IRMI Update—Issue #62
An E-mail Newsletter for Risk and Insurance Professionals
ISSN: 1530-7948
April 1, 2003
Colleague,
Last week the IRMI Update subscriber family grew to exceed 29,000 people.
While most of the risk and insurance professionals who subscribe reside in the
United States, many live elsewhere. We don't have the demographics to do a breakdown
of IRMI Update subscribers, but we do have them for IRMI.com. In 2002 there
were more than 100,000 IRMI.com visits from people in 19 other countries. In
order, the top ten countries were the United Kingdom, Canada, Australia, China,
India, Germany, Singapore, France, Malaysia, and Hong Kong.
International visitors constituted 16 percent of our Web traffic. If this
statistic is also representative of IRMI Update, there are nearly 5,000 international
subscribers. If you are one of them, I want you to know how happy we are to
have you in our subscriber family. I welcome your e-mails in response to my
editorials and hope you are finding our service to be helpful in dealing with
the issues you encounter in your work.
With so many international subscribers, we thought it would be interesting
and enlightening to invite you to send us a short report on the issues of the
day in your country. Is your insurance market as difficult as it is here in
the United States? How are you solving the problem of terrorism coverage? Are
larger organizations retaining more risk these days? What other problems are
you encountering, and how are you addressing them? Please e-mail me and we'll
compile the responses into an international report for everyone to read.
On another note, we hope to see you at the RIMS Conference in Chicago next
week. Please visit us at exhibit booth #817. Just look for the owl (our logo).
All the best,
Jack
Jack P. Gibson
President
IRMI
Plan Ahead for a Catastrophe—Most companies
keep emergency contact information on hand for each employee. This information
is usually stored in personnel files or a general Human Resource database. However,
in these uncertain times it may be of value to take the extra step and develop
a list of emergency contact phone numbers for staff who travel.
If there is a catastrophic event, staff members who are traveling on business
could be spread across the country, if not the world. Who will assist them with
arrangements for extended hotel stays, changes in airline reservations, or alternate
travel plans if air travel becomes unavailable? Provide these employees with
a list of phone numbers or downloadable instructions that can be stored in a
PDA or cell phone, just in case. It will increase their peace of mind and simplify
coordination in the event of an emergency.
By: Marcia DeWitt
President and CEO
GuilfordPare
Baltimore, MD
Suggest a Risk Tip. Future issues of IRMI Update will include more risk tips from our readers. Send
us a practical tip (less than 300 words) for identifying and managing risks,
buying insurance, managing claims, or filling gaps in insurance coverages. Submit your tips. We'll
give you credit for your contribution.
There are now 402 articles on IRMI.com, and many more are in production.
Below you'll find summaries of some recent additions with links to the articles.
Wedding Insurance: A Savvy
Purchase?—Spring brings not only flowers, but weddings too. Wedding
insurance should be purchased far in advance, before any expenses are incurred.
Rob Olson examines the product and the providers.
David Hale To Keynote
IRMI Construction Risk Conference—World-renowned global economist
David Hale, chairman of China Online and Prince Street Capital, will be a keynote
speaker at the 23rd IRMI Construction Risk Conference. Previously chief global
economist for Zurich Financial Services and chief economist for Kemper Services,
Mr. Hale has significant experience with the economics of the insurance industry.
He will share his view of the current and future U.S. economy, with particular
attention to the construction industry, as well as his expectations for the
commercial lines property and casualty insurance industry. For more information
on the Conference, to be held November 17-20 in Chicago, see the Conference agenda.
Use Claims Management
to Control Comp Costs—Blueprint for
Workers Comp Cost Containment gives you tried and true strategies and
tactics for bringing escalating workers compensation costs under control. Written
by a practicing risk manager, this timely book will pay for itself over and
over again. For more information, visit Products and Services.
Online CE Testing
Available in North Carolina—Many continuing education (CE) courses
are available on IRMI.com for the incredible price of $49.95, and now North Carolina
agents can take their self-study exams online. Online exams are instantly graded,
so agents will not need to worry about returning anything. In addition,
unlike paper exams, online exams completed for North Carolina license renewals
DO NOT require a monitor. For more information, go to the Training & CE site.
In IRMI Update #61, readers were asked what
they thought about the interplay between IT and risk management departments.
While all agreed the two must interact to the benefit of the organization, the
degree of overlap was a matter of personal opinion. Some of the responses follow.
- Since I am an independent risk management consultant and the IT guy
for our company, I think I can chirp in on this one. This is the case of
two levels at most companies that don't often get the respect they deserve,
from upper management and everyone else who follows upper management's lead.
This leads to mistrust amongst many IT and risk managers. It takes one major
attack on your network that can set a company into a deep freeze for productivity
before most upper levels of management realize the importance of this department.
The cybersecurity role does in the end land on the shoulders of the IT
department. However, the risk manager should know the risks that are out
there and the potential outcome of a malicious attack against the company's
network. This way, IT and risk managers can work together at making the
rest of the company understand the importance of the security rules that
are in place. They can together approach upper management and lobby for
newer and more expensive security measures. These measures may seem more
expensive or unnecessary, but in the long run, when they stop a major security
breach or cyber attack, will have saved 10 times as much in employee productivity.
