Channel: Enterprise Risk Management – insBlogs

AvMed, Spokeo Verdicts to Impact Third-Party Liability Coverage

Two recent class action lawsuits are likely to have a ripple effect on third-party liability claims and coverages in the future.

AvMed Inc., a Florida health insurance company, has agreed to a $3 million settlement, marking the first class action lawsuit in which plaintiffs are compensated without suffering actual financial harm as a result of a data breach.

Meanwhile, a federal appellate court gave the go-ahead for a plaintiff to sue Spokeo Inc. for violating the Fair Credit Reporting Act (FCRA). The court conferred standing when it deemed this violation of a statutory right sufficient for the case to proceed even though the plaintiff suffered no actual harm.

Insurance carriers would do well to take note. Together, these two cases make it easier for plaintiffs to pursue data breach or class action lawsuits and to recover damages for identity theft and fraud—even when they’ve experienced no actual monetary harm. Also, it will become harder for such lawsuits to be dismissed under the simple 12(b)(6) motion and other standing-related issues that would lower the chances of cases getting their day in court.

The Spokeo case alone represents a potential sea change when it comes to clearing the hurdle of the standing requirement. It shows us that when a plaintiff’s statutory right is allegedly violated, he can more easily prove there is injury-in-fact and that the elements of causation and redress can be satisfied—and that’s without sustaining actual damages.

Though Robins v. Spokeo centers on an FCRA-related claim, smart plaintiff’s lawyers will apply the case to other statutory schemes that create a private right of action and grant automatic standing to anyone who alleges a claim for the willful violation of that statutory right. An easy application could be the violation of state breach notification statutes that allow private right of action and enforcement by that state’s attorney general.

When the cases are juxtaposed, we see that plaintiffs:

1. Can more easily proceed with a data breach or class action lawsuit when a plaintiff’s statutory right has been violated—even if the plaintiff has experienced no monetary harm—thanks to Spokeo.

2. Can recover damages for identity theft and fraud even absent compensable damages under AvMed. As the court in AvMed stated:

“Plaintiffs have pled a cognizable injury and have pled sufficient facts to allow for a plausible inference that AvMed’s failures in securing their data resulted in their identities being stolen. They have shown a sufficient nexus between the data breach and the identity theft.”

Savvy class action lawyers will recognize these two decisions for what they are: two main hurdles to data breach litigation removed. Sure, plaintiff’s lawyers still need to exercise some creativity to find the right statutory schemes to sue under, but taken together and in the right hands, these two cases could be game changers in the ongoing attempts to squeeze money from companies for data breach exposures.

The post AvMed, Spokeo Verdicts to Impact Third-Party Liability Coverage appeared first on insBlogs.


Pressure is on to improve bottom line after catastrophic 2013

Each year, EY publishes our Canadian property and casualty insurance outlook, where we take the pulse of the industry and note what challenges – and opportunities – are in store for the year ahead.

It’s fair to say the industry is undergoing transformation like never before. Companies are finally starting to take a good hard look at how to effectively harness digital technology. They’re shifting greater attention to the customer. And in the midst of all this, 2013 ended up being a record claim year.

All things considered, there’s no shortage of challenges for Canada’s P&C insurers. But, as we know, where there’s a challenge, there’s often opportunity.

Take technology, for example. We all know insurers have been late adopters when it comes to digital. They’re aware of the benefits, but have taken time to understand how to use it effectively. The reality, however, is that technology can help insurers to better understand risks like flooding, while investments in state-of-the-art integrated platforms can enhance product pricing and improve the customer experience.

With increasingly severe weather, improving underwriting capabilities should be a priority. To do that, savvy insurers are tapping into the power of technology and analytics to help create better predictive models. Meanwhile, tapping into that power for things like vehicle telematics, for example, has the potential to completely change the industry.

But in all of this, it’s about so much more than simply capturing the right data. Insurers need strategies for deriving meaningful insights from the information they have, and insurers continue to lag behind other sectors in their implementation of a digital strategy.

In this new and dynamic environment, all companies need to work hard to sustain their competitive edge in the marketplace. But by taking advantage of the right opportunities, insurers can set themselves up for positive results going forward.

In our 2014 outlook, we note that to successfully position for growth, insurers need to understand and focus on the following:

  • Product development and innovation, with an eye on expenses
  • Digital technology and analytics
  • Unpredictable weather and catastrophes
  • Regulatory and accounting changes

To read more about these issues in the full report, visit www.ey.com/ca/propertyinsurance

It’s an exciting time for the P&C insurance industry. No doubt, there’s more to come. I look forward to weighing in on various industry issues on this blog – and hearing your thoughts, too.

The post Pressure is on to improve bottom line after catastrophic 2013 appeared first on insBlogs.

Meeting regulatory requirements: Sometimes size matters

As insurers face the challenges of legislative and regulatory compliance, there is an argument to be made that large insurers will be in a better position to meet these challenges. As a means of meeting the regulatory requirements they face and of reducing the relative cost of adhering to those requirements, smaller insurers, especially those with a large proportion of Ontario automobile, may decide to consolidate.

Earlier this month, A.M. Best issued a briefing that pointed out that smaller companies may feel the impact of recent reforms and pricing targets to a greater extent than larger insurers. The Ontario government has mandated a 15% reduction in automobile insurance rates by August 2015 compared to the rates filed in August 2013. The target was for an 8% reduction by August 2014. In fact, rates were down by only 6%. As noted in its report, A.M. Best expects smaller companies having limited business profiles and resources will find the ‘choppy waters of the Ontario auto market difficult to navigate’ which could, in turn, ‘lead to changes in strategic direction and, possibly, more consolidation within the industry.’

It is not only legislative changes concerning Ontario automobile insurance that are impacting insurers. There are also increased regulatory requirements emanating from the Office of the Superintendent of Financial Institutions (OSFI). In a guideline issued last month, OSFI communicated its expectations with respect to the management of regulatory compliance risk by federally regulated financial institutions (FRFIs). In its guideline, OSFI defined regulatory compliance risk as the risk of an FRFI’s potential non-conformance with laws, rules, regulations and prescribed practice in any jurisdiction in which it operates, worldwide. Under the terms of the guideline, the overall responsibility for the assessment and management of regulatory risk compliance will be assigned to a designated Chief Compliance Officer (CCO), someone who is independent from operational management and who has sufficient stature and authority within the FRFI to influence the FRFI’s activities. OSFI’s guideline recognizes that for small, less complex FRFIs, the CCO may have other responsibilities beyond activities specifically related to regulatory compliance risk. In addition, OSFI will administer its supervisory program in ‘a manner appropriate to the circumstances of each FRFI’. Nevertheless, the costs of meeting the requirements of this guideline will be relatively larger for small insurers than for insurers with significant scale.

As of this year, insurers are also expected to complete an Own Risk and Solvency Assessment (ORSA). In a speech at the 2012 National Insurance Conference of Canada, Superintendent Julie Dickson commented that ORSA was being introduced because ‘it is not enough for companies to determine their capital needs based solely on OSFI’s capital requirements. Our capital rules are standardized and represent the minimum requirement. They are not tailored to address the specific risks to which each individual company is exposed, so companies cannot assume that using only OSFI’s capital rules will give them the appropriate risk valuation.’ The Superintendent went on to say that an insurer’s board of directors will be expected to understand how the company’s management is managing the risks identified through the ORSA process.

Whether wholly or partly due to changes in legislative and regulatory requirements, we have already seen consolidation within the mutual insurance community in Ontario. Just over a year ago, The Commonwell Mutual Insurance Group was formed by the amalgamation of Farmers’ Mutual Insurance Company (Lindsay), Glengarry Mutual Insurance Company and Lanark Mutual Insurance Company. Earlier this year, the proposed amalgamation of Kent & Essex Mutual Insurance with North Kent Mutual Insurance Company and West Elgin Mutual Insurance Company fell through when the policyholders of one of the mutuals failed to pass a motion that would have approved the amalgamation. Even though the proposed deal collapsed on the way to the finish line, the fact that the amalgamation was proposed in the first place is evidence that the boards of the three companies felt there was merit in joining forces.

There is no reason to think that the level of regulatory oversight will lessen in the future. Nor is there reason to think that the cost and effort of compliance will be felt equally by the small and the large. As noted in the A.M. Best briefing, insurers with ‘significant scale, robust segmentation capabilities and/or a niche focus are expected to be better-positioned to absorb the impacts of the challenges from recent reforms’.

The post Meeting regulatory requirements: Sometimes size matters appeared first on insBlogs.

Everyone talks about the weatherman…

Once again a big storm was forecast, once again, it failed to materialize (at least for many New Yorkers and New Jerseyans) and once again meteorologists are being criticized for dropping the ball. What’s more, weather models are also being blamed for at least part of the failure and people are, of course, again making the statement “If I was as wrong as often as the weather man, I’d be out of a job.”

