Risk Management Bulletin

Computer Technician Examining Server ca. 2003

Probably less than you think.

Three in four U.S. companies don’t have Cyber Risk or Network Security insurance, according to a study by Towers Watson & Co. What’s more, many small and midsized businesses that do carry these policies have left themselves vulnerable to costly losses by failing to develop proactive data security and crisis response plans.

A data security plan begins with the human element. Training employees – particularly those who regularly deal with proprietary information in-house or stored on portable electronic devices – offers a cost-effective approach. A study by NetDiligence found that more than one in four liability data breach claims were due to lost equipment and other staff errors.

To help keep confidential information safe, managers should:

1. Identify those employees who could create the largest exposures for the company in case of lost or misplaced data and make sure that they’re diligent in protecting this data.
2. Make compliance with data security procedures a part of worker performance review.

If you should suffer a data security breach, you’ll need a crisis response plan, with responsibilities assigned ahead of time. The risk management and legal departments will deal with coverage-related issues such as cross-policy response and claims processing, while IT managers and auditors investigate the source and extent of the breach. Planning should also include guidelines for contacting law enforcement, and forensic investigators, as well as communicating with providers and business partners to address continuity issues.

The plan should designate personnel to handle media inquiries and public statements, interact with providers, and notify affected customers, using dedicated and updated contact lists.

We can help you create comprehensive, cost-effective protection for your confidential information by combining insurance coverage with risk management techniques.

According to the U.S. Commerce Department, employee crime costs American businesses more than $50 billion a year – that’s “billion with a ‘B” – and three out of four employees have stolen from their employers at least once.

To help prevent a fox from getting into your hen house, a leading risk management group recommends these guidelines:

1. Screen job candidates. You might discover that a potential employee was fired from another job for stealing. A thorough background check can give you hard evidence when doing an interview. Look for discrepancies between what the candidate says and what’s on paper; too many differences will point to a problem.

1. Reduce the temptation to steal. Be careful when making operational changes. The thief might become familiar with the change and believe that they have specialized and private information they can use to their advantage. To avoid this danger, let everyone know about new procedures. Also, lock and bar all windows in warehouses or storerooms, create employee sign-ins in these areas, and never leave anything lying around to be picked up easily.

1. Protect monetary assets. Thieves sometimes write checks to ghost employees or vendors and use the money for their own finances. Separating accounts payable from accounts receivable will reduce the chances of such a fiasco. Also, if Jim in sales never, ever takes a vacation, something might be amiss; he might be snooping around or doing something besides genuine hard work.

1. Schedule periodic audits. If this isn’t possible, have an outside party review your accounting and bookkeeping practices.

1. Create a zero-tolerance policy. Potential in-house thieves won’t be as inclined to steal if they know that they’re risking their job.

1. Investigate suspected fraud. The Association of Certified Fraud Examiners (www.acfe.org) offers expertise in this field.

For an in-depth review and analysis of your in-house security precautions, please contact our risk management specialists.

Three out of five firms that suffer a major disaster go out of business or are sold. Preparing your business to survive a disastrous event involves a multi-step process: assessment, planning, implementation, testing, and documentation.

1. Assessment: Brainstorm and list all potential losses. Then rate them on a 1-10 scale, with 10 being the most disastrous and 1 having the least impact on the business.
2. Planning: Formulate a comprehensive, detailed action plan, using both in-house and outside sources. The plan should include both steps to prevent the loss and remedies to take if the loss occurs. Be as specific as possible.
3. Implementation: Act on the plan. Determine what steps you must take to now insure a positive outcome if disaster strikes; Who will be accountable for taking these steps when and to whom will they report?
4. Testing: For example, if you’re planning to deal with a computer crash, data recovery is essential. Test back-up media regularly to ensure that they will be available when needed. All too many businesses lose data due to malware or mechanical breakdown only to find that their backup is either corrupted or unavailable when needed.
5. Documentation: Put the details of the plan (who, what, when, and where) in writing. Keep one copy in the office, another on the computer, a third off premises – and make sure that every manager knows these locations. Finally, review and update the plan every six months.

Although nothing is foolproof, implementing these five steps can go far to prevent a disastrous loss, or at least, mitigate its impact.

To learn more about developing a disaster plan for your business, feel free to give us a call at any time.

During the past few decades, the workplace has changed significantly, and one of the biggest shifts has been in the number of years an employee remains with one employer. While a half century ago, it was “normal” practice for the majority of employees to remain with an employer for many years — sometimes entire careers — today’s employees are likely to change employers every few years.

That’s bad news for employers: Workers who remain longer with a company attain a far deeper knowledge of the company, its brand, its products and its customer base, making them much more valuable than any new hire. And unlike a new hire that’s an “unknown quantity,” loyal, long-term employees can actually help reduce a company’s level of risk.

