Nonprofits are cyber targets, too. Do you know your cyberrisk?

Any organization with a computer is at risk for cyberattack — and nonprofits are no exception.

In fact, nonprofits face unique challenges because they often don’t have the funds to build a strong IT infrastructure or purchase cyber insurance. Without an IT department, they also are likely to miss proactive steps like updating software and installing security updates, says Ryan Brandt, area vice president at Gallagher.

Smart Business spoke with Brandt about how nonprofits can mitigate their cyberrisk.

How common is it for nonprofits to experience cyberattacks?

It’s not something they’ll see every day, and nonprofit leaders may not be fully informed about cyberrisk and cyber liability insurance because it’s a new and rapidly changing risk area.

One leading cyber insurer studied cyber incidents since 2016 and found health care to be the largest industry to be impacted at 33 percent. This includes nonprofits that contract with health care entities and have access to medical records.

In addition, any nonprofit is susceptible to attack through its donation web page. This exposure falls into the retail sector in many surveys, and retail is another high-risk industry. In one instance, hackers donated $1,000 every month for six months, which was the time it took to penetrate the website’s vulnerable points. The hackers then stole 90 percent of the nonprofit’s grant balance.

Another study, commissioned by GuideStar, found that 78 percent of nonprofits have added mobile device capability to their donation traffic. This streamlined process creates ease of use, but it also increases the risk of a cyberattack.

What reasons do nonprofits give for why they don’t purchase cyber insurance?

It usually comes down to budgetary restrictions. Nonprofits have limited resources for cost items such as workers’ compensation, employee benefits and other insurances.

Also, some nonprofits rely on their IT vendor to provide the appropriate protection for their legal exposure following a breach. Unfortunately, in most instances, the protection is inadequate.

How should nonprofits address this risk, either through insurance or other activity?

Education is critical. Have someone come in to discuss the risks with your staff, such as the dangers of a phishing campaign, where, for example, your employees get an email that includes a chance to win Steelers tickets. However, when they click on the email’s link, it’s tied to hackers. Other risks are ‘spear phishing,’ which targets someone who handles the day-to-day finances like a controller, or ‘whaling,’ which specifically goes after someone in the C-suite.

Social engineering is a concern, especially if your nonprofit does international relief work. If the CEO or team leader is overseas, the home office may receive an email that looks legitimate, asking for money to be transferred. Ransomware, where the infrastructure is held for ransom, is another danger.

Cyber liability insurance is relatively inexpensive — yet too often it’s considered a luxury, not a necessity. Even if cyber insurance isn’t a line item on your budget, nonprofit leaders should evaluate whether their current insurance program could be modified to make the addition of cyber insurance a cost-neutral event.

As the threat environment continues to escalate across all industries, the insurance market is evolving to provide robust cyber solutions in a competitive market. Your risk management broker can assist you in developing a practical strategy to evaluate your cyberrisk and manage the financial risk of a cyber event in a prudent and thoughtful manner.

Insights Insurance/Risk Management is brought to you by Gallagher

Add dollars to a deal with the right captive insurance structure

From a high level, captive insurance programs offer companies flexibility to manage their unique risks.

Captives can also bring value to companies, and wealth to owners and stakeholders, but too often these opportunities aren’t recognized.

“Owners of a captive insurance program have access to the earned revenue that exists in the program,” says Andrew Seger, general counsel at Imprise Financial. “That money can be added back into the value of the company at the time of a sale or extracted when the owner exits. But the potential value that captives could contribute is commonly overlooked.”

Smart Business spoke with Seger about the ways captive insurance programs can be structured and how that affects company value.

What are the factors that determine how a captive insurance program is structured?

A captive insurance program’s structure is contingent on the needs of the business and the goals of ownership. Generally, structuring a captive as a subsidiary of a company places ownership of the captive with the operating company. Structuring as an affiliate puts ownership with the person or persons who own the company. In both instances, it’s a separate legal entity.