Jeff Williams widens the walking path in front of the storefront where he works in Patchogue, N.Y., Wednesday, Jan. 28, 2015. While much of the New York City region breathed easier after eluding serious damage from a deadly blizzard, highway crews helped eastern Long Island residents recover from a storm that dumped more than two feet of snow in some places. (AP Photo/Seth Wenig)

To recap, an historic Nor’easter was set to strike New York, New Jersey and the New England states as well as Atlantic Canada beginning the evening of Monday, January 26 through to Tuesday the 27th. Cities like Boston and New York were set to get hammered with snow. But when the white stuff settled, NYC only got about seven inches, not the two or three feet that was forecast for much of the region.

To be fair, forecasts rang true for much of the area in question, particularly New England, where high winds, large snow drifts, storm surge, a seawall failure, flooding and power outages were rife.

But that was of little comfort in NYC, where costly and disruptive measures were taken, including a shutdown of the NYC subway system and implementation of a travel ban.

So what happened with the forecast for NYC?

According to NOAA, there was a very narrow gradient, measuring just 50 to 150 miles across, that demarcated a ‘western wall of snow’. If you were on one side of the gradient, there would be little snow, if you were on the other – a lot. This gradient didn’t go where the model indicated it might, and missed NYC by about 50 miles to the east.

The tool used for this particular forecast was a European model that, by all reports, has proven to be more accurate on average than the model built by the U.S. weather service. It was the same model that called Superstorm Sandy almost perfectly.

There is no doubt that tools and methods for forecasting weather can (and will) improve, particularly as the two GOES satellites that currently provide weather forecast data for North America are replaced next year with more advanced GOES-R satellites, which will take images with higher resolution and be able to sense parts of the electromagnetic spectrum.

But this latest forecasting blip has put a spotlight on a pair of other issues that must be looked at in tandem with the technical side of weather forecasting.

The first is sensationalism. We live in a world of hyperbole, where people choose to use such words in the normal course as ‘unbelievable’, ‘amazing’ and ‘incredible’ when lesser descriptors would do just fine. It’s a world where small flubs are called ‘epic fails’ and where ‘literally’ is often used figuratively. A place with a non-stop news cycle that seems to subscribe very much to philosopher Walter Benjamin’s idea of the ‘permanent emergency’. It’s a world where labels (and, these days, hashtags like ‘Snowmageddon’ and ‘Snowpocalypse’) do nothing but add fuel to the fire. People, I believe, can easily spot exaggeration (though they may be guilty of it themselves) and have learned to tune it out. It’s unclear to me how society can address this problem, which now appears to be deeply embedded in our popular culture. But perhaps a good start is if social media users out there refused to take part in the labelling and hash tagging of average events as ‘exceptional.’ Maybe, in time, we can move this mountain.

The second issue – one that is more tangible and much more likely to be addressed institutionally – is the matter of communicating forecast uncertainty.

Essentially, weather is non-linear, and regardless of model capability, computer processing power and forecaster experience, there will always be uncertainty. Weather forecasters are essentially trying to make an educated guess about something they do not control. As one warning coordination meteorologist for NOAA put it, “There is a limit to predictability when it comes to forecasting and it’s always going to be there. Human behavior behaves like that, the stock market behaves like that and weather behaves like that.”

Weather forecast output from models includes confidence levels, and these must somehow be used when communicating to the general public and policymakers.

Whether we use the very same lingo as the forecasting models (e.g. Low confidence, High confidence, Very high confidence etc.), or whether some other system is devised (such as a colour-coded warning system or a scale of one to ten), the level of confidence in a forecast must be made clear to end-users. Indeed, brand new (and very timely) research from the University of Washington released January 27 indicates that the public may respond best to severe weather warnings if they include a probability estimate.

Seeing as though it is not up to the weatherman to decide to shut down public transit, implement a travel ban or order an evacuation, for instance, it is critical that those who are responsible for such calls be given every piece of info they need to make good decisions and set the overall tone of an impending event, without going overboard.

Better and/or greater use of certainty statements will aid in this endeavour.

In the meantime, there will be more missed calls. Get used to them, and don’t shoot the messenger.

The post Everyone talks about the weatherman… appeared first on insBlogs.

Ontario appeal court expands privacy breach tort to health care sector

The Court of Appeal for Ontario has held that a hospital can be sued (in a proposed class action) for a privacy breach.

In Hopkins v. Kay, the class plaintiff alleged that her records as a patient at the Peterborough Regional Health Centre were improperly accessed. She based her claim on the common law tort of intrusion upon seclusion, set out in Jones v. Tsige.

The hospital brought a Rule 21 motion to dismiss the claim on the ground that the Personal Health Information Protection Act (“PHIPA”) is an exhaustive code that ousts the jurisdiction of the Superior Court to entertain any common law claim for invasion of privacy rights in relation to patient records.

About PHIPA

By way of background, PHIPA is an Ontario law that governs the collection, use and disclosure of personal health information within the health sector. The statute’s object is to keep personal health information confidential and secure. The Information and Privacy Commissioner of Ontario is responsible for the administration and enforcement of PHIPA.

The Court of Appeal for Ontario ruled that a hospital can be sued, in a class action, for breach of privacy.

An individual who has reasonable grounds to believe that another person has or is about to contravene a provision of PHIPA may complain to the Commissioner. The Commissioner is given extensive procedural and investigative powers in relation to complaints and the power to make a variety of orders following a review. The Act gives the complainant the right to make representations to the Commissioner but does not contemplate a formal adversarial hearing for the resolution of complaints. An appeal from the Commissioner’s order on a question of law lies to the Divisional Court.

Of note is section 65 of PHIPA, dealing with remedies:

65. (1) If the Commissioner has made an order under this Act that has become final as the result of there being no further right of appeal, a person affected by the order may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of a contravention of this Act or its regulations.
(2) If a person has been convicted of an offence under this Act and the conviction has become final as a result of there being no further right of appeal, a person affected by the conduct that gave rise to the offence may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of the conduct.
(3) If, in a proceeding described in subsection (1) or (2), the Superior Court of Justice determines that the harm suffered by the plaintiff was caused by a contravention or offence, as the case may be, that the defendants engaged in wilfully or recklessly, the court may include in its award of damages an award, not exceeding $10,000, for mental anguish. [emphasis added]

With respect to bringing actions against a custodian of personal information:

71. (1) No action or other proceeding for damages may be instituted against a health information custodian or any other person for,

(a) anything done, reported or said, both in good faith and reasonably in the circumstances, in the exercise or intended exercise of any of their powers or duties under this Act; or

(b) any alleged neglect or default that was reasonable in the circumstances in the exercise in good faith of any of their powers or duties under this Act.

(2) Despite subsections 5(2) and (4) of the Proceedings Against the Crown Act, subsection (1) does not relieve the Crown of liability in respect of a tort committed by a person mentioned in subsection (1) to which it would otherwise be subject.

Superior Court Motion

The motion judge dismissed the motion, holding that it was not plain and obvious that the claim based on Jones v. Tsige could not succeed.

Court of Appeal

On appeal, the defendants submitted that PHIPA amounts to a comprehensive code that reflects a careful legislative attempt to balance various conflicting interests. They contended that PHIPA’s careful balance would be disturbed if claims based on Jones v. Tsige were entertained by the courts in relation to personal health information. They argued that allowing these common law claims would contradict the statutory scheme, defeat the intention of the legislature, and undermine the policy choices embodied in PHIPA.

The Court of Appeal dismissed the appeal.

After setting out the various provisions in PHIPA, the Court found that there was nothing in PHIPA – either implicitly or expressly – that suggested a legislative intention to confer exclusive jurisdiction on the Privacy Commissioner to resolve all disputes over misuse of personal health information:

I conclude that the language of PHIPA does not imply a legislative intention to create an exhaustive code in relation to personal health information. PHIPA expressly contemplates other proceedings in relation to personal health information. PHIPA’s highly discretionary review procedure is tailored to deal with systemic issues rather than individual complaints. Given the nature of the elements of the common law action, I do not agree that allowing individuals to pursue common law claims conflicts with or would undermine the scheme established by PHIPA, nor am I satisfied that the review procedure established by PHIPA ensures that individuals who complain about their privacy in personal health information will have effective redress. There is no basis to exclude the jurisdiction of the Superior Court from entertaining a common law claim for breach of privacy and, given the absence of an effective dispute resolution procedure, there is no merit to the suggestion that the court should decline to exercise its jurisdiction.

The Aftermath

In Jones v. Tsige, the Court of Appeal created a new privacy tort that allowed individuals to sue people or companies for privacy breaches. This new decision brings the Jones v. Tsige tort to the healthcare sector, arguably the custodian of the most sensitive kind of personal information.

