Risk Assessment Factors

Home For Business Risky Business Podcast Risk Assessment Factors

Creating an insurance program that suits your company’s needs. In this episode of Risky Business, Colin Rooke and Paul Martin go step-by-step through a risk assessment plan.

Listen to the full episode here, or read the full transcript below


Paul Martin: Welcome to Risky Business, commercial insurance with Butler Byers. This is Paul Martin. I am the business commentator on CKLM, and you’ve heard me talking about the Butler Byers risk assessment system. Today we’re going to dig much more deeply into that system itself. Joining me, as always, Colin Rooke, the commercial risk reduction specialist with Butler Byers commercial insurance. Colin, we have done this show for well, the better part of a year now, and we’ve been talking a lot about your step-by-step risk assessment plan and really some more generalized questions around the issues related to insurance and, more specifically, risk. Today I want to talk a little bit more about your step-by-step assessment program. Let’s dig into that a little bit so that someone who’s listening to this might understand exactly what you’re aiming for when you pull up the assessment. What’s the overarching objective that you’re trying to achieve with this thing? Why do you do it? Others don’t do it; you do. Why?
Colin Rooke: Good point, Paul. We spend a lot of time working on risk identification, and that’s really the design of the assessment. What risks can we identify together, and what areas can we work on? From there, and we’ve talked about this before, we put it into a plan. It’s a presentation, and this serves as okay, what are we going to do moving forward? This is really the difference-maker for us. We’ve got a working agreement. We’ve said okay, we are going to address the insurance needs. We will put together an insurance program that will suit the company, but, as we’ve learned, that’s just the tip of the iceberg. That’s just some of the risks our clients are faced with.
So how are we going to improve performance? How are we going to work with our clients to make them better? That’s really where the plan comes into play. We have people going through the process. When I’m just asked, out and about, about what the heck are you guys doing over there, we want to dig a little deeper and expand on that today. That okay, we’ve uncovered a risk. We’ve talked about it. We’ve put it in a plan. Now what? Your client of other buyers or a prospect of other buyers, what are you really going to do to help me? We’re going to discuss that today a little further.
Paul Martin: Exactly, because I think this is why we’re even having this conversation. It is such a departure from the traditional approach to writing a policy or writing insurance coverage for a client. Normally, a broker comes in and says, so talk to me about your physical assets, your buildings and your cars and that kind of stuff. Tell me about your cashflow because we can insure that for interruption. But that’s kind of where it ends. You say, I’ll get to that, but we’ve got a lot of water to cross between now and then because you’re trying to identify these risks. I guess my question to you is why is that so important?
Colin Rooke: It’s important because, again, we’ve worked together with our client, and we’ve identified a risk. Sometimes there is a solution that you can rely on financing that risk by way of an insurance policy, but sometimes, quite frankly, an insurance claim in an area is really just the tip of the iceberg. I mean, it’s really not what’s going to impact the organization as much as really an external factor that’s uninsurable. So we’ve talked a lot about cyber crime. What we’ve done is we’ve talked about statistics and the prevalence of cyber crime, how fast it’s growing in the world today. So we’ve touched on that, but what we haven’t really dug into is okay, so we’ve done an assessment. We’ve talked about cyber crime with the company, and I’m going to pretend it’s our worst-case scenario, that the plan moving forward is there is a significant threat there. So what the heck are we going to do about it? We’ve spent all this time identifying. Now what?
So I want to walk you through, again, what we would do with a client. So, initially, we’ve said okay, they don’t know a heck of a lot, or there’s a lot of exposure there. So the first step, what we’d do is we’d administer a personal cyber risk questionnaire to the management team. We need to know what do they know about cyber crime. What is it? What’s their level of preparedness? Then we have to judge that. Now, we also know that let’s say they’ve had talks as a management team about cyber crime. It doesn’t necessarily transcend to talks to the rest of the company. So then we do a company-wide sort of level of preparedness assessment as well. So what does the management team know? What have they done? Great. What does the company, and what are they doing?
From there, we’ll read the results, and we’ll say okay, we might need to move to a next step. From there, we do a cyber crime assessment, a company assessment where we really dig deep into specific issues. What could happen? What would be the results to the company? What would occur if this did happen? How would we address it and why? What would we do? So it’s very in-depth. We talk about all areas of operations. Again, we work on specific problems. Then let’s say that’s not enough. We’ve got a fourth level, so to speak. Really it’s our own proprietary product. It’s a toolkit we use, and we administer it company-wide. It explains to everyone what cyber crime is, what to look for, how it’s changing. There’s surveys you can provide to the staff to determine their level of preparedness. There’s even sort of a disaster, almost a mini reputation management program that we’ve developed built in. Again, we can administer that to the whole company.

