Ernst & Young Gets Real with Risk Managers – How Do You Know If Your Risk Program Does Anything

Ernst & Young released their 2014 Chief Risk Officers (CRO) survey examining trends in risk planning. Not surprisingly, a major trend is companies switching focus from reactive risk management to proactive risk planning, which BCS has previously reported on.

One fascinating point of data to emerge in the report is a new question Ernst & Young had not previously asked CROs. How Do You Know Your Risk Function or Program is Creating Value? Reminiscent of the scene in Office Space where outside consultants asked managers at a software company “what exactly would you say…you do here,” Ernst & Young was able to yield some interesting answers from the group risk officers.

This is often a tricky question for risk managers. A sales team knows their methods are working if they increase sales. It is more difficult to know if a program designed to lower costs through risk avoidance is effective without benefit of long-term data analysis.

A risk manager asks if the reason their company has had no vendor related claims the last 18 months is the result of finally implementing a vendor insurance auditing program, or if they have simply been lucky. 

Identifying these causal relationships is a long-term project. The reason companies know they should implement vendor insurance screening programs is because data proves they are effective at lowering costs and liability, but this is often not easy to identify in the short-term.

When asked How Do You Know Your Risk Function or Program is Creating Value, the top response was if the risk program was being integrated into the decision making of operations.

In other words, if after implementing a vendor risk auditing program you want to know if it’s working, you need to incorporate the program into your operations process so that you can identify the causal links of how and why it is effective, and to modify the risk program to maximize its benefits. To effectively transition from reactive short-term risk thinking to long-term risk planning, your risk program must become a part of your day-to-day operations. Failure to do so will not produce the data to back up suspicions of why the program may or may not be working. You need to take your risk planning off the graph paper and bring it into your operations meetings.

As the report stated, “CROs are seeking ways to embed more data-driven and analytics-based practices within their operations.” The focus is no longer on reacting to perceived risks, but implementing risk programs such as vendor insurance auditing and safety screenings, and integrating these programs into your operations department, so that when your risk department faces an Office Space type interview, you will have an answer to the question of whether the risk program you are responsible for is actually working.

Can Your Vendor Compliance Program Handle an Audit in 2014? One Might Be Coming.

Audit executives from several hundred organizations were surveyed in January to identify top emerging risks that audit teams at their companies would be focused on in 2014. 

The risk identified as top-priority was Compliance Management, surprisingly ranked even higher than cyber-security and IT governance, despite both being hot-topic issues in 2013 due to high profile data breach incidents.

Compliance Management was the top identified risk first and foremost because of the assertion that increasingly interconnected businesses need to rely on 3rd party vendors and suppliers more than ever. Because of this reliance, disruptions caused by 3rd party breakdowns can have immediate and expensive consequences for supply chains and operations. This is something which can only be addressed by focusing audit resources on Compliance Management.

Beyond the risks of interconnectivity and reliance on suppliers, the next stated reason for the heightened focus is the escalating risk from enforcing uniform compliance standards in foreign markets in a way that still accounts for local regulations.

As vendors and customers are increasingly overseas, the compliance survey found that organizations often rely too heavily on adherence to boilerplate contract or compliance language drafted for one jurisdiction, without scrutinizing compliance requirements in local jurisdictions. 

To ensure that a vendor operating in a foreign jurisdiction carries sufficient insurance coverage, for example, it is not sufficient for them to simply agree to adhere to a US-originated boilerplate contract. The organization hiring them needs to verify they are covered under the local insurance and regulations where the vendor is located or doing the work.

If you have a vendor risk management program, now is the time to address whether or not it is working, not while you are being audited.

The Critical Nature of Workers’ Compensation Insurance

Running a business requires a constant balance between keeping your ducks in a row and not suffocating them with a singular focus on clerical accuracy. Stress and worry can limit creativity and innovation, but unless you’re aware of the job’s minutiae, it’s easy for tiny items like paperwork, permits, and insurance plans to fall through the cracks. Business Credentialing Service ensures your peace of mind by keeping these ducks in a row, and letting business owners focus on the more important issues.

