Tag Archives: Risk Management

What Insurers Can Learn From Errant Forecasts

Most actuaries know about projections that go awry, so we have quite a bit of sympathy for the weather forecasters who missed the mark early this week, says I.I.I.’s Jim Lynch:

Weather forecasts have improved dramatically in the past generation, but this storm was odd. Usually a blizzard is huge. On a weather map, it looks like a big bear lurching toward a city.

This storm was relatively small but intense where it struck. On a map, it looked like a balloon, and the forecasters’ job was to figure out where the balloon would pop. They were 75 miles off. It turned out they over-relied on a model — the European model, which had served them well forecasting superstorm Sandy, according to this NorthJersey.com post mortem.

There are lessons for the insurance industry from the errant forecast and the (as it turns out) needless shutdown of New York City in the face of the blizzard that wasn’t:

  • Models aren’t perfect. Actuaries, like weather forecasters, have multiple forecasting models. Like forecasters, actuaries have to know the pros and cons of each model and how much to rely on each one given the circumstances. Actuaries and forecasters both bake their own experience into their final predictions.
    Property catastrophe models are considerably cruder than the typical weather forecasting model. By crude I mean less accurate. Cat models project extreme events, where data are sparse and everything that happens has an oversize influence on everything else that is happening. Woe to the insurer that over-relies on cat models, something cat modelers themselves say regularly.
  • It’s hard to pick up the flag once you have planted it. Forecasters suspected late Monday that New York City would be spared the brunt of the storm, but acknowledge now they were reluctant to make too big a change because it could hurt their credibility, particularly if the new forecast had proved too mild. This is a human failing both by the forecaster and its recipient, both of whom worry about crying wolf.
    The tendency also helps explain why it is hard to project market turns, whether they are from growth to recession or from rising insurance rates to falling.
  • Policymakers have egg on their faces today, but they appear to have been following sound risk management principles. It’s not unusual to prepare for disasters that don’t happen, something to think about next time you unbuckle a seatbelt or unlock a door. The scale this week was much larger, but the principle was the same. Needlessly closing a subway is better than stranding hundreds on it, and the occasional forecaster’s error is certainly better than the crude prognostication that gave us the Galveston hurricane or the Schoolchildren’s Blizzard.

I.I.I. has Facts and Statistics about U.S. catastrophes in general and winter storms in particular.


Cyber Value-At-Risk

Measures and methods widely used in the financial services industry to value and quantify risk could be used by organizations to better quantify cyber risks, according to a new framework and report unveiled at the World Economic Forum annual meeting.

The framework, called “cyber value-at-risk,” requires companies to understand key cyber risks and the dependencies between them. It will also help them establish how much of their value they could protect if they were victims of a data breach and for how long they can ensure their cyber protection.

The purpose of the cyber value-at-risk approach is to help organizations make better decisions about investments in cyber security, develop comprehensive risk management strategies and help stimulate the development of global risk transfer markets.

Among the key questions addressed by the cyber value-at-risk model concept are: How vulnerable are organizations to cyberthreats? How valuable are the key assets at stake? And who might be targeting them?

The proposed framework is part of a new report, Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats, that was created in collaboration with Deloitte and with the input of 50 leading organizations around the world.

As the report states:

“The financial services industry has used sophisticated quantitative modeling for the past three decades and has a great deal of experience in achieving accurate and reliable risk quantification estimates. To quantify cyber resilience, stakeholders should learn from and adopt such approaches in order to increase awareness and reliability of cyber threat measurements.”

One potential option, it suggests, is to link corporate enterprise risk management models to perspectives and methods for valuing and quantifying “probability of loss” common to capital adequacy assessment exercises in the financial services industry, such as Solvency II and Basel III, albeit customized to recognize cyber resilience as a distinct phenomenon.

The report points out that the goal is not to provide a single model for quantifying risk. Indeed, for cyber resilience assurance to be effective, it says participants need to make a concerted effort to develop and validate a shared, standardized cyber threat quantification framework that incorporates diverse but overlapping approaches to modeling cyber risk:

“A shared approach to modeling would increase confidence regarding organizational decisions to invest (for risk reduction), distribute, offload and/or retain cyber threat risks. Implicit is the notion that standardizing and quantifying such measures is a prerequisite for the desirable development and smooth operation of cyber risk transfer markets. Such developments require ERM frameworks to merge with insurance and financial valuation perspectives on cyber resilience metrics.”

 

Risk Managers Turn up Volume on Cyber Security

Emerging risks that risk managers expect to have the greatest impact on business in the coming years could be on the cusp of a changing of the guard, according to an annual survey released by the Society of Actuaries.

It found that the risk of cyber attacks and rapidly changing regulations are of growing concern to risk managers around the world, and may be slowly replacing the risk of oil price shock and other economic risks which were of major concern just six years ago.

Some 47 percent of risk managers saw cyber security as a significant emerging risk in 2013, up seven points from 40 percent in 2012.

The SOA noted that this perceived risk predates recent cyber security events (read: the December 2013 Target breach) that have opened up new corporate data security vulnerabilities. The online survey of 223 risk managers was conducted in October 2013.

Regulatory framework/liability regimes was also perceived to be an emerging risk of impact by 23 percent of risk managers, an increase of 15 points from just eight percent in 2012.

The survey noted that as the regulatory framework takes shape post-financial crisis, risk managers are currently trying to implement voluminous and changing regulations on short time frames, with limited additions to staff and with regulators who often have limited understanding of risk tools.

