A risk management look beyond the horizon

Natural disasters, power outages or a pandemic – all these events can lead to business interruptions and production shutdowns without causing any property damage. This is a difficult risk management starting point, especially for insurance companies. 

A major fire. Parts of the buildings and production facilities are damaged or even destroyed. There is a business interruption. Sales cannot be generated, revenues cannot be earned, and the ongoing costs cannot be financed. Damage of this kind can quickly run into the two to three-digit millions. Traditional property and business interruption insurance offers suitable cover in such cases. It provides compensation for the property damage as well as for the ongoing costs and loss of earnings.
 
However, established insurance concepts are unsuitable if a production stoppage or business interruption occurs without prior property damage, for example, due to the ash cloud over Europe in March 2010 or due to a widespread power outage, i.e. a blackout.
 
Currently, the best-known event that has led to shutdowns and outages in many industries is Covid-19. This event is derived from a single cause and occurred almost simultaneously worldwide. From an actuarial point of view, a risk transfer via insurance solutions is currently not possible without government involvement.

Alternative coverage concepts

For other failure scenarios, so-called non-damage business interruption policies, or NDBI for short, offer insurance coverage. Examples include natural events such as extreme cold, which causes river routes to freeze over, or regional flooding, which impedes access to and departure from operating sites and thus interrupts necessary raw material deliveries.

Limits to risk transfer and risk management

Many companies want to insure themselves against all the uncertainties that can occur in their value or supply chain, including market risk and price fluctuations. However, this is where the insurance industry reaches its limits. As in traditional insurance, innovative risk transfer solutions such as NDBI must meet criteria such as randomness, uniqueness, estimability and independence.

Here is a brief look at the basics of insurability:

Randomness means that the risk is uncertain and uncontrollable when the contract is concluded. To eliminate moral hazards, uncertainty must be present for both contracting parties. Besides moral hazard, information asymmetry is one of the biggest challenges for the insurance market. Often, the insurer does not have the same level of knowledge about the circumstances that may lead to a loss and may impose limitations on the scope of coverage. Customised solutions based on weather events as triggers offer the advantage of objective risk assessment here, as the data is often provided by an independent third-party provider, such as NASA, satellites or weather stations.
 
Uniqueness requires that all essential characteristics of the event as well as the obligation to perform must be definable. Any residual risks must be borne by the policyholder. For example, the values from a weather station may have to be extrapolated to cover a larger area or region. In this case, the damage presented may deviate from reality.
 
Estimability is the ability to determine the expected value and spread of the loss distribution to be insured (loss amount and probability of occurrence). Estimability is not sufficiently ensured if there is not enough meaningful data to be able to create an appropriate risk model. In that case, subjective risk assessments can also be considered, though with an increased risk of error.
 
Independence ensures that the risk can be diversified for the insurer. This means that many risks that do not materialise in the same event must be insured in the risk community of the insured. The aim is to avoid accumulation risk, i.e. the probability of a simultaneous or staged occurrence of loss for many insured risks. In a global value chain where just-in-time delivery is required, a strong correlation of various events can be assumed. A disruption at a manufacturer of certain components in Asia can cause massive damage and interruptions in Europe and vice versa.
 
These basic principles essentially define the limits in risk transfer. The criteria for insurability do not necessarily have to be met in full; a level at which risk equalisation is sufficiently ensured is adequate.

4 Findings for the Insurance and Risk Management Industry

The key findings of various studies on the development of global insurance markets by Deloitte, Ernst & Young, A.M. Best Rating Agency and Swiss Re show that:
 
1. The pandemic has highlighted the relevance of the insurance industry as a financial relief for households, companies and governments in times of crisis.
2. Supply chain disruptions require better protection to make businesses and society more resilient.
3. Insurers must adapt to widespread change, become more agile, and develop new solutions and even more specific services.
4. Digitalisation accelerated by the pandemic will enable improved risk assessment through Big Data & Co as well as more transparent pricing in the future. Optimised processes will lead to efficiency gains and favour the development of new, more attractive products based on AI and Big Data.
 
