The Patient Protection and Affordable Care Act is well named, as its aim is to make health care providers accountable for delivering better care. As a result, the reforms make skilled health care risk management even more vital.

“The Patient Protection and Affordable Care Act has initiated a fundamental shift in the manner in which health care providers are going to be paid,” says Ron Calhoun, managing director and national health care practice leader with Aon Risk Solutions. “We are beginning a transition from volume-based methodologies to outcome-based methodologies. Prior to this, we have been on a fee-for-service model, as health care providers were compensated for volume.”

Smart Business spoke with Calhoun about how risk management integrates with health care in an age of reform.

What effect is health care reform having on the health care delivery system?

One of the consequences is that reform is creating the need for delivery systems to more fully integrate and provide a broader continuum of services. To take a bundled reimbursement, as opposed to the old pay-for-volume model, health care providers will be compensated based on outcomes. That creates a need for them to more fully integrate. On the front end, they will need to build out their ambulatory capabilities, and on the back end, they will need to improve post-acute capabilities.

How will the shift to outcome-based compensation affect providers?

The Centers for Medicare and Medicaid Services has implemented a compensation mechanism called the value-based purchasing program for providers to measure quality. There are 12 clinical process measures and nine patient experience measures. This program, which takes effect in fiscal year 2013, is about 70 percent weighed toward the 12 clinical processes and about 30 percent weighed toward the nine patient experience measures.

If health care providers have Medicare or Medicaid reimbursements in 2013, they can participate in this program. Then, those measures will have a real impact on their reimbursement thresholds. The measurements, plus the overall shift away from volume toward getting paid for outcomes, makes risk management programs even more critical than their historical place in patient safety.

How can a risk management program help with those measures?

Nationally, our health care delivery system does not have a standardized, systemic quality measuring process. When The Institute of Medicine issued its 1999 report, ‘To Err is Human,’ it started the patient safety movement.

Risk management has been proactive in patient safety since 1999, but we still have negative outcomes in our health care delivery service. After a six-year decline, we are starting to see an increase in the frequency of health care professional liability claims.

What factors affect the frequency and severity of health care liability claims?

From 2000 to 2006, there was a decrease in the frequency of health care professional liability claims, driven by three factors. One was the proliferation of tort reform. Second, there was an investment in patient safety systems at the provider level. Third, the provider community did a good job managing the perception of there being an availability-of-care crisis because of malpractice costs. Those have contributed to a downward pressure on health care professional liability claims.

From 2007 to the present day, there have been continued investments in patient safety initiatives, but we are seeing an increase in claims because of two factors. The first is tort reform erosion. In some states, tort reform bills have been either reformed or weakened. The second factor is economic stress.

There is an interesting correlation between the unemployment rate and an increase in health care professional liability and medical malpractice claims frequency. For every 1 percent increase in the unemployment rate, there is a corresponding 0.3 percent increase in health care professional liability and medical malpractice claims frequency, with a three-year lag. We are starting to see the post-2007 unemployment rate as a contributing factor to increasing claims frequency.

Unlike claims frequency, claim severity has increased at a steady rate, 4 percent over the past six years. That is cause for concern.

What can be done to improve outcomes and reduce medical claims?

One of the biggest barriers to improving risk management and patient safety is the ability to measure outcomes and the speed with which outcomes can be measured. One feature of the Patient Protection and Affordable Care Act is providing financial incentives to hospitals and physicians to further the meaningful use of electronic medical records (EMRs). The proliferation is dramatic, but it is still a fractured business.

There are three levels of sophistication in EMRs. The first level is simply making a paper file electronic. The second is computerized physician order entry, or CPOE. The third and most complex level is platforms with clinical decision support data. That third level will be necessary going forward to drive down the incidence of preventable medical errors.

More sophisticated EMRs will improve outcomes because physicians will have clinical decision support to help them adhere to clinical protocols at their fingertips. This is important because one of the biggest variables for integrated delivery systems to manage as they make the shift from volume-based to outcome-based methodologies is their ability to narrow physician practice pattern variation.

This technology comes with liabilities. If physicians have clinical decision support at their fingertips and depart from protocols, and an adverse event occurs, these errors could have a greater financial consequence than in the absence of such technology.

Ron Calhoun is managing director and national health care practice leader with Aon Risk Solutions. Reach him at (704) 343-4128 or ron.calhoun@aon.com.

Published in St. Louis

As retailers consider ways to control cost and increase revenue, many are achieving those goals by creating a captive insurance company.

Captives exist to underwrite the risk of their parent and affiliated companies, and can provide many benefits to retailers, says Adrian Richardson, managing director of Aon Risk Solutions, Global Risk Consulting.

“The concept is not new,” Richardson says. “Companies have had their own insurance companies financing their risks since the early 1900s. The idea was considered alternative then but has become a mainstream part of how insurance programs are put together.”

Smart Business spoke with Richardson and Terry Rodes, a senior vice president with Aon Risk Solutions, about how captive insurance companies can help retailers, as well as those in other industries, control costs and increase revenue.

Why should businesses consider joining or creating a captive insurance company?

Businesses should consider joining or creating a captive because captives can be an efficient methodology to finance their retained loss costs. The first step for a company that is considering moving from a guaranteed cost program is to determine whether it makes sense to retain risk.

Do you have a frequency of losses that is reasonably predictable? If so, it’s unlikely to  make sense for you to dollar swap with the insurance market. Paying $1 in premium and getting, say, 60 cents back from an insurer in paid losses might not be the most efficient way of insuring your risk.