Still, when it’s time to take stock of a company’s assets, valuing employee loyalty can prove problematic; many companies wind up ignoring the value of loyal employees in favor of focusing on easy-to-grasp tangible assets. Likewise, many companies don’t bother to learn how to retain employees for the long term, or even know where to start.

Motivating employees to stay on board doesn’t have to be difficult. If you’re interested in learning what you can do, Monster.com offers the following tips:

• Implement career paths that offer opportunity for advancement, and let employees know how to advance in your company.
• Proactively monitor morale and seek out ways to help improve morale in ways that are meaningful to your employees.
• When devising management training programs, consider what makes a good, effective manager from a worker perspective rather than focusing in what management wants.
• When considering compensation, think beyond salary to include health insurance, vacation time, pension plans and other perks.
• Teach your managers how to provide consistent and valuable feedback and mentoring, and ensure they understand how to listen to employees and value their input.

Learning to retain employees isn’t rocket science; but it does take commitment and time. Take some time today to brainstorm ways your company can develop a workforce that’s as committed to your company’s success as you are.

Safety consciousness tends to slip over time – and it’s your responsibility to make sure that this doesn’t happen. A well-prepared and well-executed safety audit/inspection program can play a key role in your risk management by uncovering conditions and work practices that could lead to job accidents and industrial illnesses.

Stated more positively, this means checking to see that things are in good shape. In addition to help preventing accidents, the inspection program will keep management informed about the “safety status” of your organization, provide a consistent method of recording observations, and reduce the possibility of important items being overlooked.

Safety inspection tours are like preventive maintenance. Every piece of equipment wears down and deteriorates sooner or later, and needs to be checked. Similarly, employee work procedures fall into routines – some of them unsafe – over time, which means that you need to evaluate them at regular intervals.

Safety inspections have a number of objectives:

• Spotlighting unsafe conditions and equipment.
• Focusing on unsafe work practices or behavior trends before they lead to injuries.
• Uncovering the need for new safeguards.
• Getting all employees to buy in to the safety program.
• Re-evaluating the safety standards of the organization.
• Comparing safety results against safety plans.
• Gauging the relative success of safety training efforts.
• Anticipating problems in advance of any OSHA inspection.

Our agency’s risk management professionals would be happy to work with you on developing and implementing a comprehensive safety inspection program for your business. Feel free to get in touch with us at any time.

Any business owner knows that sound risk management provides a foundation on which to stack all other operation strategies — and a great way to reduce accidents and injuries and lower your Workers Comp premiums. Because this is such an important topic, here are the seven essential benefits of a risk management program, according to The National Alliance for Insurance Education & Research:

1. Reduced cost of accidents
2. Providing adequate protection
3. Economy of operations
4. Integration of safety plans
5. Reduced risk of criminal liability
6. Ability to plan and budget more effectively
7. A clearer focus on the big picture

If you hire someone to oversee risk management, the Alliance recommends that they:

• Develop and communicate risk-management policies
• Prepare recommendations and reports
• Conduct risk-identification surveys
• Analyze and measure exposures
• Review leases and contracts
• Coordinate compliance with regulations
• Implement risk-control programs
• Investigate accidents
• Manage claims and litigation
• Arrange risk financing (including insurance); establish retention programs
• Determine and allocate cost of risk
• Monitor results

Our agency would be happy to review your risk management program at your earliest convenience and recommend precautions that can help keep Comp premiums under control.

As your business grows, the risks you face become more complex, potential losses grow, along with your insurance premiums. At some point, you’ll need to decide whether it makes sense to turn over the responsibility for risk management to a full-time professional.

Before making this decision, experts recommend that you weigh two key factors: 1) the cost of paying a full-time risk manager, and 2) the potential savings that this manager can generate.

The first element is relatively easy to determine, it’s the salary and overhead of the manager, plus whatever clerical support that he or she needs.

The second item requires you to analyze the extent which a full-time risk manager can:

• Centralize and compartmentalize responsibility for risk management in a single department. This improvement in efficiency should more than offset the increase in administrative costs.
• reduce losses by providing analysis of loss control needs, careful scrutiny of reports, and knowledge of whom to contact for specialized help. Careful attention to loss reserves and adjusting practices can help cut costs dramatically. For example, adjusting liability and workers compensation claims requires special expertise. Insurance companies generally provide adjusters, it’s always helpful to have someone on your team who can evaluate their conclusions.
• help lower your premiums by paying closer attention to coverage criteria, negotiating with agents, brokers, and insurance companies, and using familiarity with industry terminology.

If you’d like our input on making this key decision, feel free to get in touch with the risk management professionals at our agency at any time. We’re here to serve you.

Some people — managers and business owners included — are just better at managing risk. Maybe it has something to do with personality or natural ability, maybe it has something to do with a more developed skill set or greater understanding of the risk management process — most likely, it’s a little of both.