We live in an age of increasing privacy threats and awareness. Hopkins provides yet another example of how lawmakers and courts are doing whatever they can to protect personal information, while punishing those who mishandle it. We expect to see many more court decisions that not only protect privacy, but also expand upon the tort of intrusion upon seclusion.

The post Ontario appeal court expands privacy breach tort to health care sector appeared first on insBlogs.

Insurers must make risk management a team sport

The role of Chief Risk Officers (CROs) today is more multifaceted than it used to be. The financial crisis has expanded the CRO role, making risk management in the insurance industry more of a team sport than ever before. In fact, according to EY’s latest CRO survey, nearly one-third of respondents cited this shift in role as their biggest accomplishment for 2014. But more needs to be done to integrate risk management with the rest of the business.

It’s reassuring to see organizations beginning to recognize and embrace the risk function. But unlike many other areas, the efforts of the risk team aren’t a clearly defined metric. One way to show value is to have regular conversations with company management. In EY’s survey, 37% of CROs reported that dialogues they’ve had with management demonstrate the value they bring to the organization.

This two-way communication is key to being better prepared. It helps insurance companies build a solid foundation to withstand external challenges facing the industry today. Forty percent of respondents cited regulation and capital standards as their biggest risk challenges. Cybersecurity followed at 14% of respondents. And, 13% of these companies cited interest rates and the economy as major risk challenges.

Despite acknowledging these challenges, only 53% of respondents actually have a formal model of risk governance/validation practice in place. There still remain many gaps in a company’s line of defense risk organizational structure. While 74% of CROs said they have some form of three-line defense structure, there are issues to be worked out.

External challenges are plentiful for the CRO, but they can be overcome with teamwork. If CROs can keep having important conversations with key business leaders and show the value of integrating the risk function in everything an insurance company does, they will be able to meet the challenges that come their way.

You can learn more about the survey findings by reading EY’s Chief Risk Officers at Insurance Companies Concerned by Capital Standards and Increased Regulation.

The post Insurers must make risk management a team sport appeared first on insBlogs.

Advantages of a Risk Management Approach to Clients

For a broker interested in writing and retaining commercial accounts, there is a lot to be said for conducting a thorough review of a business owner’s operations, making recommendations for appropriate limits and types of coverage, and then ensuring that the client understands what is – and isn’t! – covered under the insurance programme he or she selects. A broker who regularly engages in this type of comprehensive review will be a broker who stands out from the crowd and who should therefore enjoy greater success in sales. In addition, this risk management approach to clients can help shield a broker from an Errors & Omissions (E&O) claim.

A recent study by Harris Poll Online in the United States revealed that, among other things, 66% of the small business owners surveyed said they did not have business interruption coverage. It’s always dangerous to draw conclusions for Canada based on survey results from another country, even results from our neighbour south of the border. But, even if a similar survey conducted in Canada elicited a similar response from small business owners, I would have difficulty believing that two-thirds of the insurance programmes actually lack a business interruption component. What seems more likely is that two-thirds of the owners think their programme lacks business interruption coverage. Many if not most small businesses would be covered under a package insurance policy that automatically provides some measure of business interruption coverage. Whether the automatic coverage is sufficient is another question, but at least some coverage is there. If the owners aren’t aware that this basic and crucial coverage is there, it’s because no one has sat down with them to discuss coverage and to determine appropriate limits.

Earlier in my career, I worked for an insurance company that sold niche, commercial insurance on a direct basis to business owners. The company’s mandated procedure when quoting on a new account, and then at every subsequent renewal, was to sit down with the business owner to review coverage and limits. A form was filled out that detailed the coverage and limits that were being purchased as well as the coverage that was being declined. At the end of the meeting, the client would sign the form. A copy of that form was then placed in the client’s file. One of my clients was the owner of a mid-sized company that had been in his family for a few generations. Every year, I reviewed coverage with him and, every year, he declined to purchase business interruption coverage. I didn’t go through this process because it was my brilliant idea: I did it because it was a mandated procedure. As luck would have it, one day this particular client suffered a devastating fire that destroyed the building and contents. When my sales manager visited the business owner to console him on the damage to his business and to help him in the preliminary stages of preparing his claim, the owner of course regretted not purchasing business interruption coverage when he had the chance. But at least he knew and acknowledged that he had been offered coverage.

As things turned out, that business never re-opened after the fire. Sadly, this is all too common. According to the Federal Emergency Management Agency (FEMA) in the United States, 40% of businesses do not re-open after a disaster and another 25% fail within one year. Along the same lines, the United States Small Business Administration reports that 90% of businesses fail within two years of a devastating loss. Although these are U.S. statistics, my sense is that the results for Canadian small businesses would be no better.

This company that I worked for at the time did not present itself to the market as the cheapest provider of insurance. There were definitely lower-cost providers. The reason business owners purchased insurance from this company, rather than its competitors, is that they knew the company understood its clients’ businesses, designed customised insurance programmes to meet those needs, and took the time to meet with clients on a regular basis throughout the year in order to stay on top of their clients’ evolving needs. The business owners knew they could almost certainly obtain a cheaper programme elsewhere, but they wouldn’t take the risk of being improperly advised.

There is a lesson for all of us, I think, in this. Based on my experience, anyone looking to build up a portfolio of commercial business, to maximise commission income, and to minimise the exposure to an E&O claim, is well advised to take this kind of risk management approach with current and prospective clients.

The post Advantages of a Risk Management Approach to Clients appeared first on insBlogs.

Insurance Education that Matters

Your professional development has never been more cutting-edge.

Consider the fascinating research of Qui Trieu, manager of personal insurance at Perth Insurance, a wholly owned subsidiary of Economical Insurance. Qui (pronounced as ‘key’) is currently a candidate in the Insurance Institute’s Fellow Chartered Insurance Professional (FCIP) program.

Qui is looking for ways to attract Millennials into Canada’s property and casualty insurance industry. Born between 1980 and 2000, Millennials have a reputation for ‘thinking outside the box’ and seeking like-minded, innovative workplaces. Qui says his challenge is to confirm that Millennials have a home in the insurance industry despite being exposed to inaccurate public stereotypes.

“I guess the misguided perception exists that the industry is old, archaic and very boring,” Qui says. “But after having gone through these six online FCIP courses, you can see that the insurance industry is pretty dynamic. It’s as big as you want it to be. It’s as dynamic as you want it to be. And it will give you as much as you want to put into it.”

Relevant Education

The FCIP is the highest designation in Canada’s p&c insurance industry. Every day, FCIPs like Qui are conducting state-of-the-art research to help their organizations find practical solutions to emerging issues facing today’s insurance industry.

An FCIP education today carries limitless potential to help p&c organizations and clients deal with any conceivable issue.

Right now, the insurance industry is helping Fort McMurray, Alberta residents deal with the devastation wrought by giant wildfires. Our hearts and thoughts go out to those who have been displaced and/or lost everything. This is a tragic catastrophic event, and it brings to mind research conducted two years ago by FCIP grad Greg Crawford.

For his capstone project, Greg researched new ways for the insurance industry to handle large-scale claims events generated by our changing global climate. Greg’s FCIP research offered practical solutions to help ease the minds of clients in times of need.

Innovative Education

Innovation is a hallmark of the program’s final course, Integrative Learning for the P&C Sector, featuring the ‘capstone’ research project. Let’s take a quick look at what FCIPs are researching in aid of their organizations and clients in 2016. Their topics read like daily headlines in the insurance trade press:

  • Auto insurance for Uber/Uber’s impact on insurance
  • Insurance for driverless vehicles/the impact of driverless vehicles on the p&c industry
  • Drone insurance/the impact of drones on the insurance industry
  • The impact of climate change on insurers and reinsurers
  • Cyber insurance, including development for new markets and growth strategies for existing markets
  • Commercial lines growth and reputation
  • How reinsurers can maintain relevance
  • Hypothetical start-up business model in insurance

Again, this is a modest sampling of research projects conducted in just one course. Each of the six FCIP courses includes opportunities to tackle relevant business topics in the areas of strategy, leadership, financial management, enterprise risk management and emerging issues.

Qui Trieu is right: an FCIP education is as diverse, dynamic and creative as the Canadian insurance industry itself. Clients and the industry benefit when FCIPs create practical business solutions that distinguish their p&c organizations.

If you would like to play a role in helping your company deal with real-world issues, consider taking the Institute’s FCIP designation. More information about the FCIP is available at the Insurance Institute’s website.

Are you wondering whether the FCIP is your next move? Hear from FCIP candidates about the program and see if it’s right for you at this time. Register now for 3 Candid Student Stories, a complimentary Insurance Institute webinar held on May 31 at 1 pm eastern time.

The post Insurance Education that Matters appeared first on insBlogs.


AvMed, Spokeo Verdicts to Impact Third-Party Liability Coverage

Two recent class action lawsuits are likely to have a ripple effect on third-party liability claims and coverages in the future.

