Risk management
Insurance and business recovery planning after the Christchurch earthquakes.
The Christchurch earthquakes put business risk management firmly back on the agenda. Two years on from the crisis, we asked a selection of industry experts two questions:
- How has the insurance industry changed since the Christchurch quakes and how should businesses react to the changes?
- What are the main errors businesses make when putting together a business continuity/disaster recovery plan?
Higher costs of insurance
Daniel Donaldson, Executive Broker, Crombie Lockwood Risk Partners, was Branch Director of Crombie Lockwood Christchurch before, during and after the earthquakes.
“Insurance will cost more and there is not much you will be able to do about that,” Donaldson says.
“The sheer size and scale of the event has put NZ firmly on the radar in terms of global risk which, in short, means that the cost of re-insurance is much higher. For insurers to survive, these underlying costs must be passed on. Without this, there would be no insurance industry. Without insurance, you would likely not get finance. You get the picture.”
He says insurers are pricing risk more cautiously, and the terms on which they will accept deals, especially for “high risk” propositions, are far more aggressive.
GT Risk Management Director Rodger Fulford says this means New Zealand has moved from being one of the cheapest places in the world to buy earthquake insurance to being more in line with other areas of the globe with similar geological and seismic profiles.
“One way companies can claw back these higher insurance costs is to negotiate a ‘fee for service’ with your insurance broker/agent rather than the traditional brokerage as a percentage of premium,” Fulford says.
“Some earthquake premiums have gone up sixfold but this increase should not be directly reflected in the brokerage earnings. It is fairer and more equitable for the consumer to pay premiums net of brokerage and negotiate a fee.”
Alastair Grigg, Xero COO, says moving core IT systems to cloud-based service offerings like Xero will mitigate both material damage to servers and other equipment that would otherwise typically have been located on premise, and equally minimise any subsequent impact from business interruption.
“Another point often not well understood is that business interruption policies do not cover losses from 'de-population', being the movement of customers to live in a different city or area following a disaster,” Grigg says.
“Cloud-based solutions like Xero provide accountants with the ability to mitigate this risk by being able to service clients over a wider geographic area, even offshore customers, by providing a shared platform to collaborate and work with clients remotely.”
Donaldson also recommends taking measures to mitigate risk, such as greater fire protection, changing business processes, or discontinuing marginal business activities.
He also says increasing excesses, and trading off cover over minor loss exposures to benefit major loss exposures, can improve the value of your insurance.
“Ensure that your broker has fully represented your business to the market in the best possible light. If you do things better than what insurers consider the industry average, then they need to be told.”
Business continuity/disaster recovery
Donaldson also puts insurance squarely at the heart of a business continuity/disaster recovery plan.
He says businesses should view insurance as a set of promises, not simply an expense.
“It is crucial that business owners understand how these promises work in the event certain things happen, in particular the biggest things. When designing an insurance programme, business owners should start with the catastrophic events; those events that would end their business. These should be the first things to insure, and insure fully.
“For example, many businesses could survive if a car was uninsured but could they survive if they traded for two years without their turnover insured correctly? The unfortunate reality is that the car probably gets more attention.”
But by far the most common mistake identified by the experts is treating the plan as a compliance exercise.
“Too often these plans are inert documents dusted off every couple of years rather than being living, dynamic, essential company tools in times of disaster,” says Hamish Bowen, National Director, IT Advisory at Grant Thornton.
“A large paper file on a dusty shelf cannot be brought to life by the people responsible for managing a crisis,” says Paul Meehan, Executive Director, Crombie Lockwood Risk Partners.
“It’s critical that these people are trained to respond quickly with clear leadership and communication in order to effectively manage the situation; and in a real crisis, no one sits down to read a plan unless all other avenues have been exhausted.”
Meehan says often a business will charge off and put together a business continuity/disaster recovery plan without taking time to actually analyse the most likely risks that the business is exposed to, and the immediate crisis management needs arising from them.
“Typically a company will create a business continuity or disaster recovery plan in order to satisfy certain audit requirements. This plan will contain the answers to some (but not all) situations; will not have been tested in any meaningful way and will be difficult to access and convert into action in a disaster scenario.”
He says the best course of action is to first identify the most likely exposures and then establish the most effective means of minimising short-term interruption so that better long-term plans can be developed while the business continues to operate.
His concern is echoed by Grigg, who says research shows only a minority of businesses have a formal business continuity plan, and even fewer have trained their staff on what the plan involves, and actually practiced it.
“Crisis management is the first step towards getting the wheels of a disaster recovery plan moving, but this is not normally the first thing considered,” Grigg says.
An effective business continuity plan has to cover all the key functions and processes required to run your business.
“Some plans will cover just the most obvious processes like raising invoices and collecting or making payments. But if customers' full records are not available, can you answer customers' enquiries and provide them with the level of support and advice necessary to deliver a viable service?”
Grigg says business continuity plans also need to be practiced or rehearsed with staff.
“Obviously, this training and rehearsal is significantly easier to undertake where the core IT systems and processes used by staff are cloud based and so remain practically unchanged even following the need for staff relocation or remote working.”
Bowen says that all businesses, irrespective of size, should undertake an appropriate level of planning. Key questions he suggests need to be answered include:
- Who are your best leaders? Leadership does not necessarily follow hierarchical order; often the best leaders in crisis are at an operational level.
- What are the key risks that may impact your business the most? Often the smaller things which can happen at any point in time are not considered, such as power outages, not being able to access offices, business facilities and systems.
- Do you know how to get hold of all your employees? Often traditional office communications are not available and other non-traditional methods must be considered, eg Facebook, personal email, personal cell phone, physical address.
- Have you considered the transition from crisis management to your new business as usual? A lot of organisations pull through the immediate crisis but fail to transition effectively and in a timely manner to a normal method of operation that is sustainable to its employees and customers.
September 2012