The risk manager should be the IT department's advocate, and understand
some of the security measures that can be taken.
In order to earn the trust of the IT department, a risk manager must
first learn about some of the dangers that are out there: viruses, cyber
attacks, identity theft, and so on. Then they must learn all the computer
procedures that the IT department is trying to enforce, some they would
like to enforce, and also for those that are not being enforced, they need
to take up the torch and help enforce. This will earn them the trust and
show that they truly understand the risks in the computer world and that
these risks are real and need to be addressed on a continual basis. Doing
this shows IT that the risk manager is concerned about those real risks
and is willing to take action to prevent any incident from occurring which
is the risk manager's job.
The best way risk managers can acquire the information they need to be
able to understand is in three ways: (1) Read articles whether online or
in print, (2) Take courses on anything to do with the computer that you
don't think you fully understand, and (3) Talk to IT people whether in your
company or someone else's. Ask them questions about what they have been
seeing happening lately. These three things will give you a better understanding
of the problems that the IT departments face every day.
—Liam K. Donoghue, Kevin F. Donoghue & Associates, Boston
- I believe risk professionals should become involved in cyber security;
it should not be the sole realm of IT professionals for several reasons.
- Risk professionals can help set priorities for their organizations'
risk management department; IT needs to address cybersecurity.
- Risk professionals can help see that their organizations allocate
resources to overburdened IT departments and that cyber issues are addressed.
- Risk professionals can help identify and implement the behavior
changes, physical barriers, operating procedures, and other non-IT components
of an effective cybersecurity program.
- Risk professionals need to be better informed by their IT counterparts
about cybersecurity so they can address the issues above and make better-informed
decisions about how to insure against the risks.
—Curtis H. Smith, Vice President, Medcor, Inc.
- I personally believe that risk managers should work hand in hand with
the IT people in order to identify, evaluate, control, and finance the exposures
which are inherent in this new technological warfare. It is only through
extensive consultations with IT experts that a risk manager can be able
to understand the nature and size of these exposures. In this regard, seminars
and workshops should be done in order to make it a point that the risk managers
fully understand the exposures to enable them to make informed decisions.
Nevertheless, all this needs to be done by way of risk managers assuming
a consultative role so that no rivalry can develop between IT and risk management
departments where the former feel that the risk managers are now intruding
into their affairs.
—James Mharadze, Aig Zimbabwe Ltd., Nust, Zimbabwe
- I am in an unusual position in that my employer is in the business of providing
consulting service in the area of risk management, contingency planning,
disaster recovery, and systems security monitoring for IT departments nationwide.
I have been involved with risk management for over 20 years and I have no
idea what these people talk about on a day-to-day basis.
The point is that unless you have a background in information technology,
there is no basis for the risk manager to be involved -- except to be satisfied
that our colleagues in IT have in fact done their job. We can possibly try
to develop some estimates of the damages that can be done, but I believe,
based on my limited knowledge of IT infrastructures, that the risk manager
ought to lead, but not march in this parade.
—Bruce J. Birney
- In my organization, Risk & Insurance Management is a catchall division.
If it can be classified as a "risk", then it is in the realm of our position.
Realistically though, cybersecurity really should be left to the IT experts.
MIS/IT is ever changing, endlessly requiring the staff to learn new information
to keep up with the changing technologies. For a risk manager to have a
full understanding, would require extensive education that they would only
use for a small portion of their job.
In my opinion, the bottom line is cybersecurity is a matter for the IT
specialist.
—Carrie Kolodji, Risk & Insurance Management, Leech Lake
Band of Ojibwe, Cass Lake, MN
- In the early days of Disaster Planning, the IT Departments of many corporations
treated the risk manager's involvement as an intrusion into their realm.
Over time, IT management began to realize that risk professionals played
a vital role in the development of the disaster recovery plans, ultimately
welcoming their involvement. In the final analysis, Disaster Planning expanded
to become Business Continuity Planning of which IT was a component.
Today, the Business Continuity Plans must be upgraded to incorporate
cybersecurity issues. Risk professionals will gain credibility with IT managements
when they demonstrate a strong knowledge of the issue, exposures, and loss
control approaches. This will place them on equal footing with the IT professionals.
Risk professionals do not need to become programmers, but they must be able
to master the language of IT to be a successful contributor and equal partner
in the process.
—Michael J. Glapion, ARM, Sales & Risk Management Services,
Gillis, Ellis & Baker, Inc., New Orleans
- How do you trust the IT department? You don't. Unfortunately conflict
of interest prevents anyone being able to depend on the assurances given
by the department responsible for the operation. Such is the reason behind
the need for external auditors as well as internal auditors. There will
be a new position to address the security needs of the corporation and its
board of directors. It will be a position which reports directly to the
board and will be known as the Chief Security Officer just like the head
of audit. The mandate will be to provide independent review of a corporation's
security systems and provide assurance or advice to the board on the status
of a company's security.
—Don Waugh
A subscription to IRMI Update is absolutely free. Use the e-mail registration form to initiate or terminate
your subscription.