AvMed Inc., a Florida health insurance company, has agreed to a $3 million settlement, marking the first class action lawsuit in which plaintiffs are compensated without suffering actual financial harm as a result of a data breach.

Meanwhile, a federal appellate court gave the go-ahead for a plaintiff to sue Spokeo Inc. for violating the Fair Credit Reporting Act (FCRA). The court conferred standing when it deemed this violation of a statutory right sufficient for the case to proceed even though the plaintiff suffered no actual harm.

Insurance carriers would do well to take note. Together, these two cases make it easier for plaintiffs to pursue data breach or class action lawsuits and to recover damages for identity theft and fraud—even when they’ve experienced no actual monetary harm. Also, it will become harder to have such lawsuits dismissed on a simple 12(b)(6) motion or on other standing-related grounds that lower the chances of cases getting their day in court.

The Spokeo case alone represents a potential sea change when it comes to clearing the hurdle of the standing requirement. It shows us that when a plaintiff’s statutory right is allegedly violated, he can more easily prove there is injury-in-fact and that the elements of causation and redress can be satisfied—and that’s without sustaining actual damages.

Though Robins v. Spokeo centers on an FCRA-related claim, smart plaintiffs’ lawyers will apply the case to other statutory schemes that create a private right of action and grant automatic standing to anyone who alleges a claim for the willful violation of that statutory right. An easy application could be the violation of state breach notification statutes that allow a private right of action and enforcement by that state’s attorney general.

When the cases are juxtaposed, we see that plaintiffs:

1. Can more easily proceed with a data breach or class action lawsuit when a plaintiff’s statutory right has been violated—even if the plaintiff has experienced no monetary harm—thanks to Spokeo.

2. Can recover damages for identity theft and fraud even absent compensable damages under AvMed. As the court in AvMed stated:

“Plaintiffs have pled a cognizable injury and have pled sufficient facts to allow for a plausible inference that AvMed’s failures in securing their data resulted in their identities being stolen. They have shown a sufficient nexus between the data breach and the identity theft.”

Savvy class action lawyers will recognize these two decisions for what they are: two main hurdles to data breach litigation removed. Sure, plaintiffs’ lawyers still need to exercise some creativity to find the right statutory schemes to sue under, but taken together and in the right hands, these two cases could be game changers in the ongoing attempts to squeeze money from companies for data breach exposures.

The post AvMed, Spokeo Verdicts to Impact Third-Party Liability Coverage appeared first on insBlogs.

Pressure is on to improve bottom line after catastrophic 2013

Each year, EY publishes our Canadian property and casualty insurance outlook, where we take the pulse of the industry and note what challenges – and opportunities – are in store for the year ahead.

It’s fair to say the industry is undergoing transformation like never before. Companies are finally starting to take a good hard look at how to effectively harness digital technology. They’re shifting greater attention to the customer. And in the midst of all this, 2013 ended up being a record claim year.

All things considered, there’s no shortage of challenges for Canada’s P&C insurers. But, as we know, where there’s a challenge, there’s often opportunity.

Take technology, for example. We all know insurers have been late adopters when it comes to digital. They’re aware of the benefits, but have taken time to understand how to use it effectively. The reality, however, is that technology can help insurers to better understand risks like flooding, while investments in state-of-the-art integrated platforms can enhance product pricing and improve the customer experience.

With increasingly severe weather, improving underwriting capabilities should be a priority. To do that, savvy insurers are tapping into the power of technology and analytics to help create better predictive models. Meanwhile, tapping into that power for things like vehicle telematics, for example, has the potential to completely change the industry.

But in all of this, it’s about so much more than simply capturing the right data. Insurers need strategies for deriving meaningful insights from the information they have, and insurers continue to lag behind other sectors in their implementation of a digital strategy.

In this new and dynamic environment, all companies need to work hard to sustain their competitive edge in the marketplace. But by taking advantage of the right opportunities, insurers can set themselves up for positive results going forward.

In our 2014 outlook, we note that to successfully position for growth, insurers need to understand and focus on the following:

  • Product development and innovation, with an eye on expenses
  • Digital technology and analytics
  • Unpredictable weather and catastrophes
  • Regulatory and accounting changes

To read more about these issues in the full report, visit www.ey.com/ca/propertyinsurance

It’s an exciting time for the P&C insurance industry. No doubt, there’s more to come. I look forward to weighing in on various industry issues on this blog – and hearing your thoughts, too.

The post Pressure is on to improve bottom line after catastrophic 2013 appeared first on insBlogs.

Meeting regulatory requirements: Sometimes size matters

As insurers face the challenges of legislative and regulatory compliance, there is an argument to be made that large insurers will be in a better position to meet these challenges. As a means of meeting the regulatory requirements they face and of reducing the relative cost of adhering to those requirements, smaller insurers, especially those with a large proportion of Ontario automobile business, may decide to consolidate.

Earlier this month, A.M. Best issued a briefing that pointed out that smaller companies may feel the impact of recent reforms and pricing targets to a greater extent than larger insurers. The Ontario government has mandated a 15% reduction in automobile insurance rates by August 2015 compared to the rates filed in August 2013. The target was for an 8% reduction by August 2014. In fact, rates were down by only 6%. As noted in its report, A.M. Best expects smaller companies having limited business profiles and resources will find the ‘choppy waters of the Ontario auto market difficult to navigate’ which could, in turn, ‘lead to changes in strategic direction and, possibly, more consolidation within the industry.’

It is not only legislative changes concerning Ontario automobile insurance that are impacting insurers. There are also increased regulatory requirements emanating from the Office of the Superintendent of Financial Institutions (OSFI). In a guideline issued last month, OSFI communicated its expectations with respect to the management of regulatory compliance risk by federally regulated financial institutions (FRFIs). In its guideline, OSFI defined regulatory compliance risk as the risk of an FRFI’s potential non-conformance with laws, rules, regulations and prescribed practice in any jurisdiction in which it operates, worldwide. Under the terms of the guideline, the overall responsibility for the assessment and management of regulatory compliance risk will be assigned to a designated Chief Compliance Officer (CCO), someone who is independent from operational management and who has sufficient stature and authority within the FRFI to influence the FRFI’s activities. OSFI’s guideline recognizes that for small, less complex FRFIs, the CCO may have other responsibilities beyond activities specifically related to regulatory compliance risk. In addition, OSFI will administer its supervisory program in ‘a manner appropriate to the circumstances of each FRFI’. Nevertheless, the costs of meeting the requirements of this guideline will be relatively larger for small insurers than for insurers with significant scale.

As of this year, insurers are also expected to complete an Own Risk and Solvency Assessment (ORSA). In a speech at the 2012 National Insurance Conference of Canada, Superintendent Julie Dickson commented that ORSA was being introduced because ‘it is not enough for companies to determine their capital needs based solely on OSFI’s capital requirements. Our capital rules are standardized and represent the minimum requirement. They are not tailored to address the specific risks to which each individual company is exposed, so companies cannot assume that using only OSFI’s capital rules will give them the appropriate risk valuation.’ The Superintendent went on to say that an insurer’s board of directors will be expected to understand how the company’s management is managing the risks identified through the ORSA process.

Whether wholly or partly due to changes in legislative and regulatory requirements, we have already seen consolidation within the mutual insurance community in Ontario. Just over a year ago, The Commonwell Mutual Insurance Group was formed by the amalgamation of Farmers’ Mutual Insurance Company (Lindsay), Glengarry Mutual Insurance Company and Lanark Mutual Insurance Company. Earlier this year, the proposed amalgamation of Kent & Essex Mutual Insurance with North Kent Mutual Insurance Company and West Elgin Mutual Insurance Company fell through when the policyholders of one of the mutuals failed to pass a motion that would have approved the amalgamation. Even though the proposed deal collapsed on the way to the finish line, the fact that the amalgamation was proposed in the first place is evidence that the boards of the three companies felt there was merit in joining forces.

There is no reason to think that the level of regulatory oversight will lessen in the future. Nor is there reason to think that the cost and effort of compliance will be felt equally by the small and the large. As noted in the A.M. Best briefing, insurers with ‘significant scale, robust segmentation capabilities and/or a niche focus are expected to be better-positioned to absorb the impacts of the challenges from recent reforms’.

The post Meeting regulatory requirements: Sometimes size matters appeared first on insBlogs.

Everyone talks about the weatherman…

Once again a big storm was forecast, once again it failed to materialize (at least for many New Yorkers and New Jerseyans), and once again meteorologists are being criticized for dropping the ball. What’s more, weather models are also being blamed for at least part of the failure, and people are, of course, again making the statement “If I was as wrong as often as the weather man, I’d be out of a job.”

