Tag Archives: reputational risk

Social media influencers bear reputational risk that insurance may cover

Influencer marketing is a lucrative business. Top social media influencers can earn upwards of $25,000 per post in partnership with a brand or company. Still, social media influencers must think about reputational risks that can have a measurable effect on their revenue.

In this article, Milliman’s Madeline Johnson discusses why individuals who rely on their name for income may need some type of reputation risk or business interruption insurance. She also explains the factors insurance companies should consider if they design an individual reputation risk insurance product.

Here is an excerpt from the article:

Starting with the premise that our “good name” translates to our own individual “brand,” protecting one’s individual reputation correlates to protecting one’s personal brand – and the corresponding income stream and overall marketability contained therein. Just as Bruce Springsteen insured his voice or Heidi Klum her legs, for many professionals and celebrities their income is often dependent on the individual reputation they have created. As social media usage increases, the potential for a negatively received public comment does too. A negatively received post has potential implications not only for the social media star but also potentially for the partner company or brand. These companies hire influencers and pay them to endorse their products or services on various social media venues. Reputation risk insurance could provide a financial safety net by providing coverage if a significant negative media event occurred that quantifiably affected an influencer’s future revenue stream….

… In exploring a structure for a reputation risk insurance product for individuals, an insurance company would need to consider the ramifications of insuring an influencer’s potentially poor choice in posting. In most insurance policies, the insurer is offering protection from an outside risk exposure, not an intentional communication on social media. From an insurer’s perspective, issues to consider include defining the specific social media coverage event excluding instances where protocols were not used and, most importantly, the ability to quantify the premium and loss coverage accurately. The insurer would need a methodology to estimate the predicted occurrence of the negative social media event to determine the risk of loss to the insurer. We would expect the actuarial value of the covered losses to be a key component to the policy. Insurance companies would need to structure the policy using a set of assumptions related to how much has been damaged or lost and for how long. Evaluating past social media influencer income streams versus changes after varying posts and videos to form a predictive view may be helpful in understanding risk exposure. A prudent approach to determining insurance terms and pricing is to perform an actuarial study to evaluate the frequency and severity data from similar past events. This can be accomplished by evaluating relationships between social media influencers that have partnerships with certain brands or products, costs of the ultimate drop in followers and sales, and any existing mitigation activities.

Spotlight on operational and reputational risk

Operational and reputational risks have become areas of greater focus in recent times. There have been so many high-profile operational risk events that it is clear how important operational risk management is for all companies—Anthem, Volkswagen, and UBS are just a few examples of companies that have suffered significant losses because of operational risk events. In addition, for every publicly reported incident there are sure to be a host of smaller cases, which have not been large enough to hit the headlines, and which, of course, can have a cumulative detrimental effect over time. There is also a somewhat invisible aspect to operational risk, given that the damage does not always affect physical assets. Information can be stolen through a cyber breach, agents can act in their own interests, fraudulent activity can happen, and all of these events can go undetected.

Operational risk can also contribute to other risks that undertakings face, particularly reputational risk—a risk we don’t always fully appreciate until the damage is done. There are many strategies and marketing campaigns aimed at ‘one brand’ and ‘one vision’ which show the value organisations place on their reputations. Yet reputational risk management is not always given the attention it deserves. It’s worth pausing for a moment to take a closer look at operational and reputational risk management.

Operational risk
The challenges of quantifying operational risk are numerous—they include the lack of data to properly calibrate models and there are also challenges in relation to the models themselves. For example, the major shortcomings of the Solvency II standard formula calculation of operational risk capital are highly topical at the moment. Under Solvency II, operational risk capital must be held as part of the company’s Pillar 1 capital requirements. Criticism of this factor-based calculation includes its failure to capture many relevant elements of a company’s risk profile, such as the operating model and the specific processes within the company.

Interestingly, the solvency regime in Switzerland (known as the ‘Swiss Solvency Test’) does not require operational risk capital to be held. Rather, operational risk is considered as part of the company’s risk management, therefore treating it as a Pillar 2, as opposed to a Pillar 1, issue. Earlier this year, the Basel Committee on Banking Supervision imposed an outright ban on operational risk internal models for banks, acknowledging the widely differing approaches and complex modelling of this risk within the industry. Whether or not such developments will flow over to the EU (re)insurance solvency regime remains to be seen, but regardless of where operational risk sits from a regulatory perspective it is nonetheless an area where there are increasingly sophisticated methods being used in companies’ own risk assessments, such as, for example, Bayesian Network modelling.

