2222222222

Risk Scenarios Live!

Unhinged

The co-morbidities of age and weight and a stubborn failure to adhere to his physical therapy regimen spell trouble for an injured, middle-aged construction foreman.
By: | April 19, 2016 • 11 min read
Topics: Risk Scenarios
Risk Scenarios are created by Risk & Insurance editors along with leading industry partners. The hypothetical, yet realistic stories, showcase emerging risks that can result in significant losses if not properly addressed.

Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.

The Injury

The scenario begins with the brief video below:

 

Heading South

It’s five weeks since the day Reggie first felt that twinge in his knee. The pain is still not so great that Reggie can’t live with it, but he’s getting a little tired of it.

After work one day, Reggie is having beers with Smitty Cheeks, one of the company’s mid to long-range truckers, who’s done driving for the week and will be spending the weekend in Memphis.

Smitty and Reggie are engaged in game of 8-Ball at their local blues and barbecue joint. Smitty slams the 8 ball into the corner pocket, winning the game.

“My game,” says Smitty.

Reggie eyes the waitress delivering food to their nearby booth.

“Good thing,” Reggie says. “ ’Cause our food is here.”

Partner

Partner

The two are tearing into some serious barbecue when Reggie notices Smitty pulling a pill from a vial in his pocket. Reggie’s already had a couple of beers, which makes him a little bolder.

“Watcha’ got there partner?” Reggie says.

“Vicodin,” Smitty says.

“My back’s a mess and I’ve been taking these Vicodins for a while. They help a good deal. Probably not best to drink and use these, but hey, whatever gets you through the night,” Smitty says with a beery wink.

Reggie pauses and then blurts out.

“Could you hook me up with a few of those? I’ve been having some aches and pains myself.”

Smitty pauses, then very efficiently strips the smoked meat off of a turkey wing.

“I can get you all you need buddy and the price is right,” he says, his lips smeared with barbecue sauce and this time not smiling.

The next day, Reggie, whose become more inactive and out of condition since his knee injury, is coming out of the bathroom at home with a towel around his waist.

He’s limping worse than he has been recently. The knee has begun to lock on occasion and feels like it might be giving out. His wife Arlene addresses him.

“When are you going to see a doctor?” she says to him with a worried expression on her face.

“I really don’t know,” says Reggie.

“I really think you should,” she says. “You don’t know what’s going on there and you should at least get it checked out.”

Reggie pauses, embarrassed. Arlene is looking at him compassionately and it softens his defenses.

“I tweaked my knee at work a while back. Tell you what, I’ll tell my boss on Monday and go see somebody.”

“Good,” Arlene says.  “You don’t want to go too long before figuring out what’s up.”

RSL_2015

Reggie tells his supervisor about his injury. Reggie’s injury is in turn reported to the company’s insurance carrier. But neither the claims adjuster or the employer discuss the idea of Reggie being offered modified duty.

Reggie is referred to an in-network physician, an occupational medicine specialist. The Occ-Med prescribes an anti-inflammatory for Reggie. He also orders an MRI for him and gives him a prescription for four sessions of Physical Therapy and orders him a hinge knee brace, due to the “giving out” feeling Reggie has reported in his knee.

The Occ-Med specialist gets the MRI results, which reveals a tear. Without calling Reggie into have another look at him or gauge how he’s done in therapy, the Occ-Med refers Reggie to an orthopedic surgeon.

Reggie is in the surgeon’s office looking at the MRI results with the surgeon when he gets the news.

“The MRI scan reveals a 4 mm acute medial meniscus tear, Reggie,” the surgeon says.

“We’re going to want to repair this,” he continues.

“You mean surgery?”

“Yes. I don’t want to let this sort of thing go in a man your age,” the surgeon says, patting Reggie on the shoulder compassionately.

Mollified by the surgeon’s kindly tone, Reggie doesn’t question the decision or seek a second opinion.

Reggie doesn’t think to ask about a less invasive approach, like more physical therapy, and the surgeon doesn’t bring it up. The surgeon puts in a request for surgery, which is approved by the adjustor with no follow up or questioning as to its necessity.

Reggie undergoes preauthorized, minor arthroscopic surgery and is initially given six weeks off of work under the direction of the surgeon.

