Returning to the Workplace in Times of COVID-19, Webinar Recap

Norman Bertke, National Director of Operations for Global Workplace Solutions at CBRE, a leading real estate service provider, kicked off The Risk Institute’s “Returning to the Workplace in Times of COVID-19,” webinar on October 6, 2020.

Bertke’s presentation revolved around CBRE’s Workplace Sentiment Survey, undertaken to ascertain how the American workforce is thinking and feeling about remote work during the pandemic and office work in the future. The survey, with 10,000 respondents from 32 companies in 18 countries, provides insights into the perspectives and expectations of company leaders, managers, and employees. While these insights reflect a moment in time, they are a relevant gauge of workforce expectations and industry sentiment and will help real estate executives create strategies to redefine the work experience with the needs of everyone in mind.

Five Key Takeaways:

  1. Remote work looks and feels productive to most: 90%+ of employees and company leaders feel productivity is the same or greater while working remotely.
  2. Remote work is here to stay: 85% of employees prefer to work remotely at least two to three days a week in the future.
  3. The office is here to stay: 60% of respondents will return to the office in the future for community and collaboration.
  4. Real estate portfolios might look different: 43% of respondents would consider working for a company-provided location nearer their home, at least a few times a week.
  5. There is no one-size-fits-all for remote policies: 54% of company leaders prefer a hybrid arrangement for their team that combines working remotely and from the office.

In closing, Bertke highlighted the following points to consider, as we try to figure out what this new normal looks like. From an employee perspective, COVID-19 hasn’t impacted productivity, but it has certainly shifted sentiment toward the future. For many, the amount of time spent in the office may never return to pre-COVID levels, as employees have not only embraced remote work but have become accustomed to the autonomy that comes with it. However, with a renewed focus on the quality of both workplace experience and design, it is clear the role of the office as a destination for employees is still important for companies to maintain.

The long-term outcome of COVID-19 will be a combination of changes to workplaces, policies, and real estate portfolios, and each company will establish its own stance on remote work and the role of the office. Regardless of the destination, the road to this future should start with culture and be paved by a data-driven and people-centric approach to change.

Tim Spencer, Chief Financial Officer at Safelite, the nation’s leading auto glass specialist, expressed that the pandemic prompted his company to challenge conventional wisdom about the way they operate. And although it is difficult to predict the future, he said, we’re now in a unique position of reimaging how it might look.

Safelite does business in 34 countries on five continents, and when the pandemic led to the closures of France, Spain, and Italy, the company took notice and immediate action, developing a plan to protect both, first and foremost, its liquidity and its associates and customers.

Among the strategies they used were furloughing 8,000 non-essential staff, eliminating advertising, and renegotiating supplier payment terms and rents. Steps to protect customers and staff included increased cleaning and sanitization, implementing the use of PPE and social distancing, and providing touchless drop-off. The steps had some unexpected and positive outcomes. These included an increase in productivity while maintaining a high service level, achieving a higher Net Promotor Score, the acceleration and use of new forms of communication, and an increased share of the market.

Despite this enormously positive response in performance from associates, there were challenges that arose. The company experienced withdrawal in engagement from and with associates across the board. This is particularly difficult, notes Spencer, when engagement has always been a focal point of the company and building the culture with new hires a vital part of onboarding. In connection, the lack of face-to-face communication and collaboration onsite with peers has made it more difficult to establish and build relationships, potentially limiting creativity and innovation.

Technology plays a central role in how Safelite operates. With this new normal, associates have to be more resourceful and self-motivated to learn new technical skills and problem solve. In conjunction, inherent in remote work is the increased likelihood of hacks and/or cyberattacks.

Looking to the future, Safelite and other companies are compelled to weigh up the benefits/opportunities and the concerns/risks of a hybrid work model. While there are many considerations, benefits might include improved cost flexibility and responsiveness and increased flexibility for associates. Concerns relate to maintaining culture, brand, sense of identity, and required investment for long term technology solutions.

Spencer identifies four areas for measuring Safelite’s success in the future, specifically:

  1. People: Continuing to drive engagement to attract top talent by making purposeful investments in physical environments in order to address associates’ evolving needs and expectations.
  2. Place: Create a flexible and agile physical environment that supports innovation, reflects the company’s values and brand, and can evolve as business needs and people change over time.
  3. Technology: Integrate consistent technology across the workplace to provide effortless collaboration regardless of location.
  4. Savings: Achieve fixed cost reductions and increased cost flexibility by reducing the amount of square footage leased.