Owners who want to make sure the assets of the captive are going to be reported on the operating entity’s balance sheet should structure it as a subsidiary. In a situation in which only some of the shareholders are entitled to the profits of the captive, it’s best to structure it as an affiliate.

How does the structure of a captive program affect whether it is sold as part of the company?

Whether or not to include the captive in a sale is up to the buyers and sellers. Often it hinges on how important the captive is to operating the business. If it’s an entire franchise that’s being sold and all franchisees have insurance from the captive, that’s part of the value proposition and the acquiring company will want that program as part of the deal.

Other times, the buyer is not interested in the captive or it is not essential to business operations, which leaves the assets of the captive with the exiting owners to be extracted. In situations in which the captive is set up as an affiliate and more for long-term wealth building for the business owner, it’s not usually part of the deal.

How do buyers calculate a captive program’s value when it’s a part of the sale of a business?

When a captive is structured as a subsidiary of a company and the company is sold, bankers and private equity firms tend to add back to revenue the cost of its insurance premiums because it’s a risk management vehicle and not an expense — it’s not decreasing the revenue number that someone valuing a business would look at.

With the help of a captive manager, the purchaser will also project the future performance and profitability of the captive and work that into the value of the business. If the assumption is that the operating business is going to grow, the captive grows with it. It comes down to determining what the metrics will look like and how that affects EBITDA.

Valuing the unearned premium — money that’s tied to existing claims or policies and can’t be extracted — is accounted for differently. If there’s a lot of it, then there will be a larger risk of future claims. In that case, the captive manager will conduct an actuarial review of the projected future losses to help the parties agree upon a future valuation of the captive involved in the transaction.

That could also take into account the history of the captive’s operations and what the actuaries predict could happen while the premium is still unearned.

As with any business, there’s no perfect science to determining the value of a captive in a transaction, but the key is to get everyone involved to understand the captive’s operations and come to an agreement. That’s why having an experienced captive manager involved from the start of a program is critical.

They know how to get the most out of a captive based on the owners’ long- and short-term goals. Companies that don’t discuss their plans with a captive manager will have fewer options when major events, such as an exit or capital investment, occur.

Insights Insurance and Risk Management is brought to you by Imprise Financial

How to find the total cost of risk — and do something about it

When it comes to driving down your company’s risk management costs, employers may not always see the whole picture. In fact, depending on your individual business, you could save 20 percent of your insurance spend by focusing on additional risk cost drivers outside of your insurance premiums.

Six buckets of risks drive costs:

  • Insurance premiums.
  • Program structure.
  • Losses within a deductible/retention.
  • Uninsurable or uninsured losses.
  • Coverage gaps.
  • Contractual liability.

Most employers regularly manage their insurance premiums and program structure. The other cost drivers tend to slide under the radar.

“There’s no trigger that says I’ve got to be thinking about this right now — unlike your annual insurance renewal,” says Marshall Wunderlich, area president at Gallagher.

In other words, there’s no annual physical for the other cost drivers, even though they factor just as much into your total risk costs.

Smart Business spoke with Wunderlich about how to add the necessary checkups on all risk cost drivers to build a comprehensive risk management program.

Which companies are more successful at examining the total cost of risk?

The organization needs somebody who takes ownership for examining the frequency and severity of risk, with a process that’s connected to the business’s culture. Typically, that person is a risk manager in larger companies, or somebody on the executive team of a smaller company who has a passion for it.

How can organizations without an internal risk manager better manage these costs?

The solution is to find a risk adviser you trust who has the process down to a science, so you don’t have to. Your risk adviser needs a process that holds him or her accountable for delivering on measurable objectives on all these risk areas that drive your costs.

It’s not uncommon to find risk advisers who say they focus on more than your insurance program. It is uncommon to find firms that have it in their DNA and do it all the time for middle-market companies.

What are examples of manageable risk costs that can be decreased?

If you have a fleet of vehicles, you may decide to self-insure your first layer of risk with a high deductible. Then, you need to manage those costs as they come up, by asking questions. Should you be going to different garages? Why is a particular driver wrecking his vehicle multiple times?

