The Importance of Contingent Business Interruption

Keys To Understanding Risks—Supply Chain Mapping

Supply chain mapping is an efficient process that allows risk managers (RMs) to identify and quantify BI and CBI risk. The primary component of supply chain mapping is the people network and looking at the enterprise business by business to assess the risks and opportunities. RMs must include internal and external enterprises and look at building components versus buying, corporate procurement, and contract manufacturers.

Each business has principal products and operating sites that need to be evaluated case by case and documented. Then, using technology, RMs pull all of the data together, creating a data base spreadsheet of gross versus net exposures, with the delta being redundant capacity and/or inventory.

Below is a Pro-Forma Exposure Report that can be used in supply chain mapping to obtain CBI net exposure. This is an illustrative example that may require further detail for actual submission.

Global Risk Management (GRM)

To gather the information for such a report, risk managers must look to both the Intranet and extra-net components. Global risk managers have a multitude of functional areas to consider for the Intranet. They include risk management, global operating sites, finance, operations, security, information technology, real estate facilities, contracts, logistics, procurement, legal department, human resources, and environmental health and safety. For the extra-net, evaluating risks at outsourced locations is vital to controlling CBI exposure and must be included in the evaluation.

The next step is to assess the risk components in order to aggregate the enterprise exposure. Data acquisition for the enterprise should include, but is not limited to, the following areas: the enterprise business direction; contract manufacturer's data, assets, and inventory valuations, logistical service needs; industry data; procurement requirements; and business continuity plans.

Capturing and evaluating CBI exposure requires a good deal of time and team effort. The net time element and recovery comments are the most critical elements of the analysis.

Net Time Element

The delta between the gross and net BI is the time element. The net time element is the time it takes to get up and running again after interruption. It is reported in terms of months or percentages of a month. An analysis of the operations, restoration times, and recovery strategies illustrates where the largest impact loss would be. All options—including in-process and finished goods inventory on hand, availability of sister plants, and availability of subcontractors—must be evaluated. Each supplier may produce more than one product or have more than one location, and each variable needs to be considered.

Recovery Comments (RC)

The RC should state if there is a confirmed recovery strategy in place. Mitigating comments should also include answers to the following questions.

• Is there excess capacity at other sites, where are those sites, and how much they can cover during a BI?
• Are alternate supply sources available?
• Is buffer inventory available and how much?
• If no second source is available, is one being evaluated?
• Is the use of subcontractors possible (for example, IBM can shift to three European Union facilities)?
• What is the time frame for recovery?
• Do recovery time elements vary and why?

Aggregating Exposure

It is important to consider in these evaluations that this is only one site, one product. If a company has 200 product lines and 15 businesses, the aggregate exposure escalates very rapidly. Understanding clients' aggregation processes and underlying data is essential to insurers' effectiveness in aggregating their portfolio risk assessment.

Once exposures have been quantified on a product-by-product basis, then it is necessary to evaluate risks across accounts and the portfolio. In quantifying exposure, different considerations must be given to different suppliers. They are not all created equal in terms of risk. For example, a sole source supplier has more critical implications than one with many alternative choices.

Validating Exposure: Total Gross Earning = BI + CBI

Checks and balances are necessary at the end of the risk analysis process to validate the exposure. This analysis can be broken down on a product-by-product basis with a focus on the percentage vertical integration of a particular product.

Risk Assessment—Use of Technology

Technology can be applied once the people and processes in the supply chain mapping process have been clearly identified. Only then can you take this information and use technology to aggregate the data, calculate net aggregation, and perform exposure assessment. Technology helps bring together real-time components of the Intranet and extra-net. In other words, the data from inside the company as well as that from the outside world of suppliers, and contract manufacturers can come together using technology.

Standard platforms must be used so that information can be easily transferred between all parties. Historically, many companies sought proprietary technology that was expensive to maintain and difficult to communicate with others. The best technology to use is that which is simple, basic, and allows data files to be shared easily. It includes software such as Microsoft Office 2000 Professional or XP Office Professional so that information and data between programs such as Access, Excel, Word and Powerpoint can be easily shared and transferred.

Reporting Must Be Standardized

Standardization of reporting is critical because you can't compare apples to oranges. We must define the terms to be used carefully and similarly across companies. Otherwise, the value of information is truly diminished.

Summary

Evaluating CBI risk is a complex and timing-consuming process; however, insurers can move along way forward by ensuring they have the following:

1. Communication Vehicles—You may consider requesting a copy of the written RM policy statement that has been endorsed by senior management or the board of directors. This communication can also obtain good calibration on an RM's priorities and perhaps provide some insight on how the general management of the firm measures success.
2. Built-in Risk Hedges—Are you considering risk impact to the business versus amount of insurance purchased? Risks, both direct and indirect, must be hedged in addition to considering insurance. Hedging is having built-in work arounds for alternative sources of supply.
3. Disaster Recovery Plans—Are there actual plans in place should a business interruption occur? September 11 has undoubtedly shown us that in the event of a catastrophe, companies must have in place a well-designed and up-to-date communication and disaster recovery plan. According to Roger Morton (in conjunction with Joel Childs of FedEx, "Hope for the Best; Plan for the Worst"), some of the primary steps to follow after a business interruption include the following.

• Provide top management with disaster recovery roles.
• Assign staff members to disaster teams.
• Know where to get disaster recovery assistance.
• Develop and implement the plan.
• Test the plan and train all employees.

A firm's failure to respond to the disaster effectively can be more destructive than the emergency itself. Public perception is critical to the company's ability to maintain brand reputation, customer loyalty, and therefore stakeholder value.

This article has focused primarily on assessing, aggregating, and validating the CBI exposure. Underwriters can choose to ignore and exclude CBI; however, it will be done with an opportunity cost in terms of premium income.