Jeff Williams widens the walking path in front of the storefront where he works in Patchogue, N.Y., Wednesday, Jan. 28, 2015. While much of the New York City region breathed easier after eluding serious damage from a deadly blizzard, highway crews helped eastern Long Island residents recover from a storm that dumped more than two feet of snow in some places. (AP Photo/Seth Wenig)

To recap, an historic Nor’easter was set to strike New York, New Jersey and the New England states as well as Atlantic Canada beginning the evening of Monday, January 26 through to Tuesday the 27th. Cities like Boston and New York were set to get hammered with snow. But when the white stuff settled, NYC only got about seven inches, not the two or three feet that was forecast for much of the region.

To be fair, forecasts rang true for much of the area in question, particularly New England, where high winds, large snow drifts, storm surge, a seawall failure, flooding and power outages were rife.

But that was of little comfort in NYC, where costly and disruptive measures were taken, including a shutdown of the NYC subway system and implementation of a travel ban.

So what happened with the forecast for NYC?

According to NOAA, there was a very narrow gradient, measuring just 50 to 150 miles across, that demarcated a ‘western wall of snow’. If you were on one side of the gradient, there would be little snow; if you were on the other, a lot. This gradient didn’t go where the model indicated it might, and missed NYC by about 50 miles to the east.

The tool used for this particular forecast was a European model that, by all reports, has proven to be more accurate on average than the model built by the U.S. weather service. It was the same model that called Superstorm Sandy almost perfectly.

There is no doubt that tools and methods for forecasting weather can (and will) improve, particularly as the two GOES satellites that currently provide weather forecast data for North America are replaced next year with more advanced GOES-R satellites, which will take images with higher resolution and be able to sense parts of the electromagnetic spectrum.

But this latest forecasting blip has put a spotlight on a pair of other issues that must be looked at in tandem with the technical side of weather forecasting.

The first is sensationalism. We live in a world of hyperbole, where people choose to use such words in the normal course as ‘unbelievable’, ‘amazing’ and ‘incredible’ when lesser descriptors would do just fine. It’s a world where small flubs are called ‘epic fails’ and where ‘literally’ is often used figuratively. A place with a non-stop news cycle that seems to subscribe very much to philosopher Walter Benjamin’s idea of the ‘permanent emergency’. It’s a world where labels (and, these days, hashtags like ‘Snowmageddon’ and ‘Snowpocalypse’) do nothing but add fuel to the fire. People, I believe, can easily spot exaggeration (though they may be guilty of it themselves) and have learned to tune it out. It’s unclear to me how society can address this problem, which now appears to be deeply embedded in our popular culture. But perhaps a good start is if social media users out there refused to take part in the labelling and hashtagging of average events as ‘exceptional.’ Maybe, in time, we can move this mountain.

The second issue – one that is more tangible and much more likely to be addressed institutionally – is the matter of communicating forecast uncertainty.

Essentially, weather is non-linear, and regardless of model capability, computer processing power and forecaster experience, there will always be uncertainty. Weather forecasters are essentially trying to make an educated guess about something they do not control. As one warning coordination meteorologist for NOAA put it, “There is a limit to predictability when it comes to forecasting and it’s always going to be there. Human behavior behaves like that, the stock market behaves like that and weather behaves like that.”

Weather forecast output from models includes confidence levels, and these must somehow be used when communicating to the general public and policymakers.

Whether we use the very same lingo as the forecasting models (e.g. Low confidence, High confidence, Very high confidence, etc.), or whether some other system is devised (such as a colour-coded warning system or a scale of one to ten), the level of confidence in a forecast must be made clear to end-users. Indeed, brand new (and very timely) research from the University of Washington released January 27 indicates that the public may respond best to severe weather warnings if they include a probability estimate.

Seeing as it is not up to the weatherman to decide to shut down public transit, implement a travel ban or order an evacuation, for instance, it is critical that those who are responsible for such calls be given every piece of info they need to make good decisions and set the overall tone of an impending event, without going overboard.

Better and/or greater use of certainty statements will aid in this endeavour.

In the meantime, there will be more missed calls. Get used to them, and don’t shoot the messenger.

The post Everyone talks about the weatherman… appeared first on insBlogs.

Ontario appeal court expands privacy breach tort to health care sector

The Court of Appeal for Ontario has held that a hospital can be sued (in a proposed class action) for a privacy breach.

In Hopkins v. Kay, the class plaintiff alleged that her records as a patient at the Peterborough Regional Health Centre were improperly accessed. She based her claim on the common law tort of intrusion upon seclusion, set out in Jones v. Tsige.

The hospital brought a Rule 21 motion to dismiss the claim on the ground that the Personal Health Information Protection Act (“PHIPA”) is an exhaustive code that ousts the jurisdiction of the Superior Court to entertain any common law claim for invasion of privacy rights in relation to patient records.

About PHIPA

By way of background, PHIPA is an Ontario law that governs the collection, use and disclosure of personal health information within the health sector. The statute’s object is to keep personal health information confidential and secure. The Information and Privacy Commissioner of Ontario is responsible for the administration and enforcement of PHIPA.

The Court of Appeal for Ontario ruled that a hospital can be sued, in a class action, for breach of privacy.

An individual who has reasonable grounds to believe that another person has or is about to contravene a provision of PHIPA may complain to the Commissioner. The Commissioner is given extensive procedural and investigative powers in relation to complaints and the power to make a variety of orders following a review. The Act gives the complainant the right to make representations to the Commissioner but does not contemplate a formal adversarial hearing for the resolution of complaints. An appeal from the Commissioner’s order on a question of law lies to the Divisional Court.

Of note is section 65 of PHIPA, dealing with remedies:

65. (1) If the Commissioner has made an order under this Act that has become final as the result of there being no further right of appeal, a person affected by the order may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of a contravention of this Act or its regulations.

(2) If a person has been convicted of an offence under this Act and the conviction has become final as a result of there being no further right of appeal, a person affected by the conduct that gave rise to the offence may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of the conduct.

(3) If, in a proceeding described in subsection (1) or (2), the Superior Court of Justice determines that the harm suffered by the plaintiff was caused by a contravention or offence, as the case may be, that the defendants engaged in wilfully or recklessly, the court may include in its award of damages an award, not exceeding $10,000, for mental anguish. [emphasis added]

With respect to bringing actions against a custodian of personal information:

71. (1) No action or other proceeding for damages may be instituted against a health information custodian or any other person for,

(a) anything done, reported or said, both in good faith and reasonably in the circumstances, in the exercise or intended exercise of any of their powers or duties under this Act; or

(b) any alleged neglect or default that was reasonable in the circumstances in the exercise in good faith of any of their powers or duties under this Act.

(2) Despite subsections 5(2) and (4) of the Proceedings Against the Crown Act, subsection (1) does not relieve the Crown of liability in respect of a tort committed by a person mentioned in subsection (1) to which it would otherwise be subject.

Superior Court Motion

The motion judge dismissed the motion, holding that it was not plain and obvious that the claim based on Jones v. Tsige could not succeed.

Court of Appeal

On appeal, the defendants submitted that PHIPA amounts to a comprehensive code that reflects a careful legislative attempt to balance various conflicting interests. They contended that PHIPA’s careful balance would be disturbed if claims based on Jones v. Tsige were entertained by the courts in relation to personal health information. They argued that allowing these common law claims would contradict the statutory scheme, defeat the intention of the legislature, and undermine the policy choices embodied in PHIPA.

The Court of Appeal dismissed the appeal.

After setting out the various provisions in PHIPA, the Court found that there was nothing in PHIPA – either implicitly or expressly – that suggested a legislative intention to confer exclusive jurisdiction on the Privacy Commissioner to resolve all disputes over misuse of personal health information:

I conclude that the language of PHIPA does not imply a legislative intention to create an exhaustive code in relation to personal health information. PHIPA expressly contemplates other proceedings in relation to personal health information. PHIPA’s highly discretionary review procedure is tailored to deal with systemic issues rather than individual complaints. Given the nature of the elements of the common law action, I do not agree that allowing individuals to pursue common law claims conflicts with or would undermine the scheme established by PHIPA, nor am I satisfied that the review procedure established by PHIPA ensures that individuals who complain about their privacy in personal health information will have effective redress. There is no basis to exclude the jurisdiction of the Superior Court from entertaining a common law claim for breach of privacy and, given the absence of an effective dispute resolution procedure, there is no merit to the suggestion that the court should decline to exercise its jurisdiction.

The Aftermath

In Jones v. Tsige, the Court of Appeal created a new privacy tort that allowed individuals to sue people or companies for privacy breaches. This new decision brings the Jones v. Tsige tort to the healthcare sector, arguably the custodian of the most sensitive kind of personal information.

We live in an age of increasing privacy threats and awareness. Hopkins provides yet another example of how lawmakers and courts are doing whatever they can to protect personal information, while punishing those who mishandle it. We expect to see many more court decisions that not only protect privacy, but also expand upon the tort of intrusion upon seclusion.

The post Ontario appeal court expands privacy breach tort to health care sector appeared first on insBlogs.