The ability of many organizations to respond effectively to the post-COVID environment will be critically linked to planning and flexibility. Safelite is continually evolving and making decisions based on data with their team, and Spencer believes the company will come out of this experience a better organization.

John Mark Tichar, Vice President, Sales Leader at Oswald Companies, one of the nation’s largest independent insurance brokerage firms, provided attendees with insights into the current state of the insurance industry. As if the pandemic wasn’t challenging enough, he said, last year the industry started to go into a correction, following ten years of a soft market. This hard market, and with it a continued correction of pricing and terms, will continue through 2021. For the insureds, this means rate increases, reduced capacity, and higher attachments and deductibles.

COVID-19 brings with it its own set of real estate challenges related to business interruption insurance. States including NY, NJ, PA, OH, MA, and SC have been retroactively attempting to change policy language to cover communicable disease and/or pandemics. This despite the fact that in 2006 ISO successfully worked with states to get Virus Exclusions approved on policies. At the time, Tichar said, it was a risk that was not being rated, let alone changed for, but the industry wanted to make sure they didn’t get pulled into this exposure.

Since the onset of the pandemic, 1,000+ lawsuits have been filed against insurers for Business Interruption claims, the majority from retailers, and foodservice + dining places. While Tichar claims COVID-19 and other communicable diseases do not meet the definition of direct physical loss, by and large court is in favor of ruling as such. The takeaway being that Business Interruption Coverage continues to be tied to direct physical loss.

Pollution Exclusions are generally in all liability coverage, but in Ohio, for example, case law makes it difficult for carriers to deny coverage and exercise this exclusion. Ohio Bill 606, which grants immunity to essential workers who transmit COVID-19, compounds this problem insurers are facing in the state. In light of all this, many insurers are attempting to limit their liability by confronting circumstances that may excuse or delay their obligations to perform under existing contracts due to the occurrence of a force majeure event, or events that are “reasonably foreseeable.”

To date, the cancelation of sporting events like Wimbledon and the 32nd Olympic Games, and concerts from the likes of Sir Paul McCartney have cost $200+ billion. Germany’s Allianz, for example, is $794 million in the hole due to event cancelations.

The Risk Institute will be sponsoring more virtual webinars in the coming months on topics pertinent to the industry, Institute members, and the community at large.

Register here for The Risk Institute’s Annual Distracted Driving and Teen Driver Safety Forum, scheduled for Wednesday, October 21, 2020, from 9:00 am to 12:00 pm EST.

 

Written by Jack Delahunty, in association with The Risk Institute

A Grad Student’s Perspective of the 2020 Risk Institute Annual Conference

In many ways this year’s Risk Institute Annual Conference hosted by the Fisher College of Business was both the best in recent years and certainly the most unique. The global COVID-19 pandemic challenged the traditional format for the conference and questioned its ability to be delivered. However, within these challenges, the Risk Institute found the opportunities to deliver what may have been the best conference in recent memory.

Both speakers and attendees were provided new opportunities to engage with the Institute and the conference. With the support of video conferencing and Zoom, the conference was able to attract speakers and attendees from across the globe. The value of this global diversity was on full display throughout the conference with many of the speakers being from outside of the immediate Columbus, Ohio region and many from international backgrounds.

This increased global flavor was a key aspect given the conference’s theme of Geopolitical Risk. Not surprisingly, the growing risk posed by China to both the US and its Allies was at the forefront of many of the conversations during the conference. However, this risk shared the stage during Baroness Pauline Neville-Jones’ discussion with the new risks posed by fraying western alliances. During Baroness Neville-Jones’ discussion of the US and its recently contentious relationship with western allies took center stage. Baroness Neville-Jones provided analysis and advice based on her more than 50 years of experience in international relations and security. Many attendees, including myself, were delighted to hear her share support for western alliances and the value they have in managing global risks effectively. Baroness Neville-Jones also provided the attendees cautious warnings about the increasing global risk of cyber-terrorism and cyber-warfare.

As our conference continued, we dove further into the global risk facing all of us as global citizens, not just as citizens of our respective nations. Our sessions also began to welcome more corporate practitioners. This was notably valuable to me as a graduate student to hear the practices of successful companies and how they address the topics we discuss so thoroughly in the classroom and corridors of the Fisher College.

The Risk Institute’s 2020 Annual Conference was unlike one we have ever seen. The national and global environment under which the conference took place can only be described as challenging. Despite our distance in the time of COVID, we are more connected than ever before and more reliant on each other to manage the risk we all face. This conference allowed us to reflect, expand our knowledge, and propel ourselves forward into our professional passions.

Q+A with Rt Hon Baroness (Pauline) Neville-Jones DCMG

The Risk Institute is pleased to have Rt Hon Baroness (Pauline) Neville-Jones speak at this year’s Annual Conference on September 22nd and 23rd.  As a conservative peer in the UK House of Lords and National Security Strategy Joint Committee Member, she will offer a fascinating perspective on geopolitical risk.  She and Moderator Mark Policinski, CEO of the Ohio-Kentucky-Indiana Regional Council of Governments, will talk about how risk mitigation is now a way of life.  Read below for a preview of some of the topics that will be discussed. Don’t forget to register for the conference!

 

“Great Decoupling”: Current Geopolitical conversations speaks to the “Great Decoupling” where the US/Chinese tech sectors are disrupting the bilateral flow of technology, talent and investment. Can you speak from your experience on what appears to be a rapidly developing geopolitical risk and/or opportunity, depending upon perspective?

Baroness: The decoupling has gone beyond bilateral trade issues and is beginning to oblige third countries to take sides.  We are on the edge of a new political split in the world which will dominate the international scene for many decades.  Unlike the Soviet Union which competed effectively with the West only in defence and nuclear industries, China is very competitive economically and technologically and is willing to subsidise its exports to third countries.  She does not have much soft power attraction but plenty of hard power and will be a formidable challenger of Western democracies.  As risk escalates in the cyber world and the danger of physical conflict eg in the S China Sea or over Taiwan, increases, the US needs to develop a joint China strategy with her European and five Eyes Intelligence allies. It is short sighted to ignore them.

 

Multinational corporations (MNC’s) are facing greater pressure from political officials on issues ranging from cyber security challenges, slowing global growth and widening social inequality. Interested in your perspective from government on these areas. 

Baroness: COVID, slowing growth and widening inequality (partly the result of Chinese competition and – especially in the US – tax policies-) the role being played by big corporations is attracting attention from government.  In Europe the state is growing once again and paying for it and for COVID losses is likely at some point- not immediately- to result in increased corporate taxation and more progressive income tax.  The social and political role of the giant tech companies is also controversial and likely to result in more regulation.

 

Articles are appearing mentioning Geopolitical Europe as a framed discussion.  Some speak to that the EU should defend itself more aggressively against competing economic and political models. As someone who has more exposure than we do in this region, very interested in your perspective on regulation, trade rules enforcement and tariffs on certain tech products, especially technology. 

Baroness: European attitudes to economic competition can often be very defensive, betraying lack of confidence in European capabilities.  France in particular has a long history of protectionism where as the free trade tradition is much stronger in the UK and Germany.  The new element is the growing feeling that the US is no longer much of a friend politically or economically and the more the US acts alone in the world and does not offer inclusive leadership,  the more the EU sees itself as a separate entity with competing rather than cooperative territorial jurisdiction. In this climate cooperation on issues affecting data can get very difficult as priorities diverge.

 

Politics versus the economics of Climate change.  The world appears on a collision course between government, investors and society when choosing between ambitious investment to reduce emissions and corporate bottom lines. Especially true as global warming trends continue, frequency and intensity of storms grow, all coupled with the Covid-19 Pandemic.  How do we manage to accomplish all this in the shorter term? 

Baroness: European attitudes to economic competition can often be very defensive, betraying lack of confidence in European capabilities.  France in particular has a long history of protectionism whereas the free trade tradition is much stronger in the UK and Germany.  The new element is the growing feeling that the US is no longer much of a friend politically or economically and the more the US acts alone in the world and does not offer inclusive leadership, the more the EU sees itself as a separate entity with competing rather than cooperative territorial jurisdiction. In this climate cooperation on issues affecting data can get very difficult as priorities diverge.

 

Interested to hear your thoughts on the United Kingdom’s Geo-Strategic plans in the post-Brexit world.  Any thoughts on the UK’s hopes for US policy?

