Risk round-up

The real job of risk managers

The collapse of the financial system has changed the way people think about risk. This is the result of a classic human trait – when we witness dramatic events first-hand, our reaction to those events is disproportionate. So the perception of risk becomes more important than the reality.

As Dan Gardner explains in his book, Risk, the number of people travelling by commercial aircraft plummeted after the 9/11 attacks – despite the fact that air travel is one of the safest ways of getting around.

The fear of being the victim of a terrorist hijacking was so overpowering that more people took to the roads, which they thought was safer. The increase in post-9/11 road traffic has been directly linked to a growth in accidents; irrational risk aversion actually contributed to more deaths on the road.

Applying the same theory to the corporate world can help explain the current state of risk aversion. Watching respected and successful institutions falling foul of the economic crisis has made all businesses edgy.

Counterparty risk is one of the biggest monsters lurking in the corporate closet. Organisations are terrified of being dragged under by their business partners that go to the wall. Without access to the proper details, including total transparency into a third party’s supply chain, accounts and financial position, organisations are being cautious.

Credit insurers, for example, have scurried away from markets that they consider too risky. For this they have been rightly criticised. Businesses, which sometimes rely on credit insurance to operate, want insurers to spend more time analysing the risks and working together to mitigate them rather than cutting off whole sections of the market.

Some risk managers could be accused of similar arbitrary decision-making when assessing the security of their insurance partners. Take AIG. Instead of assessing what the real risks were to the solvency of AIG Insurance – a division of AIG Inc, but one that is separately capitalised and ring-fenced – some clients decided to jump ship. In so doing, they may have left themselves exposed without any insurance cover at all.

The job of the risk manager is to distinguish between myth and reality; to present to his or her superiors accurate information about the level of risk and to help them make sensible decisions in order to reap commercial rewards. With the right information, companies can take on more of the risks they want in an environment that, as far as possible, they can control.

The problem is that recent events, while creating a more risky trading environment, have also revealed the inadequacy of some supposedly sophisticated risk information systems.

Banks spent billions on models, tools and other resources to help them quantify the risks in their business. Regulators wanted them to focus on risk management so they asked the banks to set aside capital to offset those risks. The banks, seeking bigger and bigger market share, decided to pervert the rules by creating ever more complicated instruments to mask the risks – which meant instead of hoarding capital they could lend more of it out (and make more money). It ended in disaster for some of them.

The danger is that in witnessing these failures, companies will give up on risk management altogether. That would not be a smart move. Illogical risk decisions can lead companies into more danger. The risk function is crucial to a successful enterprise and it should be treated with the respect it deserves.

Risk managers themselves need to learn from their mistakes. They should make sure they have the skills, expertise and business knowledge to present the right information to their superiors. It is essential that this information is accurate, timely and persuasive.

Eco liability

On 1 March, the European Environmental Liability Directive was transposed into UK law. This has given the Environment Agency and local authorities new powers to punish companies that cause damage to species and habitats, as well as water and risks to human health from contamination of land.

The Department for Environment, Food and Rural Affairs has insisted the regulations are more about reversing environmental damage than penalising companies. But the costs of clean-up remain unclear.

The rules require polluters to return natural habitats to the state they were in before the damage was done. If that is not possible because, for example, an indigenous species has been wiped out, the law says the polluter has to “make amends”.

How does a regulator quantify the intrinsic value of a species that has been wiped off the face of the earth?

“To address these issues, [the insurance industry] will require some certainty as to how the authorities will apply a value to a damaged environmental resource, the level of remediation that authorities will require and the likelihood of successful appeals against notices of liability for remediation,” says Angela Mouton, an environmental lawyer at Lovells.

Companies that have operations in sensitive ecosystems, areas of high biodiversity or near sites of special scientific interest are at greatest risk. They might want to audit their sites to make sure they are carrying out sufficient safety and mitigation activities.

But if such an investigation uncovers environmental damage or the threat of damage, the company is required by law to disclose that to the authorities, explains Mouton. For that reason, as well as the recession, the new law is unlikely to prompt a flurry of environmental audits around the UK.

This might be unwise, however. “Innocence may not be a defence,” warns Caroline May, head of environment, planning and health and safety practice at Norton Rose. “It will be essential for business plans to include environmental assessments.”

Environmental insurers sell products designed to cover the new liabilities, but the ambiguity over the type of remediation required makes it difficult for the policies to cover the costs with complete certainty.

“Commentators are suggesting the directive is not adequately provided for under general liability insurance coverage or specialist environmental impairment liability coverage,” says Michael Salau, an environmental partner at Berrymans Lace Mawer.

Mouton adds: “Claims by the regulator, losses arising from gradual pollution and those relating to compensatory remediation are generally excluded from public liability insurance.”

Insurance and risk managers should be reviewing their policy coverage to ensure they have adequate cover. “It may be that consideration should be given to purchasing a standalone environmental liability directive solution to provide for the extended liabilities under the directive,” says Salau.

Crime on the rise

As economic pressures mount, some individuals turn to crime. For businesses, this means an increase in fraudulent claims and in theft. As information becomes more valuable and an attractive “soft target” for organised criminals, protecting data becomes a key consideration.

Falsifying claims is a crime few people seem to have a moral objection to in a recession. An RSA survey released in February found that 1.4 million Britons think committing insurance fraud as more acceptable now than 12 months ago.

Commercial insurers also report an increase in arson and motor scams. Figures from the ABI show that the cost of fire damage rose to £1.3bn last year, up 16% on 2007.

With less money around, companies are also more likely to spot discrepancies in their books. These discoveries can create a new set of liabilities for the affected firms. Madoff and Stanford are the cases in the headlines but, with billions disappearing around the world, shareholders are fighting their way to the courtroom.

Hank Greenberg, the former AIG boss, is suing the insurer for securities fraud after shares he bought for 5,437c (3,859p) in January 2008 fell to just 42c.

Other types of crime thrive in a downturn. Insiders pose the biggest security threat to companies because they have privileged access to information. If employee morale is low as a result of financial pressures or lay-offs, criminals may be handed a way in.

“We have seen examples of cleaning staff being targeted outside work and threatened with violence unless they deliver corporate data to the criminals,” says Jay Abbott, a security specialist at PricewaterhouseCoopers (PwC).

Steve Wright, senior manager, risk assurance services, at PwC, adds: “Only a fraction of the organisations that house data have the necessary controls in place to protect it.”