Risk managers are also challenged to evaluate alternative solutions for risk transfer (e.g. in the form of an NDBI) to make decisions for targeted deployment. There are no standardised products or parameters for such solutions. Each contract is tailor-made and individual. Here, too, integrative networking of risk and insurance management is a recipe for success in supporting the company’s success in the long term.

Rudolf Schiel

Practice Leader Property & Engineering

T +43 664 822 27 58

Zviadi Vardosanidze

Group Practice Leader Energy, Power and Mining

T +43 664 962 39 04

When risk managers see green …

Sustainability is increasingly becoming a (compulsory) programme and ESG criteria pose new challenges for the risk and opportunities management of companies.

At the end of September 2015, the UN member states adopted 17 Sustainable Development Goals (SDGs) to make our planet a better place to live by 2030. While the previous Millennium Development Goals (MDGs) focused primarily on reducing poverty, the new goals focus on sustainable development worldwide.

The ESG criteria of environmental, social and corporate sustainability are also the starting signal for companies to reorient themselves in risk and opportunity management. The big advantage here is that risk managers can continue to apply the proven methods for identifying, assessing, handling and monitoring risks universally.

New, green coat of paint for best practices

The new challenge is to effectively adapt the risk management cycle. Complementary to this, the increasing demand for ethics, equal treatment, justice and human dignity must be taken into account. Reconciling all of this with the ostensible goal of increasing profits is a real challenge that risk managers must face today for tomorrow.

In order to approach the task in a goal-oriented manner, we recommend that risk managers use opportunity management as a guideline. Think ahead, anticipate possible positive and negative influences on the company and thereby strengthen your view of the future!

More important than ever: forecasting and simulation models

Digitalisation has long been an important ally for risk managers. The use of IT-based forecasting models and simulations will continue to gain influence. A simple illustration is the dramatic change in the area of natural disasters and the protective purpose of monitoring and forecasting in this area. The focus will be on the development of preventive measures resulting from possible future risk and opportunity scenarios. Classic corrective measures derived from past experience will continue to be necessary in the background but will contribute much more to standardisation than to innovation. The increasing dynamics in the risk landscape mean that companies will have to adapt to new situations more and more quickly, leaving no time to work through past influences. Unfortunately, we observe this again and again in the area of cybercrime. The developers of protection systems very often lag behind the attackers, which means they merely react instead of acting.

An essential methodology for looking into the future is Business Continuity Management (BCM). This involves evaluating weak points in corporate processes in order to calculate potential damage and derive preventive plans for business continuity measures. This process is rounded off with simulations in which the emergency is rehearsed. The goal is to know what to do when a loss occurs. Particularly in the case of risks that cannot be influenced, such as the supraregional power failure in the context of a blackout, but also in the case of natural disasters, BCM is the only chance to avert or at least reduce expected damage in the best possible way.

In addition to the ability to anticipate, an important task of risk and opportunity management will be to find and apply the right methods to balance the costs of sustainable development goals against the benefits and opportunities.

Competitive disadvantage, yes or no?

One concern of companies committed to ESG is a possible competitive disadvantage compared to those that have not committed to the SDG goals. Consistently identifying opportunities can counteract this, and ESG now sometimes acts as a key innovation driver in the development of production processes, products and services. Classical risk management methods such as the scenario technique or forecasting models also support the methodologically consistent examination and assessment of uncertainties of opportunities here.

The professionals from GrECo

The core competence of GrECo Risk Engineering already consists of flexibly applying and modifying the classic methods of risk management – to a large extent also IT-supported. This enables us to respond specifically to the needs and requirements of our clients. We are happy to take on the challenge of anticipating future risks – and, above all, to point out the opportunities that arise. In this way, strategic considerations regarding risk appetite can be made quickly and flexibly. It also makes it possible to assess the passing on of new risks to the still rather sluggish insurance market at an early stage.

