With public anxiety about companies running high after crashes, contaminations, cyber attacks and leadership failures, insurance buyers and sellers agree on the need for insurance solutions to protect reputations.
But they are still figuring out what should be covered, when coverage should be triggered, where to set insurance limits and how to pay out benefits.
There’s no denying the cry of need for reputation risk insurance — worries about brand and reputation are the top threats keeping executives up at night, according to the most recent “Aon Risk Solutions Survey.” But the take-up rate on the handful of current stand-alone policies has been “almost immeasurably low,” said Randy Nornes, executive vice president, Aon Risk Solutions and an author of the survey.
The failure so far of stand-alone products to catch on doesn’t mean risk must be left uncovered, said Tracy Knippenburg Gillis, global practice leader, Marsh Risk Consulting’s reputational risk and crisis management practice.
“As carriers figure out the optimal combination, many existing policies — including directors and officers, umbrella, cyber and property — currently have endorsements available for crisis response,” she said.
Examples of companies currently offering stand-alone policies, include:
- Only losses (Munich Re)
- Only crisis and/or communications management (Zurich and Lloyd’s)
- Both losses and crisis communications management (AIG and Steel City Re)
The policies that cover only crisis management and communications are a placeholder while the industry develops a more complete solution, said Ty Sagalow, chief executive officer and founder of Innovation Insurance Group and a 30-year C-suite alumnus of AIG General Insurance and Zurich North America. “Nobody thinks crisis management products that pay a couple hundred thousand are the answer, but where there’s a need, a solution will follow.”
Chief among the challenges for stand-alone policies that cover losses, Nornes said, is quantifying potential and actual losses. Another is that reputation damage itself is the result of other risks, which divert companies’ attention from reputational damage to the issues that drive them.
The issues most driving them are ethics and integrity; security, both physical and cyber breaches; product and service risks (such as those related to safety, health and the environment); and third-party relationships, with companies increasingly held accountable for the actions of their suppliers and vendors, according to Deloitte’s “2014 Global Survey on Reputation Risk.”
Working the Numbers
Quantification of reputational risk is “an inexact science,” reported a 2013 ACE Group reputation study, subject to vagaries stemming from an organization’s pre-crisis reputation, its response to the crisis, and how quickly it reassured stakeholders that the underlying problems had been addressed.
“These subtleties mean that quantification of reputational risk will inevitably rely on a number of assumptions, and that could generate a false sense of precision, leading companies to rely on estimations that may ultimately turn out to be wide of the mark,” it said.
Hart Brown, vice president, organizational resilience, HUB International, agreed that a mature insurance solution is around the corner.
Its development, he said, is inhibited by still-developing data analysis and predictive modeling tools, but the technology is “getting closer” to supplying a solution that will give actuaries more precise projected losses from reputation-damaging events.
Identifying possible risks starts with common sense — Emily Freeman, risk management, cyber and professional liability specialist, Lockton Cos.
Some industry players believe the solution is already at hand. Nir Kossovsky, co-founder and chief executive officer, Steel City Re, built his company, and his company’s reputation, on those very data analysis and predictive modeling tools.
Steel City Re, which provides reputation assurance solutions, measures the implied reputational values of 7,500 companies every week using metrics, many of which predict what will appear on profit and loss statements: revenue, employee expenses, credit costs, supplier costs, and fines and penalties associated with regulatory action.
Value also manifests in shareholder actions, merger and acquisition scenarios and equity investor optimism.
When stakeholders are disappointed in an organization, Kossovsky said, they jump ship. Customers leave, price points fall, suppliers charge more, credit is withdrawn, employees disengage and regulations are imposed. Typically, those consequences can equal two to seven times the cost of the original operations failure.
For example, Penn State University acknowledged a financial impact of $171.5 million two years after the 2011 Jerry Sandusky scandal, in which the former assistant football coach was convicted of assaulting young boys. That may not include such items as lost research grants and decreased out-of-state applications, which could push the bill higher.
The total number, Kossovsky said, could be derived from “very big data” — Penn State’s average resource allocations over the years compared to other institutions.
“Then you ask, ‘After the Sandusky scandal, did Penn State’s behavior relative to the average or control group change substantially?’ If it did, you could reasonably argue that the change reflects the Sandusky event.”
The scandal prompted an FBI investigation, shook up the university’s top leadership and resulted in a post-season ban of the football team. Headlines called out “Penn State” and “child sex abuse” in the same phrase.
But in fiscal year 2011-2012, the school received donations of $208.7 million — the second-highest annual amount in its history — according to the university.
The reason, Kossovsky said, was the institution’s reputation resilience. While out-of-state stakeholders might send their children to other storied universities until the incident faded from memory, Pennsylvania residents and fervently loyal alumni were willing to approach the indiscretion as an anomaly and move on.