Once you have a captive structure in place, you can build from an initial platform and consider what else to do with that insurance structure. How can you expand the use of the captive to not just simply finance retained loss costs in an efficient manner? How can you start creating some kind of revenue growth?

What are some ways retailers are expanding the use of their captives?

Many companies provide warranties or guarantees to their products. These  might be part of a program in which both administration and risk is assumed by a third party.  The opportunity could exist where these programs can be restructured so your captive insurance company accepts the risks associated with the warranty or guarantee.

If a retailer is using a third-party  warranty company to administer and underwrite the entire program, then there is no risk to the retailer. However, if there is a cost to the customer for the warranty, the retailer may have less control on customer experience and the whole revenue stream. In addition, the risks associated with the revenue stream are transferred to a third-party provider. It could make sense for your captive insurance company to take on that risk, control the program and customer experience more tightly and capture some of the profits being made by the third party.

Another way retailers are expanding the use of their captive insurance company is through the provision of supply chain insurance. Most retailers have several suppliers providing them with materials and goods, and as part of that cost of supply, suppliers have their own insurance programs. In many instances, the programs are smaller than the retailer’s. Retailers are therefore putting together suppliers’ risks programs and financing them through their captive. That method can remove some of the insurance costs to the supplier.

How can you tell if using a captive is the right choice for your company?

There are trigger points. How comfortable are you managing retained loss costs? Are your business’s retained loss costs at a level where you can absorb some of the frictional costs associated with a formal structure?

A captive structure is a formal mechanism to finance these risks. You are creating an entity or becoming part of a legal entity that is financing these risks, so there will be frictional costs associated with it. Understanding frictional costs and whether your retained loss costs are of the size that makes one of these options worth pursuing is a key aspect to this decision.

How can a risk consultant help companies make that decision?

A risk consultant will look at your program design and try to optimize it based on risk transfer costs and analyzing your loss costs. The consultant will do this to find the optimal level between risk transfer and risk retention.

You also should determine the best way to warehouse those retained loss costs. Can the company pay it from revenue? Do you want to set up a formal vehicle to finance those loss costs? Do you have subsidiaries or legal entities that all pay different premiums? Can you consolidate these costs through a single captive structure? These are some of the issues to examine with a risk consultant.

Review your options and the realistic costs. There might be collateral requirements, such as fronting costs. I recommend working with your consultant on a comparative exercise to determine whether a captive insurance company would help you derive the most efficiency in costs.

How can a company determine which type of captive insurance company to use?

There are a spectrum of captive structures, ranging from the wholly owned, single-parent captive in which a single entity owns 100 percent of the risk, through group-owned captives with multiple owners pooling their risk.

The single-parent captive is likely to be for those businesses that have taken the step of risk retention and are already retaining significant loss costs. Their costs are the size that it makes sense for them to create a full, wholly owned captive.

As a baseline, for a single-parent captive, annual operational costs are likely to be in the region of $75,000 to $100,000. You will want to absorb that cost within the financing of your retained loss costs. If your company is not large enough to take frictional costs on board of a single-parent captive, it might be opportune to consider a group captive scenario or perhaps other related structures, such as a cell company.

Adrian Richardson is managing director of Aon Risk Solutions’ Global Risk Consulting. Reach him at adrian. richardson@aon.com or (212) 441-2020.

Published in St. Louis
Thursday, 01 September 2011 11:13

Innovative solutions for higher education

Running a large educational institution poses a unique set of challenges. From the duty of care requirement, to campus safety, to bedbugs in the dorms, school administrators have to keep track of a lot more than just the average student’s GPA.

“One of the issues regarding colleges and universities is they are very complicated organizations,” says Anne Mulholland, director of Aon Risk Solutions’ Higher Education Alliance. “They tend to be very focused on institutional responsibility. Most complex entities tend to be that way because there are so many aspects to control.”

Smart Business spoke with Mulholland; Angela Tennis, COO of Aon’s Higher Education Alliance; and Joe Perry, vice president of Aon Risk Solutions, about how new solutions available to administrators are improving safety for colleges and universities.

Why are educational institutions particularly susceptible to risk?

Schools have a lot to consider. There are now students coming to school with mental or developmental issues who never would have been able to attend school in the past, but now can because of new medications.

Alcohol is still a huge issue in educational institutions. Some schools have nuclear labs, 100,000 seat arenas, or students traveling abroad, and each of those areas pose different risks.

What types of risks should concern those involved in higher education?

Student safety is a risk that everyone needs to be aware of. Consider the past 12 months, with man-made disasters such as the spring uprising in the Middle East, or the Japan earthquake and tsunami, and the resulting potential nuclear disaster.

When parents send their child to school, they trust that the college or university will meet its duty of care and take care of that student. They expect that if their child travels abroad that the college will have thought of any contingencies that may come up. Schools often turn to risk management companies to help answer that duty of care.

It’s difficult to underestimate how seriously schools take this, because the single biggest nightmare is having a student injured or killed.

When you have a mass loss, like a campus shooting, it can hang over the institution for a long time, and not just from a legal standpoint but from a cultural standpoint. It’s a malaise that’s hard to shake for years, and it carries a reputational risk, as well. Schools have done a lot of work to help make their campuses safer and more capable of being locked down.

Also, products such as Aon WorldAware can help keep people safe when they travel internationally. The program is an online country information service that tracks not only students but faculty and administration as they travel abroad. It is a coordination of whatever insurance the school has combined with the resources of the program.

The system does pretrip planning and training regarding culture, safety, political environment and recommended security procedures. WorldAware responds to both small issues, like a lost passport, and large issues, such as medical evacuation.