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160

Blackout – Risk and crisis management as the key to overcoming the crisis

While we are all still busy with the COVID-19 crisis, the next shutdown scenario might be just around the corner. Experts predict that a so-called blackout will occur within the next five years. This is a large-scale power failure that would result in the collapse of the entire infrastructure and thus catastrophically restrict the usual processes in our daily lives. After all, without electricity everything comes to a standstill: telecommunications, water and fuel supply, traffic control systems, heating and air conditioning, computer systems and much more are unavailable for an indefinite period of time. Considerable personal restrictions as well as significant economic damage to companies due to business interruptions are to be expected.

The triggers are manifold…

There can be many reasons for a blackout: cyber-attacks and terrorist attacks, natural disasters, human error and, above all, insufficient network stability. The power supply is based on systems that are prone to errors due to their complexity, triggering chain reactions that then lead to supraregional failures in the power supply. It is not possible to eliminate all these potential causes permanently, so the threat of a future blackout is currently very real, even though the probability of this happening is mathematically low.

…the solutions in risk and insurance management too!

Blackout scenarios should therefore also be taken into account in the emergency and business continuity plans (business continuity management). Municipalities and public institutions, as well as companies that are part of the critical infrastructure, have a special responsibility in this regard. The preparation of the locally responsible authorities and emergency organizations for a blackout scenario varies widely throughout Austria. There are currently no uniform rules or procedures, and in many places an emergency plan, if it exists at all, has never been rehearsed or simulated.
This makes the ability of the population to help itself all the more a central basis for all other necessary measures. Experts believe that this could take up to two weeks. There is little awareness of this among the population. It is essential to have the feeling of security, to be prepared for an emergency through open security communication and targeted risk and crisis management.

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160

Risk management goes hybrid & meets remote

How the new digital way of working has found its way into the world of GrECo Risk Engineering – ensuring the best support for GrECo clients in the future.

By now, we are used to many restrictions that this pandemic has brought. Risk and insurance management has not been spared either. Fortunately, most classic risk transfer activities are very suitable for home office and online meetings.

However, one very essential area of GrECo Risk Engineering (GREG) poses a particular challenge: the performance of risk surveys of operational site risks and the preparation of the corresponding risk reports as a basis for property and business interruption insurance. Comprehensive, detailed and up-to-date risk information is indispensable for the design of the corresponding insurance solutions, today even more than in the last decades with a comparatively soft market environment.

The pandemic has accelerated the hardening of the insurance market. In many cases, this means that without high-quality risk information, capacity cannot be purchased or can only be purchased at very high cost. Travel restrictions, the lockdown, and the understandable caution of many companies only allow very limited appointments at their own operating sites which makes it difficult to obtain high-quality risk information.

Special measures in special times

In the past year, replacement strategies emerged to provide the best possible support to national and international companies. In addition to traditional risk survey services with a pure on-site presence, GREG also focused on “hybrid” surveys, i.e. a combined approach of an online meeting followed by a personal site visit. Particularly abroad, “remote” models, i.e. purely digital visits, have already gained acceptance in the past year.

Hybrid is the trump card

The hybrid approach aims to minimize face-to-face contact and avoid large group meetings. Good preparation for the meeting is essential for success and largely outweighs any disadvantages compared with a purely face-to-face meeting. Experience shows that discussions on topics such as maintenance and repair, business continuation, and financial data are generally very well suited to virtual meetings. The on-site appointment takes place close in time to the online meeting so discussed information is still present. Care must be taken to keep the group small, as all internal areas are visited. This approach will continue to play a role in the future in order to achieve effective results very efficiently, even during the initial inspection of new locations.

Remote as an alternative or for follow-up

“Remote” risk survey services, i.e., fully virtual site analyses, are used when travel or visits are not possible due to pandemic constraints. Again, GREG starts with an online meeting and, as a first step, undertakes a detailed discussion of the available information and documentation.

What is new is that a detailed route for the virtual walk-through is planned during the meeting. GREG’s risk engineers work with the plant manager to determine critical or relevant infrastructure and other areas of interest. A responsible person at the site then walks all areas according to the plan, providing a live video stream.

