Mid-market risk management: Known unknowns

Risk management is a challenge but also an opportunity for mid-sized businesses. Risk Management for Mid-Sized Companies, produced by Insurance Times’s sister publication StrategicRISK, says that risk management adds value to mid-market companies’ business, providing competitive edge and enabling informed decision-making.

In the absence of disasters, it is difficult to assess the benefits of those risk management strategies that focus on safeguards against certain events happening.

But there are concrete financial benefits from risk management. These can include reducing absence costs and minimising insurance premiums. Indeed, without the resources to self-fund risks to any great extent, insurance is an important part of the risk management toolkit for mid-market companies.

Brokers’ assistance is valuable not just in placing cover but also because dealing with several companies means that they see the big picture and can benchmark a company’s risk performance against that of its peers. They can also help companies establish the basics of risk management. This includes advice on:

• evaluating risks in terms of likelihood and severity, so that the company can decide which to insure, which to self-fund, and which to prioritise for risk management; and
• measuring the business’s risk appetite to help it make the right decisions on risk treatment and insurance purchase.

Managing supply chains

Outsourcing globally has introduced new risks as companies relinquish direct control to suppliers in regions that present unfamiliar threats. With diluted control, more than ever before businesses need to ensure that they can continue functioning successfully if a key supplier is put out of action.
While natural catastrophes have hit the headlines in 2011, they are not the only threat that suppliers may face. Other risks include the effects of the political environment in which they operate and financial instability.

Understanding the components and any interdependencies of the supply chain is of vital importance and companies should, at the very least, check out their first-tier (immediate) suppliers.

Supply train breaks

Mid-market companies also need to be aware of several factors here. For example, holding minimal stocks and relying on ‘just in time’ deliveries may reduce their operational costs but will make them more vulnerable to breaks in their supply chain. And they should not believe all they hear from suppliers on the effectiveness of risk management controls and financial standing. Suppliers tend to say what they think their customers want to hear, for obvious reasons.

It is also important that companies establish whether they will be given priority if a key supplier has a problem that restricts production and consider alternative sources. Splitting production between two suppliers can minimise exposure in the event of problems.

If a company is sourcing specialist products or components, it needs to check further up the supply chain beyond its first tier of providers to ensure that there is not just one small business supplying most of the companies that it and its competitors are relying upon for deliveries.

And supply chain risks don’t just revolve around business continuity. Suppliers who do not comply with a company’s corporate ethics or quality assurance standards can damage its reputation.

What about the workers?

Good risk management can reduce employers’ liability premium and also costs associated with employees’ sickness and absence. Robust health and safety management cuts uninsured costs, such as lost time, staff turnover and retraining.

The StrategicRISK guide suggests that companies implement a framework for continuous health and safety improvement. As a basis, companies should identify and assess workplace hazards, introduce safe procedures for employees and train them in the risks and controls.

The savings from introducing an effective absence management programme can far outweigh the investment involved. The aim should be to achieve a balance between helping employees with health problems to stay in and return to work, and preventing others from exploiting occupational sick pay schemes.

Effective absence management requires accurate measurement and monitoring to identify trends and explore underlying causes. Interventions for managing long-term staff absence include involving occupational health departments and taking proactive measures to support staff health and wellbeing, as well as return-to-work interviews and rehabilitation programmes.

Managing product recalls and reputation

With the growing number of product recalls being required by authorities, this is another area where brokers’ mid-sized clients are likely to benefit from advice. While companies’ criteria for product sourcing are likely to relate mainly to costs, they should also be aware that China is the single greatest source of notified potentially dangerous products, representing as much as 62% of all UK consumer recalls last year.

Recall insurance has become more affordable and widely available, and cover can include the costs of specialist consultants to help companies avoid long-term reputation damage.

Insurance is worth considering as recall costs can be high, including tracing products, the costs of reclaiming them, advertising, product testing, repair or disposal, possible loss of business from disaffected customers and business interruption from closure of a production line being investigated.

Cyber risks

Although the cases of data breaches that hit the headlines tend to involve large companies and public sector organisations, mid-market companies cannot afford to be complacent. Reports suggest that hackers are more likely to target smaller rather than larger companies because they consider it will be easier to break into their systems.

Stricter data breach laws

Medium-sized companies can find the financial penalties significant. In 2010, the average cost of a data breach in Europe was about £1.9m and this figure is expected to rise, with stricter laws being implemented throughout Europe. Costs include issuing mandatory data breach notifications to customers and authorities, as well as civil regulatory fines and penalties.

