Exclusive Q&A On Insurance and Risk Management with Joseph L. Petrelli

Can you outline the current insurance & risk management landscape?
 
Excellent question!  There are paradigm shifts taking place on both the insurance and risk management landscapes. In the insurance landscape, alternative capital has discovered the property reinsurance marketplace. Primary carriers are utilizing the availability of alternative capital, whether catastrophe bonds or other insurance linked securities, as an alternative to traditional reinsurance to save money and to leverage reinsurance rates per se.  Concurrently, as reinsurance rates soften, multi-billion dollar reinsurers are evaluating or initiating merger opportunities to remain profitable as well as to remain relevant in the marketplace.  As to risk management, changes in the level of documentation and corporate cultures are being driven by enterprise risk management and the implementation of the National Association of Insurance Commissioners Own Risk and Solvency Assessment process.   These two emerging issues will reshape the insurance. The next generation of leaders should be watching, studying and understanding these phenomena.
 
What risks are most likely to affect businesses, and which of these would have the biggest financial consequences were they to occur?
 
In terms of emerging issues, cyber liability, data breaches and related access to and the abuse of personal information have the biggest impact and capacity to create widespread financial consequences – for the consumers involved and for the entities that were unable to safeguard the information.  Despite daily headlines of government agencies, health insurers and international retailers being hacked, I believe that the amount of protection purchased and standards for internal safeguards on IT infrastructure are woefully lacking.  While the headlines have indicated that the number of records hacked can be staggering and the amount of information obtained incredibly detailed, I suspect that soft targets – restaurants, vendors, insurance agents, blue collar trades people utilizing credit cards, etc, – will eventually be targeted. 
 
What role can insurers have in driving improvements in cyber security risk management?
 
Although insurers should be encouraged to develop meaningful coverages that provide funds or assistance to consumers and businesses that have been hacked, i.e., attempt to unring the bell, the reality is that insurer options to drive improvement are somewhat limited.  Premium differentials based upon an insurer’s assessment of the underlying cyber security risk management at a risk/insured must be approved by the respective departments of insurance.  Although the insurance industry can accept or reject cyber risk based upon the insurer’s underwriting criteria and its assessment of the consumer or business’s cyber security, we may be approaching a situation where the tail of cyber liability might wag the dog of account acceptability. In other words, would an insurer decline a business owners policy, farmowners or commercial multiperil policy that has been profitable or is properly priced simply because the insured or prospective insured now requests cyber liability insurance and presents below average risk management function for this aspect of its exposure and therefore above average exposure to the insured?  Will susceptibility to cyber liability become an underwriting criterion as opposed to an opportunity to provide another coverage to the insured?
 
What procedures should a firm take when outsourcing or contracting work which contains important data and security, and are there any legal or regulatory requirements that need to be taken into account?
 
An emerging verification criterion or consideration with regard to outsourcing or contracting work containing important data is to require that the vendor or contractor have successfully fulfilled the requirements of and can provide a Statement on Standards for Attestation Engagements 16, a protocol associated with an independent verification.  The statement of controls may consist of a SOC 1 report, SOC 2 report or SOC 3 report.  Traditionally, publicly traded carriers have requested these of their vendors.  The specific situation under review determines whether a SOC 1, 2 or 3 would be applicable.  For a smaller business, the annual cost of a review and report can be equivalent to the cost of a part-time employee.   
 
Why is it important to differentiate between risk analysis and risk management?
 
When I ask my grandchildren to do something and they agree to do so yet the deadline for completion passes without action, I remind them that ‘talking ain’t doing.’  I differentiate the two terms risk analysis and risk management as ‘talking’ and ‘doing’, respectively.  Risk analysis is a preliminary step in the risk management process.  It is necessary but it is not sufficient.  Getting it done or at least moving toward a solution is implicit in the term ‘management’.  From my perspective, the critical link between analysis and management is that the analysis component should create a sense of proportionality in the management phase so that you prioritize your time commitment.  If you have limited resources, spend them where you get the superior return. 

To what extent is there a culture amongst board of directors to consider risk management as a luxury rather than a necessity, and why is it a grave error to possess this mind set?
 
With respect to the fine boards of the past, it seems to me that the more effective boards have changed their role and perspective.  Other business cycles and eras have permitted, maybe even encouraged, boards to be passive in their interaction with key personnel.  More recently, there have been revisions to corporate regulations as well as substantive changes in the procedures and practices of the independent parties that tend to report to boards.  Two such examples are changes in the breadth and scope of statements of actuarial opinion as regards loss and loss adjustment expense reserves as well as changes in the breadth and scope of independent audits.  There are dozens of highly rated (by others than Demotech) insurers that self-report chronic loss reserve inadequacy.  Although the level of reserve inadequacy does not appear to impair their solvency, it has a definite impact on the quality of their previously reported earnings.  In my opinion, balance sheet integrity and quality of earnings should be a board level issue.  How can one manage the risks associated with an insurance company if one does not first manage the integrity of the insurer’s loss and loss adjustment expense reserves?
 
What key trends or strategies do you expect to see come to fruition over the coming year?
 
Demotech believes that a key trend in insurance is a move even further toward a barbell structure. Larger companies and smaller, niche players are at the ends with mid-sized companies being squeezed in the middle.  The mid-sized companies must compete against the name recognition, capital and operating efficiencies of the giants while simultaneously being responsive and supportive of the needs of consumers and insureds that require the high level of personal service and consultancy associated with smaller insurers.  An example of this situation exists in the United States domestic property and casualty insurance industry.  If you count captive insurers, mutual protective associations, farm mutuals, risk retention groups, self-insured pools, public and private stock companies, mutuals, reciprocals and all risk bearing entities operating in the US, there are likely to be more than 8,000 such entities competing for P&C business.  Ten percent of these companies, 800, write in excess of 90% of the direct premium written in the US.  Ninety percent of the companies by count compete for less than of the business written!
 
Joseph L. Petrelli is the President and Founder of Demotech, Inc.  Organized in 1985, Demotech, Inc. is a Columbus, Ohio based financial analysis and actuarial services company.  Demotech, Inc. provides services to regional insurance companies, title underwriters, risk retention groups and specialty insurance markets.  Financial Stability Ratings® of A or better are accepted by the secondary mortgage marketplace, virtually all mortgage lenders and an increasing number of umbrella insurance markets, insurance agents errors and omissions insurance carriers, hospitals and other informed third parties.

Prior to forming Demotech, Petrelli was employed by Nationwide Mutual Insurance Company, Countryway Insurance and ISO.  Petrelli is a member in good standing of the Casualty Actuarial Society, American Academy of Actuaries, the Conference of Consulting Actuaries and the Society of Financial Examiners. 

Petrelli and his wife, Sharon, reside in Columbus Ohio.  They have two adult children, Vickie and Joe, and four grandchildren, JJ, Marissa, Luca and Ellis.