A risk management look beyond the horizon

Natural disasters, power outages or a pandemic – all these events can lead to business interruptions and production shutdowns without causing any property damage. This is a difficult risk management starting point, especially for insurance companies. 

A major fire. Parts of the buildings and production facilities are damaged or even destroyed. There is a business interruption. Sales cannot be generated, revenues cannot be earned, and the ongoing costs cannot be financed. Damage of this kind can quickly run into the two to three-digit millions. Traditional property and business interruption insurance offers suitable cover in such cases. It provides compensation for the property damage as well as for the ongoing costs and loss of earnings.
 
However, established insurance concepts are unsuitable if a production stoppage or business interruption occurs without prior property damage, for example, due to the ash cloud over Europe in March 2010 or due to a widespread power outage, i.e. a blackout.
 
Currently, the best-known event that has led to shutdowns and outages in many industries is Covid-19. This event is derived from a single cause and occurred almost simultaneously worldwide. From an actuarial point of view, a risk transfer via insurance solutions is currently not possible without government involvement.

Alternative coverage concepts

For other failure scenarios, so-called non-damage business interruption policies, or NDBI for short, offer insurance coverage. Examples include natural events such as extreme cold, which causes river routes to freeze over, or regional flooding, which impedes access to and departure from operating sites and thus interrupts necessary raw material deliveries.

Limits to risk transfer and risk management

Many companies want to insure themselves against all the uncertainties that can occur in their value or supply chain, including market risk and price fluctuations. However, this is where the insurance industry reaches its limits. As in traditional insurance, innovative risk transfer solutions such as NDBI must meet criteria such as randomness, uniqueness, estimability and independence.

Here is a brief look at the ABCs of insurability:

Randomness means that the risk is uncertain and uncontrollable when the contract is concluded. To eliminate moral hazards, uncertainty must be present for both contracting parties. Besides moral hazard, information asymmetry is one of the biggest challenges for the insurance market. Often, the insurer does not have the same level of knowledge about the circumstances that may lead to a loss and may impose limitations on the scope of coverage. Customised solutions based on weather events as triggers offer the advantage of objective risk assessment here, as the data is often provided by an independent third-party provider, such as NASA, satellites or weather stations.
 
Uniqueness requires that all essential characteristics of the event as well as the obligation to perform must be definable. Any residual risks must be borne by the policyholder. For example, the values from a weather station may have to be extrapolated to cover a larger area or region. In this case, the damage presented may deviate from reality.
 
Estimability is the ability to determine the expected value and spread of the loss distribution to be insured (loss amount and probability of occurrence). Estimability is not sufficiently ensured if there is not enough meaningful data to create an appropriate risk model. Failing that, subjective risk assessments can also be considered, though with an increased risk of error.
 
Independence ensures that the risk can be diversified for the insurer. This means that many risks that do not materialise in the same event must be insured in the risk community of the insured. The aim is to avoid accumulation risk, i.e. the probability of a simultaneous or staged occurrence of loss for many insured risks. In a global value chain where just-in-time delivery is required, a strong correlation of various events can be assumed. A disruption at a manufacturer of certain components in Asia can cause massive damage and interruptions in Europe and vice versa.
 
These basic principles essentially define the limits in risk transfer. The criteria for insurability do not necessarily have to be met in full; a level at which risk equalisation is sufficiently ensured is adequate.

4 Findings for the Insurance and Risk Management Industry

The key findings of various studies on the development of global insurance markets by Deloitte, Ernst & Young, A.M. Best Rating Agency and Swiss Re show that:
 
1. The pandemic has highlighted the relevance of the insurance industry as a financial relief for households, companies and governments in times of crisis.
2. Supply chain disruptions require better protection to make businesses and society more resilient.
3. Insurers must adapt to widespread change, become more agile, and develop new solutions and even more specific services.
4. Digitalisation accelerated by the pandemic will enable improved risk assessment through Big Data & Co as well as more transparent pricing in the future. Optimised processes will lead to efficiency gains and favour the development of new, more attractive products based on AI and Big Data.
 
