Being aware of emerging risks to your business is your first, essential step to avoid being caught in a storm.
Solar flares, drones, driverless cars
, civil unrest, longevity, climate change, big data, 3D printing – there are endless changes coming our way and each carries its unique risks.
Consider the news that road deaths will be enormously reduced once driverless cars rule the streets, as human error will no longer be a factor. You would think such a development contains no downside, but it does. What about the tens of thousands of seriously ill people in hospitals waiting for donor organs that today are overwhelmingly provided by car accident victims?
Those same autonomous cars will never speed or park illegally, another great benefit for society, right? Actually, many local governments rely heavily on revenues from speeding tickets and parking fines. Some towns in the US Midwest raise 30 per cent of their budgets from fines for traffic infringements, Charlie Kingdollar, Gen Re’s specialist on global emerging risks, told the Australian and New Zealand Institute of Insurance and Finance’s Reinsurance Rendezvous conference in Canberra in 2016. Could driverless cars cause another global financial crisis?
These potential issues are very real challenges for the insurance industry and, increasingly, for directors of businesses who need to prepare their companies for all forms of risk.
“Consider global warming and rising sea levels,” says Chris Mackinnon, insurance company Lloyd’s general representative and country manager in Australia. “According to the Population Reference Bureau, if sea levels were to rise by four metres, almost every single coastal city in the world would be inundated. Directors that hadn’t planned their strategy around the knowledge that this could occur, and therefore hadn’t protected shareholder value, are going to be subject to regulatory or legal action.”
The insurance industry tracks emerging risks for various reasons. It’s a service to their clients to be able to inform them of all types of risk. The industry also has its own regulatory requirements, which include carrying sufficient capital to back up the risks they cover.
Lloyd’s, for instance, subscribes to Europe’s Solvency II directive, which states that any insurance company must be able to provide sufficient capital to survive an adverse balance-sheet movement based on a one-in-200-year chance of an occurrence. That means a strict analysis of not only current risk but also emerging risks, including some many of us may never have heard of.
Solar flares and solar storms are a good example, says Mackinnon. “The last one occurred 159 years ago, but specialists tell us such events have been modelled as a one-in-150 return event.”
This means the next major solar storm, which involves a large burst of electromagnetic radiation shooting off the sun and scoring a direct hit on earth’s atmosphere, is nine years overdue.
“These storms are a frequent occurrence – it’s what causes the northern lights effect in some regions,” Mackinnon says. “But when you get a big one, our atmosphere builds up a massive electrical charge, which looks to earth itself. When the last major solar storm was recorded in 1859 across North America, there were no electricity lines but there were overhead telegraph wires. Huge sections of wire were burned out, causing major interruption to communications, as well as property damage.”
He adds that in March 1989, a solar flare and geomagnetic storm tripped circuit breakers on Hydro-Québec’s electricity transmission system in Canada. Six million people in the province of Quebec lost power for nine hours, in winter.
Using such case studies, Lloyd’s has been modelling the solar flare situation. Its worst-case scenario says consequences could include economic losses of almost US$3 trillion, 40 million people impacted and a recovery time of up to two years.
The situation is so serious that in May 2017 the US Senate unanimously passed the Space Weather Research and Forecasting Act to support the research of space weather and the development of new technology to monitor solar flares.
It’s not just space weather that can cause serious business pain. Mackinnon mentions a US car maker that was forced to halt production for a fortnight when its supply chain was interrupted by floods in Thailand.
However, emerging risk is not all about doom and gloom, Mackinnon says. Businesses should simply be aware of emerging risks. They should plan and prepare. Doing so could lead to innovation, protect directors from legal or regulatory action, and save a business from being caught in a storm.
These are some of the most interesting emerging risks, according to experts in the field.
Risk management - assessing risk: This course examines the techniques commonly used to assess risk.
Cybercrime is the blockbuster of emerging risk. It’s a big issue right now, with the May 2017 WannaCry global ransomware attack still fresh in people’s minds, but it’s going to get bigger.
Ganesha Rajanaidu, CSL Limited’s regional information security officer for the Asia-Pacific, says the Ponemon Institute’s global 2016 Cost of a Data Breach Study put the average total cost of a single data breach at US$4 million. Cybersecurity Ventures, in its 2016 Hackerpocalypse: A Cybercrime Revelation report, predicted the global cost of cybercrime could reach US$6 trillion by 2021.
“Dwell time, or the amount of time a hacker has access to your system before the breach is detected, is an important measure of cybersecurity,” says Rajanaidu.
In its M-Trends 2017 report, US cybersecurity firm Mandiant found the median dwell time from compromise to discovery was 99 days in the Americas; 106 days in Europe, the Middle East and Africa; and 172 days in the Asia-Pacific region.
“These numbers are consistent with the level of investment we see in cybersecurity by region,” Rajanaidu adds.
A business that is doing a good job at mitigating cyber risk has executive engagement in the issue, including a report to the company board every six months, says Rajanaidu. It also typically has baseline preventative controls; a zero-trust approach; strong detection capabilities at various layers (the host, network/infrastructure or application); quick and effective response capabilities; and a combination of internal audits, vulnerability assessments and penetration tests to monitor the effectiveness of controls.
It appears there is still some way to go. EY’s Global Information Security Survey 2016 found 87 per cent of boards and C-level executives surveyed lacked confidence in their organisation’s level of cybersecurity.
Nick Sordon, casualty senior underwriter at Swiss Re Australia, says remote piloted aircraft (RPA), otherwise known as drones, are still considered an emerging risk by insurers. Their use in business is growing exponentially, but the laws and regulations governing drones are still evolving. Personal injury cases, property damage and, potentially, privacy claims are just beginning to work their way through to insurers and the courtroom.
