Managing Risk: When Your Firm Doesn't Need Insurance

It’s a bit counter intuitive for someone who works at insurance broker and risk consultant Marsh to state that companies do not always need insurance.
“You look at the frequency and severity of the risks,” says Lei Yu, Head of Corporate Services at Marsh for large global institutions and commercial corporations in Hong Kong. ““If the risk is very infrequent or the impact is not severe, then maybe you don’t buy insurance, but should look for other ways to mitigate the risk.”
She spoke with CFO Innovation’s Cesar Bacani about changing mind sets in Asia with regards to business insurance, the trend of big companies setting up their own captive insurance arms, and other risk management issues. Excerpts:
Tell us about how risk management advisors like Marsh go about designing a risk program for companies in Asia.  
First, we help the company define their risk. It’s very important because they are in different businesses, they have different exposures, different unique products, so you need to define what is most important for them.
Then you design what kind of insurance program you need to buy for them. You look at the frequency and severity of the risks they face. If the risk is very infrequent or the impact is not severe, then maybe you don’t buy insurance, but should look for other ways to mitigate the risk [such as improving processes and strengthening internal controls].
Many years ago, a lot of companies chose to insure company-owned hand phones. Some now think they don’t want to do that anymore because the value has become small . . . In this case, we will assess the probability [of hand phone losses] and look at their history, then we decide whether it makes sense for them to stop buying the insurance.
Have there been cases where companies continued buying insurance for things they no longer need such as this coverage for hand phones?
I remember we used to have a property company as client. They used lots of glass panels in their building, so they bought glass insurance. Later they renovated and took out the glass panels, but they continued buying glass insurance. Sometimes people don’t know; paying and renewing insurance become very routine.
I’m been hearing more about cyber insurance these days as stories come out about companies being hacked and having the personal data of their customers stolen. Should companies think about cyber insurance? Does every company need to have it?
To start with, every company should definitely have a risk management policy on data privacy, which is very important. In Hong Kong, you have the Private Data Ordinance. It’s one of the important regulations a lot of countries are imposing now. So every company should have a company policy on how to protect their data.
That’s one. Beyond that, it depends on the nature of the business.
Cyber insurance is not really meant to protect against data leakage, which can happen whether you have a policy or not. What the insurance policy actually does is give you working capital, or extra money, when the data leaks, to make sure your company still continue to operate. Some of the extra spending you incur will be paid by the insurance policy.
Including regulatory fines?
No. A cyber insurance policy doesn’t cover government fines. But it will cover [expenses for] a government investigation, engaging PR firms or notification of customers.
You asked whether there is an insurance product [to cover prosecution under] China’s anti-corruption law. Insurance doesn’t cover that. But you can buy insurance coverage [for situations where] you get investigated by the government and you have associated expenses. There can be a policy to cover those expenses, but not the actual fine.
Sometimes your current D&O [directors’ and officers’ liability] policy can cover something like that. But you can’t buy a policy [that in effect allows you to] tell your colleagues: OK, go ahead, regardless of regulation, do whatever you want . . .
Are you seeing more companies buying insurance policies because of the anti-corruption drive in China and stricter enforcement of anti-corruption legislation in the US and the UK?
Yes, we now have [more] clients that buy crime insurance policies and D&O insurance to cover. There are more investigations, for sure . . . You might have to travel overseas, to New York to meet with the SEC and so on, and you might to hire external lawyers to defend you as well.
Compared with property insurance or fire insurance, would crime insurance have a higher premium?
When you buy a crime policy or a D&O policy, you have a policy limit, what they call the limit of liability. So for example, the policy will pay only [a maximum of] US$20 million, for which you may pay US$100,000 [in annual premium].
But for the property policy, your asset may be valued in the hundred millions of dollars, but you might pay a hundred thousand dollars. If the event being protected happens, you’ll be getting more [than the policy limit in a crime or D&O policy].
You don’t have to insure 100% of the value of your property, though.
You can insure at full value, say HK$1 billion in Hong Kong, or half – HK$500 million – or 30%. It depends on how much risk the company is willing to take. But I think in Asia, people are more risk-averse, so they want to buy 100%.
It seems unlikely that a building will be completely destroyed. Maybe it’s more like a fire on one floor . . .
On the other hand, the World Trade Centre in the US was insured 100% . . . At the time, acts of terrorism were part of insurance policies. Now, you have to buy standalone terrorisms insurance; it’s no longer part of regular property insurance.
One CFO at the recent CFO Innovation Hong Kong Forum said his company is thinking of establishing a captive insurance unit, so the insurance premiums the group pays will in effect stay within the group.
Yes, there are people thinking about it, especially if the company is very confident or comfortable about their risk management. They ask: Why pay US$100,000 to the insurance company? I can pay [the premiums] to myself.
And then if something happens, then the re-insurers will take care of paying the captive, which will then pay the company. But the captive will have to pay premiums to the reinsurers as well.
Maybe not US$100,000, maybe it pays only US$50,000 . . . But there’s a lot of associated costs if you set up your own insurance company. It’s not easy. Between running your company and the captive [insurance subsidiary], if anything happens . . .
Is there a company in Asia that has successfully set up a captive, to your knowledge?
Marsh has actually helped companies set up captives in Singapore, which provides incentives for people to set up captives there.
What about Hong Kong?
No, Hong Kong doesn’t have as attractive incentives as Singapore.
But if the captive is in Singapore and the assets are in Hong Kong, then I would need to buy insurance in Hong Kong?
Hong Kong is an open market. The insurance regulations here say a company can [insure with] any kind of insurance company.
Not like Malaysia, for example. You can only buy from a Malaysia-based insurance company [if the assets are in Malaysia]. It’s the same in the Maldives and in China.
What is Marsh’s experience in terms of the response of companies in Asia to your risk recommendations? Do they normally say, we’ll follow, or will they argue, or will they say, go away, this is not good?
In the past few years, we see more and more companies being willing to implement our risk recommendations. We have clients in Mainland China. They tell us the reason they buy insurance is not [primarily] because they wanted to get cover in case there is a fire; it’s because they want to better manage their risks.
So the mindset is changing. If you go talk to a US company, they are very willing to improve their risk [profile]; their concept [of insurance] is different. For the Asian company, they sometimes think of insurance [for the business] like it is car insurance . . .

But now more companies are coming to us and saying: We want you to look at our procedures, we want you to look at our internal controls. We don’t want to just think insurance as something we buy. We want to manage [our risks]. 


Click here to read Part 1 of this interview.



Suggested Articles

Some of you might have already been aware of the news that Questex—with the aim to focus on event business—will shut down permanently all media brands in Asia…

Some advice for transitioning into an advisory role

Global risks are intensifying but the collective will to tackle them appears to be lacking. Check out this report for areas of concern