Crisis Management

Plan to Survive

Employers are still slow to take the necessary steps to ensure that their organizations are prepared for violence.
By: | January 25, 2016 • 11 min read

You’re at your desk, engrossed in a report. From somewhere on the other side of the building, you hear a loud muffled noise. Furniture-moving mishap? Backfiring car? It barely registers in your mind until you hear it again.

Advertisement




Then you hear screams. The icy grip of fear tightens your chest. There’s a shooter in the building.

Your vision blurs for a moment as you try to decide in that split second what to do next. Fifteen minutes from now, you will either be a survivor, or you will be a statistic.

Armed killing sprees have long been a troubling fact of life in the U.S. and elsewhere. As far back as August 1966, Charles Whitman opened fire from the clock tower of the University of Texas at Austin, killing 16 people and wounding 31.

The massacre shocked and horrified the world in 1966. But in 2016, our capacity for shock has been dulled by the increasing frequency of the type of violence we now commonly refer to as active shooter incidents.

In 2015, there were 330 incidents in the U.S. in which four or more people were shot or killed using firearms, resulting in 367 deaths and 1,317 injuries. Incidents at schools, universities and public spaces took up most of the media attention until December, when an employee of the Inland Regional Center in San Bernardino, Calif., left work and returned with his wife and a small arsenal of firearms. Fourteen people were killed, and 22 were wounded. Suddenly employers that gave workplace violence only a passing thought began asking “What if it had happened here?”

The question is long overdue. The FBI reports that 45 percent of active shooter incidents occur at places of business, making them the most common target for these attacks.

Be Proactive

There are multiple categories of active shooter or other workplace violence situations. The San Bernardino shooters are alleged to have had ties to terrorist factions, but acts of political terrorism in the workplace are rare. Acts perpetrated by unstable individuals are far more common, as are domestic violence incidents.

active shooter chartWithout question, there are situations where a target is chosen at random, and there is absolutely no way an employer could have seen it coming. But more often there are signs or signals along the way — red flags, both subtle and obvious, that were brushed off or even deliberately ignored out of a reluctance to create conflict. That is a mindset that desperately needs to change, say experts.

“Many of the incidents that we see could have been avoided because there were clear precursors,” said Sean Ahrens, Aon Global Risk Consulting’s Security Consulting practice leader. He adds that “incidents where there’s a straw that broke the camel’s back are happening more and more.”

The culture of silence happens for a variety of reasons. Coworkers don’t speak up for fear they’ll be branded as troublemakers. Employers worry they will be accused of defamation or discrimination if they take a hasty action against an employee.

In the well-intentioned quest to create a solid, documented case for taking action, sometimes employers wait too long. The results can be tragic.

Advertisement




Experts agreed that risk managers must work to cultivate a “see something, say something” culture. To increase the chance of being able to identify a burgeoning threat, experts strongly advise employers to have a means in place for employees to report concerns anonymously.

Sean Ahrens, security consulting practice leader, Aon Global Risk Consulting

Sean Ahrens, security consulting practice leader, Aon Global Risk Consulting

“Employers should afford as many ways as possible to communicate this information,” said Ahrens. That could an online email form, an anonymous hotline, a third-party hotline, or whatever methods make the most sense for the organization.

From there, an internal threat assessment team can gather further intelligence and decide how to proceed or attempt to de-escalate the situation. Simply terminating an at-risk employee isn’t necessarily the smart play, and could actually make things worse. Crisis management experts can be a useful resource for employers working to avoid a misstep.

The Survival Plan

The bottom line for risk management is that there is no iron-clad means to eliminate the risk that your workplace will experience an active shooter event. Even the best preventative measures have to be backed up by a solid emergency plan paired with response protocols spelling out what needs to happen during an event.

Communication is the first line of defense. A clear warning can give everyone out of the line of fire a better chance of evacuating safely. The simplest method is using overhead audio such as a P.A. system.

“Don’t use codes, just plain English,” said Ahrens. Be straightforward: “There’s an aggressor in the building near the Northwest stairwell. We’ll provide updates when available. Evacuate now if you can, or shelter in place.” Then provide continuous updates, he said.

Other environments may require additional measures. A noisy manufacturing floor or warehouse, for example, may need to use a strobe light to alert workers to turn off machines so that they can hear the emergency message.