Just 33 percent of risk managers said economic risks – such as oil price shock, devaluing of the U.S. dollar, and financial volatility – will have the greatest impact over the next few years, versus an all-time high of 47 percent in 2009.

In fact, the economic risk category is at an all-time low in 2013, the SOA said.

Hat tip to The Wall Street Journal’s CFO Report, which reported on the survey here.

Super Bowl XLVIII

It’s Super Bowl weekend and whether you’re cheering for the Denver Broncos or the Seattle Seahawks, or have no idea who even made the final, the big game wouldn’t be able to happen without the support of the risk management and insurance community.

While it doesn’t look as if a blizzard will disrupt Sunday’s title game at MetLife Stadium in New Jersey, it’s no surprise that event-cancellation policies have been making the headlines.

Earlier this year New York-based broker DeWitt Stern announced that it had designed an event cancellation policy to protect businesses from lost revenue if for any reason the Super Bowl was cancelled or moved more than 60 miles.

In the event a terrorist attack or blizzard causes the game to be cancelled, the policy would respond and cover businesses for loss of estimated potential revenue. The policy is underwritten by Houston Casualty Company.

There are many other risks that insurers will cover, from the Bruno Mars and Red Hot Chili Peppers halftime show (remember the infamous wardrobe malfunction during Janet Jackson’s performance with Justin Timberlake in 2004?), to coverage for broadcasters in the event their transmissions are interrupted due to a technical problem (think back to last year’s championship game in New Orleans when a power outage halted play for 34 minutes).

For more on Super Bowl risks, check out this post at KYForward.com by Kevin Moore, director of Risk Management Services for Roeding Insurance.

And for the betting among you, check out the Super Bowl Prediction System of John Dewan to see which team you should be backing.

May the best team win!

Study: Companies Recognize Nat Cat Risks, But Mitigation Plans Lacking

Despite recognizing natural catastrophes as a growing threat, many companies have insufficient mitigation plans in place, and considerably more effort will be required before the risks of natural catastrophes are adequately controlled, according to a global survey by Zurich Insurance Group.

The study, conducted in January 2013 by the Economist Intelligence Unit and sponsored by Zurich, polled 170 executives from medium-sized and large companies around the world.

The findings confirm a widespread perception among organizations that natural catastrophes are becoming both more frequent and more severe, and that commensurate importance is assigned to assessing and mitigating the associated risks.

Survey respondents were asked to rate the severity of potential disruptions to distinct areas of their business operations in the event of a natural catastrophe occurring within the next three years.

Combining the top two most severe ratings on a scale of five puts continuity of IT support as facing the most severe disruption (46 percent), followed by supply-chain logistics (44 percent) and business-critical functions (44 percent).

While most companies have taken some steps to mitigate associated threats to IT systems, the adoption of systematic, integrated approaches to risk management is surprisingly low, the survey found.

Fewer than half (45 percent) of the companies surveyed use some form of scenario analysis to assess the risks of natural catastrophes.

Moreover, while a large majority of respondents say they have addressed the challenges of mitigating IT risks from natural catastrophes, only 31 percent say that their risk-management strategy explicitly addresses the interconnectedness of different types of risk.

Zurich says the findings suggest that while businesses are aware of the challenges they face, most have not yet developed a holistic approach to confronting these risks.

Company executives consider inadequate budgets for business-continuity planning and/or disaster recovery as the biggest obstacle to adopting more effective risk management strategies. An inability to present compelling business cases for risk management initiatives is cited as another significant hurdle.

Canadian Underwriter has more on this story.

School Bullying: Managing the Risk

The problem of school bullying has become a hot topic in recent weeks after a number of high-profile cases of young people committing suicide after bullying incidents.

In 2007, about 32 percent of students ages 12-18 reported having been bullied at school during the school year, according to a school crime survey from the National Center for Education Statistics.

Bullying generally is defined as an attack or intimidation by an individual or group, intended to cause fear, distress or harm, that is usually repeated over time and involves an imbalance of power. The act of bullying can take various forms, including physical, verbal and psychological acts.

With increased access to and use of technology, cyberbullying is a growing concern. Cyberbullying has been defined as an aggressive, intentional act by an individual or group using electronic forms of contact, repeatedly over time, against a victim who cannot easily defend himself or herself.

The beginning of a new school year reminds us of the everyday risks that school-age children face and in turn the growing liability exposure facing parents and schools.

For example, a recent Chubb survey of parents of school-age children found that more than two-thirds (67 percent) agreed that today’s kids are exposed to more risks than they encountered during their own childhoods.

However, the same study revealed that parents tend to focus on severe but rare incidents, rather than everyday risks like bullying.

Some 38 percent ranked kidnapping/abduction as the “traditional” risk that concerns them the most, above car accidents (30 percent) and harassment/bullying (22 percent).

For technology-related hazards, parents listed online predators as the top threat (38 percent), followed by identity theft (25 percent), cyberbullying (18 percent) and sexting (14 percent).

It’s not just parents that are dealing with how to manage this risk. School districts increasingly are facing lawsuits due to their alleged failure to take action when notified of bullying incidents.

The National Conference of State Legislatures (NCSL) notes that since 2001, more than half the states have enacted legislation to combat bullying. But NCSL also observes that state policies vary widely in how they address bullying.

A new student risk guide by Chubb offers tips on back-to-school safety and helps parents protect their kids against these risks.

The Public Entity Risk Institute (PERI) lists the numerous Web resources available for training and information on combating bullying and school violence.