Workers’ Compensation is a frequently overlooked aspect of running a business — coverage is always assumed (by both employers and employees), but what happens when there’s an unforeseen lapse in coverage? Or how will you respond when your insurance broker refuses to accept a charge that covers a workplace injury?

Failure to comply with state workers’ comp laws is a criminal offense. If the state is made aware of your situation, the DLSE (Division of Labor Standards) will issue a stop order, effectively shutting down your business until coverage is obtained. Actual penalty costs vary from state to state, but ignoring the stop order is considered a misdemeanor no matter where your business is. The DLSE can also issue a fine of up to $10,000, imprisonment in a county jail for up to 60 days, or both. There’s even the potential of an additional $1,000 fine per employee when the stop order is issued, up to a maximum fine of $100,000.

These steep penalties exist only because workers’ compensation insurance is critical for both the employer and the employee. Workers’ comp began as a way to protect businesses, and this is still one of the primary reasons to secure insurance. These funds make it impossible for employees to double dip in injury cases. Once they accept payment from the workers’ comp fund, they aren’t allowed to file a private suit as well. If your insurance is up to date, it provides a huge buffer against bogus claims. Insurance carriers and claims adjusters have the power, resources, and personal interest needed to sniff out dishonest claims.

But it’s crucial that this protective buffer isn’t ever abused, even if the cause is mere oversight. States will penalize your business if payments aren’t released promptly. For as great as workers’ comp funds are for companies, their main purpose is to ensure that the injured party doesn’t have to jump through hoops to get their bills paid. Even when the injury and incident in question may have been quite painful, workers’ comp insurance strives to make the aftermath as painless as possible.  

Perhaps the best way to show how beneficial an auditing service like BCS can be is to relay a recent California case that ended tragically with the death of a hard working family man. On December 20th, 2003, a Ralph’s Grocery employee named Charles Romano injured his shoulder and cervical spine while restocking shelves. After finally undergoing surgery for his injury in August 2005, Romano contracted methicillin-resistant staphylococcus aureus (MRSA), an infection that causes renal and pulmonary failure. If that wasn’t bad enough, Romano also became paralyzed from the shoulders down.

While Romano sought treatment for this debilitating infection, the third party insurance administrator refused to grant payment for the procedure. Instead, Romano had to opt into Medi-Cal, California’s version of Medicaid. Even when a workers’ compensation judge forced Ralph’s and the insurance company to cover this “compensable consequence,” they failed to comply. For whatever reason, the ruling was ignored, denying and delaying treatment for Mr. Romano. As a result, he unfortunately passed away on May 2, 2008, with the bills still unpaid.

Sedgwick CMS, the third party administrator, was referred to the Division of Workers’ Compensation’s Audit Unit for “unreasonably delaying or denying treatment to a patient who was dying from an infection he contracted after undergoing surgery for a compensable work injury.” This passive approach to such a critical case cost Sedgwick CMS thousands of dollars and their reputation; not to mention the inappropriate death of Mr. Romano.

The prompt and proper treatment of workers’ comp claims is a necessary first step in preventing similar tragedies. BCS realizes that an auditor’s presence wouldn’t have guaranteed Romano’s survival, but we would have been there to oversee the case and make sure the insurance channels were running as intended. While Charles Romano’s death is a depressing extreme, it’s a humbling example of how quickly insurance claims can get out of hand.

If any skeptics remain, let us outline a more realistic scenario that can still wreak havoc on your business’ bottom line. Thankfully, this scenario is also easier for BCS’ auditors to prevent.

What happens when you send an injured employee to the emergency room and realize that you don’t actually have the required workers’ compensation insurance? Coverage could have simply lapsed, or the initial processing could have been mishandled. Either way, your company’s situation just became substantially more dire.

