Operational Risk Management
Risks and Liabilities
Working from home and socially distanced office work during the pandemic have created unforeseen risks that have never been a concern before. If you aren’t clear, concise and thoughtful about remote work and office safety policies, you may be at risk for a wide variety of claims.
A few examples of risks you may face are:
- Workers’ compensation claims for at-home injuries
- Negligence and even wrongful death claims due to covid infection in the workplace
- HIPAA and privacy issues upon accidental disclosure of covid-positive staff
Risk Prevention and Risk Shifting
The best way to protect your business from risk is through prevention. A strong call center training program, current policies and procedures and a good complaint system (both for internal and external feedback) can catch potential issues before they get out of hand.
For unavoidable risks, there are still measures you can take to be prepared. Be sure you fully understand the contracts you have with vendors and clients, so you know what you are responsible for when situations arise. Also become familiar with your insurance coverage. Are you covered in the areas you most need? Are there new areas of risk you should get covered?
When and Where to Consider New Risk Management Strategies
Contracts With Clients and Vendors
Look to existing and future contracts for protection from unforeseen events. Written agreements with both vendors and clients can help your organization manage risks as they arise. Early termination of a contract or early termination of your services may cause disruptions to your business or daily operations. Consider adding early termination penalties into the contracts you use, protecting your agency in the event of a broken contract.
“If you are a collection agency, you may want to think about crafting some provision about limits on any suspension of work that a client may have or require in the future,” says Valenzuela. If work is suspended for a prolonged period, requiring a fee from the client can help you maintain your business during that time.
Requiring vendors to have minimum insurance limits before entering a contract may also be helpful. However, ask your vendors ahead of signing these contracts how many other clients they have. Is the minimum limit they are covered for enough to help all applicable clients if the insurance is needed?
Credit Reporting Suspension
Right now, with special guidance surrounding some debt collection practices, Valenzuela says suspending certain risky activities – like credit reporting – may be beneficial.
She suggests performing a cost benefit analysis of credit reporting in your agency. Does the benefit of this (and other risky activities) outweigh the risks they may create? For credit reporting, consider:
- Costs of dispute handling
- Increase in complaints
- Lawsuit/defense costs
- Do clients require it?
Covid-Related Risk Mitigation
“With Covid impacting many aspects of our businesses, you may want to consider creating Covid-related audits, training, policies and procedures as part of your risk mitigation strategy,” says Valenzuela.
Working from home due to covid has created unique challenges in managing remote workers. You may experience payroll or staffing issues if you don’t create guidelines up front for employees. Create and communicate diligent timekeeping rules for remote hourly workers and create an effective monitoring program.
In states like California, where wage laws are especially strict, it’s essential to be accurate. Ensure you can prove that employees are taking breaks and lunches and are clocking in and out at the appropriate times.
OSHA and WHO Safety Protocols
OSHA and WHO have both released physical workplace safety protocols your business must follow. In addition, the state you operate in may have further guidelines you are required to follow to keep workers safe.
Because Covid infection is an ongoing concern, you may find there are special emergency orders in your area aimed at preventing workplace outbreaks. Some actions you may be required to take into consideration are:
- Creating a written, site-specific plan that includes preventative protocols
- Additional safety training for employees
- Airflow assessments for indoor spaces
- Documented proof of safety inspections
- In the event of an outbreak, free covid testing for staff
- Employer-provided masks for on-site personnel
A Major Source of Risk: Cybersecurity
According to Zugsay, beginning in March of 2020, many collection agencies had to send more data than they ever wanted to outside vendors and work-from-home employees, and had to figure it out on the fly.
Since then, more people than ever are doing work remotely. This increased digital activity has also caused more cybersecurity concerns than ever before. Zugsay says there are some previously untapped ways your agency can approach this major source of risk to protect your business, employees and consumers.
New Safeguards for Information Accessible Remotely
In the past, knowing the limits to cyber coverage was all you needed. With the rise in cyber risk, however, a basic knowledge of policy limits isn’t enough.
Zugsay suggests looking at your company’s insurance policy for dependent business interruption if your vendor is at fault for a data breach, and to understand their policies in general to know what to expect if a breach occurs.
Now that cyber risks are higher than ever, Zugsay suggests becoming familiar with the specific terms of your vendors’ policies. If you’re an Additional Insured on a vendor’s policy, this alone may not be enough to protect you if the coverage terms aren’t adequate.
Training to Detect and Prevent “Social Engineering” Fraud
One of the best ways to protect your company from a cyber attack is through a robust call center training program. Make sure the program includes awareness of current social engineering and phishing tactics, wherein a scammer might trick an employee into giving away money or private information.
Because vendors may also be the source of a data breach, another preventative measure you may take is requiring multi-factor authentication before they can access important data from your company.
When these extra measures are in place, let your insurance carrier know. Being up-front about the actions you are taking to prevent data breaches may have an impact on your policy.
Check Insurance Policy Exclusions
Check for both your insurance policy and your vendors’ policies for exclusions. If you don’t understand what may be excluded from your policy or aren’t familiar with what you may need in the event of a data breach, you may be in for a shock when you are trying to use that coverage. Some exclusions to watch out for, if they are in your policy or your vendors’ policies, are:
- Notifications – Make sure this is not excluded from your vendor’s policy, even though coverage is likely also to be found in your company’s policy if the law in your area obligates you to notify relevant parties of a data breach. There are real risks involved in missing notification deadlines and also risks to your company’s reputation for over-notifying. It is usually best to let the insurance company’s assigned counsel handle notification to ensure it is properly done.
- Software updates - Failure to update your software may negate your coverage. Know your company’s obligations ahead of time and be sure all updates are being performed in a timely manner. This may also be found under the Conditions section of your policy.
- Forensics - Forensics refers to the post-breach investigation that may shed light on where things went wrong. This coverage may apply in your policy only if the breach is in your system.
- Bricking - In the event of a data breach, you may need to replace compromised hardware or upgrade to newer, more secure hardware. If bricking is not covered in your policy, you may find your company solely responsible for these replacement costs.
If you are included as an Additional Insured in a vendor’s policy, look for the condition of indemnity in the vendor’s contract before coverage is triggered.
Again, waiting until a crisis has already occurred can leave you with even more to handle, at the worst possible time. Decide what types of coverage are important to your agency before you enter any agreements. Remember, you have the most leverage to negotiate before you’ve signed a contract. Use this to your advantage by creating contracts and insurance policies that will provide you with the best protection possible.
In the webinar this article was based on, Zugsay also discussed the anatomy of an insurance policy, how to understand claims, and examined common pitfalls agencies should avoid. To be notified when this final article in the series is published, and for more educational AR content, subscribe to the PDCflow blog: