All posts tagged risk

Drug Use Skyrockets among American Workers

Tableau of drugs- pills, coke, marijuana, and alcohol.

Drug use is rapidly increasing among American workers, as more states liberalize marijuana laws, cocaine makes a resurgence and more people abuse amphetamines and heroin.

A new study by Quest Diagnostics Inc., a workplace drug-testing lab, found that the number of workers testing positive for illicit drugs is higher than at any time in the last 12 years.

That puts employers in a tricky predicament, particularly if employees are using at work, which could reduce productivity and also make them more susceptible to workplace injuries since they may not be as focused as they should be on their work.

In 2016, 4.2% of the 8.9 million urine drug tests that Quest conducted for employers turned up positive, compared to 4% in 2015 and 3.5% in 2011. The rate was the highest since 2004, when 4.5% of tests showed evidence of potentially illicit drug use.

While there were marked increases in positive tests for most illicit drugs, the surprising excption was prescription opioids like hydrocodone and oxycodone, thanks o stricter enforcement in many jurisdictions around the country.

Marijuana is the most commonly used drug among U.S. workers and was identified in 2.5% of all urine tests for the general workforce in 2016, up from 2.4% a year earlier. In oral fluid testing, which detects recent drug use, marijuana positivity increased nearly 75%, from 5.1% in 2013 to 8.9% in 2016.

The highest increases for marijuana usage among workers seemed to be in states that have recently legalized the recreational use of marijuana.

The number of workers testing positive in Colorado rose 11%, while in Washington there was a 9% increase. The rates of increase were more than double the increase nationwide in 2016.


Changes in test-positives by drug:

  • Amphetamine: Up 8%
  • Marijuana: Up 4.2%
  • Heroin: Zero (after 146% increase in four years prior)
  • Oxycodone: Down 4%
  • Cocaine: Up 12%



Implications for businesses

About 12% of workers who die on the job test positive for drugs or alcohol in their system at the time of the incident. And incidentally, one OSHA study found that the most dangerous occupations, like construction and mining, also have the highest drug use rates among workers.

Employers suffer from hiring substance abusers in many ways. Not only do they run the risk of having deadly or dangerous accidents occur, but substance abusers also cost employers money in other ways, including poor productivity and decision-making.

Substance abusers may:

  • Have poor work performance.
  • Frequently call in sick or arrive late.
  • Frequently change workplaces.
  • Struggle with productivity.
  • Injure themselves or others at work.


The takeaway

If you’re concerned, you can initiate an effective workplace drug program that includes drug testing before hiring and during employment – and the consequences for violating the rules.

You should have in place rules for working while under the influence and the ramifications for doing so.

You may also want to consider an employee assistance program for employees who feel they may have a problem, as well as for those who feel they’re developing a problem. A quality assistance program will offer services such as counseling to deal with substance abuse problems.

You may also want to consider holding meetings about health and safety and drug use. Provide education about what addiction looks like and why people begin to abuse drugs/alcohol. Education can help employees understand how to support those that are struggling, as well as remove negative stereotypes often associated with addiction.

Provide health benefits that offer a more “comprehensive coverage” for addiction. This includes addiction assessment (screening), treatment, aftercare and counseling.


Ransomware Becomes Biggest Cyber Threat Facing Businesses


Ransomware is turning out to be the biggest cyber threat facing companies in 2017 after attacks more than quadrupled in 2016 from the year prior, according to a new study.

If you are not familiar with this fast-evolving cyber threat, typically the perpetrators will essentially lock down your database and/or computer system and make it unusable, then demand that you pay a ransom to unlock the system.

The “Beazley Breach Insights Report January 2017” highlights a massive and sustained increase in ransomware attacks.

Another report, the “2017 SonicWall Annual Threat Report,” found that cyber criminals are shifting their attention from malware and other types of threat to ransomware – as evidenced by a significant decline in the former types of attack and a dramatic increase in the latter.