What are some other higher education risk issues?

Another issue is bedbugs. They can be a major headache for anyone in the hospitality industry, but specifically in dormitories. Typically, there is a heat process to remove them, or sometimes you’re just told to burn all your clothes.

Aon has developed a joint initiative with the leading pest control provider, which uses a methodology that freezes the affected area and reduces property damage. It also reduces the time necessary for rooms to be out of commission. A major residence hall infestation can cause the residence hall to be unavailable for months, creating quite a juggling act for the university.

How can administrators facing these risks manage them?

Enterprise risk management is a way for them to think of their risk, because it is a less silo-focused approach. It has the benefit of trying to capture all the risks the university faces in one overall analysis. One of the biggest questions is, ‘How do we know what we don’t know? How do we know what’s on the horizon?’

ERM is a good paradigm for organizations to use to interpret their current risk profile and what new risks may be coming at them. Then they can build a business plan to avoid it, mitigate it or deal with it.

Can other types of organizations use this approach to risk?

It is a framework that is useful not just for colleges and universities but for any complex organization. There is no one-size-fits-all approach to ERM.

ERM is not an insurance product; it’s a way of thinking about risk. It’s a major way to look at risks with a comprehensive focus.

Your risk management partner can help develop strategies to avoid the perception of ERM being an add-on, or something a consultant dreamed up. To work properly, it has to come from the culture itself, so it has the best chance of being successful. The analysis and implementation strategy have to fit the organization’s culture, or it’s just not going to work.

Anne Mulholland is director of Aon Risk Solutions’ higher education alliance. Reach her at anne.mulholland@aon.com. Angela Tennis is COO of Aon Risk Solutions’ Higher Education Alliance. Reach her at angela.tennis@aon.com. Joseph J. Perry is vice president at Aon Risk Solutions. Reach him at (248) 936-5272 or joe.perry@aon.com.

Published in Detroit
Thursday, 01 September 2011 17:08

Innovative solutions for higher education

Running a large educational institution poses a unique set of challenges. From the duty of care requirement, to campus safety, to bedbugs in the dorms, school administrators have to keep track of a lot more than just the average student’s GPA.

“One of the issues regarding colleges and universities is they are very complicated organizations,” says Anne Mulholland, director of Aon Risk Solutions’ Higher Education Alliance. “They tend to be very focused on institutional responsibility. Most complex entities tend to be that way because there are so many aspects to control.”

Smart Business spoke with Mulholland; Angela Tennis, COO of Aon’s Higher Education Alliance; and Mary Walkenhorst, senior account executive, Aon Risk Solutions, about how new solutions available to administrators are improving safety for colleges and universities.

Why are educational institutions particularly susceptible to risk?

Schools have a lot to consider. There are now students coming to school with mental or developmental issues who never would have been able to attend school in the past, but now can because of new medications.

Alcohol is still a huge issue in educational institutions. Some schools have nuclear labs, 100,000 seat arenas, or students traveling abroad, and each of those areas pose different risks.

What types of risks should concern those involved in higher education?

Student safety is a risk that everyone needs to be aware of. Consider the past 12 months, with man-made disasters such as the spring uprising in the Middle East, or the Japan earthquake and tsunami, and the resulting potential nuclear disaster.

When parents send their child to school, they trust that the college or university will meet its duty of care and take care of that student. They expect that if their child travels abroad that the college will have thought of any contingencies that may come up. Schools often turn to risk management companies to help answer that duty of care.

When you have a mass loss, like a campus shooting, it can hang over the institution for a long time, and not just from a legal standpoint but from a cultural standpoint. It’s a malaise that’s hard to shake for years, and it carries a reputational risk, as well. Schools have done a lot of work to help make their campuses safer and more capable of being locked down.

Also, products such as Aon WorldAware can help keep people safe when they travel internationally. The program is an online country information service that tracks not only students but faculty and administration as they travel abroad. It is a coordination of whatever insurance the school has combined with the resources of the program.

The system does pretrip planning and training regarding culture, safety, political environment and recommended security procedures. WorldAware responds to both small issues, like a lost passport, and large issues, such as medical evacuation.

What are some other higher education risk issues?

Another issue is bedbugs. They can be a major headache for anyone in the hospitality industry, but specifically in dormitories. Typically, there is a heat process to remove them, or sometimes you’re just told to burn all your clothes.

Aon has developed a joint initiative with the leading pest control provider, which uses a methodology that freezes the affected area and reduces property damage. It also reduces the time necessary for rooms to be out of commission. A major residence hall infestation can cause the residence hall to be unavailable for months, creating quite a juggling act for the university.

How can administrators facing these risks manage them?

Enterprise risk management is a way for them to think of their risk, because it is a less silo-focused approach. It has the benefit of trying to capture all the risks the university faces in one overall analysis. One of the biggest questions is, ‘How do we know what we don’t know? How do we know what’s on the horizon?’

ERM is a good paradigm for organizations to use to interpret their current risk profile and what new risks may be coming at them. Then they can build a business plan to avoid it, mitigate it or deal with it.

Can other types of organizations use this approach to risk?

It is a framework that is useful not just for colleges and universities but for any complex organization. There is no one-size-fits-all approach to ERM.

ERM is not an insurance product; it’s a way of thinking about risk. It’s a major way to look at risks with a comprehensive focus.

Your risk management partner can help develop strategies to avoid the perception of ERM being an add-on, or something a consultant dreamed up. To work properly, it has to come from the culture itself, so it has the best chance of being successful. The analysis and implementation strategy have to fit the organization’s culture, or it’s just not going to work.

Anne Mulholland is director of Aon Risk Solutions’ Higher Education Alliance. Reach her at anne.mulholland@aon.com. Angela Tennis is COO of Aon Risk Solutions’ Higher Education Alliance. Reach her at angela.tennis@aon.com. Mary Walkenhorst is senior account executive, Aon Risk Solutions. Reach her at (314) 854-0702 or mary.walkenhorst@aon.com.

Published in St. Louis

For organizations with loss-sensitive casualty programs, posting collateral has become an increasingly burdensome and expensive requirement due to volatile economic conditions.

“Over the past few years, the costs and risks around collateral have gone up considerably,” says Michael Gruetzmacher, director of Collateral Advisory Services, Aon Risk Solutions. “The impact of rising collateral costs can be a severely deteriorating factor to a company’s total cost of risk.”

Fortunately, an innovative casualty product requiring zero-collateral is available in addition to several opportunities to improve a company’s current collateral situation.

Smart Business spoke with Gruetzmacher and Kevin J. Pastoor, CPCU, managing director of Aon Risk Solutions, about how companies can manage collateral issues and how some companies may be able to avoid them.

Why is collateral required in a large deductible casualty insurance program?

Insurance companies require collateral to manage the inherent credit risks associated with high-deductible casualty insurance programs that come from the client’s obligation to reimburse the insurer for obligations within its deductible.

While the high-deductible program creates many benefits for clients by minimizing costs and improving cash flow, these benefits can be offset by rising collateral costs. These rising costs manifest via rising letter of credit (LOC) fees, as well as the opportunity costs of tying up capital, limiting borrowing capacity and the ability to invest in strategic growth opportunities.

What factors influence insurers when determining what a collateral obligation might be?

Insurers are influenced by how they view the loss experience of the client, the go-forward structure of the program and how that structure may include retained losses, and how the insurer perceives the client’s credit risk.

How do companies address the collateral challenge while optimizing their insurance spending?

Traditionally, there are three ways to attack collateral issues:

? Aggressively manage claims pre and post loss

? Restructure the program to best balance collateral costs with other corporate needs

? Strategically negotiate the amount of collateral held by the insurers to reflect the true underlying credit risk

The first opportunity is finding ways to improve the loss experience. Risk management professionals should review their risk control programs to minimize losses, aggressively manage open claims to ensure reserves are appropriate and work to close losses for an appropriate amount as quickly as possible.

Second, insurance brokers and insurance companies need to work with clients to determine the right program structure. This includes a financial review to determine if retaining more risk, in favor of paying lower premiums, makes the most financial sense. Modeling needs to be a highly individualized process based on the client’s financial situation. Considerations include the cost of capital, cost of collateral and the overall objectives of a company’s risk management program.

The third part is helping clients with credit risk advocacy as the risk management professional negotiates collateral. The expert should make sure the insurance company understands what’s going on with the client from a credit risk standpoint, and understands its true credit picture. Then, the expert uses that information with robust benchmarking analytics to negotiate the best possible collateral outcomes.

How can companies reduce collateral obligations through minimizing losses?

Insurance brokers must understand how their clients prevent claims and also manage those claims that do happen throughout their full life cycle. Working with their client to implement the right safety programs and preventing losses from happening in the first place will have the clearest benefit from a collateral standpoint.

Not only will preventing losses have a direct cost-savings benefit, collateral is not needed to secure losses if losses don’t happen in the first place. Furthermore, from a post-claim standpoint, it is important to stay on top of third-party administrators and work with them to close out claims as fast as possible. There is a lot of money left on the table in this area.

What other advice can you provide to companies struggling with collateral obligations?

As companies think about collateral, they should develop an exit strategy. Working with a professional can help companies perform transactions such as a program close-out and loss portfolio transfers as a way to eliminate collateral obligations.

These transactions can make a lot of sense for companies that have a high collateral cost and place a lot of value on getting that collateral back.

Is there a zero collateral solution?

It’s very apparent that companies don’t like to post collateral, but they enjoy the benefits they get from high-deductible programs. The Aon Zero-Collateral Deductible Program is a high-deductible casualty program structured in a way that companies wouldn’t need to provide collateral. Instead, they pay a one-time, upfront fee based upon their creditworthiness, which eliminates the collateral obligation for the life of the program.

The company saves substantial money over time and frees up capital. Also, the program eliminates risks that companies typically face with collateral, such as untimely adjustments from the insurance company.

The program is best suited for organizations with expected annual losses of up to $5 million and a credit rating of BB or above. Even if a company is not rated or is private, it may be acceptable for the program.

Michael Gruetzmacher is director of Collateral Advisory Services with Aon Risk Solutions. Reach him at (312) 381-4472 or michael.gruetzmacher@aon.com. Kevin J. Pastoor, CPCU, is managing director of Aon Risk Solutions. Reach him at (248) 936-5346 or kevin.pastoor@aon.com.

Published in Detroit

The U.S. economy has traditionally been product based, with companies increasing revenue by selling more products. However, as technology has expanded, the emphasis has shifted, says Kevin P. Kalinich, co-national managing director of Aon Risk Solutions’ financial services group.

“There has been an evolution and transformation in the economy from product based to service based, and an increasing reliance on electronic data,” says Kalinich. “These two changes apply to all companies, both product and service oriented. As a result, analysis has determined that more than 75 percent of an entity’s value is in its information assets.”

Smart Business spoke with Kalinich and with John George, account executive with Aon Risk Solutions, about how to protect your company’s valuable information from cyber threats.

