When risk managers see green …

Sustainability is increasingly becoming a (compulsory) programme and ESG criteria pose new challenges for the risk and opportunities management of companies.

At the end of September 2015, the UN member states adopted 17 Sustainable Development Goals (SDGs) to make our planet a better place to live by 2030. While the previous Millennium Development Goals (MDGs) focused primarily on reducing poverty, the new goals focus on sustainable development worldwide.

The ESG criteria of environmental, social and corporate sustainability are also the starting signal for companies to reorient themselves in risk and opportunity management. The big advantage here is that risk managers can continue to apply the proven methods for identifying, assessing, handling and monitoring risks universally.

New, green coat of paint for best practices

The new challenge is to effectively adapt the risk management cycle. Complementary to this, the increasing demand for ethics, equal treatment, justice and human dignity must be taken into account. Reconciling all of this with the ostensible goal of increasing profits is a real challenge that risk managers must face today for tomorrow.

In order to approach the task in a goal-oriented manner, we recommend that risk managers use opportunity management as a guideline. Think ahead, anticipate possible positive and negative influences on the company and thereby strengthen your view of the future!

More important than ever: forecasting and simulation models

Digitalisation has long been an important ally for risk managers. The use of IT-based forecasting models and simulations will continue to gain influence. Simply illustrated, we see this in the dramatic changes in the area of natural disasters and the protective purpose of monitoring and forecasting in this area. The focus will be on the development of preventive measures resulting from possible future risk and opportunity scenarios. Classic corrective measures derived from past experience will continue to be necessary in the background but will contribute much more to standardisation than to innovation. The increasing dynamics in the risk landscape mean that companies will have to adapt to new situations more and more quickly, leaving no time to work through past influences. Unfortunately, we observe this again and again in the area of cybercrime. The developers of protection systems very often lag behind the attackers, which means they merely react instead of acting.

An essential methodology to approach the view into the future is Business Continuity Management (BCM). This involves evaluating weak points in corporate processes in order to calculate potential damage and derive preventive plans for business continuity measures. This process is rounded off with simulations in which the emergency is rehearsed. The goal is to know what to do when a loss occurs. Particularly in the case of risks that cannot be influenced, such as the supraregional power failure in the context of a blackout, but also in the case of natural disasters, BCM is the only chance to avert or at least reduce expected damage in the best possible way.

In addition to the ability to anticipate, an important task of risk and opportunity management will be to find and apply the right methods to balance the costs of sustainable development goals against the benefits and opportunities.

Competitive disadvantage, yes or no?

One concern of companies committed to ESG is a possible competitive disadvantage compared to those that have not committed to the SDG goals. Consistently identifying opportunities can counteract this, and ESG now sometimes acts as a key innovation driver in the development of production processes, products and services. Classical risk management methods such as the scenario technique or forecasting models also support the methodologically consistent examination and assessment of uncertainties of opportunities here.

The professionals from GrECo

The core competence of GrECo Risk Engineering already consists of flexibly applying and modifying the classic methods of risk management – to a large extent also IT-supported. This enables us to respond specifically to the needs and requirements of our clients. We are happy to take on the challenge of anticipating future risks – and, above all, to point out the opportunities that arise. In this way, strategic considerations regarding risk appetite can be made quickly and flexibly. It also makes it possible to assess the passing on of new risks to the still rather sluggish insurance market at an early stage.

Related Insights

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160

Blackout – Risk and crisis management as the key to overcoming the crisis

While we are all still busy with the COVID-19 crisis, the next shutdown scenario might be just around the corner. Experts predict that a so-called blackout will occur within the next five years. This is a large-scale power failure that would result in the collapse of the entire infrastructure and thus catastrophically restrict the usual processes in our daily lives. After all, without electricity everything comes to a standstill: telecommunications, water and fuel supply, traffic control systems, heating and air conditioning, computer systems and much more are unavailable for an indefinite period of time. Considerable personal restrictions as well as significant economic damage to companies due to business interruptions are to be expected.