Here’s what SonicWall saw in 2016:

  • Unique malware attacks fell to 60 million from 64 million in 2015, down 6.25%.
  • Total malware attack attempts fell to 7.87 billion from 8.2 billion, down 4%.
  • Ransomware attacks exploded to 638 million attempts in 2016 from 3.8 million in 2015, up a massive 166 times!

SonicWall’s report estimates that around $209 million in ransoms was paid in the first quarter of 2016 alone.

“It would be inaccurate to say the threat landscape either diminished or expanded in 2016 – rather, it appears to have evolved and shifted,” said Bill Conner, president and CEO of SonicWall. “Cybersecurity is not a battle of attrition; it’s an arms race, and both sides are proving exceptionally capable and innovative.”

The unprecedented growth of ransomware was likely driven as well by easier access in the underground market, the low cost of conducting a ransomware attack, the ease of distributing it and the low risk of being caught or punished.

Ransomware is also growing in both sophistication and type of attack, and the hackers are proving to be inventive in how they can cripple your business enough to elicit the ransom.

When you are most vulnerable

And there are some times that businesses are more susceptible than others in being targeted for an attack.

“Organizations appear to be particularly vulnerable to attacks during IT system freezes, at the end of financial quarters and during busy shopping periods,” the report states. “Evolving ransomware variants enable hackers to methodically investigate a company’s system, selectively lock the most critical files, and demand higher ransoms to get the more valuable files unencrypted.”

Ransomware enters a company’s system in a variety of ways.

The most common method is when an employee clicks on a link in a bogus e-mail that opens the door to malicious code to start rifling through your systems. But more often, an employee unintentionally clicks on a link or sends information.

The types of attack will vary from industry to industry.

How Ransomware Infiltrates 

  • Hack or malware: 40%
  • Insider: 7%
  • Unintended disclosure 28%
  • Physical loss: 6%
  • Portable device: 6%
  • Other/unknown: 9%

Source: Beazley Plc (numbers for financial services industry)

Horror stories

  • Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin to regain access to its data in February 2016.
  • Lansing Board of Water & Light paid ransomware attackers $25,000 after they had paralyzed the company’s information system in April 2016.
  • A four-star hotel in the Austrian Alps paid 1,500 euros (about $1,600) in bitcoin after ransomware had locked up the computer running the hotel’s electronic key lock system, leaving guests unable to enter their rooms.

Have Plans in Place as Mega-quake Threat Level Is Raised


The risk for a massive earthquake of magnitude 8.0 or greater has increased, according to the U.S. Geological Survey.

The risk of that kind of mega-quake occurring in the next three decades is now 7%, according to the survey, which just last year released a report that increased the threat level from 4.7%.

It has raised the threat level again due to a better understanding that quakes are not limited to separate faults and that one can start on one fault and jump to others, resulting in a multiple faults snapping at once in a giant mega-quake.

The report says that past models generally assumed that earthquakes were confined to separate faults, or that long faults like the San Andreas ruptured in separate segments.

This newly discovered phenomenon has significantly increased the likelihood of a massive quake. Quakes dating back in the last 30 years reflect the new discovery.

  • 1987 The Whittier Narrows earthquake

Magnitude 5.9

Fallout: Three days later a 5.6 magnitude aftershock hit on a different fault. Damage reported in Whittier, Pico Rivera, Los Angeles and Alhambra.

  • 2010 California-Mexico border quake

Magnitude 7.2

Fallout: Scientists said the border quake directed tectonic stress toward and its aftershocks triggered movement on at least six faults, including the Elsinore and San Jacinto faults, which run close to heavily populated areas in eastern Los Angeles County and the Inland Empire.

  • 2011 Tohoku Japan earthquake

Magnitude 9.0

Fallout: The initial quake spread through multiple faults, resulting in two tectonic plates sliding against each other and moving the sea floor an astounding 165 feet westward, creating a massive tsunami that killed 15,000 people.