These kinds of questions also can apply to safety costs. What’s your spend on personal protection equipment? Is it more cost effective to buy in bulk once a year, rather than as needed?

It’s a good idea to review your claims management process. Who is involved and when? How long does it take to report it? Who is communicating from the accident investigation back to the safety committee?

The same thing applies to contractual liability. As you enter into contracts, you are assuming risk. Somebody needs to be reviewing the language and tracking certificates of insurance.

Even if you’re reviewing trends, a deeper look may be warranted. If you had 100 claims last year and 70 this year, that’s good, right? But what’s driving the 70? Are there common denominators? How are you going to get from 70 to 35? Should you really feel good about the 70, or do your peers only have 10?

How can companies get started on this?

Executives understand that comprehensive risk management is important. There’s only so much you can save through insurance brokering. But it doesn’t have to be overwhelming or time consuming.

Start by identifying the top three to five risks that aren’t covered by your insurance program. Then, the next time you meet with your risk adviser, ask for help putting together a process to deal with them.

You’re paying your risk adviser to help you with costs that you’re insuring every year. So, create a relationship where you’re communicating regularly on these other buckets of costs. Then, agree on the objectives to be met and the process for holding each other accountable for the results.

Insights Insurance/Risk Management is brought to you by Gallagher

Know the rules and risk before flying a drone for commercial use

Years ago, the thought of drones being used in everyday life was something you would only see on the movie screen. However, this is the 21st century where technology is rapidly improving and becoming more advanced every day.

“Not too long ago, people stopped using drones just for a hobby and began to implement them as a part of their businesses,” says Patrick Zedreck, area assistant vice president at Gallagher. “The popularity of business owners using these unmanned aircraft can be attributed to the decrease in cost, the portability and their easy to access information without putting an employee at risk.”

Smart Business spoke with Zedreck and Brad Meinhardt, managing director of Aviation Insurance & Risk Management, North America, Gallagher, to get a risk management perspective on drones.

How are drones being used by employers today?

The possibilities are limitless, but they have been used for things like motion pictures, documentaries, sporting events (ESPN College GameDay) or by the construction industry. Loss adjusters are even using them for significant disaster events. Drone use is also growing in the agriculture, aerial survey, mapping and security industries.

As commercial drone use increases, the Federal Aviation Administration (FAA) is trying to balance safety rules for unmanned aircraft systems against innovation. The FAA’s Drone Advisory Committee has dissenting opinions about how civilian drones should be tracked by authorities, but the FAA is considering the committee recommendations in order to create a rule about flights over people and beyond the pilot’s line of sight. After that rule is crafted, expanded commercial uses would be pipeline patrol, energy grid infrastructure oversight, package delivery or medical supply delivery to remote areas.

What kinds of risks and potential liabilities do employers need to be aware of?

Similar to manned aircraft exposures, the biggest risks are bodily injury and property damage to third parties, and invasion of privacy (personal injury).

Commercial use is governed under the FAA’s Small Unmanned Aircraft Systems Rule or Part 107. It requires the drone be registered and the pilot be certified through the FAA. Drones need to be under 55 pounds and fly within a visual line-of-sight, during daylight or civil twilight, at or below 400 feet. They can’t fly near other aircraft, over people or controlled airspace near airports without FAA permission. However, the FAA does issue waivers for certain Part 107 requirements.

FAA violations for not following Part 107 guidelines can be significant, and local law enforcement entities are empowered to enforce them. Those liabilities are not insurable. But ultimately, the worst case for careless operations would be impacting a manned aircraft and causing significant loss of aircraft and passenger lives.

How should these exposures be covered, through insurance or otherwise?

The insurance is the same as manned aircraft coverage, but excludes passengers. There is a robust insurance marketplace willing to insure $1 million of coverage for about $800 to $1,000 annually, but higher limits are available. Physical damage to drones can also be insured.