The remote model is especially suitable for follow-up visits, if good site plans are available and ideally the people in charge on the site are familiar with the process of such visits. Equipment suitable for such video streams includes, for example, cell phones using Messenger, Google glasses or GoPro cameras. Some of these devices require a WLAN connection, others work via mobile communications. It is also possible that certain exposed locations such as basement areas or more distant parts of the company premises cannot be covered if transmission problems occur. Using purely digital recordings such as video streams, it is incomparably more difficult to compile complete risk reports including recommendations. However, such reports are quite suitable and very helpful to provide a property insurer with up-to-date feedback on site risks as a follow-up.

What remains of the pandemic?

On-site, hybrid or remote risk survey services. The pandemic has created many forms of innovation, including in risk management. What remains for GREG is a toolkit of instruments that can be deployed in a targeted way in the future as needed or adapted to the situation.

Markus Husa

Risk Consultant

T +43 5 0404 895

The footprint in the insurance market

An IT-controlled risk assessment & monitoring tool from GrECo ensures the transparent depiction as well as the management and monitoring of operational location risks. This is increasingly important for property and business interruption insurances.

More and more insurers are focusing on restoring measures in property and business interruption insurance. Companies are therefore increasingly realising that it is difficult to find the necessary insurance capacities for poorly protected or loss-affected risks, especially in exposed industries.

It is all the more important for companies to know their own risk quality and to manage it. Which improvement potentials make sense? How can the risk quality, implemented and planned improvement potentials and their positive effects for risk carriers and other stakeholders be presented transparently and interactively? These are the decisive factors not only to ensure the continuation of the operations in the best way possible, but also for tailored insurance solutions for property and business interruption risks. It is ultimately a matter of addressing the appropriate insurance markets as part of effective balance sheet protection.

The GrECo risk assessment & monitoring tool

GrECo Risk Engineering GmbH has developed a risk assessment & monitoring tool to create risk profiles; this tool has already been used successfully for several years. The tool depicts the entire risk management cycle from identifying and assessing to the management and monitoring of operational risks.

Risks are identified based on documents, on-site inspections and interviews with GrECo risk consultants. They prepare risk maps for specific industries in advance that show relevant topics and define protection requirements. The data recorded as part of the risk identification is compared with the defined requirements and evaluated. Negative discrepancies reveal potentials for improvement that are documented in a list of measures. A risk ratio is determined and the risk profile is presented based on defined categories.

The GrECo risk assessment & monitoring tool therefore offers an objective, transparent and simple depiction of the risk situation. If a company has several similar locations, it is also possible to benchmark the risk quality of these locations. The tool can also be used for risk comparisons in an industry.

Cost-benefit analysis as a basis

The knowledge of its own risk profile evaluated by experienced and independent experts is an essential requirement for defining the future risk strategy and the effective use of safety equipment based on objective evaluation criteria. A cost-benefit analysis completes the functions of the tool.

This provides the management with a basis for making decisions on prioritising measures and the investment involved. All this strengthens the company’s underwriting footprint in order to ensure sufficient capacity at risk-adequate premium costs for property and business interruption insurance, even in an increasingly difficult insurance market.

If there are any questions about the risk assessment & monitoring tool, GrECo Risk Engineering GmbH’s team will be happy to answer them.

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160

Digitisation as a challenge and a new opportunity

Changes in the digital world also have an impact on the risk management of companies and pose new challenges to many risk managers, but also offer new opportunities. A report on practical experiences from Martin Cerny, Finance Insurance Manager at A1 Telekom Austria AG.

The digital transformation poses major challenges to companies. The complexity, the amount of data and the speed are increasing. Risk management is therefore encouraged to use the new options for digital data flows and to continue to develop its own instruments along with technological advances.

The objective of risk management, which is to identify threats and dangers and to assess and communicate risks, generally remains unchanged. Risk management and risk control play a central role in the risk management process. The aim of this process is to change the risk situation positively by implementing measures to prevent and reduce risks. However, modern risk management also has the task of identifying opportunities and making them transparent.