Another study released by a California State University at Northridge professional of geophysics, Julian Lozos, predicts the high likelihood that a major quake could start on the San Jacinto fault and continue on the San Andreas fault, California’s longest and most dangerous fault line.


Earthquakes and your business

Business owners must consider the potential impact of earthquakes and related hazards on buildings, employees and operations.

Planning for how you will respond during and after an earthquake, and taking steps now to reduce potential damage, is crucial to a successful and speedy recovery.

Here are some tips:

  • Develop a business continuity plan.
  • Conduct an audit of general earthquake vulnerability and a hazards risk assessment.
  • Establish an operations contingency plan.
  • Conduct a non-structural assessment of your business, including inventory.
  • Hold regular drop, cover and hold on drills for employee safety.
  • Encourage employees to have family plans and emergency kits.
  • Seismically retrofit buildings or occupy/rent buildings that are built to earthquake code.
  • When looking for a new site for your business, consider risks of liquefaction and proximity to faults, transportation, power and water.



If your business is operating in an area that is at risk of a quake, you should seriously consider earthquake insurance. Currently, premiums for coverage are the lowest they’ve been in years, while the risk of earthquakes has increased.

Earthquake coverage is purchased as an endorsement to the standard business owner’s policy. The endorsement covers damage caused by shaking during an earthquake, including structural damage and the damage to property.

Depending on the policy, lost business income caused by an earthquake may also be covered.

Coverage only begins when damage has exceeded your policy’s deductible – the amount you pay out of pocket before your insurance kicks in.

Earthquake insurance policies often have high deductibles – ranging from 2% to as high as 20% of the value of your building, depending on its location, age and condition.





Top 10 Laws and Regulations Affecting Business in 2016 (Part 1)

Top 10 gold

AS WITH every New Year, businesses are faced with a slew of new laws and regulations. We’ve condensed them into a list of the top 10 most likely to affect your operations.


  1. New teeth to gender equal pay laws

A new state law adds teeth to the laws on gender pay equality.

Before SB 358, employees seeking to prove pay discrimination had to demonstrate that they are not paid at the same rate as someone of the opposite sex at the same establishment for “equal work.”

Under the new law, the requirement of “same establishment” has been deleted, and the employee need only show he or she is not being paid at the same rate for “substantially similar work.”

Substantially similar work means a composite of skill, effort and responsibility, performed under similar working conditions.

Employment law attorneys say the employer has the burden to affirmatively demonstrate the pay difference being complained about is based on any or all of these specific factors:

  • A seniority system,
  • A merit system,
  • A system that measures earnings by quality or quantity of production, or
  • Another factor, such as education, training or experience.


  1. Minimum wage increase

On Jan. 1, the state minimum wage increased to $10 an hour, the last of two incremental increases since legislation was passed in 2013. The first came on July 1, 2014, which moved the rate up to $9 an hour, where it has been until now.


  1. Employer mandate part II

At the end of 2015, the Affordable Care Act reprieve for business with 50 to 99 full-time or full-time equivalent employees ends.

Employers of this size are required to provide health insurance to at least 95% of their full-time employees and dependents up to age 26 starting this year.

For employers who don’t provide coverage, the fee is $2,000 per full-time employee (minus the first 30 full-time employees).

Companies with 100 or more full-time employees were required to cover their workers, starting in 2015.


  1. Health coverage reporting

Starting in 2016, employers with 50 or more full-time or full-time equivalent employees are required to make additional filings with the IRS, as well as supply their staff with forms.

Applicable large employers (with 50 or more full-time and full-time equivalent employees in the preceding calendar year) will use Form 1094-C and Form 1095-C to satisfy reporting requirements.

If filed on paper, these forms must be put in the mail no later than Feb. 28. If filing is done electronically, the due date is March 31.

