Risk Assessments and Peer Reviews
December 2007
by Peter M. Polstein
A few months ago, I was given the opportunity
to provide to a bank group my opinion relative to potential risk and their current
insurance program. This was the first time that an assessment had been conducted,
and it coincided with an ongoing FDIC normal audit of the bank.
The senior person who was responsible for bank security and risk was not
an insurance person, but was extremely cognizant of the potential for loss emanating
from a wide variety of circumstances. During our initial meeting, I was told
that their insurance policies were maintained by their insurance agency, and
that they retained a well-documented schedule of insurance.
Learn about the Risk
While the bank executive wanted to set up a review meeting quickly, I explained
that I was not interested in reviewing the insurance program until such time
as I had sufficient knowledge of the bank's physical and financial risk, and
had interviewed critical senior employees who would provide a sufficient comfort
level to proceed.
I simply cannot imagine how anyone could conduct a peer review without knowing
more about the potential risk of the client than the client itself. In early
exploration, it was noted that all of the bank's IT was under contract to an
outside source. A substantial number of the bank's branches were in rented locations.
The bank had a financial services unit which was significantly different in
its operations than other departments, especially under Securities and Exchange
Commission (SEC) regulation compliance.
Review All Contracts
I asked to review all of these contracts, some 20 or more, including the
bank's armored car contract and any others which might have a profound effect
on the bank's potential liability. Once having completed this review, I met
with a number of senior employees to discuss what I perceived was their risk
in varying degrees.
It is truly amazing, when you conduct an assessment of this nature, how much
risk is retained by the client either without their knowledge, or with their
knowledge but with a perception of that risk that is significantly less or
greater than it actually is.
There is obviously no way that every risk can be covered, irrespective of
whether insurance is, or is not, the solution. Nor, in many instances, can the
risk be covered simply due to other economic considerations. But providing an
understanding of those risks that are coverable and those which are not provides
both a comfort level to the client and the potential in one form or another
to mitigate risk.
Personally, I have always believed in a couple of theories when dealing with
risk and coverage. There is no inconsequential risk, until you have an uncovered
event. And, never tell me what you believe the intent of the contract is. What
does it actually say? In this particular review, there were moments when both
of these thoughts certainly came to bear.
Information Technology (IT)
The IT contract, with a well-known professional organization, I found to
be quite remarkable in what I perceived to be a lack of fundamental protection
in the event of the IT provider being unable to meet either certain performance
goals, or simply unable to perform for whatever reason. The contract did provide
a lengthy discourse relating to indemnities for "fixes" as well as a disaster
plan that provided certain relief. Yet, nowhere within the document was a warranty
and promise that this vital service would not be interrupted, would be error free,
and would continue to meet performance standards.
Many of the bank's indemnity agreements were limited to refund of fees, reasonable
reconstruction costs, etc. But nowhere was there language relative to the so-called
big fault. Hold harmless wording was evident but primarily covered infringement
of patent and copyright. The bank's insurance was simply noted as a matter of
record. Language relating to Internet Banking Services was extensive, and it
was noted that the provider's insurance, while available under certain conditions, had
an aggregate stop loss, which raised the question of multiple claims from across
its client base, leaving potentially little in the way of limits available in the
event of loss.
In discussing at length the potential for risk with the bank's IT head, he
assured me that the contract was fairly consistent with the industry. We talked
about backup systems, both theirs and the bank's, and asked whether, under a worst-case
scenario, the bank would have to close its doors. Unfortunately, it could come to that.
However, there were certain recommendations I suggested that could mitigate
some of the potential for disaster.
Leases
When the leases were reviewed, most of them contained the usual boilerplate
language, including hold harmless wording, the majority of which was uninsurable.
However, in one case, the lease required that any and all damage to not only
the premises leased but the building was the direct responsibility of the insured,
irrespective of cause. As Fire Damage Legal now became only a partial cover
under strict circumstances, their Financial Institutional package needed to
be addressed.
Workers Compensation
In an interesting contract relating to financial services and certain regulations
under SEC rules, some of the employees became "mutual employees" where there
was a question as to workers compensation coverage. This was easily solved by
adding an "Alternative Employee Endorsement."
Recommendations
By the time that a review of their insurance program was initiated, I had
substantially full knowledge of their risk. I’m not going to dwell at length
on those findings; for the most part, the program was reasonable, but needed
a number of amendments immediately and upon renewal.
Areas such as liability limits should have been per location. The "Named
Insured," as defined, was not broad enough. The umbrella insurance policy written
by the same insurer did not contain the wording that "it would be no less broad
than the underlying scheduled primary." There were a number of questions relating
to limits that needed to be addressed, and certain language within the program
was either inconsistent or irrelevant.
The bank received a 20-page document from me, broken down into three sections:
an Executive Summary, contract recommendations, and insurance program recommendations.
The review concluded with a meeting between senior bank officials, their insurance
agent, and me. Ultimately, they agreed to implement both the recommendations
that were immediately necessary and those which could be held until renewal,
whether premium-bearing or not. I will continue to monitor proceedings
until the renewal has been successfully negotiated and bound.
The agent in this case was perfectly comfortable with the review, and welcomed,
as did the bank, whatever recommendations resulted from the project. Far too
many brokers and agents are uncomfortable in this type of situation, and perceive
this sort of exercise as a personal affront to their expertise and performance.
There is always the calculated risk that a client will dump a broker or agent
over this sort of review, but generally, that isn’t the case.
Conclusion
Another set of eyes, other thoughts, and perhaps a different perspective
never hurt anyone. In a way, it doesn’t really make any real difference whether
the review comes from an outside professional or is conducted in-house, as long
as it is accomplished without malice and with forethought.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.