What happens after the warning is broadcast will likely make the difference between life or death, which is why failure to train employees is not a valid option.

Michelle Colosimo, director, Black Swan Solutions

Michelle Colosimo, director, Black Swan Solutions

“Yes, you have to call 911,” said Michelle Colosimo, director of Black Swan Solutions, “but look how quickly these events can [unfold]. You now need to leverage your own employees to make sure that they’re doing the right things to help keep themselves safe.”

In 2012, the City of Houston produced a 6-minute video called “Run. Hide. Fight.,” funded by the Department of Homeland Security. The video has become the standard training model endorsed by the FBI and DHS for teaching civilians how to protect themselves and others around them.

Other training models have gained traction, such as “Avoid, Deny, Defend,” but most have same underlying message at their core:

    * Escape if you can do so safely
    * If not, then get to a location that can be locked or barricaded, if possible
    * Fight back as a last resort, using any improvised weapon within reach

“You don’t have a means in place to be able to take down that gunman,” said Colosimo, “nor do you want to be encouraging employees to try to take down that

gunman. So what are you doing to help educate and train them? Because it’s really up to the employee to make the right decisions.”

Some risk managers may find upper management squeamish about the phrase “active shooter training,” because their perceptions have been shaped by stories in the news about unannounced active shooter drills that traumatized employees.

The goal of drills is not fear, it’s understanding, said Mike Payne, organizational resilience manager at iJET International.

“You want to walk everybody through and talk everybody through what the expectations are, where the decision points are, and how to effectively respond.”

Jay Hart, director, Force Training Institute

Jay Hart, director, Force Training Institute

“This kind of training is very easy to get wrong. It’s very easy for it to be fear-based,” said Jay Hart, director of Force Training Institute. “I’ve noticed that’s what a lot of executives struggle with.”

Those same misperceptions may tempt some to provide training without drills, but that strategy is ill-advised, experts said, because in an emergency, there’s no accounting for how people might respond without a frame of reference.

Most will revert to habit – perhaps attempting to exit the building via their normal exit route, even though that route might be in the line of fire. Others may simply freeze in place.

“When chaos strikes and fear takes over, we’re typically not thinking clearly,” said John Stevens, senior vice president at Keenan.

“I think you’d be amazed by how many people would just sit at their desk and process that information.” agreed Ahrens. Drills help people move past that paralysis by ingraining the right behaviors and turning them into reflex or “muscle memory.”

“[They have to] go through the motions, pretend something is happening — make sure they actually have to take those steps necessary to protect themselves, kind of like a dry run,” said Colosimo.

“Give them all of the tools and the means necessary.”

Drills are important not only to help employees refine their instincts, she added, but also to identify potential flaws in the emergency response plan.

Advertisement



“It may look great on paper,” she said, but when you actually test it, you may find that some escape routes are obstructed or that a particular route didn’t lead where you thought it would.

Keep in mind that there’s always the potential for some employees to react negatively to whatever training you provide. But Ahrens suggested putting it in perspective.

“You have people saying, ‘I can’t believe you showed us that, that training was over the top.’ But if they remember it during an incident, I think it’s worth the couple of people who don’t like it.”

Far-Reaching Repercussions

While employers are no longer burying their heads in the sand about workplace shooter risks, most are still a long way from being truly prepared.

Mike Payne, iJET International

Mike Payne, iJET International

“People are putting plans in place,” said Colosimo, “and maybe [some are] training people. But when you get to the drill level, specific to active shooters, those numbers are still low. And that’s what needs to change.”

Risk managers may still be struggling to get the buy-in they need, and the problem doesn’t necessarily revolve around the bottom line. Taking steps toward active shooter preparedness can involve some uncomfortable decision making, explained Payne, so “by not having a background in handling those types of risk decisions, it creates a level of denial. And while that is a response, it’s not the preferred one.”

To help the C-suite move past reluctance, experts recommend framing the language in terms of safety as well as presenting the bigger picture and the potential impact to the business.

To help the C-suite move past reluctance, experts recommend framing the language in terms of safety as well as presenting the bigger picture and the potential impact to the business.

While the frequency of an active shooter incident may be less than any other risk that a business faces, stressed Stevens, “the severity and the magnitude of the circumstance become greater than anything else they face because you’re dealing with human lives.”