Risk managers are also challenged to evaluate alternative solutions for risk transfer (e.g. in the form of an NDBI) to make decisions for targeted deployment. There are no standardised products or parameters for such solutions. Each contract is tailor-made and individual. Here, too, integrative networking of risk and insurance management is a recipe for supporting the company’s success in the long term.

Rudolf Schiel

Practice Leader Property & Engineering

T +43 664 822 27 58

Zviadi Vardosanidze

Group Practice Leader Energy, Power and Mining

T +43 664 962 39 04

When risk managers see green …

Sustainability is increasingly becoming a (compulsory) programme and ESG criteria pose new challenges for the risk and opportunities management of companies.

At the end of September 2015, the UN member states adopted 17 Sustainable Development Goals (SDGs) to make our planet a better place to live by 2030. While the previous Millennium Development Goals (MDGs) focused primarily on reducing poverty, the new goals focus on sustainable development worldwide.

The ESG criteria of environmental, social and corporate sustainability are also the starting signal for companies to reorient themselves in risk and opportunity management. The big advantage here is that risk managers can continue to apply the proven methods for identifying, assessing, handling and monitoring risks universally.

New, green coat of paint for best practices

The new challenge is to effectively adapt the risk management cycle. Complementary to this, the increasing demand for ethics, equal treatment, justice and human dignity must be taken into account. Reconciling all of this with the ostensible goal of increasing profits is a real challenge that risk managers must face today for tomorrow.

In order to approach the task in a goal-oriented manner, we recommend that risk managers use opportunity management as a guideline. Think ahead, anticipate possible positive and negative influences on the company and thereby strengthen your view of the future!

More important than ever: forecasting and simulation models

Digitalisation has long been an important ally for risk managers. The use of IT-based forecasting models and simulations will continue to gain influence. A simple illustration is the dramatic change in the area of natural disasters and the protective purpose of monitoring and forecasting there. The focus will be on the development of preventive measures resulting from possible future risk and opportunity scenarios. Classic corrective measures derived from past experience will continue to be necessary in the background but will contribute much more to standardisation than to innovation. The increasing dynamics in the risk landscape mean that companies will have to adapt to new situations more and more quickly, leaving no time to work through past influences. Unfortunately, we observe this again and again in the area of cybercrime. The developers of protection systems very often lag behind the attackers, which means they merely react instead of acting.

An essential methodology for looking into the future is Business Continuity Management (BCM). This involves evaluating weak points in corporate processes in order to calculate potential damage and derive preventive plans for business continuity measures. This process is rounded off with simulations in which the emergency response is rehearsed. The goal is to know what to do when a loss occurs. Particularly in the case of risks that cannot be influenced, such as the supraregional power failure in the context of a blackout, but also in the case of natural disasters, BCM is the only chance to avert or at least reduce expected damage in the best possible way.

In addition to the ability to anticipate, an important task of risk and opportunity management will be to find and apply the right methods to balance the costs of sustainable development goals against the benefits and opportunities.

Competitive disadvantage, yes or no?

One concern of companies committed to ESG is a possible competitive disadvantage compared to those that have not committed to the SDG goals. Consistently identifying opportunities can counteract this, and ESG now sometimes acts as a key innovation driver in the development of production processes, products and services. Classical risk management methods such as the scenario technique or forecasting models also support a methodologically consistent examination and assessment of the uncertainties associated with opportunities here.

The professionals from GrECo

The core competence of GrECo Risk Engineering already consists of flexibly applying and modifying the classic methods of risk management – to a large extent also IT-supported. This enables us to respond specifically to the needs and requirements of our clients. We are happy to take on the challenge of anticipating future risks – and, above all, to point out the opportunities that arise. In this way, strategic considerations regarding risk appetite can be made quickly and flexibly. It also makes it possible to assess the passing on of new risks to the still rather sluggish insurance market at an early stage.

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160

Risk management goes hybrid & meets remote

How the new digital way of working has found its way into the world of GrECo Risk Engineering – ensuring the best support for GrECo clients in the future.