“Recently the Federal Aviation Administration said that by 2021 the domestic [hobbyist] use of drones in the US will grow from 1.1 million to 3.6 million and that commercial use will grow from 42,000 to almost 442,000,” Sordon says. “One of the drivers is that drones are being used for the ‘triple D’ jobs – dirty, dull, or dangerous.
“There is personal injury risk when drones drop out of the sky from a variety of causes,” he says. “A drone crashed on a female athlete during a triathlon in Western Australia [in 2014] and caused significant head injuries. In the UK, a child lost an eye when a drone operator lost control and the drone struck the child’s face. For these reasons and others, there are strict rules around drone operation.”
“What could the consequences be when there is not enough food and water for 1.2 billion people?”
Simon Hooper, QBE’s aviation underwriter, says a lot of companies don’t have a good understanding of aviation regulations and operations. “There might be a civil engineer who brings a drone in to work and says, ‘Look at this, boss. It’s amazing.’ The manager rings and asks if they can take out public liability cover. That rings alarm bells because it shows they haven’t done any research. They don’t need public liability; they need aviation third-party liability cover.”
Drone pilots in Australia who are flying the machines for money need a remote pilot’s licence and/or an RPA operator’s certificate from the Civil Aviation Safety Authority. That’s a good thing, says Hooper, as it helps the pilot become familiar with regulations, identify hazards and risks and, of course, become competent in drone control. There are safety guidelines for those flying drones for fun, too (see www.casa.gov.au/rpa).
Singapore, Malaysia, Hong Kong, New Zealand and many other jurisdictions also have regulations and permit systems covering drone flights.
In the typical manufacturing environment, if a product causes an injury, there’s usually a fairly clear chain of responsibility leading to the manufacturer. With 3D printing, however, that line of responsibility is blurred, says Sordon. The fault could be with the manufacturer of the printer; with the person or business that released the design; the printing filament producer; the person who did the printing; or the person who sold the printer. Additionally, through 3D printing, the traditional centralised manufacturing process is altered; products can now be printed on demand at any location.
“There is potentially a huge complexity around the chain of responsibility, which will be similar to driverless cars in terms of figuring out who, or what, is responsible for an accident,” he explains. “Who owes the injured person a duty of care and who has breached this duty? Technology is creating new and evolved chains of responsibility and it is vital that businesses are aware of these complexities.”
Social media means bad news stories travel much further, much faster than they used to, says Ben Crowther, JLT Australia’s divisional manager – risk. That can have a huge impact on a business’s reputation. United Airlines found that out after a video of a passenger being forcibly removed from one of its flights in April 2017 went viral. The rough handling the man received saw the incident make headlines around the world.
When United Airlines CEO Oscar Munoz sent staff an email defending the actions – seats were needed for United Airlines crew members – the call on social media to boycott the airline got louder. In the following week, the value of United Airlines shares dropped by 4 per cent, wiping US$770 million off the company’s market cap to bring it to US$21.5 billion.
“Brand and reputation are not necessarily something that one can fully insure,” Crowther says. “Insurance cover is not going to keep you off the front page of the newspaper.”
This issue, however, also flags up the positive side of emerging risks. They can help a business to improve its systems ahead of time, as United Airlines is no doubt wishing it had done.
“The solution is to build resilience and maturity within an organisation, in order to deal with risks as they appear,” Crowther says. “In the corporate context, there are often discussions around red sky and blue sky thinking. Adopting a similar way of thinking about risk could also prove beneficial.
“Looking at existing sources of risk and how they evolve, then looking at completely different sources – such as international security – improves the business and makes it far more mature.”
Businesses are now having to seriously think about procedures to do with climate change, Sordon says. It’s not only about trying to become carbon neutral, but should also cover what businesses will do when they, or their supply chain, are affected by weather events.
“The interconnectivity of risk and the accumulation of exposure is something that perhaps businesses did not previously appreciate,” he says. “Major weather events have identified chain-of-supply and manufacturing-chain risk. An event on the other side of the world can cause quite a large loss. Furthermore, as exemplified in recent bushfire and flood events, a business may find that they are exposed to public liability claims through major weather events.”
Food and water security
Food and water may seem relatively secure in your own country, but what happens if China experiences a water shortage?
“If there are issues with food and water security in China, what sort of supply-chain risks does that affect?” Crowther asks. “What could the consequences be when there is not enough food and water for 1.2 billion people?
“China plays a huge role in the manufacturing supply chain for a lot of businesses and is a key export customer for many nations. What are some of the issues and some of the risks?”
Managing an organisation’s risks is not only about responding to current hazards, but about anticipating future dangers. The bad news is that risks seem to be emerging from everywhere. The good news, however, is that almost any business risk can be prepared for and successfully defused if you have access to the right information.
Tip of the iceberg
There are many more emerging risks than those mentioned in this article. Swiss Re’s SONAR New Emerging Risks
report, released in 2016, highlights issues such as:
- Legal risks from the sharing economy
- Mass migration, such as the influx of refugees into Europe
- Health implications of increasing meat consumption
- Potential economic impacts of central-bank interest easing or raising
- Political, economic or other crises in emerging markets
- Crises of trust in public institutions such as governments, banks and companies
- Artificial intelligence and robotics in the workplace
- Internet fragmentation
- Viral spreading of messages and calls to action via mobile technology
- Phoney data resulting from the ever-increasing importance of digital analytics
- Human-induced earthquakes caused by practices such as hydrofracking
- Ocean pollution from microplastics
What a data breach means to your business