You must provide 1095-C to your employees before the end of January, along with their W-2 forms


  1. Leeway to avoid frivolous lawsuits

AB 1506 gives employers 33 days to fix technical violations on an itemized wage statement before an employee can pursue civil litigation under the Private Attorneys General Act.

The California Chamber of Commerce championed the bill, which took effect on Oct. 2, 2015, saying it will greatly reduce frivolous litigation over an issue for which “injury” is hard to prove.


You can find out about the next five laws in our Thursday blog entry.

Hands-free Technology a Significant Danger: Study

If you think your employees who drive while on the job are completely safe using hands-free mobile phone technology while driving your car, a new study says otherwise.

Mental distractions can persist for nearly 30 seconds after dialing, changing music or sending a text using voice commands, according to new research by the AAA Foundation for Traffic Safety.

The researchers discovered the residual effects of mental distraction while comparing new hands-free technologies in 10 vehicles and three types of smart phones (Google Now, Apple Siri and Microsoft Cortana). The analysis found that all systems studied increased mental distraction to potentially unsafe levels.

Researchers found that potentially unsafe levels of mental distraction can last for as long as 27 seconds after completing a distracting task in the worst-performing systems studied. That amount of time is the equivalent of driving three footballs fields at 25 miles per hour. The faster a vehicle is traveling, the further it would go during this time.

When using the least-distracting systems, drivers remained impaired for more than 15 seconds after completing a task.

The dangers are obvious: Drivers using phones and vehicle information systems while driving may miss stop signs, pedestrians and other vehicles while their minds are readjusting to the task of driving.

The research indicates that the use of voice-activated systems can be a distraction even at seemingly safe moments when there is a lull in traffic or the car is stopped at an intersection. Mental distractions persist and can affect driver attention even after the light turns green.

Researchers rated the distraction level of the cars and smart phone technologies on a scale of 1-5, with anything above 2 deemed distracting enough to be a danger.

The best-performing system was the Chevy Equinox with a cognitive distraction rating of 2.4, while the worst-performing system was the Mazda 6 with a cognitive distraction rating of 4.6.

Among phone systems, Google Now performed best as the least distracting with a distraction rating of 3, while Apple Siri and Microsoft Cortana earned ratings of 3.4 and 3.8.

Using the phones to send texts significantly increased the level of mental distraction. While sending voice-activated texts, Google Now rated as a category 3.3 distraction, while Apple Siri and Microsoft Cortana rated as category 3.7 and category 4.1 distractions.

AAA Foundation researchers liken the categories as follows:

  • Category 1 – About as distracting as listening to the radio or an audio book.
  • Category 2 – About as distracting as talking on the phone.
  • Category 3 – About as distracting as sending voice-activated texts on a perfect, error-free system.
  • Category 4 – About as distracting updating social media while driving.
  • Category 5 – About as distracting as a highly challenging, scientific test designed to overload a driver’s attention.



EEOC Opens up New Discrimination Class: Sexual Orientation

In a step that creates a new protected class, the Equal Employment Opportunity Commission has ruled that discrimination based on sexual orientation is illegal under federal law.

The ruling is significant since it essentially sets the stage for employers being susceptible to a new class of lawsuits, opening up an additional area of liability.

While discrimination based on sexual orientation is not spelled out in Title VII of the Civil Rights Act of 1964, it does bar sexual discrimination and the commission ruled that “an allegation of discrimination on the basis of sexual orientation is necessarily an allegation of sex discrimination.”’

Employers will have to change their policies and handbooks and train supervisors and managers on the ruling.

Federal courts are not bound to the ruling, but that said, courts frequently defer to federal agencies when they interpret laws that come under their jurisdiction.

The ruling applies to a number of employment areas, including hiring, termination and promotion decisions, and employee working conditions, including claims of workplace harassment.

It would apply to both job applicants and employees, who would be able to file a complaint with the EEOC if they feel their rights have been violated in this regard.

