Posted on 24 Apr 13 by Annie George
Cyber-threats, along with breaches in security and privacy, are forcing corporate risk managers to reconsider how they protect their company's data and proprietary business information, according to an annual survey by global professional services company Towers Watson. The survey examined how North American companies use outside resources, tools and frameworks to address their risk exposure across a variety of eventualities, ranging from a hardening property & casualty insurance market to natural catastrophes and the threat of terrorism.
The Risk and Finance Manager Survey found that the average policy limits purchased for network security/privacy liability policies were $18.1 million — a significant 46% increase year over year. In addition, nearly two-fifths (39%) of respondents purchased network security/privacy liability policies, an 11-percentage-point rise from last year. When asked why they had not purchased a policy, 31% (a 10-percentage-point decrease from last year) said their internal IT department/controls were adequate.
"Our survey results show a mounting awareness of cyber-attack capabilities, which require a more comprehensive protective net than reliance on even the most capable IT staff," said Larry Racioppo, vice president, Executive Liability Group, Towers Watson. "Yet, six in ten companies are still without a liability policy in place, and this is alarming. The financial and reputational costs companies face could be enormous if they don't develop comprehensive risk strategies to thwart cyber-attacks."
The survey of 123 risk managers revealed modest improvement in maintaining enterprise risk management (ERM) programs, with a full two-thirds (67%) saying they have an ERM program in place. This is a 10-percentage-point increase compared to last year, but this growth stems primarily from financial services companies, where 97% indicated they have an ERM program, compared to just 56% of non-financial services organizations.
For those organizations with ERM programs in place, there is a gap between ERM process and ensuing ERM action within the company. Just two-fifths (40%) of the respondents with ERM programs regularly quantify their key risks and utilize these metrics in making business decisions. Only 28% of executive committee/boards of directors actively use ERM as part of their strategic decision-making process, and less than one-quarter (24%) integrate their risk metrics into budgeting and planning.
"Companies with ERM programs have well-defined processes in place, but they could do a better job of integrating ERM into their operations and the decision-making processes, especially if they want to benefit from a comprehensive risk detection and management program that benefits all of their stakeholders," said Steve Levene, Risk Advisory and Brokerage group leader, Towers Watson.
The survey also assessed companies' risk appetite and risk assessment, and the results revealed that a sizable portion (22%) had not explicitly set any risk appetite level. Moreover, once companies determined their risk assessment, many failed to communicate the findings across the operational level of their organization. Less than half (43%) trained their employees on general risk issues such as information security, employment practices and workplace safety, and only one-fifth (20%) trained their risk owners.
"Only with full company-wide participation will a holistic approach to risk management occur," said Levene. "There are evident lapses in the communication of risk assessment, from the corporate through the operational levels. These gaps are a call to action for a regular self-assessment process that needs to take place."
Participants also weighed in on their level of preparedness for Superstorm Sandy. Vendor identifications, such as those selected for restoration and forensic accountants, stood out as a shortcoming. Nearly one-quarter (23%) cited some deficiencies in vendor identification preparedness, while 7% said their companies were flat-out unprepared.
"Without adjusters and forensic accountants identified prior to major catastrophic losses, companies will have trouble getting their claim process moving quickly. They'll wait in line when a catastrophe strikes, and this time lost could have a critical impact on their long-term well-being," said Brendan Osean, Property practice leader, Risk Advisory & Brokerage group, Towers Watson.
Respondents also evaluated their terrorism insurance coverage. Two-thirds (66%) raised concerns about the implications of the sunset to the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA), and 62% are considering action in preparation for its possible outcomes, including 17% contemplating options for stand-alone terrorism placement. "This level of uncertainty, over 18 months away from TRIPRA sunset, is concerning and will only increase over time," said Christof Bentele, chief broking officer, Crisis Management practice, Towers Watson.
About the Survey
Towers Watson's fourth annual Risk and Finance Manager Survey examined how North American companies address risk. The online survey of 123 individuals was conducted from February 26 through March 13, 2013. Nearly three-quarters of participants were from companies with total 2012 revenues of under $5 billion: 39% from $1 billion to $4.9 billion and 33% under $1 billion. One percent of companies ranked in the largest revenue range of $25 billion or more. The mean for all participants was $5.6 billion.