Most firms that hire a drone operator require evidence of insurance, including additional insured status. Government entities, colleges, universities and nonprofits require insurance to access their facilities.

What else should employers know about drone liability coverage or drone operation?

Be careful to study and follow guidelines of FAA Part 107 if your organization is operating its own drone. You also want to buy insurance, just like you would for any other manned aircraft on an annual basis.

When hiring an outside drone operator, vet the operator to make sure it’s legal and following best practices. Secure the insurance information with additional insured status, and consider non-owned aircraft liability insurance for yourself if your use of third-party operators is frequent.

Insights Insurance/Risk Management is brought to you by Arthur J. Gallagher & Co.

How to detect safety hazards in the oil and gas industry

Oil and gas well drilling and servicing can be dangerous. It involves many types of equipment and materials, and recognizing and working to minimize the hazards is critical.

Employers need to control or eliminate occupational injuries, illnesses and fatalities among workers by being aware of likely safety risks, and most importantly making planning and prevention part of the everyday culture, says Taylor Troiano, area vice president at Arthur J. Gallagher & Co.

Smart Business spoke with Troiano about the biggest hazards of the oil and gas industry and what employers can do about these concerns.

What do oil and gas industry employers find to be the biggest safety risks?

Three of every five on-site fatalities in the oil and gas extraction industry are the result of struck-by, caught-in or caught-between hazards, according to the Occupational Safety and Health Administration’s (OSHA) database. These can come from moving vehicles or equipment, falling equipment and high-pressure lines.

The risk of fire and explosion is another concern for workers in the oil and gas industry. Flammable gases, such as well gases, vapors and hydrogen sulfide, can be released from wells, trucks, production equipment or surface equipment. They can ignite by static, electrical energy sources, open flames, lightning, cigarettes, cutting and welding tools, hot surfaces or frictional heat.

In addition, workers are often required to enter confined spaces such as petroleum and other storage tanks, mud pits, reserve pits and other excavated areas, sand storage containers and other confined spaces around a wellhead. In these confined spaces, flammable vapors or gases can ignite, and workers can face asphyxiation and exposure to hazardous chemicals. Confined spaces that contain or could contain a serious atmospheric hazard must be classified as permit required, tested prior to entry and continuously monitored.

How should drilling and servicing companies plan for and prevent these hazards?

Each drilling and servicing company should have its own safety program, which can be developed with help from your insurance broker/risk manager. For process-specific and task-specific hazards and controls, OSHA has an Oil and Gas Well Drilling and Servicing eTool that may prove helpful. It identifies common hazards and possible solutions to reduce incidents that could lead to injuries or deaths.

Oil and gas companies need to regularly evaluate worksite hazards and find solutions to minimize those. They should establish ways to protect workers, including developing and implementing safe practices for:

  • Confined space; excavations.
  • Chemical handling; exposure.
  • Chemical storage.
  • Electrical work.
  • Emergency response.
  • Equipment/machine hazards.
  • Fall protection.
  • Fire protection.
  • Hot work, welding, flame cutting operations.
  • Personal protective equipment use.
  • Power sources (lockout/tagout provisions, safe distance from power lines).
  • Working in the heat, long shifts.

If a worker points out a hazard, respond and correct it quickly. Educate, train and retrain your workers about the site hazards to promote worksite safety and awareness. For example, workers need to be aware of the swing radius of tongs and/or a spinning chain on a drilling rig floor. Lines and hoses need to be properly secured with whip-checks and connections that aren’t worn. If a pipe is being moved, a properly attached tag line can keep loads from shifting or falling suddenly — workers need to take the time to set one up before a lift. While working at heights, tail ropes can keep tools from falling on workers below.

When engineering controls alone cannot protect workers from overexposure to chemicals, noise or other hazards, the employer must provide personal protective equipment. In addition, don’t forget to make a plan for contractor safety and training.

Insights Insurance/Risk Management is brought to you by Arthur J. Gallagher & Co.