What is cyber liability?

Cyber liability is the potential exposure of losing, destroying, or unauthorized disclosures of that goldmine of data. The data can be trade secrets, customer lists, or third-party data, such as customers’ personally identifiable information, credit card, Social Security or bank account numbers.

The unique exposure issue with cyber liability is that it is not based on the size of your company. If you look at directors’ and officers’, property insurance or general liability, the biggest factors are the capitalization of the company, revenue or amount of property. Analyzing these factors is how you evaluate exposure. With cyber liability, a small or medium-sized company could have catastrophic amounts of data.

What are the most common cyber threats?

The highest profile threats are hacking attacks. Third-party hacker attacks are getting the most attention now that the federal government created a cyber protection policy and is promoting an international strategy for cyber space. The larger exposure is social engineering, which is the negligence of entities in dealing with their data and mistakes people make apart from any IT security issues.

Both types of exposure can be addressed. To combat third-party hackers, entities must understand the best methods for risk mitigation. Companies can also ensure they have the best IT standards implemented.

For insider or negligence exposures, training and implementation of those practices is still important, but so is human behavioral engineering. When your HR department employees interview someone, are they trained on what they should or shouldn’t be doing? Do you have annual usage monitoring of employee computers? Do employees take an updated training course every year and click a box stating they understand the company’s data protection policy? While third-party hacking is more about IT security and encryption, there are more policies, procedures and guidelines involved in avoiding negligence.

How can employers fight these threats?

The first steps are identifying critical information and classifying the data. Critical information could involve credit card numbers for a business, patient information for a medical organization, or student information for an educational institution. You should classify critical data versus not-as-critical data, such as e-mail addresses or addresses without personal information. Once you classify that data, treat it differently. Different people might have access or there might be different protections; for example, critical data may have 100 percent encryption.

Why is it important to classify lower-priority data as less critical?

Because of cost and efficiency. You can paralyze yourself if key employees don’t have access to the data they need to do their jobs efficiently without being burdened. There is also a greater cost involved to implement more stringent IT procedures. It’s just not practical for everything to be 100 percent encrypted.

How can cyber threats hurt your company?

You can have third-party liability for the breach, in which you must pay defense costs and indemnity for individuals who have been harmed. You can have a loss of reputation. Also, there could be fines and penalties from government authorities, HIPAA, or credit card companies. Data exposures introduce a number of potential lawsuits.

How can companies determine if they need cyber liability insurance?

There are a few issues to handle before considering insurance. Most entities have outsourced information and you have to make sure that third-party vendors are in compliance with your IT security protections. You need a representation and warranty from the vendor stating that its company is up to standard and will hold harmless and indemnify you, because it has your critical data.

Contractual allocational liability is a critical component of the risk transfer, because cyber insurance is based on how much exposure the entity has versus how much is outsourced to third parties and how liability is allocated.

The next step is drafting and implementing a data breach response plan that identifies what to do in the event of a breach. The plan should identify a legal expert to assist with the breach, a forensics expert to determine the extent of the breach and how to stop it, and whether an auditing investigation or credit monitoring is necessary. Also, explore your existing insurance. Look at your general liability, property, crime and D&O policies. You may already have coverage for breaches of data, data loss and media, copyright and trademark issues.

What should companies do if they find gaps in those areas?

If you’ve identified gaps, then consider cyber insurance, which is intended to address the gaps in privacy and security exposures in current policies. Begin to address it and continually evolve. You can use data and technology as a tool to differentiate and enhance your company, instead of it being used as a weapon against you.

Kevin P. Kalinich is co-national managing director of Aon Risk Solutions’ financial services group. Reach him at kevin.kalinich@aon.com.

John George is an account executive with Aon Risk Solutions. Reach him at (248) 936-5264 or john.george@aon.com.

Published in Detroit

The U.S. economy has traditionally been product based, with companies increasing revenue by selling more products. However, as technology has expanded, the emphasis has shifted, says Kevin P. Kalinich, co-national managing director of Aon Risk Solutions’ financial services group.

“There has been an evolution and transformation in the economy from product based to service based, and an increasing reliance on electronic data,” says Kalinich. “These two changes apply to all companies, both product and service oriented. As a result, analysis has determined that more than 75 percent of an entity’s value is in its information assets.”

Smart Business spoke with Kalinich and with Chris Mower, senior vice president of Aon Risk Solutions’ financial services group, about how to protect your company’s valuable information from cyber threats.

What is cyber liability?

Cyber liability is the potential exposure of losing, destroying, or unauthorized disclosures of that goldmine of data. The data can be trade secrets, customer lists, or third-party data, such as customers’ personally identifiable information, credit card, Social Security or bank account numbers.

The unique exposure issue with cyber liability is that it is not based on the size of your company. If you look at directors’ and officers’, property insurance or general liability, the biggest factors are the capitalization of the company, revenue or amount of property. Analyzing these factors is how you evaluate exposure. With cyber liability, a small or medium-sized company could have catastrophic amounts of data.

What are the most common cyber threats?

The highest profile threats are hacking attacks. Third-party hacker attacks are getting the most attention now that the federal government created a cyber protection policy and is promoting an international strategy for cyber space. The larger exposure is social engineering, which is the negligence of entities in dealing with their data and mistakes people make apart from any IT security issues.

Both types of exposure can be addressed. To combat third-party hackers, entities must understand the best methods for risk mitigation. Companies can also ensure they have the best IT standards implemented.

