Isn’t Insurance Enough?

Written by Søren Bisgaard Vase, Head of Analysis

As a security risk management company, we obviously have close linkages with the insurance business. They are our clients, we are their clients, and we also share clients between us.

A common catchphrase of mine is that ‘our work begins where insurance ends’, since we deal with all those low probability/high impact risks that are so difficult to make statistics about because they are too unique and unpredictable. But this is of course a simplification – after all, you can insure anything if the price is right. Natural disasters – the classic example of low probability/high impact events – are routinely insured against. So, with a good enough insurance cover, why bother with duty of care?

Any risk professional can tell you about the four ways of managing risks: avoid, accept, transfer or reduce. Some have added a fifth ‘exploit’ option, which may seem optimistic, but is actually a quite valuable perspective that I will return to. Insurance epitomises risk transfer: you protect yourself against the volatility by accepting a known premium. Because the insurance company collects a lot of risks (and therefore a lot of premiums), the law of averages turns your devastating loss – e.g. a fire in the office – into a small bump in the road for them. And since the insurer can go around and reinsure their worst-case risks with other insurers, almost any catastrophe is manageable by the multi-trillion-dollar global insurance industry. We could therefore also refer to the world of insurance as risk sharing or risk diffusion.

I apologise to those of you who will find this trivial, but I feel obliged to touch briefly on the other risk management strategies before getting back to the topic of the day. Risk avoidance is self-explanatory to a certain extent. You assess the risk of a given action and find it to be too high to justify the potential benefits, and thus decide to stay clear. In the real world this is of course a messy process. How do you assess the risk of not taking a particular action? Still, among all the complex risk management techniques, we should never forget the avoidance option. Another option is to accept the risk. Here, we don’t mean turning the blind eye, but making an informed decision to take the risk on yourself. The informed consent requirement, which we have discussed earlier in the article series, is an example of risk acceptance, since the employees confirm that they are cognisant of the risks involved in whatever action they are set to perform. However, you would rarely accept any risk without at least having explored the fourth option, risk reduction. This is basically all the things you can do to bring down the probability and/or the impact of the risk. We sometimes refer to this as risk mitigation or vulnerability reduction, and it is of course the bread and butter of a security risk management company. Finally, there is risk exploitation. Only a thin membrane separates risks from opportunities, and the two are often seen as two sides of the same coin. Thus, political upheaval in a country where you operate could obviously create problems for you, but then again, maybe you will be able to stay while others run away? The thought is wonderful, but I am hesitant to include risk exploitation as a risk management technique on par with the others. It is a mirror image of the other techniques, an open invitation to see the upside of risk.

These four (five) risk management techniques are of course ideal types – we use a little bit of them all in almost everything we do. This also applies to security, and that brings me back to the central question of this article: isn’t insurance enough?

In a way, it is strange that small companies tend to have a significantly higher risk appetite than larger corporations. After all, you would imagine that a small, vulnerable company would be more careful, as a wrong move could result in the end of its existence, whereas a large, stable one could easily absorb a loss here and there. The best explanation I can find is that large organisations treasure predictability over everything else. That is why they tend to insure themselves against more or less anything. ‘We’re covered’ is a wonderful thing to say to your bosses if they express worry about the risks in your project. It gives certainty: even in the worst case, we will not lose money. All upside, no downside… If only!

Of course, this is not how the world works, and nothing shows this more clearly than duty of care. You may have all the best insurances with all the right coverages for your staff. You might even go above and beyond what is required by law because you want your employees to be content and quickly recover if they need surgery, for example. It could even extend to their families. Risk successfully transferred! But what happens if the incident is caused by the work? The insurance company may fight back and say that you did not do enough to prevent an incident, that you were negligent or did not fully disclose the level of risk when you signed the policy. You could hit the ceiling of your coverage. Even if you were covered, there may be fallout from the incident, like we saw in the Dennis v. NRC case (see article 9, ‘Duty of Care in Action’). And then of course, we need to remember that insurance is simply a means of financing a risk retroactively. The incident still needs to be handled: someone needs to tell the family, someone needs to communicate to the rest of the staff and the external world, and someone needs to revisit the incident and determine if it warrants a change of procedure. Most importantly, someone needs to take responsibility.

The nature of risk means that there can be no (potential) upside without a (potential) downside. Even insurance only gives us some level of (financial) certainty, and only in known risks. As a manager, it is your task, and in my opinion your most important task, to continuously identify new risks and apply the four (five) risk management techniques intelligently. This is what we call ‘responsibility’ and only nuances distinguish it from duty of care.

A final word: After having read the above again, I realised that a very critical reader could get the impression that I am against insuring your risks. This is not the case – I am a big fan. What I have tried to do is to show why we must accept that it is one among a whole group of risk management techniques. More importantly, ‘manager’ would be an utterly redundant and even meaningless position if all risks were transferrable. This is the central message of this entire article series: manage your risks, but remember that your responsibility remains. It’s your duty to care.