In the aftermath, the fallout would likely be a tangle of workers’ comp and liability claims related to fatalities and potentially catastrophic injuries. Property damage could be extensive in some situations, and many organizations could face significant business interruption expenses. In addition, questionable security procedures or a failure to respond to threats made prior to an incident may expose employers to a Pandora’s box of employment liability actions.

“In the world we live in now,” said Ahrens, “courts aren’t going to recognize ‘We didn’t see it as a risk.’ ”

As if that wasn’t enough, some businesses could find themselves in violation of workplace violence prevention laws, which are on the books in several states. And many companies may not even be aware of their obligations under OSHA.

While there is no federal workplace violence standard, OSHA asserts that it has the authority to cite employers for failing to take steps to prevent workplace violence under the General Duty Clause, which requires employers to keep workplaces “free from recognized hazards likely to cause death or physical harm.” Courts have generally agreed.

In addition, some say, there are multiple OSHA standards related to emergency action plans and job hazard training that can be interpreted to apply to active shooter training. Those claims have not yet been legally tested. But if the frequency of incidents continues to climb, it may only be a matter of time.

Reputational harm is also a very real possibility — not just among customers, but among vendors. Some companies may choose not to do business with a company it perceives as having lax security measures. Not least of all is the company’s reputation among both existing and prospective employees.

“If you have a workplace where people don’t feel safe, they’re not going to come to work,” said Colosimo. “If they don’t come to work, your productivity is gone.”

Insurance recovery may not be as straightforward as some assume. In the wake of a workplace shooting, business interruption losses may or may not be covered depending upon policy wording.

Workers’ compensation typically will cover costs related to injuries or fatalities that occur at work. However, a targeted, personal attack on an employee with a clear motive that is unrelated to the workplace — such as an attack by a jilted spouse — could negate some workers’ comp claims because it falls outside of the “scope of employment.”

Workers’ comp costs can wreak havoc on employers and insurers. The California death benefit of $250,000 for a single dependent survivor was multiplied many times over for those that died in the San Bernardino attack. But those that survive such an event with catastrophic injuries can potentially cost 10 times that amount over the long-term.

Advertisement




Until recently, there were no insurance products designed specifically for the risk of gun violence. But Willis Towers Watson now offers active shooter insurance. The coverage was intended for universities, but the company is now fielding inquiries from hotels, hospitals, and other institutions.

The policies, underwritten by Beazley, an affiliate of Lloyd’s, can cover up to $5 million of liability against claims that the company didn’t take the necessary precautions to prevent a mass shooting. It also covers the “on the scene” costs of a shooting incident, as well as any counseling or consulting expenses needed after the event.

What companies need to guard against is being lulled into false assumptions about the scope of the problem. After 911, there was a similar spike in interest in protecting workplaces from violence, noted Colosimo.

But eventually the interest waned, as the media moved on to fresher territory. Her hope is that it won’t require more incidents like San Bernardino to keep risk managers focused on what needs to be done.

“We’ve got to keep the momentum going because this isn’t stopping,” she said. “People have to be prepared.”

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Risk Report: Hospitality

Bridging the Protection Gap

When travelers stay home, hospitality companies recoup lost income through customized, data-defined policies.
By: | October 12, 2017 • 9 min read

In the wake of a hurricane, earthquake, pandemic, terror attack, or any event that causes carnage on a grand scale, affected areas usually are subject to a large “protection gap” – the difference between insured loss and total economic loss. Depending on the type of damage, the gap can be enormous, leaving companies and communities scrambling to obtain the funds needed for a quick recovery.

Advertisement




RMS estimates that Hurricane Harvey’s rampage through Texas could cause as much as $90 billion in total economic damage. The modeling firm also stated that “[National Flood Insurance Program] penetration rates are as low as 20 percent in the Houston area, and thus most of the losses will be uninsured.”

In addition to uninsured losses from physical damage, many businesses in unaffected surrounding areas will suffer non-physical contingent business interruption losses. The hospitality industry is particularly susceptible to this exposure, and its losses often fall into the protection gap.

Natural catastrophes and other major events that compromise travelers’ safety have prolonged impacts on tourism and hospitality. Even if they suffer no physical damage, any hotel or resort will lose business as travelers avoid the area.