The EEOC justified its interpretation of sexual discrimination to include sexual orientation by writing:

“Discrimination on the basis of sexual orientation is premised on sex-based preferences, assumptions, expectations, stereotypes or norms. ‘Sexual orientation’ as a concept cannot be defined or understood without reference to sex.”

Here’s an example of what the EEOC means: When a manager mistreats a gay male employee because he dislikes the fact that his employee dates other men, the manager is taking that worker’s sex into account. Such discrimination is obviously sex-based, and therefore forbidden by Title VII.

The ruling is essentially a roadmap for courts to use when hearing cases of discrimination based on sexual orientation. And the issue is especially salient in light of the recent ruling by the U.S. Supreme Court that laws barring gay and lesbian marriages are illegal.

Twenty-two states currently ban workplace discrimination based on sexual orientation.

And under the new guidelines, all sexual orientation discrimination will be considered illegal, empowering gay private employees to lodge discrimination complaints.

Courts may choose to accept or reject the EEOC’s ruling, but the commission’s rulings are respected by the judiciary, and could tip more courts to rule that sexual orientation discrimination is, indeed, already forbidden in the United States.



Five Reasons You Need a Cyber Liability Policy

The hacking threat is growing with each passing year. There are crooks out to steal data from companies, sometimes to turn around and sell personally identifiable information or credit card numbers to identity thieves and scammers.

Other cyber criminals are just out to create mayhem, shutting down websites and creating denial-of-service attacks that grind business operations to a halt.

The problem for your business is that if hackers walk away with your employees’ social security numbers, they can do serious damage to their credit lines – and in some cases even sell their identities.

The likelihood of any of the above scenarios affecting your company is growing year by year.

In any of the above cases, cyber liability insurance would pay for the costs of responding to an attack. And while you might think that insurance that protects you in case of a cyber attack is for only large companies, in recent years hackers have started targeting smaller companies in greater numbers than large ones.

If you haven’t thought about buying a policy, here are some reasons you should:

  1. It’s affordable  – Premiums for most small companies are usually $1,000 to $2,000, depending on your exposure. You can get coverage as high as $30 million and deductibles as low as $10,000, depending on your needs and what you’re willing to pay. Cyber liability insurance is still fairly new, and that means policies will vary from one to the other. In some cases you can even negotiate some parts of the coverage.
  2. Broad coverage – Most policies will pay for business interruption, the cost of notifying customers of a breach, and even the expense of hiring a public relations firm to repair any damage done to your image as a result of a cyber attack. Policies will also cover any penalties you may incur from government agencies. Having such broad coverage will help you weather the storm and keep your business viable.
    Business interruption coverage can be especially important for a small business. That’s because they are typically not as diversified as larger companies and lack the same financial resources.
  3. You likely don’t have a risk manager on staff  – While most big companies have a department dedicated to reducing risks, most small and mid-sized firms don’t have that same luxury.  If you are buying a cyber liability policy, you can sometimes receive assistance like analysis of your firewalls as well as making sure you have social media policies in place to reduce the chances of being hacked.
    Your insurer may be willing to help with these areas because the better protected you are, the less likely you are to have a breach that could result in a claim.
  4. Outsourcing data hosting won’t save you – Even if you don’t host your data yourself, you’re still responsible for that data. So even if you are using a cloud storage solution for your data, you need to read the fine print of your contracts.
    The problem is that you can’t control how a cloud provider handles your data, but an insurance policy can protect you if your cloud provider errs.
  5.  Your business liability policy won’t cover you – Typically, a general liability policy specifically excludes losses incurred via the Internet. In other words, the cyber liability policy gives you protection you won’t have in other policies.

    Make sure your cyber policy covers laptops and mobile devices as well, to give yourself coverage in as many situations as you can.
    Finally, we can help. You can work with us to integrate cyber liability with your general policy and employment liability policy. Talk to us and we can help you achieve seamless coverage.


New Threat Uses Human Contact to Access Vital Data

One of the newest scams to hit businesses is “social engineering” fraud, and many companies are unknowingly being swept up in the web.