The triggers are manifold…

There can be many reasons for a blackout: cyber-attacks and terrorist attacks, natural disasters, human error and, above all, insufficient network stability. The power supply is based on systems that are prone to errors due to their complexity, triggering chain reactions that then lead to supraregional failures in the power supply. It is not possible to eliminate all these potential causes permanently, so the threat of a future blackout is currently very real, even though the probability of this happening is mathematically low.

…the solutions in risk and insurance management too!

Blackout scenarios should therefore also be taken into account in emergency and business continuity plans (business continuity management). Municipalities and public institutions as well as critical infrastructure companies in particular have a special responsibility in this regard. The preparation of the locally responsible authorities and emergency organizations for a blackout scenario varies widely throughout Austria. There are currently no uniform rules or procedures, and in many places an emergency plan, if it exists at all, has never been tested or simulated.

The ability of the population to help itself is therefore all the more a central basis for all other necessary measures. Experts believe that this could take up to two weeks. There is little awareness of this among the population. It is essential to have a feeling of security and to be prepared for an emergency through open security communication and targeted risk and crisis management.

The footprint in the insurance market

An IT-controlled risk assessment & monitoring tool from GrECo ensures the transparent depiction as well as the management and monitoring of operational location risks. This is increasingly important for property and business interruption insurances.

More and more insurers are focusing on restoring measures in property and business interruption insurance. Companies are therefore increasingly realising that it is difficult to find the necessary insurance capacities for badly protected or loss-affected risks, especially in exposed industries.

It is all the more important for companies to know their own risk quality and to manage it. Which improvement potentials make sense? How can the risk quality, implemented and planned improvement potentials and their positive effects for risk carriers and other stakeholders be presented transparently and interactively? These are the decisive factors not only to ensure the continuation of the operations in the best way possible, but also for tailored insurance solutions for property and business interruption risks. It is ultimately a matter of addressing the appropriate insurance markets as part of effective balance sheet protection.

The GrECo risk assessment & monitoring tool

GrECo Risk Engineering GmbH has developed a risk assessment & monitoring tool to create risk profiles; this tool has already been used successfully for several years. The tool depicts the entire risk management cycle from identifying and assessing to the management and monitoring of operational risks.

Risks are identified based on documents, on-site inspections and interviews with GrECo risk consultants. They prepare risk maps for specific industries in advance that show relevant topics and define protection requirements. The data recorded as part of the risk identification is compared with the defined requirements and evaluated. Negative discrepancies reveal potentials for improvement that are documented in a list of measures. A risk ratio is determined and the risk profile is presented based on defined categories.

The GrECo risk assessment & monitoring tool therefore offers an objective, transparent and simple depiction of the risk situation. If a company has several similar locations, it is also possible to benchmark the risk quality of these locations. The tool can also be used for risk comparisons in an industry.

Cost-benefit analysis as a basis

The knowledge of its own risk profile evaluated by experienced and independent experts is an essential requirement for defining the future risk strategy and the effective use of safety equipment based on objective evaluation criteria. A cost-benefit analysis completes the functions of the tool.

This provides the management with a basis for making decisions on prioritising measures and the investment involved. All this strengthens the company’s underwriting footprint in order to ensure sufficient capacity at risk-adequate premium costs for property and business interruption insurance, even in an increasingly difficult insurance market.

If there are any questions about the risk assessment & monitoring tool, GrECo Risk Engineering GmbH’s team will be happy to answer them.

Digitisation as a challenge and a new opportunity

Changes in the digital world also have an impact on the risk management of companies and pose new challenges to many risk managers, but also offer new opportunities. A report on practical experiences from Martin Cerny, Finance Insurance Manager at A1 Telekom Austria AG.

The digital transformation poses major challenges to companies. The complexity, the amount of data and the speed are increasing. Risk management is therefore encouraged to use the new options for digital data flows and to continue to develop its own instruments along with technological advances.

The objective of risk management, to identify threats and dangers and to assess and communicate risks, generally remains unchanged. Risk management and risk control play a central role in the risk management process. The aim of this process is to change the risk situation positively by implementing measures to prevent and reduce risks. However, modern risk management also has the task of identifying opportunities and making them transparent.