For insider or negligence exposures, training and implementation of those practices is still important, but so is human behavioral engineering. When your HR department employees interview someone, are they trained on what they should or shouldn’t be doing? Do you have annual usage monitoring of employee computers? Do employees take an updated training course every year and click a box stating they understand the company’s data protection policy? While third-party hacking is more about IT security and encryption, there are more policies, procedures and guidelines involved in avoiding negligence.

How can employers fight these threats?

The first steps are identifying critical information and classifying the data. Critical information could involve credit card numbers for a business, patient information for a medical organization, or student information for an educational institution. You should classify critical data versus not-as-critical data, such as e-mail addresses or addresses without personal information. Once you classify that data, treat it differently. Different people might have access or there might be different protections; for example, critical data may have 100 percent encryption.

Why is it important to classify lower-priority data as less critical?

Because of cost and efficiency. You can paralyze yourself if key employees don’t have access to the data they need to do their jobs efficiently without being burdened. There is also a greater cost involved to implement more stringent IT procedures. It’s just not practical for everything to be 100 percent encrypted.

How can cyber threats hurt your company?

You can have third-party liability for the breach, in which you must pay defense costs and indemnity for individuals who have been harmed. You can have a loss of reputation. Also, there could be fines and penalties from government authorities, HIPAA, or credit card companies. Data exposures introduce a number of potential lawsuits.

How can companies determine if they need cyber liability insurance?

There are a few issues to handle before considering insurance. Most entities have outsourced information and you have to make sure that third-party vendors are in compliance with your IT security protections. You need a representation and warranty from the vendor stating that its company is up to standard and will hold harmless and indemnify you, because it has your critical data.

Contractual allocational liability is a critical component of the risk transfer, because cyber insurance is based on how much exposure the entity has versus how much is outsourced to third parties and how liability is allocated.

The next step is drafting and implementing a data breach response plan that identifies what to do in the event of a breach. The plan should identify a legal expert to assist with the breach, a forensics expert to determine the extent of the breach and how to stop it, and whether an auditing investigation or credit monitoring is necessary. Also, explore your existing insurance. Look at your general liability, property, crime and D&O policies. You may already have coverage for breaches of data, data loss and media, copyright and trademark issues.

What should companies do if they find gaps in those areas?

If you’ve identified gaps, then consider cyber insurance, which is intended to address the gaps in privacy and security exposures in current policies. Begin to address it and continually evolve. You can use data and technology as a tool to differentiate and enhance your company, instead of it being used as a weapon against you.

Kevin P. Kalinich is co-national managing director of Aon Risk Solutions’ financial services group. Reach him at kevin.kalinich@aon.com. Chris Mower is senior vice president of Aon Risk Solutions’ financial services group. Reach him at (314) 854-0806 or chris.mower@aon.com.

Published in St. Louis

The U.S. economy has traditionally been product based, with companies increasing revenue by selling more products. However, as technology has expanded, the emphasis has shifted, says Kevin P. Kalinich, Co-National Managing Director of Aon Risk Solutions’ financial services group.

“There has been an evolution and transformation in the economy from product based to service based, and an increasing reliance on electronic data,” says Kalinich. “These two changes apply to all companies, both product and service oriented. As a result, analysis has determined that more than 75 percent of an entity’s value is in its information assets.”

Smart Business spoke with Kalinich and with Martha Jacobs, a Senior Vice President with Aon’s Financial Services Group, about how to protect your company’s valuable information from cyber threats.

What is cyber liability?

Cyber liability is the potential exposure of losing, destroying, or unauthorized disclosures of that goldmine of data. The data can be trade secrets, customer lists, or third-party data, such as customers’ personally identifiable information, credit card, Social Security or bank account numbers.

The unique exposure issue with cyber liability is that it is not based on the size of your company. If you look at directors’ and officers’, property insurance or general liability, the biggest factors are the capitalization of the company, revenue or amount of property. Analyzing these factors is how you evaluate exposure. With cyber liability, a small or medium-sized company could have catastrophic amounts of data.

What are the most common cyber threats?

The highest profile threats are hacking attacks. Third-party hacker attacks are getting the most attention now that the federal government created a cyber protection policy and is promoting an international strategy for cyber space. The larger exposure is social engineering, which is the negligence of entities in dealing with their data and mistakes people make apart from any IT security issues.

Both types of exposure can be addressed. To combat third-party hackers, entities must understand the best methods for risk mitigation. Companies can also ensure they have the best IT standards implemented.

For insider or negligence exposures, training and implementation of those practices is still important, but so is human behavioral engineering. When your HR department employees interview someone, are they trained on what they should or shouldn’t be doing? Do you have annual usage monitoring of employee computers? Do employees take an updated training course every year and click a box stating they understand the company’s data protection policy? While third-party hacking is more about IT security and encryption, there are more policies, procedures and guidelines involved in avoiding negligence.

How can employers fight these threats?

The first steps are identifying critical information and classifying the data. Critical information could involve credit card numbers for a business, patient information for a medical organization, or student information for an educational institution. You should classify critical data versus not-as-critical data, such as e-mail addresses or addresses without personal information. Once you classify that data, treat it differently. Different people might have access or there might be different protections; for example, critical data may have 100 percent encryption.

Why is it important to classify lower-priority data as less critical?

Because of cost and efficiency. You can paralyze yourself if key employees don’t have access to the data they need to do their jobs efficiently without being burdened. There is also a greater cost involved to implement more stringent IT procedures. It’s just not practical for everything to be 100 percent encrypted.

How can cyber threats hurt your company?