By now, we are used to many restrictions that this pandemic has brought. Risk and insurance management has not been spared either. Fortunately, most classic risk transfer activities are very suitable for home office and online meetings.

However, one very essential area of GrECo Risk Engineering (GREG) poses a particular challenge: the performance of risk surveys of operational site risks and the preparation of the corresponding risk reports as a basis for property and business interruption insurance. Comprehensive, detailed and up-to-date risk information is indispensable for the design of the corresponding insurance solutions, today even more than in the last decades with a comparatively soft market environment.

The pandemic has accelerated the hardening of the insurance market. In many cases, this means that without high-quality risk information, capacity cannot be purchased or can only be purchased at very high cost. Travel restrictions, the lockdown, and the understandable caution of many companies only allow very limited appointments at their own operating sites, which makes it difficult to obtain high-quality risk information.

Special measures in special times

In the past year, replacement strategies emerged to provide the best possible support to national and international companies. In addition to traditional risk survey services with a pure on-site presence, GREG also focused on “hybrid” surveys, i.e. a combined approach of an online meeting followed by a personal site visit. Particularly abroad, “remote” models, i.e. purely digital visits, have already gained acceptance in the past year.

Hybrid is the trump card

The hybrid approach aims to minimize face-to-face contact and avoid large group meetings. Good preparation for the meeting is essential for success and largely outweighs any disadvantages compared with a purely face-to-face meeting. Experience shows that discussions on topics such as maintenance and repair, business continuation, and financial data are generally very well suited to virtual meetings. The on-site appointment takes place close in time to the online meeting so that the information discussed is still fresh. Care must be taken to keep the group small, as all internal areas are visited. This approach will continue to play a role in the future in order to achieve effective results very efficiently, even during the initial inspection of new locations.

Remote as an alternative or for follow-up

“Remote” risk survey services, i.e., fully virtual site analyses, are used when travel or visits are not possible due to pandemic constraints. Again, GREG starts with an online meeting and, as a first step, undertakes a detailed discussion of the available information and documentation.

What is new is that a detailed route for the virtual walk-through is planned during the meeting. GREG’s risk engineers work with the plant manager to determine critical or relevant infrastructure and other areas of interest. A responsible person at the site then walks all areas according to the plan, providing a live video stream.

The remote model is especially suitable for follow-up visits, if good site plans are available and ideally the people in charge on the site are familiar with the process of such visits. Equipment suitable for such video streams includes, for example, cell phones using Messenger, Google glasses or GoPro cameras. Some of these devices require a WLAN connection, others work via mobile communications. It is also possible that certain exposed locations such as basement areas or more distant parts of the company premises cannot be covered if transmission problems occur. Using purely digital recordings such as video streams, it is incomparably more difficult to compile complete risk reports including recommendations. However, such reports are quite suitable and very helpful to provide a property insurer with up-to-date feedback on site risks as a follow-up.

What remains of the pandemic?

On-site, hybrid or remote risk survey services: the pandemic has created many forms of innovation, including in risk management. What remains for GREG is a toolkit of instruments that can be deployed in a targeted way in the future, as needed or adapted to the situation.

Markus Husa

Risk Consultant

T +43 5 0404 895

The footprint in the insurance market

An IT-controlled risk assessment & monitoring tool from GrECo ensures the transparent depiction as well as the management and monitoring of operational location risks. This is increasingly important for property and business interruption insurances.

More and more insurers are focusing on restoring measures in property and business interruption insurance. Companies are therefore increasingly realising that it is difficult to find the necessary insurance capacities for badly protected or loss-affected risks, especially in exposed industries.

It is all the more important for companies to know their own risk quality and to manage it. Which improvement potentials make sense? How can the risk quality, implemented and planned improvement potentials and their positive effects for risk carriers and other stakeholders be presented transparently and interactively? These are the decisive factors not only to ensure the continuation of the operations in the best way possible, but also for tailored insurance solutions for property and business interruption risks. It is ultimately a matter of addressing the appropriate insurance markets as part of effective balance sheet protection.