The conclusion must be that companies in all sectors need to protect against hacker attack, lost data or human error. In addition to the costs mentioned, specific cyber risk insurance policies can also cover the cost of hiring a specialist IT security firm to investigate how a data breach has happened and what to do to prevent a recurrence, and payment of public relations specialists to manage reputational fallout.

Risk management controls include making employees aware of the company’s data privacy policy, ensuring data loaded onto mobile devices is encrypted, and due diligence over third-party vendors.

Meeting legal requirements

There is a huge amount of law applying to companies in the UK. The StrategicRISK guide looks at some of the more recent legislation and areas that mid-market companies are likely to find most challenging.

For example, although corporate manslaughter legislation may not have imposed any new duties or obligations, it is an added incentive to take health and safety seriously - penalties can include unlimited fines. Demonstrating a responsible and proactive approach to health and safety management could make the difference between a successful or an unsuccessful defence.

The Bribery Act, which came into force in July, focuses on core principles designed to ensure that businesses compete fairly and ethically, both at home and overseas. The maximum penalty for individuals found guilty of bribery is 10 years’ imprisonment, a fine or both, while corporations could face an unlimited fine.

Compliance means that commercial organisations must incorporate anti-corruption elements into their code of conduct, risk management, due diligence, decision-making, procurement and contract management, employee vetting and disciplinary procedures.

Meeting the requirements of anti-discrimination legislation can also be particularly difficult for mid-sized companies. But here again the penalties for non-compliance can be severe, so companies need to ensure that all employees are treated equally and that recruitment advertisement is worded in a way that does not exclude specific sectors of the potential workforce.

Company directors and officers also need to take care to protect themselves against allegations of wrongful acts. In mid-sized companies actions against directors often stem from company failure - bankruptcy and insolvency - and claims of wrongful trading.

Wrongful employment practices are also a source of claims in this sector and companies with US offices should be particularly careful to comply with the stringent regulations there.

Environmental considerations

The vastly increased amount of environmental regulation introduced in recent years makes it much more likely that companies could face a claim for pollution. Public liability insurance only provides very limited cover for sudden and accidental pollution, so they should consider buying a specific environmental impairment liability policy.

The costs of pollution can include third-party liability, on-site and offsite clean-up, business interruption should the company need to close a site during clean-up and third-party business interruption costs, as well as legal defence costs. Further, a pollution incident can damage a company’s reputation, affecting customers’ view of the business and willingness to deal with it.

Insurance and claims

In addition to specific advice on specialist risks, the StrategicRISK guide also provides some basic pointers on what companies need to do to comply with policy conditions and enhance their chances of getting full settlement of any claims. Brokers will be well aware of the issues here relating to disclosure, accurately setting sums insured, and building claims defensibility into systems and processes.

Risk tips for your clients

Absence management

Effective interventions in managing short-term absence include:

• A proactive absence management policy
• Return-to-work interviews
• Disciplinary procedures for unacceptable absence levels
• Use of trigger mechanisms to review attendance
• Involving trained line managers in absence management
• Providing sickness absence information to line managers
• Restricting sick pay
• Involving occupational health professionals.

Effective interventions in managing long-term absence include:

• Occupational health involvement and proactive measures to support staff health and wellbeing
• Restricting sick pay
• Changes to work patterns or environment
• Return-to-work interviews
• Rehabilitation programmes.

Source: Chartered Institute of Personnel and Development

Bribery and corruption

• Take actions proportionate to the risks you face and to the size of your business
• Get board leadership on issues like a zero-tolerance culture, an anti-bribery code of conduct, risk assessment and general oversight of breaches of procedures
• Assess external bribery risks such as country, sector, transaction, opportunity and business relationship risk and put in place procedures to mitigate such risks
• Know exactly who it is you
are dealing with, particularly those who are conducting business on your behalf, as you have responsibility for third parties and agents
• Communicate your policies and procedures to staff and other associated organisations and people, backed up with effective scenario-based training
• Update procedures over time and test whether they are operating effectively.

Source: BDO

Directors’ and officers’ liability

• Be aware of your responsibilities and be able to demonstrate that you have taken appropriate measures to comply with legislation
• Enforce good employment practices reflecting local cultures
• Train employees on what behaviour is acceptable - and what is not
• Err on the side of caution, use common sense and always act in good faith.

Insurance and claims

• Make full disclosure of any facts that could affect how insurers view your business
• Make sure your property valuations are accurate to avoid insurers scaling down compensation
• Consider a business interruption review that takes account of suppliers’ disruption as well as your own to ensure sums insured and period of indemnity accurately reflect your risk
• Notify insured claims within the time specified by the underwriter
• Substantiate the amount of any property loss
• Maximise your chances of defending liability claims successfully by demonstrably robust risk management and full documentation of incidents.