You can have third-party liability for the breach, in which you must pay defense costs and indemnity for individuals who have been harmed. You can have a loss of reputation. Also, there could be fines and penalties from government authorities, HIPAA, or credit card companies. Data exposures introduce a number of potential lawsuits.

How can companies determine if they need cyber liability insurance?

There are a few issues to handle before considering insurance. Most entities have outsourced information and you have to make sure that third-party vendors are in compliance with your IT security protections. You need a representation and warranty from the vendor stating that its company is up to standard and will hold harmless and indemnify you, because it has your critical data.

Contractual allocational liability is a critical component of the risk transfer, because cyber insurance is based on how much exposure the entity has versus how much is outsourced to third parties and how liability is allocated.

The next step is drafting and implementing a data breach response plan that identifies what to do in the event of a breach. The plan should identify a legal expert to assist with the breach, a forensics expert to determine the extent of the breach and how to stop it, and whether an auditing investigation or credit monitoring is necessary. Also, explore your existing insurance. Look at your general liability, property, crime and D&O policies. You may already have coverage for breaches of data, data loss and media, copyright and trademark issues.

What should companies do if they find gaps in those areas?

If you’ve identified gaps, then consider cyber insurance, which is intended to address the gaps in privacy and security exposures in current policies. Begin to address it and continually evolve. You can use data and technology as a tool to differentiate and enhance your company, instead of it being used as a weapon against you.

Kevin P. Kalinich is Co-National Managing Director of Aon Risk Solutions’ Financial Services Group. Reach him at kevin.kalinich@aon.com. Martha Jacobs is a Senior Vice President with Aon’s Financial Services Group. Reach her at (412) 594-7535 or martha.jacobs@aon.com.

Published in Pittsburgh

There are more than 17,000 environmental laws and regulations worldwide. How sure are you that your business operations are in compliance?

Environmental insurance has become a hot topic the last several years, mainly because even though most companies have environmental exposures, those risks are excluded from most liability and property policies, creating a major gap in coverage.

“An experienced, specialized broker can help you recognize exposures, understand the regulatory climate and provide solutions, whether it is insurance or other risk mitigation options to satisfy coverage needs or financial assurance requirements,” says Michael R. Szot, executive vice president, global practice leader, Environmental Service Group, Aon Risk Solutions.

Smart Business spoke with Szot, Gregory E. Schilz, managing director, Environmental Service Group, Aon Risk Solutions, and Dale Cira, director, Specialty Environmental, Aon Risk Solutions, about how to protect your company from environmental risk.

Why should businesses be concerned about environmental risk?

Many companies are unaware that they do not have proper protection against environmental risk, but virtually any company that owns or leases property has exposure to environmental risk. If a company transports potentially harmful materials, it has environmental exposure. An experienced environmental broker can point where exposure exists and whether companies have coverage for it in their current program. Companies may have some limited environmental coverage built into their current policies, but a broker can identify if they have a gap.

How can businesses assess whether they have a gap in their environmental coverage?

Companies may not  understand their environmental risk. The starting point is a coverage gap analysis, in which a broker reviews current policies to determine if their insurance program provides any environmental coverage. The answer generally depends on the company and the country in which the company operates, but usually, coverage for environmental exposures is limited, at best.

Next, the broker will make a site inspection and perform a policy review highlighting  where the company has exposures and its gaps in coverage to environmental risk. Then, the company will receive solution sets showing how to fill any gaps with an environmental insurance product or other mechanism.

In many cases, they may choose not to buy insurance; they may intentionally self-insure risk. But to not know the risk level would be a mistake for any organization.

What types of problems are covered with environmental insurance?

The biggest issue is pre-existing, unknown conditions. Whenever a business considers buying a property, whether it is an undeveloped or currently developed piece of land, there is always a question about the historical use of that property. Even an undeveloped piece of land with grass growing on top of it could have been used 30 years ago as a plating facility, with lead, zinc or toxic minerals in the ground. That is the single largest driver that causes businesses to consider environmental insurance — what they don’t know about a property they are buying.

How does environmental insurance handle new issues?

Typically, this coverage focuses on insuring unknown issues that may be associated with a site. But there are also insurance policies for situations in which you have existing contamination on a site and you are trying to cap the potential cost of that risk.

You may think the risk is a $5 million problem and you don’t want it to end up being a $30 million problem. By capping that cost, businesses know if a risk becomes a larger problem than anticipated, additional insurance can protect them from that worst-case scenario. Also, most pollution policies are written on a ‘claims-made’ basis — a claim has to be reported during the policy term. However, environmental insurance policies, if crafted correctly, can have full pre-existing coverage conditions applying, with no retroactive limitation. So if the policy is placed today, it covers everything that happened in the past but that you don’t know about yet.

Why is environmental insurance growing in popularity?

It is a very advantageous market for companies considering environmental insurance for the first time or renewing their coverage. Conditions are favorable primarily due to the fact that the market has grown. Three years ago, only a few major insurance carriers offered environmental products or coverage. Today, more than 20 active markets offer some form of pollution liability coverage.

Current events — the Gulf Oil Spill and the Japanese earthquake and tsunami — cause people to think about the environment. Those are dramatic events, but smaller issues happen every day. Awareness is augmented by public and government regulators and the number of laws in place — more than 17,000 worldwide — many of which are conflicting and very complex. Companies require individuals who are staying on top of those issues to advise them on their potential liability and how best to mitigate that liability.

The market is also growing in response to major regulatory changes in the European Union. The regulatory framework of the EU’s Environmental Liability Directive creates new liability — a ‘polluter pays’ model. It also requires financial assurance, which can usually be satisfied by insurance, bonds, surety, escrow accounts, trust funds or cash.