The GrECo risk assessment & monitoring tool

GrECo Risk Engineering GmbH has developed a risk assessment & monitoring tool to create risk profiles; this tool has already been used successfully for several years. The tool depicts the entire risk management cycle from identifying and assessing to the management and monitoring of operational risks.

Risks are identified based on documents, on-site inspections and interviews with GrECo risk consultants. The consultants prepare risk maps for specific industries in advance that show relevant topics and define protection requirements. The data recorded as part of the risk identification is compared with the defined requirements and evaluated. Negative discrepancies reveal potentials for improvement that are documented in a list of measures. A risk ratio is determined and the risk profile is presented based on defined categories.

The GrECo risk assessment & monitoring tool therefore offers an objective, transparent and simple depiction of the risk situation. If a company has several similar locations, it is also possible to benchmark the risk quality of these locations. The tool can also be used for risk comparisons in an industry.

Cost-benefit analysis as a basis

A company's knowledge of its own risk profile, evaluated by experienced and independent experts, is an essential requirement for defining the future risk strategy and the effective use of safety equipment based on objective evaluation criteria. A cost-benefit analysis completes the functions of the tool.

This provides the management with a basis for making decisions on prioritising measures and the investment involved. All this strengthens the company’s underwriting footprint in order to ensure sufficient capacity at risk-adequate premium costs for property and business interruption insurance, even in an increasingly difficult insurance market.

If there are any questions about the risk assessment & monitoring tool, GrECo Risk Engineering GmbH’s team will be happy to answer them.

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160

Well protected against weather extremes

GrECo Risk Engineering GmbH offers individual analyses for protection concepts against floods & Co. Targeted risk management can protect your business facilities, and appropriate crop insurance can minimize the risk of harvest loss as well as seed and fruit damage.

If you think back to the beginning of the Corona crisis and the time in the home office, you will especially remember the beautiful April with early summer temperatures that made the lockdown and exit restrictions a challenge.

The ZAMG (Central Institute for Meteorology and Geodynamics) speaks of the fourth warmest April since records began (i.e. since the 18th century) and of one of the driest springs ever. There were almost 20% more hours of sunshine than on average (+ 55% in April) and temperatures were almost 1 °C above average (+ 2.1 °C in April). In the months of March and April there was 45% less precipitation than the long-term average (1981-2010), in Eastern Austria even 71% less. The rain in May could not compensate for the extreme dryness of the previous months. Overall, this year there was about 30% less rainfall.

Due to the mild beginning of the year, many plants sprouted up to three weeks earlier. The rainy month of May just about prevented a catastrophic crop failure. Nevertheless, the missing harvests resulted in a lack of grass cuttings, which are urgently needed as animal fodder. Conclusion: In addition to the corona crisis, the situation for agricultural enterprises has worsened immensely.

The number of extreme events is increasing worldwide

An ongoing ZAMG project showed that since 2000 there has been a significant increase in weather conditions with bad weather potential of 30% – 50%. This is, among other things, a direct consequence of the increase in the water vapor content of the air caused by the rise in temperature. Due to the increasing warming, the thunderstorm season in Austria is extending towards spring and autumn.

The increase in such weather extremes was already apparent in June. The long heavy rainfall in Lower Austria led to flooded fields, debris flows, local flash floods, roadblocks and flooded cellars, and required about 100 storm-related operations by the local fire departments. In July, the series of storms continued in the western provinces of Austria such as Salzburg and Tyrol.

The trend towards such extreme events is also evident worldwide. Severe thunderstorms with heavy rainfall swept over areas of the USA, while at the same time heat waves were announced in other parts of the country, such as California. China was hit by a catastrophic flood at the end of June, triggered by the heaviest rainfall in 70 years. The rising number of forest fires, for example in Australia and the USA, is also attributed to the consequences of the weather extremes.

Preventive protection concepts against floods & Co.

Unlike weather phenomena such as drought and aridity, hydrological hazards such as floods, debris flows and surface runoff are much more predictable and can be dealt with at a local level. In general, especially in Central Europe, superregional flood protection is taken over by the state. However, if the properties of companies are located in areas that were not designated as flood areas at the time of construction, it is necessary to take your own preventive protection measures.