The carrier’s claims adjustor makes a note of the surgery but doesn’t contact the employer or Reggie to check in on his condition.

“It’s a pretty minor procedure,” she tells herself while alternating between looking at her computer monitor, where the details of Reggie’s case are displayed, and checking her cell phone.

Then her phone rings.

“This is Janice,” she says, and clicks to another screen on her computer. Reggie’s case is out of sight, out of mind.

No one from Reggie’s company checks in with him to discuss the future possibility of modified duty or to check on his overall welfare.

The Wheels Come Off

It’s one week post-op and Reggie pays a visit to the surgeon for a wound check.

“Let’s have a look here,” the surgeon says, gently peeling off the adhesive bandage.

“Looking good,” he says.

“Good,” Reggie says.

The surgeon swabs Reggie’s knee with some antiseptic and distracts Reggie as he pulls out the sutures with a discussion about planning for the way forward.

“So, I’m going to give you a prescription for therapy. I want to see you do at least 12 visits to work on regaining full range of motion in the knee and getting your strength back.”

“Got it,” said Reggie.

Advertisement




“How’s your pain?” the surgeon says.

“It hurts, no doubt,” Reggie said.

“Well let me know if you need more pain medication,” the surgeon says.

“I just might do that,” Reggie says before gingerly slipping down from the table.

***

It’s a week later and Reggie is sitting on the couch at home with the channel changer in his hand and his leg up.

Reggie checks his iPhone, scanning his e-mail inbox.

“Have you heard anything about your physical therapy appointment?” Arlene says from the kitchen where’s she’s pouring some tea for her and Reggie.

“Nothing,” Reggie says.

“I think I’m going to call them,” she says. “We need to get you into physical therapy.”

“Go ahead. I doubt they’ll call you back,” Reggie says. He’s not out of it but his manner is resigned and sluggish.

“It hasn’t been approved or processed yet by the insurance company.”

“Has anybody from your company ever contacted you?” Arlene says.

“Nope. But I’m still getting my workers’ comp checks, I guess I can be thankful for that,” Reggie says.

Reggie palms a pain pill from a vial and swallows it with a sip of water. Arlene can’t see him do this from her vantage point in the kitchen.

“I don’t like it, they should be in touch,” Arlene says.

“You’re probably right,” Reggie says, over his shoulder, taking a break from look at the television.

***

It’s another week before Reggie gets into therapy. The therapist greets Reggie as he’s ushered into the treatment area.

“Hi, I’m Maggie,” the therapist says. “Come on over to this table and lie down. I want to put some electrical stimulation on your knee and then we’ll get to work on it a little bit.”

Reggie walks over to the table, limping noticeably.

“You had surgery when?” Maggie the therapist says.

“Three weeks ago,” Reggie says.

“Hmmm, you’re late getting in here,” the therapist says.

“After we get through our work here today, I’m going to give you some home exercises to help you get caught up. We need to keep this knee moving and build your strength back up,” she says.

***

We cut forward to see the therapist working on Reggie’s knee. She flexes the knee slightly and Reggie almost jumps off of the table.

“This joint is stiff,” the therapist says.

“It sure is,” Reggie says.

Reggie’s reacting to the pain and eyes the therapist warily.

Reggie’s back at home and back in front of the television set. This time he’s got the pain medication bottle out in full view.

Arlene comes in carrying some groceries.

“Have you done your therapy exercises today?” she says.

“Not yet,” Reggie says.

She eyes the vial of pills on the table next to Reggie.

“I thought you were done with those,” she says.

“I’m not taking that many of them,” Reggie says. “And I did move. I went to the bathroom.”

Arlene just looks at him. She’s concerned but clearly doesn’t want to start an argument.

Without another word, Arlene heads to the kitchen with the groceries.

It’s five weeks since Reggie’s last visit to the orthopedic specialist and he uses a cane to get into the examination room. The use of the cane was approved by the adjustor.

The surgeon enters the room and sees the cane propped next to Reggie as Reggie sits on the examination table.

The surgeon is very alarmed.

“What’s the cane for?” he says. “I didn’t order you one.”

“I need it to walk,” Reggie says. “My knee’s still killing me and it’s hard to move it.”

“Where’d you get it, the cane?” the surgeon says, clearly disturbed.

“The therapist gave it to me,” Reggie says.

