airmic survey say they did not think the claim ended satisfactorily after a reservation of rights letter had been issued and a large proportion also believed the issue of the reservation of rights had not been fair.

Airmic has been working closely with lawyers Herbert Smith to design a clause for general use that would encourage a holding period before any reservation of rights letter could be issued, to give both parties time to establish the facts and communicate more openly.

Risk managers and brokers were reporting that the use of reservation of rights was threatening the ongoing tripartite relationship between insured, broker and insurer. They were calling for greater dialogue and more precise use of specific reservation of rights rather than a non-specific use that threatened the whole claim.

There is also growing concern about the impact of reservation of rights on an insured’s accounts. Companies are unable to show mitigation of risk on large claims where such a letter has been issued, potentially leaving a large gap in the accounts – something shareholders are increasingly looking at and questioning.

Supply chain

The wake-up call to industry following the Japanese earthquake and Thai floods is still not being heeded by everyone. Many businesses relocated from Japan to Thailand after the earthquake, only to be adversely affected by the flooding. Few had anticipated two such major natural catastrophes affecting their businesses.

However, a year on, Tom Teixeira, practice leader at Willis, claimed that, despite the double whammy of the Japanese earthquake and Thai floods, “there are still a number of sectors that have not changed their approach to supply chain management”.

RISKS

Risk management priorities

He blames a lack of interaction between risk managers and organisations’ procurement and sourcing functions: “In many of the companies I talk to there is no interaction or regular dialogue between group risk and procurement.

“In order to get better risk management in place there has to be close collaboration between the risk management function and the procurement function. For us to get the best risk assessment solution in place, followed by the actual risk management solution, you need both to be working closely together.”

Cyber

Communication is also a concern when it comes to cyber liability. Research from Marsh and Chubb, unveiled at Airmic, shows European risk managers have become more concerned about cyber risk over the past year; however, more than half do not even know if they have suffered an attack.

Marsh and Chubb also revealed that 69% of financial services, insurance and law delegates surveyed said their concern about cyber risk had increased during the previous 12 months. Of more concern is that 54% of those surveyed did not know whether their organisation had been subject to a cyber attack and only 41% had estimated what the financial impact would be to their organisation. One-quarter felt a cyber attack could cost more than £3.2m.

It seems confusion reigns as organisations fail to decide which department is responsible for cyber risk. Marsh CMT practice leader for Europe, the Middle East and Africa Fredrik Motzfeldt said: “Risk managers continue to have a minority stake in the management of cyber risk. Our research found 33% of respondents believed the IT department was responsible for cyber risk management in their organisations, compared with only 13% who thought it was a matter for the risk management function.”

Another worrying statistic was that only 21% of those surveyed said their organisation had purchased cyber insurance cover and a mere 11% felt confident their cyber insurance provision met their organisational needs. SR

Relishing the chance to meet fellow risk managers, delegates at the Airmic conference in June revealed that communication is the key to improved risk prevention and in buying the right insurance


StrategicRISK [ AUGUST 2012 ] www.strategic-risk.eu


This spring, after the longest dry spell in centuries, water authorities across central, eastern and southern parts of the UK imposed a draconian hosepipe ban. The following day, without a hint of irony, the heavens opened and barely closed again in more than three months.

April and June were the wettest ever recorded in the UK, May was close to breaking new ground statistically, and July appeared to be seeking headlines of its own for the same reason even before reaching St Swithin’s Day.

The South West, Midlands and North East have been perhaps worst affected and few places have escaped the deluge. With the average cost of a household flood estimated at around £17,000 per home, according to Lloyds TSB, claim damage is being witnessed on a vast scale.

Flooding in parts of England in the summer of 2007 cost the economy around £3 billion, Environment Agency data revealed. The bill for 2012 is likely to be much higher as the flooding this summer is on an even greater scale.

Rain is, by its very nature, indiscriminate and businesses have also been badly affected. Supply chains have been disrupted, affecting industry, and this will have a knock-on effect on production, sales and exports. The high street has also been delivered a potentially fatal blow with shoppers deserting stores or failing to purchase specialist summer clothing ranges, garden furniture or even barbeque food.

But the wet summer weather has not been restricted to the UK alone; many other parts of northern Europe such as Norway and Sweden have also experienced widespread disruption from the rain. In some countries the consequences have been tragic: early in July Russia’s worst floods in recent memory killed more than 150 people and left thousands homeless.