“The hospitality industry is reliant on people moving freely. If people don’t feel safe, they won’t travel. And that cuts off the lifeblood of the industry,” said Christian Ryan, U.S. Hospitality and Gaming Practice Leader, Marsh.

Christian Ryan
U.S. Hospitality and Gaming Practice Leader, Marsh

“People are going away from the devastation, not toward it,” said Evan Glassman, president and CEO, New Paradigm Underwriters.

Drops in revenue resulting from decreased occupancy and average daily room rate can sometimes be difficult to trace back to a major event when a hotel suffered no physical harm. Traditional business interruption policies require physical damage as a coverage condition. Even contingent business interruption coverages might only kick in if a hotel’s direct suppliers were taken offline by physical damage.

If everyone remains untouched and intact, though, it’s near impossible to demonstrate how much of a business downturn was caused by the hurricane three states away.

“Hospitality companies are concerned that their traditional insurance policies only cover business interruption resulting from physical damage,” said Bob Nusslein, head of Innovative Risk Solutions for the Americas, Swiss Re Corporate Solutions.

“These companies have large uninsured exposure from events which do not cause physical damage to their assets, yet result in reduced income.”

Power of Parametrics

Parametric insurance is designed specifically to bridge the protection gap and address historically uninsured or underinsured risks.

Parametric coverage is defined and triggered by the characteristics of an event, rather than characteristics of the loss. Triggers are custom-built based on an insured’s unique location and exposures, as well as their budget and risk tolerance.

“Triggers typically include a combination of the occurrence of a given event and a reduction in occupancy rates or RevPar for the specific hotel assets,” Nusslein said. Though sometimes the parameters of an event — like measures of storm intensity — are enough to trigger a payout on their own.

For hurricane coverage, for example, one policy trigger might be the designation of a Category 3-5 storm within a 100-mile radius of the location. Another trigger might be a 20 percent drop in RevPAR, or revenue per available room. If both parameters are met, a pre-determined payout amount would be administered. No investigations or claims adjustment necessary.

Advertisement




The same type of coverage could apply in less severe situations where traditional insurance just doesn’t respond. Event or entertainment companies, for example, often operate at the whim of Mother Nature. While they may not be forced to cancel a production due to inclement weather, they will nevertheless take a hit to the bottom line if fewer patrons show up.

Christian Phillips, focus group leader for Beazley’s Weatherguard parametric products, said that as little as a quarter- to a half-inch of rain over a four- to five-hour period is enough to prevent people from coming to an event, or to leave early.

“That’s a persistent rainfall that will wear down people’s patience,” he said.

“A rule of thumb for parametric weather coverage, if you’re looking to protect loss of revenue when your event has not actually been cancelled, you will probably lose up to 20 to 30 percent of your revenue in bad weather. That depends on the client and the type of event, but that’s the standard we’ve realized from historical claims data.”

The industry is now drawing on data to establish these rules of thumb for more serious losses sustained by hospitality companies after major events.

“Until recently the insurance industry has not created products to address these non-physical damage business interruption exposures. The industry is now collaborating with big data companies to access data, which in turn, allows us to structure new products,” Nusslein said.

Data-Driven Triggers

Insurers source data from weather organizations that track temperature, rainfall, wind speeds and snowfall, among other perils, by the hour and sometimes by the minute. Parametric triggers are determined based on historical storm data, which indicates how likely a given location is to be hit.

“We try to get a minimum of 30 years of hourly data for those perils for a given location,” Phillips said.

“Global weather is changing, though, so we focus particularly on the last five to 10 years. From that we can build a policy that fits the exposure that we see in the data, and we use the data to price it correctly.”

New Paradigm Underwriters collects their own wind speed data via a network of anemometers that stretch from Corpus Christi, Texas, all the way to Massachusetts, and works with modeling firms like RMS to gather additional underwriting information.

The hospitality industry is reliant on people moving freely. If people don’t feel safe, they won’t travel. And that cuts off the lifeblood of the industry.– Christian Ryan, U.S. Hospitality and Gaming Practice Leader, Marsh

While severe weather is the most common event of concern, parametric cover can also apply to terrorism and pandemic risks.