Insurers must make risk management a team sport

The role of Chief Risk Officers (CROs) today is more multifaceted than it used to be. The financial crisis has expanded the CRO role, making risk management in the insurance industry more of a team sport than ever before. In fact, according to EY’s latest CRO survey, nearly one-third of respondents cited this shift in role as their biggest accomplishment for 2014. But more needs to be done to integrate risk management with the rest of the business.

It’s reassuring to see organizations beginning to recognize and embrace the risk function. But unlike in many other areas, the efforts of the risk team aren’t measured by a clearly defined metric. One way to show value is to have regular conversations with company management. In EY’s survey, 37% of CROs reported that dialogues they’ve had with management demonstrate the value they bring to the organization.

This two-way communication is key to being better prepared. It helps insurance companies build a solid foundation to withstand external challenges facing the industry today. Forty percent of respondents cited regulation and capital standards as their biggest risk challenges. Cybersecurity followed at 14% of respondents. And, 13% of these companies cited interest rates and the economy as major risk challenges.

Despite acknowledging these challenges, only 53% of respondents actually have a formal model of risk governance/validation practice in place. Many gaps still remain in companies’ line-of-defense organizational structures for risk. While 74% of CROs said they have some form of three-line defense structure, there are issues to be worked out.

External challenges are plentiful for the CRO, but they can be overcome with teamwork. If CROs can keep having important conversations with key business leaders and show the value of integrating the risk function in everything an insurance company does, they will be able to meet the challenges that come their way.

You can learn more about the survey findings by reading EY’s Chief Risk Officers at Insurance Companies Concerned by Capital Standards and Increased Regulation.

The post Insurers must make risk management a team sport appeared first on insBlogs.

Advantages of a Risk Management Approach to Clients

For a broker interested in writing and retaining commercial accounts, there is a lot to be said for conducting a thorough review of a business owner’s operations, making recommendations for appropriate limits and types of coverage, and then ensuring that the client understands what is – and isn’t! – covered under the insurance programme he or she selects. A broker who regularly engages in this type of comprehensive review will be a broker who stands out from the crowd and who should therefore enjoy greater success in sales. In addition, this risk management approach to clients can help shield a broker from an Errors & Omissions (E&O) claim.

A recent study by Harris Poll Online in the United States revealed that, among other things, 66% of the small business owners surveyed said they did not have business interruption coverage. It’s always dangerous to draw conclusions for Canada based on survey results from another country, even results from our neighbour south of the border. But, even if a similar survey conducted in Canada elicited a similar response from small business owners, I would have difficulty believing that two-thirds of the insurance programmes actually lack a business interruption component. What seems more likely is that two-thirds of the owners think their programme lacks business interruption coverage. Many if not most small businesses would be covered under a package insurance policy that automatically provides some measure of business interruption coverage. Whether the automatic coverage is sufficient is another question, but at least some coverage is there. If the owners aren’t aware that this basic and crucial coverage is there, it’s because no one has sat down with them to discuss coverage and to determine appropriate limits.

Earlier in my career, I worked for an insurance company that sold niche, commercial insurance on a direct basis to business owners. The company’s mandated procedure when quoting on a new account, and then at every subsequent renewal, was to sit down with the business owner to review coverage and limits. A form was filled out that detailed the coverage and limits that were being purchased as well as the coverage that was being declined. At the end of the meeting, the client would sign the form. A copy of that form was then placed in the client’s file. One of my clients was the owner of a mid-sized company that had been in his family for a few generations. Every year, I reviewed coverage with him and, every year, he declined to purchase business interruption coverage. I didn’t go through this process because it was my brilliant idea: I did it because it was a mandated procedure. As luck would have it, one day this particular client suffered a devastating fire that destroyed the building and contents. When my sales manager visited the business owner to console him on the damage to his business and to help him in the preliminary stages of preparing his claim, the owner of course regretted not purchasing business interruption coverage when he had the chance. But at least he knew and acknowledged that he had been offered coverage.

As things turned out, that business never re-opened after the fire. Sadly, this is all too common. According to the Federal Emergency Management Agency (FEMA) in the United States, 40% of businesses do not re-open after a disaster and another 25% fail within one year. Along the same lines, the United States Small Business Administration reports that 90% of businesses fail within two years of a devastating loss. Although these are U.S. statistics, my sense is that the results for Canadian small businesses would be no better.

This company that I worked for at the time did not present itself to the market as the cheapest provider of insurance. There were definitely lower-cost providers. The reason business owners purchased insurance from this company, rather than its competitors, is that they knew the company understood its clients’ businesses, designed customised insurance programmes to meet those needs, and took the time to meet with clients on a regular basis throughout the year in order to stay on top of their clients’ evolving needs. The business owners knew they could almost certainly obtain a cheaper programme elsewhere, but they wouldn’t take the risk of being improperly advised.

There is a lesson for all of us, I think, in this. Based on my experience, anyone looking to build up a portfolio of commercial business, to maximise commission income, and to minimise the exposure to an E&O claim, is well advised to take this kind of risk management approach with current and prospective clients.

The post Advantages of a Risk Management Approach to Clients appeared first on insBlogs.


Insurance Education that Matters


Your professional development has never been more cutting-edge.

Consider the fascinating research of Qui Trieu, manager of personal insurance at Perth Insurance, a wholly owned subsidiary of Economical Insurance. Qui (pronounced as ‘key’) is currently a candidate in the Insurance Institute’s Fellow Chartered Insurance Professional (FCIP) program.

Qui is looking for ways to attract Millennials into Canada’s property and casualty insurance industry. Born between 1980 and 2000, Millennials have a reputation for ‘thinking outside the box’ and seeking like-minded, innovative workplaces. Qui says his challenge is to confirm that Millennials have a home in the insurance industry despite being exposed to inaccurate public stereotypes.

“I guess the misguided perception exists that the industry is old, archaic and very boring,” Qui says. “But after having gone through these six online FCIP courses, you can see that the insurance industry is pretty dynamic. It’s as big as you want it to be. It’s as dynamic as you want it to be. And it will give you as much as you want to put into it.”

Relevant Education

The FCIP is the highest designation in Canada’s p&c insurance industry. Every day, FCIPs like Qui are conducting state-of-the-art research to help their organizations find practical solutions to emerging issues facing today’s insurance industry.

An FCIP education today carries limitless potential to help p&c organizations and clients deal with any conceivable issue.

Right now, the insurance industry is helping Fort McMurray, Alberta residents deal with the devastation wrought by giant wildfires. Our hearts and thoughts go out to those who have been displaced and/or lost everything. This is a tragic catastrophic event, and it brings to mind research conducted two years ago by FCIP grad Greg Crawford.

For his capstone project, Greg researched new ways for the insurance industry to handle large-scale claims events generated by our changing global climate. Greg’s FCIP research offered practical solutions to help ease the minds of clients in times of need.

Innovative Education

Innovation is a hallmark of the program’s final course, Integrative Learning for the P&C Sector, featuring the ‘capstone’ research project. Let’s take a quick look at what FCIPs are researching in aid of their organizations and clients in 2016. Their topics read like daily headlines in the insurance trade press:

  • Auto insurance for Uber/Uber’s impact on insurance
  • Insurance for driverless vehicles/the impact of driverless vehicles on the p&c industry
  • Drone insurance/the impact of drones on insurance industry
  • The impact of climate change on insurers and reinsurers
  • Cyber insurance, including development for new markets and growth strategies for existing markets
  • Commercial lines growth and reputation
  • How reinsurers can maintain relevance
  • Hypothetical start-up business model in insurance

Again, this is a modest sampling of research projects conducted in just one course. Each of the six FCIP courses includes opportunities to tackle relevant business topics in the areas of strategy, leadership, financial management, enterprise risk management and emerging issues.

Qui Trieu is right: an FCIP education is as diverse, dynamic and creative as the Canadian insurance industry itself. Clients and the industry benefit when FCIPs create practical business solutions that distinguish their p&c organizations.

If you would like to play a role in helping your company deal with real-world issues, consider taking the Institute’s FCIP designation. More information about the FCIP is available at the Insurance Institute’s website.

Are you contemplating if the FCIP is your next move? Hear from FCIP candidates about the program and see if it’s right for you at this time. Register now for 3 Candid Student Stories, a complimentary Insurance Institute webinar held on May 31 at 1 pm eastern time.

The post Insurance Education that Matters appeared first on insBlogs.

RMORSA Part 1: Risk Culture and Governance


The National Association of Insurance Commissioners’ adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) of 2015 required insurance organizations to take a broader approach to risk management. I would like to revisit this regulation and discuss the importance of insurers taking a step back, leveraging their existing risk management operations, and developing their RMORSA efforts with a mind to the future.