From there, on an ongoing basis, we focus on continued education. So we don’t just drop off assessments and say, work on it and we’re done

From there, on an ongoing basis, we focus on continued education. So we don’t just drop off assessments and say, work on it and we’re done because we know cyber crime changes all the time. So we will provide ongoing articles, research. We’ve got a quarterly newsletter on the topic that we would provide, and we also work on a lot of education. So we have a cyber crime expert coming in, it’ll be mid-November, to again, talk to our clients again. If the exposure is there, we’ll even do one-on-one meetings with the cyber crime expert. So it really gets in-depth, really involved, depending on the level of exposure.
Paul Martin: Now, let me see if I got this right. You come in, and you administer this assessment, and you’ll start with the management team and ultimately through the whole organization. You’ll come back with a rating. So you’ll say let’s, for the sake of argument, say the company rated two out of five. You say now, we’re going to put steps in place to move you from two to four out of five. Have I got this right?
Colin Rooke: Exactly. Yeah, that’s the plan.
Paul Martin: So I guess the question I ask about that, obviously you’re investing heavily in this. What difference does it make if I’m a two or a four? Why do you care? How does it help you do business?
Colin Rooke: It helps us do business because when we’re working on risk, we have a better understanding of our client’s needs, but also it helps with retention. It helps with loss ratios. I mean, ideally we’d like to sell you a policy that you don’t use. We find, of course, and it makes absolute sense, through education and training and understanding, the likelihood of the organization having a claim is going to be far lessened. We also, just as a company, believe that it’s the right way to do business. We don’t want to sell our clients a policy and say, now we know there’s a risk, so we’ve sold you some insurance on that risk, but we’re going to leave you to navigate the ship by yourself. So, I mean, I think it helps us perpetuate as a company, and we’ve been around almost 110 years, and that’s not by accident.
Paul Martin: You’re listening to Risky Business, commercial insurance with Butler Byers. You’ve been hearing Colin Rooke, who is the commercial risk reduction specialist with Butler Byers commercial insurance. This is Paul Martin. We’re going to take a little break, and when we come back, we’re going to dig into this just a bit further.
Paul Martin: Welcome back to Risky Business, Commercial Insurance with Butler Buyers. My guest again today is Colin Rooke, the Commercial Risk Reduction Specialist with Butler Buyers commercial insurance. Now, just before the break, we were talking about how you assess or provide, can guide a company and say, “We can give you a kind of an empirical evaluation of how prepared you are for this problem or that potential problem.” But when you take that back and you say, “We’re going to build a plan that will move you from, let’s say two out of five to four out of five,” does that help you get a better policy for them? Does it help you make the case when you go to insurance companies on their behalf?
Colin Rooke: Absolutely. Again, all things being equal, if company A fills out the standard application, which will really focus on procedures, it’ll focus on receipts. It’ll focus on the website, the areas of business. Are you into eCommerce or not? These are all just flags for really your rate. I mean, that’s about it. So the application doesn’t help the insurance company really separate the great companies from the not so great. They’re very, very standardized. They’re looking for areas that are red flags. Now, if the nature of your business happens to be that you are in areas that are red flags from a cybercrime perspective. We feel that you shouldn’t be automatically penalized for that. You chose to be in that area for a reason and there’s a threat in this world that’s growing daily so we are exploring a and insurance coverage for that.
But having said that, that business won’t be alone. They’re not the only ones holding files on their clients. So what can we do to make this company, company A, standout from the pack? Well, that comes from understanding. That comes from saying we had a discussion, heaven forbid, on cybercrime and we learned some stuff and we learned that this company didn’t have all the answers, which they never do. We’ve decided to put a plan in place and we’re going to work on their level of understanding, their level of preparedness. We’re going to talk about things like social media policies, bring your own device to work policies and procedures. We’re going to educate on the topic. So the likelihood of things getting missed is greatly reduced.
And we’ve said this before, but if you are an underwriter and you are determining a rate and you’ve got company A that’s done what we’ve just discussed, company B just filled out the application, who looks better in your eyes, regardless of claims history? Someone that’s working on, maybe they made some mistakes in the past or someone that just fill out the application, And that’s all you got?
Paul Martin: As the underwriter, you have no real information beyond physical assets, Principally.
Colin Rooke: Exactly.
Paul Martin: And you’re saying that if you as a broker can work with a client, get to know them better, understand by providing, doing this research on them. You can assess the company better and say you’ve got strengths and weaknesses here. Let’s you and I work out a plan that’s going to make your weaknesses go away, that you can spin a better tail when you go to the … That Colin can spin a better tail when he goes to the insurance company on their behalf?
Colin Rooke: Absolutely, and really, again, we want to work on improving performance because we do know that when it comes to cybercrime or data breach, specifically the policy limit is the least of the company’s concern. It’s the reputation risk associated with it. But again, if there’s an insurance product required, if we’ve uncovered the need, it’s still our job to negotiate the best rates on behalf of our clients. I mean that’s what we’re here for. We can’t do that unless we’re armed with knowledge. And again, you can fool an underwriter once, but into lowering the rate, maybe you’re owed a favor, but to keep those rates low is, you need to put together a plan to show that this is going to be a risk and that’s what they’re labeled all businesses are risks to an Underwriter.
We need to show them that they are going to continue to be best in class, they’re going to continue to improve ongoing basis that they deserve lower sustainable rates. That if the insurance company has paid out huge dollars in the cybercrime, or cyber liability space that, that doesn’t matter because this company is still working on it so they shouldn’t be penalized for the mistakes of others. And that’s what we work on. So it’s, yes, it’s lowering the cost of insurance initially but also working to keep it low and avoiding market fluctuations that are going to impact our clients as well.
Paul Martin: Well, that strikes me, I mean, we’re talking about this in the context of how you make an argument on behalf of a client or a prospect to an insurance company, but it just strikes me, this is just plain old good business anyway. If you come in as an expert and say, “You know what, Paul, you’ve got a problem over here that I didn’t recognize. You helped me identify it.” And you actually help me build a plan that will get me, improve my processes. I should do that anyway, regardless of whether I’m buying insurance or not. This is a bonus that insurance is tied to it. Just good business.
Colin Rooke: We’d like to think so.
Paul Martin: So the company ends up better off whether they buy the policy or not I suppose.
Colin Rooke: Well, and not in every case, we’re going to recommend the policy. There are things where the exposure is quite low or if there is a breach we can determine whether or not our clients can handle that in-house regardless, but nevertheless, they still need to know what a breach is. They still need to know what constitutes cybercrime. We still need to know their level of preparedness. Really, whether we’re going to rely on an insurance product to help in paying out any claims. That’s a totally separate conversation then what are you doing to protect your company?