Management consulting firm Accenture decided to explore the question of just what makes a business owner or manager truly effective at handling risk, and here’s what they found:

Top-performing owners and managers:

• Advice when developing and maintaining risk management programs and activities
• Are involved more with their boards of directors in discussing potential risks and how to handle them
• Focus more on emerging risks and strategic risks than day-to-day management of known weaknesses, leading to greater effectiveness and responsiveness when new risks emerge
• Are at the head of the pack when it comes to analytics
• Excel at recruiting and retaining employees, as well as training them
• Face fewer obstacles with regard to board buy-in, employee skill and even budgets

Some of these factors are advantages that not all businesses enjoy. For instance, most managers and even owners find themselves up against budget constraints more often than not, especially where risk management is concerned. But other factors are clearly skills that can be developed and honed.

For instance, getting bored buy-in might be easier if you take the time to develop ways to reward your board members in meaningful ways to let them know they’re valued. We’re not talking kickbacks here — just simple ways to let them know you appreciate their time, like a phone call or a thank-you card.

Likewise, learning how to screen employees during the hiring process and implementing effective ways to retain good employees are skills that can be learned. In fact, both of these factors — dealing with the board and handling employees — are people skills that involve a certain degree of insight. If you’re lucky, that insight comes naturally; if not, it’s certainly a skill worth cultivating.

Employees who don’t learn the safe way to work are accidents waiting to happen — and that means that workplace safety training should play an integral role in your company’s risk management program. Repetition is essential to this process.

Make sure that your trainers repeat essential work safety concepts, information, and terms several times. Look at it this way: At any moment during a training session, some trainees probably aren’t going to be paying full attention — and if they don’t hear something, they’re not going to do it when they get back on the job. What’s more, many people might need to hear, see, or experience things at least twice before they understand.

Repetition is also important when it comes to practical applications of safety information. Employees need the opportunity to practice what they’ve learned until it’s locked into their heads and their performance is flawless. So when a safety procedure involves a practical act, be sure that the trainers give a demonstration, repeat it a few times until everybody catches on, and provide feedback while trainees practice.

You’ll also need repetition to make sure that workers don’t forget what they’re supposed to have learned. Training industry leader Bob Pike says that people can remember 90% of what they’ve learned one hour after training, 50% after a day, 25% after two days, and only 10% 30 days later. According to Pike, full retention of subject matter requires no fewer than six repetitions! That means plenty of follow-up and refresher training — especially for more complex material. Other experts recommend spacing safety reinforcement training so that employees can practice new procedures and skills or use new information on the job supported by coaching before they go back to the classroom for review and additional training.

Evacuation plans are essential for your small business as you protect your staff, customers and visitors. Consider seven factors as you plan your evacuations. With this checklist, everyone can exit peacefully and safely.

1. List Conditions that may Force an Evacuation

   Weather, fire, terrorism, toxic material release, workplace violence, civil disturbances and other conditions may force you to evacuate your business. When you make a list of conditions that could affect you, you can prepare comprehensive evacuation plans. For example, your evacuation strategy may include staying indoors during a civil disturbance, but you’ll want to go outside if a fire breaks out.

1. Create a Clear Chain of Command

   Chaos will rule if you have several people in charge of an evacuation. Create a clear chain of command when you assign wardens. Ideally, you’ll have one warden per 20 people, and you’ll assign one warden to be in charge as the highest-ranking responder. He or she will assume command, make the call to evacuate and report to the onsite emergency coordinator.

1. Post Specific Evacuation Procedures

   Every employee should know the evacuation procedure from anywhere in the building. A floor diagram map will designate exit routes, mark emergency equipment locations and direct staff to the assembly location. Additionally, exits must be clearly marked, well lit, wide enough accommodate employees and unobstructed at all times.

1. Plan for Visitors

   If you welcome customers, clients or other visitors into your building, you must make sure they can get out safely during an emergency. Assign one person in each department to assist visitors. Also, make sure that visitors with special needs or disabilities can exit safely.

1. Designate the Last Employees Out

   The department wardens will usually take on the role of last employees out. They shut down critical operations and know how to turn off the electricity or gas. They also check office spaces, bathrooms and other areas to ensure everyone has evacuated, understand when to evacuate themselves and close the fire doors when everyone has left the building.

1. Account for Employees

   To make sure all employees evacuated safely, plan a way to account for everyone. Designate areas indoors and outdoors where employees will meet. These spaces must have adequate room for everyone. Be prepared to take a head count, too, since it enables emergency personnel during rescue attempts.

1. Comply With OSHA Emergency Standards

   Every section of your emergency evacuation plan must comply with OSHA standards. Review your emergency plan regularly to ensure it remains current as your business grows.

Safety comes first in your small business. With these seven considerations, your evacuation plan will help your employees and visitors stay safe.