The groundwork for RMORSA was laid with the International Association of Insurance Supervisors’ (IAIS’) Core Principle 16 – Enterprise Risk Management – and many of the ORSA requirements can be fulfilled with the adoption of an ERM framework:

  • Risk Culture and Governance
  • Risk Identification and Prioritization
  • Risk Appetite and Tolerances
  • Risk Management and Controls
  • Risk Reporting and Communication

Before you scoff at the scope of these requirements, consider that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks “may not require the same scope or depth of review” as organizations with less defined processes. In this blog series, each of the core elements will be examined with an emphasis on preparing your organization for ORSA compliance. Today’s post will explore the first key principle: Risk Culture and Governance.

As defined by the NAIC, Risk Culture and Governance provides defined roles, responsibilities, and accountability in risk-based decision making. In effect, the principle builds off of a 2010 SEC mandate requiring corporate boards to document their role overseeing enterprise risk. This rule extends the board’s role in risk oversight from C-level risks, activities and decisions to now having accountability at the business process level. Boards are explicitly given a choice between either having effective risk management, or disclosing their ineffectiveness to the public. If they do neither, it is now considered fraud or negligence. Enforcement actions by the SEC have doubled in recent years, so it’s likely your board has already established risk management as a priority, but what does this mean for your organization?

The first practical issue is that it is no longer sufficient to rely on the audit function as a hub for risk management. Risk responsibility has always been the responsibility of process owners, and ORSA is now mandating better oversight under the guidance of a risk management function. For many organizations, the critical first step has been taken by establishing executive responsibility in a Chief Risk Officer (a CRO is actually required to sign off on the ORSA assessment), but without the appropriate tools to make risk management actionable, accountability beyond the CRO is never properly defined. Front line managers hear “Risk Responsibility” and take the same action they would for other lofty strategic initiatives – that is to say, they take no action at all.

To engage process owners in a Risk Culture, each business area must take ownership for a subset of the enterprise risks. Risk managers, in effect, do not own the risks to the organization; on the contrary, they own the ERM process. Their primary role is to lay the groundwork for risk assessments, aggregate risk intelligence for board reports, and create actionable initiatives for business areas in need of oversight.

Engaging process owners has the dual effect of permeating an enterprise-wide risk culture, while also creating a sense of shared responsibility. The structure defined above also creates three levels of defense, a concept adopted and well-articulated by The Institute of Internal Auditors. The operational risks are owned by the process owners. The risk management function provides guidance and strategic alignment. And finally, Internal Audit ensures adherence to the proper policies and regulatory standards.

Risk Culture and Governance cannot be accomplished overnight, but significant progress can be made by adopting and articulating the best practices outlined above.

For more information on how you can engage process owners, implement a standardized risk assessment process, and report this information to the board, download our complimentary eBook, “Presenting Risk Management to the Board.”

The post RMORSA Part 1: Risk Culture and Governance appeared first on insBlogs.

RMORSA Part 2: Risk Identification and Prioritization


The first step in Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) implementation, risk culture and governance, lays the groundwork and defines roles for your risk management function. The second step, risk identification and prioritization, defines an ongoing risk intelligence process that equips an organization with the data needed for risk-based decision making.

The engine behind this process – the enterprise risk assessment – isn’t a new concept, but organizations are finding that the traditional, intuitive ideas for how to conduct risk assessments are inadequate. Too often, risk managers are interviewing process owners and collecting huge quantities of data, only to find that their top 10 risks are entirely subjective and lack any actionable component. And what good is a top 10 risk if you can’t answer the inevitable question: what are you going to do about it?

Take a Root-Cause Approach

The first and most common hurdle risk managers face is that the risks expressed by process owners are so specific to their business area that they can’t possibly be measured against the rest of the enterprise. For example, the IT department may be struggling to find candidates with enough JavaScript experience, or the Health & Safety department might be concerned with an endless string of EPA regulations. Process owners can’t help but think in terms of their immediate environment, but you can make use of their insight by adopting a root-cause approach.

The key to this root cause approach is a common risk library, or Taxonomy, that orients the concerns of business areas to a category that you as the risk manager can take action upon. When IT says it can’t find candidates with JavaScript experience, for example, what it’s really expressing is an issue with hiring practices, just as health and safety is expressing its concern with the company’s regulatory environment.

By categorizing risks, it becomes easy to spot when more than one business area is expressing the same concern, allowing the risk management function to identify and address systemic risks.

Use a Single Set of Criteria

When engaging a variety of business areas for risk assessments, ensure you’re using a single set of criteria. Often risk managers will begin with a monetary value that represents a critical loss, and they’ll evaluate risks based on that amount. But consider how many process owners in your organization have the financial transparency to operate off of monetary values. Chances are, the answer will be very few.

To combat the lack of financial awareness, qualitative criteria are essential for operational risk assessments. Create qualitative criteria that will apply to multiple functions. For example, a major risk—such as fraud or embezzlement—might result in a work stoppage, or result in a serious variation from an organization’s business values.

Tell a Story to Your Board and Executive Leadership

The key to any good story is not only an identifiable villain (your top 10 risks), but also a damsel in distress (your company’s strategic goals). Tying risks to strategic objectives allows you to demonstrate ORSA compliance by orienting your initiative to the executive objectives of the company. When the question is asked “why is this risk a priority?” your top 10 list won’t exist in isolation, but will be mapped back to the priorities already set by the board.

Demonstrating risk-based decision making is one of the more difficult elements of ORSA compliance, but it can be accomplished by gathering meaningful, contextual risk intelligence with well-designed risk assessments.

Start implementing risk assessment best practices at your organization today by downloading this complimentary best practice risk assessment template.

The post RMORSA Part 2: Risk Identification and Prioritization appeared first on insBlogs.

Wells Fargo Data Breach: The Saga Continues (Part 1)


Every business, in every industry, is liable to suffer a scandal. However, in all my years of experience, I have never come across a scandal that wasn’t entirely preventable.

In a recent interview I had with business journalist L.A. Winokur regarding the Wells Fargo cross-selling scandal, I made a prediction: “Once the dust of this scandal settles, perhaps in two or three years, Wells Fargo will remain vulnerable in other areas of its operations to risk management failures.”

Lo and behold, the only part I didn’t get right was the timeline. Less than a year after paying $185 million in penalties, the largest fine ever levied by the CFPB, the bank finds itself in headline news for yet another scandal: this time, a leak of personally identifiable information for over 50,000 accounts.

I predicted this outcome because I have always maintained that if a company does not address the root cause of a failure in risk management, the problem is not solved, and other scandals with the same root cause will arise again and again.

Wells Fargo and their customers have fallen victim to ineffective risk management, brought on by poor governance. After a 6-month independent board committee investigation into the root cause of their cross-selling scandal, the bank found ineffective governance structures and poor risk management processes to be at the heart of the problem. However, after identifying these factors, the Wells Fargo board did very little to materially change their operations, culture, and leadership in a way that would better protect their employees, customers, and shareholders.

Let’s look at Wells Fargo’s original scandal with an eye towards how their failure to mitigate the root cause of their risk led to the bank’s most recent headlines.

Failed Risk Identification Causes Wells Fargo Cross-Selling Scandal

In 2013, rumors circulated that Wells Fargo employees were engaging in aggressive sales tactics to meet their daily cross-selling targets. It began with 30 employees in San Francisco fired for opening new accounts and issuing debit or credit cards without customer knowledge. One Wells Fargo spokesman said, “We found a breakdown in a small number of our team members. Our team members do have goals. And sometimes they can be blinded by a goal.”

Of course, as we now know, this was no small breakdown. Over five years, 2 million false accounts were created.

As the investigation unfolded, it became clear that Wells Fargo was reluctant to admit that this issue was systemic, stemming from poor culture and ineffective monitoring of separation of duties. Former CFO Tim Sloan stated, “I’m not aware of any overbearing sales culture,” and proceeded to list the “multiple controls” Wells Fargo had in place to prevent abuse such as the employee handbook and a whistleblower program to notify senior management of violations.

The bank evidently maintained that the fault lay with their front-line employees’ inability to adhere to these protocols, as 5,300 front-line employees were fired, while retail banking head Carrie Tolstedt retired with a pay package valued at $124.6 million.

But as director of the Consumer Financial Protection Bureau Richard Cordray asserted, the bank failed “to monitor its program carefully, allowing thousands of employees to game the system and inflate their sales figures to meet their sales targets.”

Ultimately, Wells Fargo built a cross-selling program that forced people into a bad situation. Companies should never put employees in the position of choosing between themselves and the customer. There is nothing inherently wrong with ambitious sales goals, as long as there are systems in place to ensure the customer and the employee are secure. In this case however, sales employees had the ability to directly open false accounts, thereby enabling them to disturb the customer’s security.

Herein lies the root cause of the scandal: separation of duties and access rights. Yes, the sales culture was extreme, and the pressure high. But employees tasked with these sales goals should not have been the same employees in charge of opening new accounts, and should not have had the access rights to do so. If these duties and access rights fell under employees that would not have benefited from the creation of these accounts, then there would be no incentive to create them, no conflict of interest, and this scandal would have never occurred.