GrECo Risk Engineering GmbH (GREG) offers consulting services such as risk identification and analysis, evaluation and risk assessment of threat potentials from natural disasters as well as preventive action planning. In this way, technically efficient and economically feasible solutions are developed together with the companies in order to be prepared in case of floods, for example, and to prevent potential damage and shutdown of operations.
The risk consultants of our GREG team rely on internationally proven protection measures and the state of the art in natural hazard management and flood protection in particular.

Tailor-made insurance solutions covering property damage and business interruption due to natural events round off an effective protection concept.

Crop insurance as a protective shield for farmers

Due to climate change, farmers also face new challenges in their risk management. Besides sustainable farming methods, dry periods and drought can often only be countered with artificial irrigation. Since such a measure is tied to a multitude of factors (infrastructural conditions, available water resources, soil conditions, etc.) and generally requires very high investment costs, GREG offers individual analyses, which at the same time provide a basis for appropriate insurance protection.

Risk-adequate crop insurance contributes to keeping the economic risk of losses and damage low by providing appropriate coverage.

Günther Kundela

GrECo Risk Engineering

Tel.: +43 5 0404 354

Digitisation as a challenge and a new opportunity

Changes in the digital world also have an impact on the risk management of companies and pose new challenges to many risk managers, but also offer new opportunities. A report on practical experiences from Martin Cerny, Finance Insurance Manager at A1 Telekom Austria AG.

The digital transformation poses major challenges to companies. The complexity, the amount of data and the speed are increasing. Risk management is therefore encouraged to use the new options for digital data flows and to continue to develop its own instruments along with technological advances.

The objective of risk management, namely to identify threats and dangers and to assess and communicate risks, generally remains unchanged. Risk management and risk control play a central role in the risk management process. The aim of this process is to change the risk situation positively by implementing measures to prevent and reduce risks. However, modern risk management also has the task of identifying opportunities and making them transparent.

Helping others to help themselves as the standard

The measures arising from the risk management process are often only taken in accordance with legal requirements, and risks are transferred by taking out insurance policies. ISO standard 31000:2018 implemented a guideline that integrates all company divisions into risk management. This specifically involves analysing risks and opportunities from the operational processes right up to strategic management.

Digitisation in the telecommunications industry

Taking the example of telecommunications, the complexity of changing from the analogue world to the digital age can be demonstrated in a very striking manner. The telephone system was originally simple voice transmission from one location to another. Telephone networks were later used to transfer data. Telephone technology then became digital and increased in complexity. Nowadays, the exchange of information increasingly occurs between networked machines. A technical separation of networks and services is now being carried out with the introduction of IP-based networks. Thanks to increasing data transfer speeds, these networks allow for new applications such as cloud services. Lastly, virtual connections can be established in the digital network and this means that a physical connection between two communication end points is no longer required.

Digitisation ultimately leads to a transformation of value-added processes and entire value-added networks, and risk management becomes considerably more complex as a result of this.

Digitisation in risk management

Digital opportunities can be used as part of risk identification in order to work with a wider database using big data. Risk managers use machine-based real-time analyses, artificial intelligence and early warning systems to help them with the risk analysis. This is essential in a world of dynamic changes in the risk landscape. With the growth in the development of digital networks, the focus of risk management is increasingly on cyber risks, and not only in technology sectors. This is also shown by the renowned risk barometer of Allianz Global Corporate & Specialty, in which cyber incidents topped the list of the most significant business risks for the first time in 2020. There are also increasing regulatory requirements for handling data such as, for example, the EU GDPR (the basis of general data protection law since 25 May 2018).

Risk assessment also uses the numerous IT-based evaluation options such as data and predictive analysis methods. The resulting risk ratios are used in the form of reports for the decision-making process.

When it comes to managing risks, the opportunities and dangers of digitisation are closely connected. Digitisation enables identified risks to be monitored in real time and risk measures to be adapted rapidly. The complexity of digital networking, on the other hand, involves increased interactions between individual measures.

