Sense and nonsense of insurance

download this column in pdf

	I like this column
	845 persons like this column

In the world around us there are many things that can go wrong. It varies from small inconveniences like getting a fly in your mouth during cycling, climbing through falling, traffic accidents, economic crises and ice ages to ultimate catastrophic events like the sun exploding. Most of those risks do not get any attention. There is a very good rationale behind this apparent neglect. Small inconveniences can be dealt with when they occur, and you cannot protect against truly big catastrophes so thinking about mitigations would be a waste of time. Furthermore, as argued before, thinking about all potential risks would consume so much time and energy that hardly any remained for normal living. The cure would be worse than the disease. From the perspective of the individual there is a limited number of risks that should be managed. Though managed may be an overstatement. For most individuals managing a risk comes down to insuring them. Typical examples are health insurance, vehicle coverage, fire insurance and the like. Insurance works for those cases because damages are relatively rare. The participants pay a higher fee than their average damage (otherwise the insurer would go broke), but much less than the damage they could incur in the worst case and which they most likely would not be able to bear. From this perspective insurance is a wise strategy.

However, for large companies active in the capital intensive industry the situation can be very different. These companies often face very special risks they know much more about than the insurer. The risks may be rare even on a global scale, and insurers would have to charge a significant risk premium on top of the expected average damage to cover for uncertainty and the natural variation that happens in the materialization of risk. For those organizations it can be wiser just to accept the risk, especially given that the company value on the stock exchange can vary more on a daily basis than the largest imaginable damage. Nevertheless, some risk managers seem to have an untamed desire to insure everything that could have a catastrophic impact and is not covered otherwise. This is pitfall number 1: One should only insure those damages that really go beyond the risk tolerance of the company. Often an event that is called catastrophic (e.g. costing more than 50% of annual profit) in not catastrophic in reality, it just should not happen too often.

A second lapse of reason occurs when people think that insuring risks means solving the problem. If some asset  risk is analyzed some people fail to mention the financial damage to the asset because it is insured. But in the end all damages are paid by the company itself, let it be over a longer period (plus a service premium for the insurer), so that damage should be taken into account. Furthermore, the insurance may cover the financial damage, but not any other consequences. The grief that can result from incidents is not dampened by the insurance. And finally the reputational damage of a large incident can be many times more significant than the direct financial costs. Think about Deepwater Horizon, the Costa Concordia. If you want to manage risk within a company you need to work on the cause and the effect, not on who pays.

This brings us to pitfall 3. That is focusing on very rare events with very large consequences instead of often occurring small inconveniences. Large incidents often not the result of one single rare cause, but the coincidence of many smaller hidden preconditions, latent failures and errors. Each of these often is harmless by itself, but they formed a toxic combination. Thinking with hindsight about occurred incidents often provides hints on what could have be done to prevent precisely this incident from happening. But there may be so many ways in which the incident could have happened anyway that this feels a bit useless. Often risk managers then turn to damage control, but again that is not a real solution. That lies in working on the culture that allowed small incidents to happen. If two faults are needed to cause an incident, reducing the probability of both failures by 10% reduces the probability of the incident by almost 19% (residual probability is 90%*90%=81%). With the coincidence of three failures this is 27%, and so on. This is a common fact in safety engineering, where the probability of a fatal incident is reduced by limiting the number of small incidents. That this strategy is effective has been proven by the chemical giants of this world (Shell, DuPont, DSM).

Something very similar (in terms of pitfalls) is attention for future risks that did never materialize in the past. The human mind is limitless in creativity but also in stupidity. That we can imagine some things to happen does not means that it can happen in reality, let alone that it will actually happen. Take for example the Y2K problem, where people predicted the world would stop turning because computers recorded the year only by 2 digits and they would suddenly become zero. No doubt there were some applications in which it would have been very inconvenient, but the fact that on January 1 2000 nowhere on this planet a more serious problem than an inconvenience occurred means that the problem did not exist, and not that the solution was perfect. Based on my experience as a risk manager I know for certain that if the problem existed, somewhere on the world someone would have missed part of it, and thus that somewhere problems should have materialized. The golden rule in risk management is not for nothing focusing on problems that occurred in the past instead of problems that may occur in  future.

The last pitfall, finally, is the thought that one could be better off by not knowing about the risk, because then one is invulnerable for the criticism that nothing was done about it. Though pitfall is perhaps not the right term, it is more like the hole an ostrich sticks its head in. But fortunately then you cannot fall in the pit anymore.

Thinking about this, risk management is a strange profession. Most risks are not managed but accepted. The generally accepted mitigation, insurance, is precisely the thing that should not be applied. True risk management starts in working very conscientiously, but then it is not risk management anymore but operational management. But there is a 50% probability that it is otherwise.

<< back to overview