These days, some risks present a greater degree of reputational and governance risk to a business than others. Traditional perils pose less of a reputational challenge than they once did. Long-established risk management techniques can help ensure that a company manages its property or public liability risks effectively.
But complex risks such as cyber, terrorism and environmental liability are more difficult to quantify and manage. From polluting a river in Brazil, to a cyber hack in Bangladesh and a terrorist event in Indonesia, for example, they can create huge potential to damage a company’s reputation – and today the scope of these risks is truly global. For these types of perils, corporate responsibility and governance must work hand in hand with insurance risk management to protect the business and the brand.
AIRMIC’s 2016 research suggests that reputational risk is the number three exposure concern among UK risk managers.¹ There is also an increasingly clear consensus that responsibility for reputational risk resides with the board and a survey by Deloitte² supports this idea: 36% think that the CEO is responsible, 21% believe it’s the chief risk offi cer, 14% suggest it’s the board of directors as a whole and 11% name the CFO. So, what do senior managers require their risk management teams consider when it comes to insuring complex risks, promoting good corporate governance and managing the threat to corporate reputations?
Three broad categories serve to illustrate the threat to corporate reputation from complex risks: privacy, people and pollution.
Many businesses are still learning about the liability arising from a data breach. AIRMIC’s survey indicates that over half of the risk managers surveyed don’t currently have insurance for cyber-related crimes even though few companies or industries are immune from a breach or attack and any serious event will be sure to damage the company’s reputation. The issue is also one of regional importance as the European Union introduces new Cyber Directives; this legislation expands jurisdictional oversight as the regulations don’t specify where a company is domiciled but rather where and with whom the company conducts business.
Many businesses are still learning about the liability arising from a data breach
Environmental incidents can also gain traction quickly in the public eye and damage a brand. While a petrochemical company has obvious exposures, today any company that owns, uses, buys or sells property; operates on third-party premises; or uses, stores or transports a substance that may cause contamination, can potentially be at risk. Moreover, there is a trend in several markets including Argentina, Australia, China, the EU and India for regulators to hold senior executives personally responsible for their company’s failures in this area.
Meanwhile, concerning people risk, Chubb’s research with European executives last year showed that most European employers have a good understanding of what constitutes effective duty of care to their employees and countries such as Germany, France and the Netherlands have enacted duty of care laws to protect employees.
Companies that fail to provide a consistent level of duty of care risk harming their employees and being subject to high-profile reputational and financial loss, and attracting public opprobrium from regulators and the public.
Terrorism events also pose a similar threat to a company’s corporate profile and people alike. The Thai riots in 2010 cost an estimated US$1bn in property damage alone.³ The cost of business interruption for businesses that weren’t targeted but were unable to function during the coup, and the after-effect of lost revenue from travel uncertainty is more difficult to calculate.
For these complex risks, good insurance is more than just about a policy wording and financial strength. A credible and sustainable solution will also help to promote good corporate responsibility and manage complex risks. It should include consultative expertise for pre- and post-loss event management, and responsibly mitigate any adverse impact on reputation.
It’s important to remember that stakeholders in today’s public multinational companies aren’t just customers. Interested parties include institutional shareholders, employees, municipalities, regulators and the board of directors. This expanded group will ask ‘how have you anticipated and prepared for this event? Who will pay and how will any crisis be managed?’
A key challenge for those responsible for corporate stewardship is to ensure that the right insurance solution is chosen. Protecting reputation and trust with all stakeholders depends on an enterprise risk management approach and should include consultative front-end and back-end services customised to different businesses.
For cyber risks, a prudent insurance programme should therefore include provision for reputation management and PR costs in a crisis. A full enterprise risk management approach should also include benchmarking before a policy is bound, supported by detailed risk engineering surveys that suggest measures to reduce the risks of breaches or attacks and enhance vigilance and preparedness generally. With the support of the right external partners, the insurer can also provide guidance to prepare, plan and test for an event, and offer access to expert consultants who help the company respond when an incident occurs.
For environmental risk, a complete solution should likewise include a focus on developing an effective crisis management plan and providing a crisis response helpline with access to specialist experts who can help the company contain the media or other fallout and get back on its feet quickly.
For employees who travel on business there are now additional benefits sometimes available under a group personal accident and travel policy. Smartphone apps give employees access to global alerts on political events or natural disasters, or medical and security assistance. Technology can also allow the company to send alerts directly to employees in the middle of an event and, importantly, to track and locate them using the GPS on their phones.
Increasingly these days, complex risks that pose reputational threats may not fit into clear-cut categories any more. Recognising this, Chubb Global Markets has also recently formed a Special Risks Unit. This is designed to bring together expertise from different regions, business areas and product lines, to meet the customised needs of large global companies with particularly bespoke and complex needs. The unit can also partner with external experts whose techniques measure brand and reputation in a more quantifiable way. Over time, we believe this unit may help us to define new areas of insurance that may never have been considered previously.
Local cyber, terror, environmental liability and business travel policies can be integrated into a wider multinational programme, but many clients remain unaware of this and continue to purchase cover for these risks with a single global policy.
In parts of Latin America for example, cyber is still an emerging product although insurers are now beginning to expand into the region and offer cover in an integrated multinational programme. The market for environmental liabilities is more mature, with Chubb playing a consultative role with regional regulators to develop new pollution protection regulation. While a global policy is compliant in the majority of circumstances, and may make sense when managing enterprise risk because the reputation of the brand is at stake, it can make local claims servicing and valuation of a local claim more challenging.
Not having a local policy can be even more detrimental in certain circumstances. Cover for accidental death or dismemberment is a good example. Without a local policy in place and not understanding where employees travel, the parent company may receive the death benefit and not the affected beneficiary resident in another country. This may create fiscal and tax issues for the parent that could have been avoided with a local policy.
From an oil spill in Australia to a terror attack at a shopping mall in Kenya, for multinationals the key element to structuring a credible and effective global programme has long been ensuring that the programme complies with the right regulations, from policy wordings to claims handling. Today, however – in addition to meeting the compliance challenge – tailored support services such as consultative local expertise, leading edge technology, and the ability to track the programme’s performance online should be “must haves” to help an organisation mitigate reputation risk.
All this leads to the conclusion that the importance of comprehensive insurance that includes a full suite of enterprise risk management options has never been greater, particularly for a multinational. With foresight, planning and expertise, insurance solutions can be designed to mitigate reputational damage as risks are becoming ever more complex and globalisation adds further layers of complexity. On our part, with our people, presence and technology, Chubb is in a strong position to work with risk and captive managers on all aspects of multinational insurance protection.
¹ AIRMIC pre-conference survey 2016
² Deloitte 2014 Global Risk Survey http://www2.deloitte.com/global/en/pages/governance-risk-and-compliance/articles/reputation-at-risk.html
³ Business Insurance: http://www.businessinsurance.com/article/20100530/ISSUE01/305309973/demonstrations-in-thai-capital-leave-more-than-1b-in-damage
He leads and manages the Global Client Executive Practice for Chubb’s Overseas General Insurance Division, which serves large multinational customers around the world with complex underwriting and servicing needs. Previously, Krishnan served as General Counsel for ACE (now Chubb) Group’s Multinational Client Group, General Counsel of ACE USA, the US-based retail operations of ACE, and General Counsel of ACE Financial Solutions, the company’s structured insurance division.