Of course, most organizations lack Penn State’s mythology, which produced its reputation resilience.
“It doesn’t matter if it’s a data breach or product recall. We can come to a good approximation of what it will cost.” — Randy Nornes, executive vice president, Aon Risk Solutions
For others, quantifying losses is a “math problem” requiring a decision tree based on a series of questions about the event, Nornes said.
“It doesn’t matter if it’s a data breach or product recall. We can come to a good approximation of what it will cost.”
First is the magnitude of the event. Was it widely reported? Did litigation or liabilities follow? Was it a data breach that disclosed personal information? How will it affect future sales? Then there are subcategories. Was it a safety event? What kind?
Stop the Bleeding
A company’s response to a crisis — the purview of crisis management and communications insurance coverage — profoundly affects losses.
“A mismanaged crisis response will bring down a company faster than anything else,” said Mike Swenson, president, Crossroads, a public relations and crisis communications management firm that represents numerous food manufacturers.
In the age of Twitter and Facebook, that requires a lightning-fast response, which in turn means having a well-practiced crisis plan and wholehearted buy-in from the C-suite and the board of directors.
“There are no longer any news cycles,” Swenson said. “After an event, you have no planning time with social media. If something goes wrong, you have minutes, not hours, to respond.”
To be effective, he said, the plan must:
- Identify the team that will leap into action in a crisis.
- Identify all the imaginable and unimaginable risks, and all possible variations facing the company.
- Map a response to each crisis.
- Develop key messages consisting of three to five talking points for each crisis.
Some carriers align their policies with a selected panel of agencies, vetted and retained for their experience, reputation, cost, service package, geographical scope and industry expertise, said Emily Freeman, risk management, cyber and professional liability specialist, Lockton Cos. Carriers may consider vetting and pre-approving a client’s own external PR or crisis management firm.
AIG’s ReputationGuard is one of the products that uses a panel of crisis management and communications agencies.
Typical of its peer products, coverage responds to extraordinary events, not day-to-day business operations, such as a crime by an executive or on the company’s premises, said Jeanmarie Giordano, chief underwriting officer, professional liability, AIG.
Atypically, coverage is triggered when the insured contacts the agency either to prepare a response to a still-hypothetical threat or to an actual one that may go public. The firm helps the company respond through social media, publicity, public appearances and image monitoring.
Plan for the Worst
Identifying possible risks starts with common sense, Freeman said. “If the company has exposure to children, it needs to think about personal safety. If it offers public facilities, it needs to think about violence. If it’s involved in transportation, it needs to think about accidents.”
A lot of tangential issues emerge in the process, said Aon’s Nornes, such as climate change. A company might ask, ‘Are we good environmental stewards?’
“You can make a pretty good list of risks,” he said. “The question is, are you running exercises and drills around situations you thought about? Not every company does the second piece.”
Eerily, he said, when Aon mapped out risk scenarios by industry in 1999, its aviation category contemplated two 747s flying into the World Trade Center.
The ACE study advises companies to listen, engaging in “more frequent dialogue with stakeholders to understand their views and monitoring the external environment more systematically to identify the emerging reputational threats that put their relationships at risk.”
Commitment starts at the top. Boards of directors should take time at board meetings to discuss customer satisfaction, brand identity, customer loyalty and elasticity measures.
This organizational soul-searching makes companies “better firms and better prepared” for crises, said Nornes, because it “translates to changes in both process and traditional insurance related to perils that drive reputational risk.”
Publicity about poor customer service or some mishap can be repeated multiple times over social media. “There’s a high value in thinking the response through,” he said.
A crisis response plan can shake a company out of the complacency that can leave exposures hiding in plain sight.
For example, Freeman said, “A company may have excellent cyber security and so neglect to put a crisis plan in place for a data breach even though it collects sensitive customer information and processes their credit cards.”
A thorough examination of risks and responses would catch that kind of exposure.
Scenario planning also picks up the slack left by failing attention spans, which — for people who use multiple digital devices — are now shorter than that of a goldfish, according to a recent Microsoft study.
“Who can actually forget a school shooting or an oil spill that kills 11 people?” said Leslie Gaines-Ross, chief reputation strategist, Weber Shandwick, which is on several carriers’ panels of crisis communications experts.
But people move on to the next threat. For example, Gaines-Ross said, privacy was the top threat on executives’ minds last year; this year it’s reputation risk, but privacy threats haven’t gone away, especially in the minds of miscreants.
A well-thought-out response can turn a bad story into a good one, said Swenson of Crossroads.
For example, he recalled, when the story of horse DNA in some of Taco Bell’s European locations hit the Internet, the result of a supply chain failure, the restaurant chain used the bad publicity to drive people to its website, which staunchly defended the purity of its American product.
“They created viral marketing to turn a bad thing into a good thing. It works both ways. You have to be prepared for an adverse event.”