How to plan for potential business interruptions

Companies get interrupted by the unexpected — fire, machinery breakdown, street closure or supply chain issues. It happens. And like many things in business, planning is everything. More than 70 percent of companies that don’t have a comprehensive business continuity plan fail to recover from a significant business interruption event.

“The goal of a business continuity program is to minimize, if not avoid, the impact from any given business interruption event,” says Dereck Malzi, area assistant vice president at Arthur J. Gallagher & Co. “At a high level, it prioritizes the recovery of business processes and establishes an incident management structure designed to lead an organization through a crisis.”

Smart Business spoke with Malzi about how to set up a business continuity program before disaster strikes.

What steps should employers take now to prepare for business interruption?

A proper business continuity plan covers planning and preparation, response, recovery, and continual review and revision.

Start with a business impact analysis (BIA) and risk assessment to determine post-event recovery strategies and priorities before an event occurs. The BIA helps determine ‘what is at risk,’ the adverse impact on critical business functions if they’re interrupted and the ideal post-event recovery sequence. A risk assessment identifies the type of risks that have the potential to impact the company’s operations.

When a crisis strikes, time is of the essence. But typically, these events aren’t addressed in the policies and procedures. Developing emergency policies and procedures beforehand can save valuable time.

Timely and accurate communication is essential. The inability to communicate can result in unnecessary loss of life, business and customers. Having a process to handle the heavy volume of information gives companies the ability to make timely and accurate decisions. Poor communication and sharing of information is the No. 1 reason companies fail to fully recover from significant business interruption events.

Other important factors are:

  • Plan testing: Exercising or testing helps train staff and evaluate the completeness of written plans.
  • Education/awareness: No plan will be effective unless all employees and key external parties understand what is expected of them. An educational or awareness campaign helps ensure the successful execution of company plans.
  • Continual review and revision: It is extremely important that business recovery plans and strategies are revised on a continual and regular basis. Without this constant review and revision, plans can quickly become out of date.

How can a table top exercise help? How often does it need to be revisited, reviewed and practiced?

A table top exercise can facilitate discussion and preparation for any scenario, such as closed roadways, key personnel who are absent and power outages. This exercise helps review roles and responsibilities, and the participants can identify which functions are impacted and how to meet recovery time objectives for each. It helps them prioritize what to recover first and includes things like vendors, phone service, IT and data backup.

Once you’ve completed the exercise, make sure all gaps, new ideas and recommendations for improvement are identified, recorded and assigned to personnel for follow-up. Next steps can be to build on what was learned by making changes and clarifications to your written plan. Consider developing focused exercises for key business processes. Also, complete formal post-mortems on any event that impacts or has the potential to impact business operations and employees. Always keep learning to improve your plan.

What kinds of insurance are available to manage business interruption risk?

There is no cookie-cutter policy that will work for everyone. Business interruption insurance is designed to cover loss of income that a business suffers after a disaster. This can be paired with self-insured tools such as an 831b captive, depending on your appetite for risk. Your agent can help you put together the right program for your organization.

Insights Insurance/Risk Management is brought to you by Arthur J. Gallagher & Co.

Critical risks in the energy industry — and what to do about them

The energy sector seems to be doing well, especially in the Pittsburgh market. But with that upswing come two challenges that growing employers are facing: staffing shortages and increasing automobile insurance rates.

While these challenges aren’t limited to the energy industry, nearly all companies in the sector are struggling with them, says Tony DeRiggi, area vice president at Arthur J. Gallagher & Co.

Smart Business spoke with DeRiggi about what he’s hearing from the energy industry and ideas for managing these challenges.

Why are energy companies having trouble finding employees?

As these companies grow, they’re struggling to find good people. Certain jobs are especially hard to fill, such as welders or drivers with a commercial driver’s license (CDL). Most people who are skillful and have experience are already working. Many of the younger generation, those ages 22-30, aren’t choosing to do these jobs, even though they pay very well.