After discovering a lapse in coverage (it’s unfortunate that the most common method of discovery is actually filing a legitimate claim), contact your insurance broker immediately. They may reinstate your coverage, but action on their part is far from guaranteed. Their decision is usually based on your overall pay history in addition to other risks that will be calculated by your underwriter. Transparency is absolutely necessary, and your insurance broker won’t make multiple accommodations to this situation.

Which means it’s in your business’ best interest to avoid this point at all costs. It’s about more than preventing headaches and ensuring profits; the actual lives of your employees may be at risk. Burying your head is never a valid option, and Business Credentialing Services exists to help you understand whatever nightmare results from a lapse in coverage. Otherwise, the employees have the right to come after you and your business, as the protections offered by workers’ comp aren’t in effect. These funds have nothing to do with fault. As long as the injury was related to their job, employees are entitled to benefits if the injury was their fault, your fault, or nobody’s fault.

It isn’t often that such radical consequences result from something as simple as a clerical oversight. Delays of benefits can come from an understaffed claims office, an overworked or poorly trained adjuster, a vindictive employer, an improper incentive program, and more. It’s a lot to monitor when your mind is (and should be) focused on growing your business. This is why BCS Audit can be such an asset. Business Credentialing Services routinely examines your insurance paperwork to make sure it’s always up to date. If real life is indicative of anything, it’s that disaster will strike at the most inopportune moment. With BCS Audit, there won’t be any inopportune moments.

Cyber Liability Price Hike Leaves Retailers Feeling the Pinch

As a result of Target’s major data breach last year, insurance carriers are lowering the coverage limits they offer and raising prices on cyber liability coverage.

The Target data breach exposed personal information of 70 million+ Target customers and has resulted in numerous lawsuits against the retailer.

The data breach was caused by malware installed on its checkout registers, which led to theft of financial credit card information of millions of customers.

Businesses were able to purchase approximately $350 million of cyber risk insurance capacity, but after the Target breach, the new limit many carriers offer has been lowered to approximately $250 million. Businesses will also likely be paying higher premiums for this coverage. 

As BCS previously reported, there has been a large upswing in companies purchasing cyber liability coverage over the last 3 years, and most analysts agree that despite these new coverage restrictions stemming from the Target data breach, the growth in acquisition of cyber liability coverage will continue on current trends.

Three Changes to Additional Insured Endorsements You Need to Know about in 2014

The Insurance Services Office (ISO) recently made changes to 24 additional insured endorsements, restricting coverage in some instances for additional insured entities.

To ensure your organization will be covered by vendors’ insurance policies, it is necessary to closely read and scrutinize the additional insured endorsement forms associated with vendors’ policies.

The first change to the additional insured endorsement states that coverage is only available “to the extent permitted by law.” In states which prohibit indemnification for a party’s sole negligence this will have an impact.

The second change specifies that AI coverage may not be broader than is granted in the contract, meaning that the scope of coverage offered an additional insured entity may now be defined by the contract rather than the policy. If a contract arguably specifies a lower dollar amount of coverage than the policy, then the contract language may prevail.

The third endorsement change states that liability limits may not be greater than what is specified in the contract. Previously where an additional insured entity may have been covered by a $1 million policy of the insured, if the contract specifies only $500,000 of coverage, the additional insured entity may be limited to that lower amount of coverage.

What this means for businesses is clear. A mere certificate of insurance is insufficient to know what kind of coverage a vendor or supplier actually carries. The only way to know if a vendor or contractor meets the terms of their contract is to read the policy endorsements to see if exclusions such as those detailed above fail to meet the contract terms the vendor agreed to.

Business Credentialing Services protects organizations by reviewing and auditing vendor and supplier insurance certificates and endorsements to ensure they meet our clients’ terms and conditions. Contact BCS today for a complimentary analysis of your vendors’ insurance.