Baroness: I would feel more comfortable if I felt the UK government had worked out what it wanted to do in the world post Brexit.  Slogans like Global Britain are just that.  The commitment to free trade is genuine enough but the UK has to face the fact that trade agreements do not result in Christmas presents.  Relations with the EU are currently fraught with the increasing possibility of no agreement at the end of the transition period on 31 December 2020.  The UK/Canada/Australia/NZ political and trading quadrilateral is set to grow.  And relations with Japan are developing well. The UK needs to make the most of our strength in services, in data technologies, the medical and bio sciences, in the quality of our universities.  We will retain a military and intelligence capability. The relationship with the US is very important to us but for all that the current Administration supports Brexit,  I do not think the bilateral relationship is on an especially sure foundation currently.  Trust is a commodity in short supply in the world.

 

Register here to hear from Baroness Neville-Jones on September 22nd!

GeoPolitical Risk: An Overview of the Seventh Annual Conference September 22-23, 2020

The Risk Institute is proud of the annual conference topics we have hosted over the past few years. We have always sought to highlight wider Enterprise Risk issues that are currently facing our community and membership. That said, our topic chosen for the 2020 Annual Conference, GeoPolitical Risk is one that will influence and shape our future in multiple ways. By definition, the traditional conversation about GeoPolitical Risk centers around how geography and economics influence politics and relations between countries.  These are all true statements, but the world in the 21st Century, and as such, GeoPolitical Risk, is so much more complicated. We are now in the midst of a global pandemic, that in many ways is shaping how we as citizens of the world respond, to the greatest crisis faced in the last 100 years.

As we think of Geopolitical Risk in the 21st Century, so many things come to mind.  Topics like US/China decoupling, Cyber Risk and the Repercussions of the Digital Age, Changing Global Order, and Geopolitical Consequences of Migration are but a few examples of GeoPolitical Risk facing society.

Our sessions during these two days will seek to explore these and many more GeoPolitical Risks our world faces.  We are very fortunate to be able to bring a true global representation of experts, that will approach the topic from an Academic, Political and Business perspective.   We are confident The Risk Institute will be able to provide a much deeper understanding of the topic when considering the varied perspectives of our world class line up of experts.

For details and registration for the Annual Conference, click here.

The Risk Institute Survey on COVID-19 Pandemic – Spring 2020

We asked our members how their companies have managed risk during the COVID-19 Pandemic to continue their operations and avoid financial distress. We identified that a majority of respondents have navigated risks (and opportunities) well during the pandemic due to their strong risk management and liquidity positions built prior to the shock. However, for many firms, there have been significant changes in how they do business. Significant uncertainty about the future of their businesses remains real, making the role of corporate governance and Enterprise Risk Management (ERM) even more vital.

We surveyed risk executives from about 80 firms, spanning a wide range of firms in terms of revenue: About 35 percent had less than $100 million; 20 percent had more than $10 billion; and 45 percent were mid-sized in terms of revenue as of fiscal year end 2019. Out of these surveyed firms, 42 percent are financial firms from Insurance and Banking industries. Among nonfinancial firms, Professional Services (12 percent), Retail and Wholesale Trade (7 percent), and Food, Beverage & Franchised Restaurants (6 percent) are three industries with the largest representation.

Liquidity (cash flow) risk is ranked as one of the top risks not only during the crisis but also before the COVID-19 shock:

As firms had recognized the importance of liquidity prior to the pandemic, most of them were not liquidity constrained when the crisis hit, with only about 5 percent of respondents reporting they were illiquid while 64 percent responded that they had stored liquidity as cash holdings.

Firms that needed more liquidity during the COVID-19 shock mostly borrowed from banks through existing lines of credit and new loans (12 percent) or from the government-sponsored borrowing facilities (10 percent).

 Majority of firms were highly resilient to the COVID-19 shock:

Although 68 percent of firms experienced a revenue decline, 76 percent of respondents reported that they were highly resilient: 77 percent did not furlough any associates at all; 65 percent did not close any locations; 83 percent of firms did not experience any change in their ability to secure insurance neither in terms of capacity nor cost; and almost all of the firms that deemed essential had the ability to meet customer demand.

Better governance and increased ERM helped in bad times:

About 40 percent of firms responded that their board of directors have been more engaged since the COVID-19 shock hit, with the risk and audit committees meeting more regularly. In about 30 percent of firms, the ERM function has been more involved in assessing risks related to the COVID-19 pandemic! While risk appetite of most firms (71 percent) did not change during the shock, 12 (17) percent of firms said they increased (decreased) their risk appetite due to the shock.