The surgeon quickly scans his electronic pad, looking for the report from the therapist.

“You had six visits. You were late getting in there but you had six visits. Although you should have had 12,” the doctor says, not quite panicking but clearly unnerved.

“You should have been going twice a week.”

Reggie ignores him.

“You said I could have more pain pills if I needed them, right?”

“What?” the doctor says, jarred that Reggie is ignoring him and taking up another subject.

“Yes I said that but I didn’t think you’d…” the doctor says before Reggie interrupts him.

“I’m gonna’ need more pain pills,” Reggie says with an edge.

The doctor says nothing. He’s at a loss.

“Doctor, I want more pain pills,” Reggie says.

The Session

This scenario was originally presented at the 2015 National Workers’ Compensation and Disability Conference in Las Vegas.

As part of the discussion, panelists discussed key aspects presented in the scenario.

Panelists included Dr. Robert Goldberg, chief medical officer, Healthesystems; and Dr. Jeffrey Sugar, Associate Medical Director, Sharp Rees-Stealy Medical Group. The session was moderated by Tracey Davanport, director, National Managed Care, Argo Group.

Insights from their discussion are highlighted below:

 

 

 




Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]

Cyber Resilience

No, Seriously. You Need a Comprehensive Cyber Incident Response Plan Before It’s Too Late.

Awareness of cyber risk is increasing, but some companies may be neglecting to prepare adequate response plans that could save them millions. 
By: | June 1, 2018 • 7 min read

To minimize the financial and reputational damage from a cyber attack, it is absolutely critical that businesses have a cyber incident response plan.

“Sadly, not all yet do,” said David Legassick, head of life sciences, tech and cyber, CNA Hardy.

Advertisement




In the event of a breach, a company must be able to quickly identify and contain the problem, assess the level of impact, communicate internally and externally, recover where possible any lost data or functionality needed to resume business operations and act quickly to manage potential reputational risk.

This can only be achieved with help from the right external experts and the design and practice of a well-honed internal response.

The first step a company must take, said Legassick, is to understand its cyber exposures through asset identification, classification, risk assessment and protection measures, both technological and human.

According to Raf Sanchez, international breach response manager, Beazley, cyber-response plans should be flexible and applicable to a wide range of incidents, “not just a list of consecutive steps.”

They also should bring together key stakeholders and specify end goals.

Jason J. Hogg, CEO, Aon Cyber Solutions

With bad actors becoming increasingly sophisticated and often acting in groups, attack vectors can hit companies from multiple angles simultaneously, meaning a holistic approach is essential, agreed Jason J. Hogg, CEO, Aon Cyber Solutions.

“Collaboration is key — you have to take silos down and work in a cross-functional manner.”

This means assembling a response team including individuals from IT, legal, operations, risk management, HR, finance and the board — each of whom must be well drilled in their responsibilities in the event of a breach.

“You can’t pick your players on the day of the game,” said Hogg. “Response times are critical, so speed and timing are of the essence. You should also have a very clear communication plan to keep the CEO and board of directors informed of recommended courses of action and timing expectations.”

People on the incident response team must have sufficient technical skills and access to critical third parties to be able to make decisions and move to contain incidents fast. Knowledge of the company’s data and network topology is also key, said Legassick.

“Perhaps most important of all,” he added, “is to capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defense stronger.”

Cyber insurance can play a key role by providing a range of experts such as forensic analysts to help manage a cyber breach quickly and effectively (as well as PR and legal help). However, the learning process should begin before a breach occurs.

Practice Makes Perfect

“Any incident response plan is only as strong as the practice that goes into it,” explained Mike Peters, vice president, IT, RIMS — who also conducts stress testing through his firm Sentinel Cyber Defense Advisors.

Advertisement




Unless companies have an ethical hacker or certified information security officer on board who can conduct sophisticated simulated attacks, Peters recommended they hire third-party experts to test their networks for weaknesses, remediate these issues and retest again for vulnerabilities that haven’t been patched or have newly appeared.

“You need to plan for every type of threat that’s out there,” he added.

Hogg agreed that bringing third parties in to conduct tests brings “fresh thinking, best practice and cross-pollination of learnings from testing plans across a multitude of industries and enterprises.”