Why Thoughtful Strategic Risk Planning is Making a Comeback in 2014

In a report issued by Deloitte on risk planning for 2014, they identified a strong trend towards adoption of “Strategic Risk” planning.

There are several areas of traditional risk planning that companies undertake: operational, financial and compliance. Strategic Risks, on the other hand, are a type of risk either created by the business’s main strategy or that directly affect the company’s operation.

The Director of Enterprise Risk Management for Coca-Cola phrased it by saying “It used to be that if certain risks were to happen, a company could have up to one news-cycle to respond, but the speed of risk is so much greater now… That’s one of the biggest differences today versus even three or four years ago.”

An example of this quick loss of reputation was July 2013 when federal prosecutors indicted five men from Russia and the Ukraine in the single largest cyber fraud case in history, costing several hacked companies more than $300 million. Hackers targeted various companies, such as JC Penney, Visa Inc., Jet Blue Airways, and others, to steal credit card information. The incident affected companies operating in numerous jurisdictions with litigation and reputation costs in the hundreds of millions of dollars.

Because of factors such as continued globalization, social media and fast spreading information, companies no longer have time to allow traditional or slow moving risk strategies to govern their risk planning. Strategic Risk planning must involve the CEO and directors of a company and be integral to the organization’s strategy.

The Deloitte study found that for 2014, over 81% of surveyed companies are now explicitly focusing on a Strategic Risk strategy, rather than a silo’d risk strategy.

The single biggest change in the transition from silo’d risk planning to central Strategic Risk planning over the last 4 years has been a resurgence of long term, rather than short term strategy. In fact, over 94% of companies surveyed said they have actively changed focus over the last four years from a reactive, silo’d corporate risk strategy to a long-term, Strategic Planning approach.

The cause behind this dramatic shift to Strategic Planning, on which 94% of companies are now embarking, is the heightened fear of reputational risk, driven by the aforementioned fast news cycle and proliferation of social media. Smart companies are recognizing that a reactive risk strategy is no longer sufficient to protect their organization from litigation, supply chain disruption and loss of reputation.

An integral part of developing a long-term Strategic Planning focus at any company is effective financial screening and certificate of insurance tracking for vendors and suppliers. Before a vendor-related incident leads to unexpected litigation or loss of reputation, every vendor in a supply chain should undergo a thorough legal screening, safety screening and certificate of insurance tracking and audit process.

The Perils of Viewing Risk Management as a “Software Problem”

The Corporate Governance Consultancy Services recently conducted a study to determine the internal process that leads to an organization creating and executing on an internal risk management program.

Surprisingly, a whopping 63% of companies said risk management programs came from their IT Departments, compared to only 13% from Legal and 13% from Operations. An overwhelming number of companies look to their IT Department to solve and implement risk planning.

While it makes sense for companies to ask IT Departments to spearhead the creation of an internal risk program, it can lead to an over-reliance on software and technology to promote risk management compliance, when you consider that of those same companies, over 60% report that there is either little or absolutely no communication between the IT Department and Operations or Legal departments. 

The combination of lack of resources with the silo effect of solely placing an isolated IT Department in charge of implementing internal risk management practices is problematic because tech and software solutions are given priority over human interaction, client communication and improving relationships with vendors, contractors and suppliers.

When asked what solutions they hoped to achieve from the technology side of their internal risk program, the top response was Risk Assessment, which is a natural expectation to have from an IT driven approach. However, the fourth most sought outcome was listed as Incident Response and Management, something which is more elusive to improve when the solution is coming from a purely IT Department implementation.

While it makes sense that many organizations look to their IT Department for the creation and implementation of a risk management program, if 60% of those companies also completely silo the IT Department from communicating and working with Operations and Legal, the scope of the risk program will inherently be limited.

Human interactions and hands-on personal review of insurance and compliance documents by trained risk management personnel cannot be replaced with a pure technology solution, and creating a workable risk management program should never result in a silo’d approach separating IT, Operations and Legal.