Over the past few years, firms have been discovering that using a comprehensive and integrated risk management approach leverages collaboration across business functions, increasing their ability to achieve corporate objectives and enhance shareholder value.  The COVID-19 shock has been a real stress test for risk management of both financial and nonfinancial firms. Our survey results confirm that strong governance and enterprise risk management have helped firms manage their cash flow and other risks associated with the crisis. We look forward to continuing our conversation about risk management with you in the future as we know ERM will continue to help firms survive shocks like the COVID-19 pandemic, balance their risks, and create value for their stakeholders.

Written by: Isil Erel, David A. Rismiller Chair in Finance; Academic Director, The Risk Institute at The Ohio State University Fisher College of Business

Business Resilience and COVID-19: Webinar Recap

Ohio State’s Risk Institute at the Fisher College of Business continues to adapt and find creative ways of leading the pack and maintaining connections with innovative industry leaders and partners within the community. On June 23, over 100 nationwide businesses collaborated via Zoom for a virtual webinar to discuss Business Resilience.

This topic, which historically has been of paramount importance – in the current climate of the global COVID-19 pandemic – has taken on new meaning and necessitates conversation with a sense of urgency. The disruption, coupled with the expansion of digital commerce and the increasing complexity of supply chains, forces the industry to innovate, consider new tools and processes, and alternative approaches to build resiliency.

In this conversation, industry experts discussed supply chain vulnerabilities and identified ways to build internal and external collaboration to reinforce the enterprise resilience ecosystem.

Speakers included Keely Croxton, OSU Professor of Logistics and Co-Director of Full Time MBA Program and Joseph Fiksel, OSU Professor Emeritus, Integrated Systems Engineering, Former Executive Director, Center for Resilience, and facilitator Philip Renaud, Executive Director of the Risk Institute.

Resilience is seen as the capacity to survive, adapt, and prosper through unpredictable and turbulent times. Business resilience can be seen as an opportunity, during disruption, to bounce forward and find solutions to stabilize communities, supply chains, and resources.

“The increasing volatility, complexity, and ambiguity of the world … calls for a resilience imperative – an urgent necessity to find new opportunities to mitigate, adapt, and build resilience against global risks through collaboration among diverse stakeholders.” – WEF Global Risk Report, 2016

The World Economic Forum’s (WEF) top cascading forces for challenging business resiliency are as follows: Ecological/Environmental, Political, Economic, and Societal. In 2020, specifically, the top-ranked long-term global risk focus was on environmental threats (from storms and tsunamis to wildfires); Pandemics were not only receding as a perceived threat but also were identified as being one of the least likely to occur.

COVID-19 is perceived as a “black swan” event, blindsiding the industry, and serving to highlight the limitations of traditional Risk Management, which has historically followed a more systematic, linear trajectory. This approach illustrates that one can’t necessarily anticipate what risks will arise nor which ones will cause the most harm.

Armed with this information, it’s apparent that adaptation to a changing risk environment needs to be at the forefront of the conversation for risk professionals. Risks cannot always be anticipated, they may be hard to quantify, and adaptations may be needed to remain competitive. We are urged to ask, how can we be proactive, is there a more effective response, what can we do differently and, in turn, leverage our competitive edge?

In an age of global turbulence, resilience is a key competency for corporations. How can a company improve the resilience of its supply chain processes so that it can recover rapidly from unexpected disruptions, assure business continuity, and adapt effectively to changing external conditions?

Croxton identified vulnerability factors exposed by a disruption such as the COVID-19 pandemic. These include turbulence, deliberate threats, external pressures, resource limits, connectivity, and overall sensitivity. In turn, she identifies the concept of capabilities, which act to balance out or diffuse the vulnerability factors.

Let’s take turbulence, for example, COVID-19 would fit into this category, along with natural disasters, political disruptions, currency fluctuations, demand volatility, and/or technology failures. Capabilities that counteract turbulence might include Collaboration (such as risk-sharing with suppliers), Organization (such as creating a problem-solving culture or utilizing a diverse skill repertoire), Market position (for example using existing ties within a community and/or having loyal customers that support the brand).

According to Fiksel and Croxton, a company’s goal is to be in the “zone of balanced resilience”.

