Insurance as a Risk Response

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 15 September 2021

A July 2021 post on ISACA’s Engage platform considered how insurance coverage can be proposed as a risk response when presenting the risk to senior management and the board of directors (BOD). Although there were quite a few replies to the post, I would like to answer from an operations perspective.

Insurance is sometimes treated as a risk response/risk transfer to cover the financial loss of risk materialization. A key aspect of risk materialization is how it impacts the organization, including its operations and its image in the eyes of its key stakeholders (i.e., the customers).

Consider the insurance business. Insurance companies offer to cover the losses of an organization in the event of a risk materializing, in exchange for a cost: premiums. It is in the insurance company’s best interest to evaluate the risk and gauge the probability that a pay-out will be required should the risk come to fruition. This evaluation is based on exposure to threats, the controls implemented by the insured organization to reduce vulnerabilities, and the likelihood or impact of threat materialization, among other factors. If an organization does not have the appropriate controls, the insurance company may refuse to cover the losses or may charge a very high annual premium, which would make the proposal unviable.

From an insurance company’s operational perspective, a pay-out would occur only within a predetermined threshold. If operations must manage that threshold anyway, then why not go the extra mile to prepare and mature processes that minimize the materialization of risk? Customers typically do not hold a risk against the organization if they know that it has taken precautions to mitigate the risk, at least the part that is under its control. When the organization is impacted by a risk, it is safe to say that other organizations may have been impacted as well. From a management perspective, what matters most is that the insurance coverage could potentially reduce the financial impact.

Since insurance is a “risk business,” insurance companies are keen to verify the claims of the insured because if they settled claims without verification, then they would be out of business. I view this process in a positive light; that is, if an insurance company settles a claim, then that is a good indication that there was a proper control framework in place. Insurance, however, cannot be the only response to risk. It should always be coupled with risk mitigation, where an organization implements controls to reduce the likelihood or impact of risk. Insurance coverage provides the funds required to recover from the damage of such sources of risk.

It is important to understand what insurance coverage includes and excludes. An organization may be surprised to realize that certain types of expenses are not covered by the insurance company. The most common exclusions are:

  • Changes in business levels resulting in higher losses
  • The cost escalation for the replacement of insured assets due to inflationary conditions
  • Costs associated with rebuilding reputation
  • Loss of skills due to employee injuries or even casualties
  • The difference between the costs of lost assets and their value to the organization. This could vary, depending on accepted inclusions and exclusions for particular types of insurance coverage.

When analyzing the risk profile of an organization, insurance should not be considered a holistic risk response until the residual risk has been assessed without taking insurance coverage into account. Only then should insurance be considered a valid source of financing for recovery in case the risk materializes.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.