Social engineering fraud is the act of influencing others to disclose private company information using various forms of communication, including e-mail, phone, the Internet and even in-person interactions, according to a recent report published by the global insurance company Chubb.

Chubb issued the “Guide to Prevent Social Engineering Fraud” to help businesses train their workers about this new type of fraud, understand how it works and prevent this activity.

According to Check Point Software Technologies, nearly half of global businesses surveyed in 2011 reported being the victim of one or more social engineering attacks that resulted in losses ranging from $25,000 to $100,000 per occurrence.

Social engineering fraud is different than cyber fraud and crime in that it involves a human element. These criminals trick their targets into giving them information via various forms of communication in order to perpetrate their scheme of defrauding and infiltrating companies.


Social engineering fraud strategies

Fraudsters use many different social engineering strategies to gather information from their targets, including:

  • Impersonation/pretexting:  The attacker impersonates a person in authority, a fellow employee, IT representative or vendor in order to access confidential or sensitive information.
  • Phishing:  Phishing can take the form of a phone call or e-mail from someone claiming to be in a position of authority who asks for confidential information, such as a password. It can also include sending e-mails that contain malware designed to compromise computer systems or capture private credentials.
  • IVR/phone phishing (aka vishing):  This technical tactic involves using an interactive voice response (IVR) system to replicate a legitimate-sounding message that appears to come from a bank or other financial institution, and directs the recipient to respond in order to “verify” confidential information.
  • Baiting: This typically involves leaving a malware-infected device – a USB drive, CD or DVD – at a location where an employee will come across it, and then out of curiosity will plug or load the infected device into their computer.
  • Tailgating/direct access:  Attackers gain access to your premises by following closely behind an entering employee or by presenting themselves as someone who has business with the company.
  • Diversion theft:  The methodology in this attack involves misdirecting a courier or transport company and arranging for a package or delivery to be taken to another location.

What you can do

Chubb, which has launched a new insurance product to cover costs associated with social engineering fraud, says companies need to train their employees on what constitutes confidential and sensitive information – and how to keep it safe. Let the following be a guide for policies and training:


  • Identify which employees have access to what types and levels of sensitive company information.
  • Never release confidential or sensitive information to someone you don’t know or who doesn’t have a valid reason for having it. If a password must be shared, it should never be given out either over the phone or by e-mail.
  • Establish procedures to verify incoming checks and ensure clearance prior to transferring any money by wire.
  • Reduce reliance on e-mail for all financial transactions. If e-mail must be used, establish call-back procedures to clients and vendors for all outgoing fund transfers or implement a customer verification system.
  • Avoid using or exploring “rogue devices” such as unauthenticated thumb/flash drives or software on a computer or network.
  • Be suspicious of unsolicited e-mails and only open ones from trusted sources. Never forward, respond to or access attachments or links in such e-mails; instead, either delete or quarantine them.
  • Avoid responding to any offers made over the phone or via e-mail. If it sounds too good to be true, then it probably is.
  • Be cautious in situations where a party refuses to provide basic contact information, attempts to rush a conversation, uses intimidating language or requests confidential information.
  • Guard against unauthorized physical access by maintaining strict policies on displaying security badges and other credentials and making sure all guests are escorted.
  • Monitor use of social media outlets, open sources and online commercial information to prevent sensitive information from being posted on the Internet.

Supply Chain Risk Lessons from the Ports Strike

The West Coast ports strike illustrates the dangers of just how fragile most companies’ supply chains are, as disruptions to the delivery of crucial items threatened the viability of many businesses during the industrial action.

Retailers waiting for shipments had empty shelf space where some items were supposed be, carmakers suspended operations because key parts were sitting on the docks or waiting to be unloaded, and some companies were forced to lay people off due to the ports’ inability to take in more cargo.

