Beyond the Pain: Prioritizing Risk Management

Identifying weaknesses and shortcomings is the first step in moving toward a protective business solution, but risk management is the important next step all businesses need to take. In this episode of Risky Business, Colin Rooke explains risk identification, what to look for, the usual causes, the cost, what to do in the event of a breach and putting policies and procedures in place.

risk assessment

Listen to the full episode here, or read the full transcript below.


Getting Your Prescription with Your Diagnosis

Paul Martin: Welcome to Risky Business, Commercial Insurance with Butler Byers. This is Paul Martin, the business commentator here on CKOM, and joining me as always is Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers Commercial Insurance. And Colin, you know we’ve been at this a couple of years now, and we’ve talked a lot about the risk reduction program and the risk assessment program, so the step by step analysis that you would walk a client through, and say, “Here, let’s identify some risks, and then we’ll go and talk to insurance underwriters or carriers,” and say, “Here’s my client, this is their shopping list of things that we’ve identified, how do you wanna rate them?”

Paul Martin: But you don’t just stop there. You say, “All right, we’ve identified some risks, now …” That’s like going to the doctor and saying here’s your ailment, and you get no prescription. You also provide the diagnosis as well as the prescription of, These are the things you need to do to fix it.” So that’s what I wanna talk about today, if you’re alright with that. Let’s talk about the tools that you and Butler Byers bring to the table, if I was a commercial operator, I had a business, and I came to you and said, “I want you to be my insurance broker,” and you took me through the step by step plan. We identified some, perhaps weaknesses and shortcomings, you don’t just say, “Well tough luck buddy, you got them.” You’ve actually got some tools to fix those things, to actually correct them.

Colin Rooke: We do, and we’ve talked a little bit about other tools in past shows, so I won’t go on a cyber crime rant, but if there’s an exposure there, we’ve got a very in depth plan that explains what it is, what to look for, the usual causes, the cost, what to do in the event of a breach. There’s some policies and procedures. There’s a bring your own device policy for example. Lot of discussion, and there’s even a mini, I call it a disaster recovery plan. Covers everything from PR, who’s gonna look after handling the breech from a public relations perspective to, who does what within the organization. And so, we have a lot of those, I mean as we are identifying risks, we then say, “We’ve identified it, and now we’re prioritizing that risk with our clients, so what are we gonna do?”

Colin Rooke: We’re talking about it, we better have something. So, we have a lot of, like I said, we have a lot of those tools, a lot of those tools, but what we also have now and they’re newer, they’re tools to help, I’ll say, sell the risk internally, when we’re not around. So if we’re talking about employment practices and it’s at the workshop level, when we’re covering all sorts of risks in our initial assessment, we’re not really digging deep. I mean it’s a 10,000 mile high in the air approach initially. And it’s because we have to cover so much ground off the hop. But then, and part of the process is develop, or identify the hot buttons, and those topics that require more discussion. And sometimes the answers that we get vary. And you can attribute that to, I don’t think they’re on the same page on, again is this risk real to us?

Colin Rooke: So what we did, we developed a tool, in this case, that would allow you … I should say tools, to go back to the office, have a management meeting, discuss it with the group. It’s an interactive questionnaire. It scores it for you, and you can decide yourself. “So Colin mentioned this risk, I mean he brought it up and got us thinking, but is the risk real to us? Maybe we need to dig deeper.” And it’s about, like our traditional workshops are about 45-60 questions. These tools might have 45-50-60 questions, just on one risk. But I can assure you, once you’ve gone through that, you’ll all be on the same page, that this risk is real to us.

Colin Rooke: So it sells the plan. It sells, why work on this. Well, you decided as an organization that this is a problem. You filled it out, you talked it out, you got back to me with your answer, your score. So it’s just easier to sell, it makes it real, it makes it more I guess, front and center, top of mind. And it allows us to quite frankly, I’ll say implement our work a little more effectively.

Paul Martin: It’s an interesting observation or point that you’re making here, because obviously if I’m the owner of the business and I’m writing the check for the policy, the insurance policy, I’ve got a kind of a stake in this. But what you’re saying is now, you’re gonna help me as the owner actually push this down inside my organization, so as the guy writing the check, I’m motivated. I need to figure out how to get my front line people equally motivated. You bring me a tool that will enable me to do that?

Creating Motivation for Risk Management

Colin Rooke: Yeah, you know I have a skill set for creating pain, I’ll say, or freaking out the owner, and CFO, or whoever’s in the workshop. I mean I’m really good at that. And I’m not deliberate, but I am passionate about risk and so, but it’s one thing to say, “Okay, we’ve got a crime,” or, “We could have a crime problem. Colin brought out some really interesting stuff that we hadn’t thought about, and I’m really worried.” But then you take it back to the shop, and you talk to some middle managers, foremen, or just with the group, and you say, “You know, I don’t know. Maybe we talked ourselves, maybe we got a little excited. Maybe Colin’s just too good at this, at scaring people.” So we have these tools where you could say, “Well, look. We don’t wanna miss this. We wanna figure out, is this real to us? Where do we stack up?”