The audience is introduced to an innovative purpose-built tool that companies can utilize in their pursuit of reaching this zone of balanced resilience. SCRAM™, developed by researchers at The Ohio State University in collaboration with the U.S. Air force, Dow Chemical, and L Brands, among others, is a facilitated process supported by a computer-based toolkit, that provides a diagnostic assessment of an organization’s preparedness and fitness for coping with turbulent change.

The process offers businesses a unique, comprehensive approach to understand the pattern of their potential vulnerabilities and to design a portfolio of supply chain capabilities that will offset those vulnerabilities. This not only creates shareholder value, but strengthens a company’s capacity to survive, adapt, and flourish – this opposed to the more conventional risk management approach of “steer and adjust.”

The Chinese word for “crisis” (simplified Chinese: 危机) is composed of two Chinese characters signifying “danger” and “opportunity” respectively. Fiksel takes this opportunity to remind attendees that every disruption, no matter how damaging, provides a learning opportunity and a chance to bounce forward.

The Risk Institute will be sponsoring more virtual webinars in the coming months on topics pertinent to the industry, Institute members, and the community at large.

September 22-23 is The Risk Institute’s Annual Conference, featuring two sessions per day from 10:00-12:00 and 2:00-4:00 EST. Registration will be opening soon.

Written by Jack Delahunty in partnership with The Risk Institute at Ohio State’s Fisher College of Business

Webinar Recap: Cyber Risk in Today’s Changing Environment

Speakers: Helen Patton (Chief Information Security Officer, The Ohio State University), Emre Koksal (Founder, DAtAnchor, Professor, The Ohio State University), and Dakota Rudesill (Assistant Professor of Law, The Ohio State University, Moritz College of Law).

In response to what seems to be evolving as the new normal, Ohio State’s Risk Institute at the Fisher College of Business, in partnership with representatives from the insurance industry, found an innovative way of discussing some of the pertinent questions surrounding COVID-19’s impact on business with over 300 listeners through a virtual webinar on Zoom, June 10, 2020.

When asked what keeps them up at night, many risk professionals place cybersecurity near the top of their lists. With the changes in how we work amidst the COVID-19 pandemic, this discussion around cyber risk – particularly the protection of data – becomes even more relevant.

Previous to the outbreak, it was not unusual for a portion of the workforce to work from home, at Starbucks, or the airport. For years security teams have had to work across multiple clouds, with multi-national companies, and with workers in differing locations and on a variety of platforms and devices. This in itself is not new, but the degree of which is. The first speaker of the afternoon, Helen Patton, views the current changes as not necessarily an acceleration or drastic change in risk profile, but more a change in the risk flavor.

Every time an employee works remotely, an organization’s security team has to monitor and secure that user’s endpoint. When thousands of employees are at different locations, this becomes a near-impossible task. Furthermore, when working with associates outside an organization, companies have to find ways to verify that vendors are doing what is expected to maintain security and processes are in place to leverage the relationships to protect both parties.

In this new normal of distributed workers, it’s harder to rely on technology to control the work environment. Risk is the human element. It’s now “easier” for employees to make “bad” risk choices, therefore training and processes are more important than ever to guide them to make “good” risk choices.

Accompanying this problem is the fact that data is ever-growing, and it all needs to be stored, replicated, and shared accurately. Each step heightens the risk. There are an average of 25 data breaches every day, varying in scope, frequency, targets, and attackers. According to a report from IBM, in 2019 the average data breach cost $3.92 million, with the healthcare industry experiencing the most expensive and damaging losses, at an average of $6.45 million per breach and an average loss of 25,575 records.

In early-March, during the first weeks of the COVID-19 shutdowns, some sectors saw a doubling of attacks. According to research undertaken by Barracuda Networks and Cloudflare, phishing emails have increased 667% since the end of February, while general cybercrime activities increased by 37%.

To protect themselves and their organization from data breaches or cyberattacks, people working from home are advised to keep their personal online activities separate from work and to ensure their systems remain updated as the first line of defense, as home computers are often non-secured and operating on a home WIFI network. Tools like Virtual Private Networks (VPNs) can help protect data and online connections, but workers may need to adapt in other ways.

This is where the second speaker, Emre Koksal, and his discussion around data security – in particular a security model called “Zero Trust” – comes into play.