Helping others to help themselves as the standard

The measures arising from the risk management process are often only taken in accordance with legal requirements, and risks are transferred by taking out insurance policies. A guideline that integrates all company divisions into risk management was implemented in ISO standard 31000:2018. This specifically involves analysing risks and opportunities from the operational processes right up to strategic management.

Digitisation in the telecommunications industry

Taking the example of telecommunications, the complexity of changing from the analogue world to the digital age can be demonstrated in a very striking manner. The telephone system was originally simple voice transmission from one location to another. Telephone networks were later used to transfer data. Telephone technology then became digital and increased in complexity. Nowadays, the exchange of information increasingly occurs between networked machines. A technical separation of networks and services is now being carried out with the introduction of IP-based networks. Thanks to increasing data transfer speeds, these networks allow for new applications such as cloud services. Lastly, virtual connections can be established in the digital network and this means that a physical connection between two communication end points is no longer required.

Digitisation ultimately leads to a transformation of value-added processes and entire value-added networks, and risk management becomes considerably more complex as a result of this.

Digitisation in risk management

Digital opportunities can be used as part of risk identification in order to work with a wider database using big data. Risk managers use machine-based real-time analyses, artificial intelligence and early warning systems to help them with the risk analysis. This is essential in a world of dynamic changes in the risk landscape. With the growth in the development of digital networks, the focus of risk management is increasingly on cyber risks, and not only in technology sectors. This is also shown by the renowned risk barometer of Allianz Global Corporate & Specialty, in which cyber incidents topped the list of the most significant business risks for the first time in 2020. There are also increasing regulatory requirements for handling data such as, for example, the EU GDPR (the basis of general data protection law since 25 May 2018).

Risk assessment also uses the numerous IT-based evaluation options such as data and predictive analysis methods. The resulting risk ratios are used in the form of reports for the decision-making process.

When it comes to managing risks, the opportunities and dangers of digitisation are closely connected. Digitisation enables identified risks to be monitored in real time and risk measures to be adapted rapidly. The complexity of digital networking, on the other hand, involves increased interactions between individual measures.

Martin Cerny
Finance Insurance Manager
A1 Telekom Austria AG
T +43 50 664 21572

“We consider ourselves as a service company”

The better the risk situation of clients can be assessed, the more specific the GrECo insurance specialists can make individual and tailored insurance concepts. The key to this is risk engineering.

Risk engineering depicts risk management professionally and creates an essential basis for the tailored servicing of our clients. In order to fulfil this key role, in 2012 GrECo founded its own successful subsidiary in GrECo Risk Engineering GmbH, GREG for short. The tasks of GREG are divided into two areas:

  • underwriting support and
  • risk management and engineering services.

“We consider ourselves as a service company for our clients and for the GrECo Group. This enables us to make a major contribution to providing all-around service as the leading Austrian risk and insurance consultant. As a result of the large number of different projects and a targeted training and further education programme, my team is continuously developing both professionally and personally. This is also the basis for expanding and professionalising services. The main objective is to promote risk awareness and improve the risk quality of our clients,” explains Johannes Vogl, General Manager of GREG.

Underwriting support

Underwriting support includes the actuarial risk evaluation of existing GrECo clients and the provision of risk information for sales projects. The same applies there: the better known the risk situation is, the better the GrECo insurance specialists can make individual and tailored coverage concepts. The focus here is on the insurance segments of business interruption, liability and technical insurance policies.

The structured evaluation and transparent presentation of the actuarial risk is carried out using the self-developed risk assessment and monitoring tool (see article “The footprint in the insurance market”). There is also an increased focus in GREG risk analyses on newer insurance lines such as cyber or reputation. The priority here is to determine possible loss potentials as a basis for defining the scope of cover.

Risk management & engineering services

Companies will be supported directly with risk management and engineering services. The main objectives here are loss prevention, continuous risk improvement and crisis and business continuity management. However, if a loss should still occur, structured claims management and post-loss analyses will be offered so that the “lessons learned” can also be identified and effectively implemented.