Colin Rooke: And yes, so I have self assessments you can push downward, get everyone else on board. They will understand why we’re doing this, what the problem is. It’s their own answers to our questions. So I mean, if they identify the need as a group, it’s more real, and it allows us to really be effective with the work we do.

Paul Martin: Well I could envision a situation where, different departments within the same company would have differing views. I would think you could scare the CFO into thinking there was a cyber security issue, but IT denies that. So now you’ve got this scrap going on with two departments inside. This will overcome that?

Colin Rooke: Yeah and that’s a great example with CFO versus IT, because I’m scaring CFO and then, CFO reaches out to IT, and so if you’re not coming from an insurance, or a proactive risk, kind of a reputation risk angle with IT, what I’m not doing is saying, “Your IT department isn’t doing their job.” I’m never saying that, and really that’s not the issue. Wen you hear of all these worldwide breeches, it’s not the IT department not doing their job. That’s never the cause. It’s human error. And so, when you explain what we’re talking about, and when you go through the self assessment, and it talks about, “Do you allow employees to bring their own devices to work?” And, “What are the rules and regulations around that?”

Colin Rooke: Then if IT is seeing this questionnaire, or working on it again, with the CFO or the management group, the light comes on. “Okay, no one is pointing a finger at us. This is designed to help make our lives easier, so then we have less problems to deal with.” And we get true engagement that way. They’re part of the plan, the team, and I think that’s the real benefit of these tools, these score cards.

Paul Martin: So this is all part of the program, I mean we have the step by step risk management program, but then this is the risk reduction component of it, that follows behind it.

Colin Rooke: Yeah, because again, if I get the CFO excited, and say, “Moving forward we need to do the following,” and we leave that meeting with a game plan, you get resistance from IT. It’s maybe not worth the fight, and then things don’t happen. But, if we could just explain to everyone involved what our angle is, it appeases a lot of the anxiety. So as you deal with larger organizations, they will often have loss control. Someone in charge of loss control, or maybe a loss control department. And so a common objection would be, “Oh Colin, it really sounds great, this risk reduction and risk management stuff, and I bet you there’s a lot of small businesses that really take advantage of this, and you’re doing great things for the industry, but we have loss control already.”

Colin Rooke: And I say, “That’s fantastic. Well I’m gonna make their lives really easy, and I can’t wait to meet them. But in no way is this designed to replace loss control. I’m working with them. I’m gonna augment what they’re doing, and I’m gonna make their lives easier with so much support the won’t believe it. But in no way am I suggesting that you wouldn’t have loss control. I’m coming at it from a completely different angle.”

Paul Martin: All right, we’ve gotta take a little break. If you don’t mind just standing by, we’ll take a little break, and by the way, we have a new sponsor on this program, Wawanesa’s so perhaps we’ll hear from them, you never know. Anyway, you’re listening to Risky Business, Commercial Insurance with Butler Byers and Colin Rooke.¬†

Paul Martin: Welcome back to Risky Business, Commercial Insurance with Butler Byers. This is Paul Martin and joining me, as always, is Colin Rooke the commercial risk reduction specialist with Butler Byers Commercial Insurance. Just before the break we were talking about how you work in hand in glove really with the more technical departments within a business. You will work not just with the CEO or the owner, but actually you will get involved with line departments and people who work in there to kind of bring everybody to a common understanding of what the risks are, and what you can do to help, and how you can help make their lives better.

“What we are selling is a team approach to commercial insurance.”

Colin Rooke: Yeah. I was thinking about it during the break and really what we are selling is a team approach to commercial insurance. I mean, I think a lot of times the client’s surprised that I want to bring more people into the circle, but if we’re working on risk, it’s not a one man show. It’s an organizational-wide problem or initiative, and so the more the merrier. The more they’re on the same page, the more that understand what we’re doing and why. Ultimately, we’re trying to make our clients less risky, or we are making our clients less risky. The buy-in is … We just find that the buy-in is there. When it comes to the policy itself, for example, I wouldn’t want someone else to sell the policy on my behalf, and so then why would I want someone inside the organization to sell these topics to the group.

Colin Rooke: Then, often it’s hard to get everyone in the same room, so again, we made it easy. Our model at Butler Byers Insurance is insurance made easy and this is one of those tools where we made selling the need, the risk easy and you can work through it yourself. These questions, I mean, again, I might create pain initially, but the tools aren’t designed that you fail. I mean, not everyone fails and in fact, most people don’t fail, but you’ll get a very clear understanding of where you fit from a benchmarking perspective. You might be fantastic, and we’re talking about directors and officers for example, you might be doing everything right. You work on this tool, you give it back to me, I have proof that you’re doing everything right.

