When the insurance broker Aon Benfield published its latest annual survey of the major risks faced by companies, insurance managers in our largest corporations noted ruefully that it would be impossible to buy insurance for more than half the risks listed.
There are two reasons for this. One is because companies worry about big things which are often out of their hands. The risk of economic downturn, of regulatory intervention, of new, more innovative competitors, a commodity price surge or a liquidity squeeze are not something you can buy cover against.
But it is not all hopeless. There is usually some cover available to offset damage to reputation, business interruption, the departure of key people and losses caused by political uncertainty.
However, the problem is that companies and the worlds in which they operate have changed faster than the insurance industry in the last 20 years. The value of most large companies has moved from being represented by tangible assets, such as plant, machinery, buildings and so on, to intangibles. These are hard to measure things, such as reputation, intellectual property, brands, client goodwill, the R&D pipeline, technology and indeed the business model itself.
Today, with conventional processes outsourced, the value embedded in Western business comes from these assets and the associated soft skills, such as design and marketing for example, interacting with deeply embedded scientific knowledge.
This means that the conventional risks of yesteryear – fire, flood and theft – have been superseded by new and intangible dangers, such as reputational risk and cyber-security threats. That makes business and its risks far more unpredictable.
When it comes to a claim, it really matters what the policy covers and what is excluded
Clearly, reputational damage can come from many sources. Suppliers cause problems as with horsemeat or sweated labour; disaffected employees leak sensitive secrets or a disgruntled customer might just set of a media firestorm on Twitter. Co-operative chief executive Euan Sutherland felt he had to resign after his pay details were leaked and he misjudged the backlash that would come from defending himself publicly on Facebook.
And even when cover is available for reputational damage, it may well only cover the cost of emergency PR, not the long-term loss caused by customers who desert and don’t come back. That is like covering the cost of the fire brigade, but not of the burnt-down factory.
Similarly with cyber threats. Cover is available and is bought. But with risks evolving so fast, there are inevitable gaps. Indeed that is the insurance industry’s challenge. It is now more innovative than perhaps at any time in its history. But the rest of the world is moving even faster and that is leaving insurers behind – or leads to messy arguments about who or what should be paid.
That certainly happens with supply chain problems. After the 2011 floods in Thailand, London insurers were getting claims from Canadian companies who had been let down by South African suppliers who could no longer get an essential component from Japan because the manufacturer there had his power supply knocked out by the Tsunami and had quietly sub-contracted to a Thai firm whose factory had been washed away.
Certainly, there is a loss here. But which insurance policy covers which bit of the chain? In which country should the claim be made? And how does the client pay its bills while the arguments drag on?
According to John Hurrell of Airmic, the risk management association, companies are threatened from both ends. Changing business models mean the percentage of the corporate risk map which is coverable by insurance is shrinking all the time, while the range of risks and the suddenness with which they emerge is increasing.
Another nightmare is that even when a chief executive thinks he is insured, he may not be. Bruce Hepburn at Mactavish, a research firm expert in the ways of the insurance world, says many companies are paying for policies which are not worth the paper – or screen – they are written on. If disaster strikes, the companies will find their insurer would be legally entitled not pay out.
The problem usually lies in the way insurance contracts are written. Policy wordings are complex and, the way UK insurance law stands, the interpretations are heavily weighted towards the insurer rather than the client. It has been known for a breach of any clause, for example propping a fire door open, to be invoked by the insurer to invalidate a whole policy, even if the claim resulted from a flood.
Again, according to Airmic’s Mr Hurrell, companies need to raise their game, get into the detail of policy and its disclosure provisions before they sign the contract. This may be no easy task in a multinational organisation where it is hard for management to know what is going on let alone ensure full disclosure to the insurer, but it has to be done.
Boards of directors also need to change the way they think about cost. Mr Hurrell believes that boards still see insurance as a commodity where price is the only thing that matters. But small savings can be insignificant if they come at the expense of major gaps in coverage. Insurance policies are not all the same. When it comes to a claim, it really matters what the policy covers and what is excluded.
Meanwhile, corporate buyers say the insurance industry is not doing enough to help them. This is true on one level, but unfair on another because, as mentioned earlier, the insurance industry is struggling like everyone else to cope with the pace of change.
Even in its most traditional areas nothing stands still. One big issue is working out how to cope with the retreat of the polar icecap and the plan to open a shipping route to Asia over the North Pole. The nightmare would be if a giant tanker, owned by one of the great brand names, had its navigation damaged by a terrorist cyber attack so it foundered off Greenland and caused an environmental disaster.
Best not to think about it – except in the insurance business they have to.
CASE STUDIES
CYBER RISK
With the Lloyd’s of London Risk Index 2013 rating cyber risk at number three, more insurers are now offering cyber insurance policies, writes Ellie Duncan
Gavin Davey, of accountancy firm Moore Stephens, says cyber risk can impact brand image and result in regulatory penalties. He warns third parties are responsible for 40 to 60 per cent of breaches. According to the Ponemon Institute, criminal cyber attacks (41 per cent) and human error (33 per cent) are the main causes. Its 2013 Cost of Data Breach Study found the average organisational cost of a UK data breach is more than $3.1 million.
SUPPLY CHAIN RISK
Supply chains have become more complex due to companies’ growing reliance on outsourcing. Specialist supply chain policies have come to market in response to businesses’ increased exposure to natural catastrophes. Caroline Woolley, of risk adviser Marsh, says companies take into account suppliers’ locations when quantifying exposure to supply chain risk. However, a review into the supply chain insurance market by risk management association Airmic in December 2013 found that, while relevant supply chain disruption insurance products are being developed, take-up is limited.
REPUTATIONAL RISK
Reputation is an intangible risk, but one which can cause significant financial loss. The Reputation Review 2012, sponsored by Aon, revealed that organisations have an 80 per cent chance of losing 20 per cent of their value once every five years due to reputational issues. Rachel Griffiths, a partner at reputational management firm Reputation Consultancy, says policies typically provide cover for the immediate response to a crisis, enabling a company to bring in PR or consultancy to minimise further losses. She says the policies available are largely reactive and do not consider the longer-term impact on reputation.