“Collaboration is key — you have to take silos down and work in a cross-functional manner.” — Jason J. Hogg, CEO, Aon Cyber Solutions

Legassick added that companies should test their plans at least annually, updating procedures whenever there is a significant change in business activity, technology or location.

“As companies expand, cyber security is not always front of mind, but new operations and territories all expose a company to new risks.”

For smaller companies that might not have the resources or the expertise to develop an internal cyber response plan from whole cloth, some carriers offer their own cyber risk resources online.

Evan Fenaroli, an underwriting product manager with the Philadelphia Insurance Companies (PHLY), said his company hosts an eRiskHub, which gives PHLY clients a place to start looking for cyber event response answers.

That includes access to a pool of attorneys who can guide company executives in creating a plan.

“It’s something at the highest level that needs to be a priority,” Fenaroli said. For those just getting started, Fenaroli provided a checklist for consideration:

  • Purchase cyber insurance, read the policy and understand its notice requirements.
  • Work with an attorney to develop a cyber event response plan that you can customize to your business.
  • Identify stakeholders within the company who will own the plan and its execution.
  • Find outside forensics experts that the company can call in an emergency.
  • Identify a public relations expert who can be called in the case of an event that could be leaked to the press or otherwise become newsworthy.

“When all of these things fall into place, the outcome is far better in that there isn’t a panic,” said Fenaroli, who, like others, recommends the plan be tested at least annually.

Cyber’s Physical Threat

With the digital and physical worlds converging due to the rise of the Internet of Things, Hogg reminded companies: “You can’t just test in the virtual world — testing physical end-point security is critical too.”

Advertisement




How that testing is communicated to underwriters should also be a key focus, said Rich DePiero, head of cyber, North America, Swiss Re Corporate Solutions.

Don’t just report on what went well; it’s far more believable for an underwriter to hear what didn’t go well, he said.

“If I hear a client say it is perfect and then I look at some of the results of the responses to breaches last year, there is a disconnect. Help us understand what you learned and what you worked out. You want things to fail during these incident response tests, because that is how we learn,” he explained.

“Bringing in these outside firms, detailing what they learned and defining roles and responsibilities in the event of an incident is really the best practice, and we are seeing more and more companies do that.”

Support from the Board

Good cyber protection is built around a combination of process, technology, learning and people. While not every cyber incident needs to be reported to the boardroom, senior management has a key role in creating a culture of planning and risk awareness.

David Legassick, head of life sciences, tech and cyber, CNA Hardy

“Cyber is a boardroom risk. If it is not taken seriously at boardroom level, you are more than likely to suffer a network breach,” Legassick said.

However, getting board buy-in or buy-in from the C-suite is not always easy.

“C-suite executives often put off testing crisis plans as they get in the way of the day job. The irony here is obvious given how disruptive an incident can be,” said Sanchez.

“The C-suite must demonstrate its support for incident response planning and that it expects staff at all levels of the organization to play their part in recovering from serious incidents.”

“What these people need from the board is support,” said Jill Salmon, New York-based vice president, head of cyber/tech/MPL, Berkshire Hathaway Specialty Insurance.

“I don’t know that the information security folks are looking for direction from the board as much as they are looking for support from a resources standpoint and a visibility standpoint.

“They’ve got to be aware of what they need and they need to have the money to be able to build it up to that level,” she said.

Without that support, according to Legassick, failure to empower and encourage the IT team to manage cyber threats holistically through integration with the rest of the organization, particularly risk managers, becomes a common mistake.

He also warned that “blame culture” can prevent staff from escalating problems to management in a timely manner.

Collaboration and Communication

Given that cyber incident response truly is a team effort, it is therefore essential that a culture of collaboration, preparation and practice is embedded from the top down.

Advertisement




One of the biggest tripping points for companies — and an area that has done the most damage from a reputational perspective — is in how quickly and effectively the company communicates to the public in the aftermath of a cyber event.

Salmon said of all the cyber incident response plans she has seen, the companies that have impressed her most are those that have written mock press releases and rehearsed how they are going to respond to the media in the aftermath of an event.

“We have seen so many companies trip up in that regard,” she said. “There have been examples of companies taking too long and then not explaining why it took them so long. It’s like any other crisis — the way that you are communicating it to the public is really important.” &

Antony Ireland is a London-based financial journalist. He can be reached at [email protected] Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]