Helping others to help themselves as the standard

The measures arising from the risk management process are often only taken in accordance with legal requirements, and risks are transferred by taking out insurance policies. A guideline that integrates all company divisions into risk management was implemented in ISO standard 31000:2018. This specifically involves analysing risks and opportunities from the operational processes right up to strategic management.

Digitisation in the telecommunications industry

Taking the example of telecommunications, the complexity of changing from the analogue world to the digital age can be demonstrated in a very striking manner. The telephone system was originally simple voice transmission from one location to another. Telephone networks were later used to transfer data. Telephone technology then became digital and increased in complexity. Nowadays, the exchange of information increasingly occurs between networked machines. A technical separation of networks and services is now being carried out with the introduction of IP-based networks. Thanks to increasing data transfer speeds, these networks allow for new applications such as cloud services. Lastly, virtual connections can be established in the digital network and this means that a physical connection between two communication end points is no longer required.

Digitisation ultimately leads to a transformation of value-added processes and entire value-added networks, and risk management becomes considerably more complex as a result of this.

Digitisation in risk management

Digital opportunities can be used as part of risk identification in order to work with a wider database using big data. Risk managers use machine-based real-time analyses, artificial intelligence and early warning systems to help them with the risk analysis. This is essential in a world of dynamic changes in the risk landscape. With the growth in the development of digital networks, the focus of risk management is increasingly on cyber risks, and not only in technology sectors. This is also shown by the renowned risk barometer of Allianz Global Corporate & Specialty, in which cyber incidents topped the list of the most significant business risks for the first time in 2020. There are also increasing regulatory requirements for handling data such as, for example, the EU GDPR (the basis of general data protection law since 25 May 2018).

Risk assessment also uses the numerous IT-based evaluation options such as data and predictive analysis methods. The resulting risk ratios are used in the form of reports for the decision-making process.

When it comes to managing risks, the opportunities and dangers of digitisation are closely connected. Digitisation enables identified risks to be monitored in real time and risk measures to be adapted rapidly. The complexity of digital networking, on the other hand, involves increased interactions between individual measures.

Martin Cerny
Finance Insurance Manager
A1 Telekom Austria AG
T +43 50 664 21572
martin.cerny@a1.at

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160

“We consider ourselves as a service company”

The better the risk situation of clients can be assessed, the more specific the GrECo insurance specialists can make individual and tailored insurance concepts. The key to this is risk engineering.

Risk engineering depicts risk management professionally and creates an essential basis for the tailored servicing of our clients. In order to fulfil this key role, in 2012 GrECo founded its own successful subsidiary in GrECo Risk Engineering GmbH, GREG for short. The tasks of GREG are divided into two areas:

  • underwriting support and
  • risk management and engineering services.

“We consider ourselves as a service company for our clients and for the GrECo Group. This enables us to make a major contribution to providing all-around service as the leading Austrian risk and insurance consultant. As a result of the large number of different projects and a targeted training and further education programme, my team is continuously developing both professionally and personally. This is also the basis for expanding and professionalising services. The main objective is to promote risk awareness and improve the risk quality of our clients,” explains Johannes Vogl, General Manager of GREG.

Underwriting support

Underwriting support includes the actuarial risk evaluation of existing GrECo clients and the provision of risk information for sales projects. The same applies here: the better known the risk situation is, the better the GrECo insurance specialists can make individual and tailored coverage concepts. The focus here is on the insurance segments of business interruption, liability and technical insurance policies.

The structured evaluation and transparent presentation of the actuarial risk is carried out using the self-developed risk assessment and monitoring tool (see article “The footprint in the insurance market”). There is also an increased focus in GREG risk analyses on newer insurance lines such as cyber or reputation. The priority here is to determine possible loss potentials as a basis for defining the scope of cover.

Risk management & engineering services

Companies will be supported directly with risk management and engineering services. The main objectives here are loss prevention, continuous risk improvement and crisis and business continuity management. However, if a loss should still occur, structured claims management and post-loss analyses will be offered so that the “lessons learned” can also be identified and effectively implemented.

Risk engineering services include preparing or verifying (“second opinion”) safety concepts (fire protection, physical security, natural disaster protection), risk due diligence checks of new buildings and M&A projects, as well as added value analyses along the entire supply chain.