With difficult, physical jobs, many of the potential candidates willing to perform them have challenging work history issues, such as a DUI, a history of quitting jobs or they haven’t been working. The hiring company may be afraid that if it invests the time for new hires to get drug tested and trained, they may end up quitting. It’s a balancing act — managing turnover while striving for an acceptable return on investment.

While this is a problem across the board, the energy companies that didn’t downscale as drastically during the downturn rebounded quicker. Obviously, businesses couldn’t pay for more people than needed, but when the energy sector turned around, there was a bit of a hiring frenzy. The people with the most favorable employment history were picked up first, and now there aren’t enough qualified people in the talent pool.

How can companies overcome these staffing shortages?

Employers can get creative about finding candidates and increase recruiting efforts. Training and mentoring programs may need to be improved. Experienced employees can record detailed videos for operating important heavy equipment, for example, or rotate assignments to broaden experience and increase knowledge transfer.

Consider adding programs to make your organization a more attractive destination. This includes flexible schedules, paid time off, child care, employee assistance programs, and a total rewards program that incorporates an attractive compensation and benefits bundle with the promise of potential growth in the company.

What’s happening with automobile insurance rates? What can companies do about it?

In general, insurance companies are charging higher rates for any type of automobile exposure — it doesn’t matter if a business has heavy trucks or small vehicles on the road. The reason for the increase is more frequent and more severe accidents than history would predict, which is largely attributed to distracted driving.

Every company should implement hands-free driving and Bluetooth devices. Many companies don’t allow handheld devices in the car. Some have rules where employees aren’t allowed to answer their cellphone, Bluetooth or not, while they’re driving.

A few companies have added technology, such as Lytx or GreenRoad, to help safety ratings. These fleet safety solutions are usually used for commercial vehicles because it’s an investment per vehicle. They score drivers and let them know when they accelerate too fast, swerve, speed or hit the brakes abruptly. The problem is if a driver slams the brakes to avoid a deer, it’s a ding on the score. However, this technology should bring down close calls and accident claims.

Whether or not a company invests in safety technology, employers can create bonus structures for safe driving with different award levels. If someone’s score is low enough, management can move them to a different job or provide additional training.

If a company’s driving record improves, insurance companies will notice. That requires a strong fleet safety program with management support, ongoing supervision, driver training and ongoing education, vehicle maintenance and accident investigation. As a safe risk, insurance companies will be more inclined to compete for your business, even in a market where rates are generally rising.

Insights Insurance/Risk Management is brought to you by Arthur J. Gallagher & Co.

How to get back in your underwriter’s good graces

Effective risk management often involves avoiding risks before they occur, but accidents will happen and frequent accidents may cause the insurance company to raise your rates. Perhaps a project was plagued by job site accidents and cases became difficult to manage, so your workers’ compensation experience modification factor rating shifted unfavorably. Now what?

Employers must consistently make safety a priority and part of the overall culture. If they increase awareness and incorporate risk management, risk control and claims management into each department, there will be fewer employee injuries and vehicle accidents and reduced public liability. This lower cost of risk will help insurance companies see your company in a more favorable light.

Smart Business spoke with Patrick Zedreck, assistant vice president at Arthur J. Gallagher & Co., about how to control your losses and lower your costs.

How far back do underwriters look when determining rates? How long does it take to overcome a poor claim experience?

Underwriters use five years of claims history for most types of insurance. It can take three to five years to overcome a poor claim experience, but a business can argue that it has improved its accident prevention efforts and the past doesn’t predict the future.

If a company has claims that drive up rates, how can it lower those?

Any business, not just companies with poor experiences, should get into these habits. Start by reviewing claims management and risk exposures, such as safety policies, work practices and procedures, training and management practices that promote safety. Analyze loss-run claims and accident data to identify the causes driving loss trends.

Review covered vehicles or machinery to make sure everything is still being used. If you’ve experienced turnover, update your driver list. You may be insuring a problem driver you no longer employ. Make sure your employees are classified correctly, so workers’ compensation rates are accurate.