 Zero Trust Security, a Data-Centric Approach

Koksal began his discussion by pointing out that many network security protocols don’t offer adequate protection against today’s cyber criminals. Currently, most organizations have a network-centric approach, where data is confined to and accessed via a protected network. This data is created and stored outside the network, so organizations rely on 3rd parties for fully distributed generation and storage that permits full access for its remote workers. He reminds us that almost any organization’s data is worth stealing and with a large majority of people working from home, this valuable data is being consumed over shared, potentially vulnerable infrastructures.

Because of these complexities, there’s no way to track openings or vulnerabilities in a network. In this new normal, this network-centric security approach is not enough, the reason being that it’s not sufficient to focus solely on protecting the network. The focus needs to be on protecting the data itself through a data-centric approach. Enter Zero Trust, an information security model that does not implicitly trust anything inside or outside its network perimeter. Instead, it requires authentication or verification before granting access to sensitive data or protected resources.

The philosophy behind it is this: anytime a user is connecting to a website or application they are given
“zero trust” until they can prove they are secure. This is particularly important for remote work, as workers often change locations or internet networks. Each time a user tries to access data, it must be clear they are abiding by rules of organization and that they have permission to access it. This way, from a security standpoint, it doesn’t matter where the data is accessed.

With Zero Trust there is no notion of securing a network boundary (the network-centric approach), rather, data is its own security boundary – so the security travels with the data. Zero Trust also utilizes multi-level encryption, which translates data into another form, or code, so that only people with access to the keys can access it. With this approach, boundaries are built around the data and the keys, not around the network itself.

This security model helps eliminate data loss and maintain control of files even when employees are connected to personal networks, on personal devices. Zero Trust’s data-centric security solution also enables access and data sharing without an organization having to fully give up ownership of the data.

State of the Art in Zero Trust:

  • Military-grade encryption made simple (can be applied for all data everywhere)
  • Fully transparent to the legitimate user (they won’t even know that there’s something between them and the data)
  • Geofencing and location tracking (for employee accountability)
  • Real-time audit logs (who accessed what and when)
  • Governance rules baked into key manager (leading to dynamic revocation if rules are broken)

Impact on Business:

  • Retain control of sensitive data, even outside office walls
  • Simplified compliance (HIPAA, GDPR, NIST, CCPA)
  • Secure and frictionless data sharing
  • Monitoring and real-time audit logs
  • Secure workflow for remote workforce
  • Low IT overhead

Balancing Liberty and Security in the New Normal

The new normal of increasing numbers of remote workers has prompted changes in regulation. Organizations falling under the scope of data protection regulations and standards like PCI DSS, HIPAA or GLBA, have now been forced to reconsider their stance on remote work and have begun adopting it as a strategy across the board.

Some compliance measures for confidentiality have already been suspended to help sectors such as telemedicine be more accessible and improve their ease of use. Business processes are being altered. Changes are being considered to allow for an easier digital transmission of data and digital signatures.

The Risk Institute’s third speaker, Dakota Rudesill, talked briefly about privacy, or more specifically the balance between liberty and security, as a potential obstacle in this new normal. Most workers – and certainly customers – don’t want to be tracked.

Consider the opposition of some to COVID-19 contact tracing. To let Apple or Google track where you go is a risk choice for yourself but also for the community around you. People are more likely to be comfortable being tracked, driven by a focus on public health, but less likely if the information could be used for marketing or purposes that might be considered an invasion of privacy.

Moving forward, this balance between liberty and security is only going to get tougher, especially as the Internet of Things (IoT) continues to exponentially infiltrate our homes and offices. As of now a clear end to the COVID-19 pandemic is impossible to determine, but when that happens, the question is will these current changes in-the-making become the new standard or will things snap back to the way they were before?

 

Written by: Jack Delahunty, in partnership with The Risk Institute at The Ohio State University

Business Interruption in Light of COVID-19: Webinar Recap

In response to what seems to be evolving as the new normal, Ohio State’s Risk Institute at the Fisher College of Business, in partnership with representatives from the insurance industry, found an innovative way of discussing some of the pertinent questions surrounding COVID-19’s impact on business with over 300 listeners through a virtual webinar on Zoom, May 13, 2020.