In terms of risk management, GREG helps its clients to establish and develop management systems for operational risks and enterprise risk management systems. Special topics such as cyber and crime or system and machine security round off the extensive range of services; this also involves cooperating with a selected partner network.

About GrECo Risk Engineering

GREG has grown continuously since it was founded. The core team in Austria currently consists of five highly-qualified engineers. They are supported by an extended team from Austria and the other GrECo countries. The cooperation between the different specialists allows clients to be offered an extensive range of services. The team is characterised by its great flexibility and creativity. It understands the clients’ requirements and implements them in the form of tailored services.

GREG focuses on uniform standards and quality. A regular exchange of ideas is a key success factor here. Close cooperation with the entire international insurance market makes it possible to recognise the latest trends at an early stage and to prepare clients for them.

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160

Identify your risks, don't burn your money!

Cyber-crime loss potential analysis

Cyber security has long since arrived on the management floor of SMEs. Budgets are being increased, the outsourcing of IT services is becoming increasingly popular and the training of IT employees is being promoted. The essential aspect of cyber security, i.e. raising awareness among employees with relevant training courses, is increasingly becoming a standard element of training plans.

However, the number of successful cyber attacks is on the rise, which is also due to the increasingly sophisticated methods, especially in relation to manipulating employees with social engineering, and the more aggressive behaviour of the attackers. Cyber attacks still have a very high success rate for criminals, with minimal effort and a low probability of being caught.

Comprehensive risk assessment

GrECo offers you 360° support for cyber risks and advises you comprehensively, from the identification and evaluation of possible cyber risks to customized cyber insurance coverage.

Risks are identified and assessed along the risk management cycle in order to objectively define a strategy to manage these risks, including costs and benefits.
A comprehensible and transparent risk assessment is essential for using existing resources where they have the greatest impact, especially given the rising need for investment in cyber security.

GrECo Risk Engineering – GrECo’s subsidiary specialised in risk management – evaluates the following losses as part of the cyber loss potential analysis.

1. First-party loss potential analysis

A key part of the analysis of first-party loss is the impact of a potential cyber incident on business interruption or business restriction. This is especially important for manufacturing companies due to the increasing dependence on functioning IT processes. The analysis includes evaluating the impact on bottleneck systems and production-critical infrastructure facilities. However, the IT systems used for production management or warehouse logistics are also an important part of the analysis.

The availability and integrity of data play an essential role for service providers and local authorities. Other internal cost positions are intra-company friction costs incurred from finding the causes of damage, determining the damage and repairing the damage. First-party losses also include the costs for obligations to provide information to authorities and customers, possible penalties and contractual penalties or blackmail payments. The first-party loss potential is also supplemented by reputational damage and theft of trade and business secrets, the monetary valuation of which poses a particular challenge.

Providing proof of damage and losses to the insurance company may also involve considerable costs. The burden of proving the existence of a cyber incident lies with the companies.

2. Third-party loss potential analysis

Assessing third-party losses that may essentially result from risks of liability to third parties is very important. These losses may have a significantly greater impact than the first-party losses and are often more difficult to assess, as company stakeholders such as customers, suppliers and its own employees must be taken into account in the analysis. The applicable legal situation also plays a key role, as it is necessary to clarify individually whether there is a liability and to what extent. The legal situation may be very different in specific countries. According to the General Data Protection Regulation, the parties affected by a data breach are entitled to compensation for pecuniary or non-pecuniary damages. However, the final supreme court decisions that can serve as precedents have yet to be made.

3. External cost positions

The external cost positions comprise the costs for external consulting services for damage forensics, damage repair (e.g. restoring data) and crisis communication, as well as legal consulting costs and the costs of reducing reputational damage. These may represent a significant cost factor for cyber damage and are often underestimated. Internal personnel are often not able to perform these services due to a lack of expertise or a lack of resources.

Assessing the loss potential is an important prerequisite for taking out cyber insurance both in terms of defining the sum insured and for the design of a risk-adequate scope of cover.

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160