Assurance is voluntary, but several countries have committed to moving to compulsory financial security, and there is pressure for others to do so in the name of consistency.

For affected companies, specific pollution legal liability coverage is a solution. It can be modified  to match ELD requirements and exposure for environmental liability.

Michael R. Szot, CPCU, ARM, is executive vice president and global practice leader, Environmental Service Group, Aon Risk Solutions. Reach him at michael.szot@aon.com or (213) 630-3253. Gregory E. Schilz is managing director, Environmental Service Group with Aon Risk Solutions. Reach him at gregory.schilz@aon.com or (415) 486-7652. Dale Cira is director, Specialty Environmental, Aon Risk Solutions. Reach him at (314) 854-0724 or dale.cira@aon.com.

Published in St. Louis

There are more than 17,000 environmental laws and regulations worldwide. How sure are you that your business operations are in compliance?

Environmental insurance has become a hot topic the last several years, mainly because even though most companies have environmental exposures, those risks are excluded from most liability and property policies, creating a major gap in coverage.

“An experienced, specialized broker can help you recognize exposures, understand the regulatory climate and provide solutions, whether it is insurance or other risk mitigation options to satisfy coverage needs or financial assurance requirements,” says Michael R. Szot, executive vice president, global practice leader, Environmental Service Group, Aon Risk Solutions.

Smart Business spoke with Szot, Gregory E. Schilz, managing director, Environmental Service Group, Aon Risk Solutions, and Paul D. Maxwell, senior account executive, Aon Risk Solutions, about how to protect your company from environmental risk.

Why should businesses be concerned about environmental risk?

Many companies are unaware that they do not have proper protection against environmental risk, but virtually any company that owns or leases property has exposure to environmental risk. If a company transports potentially harmful materials, it has environmental exposure. An experienced environmental broker can point where exposure exists and whether companies have coverage for it in their current program. Companies may have some limited environmental coverage built into their current policies, but a broker can identify if they have a gap.

How can businesses assess whether they have a gap in their environmental coverage?

Companies may not  understand their environmental risk. The starting point is a coverage gap analysis, in which a broker reviews current policies to determine if their insurance program provides any environmental coverage. The answer generally depends on the company and the country in which the company operates, but usually, coverage for environmental exposures is limited, at best.

Next, the broker will make a site inspection and perform a policy review highlighting  where the company has exposures and its gaps in coverage to environmental risk. Then, the company will receive solution sets showing how to fill any gaps with an environmental insurance product or other mechanism.

In many cases, they may choose not to buy insurance; they may intentionally self-insure risk. But to not know the risk level would be a mistake for any organization.

What types of problems are covered with environmental insurance?

The biggest issue is pre-existing, unknown conditions. Whenever a business considers buying a property, whether it is an undeveloped or currently developed piece of land, there is always a question about the historical use of that property. Even an undeveloped piece of land with grass growing on top of it could have been used 30 years ago as a plating facility, with lead, zinc or toxic minerals in the ground. That is the single largest driver that causes businesses to consider environmental insurance — what they don’t know about a property they are buying.

How does environmental insurance handle new issues?

Typically, this coverage focuses on insuring unknown issues that may be associated with a site. But there are also insurance policies for situations in which you have existing contamination on a site and you are trying to cap the potential cost of that risk.

You may think the risk is a $5 million problem and you don’t want it to end up being a $30 million problem. By capping that cost, businesses know if a risk becomes a larger problem than anticipated, additional insurance can protect them from that worst-case scenario. Also, most pollution policies are written on a ‘claims-made’ basis — a claim has to be reported during the policy term. However, environmental insurance policies, if crafted correctly, can have full pre-existing coverage conditions applying, with no retroactive limitation. So if the policy is placed today, it covers everything that happened in the past but that you don’t know about yet.

Why is environmental insurance growing in popularity?

It is a very advantageous market for companies considering environmental insurance for the first time or renewing their coverage. Conditions are favorable primarily due to the fact that the market has grown. Three years ago, only a few major insurance carriers offered environmental products or coverage. Today, more than 20 active markets offer some form of pollution liability coverage.

Current events — the Gulf Oil Spill and the Japanese earthquake and tsunami — cause people to think about the environment. Those are dramatic events, but smaller issues happen every day. Awareness is augmented by public and government regulators and the number of laws in place — more than 17,000 worldwide — many of which are conflicting and very complex. Companies require individuals who are staying on top of those issues to advise them on their potential liability and how best to mitigate that liability.

The market is also growing in response to major regulatory changes in the European Union. The regulatory framework of the EU’s Environmental Liability Directive (ELD) creates new liability — a ‘polluter pays’ model. It also requires financial assurance, which can usually be satisfied by insurance, bonds, surety, escrow accounts, trust funds or cash.

Assurance is voluntary, but several countries have committed to moving to compulsory financial security, and there is pressure for others to do so in the name of consistency.

For affected companies, specific pollution legal liability coverage is a solution. It can be modified  to match ELD requirements and exposure for environmental liability.

Michael R. Szot, CPCU, ARM, is executive vice president and global practice leader, Environmental Service Group, Aon Risk Solutions. Reach him at michael.szot@aon.com or (213) 630-3253. Gregory E. Schilz is managing director, Environmental Service Group with Aon Risk Solutions. Reach him at gregory.schilz@aon.com or (415) 486-7652. Paul D. Maxwell is a senior account executive with Aon Risk Solutions. Reach him at (248) 936-5356 or paul.maxwell@aon.com.

Published in Detroit