For those who may be unfamiliar with Bayesian Network modelling, it is a technique that is gaining more and more traction as companies continue to develop their understanding of their operational risk exposures. This technique aids the understanding of operational risk exposures through workshops with various experts within the business, in order to establish the key underlying drivers of operational exposure and the relationships between these drivers. They are often not obvious at first glance and tend to involve quite nonlinear relationships. Once these exposures are well understood, the company can focus its attention on managing and mitigating the risks.

Responding to privacy and security issues

Founded in 2011, the Milliman Risk Institute provides scientific-based thought leadership on all facets of enterprise risk management (ERM). Composed of senior risk executives, actuaries, and university professors, the Milliman Risk Institute Advisory Board meets semiannually to discuss ERM trends, research, and key topics.

In this blog series, members of the Milliman Risk Institute Advisory Board share their views on ERM research and development and how it can support business insight.

In enterprise risk management (ERM), we talk a lot about privacy. Privacy is tied to security—you can’t have one without the other. One growing area of risk in the privacy realm is tied to ethical privacy practices. This is called “wrongful data collection” or “wrongful sharing.” It’s one of the fastest growing areas of litigation, according to defense lawyers with knowledge of these practices.

Many marketing departments want to employ analytics to leverage big data from their consumers. They’re collecting enormous amounts of private information in covert ways. Sometimes they do it through third-party partners and technologies, but it’s all done under the radar outside of the scope of their internal privacy policies. That can be viewed as deceptive trade practices by plaintiff lawyers or state attorneys general. There are companies telling customers one thing in their privacy policy, but doing the opposite when they collect information. In some companies, the internal risk manager doesn’t even know what is happening.

This risk centers on data management and privacy ethics. Organizations need to ask their employees important questions related to these areas. These questions can include: What actions are you taking to collect data? Are you following privacy protocol? Are you being transparent? Not following proper procedures can cause problems for some risk managers because their organizations end up being sued.

Reputational risk is a related issue. There are response crisis services that employ lawyers from around the country as data breach coaches. A data breach coach helps organizations assess the infiltration of data, alert clients of a breach, and facilitate crisis communications. Among other responses to a breach, a company will get a free call from the coach after a breach. Interestingly, it’s reported that one in four clients that experienced a breach event—a privacy violation—have been unresponsive to a breach coach’s guidance.

The attorney, or the breach coach, might literally say, “Here’s what you need to do. We need to get forensics in there to figure out the scope of the breach. Then we’re going to probably have to notify these victims. We’ll also have to notify the state attorney general and the state because that’s part of the law,” and so forth, laying out the gravity of the situation. Many organizations respond by saying, “Okay, we’ll get back to you,” but they never do. They quantify the reputational risk involved with the process and stick their heads in the sand, putting their business at further risk.

Certain sectors like healthcare tend to handle these issues appropriately. Healthcare organizations know they are in a high-compliance industry where regulators are looking at them proactively. However, in other sectors, there aren’t as many events being reported, even though they’re happening because traditionally they have marginal security practices. Such willful nondisclosure is another trend in the realm of privacy and security that is being studied more closely.

Legislation has even been proposed to include jail time for corporate executives who willfully decide not to disclose a big breach. It hasn’t come about yet, but could happen, certainly at the state level. These risks can be identified and fixed. Ultimately, companies need to think about the trade-offs between reputational risk and the potential for greater legal and financial risks if they become embroiled in a suit brought by a state attorney general based on issues of privacy and security.

A cyber pioneer and thought leader, Mark Greisiger serves as the President of NetDiligence, a cyber risk assessment and data breach services company. In October 2015, Mark presented at the Milliman Risk Institute Advisory Board Meeting as a keynote speaker. His remarks were well-received and followed by a robust Q&A session. As part of this blog series, we invited Mark to provide some additional commentary to his speech and share his views on trending topics in ERM.