Work with your agent on premium reduction and risk management strategies. You can take on more risk by increasing deductibles or eliminating an exposure, and implement preventive actions that eliminate or greatly reduce the possibility of a large claim happening again. You also could subcontract out the types of accidents causing exposures and eliminate them from your insurance. If you take this approach, it’s critical to have appropriate risk transfer agreements with the subcontractor (i.e. hold harmless/indemnification agreements and adequate insurance requirements).

What training are underwriters looking for? 

They typically want training to address the types of claims an organization is having. If employees are experiencing back strains, then underwriters want to implement safe lift training. If vehicular accidents are too common, require a defensive driving class.

How can a business improve its safety plan? 

Training employees in workplace safety, automobile operation, property protection and employment practices liability is just the beginning. Employers need to make supervisors responsible for safety, with their compliance to the safety plan part of their evaluation. Workplace safety committees also should be used as a vehicle for employee engagement and ownership of the risk management program. If employees don’t ‘buy in’ to what an organization is trying to implement, programs cannot succeed.

Identify additional sources of injury and unsafe work practices with your agent. A comprehensive service plan to mitigate hazards, correct unsafe behaviors and improve supervisory controls needs to remain a priority, not sit on a shelf. To make safety part of everyday life, add activities throughout the year, such as:

  • Safety and security assessments of facilities and properties.
  • Comprehensive site-specific emergency response plans that are discussed regularly.
  • Table-top training exercises with the staff and random site audits to benchmark safety and security readiness.
  • Workplace safety committees that promote employee involvement and ownership of risk management.

Any company needs to manage its risk and loss experiences, but to lower your rates, you’ll have to show that you’re taking steps to lower your risk profile.

Insights Insurance/Risk Management is brought to you by Arthur J. Gallagher & Co.

Enhance your risk management program with data-driven strategies

It’s not unusual for a company’s finance department to manage the insurance premiums and program structure, while HR and safety manage claims and loss control programs.

“Each department measures its own results, but until the company reviews all top drivers of the risk management costs holistically, it isn’t truly measuring the success,” says Kathy Betts, Area Vice President at Arthur J. Gallagher & Co.

For example, a company might resolve a workers’ compensation claim. But that payment might not be the best financial decision, could set a precedent for future claims or not address the root cause, such as a problematic shelving unit.

Smart Business spoke with Betts about implementing data-driven strategies for a holistic view of your risk management costs.

How do successful companies measure their risk management and safety programs?

It’s surprising how many companies don’t know how to effectively measure the success (or failure) of their programs. A few key considerations allow successful companies to get it done. Identifying, capturing and tracking the right data is the first step. Then, communicate goals and results throughout the company while encouraging employee input. To sustain long-term consistency and success, keep it simple.

What should be tracked and communicated?

Identifying key performance indicators (KPIs) and tracking them as a function of a meaningful exposure — payroll, sales or even number of units or pounds shipped — provides a clearer picture. KPIs should focus on common and costly types of losses or exposures. It’s important to capture and use accurate information and consider variables like state of operation, a recent acquisition or a law change. Beyond tracking KPIs, understand how those components affect the total cost of risk, which includes contractual risk transfer, program structure, etc. Are you getting worse or better?

How do companies bring it together to accomplish a holistic view?

Have finance, HR and safety all involved in understanding the full consequences of a program they’re purchasing, the size of the deductible, whether to settle a claim or even whether to insure something. Companies typically have internal one-pagers the leadership team reviews regularly, so top leadership should add some measurement of risk to the overall KPIs. Then, filter those throughout the organization. With more awareness, employees take ownership. If it’s not looked at holistically, you miss learning opportunities. If different disciplines look at what happened and how to prevent it, people may say, ‘That’s an easy fix.’

How can your insurance agent help implement a data-driven strategy?

The challenge with measuring and making data-driven decisions is capturing the right data — not only about your company, but also your industry. You need accurate information to make accurate decisions.