Failed Risk Mitigation Causes Wells Fargo Data Breach

Wells Fargo later admitted that to prevent this risk and others from recurring, it needs to strengthen its risk management program. And yet, their latest scandal reveals that they have not yet taken sufficient action to uncover the root cause of their risk.

The bank is attracting renewed scrutiny after an unauthorized release of tens of thousands of clients’ information. The data breach began as a financial squabble between a pair of brothers, Gary and Steven Sinderbrand, who formerly worked at the company together. Gary Sinderbrand’s lawyer had been inquiring about documents related to the fees Sinderbrand was allegedly not paid when he received a trove of 50,000 account numbers, names, addresses, and social security numbers.

The data was sent by Wells Fargo’s representation Angela Turiano without a protective order or confidentiality agreement between the parties. Turiano asked for the data back after she was informed of the breach.

How does this relate back to the original cross-selling scandal? Root cause. Wells Fargo is again guilty of their failure to implement systems that ensure appropriate separation of duties and access rights.

Although it is her responsibility to facilitate communication between legal parties, it should not be within Turiano’s access rights and duties to obtain or even view records with the personally identifiable information attached, as this information does not relate to the evidence Sinderbrand’s lawyer was seeking.

If Wells Fargo had implemented an ERM framework that implemented stronger governance structures and placed priority on identifying and mitigating the root cause of risks, they would have avoided this data breach.

Until the company realizes that they aren’t doing enough to fill the major gaps in their risk management program, they will continue to put their customers at risk and suffer the reputational damage of doing so.

For in the time it took me to write this article, Wells Fargo yet again dominated headlines for tacking on $80 million in insurance charges to the accounts of 800,000 auto loan customers.

Download this complimentary eBook to learn how you can leverage stronger risk assessments to keep your company out of the news and protect your reputation.

The post Wells Fargo Data Breach: The Saga Continues (Part 1) appeared first on insBlogs.

Wells Fargo Auto Loan Scandal: The Saga Continues (Part 2)


The blows keep on coming for Wells Fargo. Within a year of their cross-selling scandal, two more scandals have risen to the top of news headlines.

In part one of this series, I set out to make good on a prediction I presented to business journalist L.A. Winokur. I predicted that after the dust settled for the original cross-selling scandal, Wells Fargo would remain vulnerable in other areas of its operations, unless they address the gaps in their risk management program.

In the time it took me to examine and expose the similarities between the sales incident and their latest data breach, news broke of yet another Wells Fargo scandal, proving once again that the bank has not taken sufficient measures to improve the governance of their risk management program, and that they are still just as vulnerable to risk management failures and negligence lawsuits in different areas of their business.

In my blog post, “What is Good Governance, and Why Do We Care?” I walked through why business scandals are 100% preventable with effective enterprise risk management. Since systemic negligence in effective risk management is the cause of these scandals, organizations are highly likely to have multiple scandals over time until effective enterprise risk management is put into place.

Let’s take a look at the bank’s auto loans scandal with an eye towards how their failure to mitigate the root cause of their first two failures set them up for another appearance in the news, and more record breaking penalties and lawsuits.

The Wells Fargo Auto Loan Scandal: What Happened?

Many standard auto loan contracts require customers to have comprehensive insurance for potential damage to their vehicle. These contracts also stipulate that if the purchaser of the vehicle cannot prove they have this coverage, the bank who grants them the loan may purchase the insurance for them and add the cost of coverage to the cost of the loan.

Last week, Wells Fargo admitted that they had charged 800,000 customers for insurance they did not need. The added cost to their premiums caused 274,000 customers to default on their loan payments and resulted in the wrongful repossession of 25,000 vehicles.

In a statement, head of Consumer Lending Franklin Codel said, “We take full responsibility for our failure to appropriately manage the collateral protection insurance program and are extremely sorry for any harm this caused our customers, who expect and deserve better from us. Upon our discovery, we acted swiftly to discontinue the program and immediately develop a plan to make impacted customers whole.”

To this end, Wells Fargo named a new head of the auto business, and centralized collections operations to improve the customer experience, boost consistency and minimize risk to the business, according to an internal memo. The bank is also in the process of refunding customers the $80 million they were wrongfully charged, and alerting credit bureaus on customers’ behalf.

The Wells Fargo Auto Loan Scandal is Another Failure in Risk Management

After the news broke, New York City Comptroller Scott Stringer said, “This is a full-blown scandal—again. It’s unbelievable, outrageous, sad, and yet quintessential Wells Fargo.”

Such a statement assuredly resonates with millions of people whose eyes so much as glanced at this latest headline. Scandals are always met with a feeling of outrage because they are preventable. What makes this particular scandal so outrageous is that it is tantalizingly similar to the risk management failure in their cross-selling scandal.

Wells Fargo is an innovative bank. Most banks dream of having a cross-selling program or offering products like Guaranteed Asset Protection products. But as I’ve said before in regard to big name companies like Chipotle, BP, and Volkswagen, with innovation comes risk.

As I explained in part one, with the innovation of cross-selling came the risk of access rights and separation of duties. Without a proper governance structure in place to identify and control the risks inherent to these new processes, scandal was bound to materialize.

Of course, as I’ve mentioned, Wells Fargo and many others incorrectly saw the root cause of this scandal as an overzealous sales program. The OCC and I came out and said that it wasn’t a sales culture problem, but a risk governance problem, and mandated that the bank implement an effective enterprise risk management program.

However, the bank seems to have interpreted the OCC too narrowly. Instead of understanding the root cause as a failure in enterprise risk management, they identified the root cause as a failure in risk management in the one department where the scandal occurred, i.e. sales.

Clearly, this was the wrong interpretation, as the newest auto loans scandal shares the same root cause: a failure to see the side effects of innovation and govern their processes effectively. Same root cause, different department.

In a statement, Wells Fargo spokeswoman Jennifer Temple said that the bank took steps to improve the administration of their Guaranteed Asset Protection products back in 2014. While it is unclear what these steps were, it is evident that the risks associated with this “improvement” were not identified or properly controlled.

Let’s take an excerpt from my first Wells Fargo blog regarding their cross-selling practices: “Where were the risk assessments on these sales and booking processes? What about internal audits of both the risk management process and governance oversight on these areas?”

These questions are directly applicable to the current situation. Before you implement a policy, it’s imperative to perform objective risk assessments on the processes involved to uncover any potential risks before they materialize.

Having done so, the auto loans department would have seen that there was an inherent risk in their collateral protection insurance policy, that is, a risk of charging a customer for insurance they didn’t need. From there, controls would have been implemented to ensure that employees were conducting proper due diligence and ensuring that customers did in fact lack auto insurance before purchasing it for them. From there, the scandal would have never occurred.

The Reputational Damage of the Wells Fargo Scandals

Admittedly, Wells Fargo has blamed the problem on “inadequate checks and balances” and “inadequate internal controls.” To correct these inadequacies, they’ve taken actions involving changes in front-line employees, after-the-fact refunds, and the centralization of collections. The intentions of these actions are all well and good, but we’ve seen good intentions with little result before.

After the cross-selling scandal, which I’ve said was also a result of inadequate checks and balances, 5,300 sales employees were fired, the retail banking head retired, and the board committed to strengthening its risk management program.

What good did this do if the auto loans scandal manifested from the same root cause? How much can we trust Wells Fargo when they say they are working towards improving their programs and processes?

Herein lies the truly devastating side effect of poor risk management: reputational damage. Stringer’s comment hardly stands out in a crowd of voices exclaiming their frustrations with Wells Fargo. The fact is, $80 million in refunds is a drop in the bucket for a bank this size. The decline in market value and customer loyalty are the major consequences Wells Fargo will struggle to amend for years to come.

How to Avoid Future Scandals

Wells Fargo isn’t the only corporation facing multiple lawsuits related to failures in risk management. It seems that big name corporations such as Target and Chipotle, to name a couple, are in desperate need of some risk management rehab if they want to successfully avoid financial and reputational damage.

Ultimately, the method of prevention is to ensure a policy is followed in operations. Studies show that only 20% of employees operating under a policy are actually following that policy in their daily routine, even after training.

Here are the steps to operationalize a policy:

  1. Identify the stakeholders of the policy
  2. With their help, identify the root-cause risks that threaten adherence to that policy across the organization
  3. Address those risks with appropriate controls
  4. Monitor the effectiveness of these controls

Since this method is proven to work 100% of the time, failure to do so is considered by regulators, shareholders and the courts to be negligence and is at the core of every lawsuit. Implementing this policy gives every organization the means to avoid litigation and the resultant reputational damage.

Download this complimentary eBook to learn how your organization can fill the gaps of your risk management program and prevent your future scandals.

The post Wells Fargo Auto Loan Scandal: The Saga Continues (Part 2) appeared first on insBlogs.