In Southern Europe it is a different story. Record-breaking heat has seen employees in some Balkan countries, for example, working reduced hours to cope with searing temperatures.

A shift in the positioning of the jet stream appears to be the cause of Europe’s extraordinary summer weather. Its normal path to the north of the UK brings warm air and clear skies over Britain and other north European countries. The consequences of this realignment of fast-moving air have been all too apparent this year - but is the summer of 2012 just an isolated season of horror or the start of a trend which becomes the norm?

BBC Science editor David Shukman calls the situation a “big unknown”. He said: “The high-altitude winds that make up the stream are themselves still racing along but their path remains stuck in place so our battering continues. This is one of the major puzzles for weather specialists and the science behind this is fairly young.”

The movement of the jet stream is highly complex. Dr Andrew Charlton-Perez, from the University of Reading’s Department of Meteorology, said: “The jet stream has been in its current position for a long time, and after some warm conditions in May we’re now experiencing much colder and wetter conditions. It’s hard to say why this is, but research [at the University of Reading] is exploring how waves in the jet stream, breaking and moving south, create ‘regime change’ in our weather.”

RISKS

Weather outlook clouded with uncertainty

Will there be a repeat washout next year? Unlikely, but it is almost impossible to predict with any certainty over the long term. What is becoming clear, however, is that so-called weather “events” appear to be getting more extreme - and climate change is the trigger.

A recent report, Explaining Extreme Events of 2011 from a Climate Perspective, includes contributions from the Met Office and many other research institutions from around the world.

Dr Peter Stott, Head of Climate Monitoring and Attribution at the Met Office and one of the editors of the report, said: “While we didn’t find evidence that climate change has affected the odds of all the extreme weather events we looked at, we did see that some events were significantly more likely. Overall we’re seeing that human influence is having a marked impact on some types of extreme weather.”

Jonathan Clark, Director of Corporate and Technical Risks at loss adjustment and claims management company Cunningham Lindsey, blames some of the scale of extremes on micro-climates.

“We are definitely seeing more incidents that are unpredictable that yield damage and this seems to be a trend,” he says. “We have a lot more variation in the climate that is localised because of cities. As such the weather is becoming more unpredictable and more people are being affected by the impact of this because more people are living in those cities.”

Climate change or just extreme weather? Or one influencing the other? It is too early to tell but risk managers will no doubt be among those analysing the situation most closely. SR

That Britons are pre-disposed to talk about the weather is hardly a new concept but this year discussion has been more focused than perhaps ever before on one topic: relentless rain


StrategicRISK [ SEPTEMBER 2012 ] www.strategic-risk.eu


After years of planning, this summer’s London 2012 Olympic Games finally took place amid tremendous worldwide acclaim. London had held a “fabulous” Games, according to Olympic Chairman Jacques Rogge, who thanked organisers for their efforts saying he was “a very happy and grateful man”.

Planning had been taking place for these Games ever since the bid was awarded back in July 2005. Amid the elation of bringing the Olympic flame to London for the first time since 1948 was a harsh realisation in government of the work that lay ahead, and the risk to ‘UK plc’ should they get it wrong.

Work began on the Olympic Park as early as 2008 when the Olympic Delivery Authority (ODA) oversaw the removal of 52 electricity pylons from the site at Stratford. With memories of the new Wembley’s farcical construction still fresh in the public’s memory, the ODA was certain to be under the most intense scrutiny to ensure the Olympic Park would be delivered on time and to budget.

For David Law, Chief Risk Officer at the ODA, gaining stakeholder buy-in was key to the programme’s success: “The early challenge was carrying our many, many different stakeholders with us, be they government stakeholders, various Olympic-type bodies, or UK sporting bodies. We had to persuade them that we were competent enough to build the park.”

Wembley had come in three years overdue, and knowing that time was immoveable the ODA aimed to complete the park by summer 2011. “We took a deliberate decision to manage the time risk in the programme, and so we aimed to finish the project by summer 2011 to allow 12 months to test the venues and any snagging,” says Law.

“We were monitoring the effectiveness of the individual management of each programme across time dealings. We were reporting regularly on the various scheduled performance index (SPI) measures that allowed us to ascertain the performance of each project at any one point in time,” Law continued.

Many of the major venues were completed ahead of schedule, and hosted major sporting events such as the World Cup Cycling Event which took place at the velodrome. These effectively helped test these venues’ capabilities, atmospheres and accessibility ahead of the London 2012 Games.