By working with someone who deals with different companies, he or she can help identify best practices and places to start. It takes sophistication to measure and track this. Plus, you have to prioritize; you can’t do it all. Beyond that, it’s important to convey what you’re doing to stakeholders, like insurance companies, so that you’ll get the best results. Your agent can provide some brief reports and assist you with communicating all your efforts. Your agent can also help identify an emerging issue so you can consider taking proactive measures, like driver training to prevent hijacking.

How do companies ensure long-term consistency and success?

A program may run smoothly until someone leaves. Again, keep it simple; if you get too in the weeds, it becomes hard, or frankly impossible, to manage. Accountability is key. Depending on the company size, it helps to split risk management into finance, HR and safety/physical activities, with one person to pull it all together. Update your plan annually, identifying top indicators and what activities you can perform to address those exposures, along with consistent internal communication. Set goals and see how you did at the year-end. Prevent as much of the cost of risk as you can by being proactive and getting input from the field. If you have good prevention systems in place, you’ll feel more comfortable assuming more risk.


Rethink the need for D&O

For many private companies and nonprofits, the cost of defending and settling an uninsured lawsuit could significantly impair or destroy the entity itself. This isn’t news. But spending a little more premium to package directors and officers liability (D&O) insurance onto your employment practices liability coverage could turn out to be one of the most important assets for your organization.

Many people think that by being a smaller private, nonprofit and/or family-run business, there is no potential for a D&O claim to occur. However, this unfortunately is not the case, says Dereck M. Malzi, area assistant vice president at Arthur J. Gallagher & Co. Regardless of the talent or strength of the organization or its management, even frivolous lawsuits can occur and the costs to defend them are on the rise. Even if your organization doesn’t have a large board, the coverage may kick in for any individual who is acting in the capacity of a director or officer.

“There’s a reason why some board members won’t agree to join your organization without D&O coverage,” Malzi says.

Smart Business spoke with Malzi about the importance of D&O and why spending a little more may be worth it to your organization.

What are some examples of claims scenarios where D&O could come into play?

Let’s say the vice president of a manufacturer determines that diversifying into a different product line presents tremendous sales potential for his company. Instead of presenting that opportunity to his employer, the VP shares his idea with his brother who forms a new company to produce that product. On behalf of the company, a shareholder might sue the VP, alleging that he wrongfully took advantage of an opportunity belonging to the corporation.

Another example would be if investors file a $5 million derivative lawsuit alleging breach of fiduciary duty. They might claim some of the officers had personal connections to a third-party contractor hired to re-tool the assembly line, so the contractor wasn’t hired to further the interests of the company. The suit could allege that other officers and directors breached their duty of care by undertaking the project without properly investigating the qualifications of the contractor.

Another scenario could involve misuse of funds. A state attorney general might sue a charitable foundation, alleging the trustees were excessively compensated and devoted insufficient time and resources to support the foundation’s intended purpose.

In all three of these examples, the settlements and attorney’s fees could run to several million dollars, which would put a significant strain on almost any organization.

How does fiduciary liability insurance differ from D&O?

D&O and fiduciary are typically bundled together, but D&O provides coverage for mismanagement, conflicts of interest, unwarranted compensation, failure to fulfill the organization’s mission, etc. Fiduciary liability insurance is specially designed to protect against claims alleging violations of the Employee Retirement Income Security Act of 1974.

What types of D&O insurance are available?

D&O insurance has three sides to it:

  • Side A, ‘non-indemnified individuals’ — This provides coverage for individual directors and officers on claims that are not indemnified by the corporation, usually since it is either not legally permissible to indemnify or there are no funds to indemnify. Generally, Side A coverage has no deductible.
  • Side B, ‘indemnified individuals’ — This provides coverage reimbursement on claims against individuals who are indemnified by the corporation.
  • Side C, ‘entity coverage’ — This provides coverage to an organization for claims made against it, separate and apart from claims made against the directors and officers.

This information is the tip of the iceberg on the subject. Make sure you speak with a D&O insurance expert before you decide to pass on this protection for you and your company.