The fallout should come as no surprise. Whenever there is a supply chain disruption, companies suffer as products and key parts deliveries are delayed indefinitely. As more companies rely on just-in-time manufacturing and the supply chain stretches to all corners of the globe, small hiccups can turn into big problems.

Prudent companies address these challenges by building safeguards into their supply chains, and planning that includes contingencies. They enhance those risk management efforts by purchasing contingent business interruption insurance, which will cover lost profits if an event shuts down critical suppliers or major customers.

And while it’s typically the woes of big companies that make the news, the impact is felt far and wide – and small companies are especially vulnerable. That’s why it’s important that you create a solid plan for dealing with disruptions to your supply chain, as most every company has one to some extent.


Understanding your supply chain

You’ll be best able to reduce the effects of supply chain disruptions on your business by identifying the risks within your supply chain and developing ways to mitigate them. You should document this process in your risk management plan, which is part of your overall business continuity plan.

There are four main types of external supply chain risks, which are largely out of a business’s control:

  • Supply chain risks that are caused by any interruptions to the flow of products, whether finished goods, raw material or parts, within your supply chain.
  • Environmental risks, which are related to economic, social, governmental, political and climate factors – including the threat of terrorism – that affect the supply chain.
  • Business risks, which can be caused by factors such as a supplier’s financial or management stability, or purchase and sale of supplier companies.
  • Physical plant risks, which can be caused by the condition of a supplier’s physical facility and regulatory compliance. For example, if your key supplier has a machinery breakdown and can’t produce, or regulators shut the facility down, your supply chain will be affected.


Developing a plan

The best way to manage a supply chain disruption is to prepare for it. You should undertake a business impact analysis to prepare your business to address the impacts of supply chain disruption.

Form a team of key personnel that should include shipping and receiving, and management and supervisors involved in your key processes. The team should:

  • To mitigate risks caused by disruptions, consider lining up alternatives to critical suppliers in advance, as finding a new supplier in the midst of a crisis situation could be challenging. It’s important this is done in advance so that you aren’t trying to hunt down a new supplier during a disruption. Even if you find one, you still have to certify that it is able to meet your quality standards, which can be a time-consuming process.
    One option is to contract with a supplier in advance, so the contractor has already been certified and has capacity available as soon as a company loses a critical supplier.
  • Model the impact of disruptions on your sourcing and inventory strategies. You should do this for the four disruption types listed above, so that all contingencies are covered. Under these scenarios, think about how non-delivery of a key part or material would affect your operation. Examine the likely fallout and build contingencies based on those results.
  • Outline the steps that need to be taken for all of the “what if” scenarios that would affect your operations. Be realistic about assessing your capacity to respond to these scenarios. If you would be rendered unable to cope, start now in developing plans.
  • Engineer an actionable contingency plan for failure of any supply chain pillars. Identify key thresholds for executing risk-mitigating decisions, like sourcing from alternative partners, channels or alternative manufacturing and distribution systems whose risks are divorced from the preferred options.
  • Most disaster situations lead to chaos due to the non-alignment of multiple departments within the same company. That makes centralized decision-making based on real-time information from all sources crucial. Institutionalize a contingency management team that will champion all actions during times of disruption. This team must be comprised of senior people who can exercise influence over the various decision levers of the company.
  • Make sure your supply chain is flexible to dealing with risks. Look at opportunities to alleviate current supply chain bottlenecks, model alternative transportation network configurations and look for alternative sources of supply.


The insurance backstop

Companies can address supply chain risks either through business interruption insurance or contingent business interruption insurance. Business interruption insurance covers lost profits after a company’s own facility is damaged by an insured peril, while contingent business interruption insurance covers lost profits if an insured peril skips over the policyholder’s own facilities but shuts down its critical supplier or a major customer.

Contingent business interruption coverage is triggered if there is:

  1. Direct physical loss or damage to a dependent property (supplier or customer);
  2. The loss or damage is caused by a covered cause of loss; and
  3. The loss results in a suspension of operations at a covered location.


supply chain