Martin Cerny
Finance Insurance Manager
A1 Telekom Austria AG
T +43 50 664 21572
martin.cerny@a1.at

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160

“We consider ourselves as a service company”

The better the risk situation of clients can be assessed, the more specific the GrECo insurance specialists can make individual and tailored insurance concepts. The key to this is risk engineering.

Risk engineering depicts risk management professionally and creates an essential basis for the tailored servicing of our clients. In order to fulfil this key role, in 2012 GrECo founded its own successful subsidiary in GrECo Risk Engineering GmbH, GREG for short. The tasks of GREG are divided into two areas:

  • underwriting support and
  • risk management and engineering services.

“We consider ourselves as a service company for our clients and for the GrECo Group. This enables us to make a major contribution to providing all-around service as the leading Austrian risk and insurance consultant. As a result of the large number of different projects and a targeted training and further education programme, my team is continuously developing both professionally and personally. This is also the basis for expanding and professionalising services. The main objective is to promote risk awareness and improve the risk quality of our clients,” explains Johannes Vogl, General Manager of GREG.

Underwriting support

Underwriting support includes the actuarial risk evaluation of existing GrECo clients and the provision of risk information for sales projects. The same applies here: the better known the risk situation is, the better the GrECo insurance specialists can make individual and tailored coverage concepts. The focus here is on the insurance segments of business interruption, liability and technical insurance policies.

The structured evaluation and transparent presentation of the actuarial risk is carried out using the self-developed risk assessment and monitoring tool (see article “The footprint in the insurance market”). There is also an increased focus in GREG risk analyses on newer insurance lines such as cyber or reputation. The priority here is to determine possible loss potentials as a basis for defining the scope of cover.

Risk management & engineering services

Companies will be supported directly with risk management and engineering services. The main objectives here are loss prevention, continuous risk improvement and crisis and business continuity management. However, if a loss should still occur, structured claims management and post-loss analyses will be offered so that the “lessons learned” can also be identified and effectively implemented.

Risk engineering services include preparing or verifying (“second opinion”) safety concepts (fire protection, physical security, natural disaster protection), risk due diligence checks of new buildings and M&A projects, as well as added value analyses along the entire supply chain.

In terms of risk management, GREG helps its clients to establish and develop management systems for operational risks and enterprise risk management systems. Special topics such as cyber and crime or system and machine security round off the extensive range of services; this also involves cooperating with a selected partner network.

About GrECo Risk Engineering

GREG has grown continuously since it was founded. The core team in Austria currently consists of five highly-qualified engineers. They are supported by an extended team from Austria and the other GrECo countries. The cooperation between the different specialists allows clients to be offered an extensive range of services. The team is characterised by its great flexibility and creativity. It understands the clients’ requirements and implements them in the form of tailored services.

GREG focuses on uniform standards and quality. A regular exchange of ideas is a key success factor here. Close cooperation with the entire international insurance market makes it possible to recognise the latest trends at an early stage and to prepare clients for them.

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160

High risk, excellent fire protection

Competitive insurance market for timber industry and recycling companies

The premiums in corporate property insurance are currently rising in all industries. Loss-affected insurance contracts and types of establishments that are classified as critical, such as the timber industry and recycling companies, are especially hard hit by the consequences.

The triggers for market hardening were primarily the negative results of international corporate insurers and the lower number of providers as a result of company mergers. In addition to the premium increases, the different, more cautious risk and underwriting policy is also particularly evident among insurers with less capacity available for “risky” industrial risks (compared to the “normal” core business) on the market.

Few providers

A particular challenge at present is posed by the placement of insurance solutions for timber processing businesses and recycling companies: there are currently very few providers that accept requests for these industries. The majority of market players refuse to submit an offer from the start because claims experience does not suggest a positive business development. The remaining insurers now focus mainly on compliance with safety standards, preventative and precautionary fire protection, and the general attitude towards risk management in companies. They are checking in detail the extent to which their minimum requirements have been met and are also requesting additional detailed information on the current risk situation.