Accessibility had always been a concern for the Games, particularly for anyone living in London. Many doubted how the world’s oldest underground network would be able to cope with an influx of visitors from across the world. Even the Mayor, Boris Johnson, explicitly warned people “to avoid London if possible”.

Yet while the Tube carried over 60 million passengers during the games – a 30 per cent increase on the same period in 2011 – it did not grind to a halt. According to David Hancock, Head of Risk and Value at Transport for London (TfL), the flow of travellers was helped by the fact that there were “three peaks which coincided with when the Olympic village let people in and out. So we had a normal peak in the morning and one in the evening, but then we also had one at lunch time.”

Another problem for TfL was how to direct visitors around the capital’s sprawling transport network in a way which would not further disrupt the flow of people. “The big question for us was ‘how do you transfer all these people?’” says Hancock. “In order to smooth the flow of people we used Travel Ambassadors and employed extra people on stations. By having the travel ambassadors around equipped with iPads we were able to direct them and get information to them immediately.”

RISKS

Planning makes perfect

Even a late risk to Olympic security failed to disrupt the Games after an extra 3,500 British servicemen and women were called in to shore up operations after G4S was unable to provide the contracted number of guards. While it is difficult to know what threats did or did not exist, it appeared that one rogue bottle-thrower at the 100m final was as dangerous as things got.

If the ODA built the park, then LOCOG put on the show, and what a show it was. All in all these Games have gone down as one of the most well managed and best executed in Olympic history. It can only be hoped that the same will one day be said of the Olympic legacy that we’ve been promised so much about. SR

When it was announced that the world’s greatest sporting event was coming back to London, many people wondered how it would be possible to successfully manage risk on such a global level. Yet in the end London 2012 provided a text-book example of just how it can be done


StrategicRISK [ OCTOBER 2012 ] www.strategic-risk.eu


When the US elections take place on 6 November, the President-elect will be in control of a government that is $16.1 trillion in debt, and by the end of the year that figure will have increased by roughly $102 billion.

President Barack Obama and Republican hopeful Mitt Romney differ along very traditional Democratic and Republican lines when it comes to thinking about the economy and how to fix it. Republicans want to cut spending and avoid raising taxes, while Democrats are looking for a combination of spending cuts and tax increases.

With just three weeks until the election, both men have unsurprisingly focussed much of their economic policy proposals towards job creation. This is because unemployment is still the biggest domestic issue for many Americans, despite job figures improving in recent months.

Obama intends to provide stimulus for companies that would be hiring workers, but keep more social spending than Romney intends to. The theory is that there needs to be a social safety net both for people who are out of work, and in order to get people back into work.

Romney, on the other hand, like many Republicans before him, has campaigned on the back of lowering taxes on businesses, holding on to the traditional theory that lower taxes will increase businesses’ profits and make them more inclined to hire more workers. He has been stressing the need to lower the individual tax rate as well, arguing that many small businesses actually file under an individual tax rate.

Right now, however, both men’s policies pale into insignificance in the face of the ‘fiscal cliff’ that is looming at the end of the year – the rapidly approaching end of a series of tax breaks and government spending programmes. At midnight on 31 December 2012 there will be an end to last year’s temporary payroll tax cuts, tax breaks for businesses and the Bush tax cuts, while taxes related to Obama’s Patient Protection and Affordable Care Act 2010 and the terms of the Budget Control Act 2011 will come into effect.

According to Alexia Ash, head of North America forecasting at Exclusive Analysis, “the contractionary impact of [the fiscal cliff] is likely to be huge unless something is done beforehand”. She adds that “it’s unlikely that the Senate – which is going to be up for grabs during the election, and has struggled to act prior to the election – is going to prevent some of these things from disappearing. I can’t see any scenario in which the Senate is likely to completely counteract the contractionary impact of the fiscal cliff.

“Not only are you talking about the recovery from the financial crisis, but also the potential impact of the beginning of 2013. That being said, either man who gets elected is going to have an uphill battle. And it’s not just on him, it’s also on Congress, and Congress is not likely to become more conciliatory towards each other after the election. The lines in the sand are still going to be just as deep.”

RISKS

Nearing the void

If all of the current laws stated for 2013 go into effect, the impact on the economy will be dramatic. A report by the Congressional Business Office (CBO) recently estimated that the policies set to go into effect would result in an estimated $560 billion reduction to the deficit; however, it said that these would cut US GDP by 4% and add 2 million Americans to the unemployment register. This would plunge the economy into a recession that would send shockwaves around the world.