If we’re only discussing risks that are insurable and we’re not really uncovering the need or the gap in performance, are we really doing our job?

So again, if we’re just relying on an insurance product, if we’re only discussing risks that are insurable and we’re not really uncovering the need or the gap in performance, are we really doing our job? I mean, we don’t think so, which is why we’ve done this, which was why we spend so much time investing into resources, developing again, assessments like these to really get to the root of the problem.
Paul Martin: All right. We’ve talked a lot about the example of cybersecurity, cybercrime, cyber breaches. That’s obviously not the only topic in your assessment that’s just one of dozen or more than a dozen different topic areas that would affect the business.
Colin Rooke: That’s right. When we are putting together these assessments, they’re unique for every client. The topics that we discuss are relevant to your industry. Depending on the nature of your business, we might not discuss cybercrime at all or it might be so low on the sort of the assessment list. There’s far more topical risk that we could discuss at this time. You’ve mentioned again the cybercrimes. Just one topic. I mean we could have six shows just on succession planning alone. We’ve put a lot of work into that as well. But yes, we’ve got assessments that we’ve got tools in place, we have experts in place for darn near any risk.
Paul Martin: Yeah. I just wanted to make sure that we didn’t create the impression that the only thing your assessment looks at is cybersecurity. In fact, it’s, as you mentioned, succession planning. We’ve talked in earlier programs about employee engagement.
Colin Rooke: That’s right.
Paul Martin: And just reputation management, it’s a real waterfront of topics that you’re putting in front of a business owner and saying, “Did you think about this.” And, “How do you rank on that?” And, “Have you given any consideration to this one?”
Colin Rooke: Yeah, great point. The goal of today’s show is not to say, “We hang our hat on cybercrime,” but just to show that if that is a red flag, look at how in depth we actually go. I mean, we will go to extreme lengths if we need to help our clients work on the risk depending on the nature of their business.
Paul Martin: It’s a fascinating thing. We don’t have a lot of time left, but just what kind of reaction do you get when you go in and you talk to a business owner and you say, “I’m going to come at this from a completely different perspective.” How do they react to that?
Colin Rooke:: Quite frankly, often they say, “Well, how much is this going to cost?” Or else, “Why would you that? Why do you do this?” We spend a lot of time defending why we do it. And you said earlier it just seems like good business practice. The market is just not used to discussing anything outside of the insurance product that we do spend a lot of time defending why we are talking about new emerging risks and why our only presentation material is not just relevant to insurable product.
Paul Martin: It’s one of those be careful if it’s too good to be true?
Colin Rooke: Yeah, exactly.
Paul Martin: And it actually is true. Colin, thank you as always, very insightful. I really appreciate you taking the time to talk to us today. You’ve been listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Buyers Commercial Insurance and you’ve been listening to Risky Business, Commercial Insurance With Butler Buyers. And I would just encourage you, give Colin a call if he tweaked your interest today because he is quite pleased to sit down and talk one-on-one with anybody. There’s no charge for that. You just would be more than willing to sit down with a business owner and say, “Let me walk you through this. There was no conditions. There’s no sort of expectation. I’m just here to help.” All right. That’s been Risky Business, Commercial Insurance with Butler Buyers. Thanks very much for joining us and we’ll talk to you next time.