Risk mitigation measures

The insurability of their member companies has been a hot topic for the professional associations of the aforementioned industries for years, which is why the decision has been taken proactively to help improve the claims situation. The professional association of the Austrian timber industry and, recently, the association of Austrian waste disposal businesses, for example, have each published their own guidelines for fire protection. These were produced in conjunction with fire protection experts and the insurance association. This means that specific recommendations for improving risk quality are provided, along with an overview of the fire protection measures requested by many insurers.

The extent to which existing fire protection equipment meets the recommendations of these guidelines can be checked using GrECo’s self-assessment tool. A corresponding report is generated after all relevant data has been entered, and clearly depicts the current risk situation. From the report, our risk engineers can then develop a tailored set of risk improvement measures.

GrECo Risk Engineering GmbH is pleased to offer advice here and is also available for individual analyses of the existing risk situation and to specify risk-improving measures.

Rudolf Schiel

Practice Leader Property & Engineering

T +43 664 822 27 58

Identify your risks, don't burn your money!

Cyber-crime loss potential analysis

Cyber security has long since arrived on the management floor of SMEs. Budgets are being increased, the outsourcing of IT services is becoming increasingly popular and the training of IT employees is being promoted. The essential aspect of cyber security, i.e. raising awareness among employees with relevant training courses, is increasingly becoming a standard element of training plans.

However, the number of successful cyber attacks is on the rise, which is also due to the increasingly sophisticated methods, especially in relation to manipulating employees with social engineering, and the more aggressive behaviour of the attackers. Cyber attacks still have a very high success rate for criminals, with minimal effort and a low probability of being caught.

Comprehensive risk assessment

GrECo offers you 360° support for cyber risks and advises you comprehensively, from the identification and evaluation of possible cyber risks to the customized coverage of cyber insurance.

Risks are identified and assessed along the risk management cycle in order to objectively define a strategy to manage these risks, including costs and benefits.
A comprehensible and transparent risk assessment is essential for using existing resources where they have the greatest impact, especially given the rising need for investment in cyber security.

GrECo Risk Engineering – GrECo’s subsidiary specialised in risk management – evaluates the following losses as part of the cyber loss potential analysis.

1. First-party loss potential analysis

A key part of the analysis of first-party loss is the impact of a potential cyber incident on business interruption or business restriction. This is especially important for manufacturing companies due to the increasing dependence on functioning IT processes. The analysis includes evaluating the impact on bottleneck systems and production-critical infrastructure facilities. However, the IT systems used for production management or warehouse logistics are also an important part of the analysis.

The availability and integrity of data play an essential role for service providers and local authorities. Other internal cost positions are intra-company friction costs incurred from finding the causes of damage, determining the damage and repairing the damage. First-party losses also include the costs for obligations to provide information to authorities and customers, possible penalties and contractual penalties or blackmail payments. The first-party loss potential is also supplemented by reputational damage and theft of trade and business secrets, the monetary valuation of which poses a particular challenge.

Providing proof of damage and losses to the insurance company may also involve considerable costs. The burden of proving the existence of a cyber incident lies with the companies.

2. Third-party loss potential analysis

Assessing third-party losses that may essentially result from risks of liability to third parties is very important. These losses may have a significantly greater impact than the first-party losses and are often more difficult to assess, as company stakeholders such as customers, suppliers and its own employees must be taken into account in the analysis. The applicable legal situation also plays a key role, as it is necessary to clarify individually whether there is a liability and to what extent. The legal situation may be very different in specific countries. According to the General Data Protection Regulation, the parties affected by a data breach are entitled to compensation for pecuniary or non-pecuniary damages. However, the final supreme court decisions that can serve as precedents have yet to be made.

3. External cost positions

The external cost positions comprise the costs for external consulting services for damage forensics, damage repair (e.g. restoring data) and crisis communication, as well as legal consulting costs and the costs of reducing reputational damage. These may represent a significant cost factor for cyber damage and are often underestimated. Internal personnel are often not able to perform these services due to a lack of expertise or a lack of resources.

Assessing the loss potential is an important prerequisite for taking out cyber insurance both in terms of defining the sum insured and for the design of a risk-adequate scope of cover.

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160