While the race for the Presidency is uncertain, you can be sure that the winner will not want to see such a contraction on their watch. However, with neither Obama nor Romney likely to sound the alarm bells as they attempt to win votes in the run-up to the election, it is doubtful that what little can be agreed in the Senate will be done so until the eleventh hour. After witnessing last year’s debt ceiling debacle, the rest of the world can only hope that this time political deadlock will give way to common sense. SR

There is much talk about job creation in the run-up to November’s US elections, but there is a much more pressing issue at hand


StrategicRISK [ NOVEMBER 2012 ] www.strategic-risk.eu


In June this year, a report published by the Organization for Economic Cooperation and Development (OECD) confirmed for the first time a rise in emigration from countries at the forefront of the euro zone crisis.

Unemployment – particularly among the young – continues to rise in southern-European countries such as Greece, Spain, Portugal and Italy as governments implement blanket programmes of austerity across public services, and the OECD’s recent annual report on migration trends said there is “tentative” evidence to show that people are beginning to leave them.

Tens of thousands of Europeans have moved outside of the continent altogether, raising concerns of a brain-drain as the brightest minds seek out better prospects in emerging economies such as Brazil where employment is all but guaranteed. The number of Portuguese alone that have migrated to the former colony jumped from 276,000 in 2010 to just below 330,000 in 2011.

However, migration outside of Europe isn’t something that’s attainable for everyone. Typical shortlist countries like Brazil, Australia and the USA have strict immigration controls which are favourable only to those who are highly educated and who in certain instances must be in possession of a job offer.

Relocation within the European Union, however, carries none of these or any other statutory restrictions as per Article 45 of the Treaty on the Functioning of the European Union, which provides free movement rights for those within the EU. With job opportunities dissipating in the south of the continent, tens of thousands are relocating to more northern European states where they have active social networks among already-existing diasporas.

“We have seen a significant increase in people going to the UK and Germany, in particular,” according to Madeline Sumption, senior policy analyst at Washington-based Migration Policy Institute (MPI) who says that their respective favourable economic climates are attracting swathes of southern-European migrants seeking employment and an improved quality of life. “Emigration from Greece seems to be somewhat moderated towards Germany at the moment, while the UK has been the top destination for Spanish nationals.”

Official statistics confirm this. Research from the Federal Statistical Office of Germany reveals that the number of Spanish immigrants arriving in the country doubled from 2009 levels to just below 21,000 in 2011. The number of immigrants coming from Greece, meanwhile, nearly tripled during the same period to roughly 25,000. Last year in the UK, nearly 30,000 Spaniards registered for national insurance numbers, a figure that is up substantially from between 10,000 to 12,000 in the mid-2000s.

RISKS

Good migration

“Economic opportunity is always one of the major drivers of immigration,” says Sumption. “Unemployment is still quite low among Europeans in the UK, and they remain less likely to be unemployed than Britons in the UK. So the economic opportunities are still there despite the fact the economy is not doing as well as it has done in the past.”

Nevertheless these sorts of immigration figures are giving concern to economists and nationalist politicians across northern Europe who argue that already-strained job markets and swollen welfare states will not be able to cope with an influx of immigrants.

But Sumption says this view is far too simplistic. Any adverse impact of intra-European migration on welfare would be “pretty small” she says, pointing out that unemployed migrants tend to claim benefit at lower rates than unemployed national-born citizens. “You would expect unemployment benefit claimants to go up, but not by as much as the number of unemployed people might go up.”

Meanwhile, a study published by the Migration Advisory Committee to estimate the impact of migration on competition currently suggested immigration within the EU (not considering the recession) would not have an impact on the employment prospects of British people.

In fact, immigration (especially when highly skilled) tends to have a positive impact along various dimensions – particularly for business. By bringing more skilled people into the country it provides an opportunity to increase productivity. These people earn significant amounts and so they pay fair amounts of taxes. “One of the interesting things about European migration to the UK and Germany is that you often have highly-skilled people working in low-skilled jobs,” says Sumption. “For employers this is a big benefit, because they’re getting often college educated people to do jobs that don’t usually attract that calibre of person.”

Meanwhile, the longer the economic situation in the PIIGS countries continues to deteriorate, it can only be expected that greater numbers of disenfranchised youth will migrate to more favourable climates. Our main concern should be that the brightest and youngest minds stay within the European Community, and do not venture outside it. SR

As the economic situation in southern Europe continues to deteriorate, tens of thousands are migrating north in search of employment and an improved quality of life