Three experts from the insurance field, Dean Fadel, President of the Ohio Insurance Institute, Joseph Petrelli, President of Demotech, and insurance industry attorney Kirk Pasich of Pasich LLP collaborated with Philip Renaud, Executive Director of the Risk Institute, to talk about business interruption and the impact of COVID-19 from the insurer and policyholder perspectives. Specifically:

  • The dynamics of what is happening across the country and how various jurisdictions are interpreting coverage or lack thereof.
  • Does revenue loss due to supply chain problems and business shutdowns by government directives trigger coverage? (Either direct business interruption losses, or contingent, resulting from a supply chain’s inability to provide good or services).
  • How underwriters and actuaries looked at pandemic clauses and the risks associated with policies were originally written compared to today.

Dean Fadel believes that the insurance industry so far has been good corporate citizens. For customers, auto insurers have returned $10.5 billion to date through premium relief. For employees, many insurers are pledging no layoffs during the ongoing crisis. That said, the insurance industry as a whole will begin to see an increase in claims and a decrease in premium revenue moving forward.

One area relevant for insurers to consider given the current climate is business interruption insurance. Legislation is currently being discussed or introduced in eight states, including Washington D.C., thus far. These potential changes would retroactively enact business interruption coverage into existing policies — despite an absence of the physical damage required in property policies, and/or express exclusions for communicable diseases in those policies.

It is estimated that 40% overall and less than 30% of small commercial consumers purchase business interruption insurance. Mandating business interruption payouts would cost insurers at least $255 billion per month. Meaning, in three months the industry’s nearly $800 billion surplus would be depleted. Moving forward, companies need to not ask “what can I afford?” but rather “what did I sell this customer and what are my responsibilities under that policy?”

Joe Petrelli, President of Demotech, reiterates the fact that the insurance industry as a whole is not made up of just “the giants.” Out of 11 different insurance business models, the overwhelming majority are small companies (52% operate in one state or in one particular line of insurance). These companies will be waiting to hear about decisions made in that line of insurance or the decisions made in their particular state of operation.

The National Association of Insurance Commissioners (NAIC) have issued their own discussion for the federal government to consider. The Association thinks it’s inappropriate to ask for retroactive business interruption coverage and argue these companies should not have to “step up” just because they may have the financial wherewithal to do so.

The final speaker at the Risk Institute’s virtual webinar was insurance industry attorney Kirk Pasich of Pasich LLP, who began by touching on the relevancy of the distinction between a “virus” and a “disease.” For the record: the disease (coronavirus/COVID-19) causes the virus (Severe acute respiratory syndrome coronavirus two (SARS-CoV-2).

Some policies have exclusions for viruses, others have exclusions for communicable diseases. The baseline is that claims come because the spread of the virus can cause the disease. COVID-19 itself is not communicable, but the virus is. Therefore, the closings are to stop the virus. This begs the question, Is there physical loss or damage to property?

Pasich highlights the fact that insurers are likely to argue that the introduction of a virus does not constitute direct physical loss or damage to insured property nor is it a covered peril. This reality is reflected in a letter written March 18 by industry insiders:

“Business interruption policies do not, and were not designed to, provide coverage against communicable diseases such as COVID-19.”

-March 18, 2020, letter, National Association of Mutual Insurance Companies, Independent Insurance Agents & Brokers of America, Council of Insurance Agents and Brokers, and American Property Casualty Insurance Association, to House Committee on Business.

 According to Pasich, it depends on the policy language and what jurisdiction the company is in. Courts in individual jurisdictions will be responsible for interpreting that language amidst the current pandemic.

Furthermore, most insurers did not include virus/pandemic exclusions in their policies, despite knowledge of the potential threat since the early 2000s. If an insurance company elected not to use an available, standard, industry-wide exclusion then it can be held accountable for that, Pasich argues. He says there have been many warnings over the last 20 years about this risk and that the industry knew it was coming. It was a question of when not if.

In closing, Pasich reiterates that he doesn’t support changes in state law to force insurance companies to insure what they didn’t assume. But at the same time, those companies shouldn’t be able to walk away from the risk that they knowingly assumed.

The Risk Institute will be sponsoring more virtual webinars in the coming months on topics important to the industry, Risk Institute members, and the community at large. Registration is now open.

As Executive Director Philip Renaud highlights in his closing remarks:

“Be safe, stay well, and follow the CDC orders to wash hands, sanitize, and social distance as we move forward.”

 

Written by: Jack Delahunty, in partnership with the Risk Institute at The Ohio State University