Risk engineering services include preparing or verifying (“second opinion”) safety concepts (fire protection, physical security, natural disaster protection), risk due diligence checks of new buildings and M&A projects, as well as added value analyses along the entire supply chain.

In terms of risk management, GREG helps its clients to establish and develop management systems for operational risks and enterprise risk management systems. Special topics such as cyber and crime or system and machine security round off the extensive range of services; this also involves cooperating with a selected partner network.

About GrECo Risk Engineering

GREG has grown continuously since it was founded. The core team in Austria currently consists of five highly-qualified engineers. They are supported by an extended team from Austria and the other GrECo countries. The cooperation between the different specialists allows clients to be offered an extensive range of services. The team is characterised by its great flexibility and creativity. It understands the clients’ requirements and implements them in the form of tailored services.

GREG focuses on uniform standards and quality. A regular exchange of ideas is a key success factor here. Close cooperation with the entire international insurance market makes it possible to recognise the latest trends at an early stage and to prepare clients for them.

Identify your risks, don't burn your money!

Cyber-crime loss potential analysis

Cyber security has long since arrived on the management floor of SMEs. Budgets are being increased, the outsourcing of IT services is becoming increasingly popular and the training of IT employees is being promoted. The essential aspect of cyber security, i.e. raising awareness among employees with relevant training courses, is increasingly becoming a standard element of training plans.

However, the number of successful cyber attacks is on the rise, which is also due to the increasingly sophisticated methods, especially in relation to manipulating employees with social engineering, and the more aggressive behaviour of the attackers. Cyber attacks still have a very high success rate for criminals, with minimal effort and a low probability of being caught.

Comprehensive risk assessment

GrECo offers you 360° support for cyber risks and advises you comprehensively, from the identification and evaluation of possible cyber risks to the customized coverage of cyber insurance.

Risks are identified and assessed along the risk management cycle in order to objectively define a strategy to manage these risks, including costs and benefits.
A comprehensible and transparent risk assessment is essential for using existing resources where they have the greatest impact, especially given the rising need for investment in cyber security.

GrECo Risk Engineering – GrECo’s subsidiary specialised in risk management – evaluates the following losses as part of the cyber loss potential analysis.

1. First-party loss potential analysis

A key part of the analysis of first-party loss is the impact of a potential cyber incident on business interruption or business restriction. This is especially important for manufacturing companies due to the increasing dependence on functioning IT processes. The analysis includes evaluating the impact on bottleneck systems and production-critical infrastructure facilities. However, the IT systems used for production management or warehouse logistics are also an important part of the analysis.

The availability and integrity of data play an essential role for service providers and local authorities. Other internal cost positions are intra-company friction costs incurred from finding the causes of damage, determining the damage and repairing the damage. First-party losses also include the costs for obligations to provide information to authorities and customers, possible penalties and contractual penalties or blackmail payments. The first-party loss potential is also supplemented by reputational damage and theft of trade and business secrets, the monetary valuation of which poses a particular challenge.

Providing proof of damage and losses to the insurance company may also involve considerable costs. The burden of proving the existence of a cyber incident lies with the companies.

2. Third-party loss potential analysis

Assessing third-party losses that may essentially result from risks of liability to third parties is very important. These losses may have a significantly greater impact than the first-party losses and are often more difficult to assess, as company stakeholders such as customers, suppliers and its own employees must be taken into account in the analysis. The applicable legal situation also plays a key role, as it is necessary to clarify individually whether there is a liability and to what extent. The legal situation may be very different in specific countries. According to the General Data Protection Regulation, the parties affected by a data breach are entitled to compensation for pecuniary or non-pecuniary damages. However, the final supreme court decisions that can serve as precedents have yet to be made.

3. External cost positions

The external cost positions comprise the costs for external consulting services for damage forensics, damage repair (e.g. restoring data) and crisis communication, legal consulting costs and the costs of reducing reputational damage. These may represent a significant cost factor for cyber damage and are often underestimated. Internal personnel are often not able to perform these services due to a lack of expertise or a lack of resources.

Assessing the loss potential is an important prerequisite for taking out cyber insurance both in terms of defining the sum insured and for the design of a risk-adequate scope of cover.