“We offer a terror attack quote on every one of our event policies because everyone asks for it,” said Beazley’s Phillips.

Advertisement




“We didn’t do it 10 years ago, but that’s the world we live in today.”

An attack could lead to civil unrest, fire or any number of things outside an insured’s control. It would likely disrupt travel over a wide geographic region.

“A terrorist event could cause wide area devastation and loss of attraction, which results in lost income for hospitality companies,” Nusslein said.

Disease outbreaks also dampen travel and tourism. Zika, which was most common in South America and the Caribbean, still prevented people from traveling to south Florida.

“Occupancy went down significantly in that region,” Marsh’s Ryan said.

“If there is a pandemic across the U.S., a parametric coverage would make sense. All travel within and inbound to the U.S. would go down, and parametric policies could protect hotel revenues in non-impacted areas. Official statements from the CDC such as evacuation orders or warnings could qualify as a trigger.”

Less data exists around terror attacks and pandemics than for weather, though hotels are taking steps to collect information around their exposure.

“It’s hard to quantify how an infectious disease outbreak will impact business, but we and clients are using big data to track travel patterns,” Ryan said.

Hospitality Metrics

Any data collected has to be verified, or “cleaned.”

“We only deal with entities that will clean the data so we know the historical data we’re getting is accurate,” Phillips said.

“There are mountains of data out there, but it’s unusable if it’s not clean.”

Parametric underwriters also tap into the insured’s historical data around occupancy and room rates to estimate the losses it may suffer from decreased revenue.

Bob Nusslein, head of Innovative Risk Solutions for the Americas, Swiss Re Corporate Solutions.

“The hospitality industry uses two key metrics to measure loss of business income. These include occupancy rate and revenue per available room, or RevPAR. These are the traditional measurements of business health,” Swiss Re’s Nusslein said.  RevPAR is calculated by multiplying a hotel’s average daily room rate (ADR) by its occupancy rate.

“The hotel industry has been contributing its data on occupancy, RevPAR, room supply and demand, and historical data on geographical and seasonal trends to independent data aggregators for many years. It has done an exceptional job of aggregating business data to measure performance downturns from routine economic fluctuations and from major ‘Black Swan’ events, like the 9/11 terrorist attacks, the 2008 financial crisis or the 2009 SARS epidemic.”

Claims history can also provide an understanding of how much revenue a hotel or an event company has lost in the past due to any type of business interruption. Business performance metrics combined with claims data determine an appropriate payout amount.

Like coverage triggers, payouts from parametric policies are specifically defined and pre-determined based on data and statistical evidence.

This is the key benefit of parametric coverage: triggers are hit, payment is made. With minimal or no adjustment process, claims are paid quickly, enabling insureds to begin recovery immediately.

Applying Parametric Payments

For hotels with no physical damage, but significant drops in occupancy and revenue, funds from a parametric policy can help bridge the income gap until business picks up again, covering expenses related to regular maintenance, utilities and marketing.

Because payment is not tied to a specific type or level of loss, it can be applied wherever insureds need it, so long as it doesn’t advance them to a better financial position than they enjoyed prior to the loss.

Advertisement




Parametric policies can be designed to fill in where an insured has not yet met their deductible on a separate traditional policy. Or it could function as excess coverage. Or it could cover exposures excluded by other policies, or for which there is no insurance option at all. Completely bespoke, parametric coverages are a function of each client’s individual exposures, risk tolerance and budget.

“Parametric insurance enables underwriting of risks that are outside tolerance levels from a traditional standpoint,” NPU’s Glassman said.

The non-physical business interruption risks faced by the hospitality industry match that description pretty closely.

“Hotels are a good fit for parametric insurance because they have a guaranteed loss from a business income standpoint when there is a major storm coming,” Glassman said.

While only a handful of carriers currently offer a form of parametric coverage, the abundance of available data and advancement in data collection and analytical tools will likely fuel its popularity.

Companies can maximize the benefits of parametric coverages by building them as supplements to traditional business interruption or event cancellation policies. Both New Paradigm Underwriters and Beazley either work with other property insurers or create hybrid products in-house to combine the best of both worlds and assemble a comprehensive risk transfer solution. &

Katie Siegel is an associate editor at Risk & Insurance®. She can be reached at [email protected]