Colin Rooke: I mean, I can … At that point, so I say, “Geez, the first zero in my whole career.” I mean, every single marker. I mean, I can’t wait to go to market with this. You literally made no mistakes. I mean, that could be the result as well. I guess what I’m saying is I’m not trying to make it seem worse than it is, but it will give me a true clear understanding of the topic if we have more people involved in identifying the need.

Paul Martin: Well, my guess is most businesses probably wouldn’t have a very good sense of where they stack up in a benchmarking context, but [crosstalk 00:03:14]-

Colin Rooke: No.

Paul Martin: The competition, or those in the industry, or the whole universe of business in general, most of us wouldn’t have a clue about where we stack up in that kind of assessment.

Colin Rooke: No. It’s sort of a … It’s a really great feeling when you can go back to a client and say, “So, when it comes to cyber crime, you’re actually low risk overall. I mean, you’re not absent from risk, but you’ve really done a lot of meaningful stuff, especially on the education and risk management side.” Again, one of the questions that is not on that assessment is, “Do you have an IT department?” I mean, that’s assumed. Again, so we’re not after IT. We want to know how are you dealing with the risk. Are you explaining the risk? Are you educating the risk? Are you talking about the risk? In addition to understanding what we’re doing and why, again, as far as selling the story to the insurance market, this really helps. I mean, if we can pick a topic, dig deep, and have 25-30 easy to answer questions in front of us, again, it just does wonders when we’re selling your business to the insurance market, which is the ultimate goal here.

Paul Martin: Well, you know the thing that really stands out for me in what you said so far in this program on risk management, is that it validates for me as a business owner just where I stack up in the industry. Because probably, you’ve got I don’t know how many different questionnaires. You probably cover 50 topics or something.

Colin Rooke: Yeah.

Paul Martin: [crosstalk 00:04:45] How would I know how I stack up in 50 different angles or lines of when I look at my business? How do I stack up in IT compared to sales, compared to employee engagement? I wouldn’t have a clue on those things and you bring all of that under … Into one sort of spot for me.

Colin Rooke: Good point. I mean, it’s also something that you can … As a business owner, you can hang your hat on. We’re doing okay. We’ve worked on it, we’re doing okay, but I mean it is nice to know that, okay, among … Whether it’s across all business or even in your category, here’s where you fit. One thing I really want to stress for anyone out there that’s ever filled out an insurance application, I am not referring to questions that are on an insurance application.

Colin Rooke: Again, back to the cyber crime just because we were talking about it, I don’t want to know how many files you have, I don’t need to know your web address to answer this questionnaire, I don’t need to know annual sales. Again, we are not discussing what requires Butler Byers or any broker to generate a quote. I truly want to know your approach on the subject, what you’re doing internally. It’s those types of questions. It’s not a roundabout way to ultimately get to the end goal of quoting, it’s true proactive risk management. It’s true benchmarking against what the best are doing, what you should be doing, as opposed to just information gathering.

It’s not a roundabout way to ultimately get to the end goal of quoting, it’s true proactive risk management. It’s true benchmarking against what the best are doing, what you should be doing, as opposed to just information gathering.

Paul Martin: The other thing that I find intriguing, and this is … If I do that with you this year, two years from now I can come back and do it again, and I can see if I made progress.

Colin Rooke: Yeah.

Paul Martin: As a manager or a leader of my business, am I actually improving the quality and the performance of my organization?

Colin Rooke: I mean, exactly. It’s not only are you benchmarked against, I guess, the industry as a whole, but you’re sort of benchmarking against yourself in a way, where you can say, “Geez, we’ve done a lot. I mean, we’ve really moved the needle on crime and fraud inside the organization.” I think that’s a great thing as well. Again, it’s something that we can take to the market and say, “We did an assessment. They were high risk for crime. I mean, they virtually had no controls in place.” We talked about it, they saw the need. We’ve changed things and they’re, I’m happy to report, low risk and the proof is in the pudding. Here it is.

Paul Martin: I suppose if I go back to the insurance industry two years from now with a benchmarking from two years ago to today, they can actually see the improvement as well-

Colin Rooke: [crosstalk 00:07:30] Yeah.

Paul Martin: It’s validated right there.

Colin Rooke: Exactly. The pricing on a policy, it’s not just everything lumped into one. I mean, each line of coverage has a rate. If you say, “Geez, we were high risk, we were paying, in my opinion, a high rate for crime coverage, and looking back, we I guess, probably should’ve been. Now, we’ve put in the work.” They’ve sold that work. The rate went down and I feel comfortable with what we’re being charged for the exposure.

Paul Martin: Colin, we’ve run out of time. Not out of stuff to talk about, but out of time. Thanks, as always, for joining us. You’ve been listening to Colin Rooke, the commercial risk reduction specialist with Butler Byers Commercial Insurance. My name is Paul Martin. You’re listening to Risky Business, Commercial Insurance with Butler Byers. See you next time.