Risk. It’s the malevolent, lurking fiend that attacks in the dark of night and keeps CEOs awake. Yes, during this COVID-19 crisis, many are facing risks, but for some it’s compounded by poor execution. It’s the Boeing 737 Max that hides below the surface of the shiny, new thing labeled “new and improved” when, in reality, it’s a time bomb awaiting a veritable explosion from risk to problem. The engineering team has been driven to meet timing or cost deadlines and, despite believing there may be hidden issues, silently agrees to ship the product to market. “This [737 Max] airplane is designed by clowns, who in turn are supervised by monkeys,” said one Boeing pilot in a 2016 email. And another risk-turned-problem happened at Takata, where multiple engineers warned that the company was headed down a dangerous path, but for cost reasons it ignored the Functional Safety failures and plowed forth into production, with a massive product recall and associated liability. And it’s not limited to these two companies that have been prevalent in the news; there are many such cases, e.g. General Motors, which now has a few of the worst product liability settlements in history, totaling billions of USD.
[Photo caption: The largest automotive recall in history centers around the defective Takata Corp. air bags that are … (2015 Getty Images)]
Soon, by decree, the general population will be financial backers of some of these companies. Airlines, cruise lines, automotive companies, etc. will all be holding an empty mug on the street corner. The governments of the world will create stimulus loans for affected corporations to keep them from failing, some of which have these poorly-run projects. And as distributed underwriters, we should all have concerns about the risk introduced by these invisible engineering processes. For nine straight years, commercial auto insurance underwriting has resulted in losses for that industry. And it doesn’t take a long look over the list of 2019 bankruptcies to see companies that have declared Chapter 11 due to engineering or risk management issues (e.g. Pacific Gas & Electric). Those catastrophic business milestones create an undue burden for creditors and insurance providers, and suddenly there’s a veritable mosh pit of lawyers fighting for dimes on the dollar. A quick glance at NHTSA complaints by make/model suggests there might be some underlying engineering issues there as well, since six of eight are FCA vehicles, and they also have the dubious honor of the fastest recall in NHTSA history (2015 cybersecurity). But don’t expect the U.S. government to strongly regulate, since it has explicitly stated it cannot keep up with technological advancements and will mostly just provide best practices. So should “We the People” loan trillions with some of it going to these poorly managed companies?
Frankly, yes. Too. Big. To. Fail.
So how could these loans avoid the crushing blow of unexpected pandemonium? Maybe ask the insurers? Yes, liability or indemnity insurance companies have managed risk for decades in a variety of ways (e.g. via lagging indicators, dissolution of the risk), but let’s discuss the pros and cons of those historical strategies and propose a NEEDED indicator of risk for mitigating exposure:
Historical Strategy #1: Past Performance & Predictive Analytics
Description: Monitoring past or real-time performance of the individual company or person is a lagging indicator frequently used as a predictor of future outcomes (a.k.a. “predictive analytics”). Yes, the initial price is predictive based upon industry information for the customer or individual, but thereafter the premium is adjusted by its Risk Class and extrapolation of things that have happened and/or models previously created. If VroomVroom Incorporated hasn’t recently experienced Functional Safety issues, it’s promoted into the “Preferred” Risk Category with a lower, associated premium.
Pros: Rewards better individual behavior; creates a decent predictor of future behavior (e.g. HSB sensors and Artificial Intelligence).
Cons: Does not protect against an extreme event (e.g. VroomVroom sells millions of its new Widget 2.0 and kills hundreds of people), which is probably the most relevant to a cybersecurity failure since these can be infrequent, significant claims, e.g. that FCA cyber recall was for 1.4 million cars; assumes “proven in use” Functional Safety compliance despite possibly different suppliers, personnel, etc.
Historical Strategy #2: Spread the Pain
Description: Insurers bin companies into Risk Categories usually based upon industry, size, debt/credit rating, etc. and any new claim is essentially shared across the industry and the Risk Category. For instance, Aerospace Builders Corporation (ABC) is hacked, downgraded to “Substandard”, and all aerospace premiums go up the following year (in varying degrees according to Risk Class) to spread the pain. A real-world example: commercial auto insurers have seen continued rate increases quarterly since 2011 due to the aforementioned underwriting problems.
Pros: Drives multi-year profitability (in theory); decreases exposure from one irresponsible party
Cons: Does not protect against the extreme event; does not reward responsible behavior from the individual company; requires multiple customers in the same genre.
[Photo caption: The Boeing 737 MAX has been grounded since two crashes resulted in 346 deaths. (Photo by Nicolas … NurPhoto via Getty Images)]
The NEEDED Strategy: Project Assessment Rating
Description: Getting a thorough, third-party Project Assessment Rating during the design phase of 2-3 critical, upcoming projects will help drive better processes by the insured company and create a conversation of sustained, reduced risk. Why target 2-3 specific projects? All corporations have great examples of healthy teams, and the history of corporate-wide assessments (e.g. Capability Maturity Model Integration or CMMI) shows that a one-and-done Assessment leads to companies relaxing after achieving a high score. Project-level evaluations permit a periodic check of different teams.
The next question is “What is thorough?” In the day and age of pervasive connected solutions, it’s probably a three-pronged evaluation: 1) Functional Safety Analysis, 2) Development Process Assessment and 3) Cybersecurity Threat Assessment. Although no perfect scoring system exists to meld the three Assessments together, each has a standard against which to evaluate performance (e.g. ISO 26262 for Functional Safety) with accredited Assessors that can provide insights into weaknesses and risks. The methodologies behind these standards have evolved over the past 30-40 years with some having new releases in the past few years (e.g. ASPICE PAM 3.1), but most are truly not all that new.
Pros: Leading indicator(s) alert of likely risks and help avoid surprises; cost can be shouldered by the company wanting the loan or lower interest rate (e.g. “You can jump up to ‘Preferred’ if you demonstrate consistent Capability Level 2 Compliance.”)
Cons: Requires ongoing diligence (e.g. follow-up discussions on weakness improvements).
Final Thought: Speak Up
Today’s tradition was based upon yesterday’s revolution. Change only happens by taking the first steps. As best said by Kubra Sait, “Asking questions is the first way to begin change.” Ask your government representatives if they intend to force borrowing companies to be assessed for risk management. Ask if their underwriters are going to provide the ongoing diligence. While sheltering in place, think about protecting money as well. Change will only happen if “We the People” insist upon it.
And, oh by the way, liability and indemnity insurers might need to step up their game as well.