Managing Risk During a Global Crisis

Is Your Company Prepared for a Pandemic?

Recent natural disasters such as Hurricanes Harvey and Irma have undoubtedly sparked a renewed interest in continuity planning among many business leaders. When compared with even large-scale weather events, however, a global crisis – particularly a pandemic – is exceedingly difficult to plan for. This article outlines risk mitigation strategies and steps companies can take to ensure business continuity in the event of a pandemic.

with co-author Cristina Stefan

Every flu season, public health experts speculate about the likelihood of a future global pandemic and its possible costs to lives and livelihoods. No one doubts those costs will be high. In recent years, outbreaks of highly infectious diseases, though short of pandemic levels, have taken billions of dollars from the global economy and caused untold misery.

For example, the World Bank projected losses of $3.5 billion in Latin America and the Caribbean due to the 2016 Zika virus. The 2014 Ebola outbreak in Guinea, Liberia and Sierra Leone cost those countries an estimated $2.8 billion in overall economic impact through 2015. A study by scholars at Korea University and the Australian National University roughly estimated the global economic impact of the 2003 SARS epidemic at $40 billion.

While public health officials and medical professionals work to understand how to prevent or contain pandemics to save lives, less attention has been paid to containing the economic risks. A 2016 report by the National Academy of Medicine’s Commission on a Global Health Risk Framework for the Future estimates that an outbreak on the scale of the 1918 influenza pandemic would cost the global economy as much as $60 billion a year. Despite this and other frightening estimates, businesses today are unprepared for the revenue losses that will result from the disruption of commerce during a global or even a regional disease outbreak.

In the past, executive committees and boards of directors often have focused their business continuity planning on the risks to physical property from earthquakes, fire, floods or even terrorism. In the wake of recent, high-profile cyberattacks, companies now are paying more attention to the risks that arise from malicious computer viruses and hacks. Unfortunately, they spend far less time contemplating the impact of a real-life contagion, which would be the equivalent of a flesh-and-blood denial-of-service attack.

Pandemics: Not Your Average Catastrophe

Earthquakes, hurricanes and even the worst terrorist attacks are localized events. Pandemics are different. They may occur over months. They are not confined to one place. They are unlikely to progress in an easily predictable way. And because the risk of a pandemic is systemic – that is, it affects everything – mitigation (e.g., via geographical diversification of supply chains) is nearly impossible to achieve.

For example, companies in developed economies increasingly rely on manufacturing in countries including China, India and Vietnam that are at high risk for pandemics. In an outbreak, operations and supply chains would be disrupted when employees fall ill, leading to massive productivity losses as assembly lines grind to a halt. All suppliers in the region would confront the same problem, as would their customers. The idea of shifting work would be a mirage.

Health care providers, including hospitals, are especially vulnerable. Even annual influenza outbreaks strain health care systems. Hospitals, on the front lines during a pandemic event, could and likely would quickly become overwhelmed by soaring demand as lines lengthen, caregivers sicken and stores of critical equipment, such as ventilators, are soon exhausted.

Hospitals have worked with public health officials to model responses for taking care of the sick, but they have done less to address the cascading impact on their staffs and supply chains. In a pandemic, hospitals need to know where their supplies will come from, how they will get them, who will care for their patients and how they will pay for it all.

Other industries have unique financial and operational risk profiles, but the general lack of private business-interruption coverage or thorough contingency planning leaves most companies vulnerable to pandemic risk without financial recourse.

Risk Mitigation: The Best Strategy Is a Mix of Strategies

There is no silver bullet for mitigating or addressing the risk of business disruption due to a pandemic. Organizations need a mix of strategies, and that will require collaboration among all the parties that will be affected.

The players and their roles should include:

• Private companies. Fighting such a complex threat begins with building increased awareness. Once the risk of a pandemic is acknowledged, organizations need to assess their loss potential so enterprise risk management (ERM) departments can develop contingency measures and/or business continuity plans tailored to their businesses’ requirements.
• Insurance markets. Over the past dozen years, insurers have learned much about how to model pandemic risk. This work has been informed by widely accepted models that support catastrophic insurance. Although it’s not often that insurance companies will have both a good model and good data to feed it, they will still be able to insure businesses that prove they have implemented measures to mitigate the impact of a pandemic. In such cases, insurers would be willing to carry the risk of high losses caused by a pandemic through nonphysical damage business-interruption policies.
• Governments. Public health infrastructure is critical to outbreak containment. Federal funding is expected to drive investments in this infrastructure, requiring public sector agencies to identify sources of financing for contingency plans.

In addition, public health measures for containing pandemics must have a national and even an international reach. Governments should have a platform for educating the private sector in building their own company- or industry-focused contingency plans.

Why Pandemics Remain a Risky Business and a Business Risk

There have been notable public and private sector efforts to address the need for business-interruption coverage. Initiatives to finance a public-sector response to severe disease outbreaks include the Pandemic Emergency Facility (PEF). Developed by the World Bank and the World Health Organization (WHO), PEF would use a mix of insurance and catastrophe bonds to finance the cost of countries’ responses to disease outbreaks in order to prevent them from becoming pandemics. In addition, African Risk Capacity (ARC), an agency of the African Union, plans to offer insurance to support investment in pandemic preparedness and contingency plans in some African countries.

Emerging products to provide business-interruption insurance also are aimed at the private market. For example, Munich RE is in the process of developing property-casualty insurance products to cover industries that would be severely disrupted by a pandemic.

However, business-interruption insurance largely remains unavailable due to:

• A lack of comprehensive data. The WHO provides a central resource for pandemic data, but it depends on reports from affected countries. These reports are not completely curated. Unfortunately, that means some countries, especially in Africa and Asia, may not be well-prepared for a pandemic and are at high risk of exposure to the deadliest outbreaks, making extending coverage problematic.
• Poorly understood impact scenarios. What happens to people and systems in an earthquake or hurricane is well understood. That’s not the case with pandemics. To date, insurers have had to rely on experience (some of it outdated) and make educated guesses when deciding when and how to cover pandemic risk. Reinsurance companies, as the ultimate bearers of this risk, need a deeper understanding of how losses may accumulate and how to manage them. The goal would be to create triggers that address global exposure in ways that minimize the possibility they will be impacted in multiple locations simultaneously.
• A lack of detailed data for models. Today’s pandemic risk models generally are not sufficiently granular. To produce more accurate exposure estimates, models need to account for today’s greater connectivity through travel; provide output by age, gender, occupation, income, country, region and population density; and include hospital-capacity variables (such as the availability of intensive care, standard care and acute care).

Given these obstacles, insurers and reinsurers face many now-unanswerable questions related to underwriting, including what can be insured, what are appropriate triggers for coverage and what unbiased, auditable data sources can be used to support a determination that a trigger has been met.

These questions must be answered to issue insurance policies that manage risk appropriately, including shifting it to investors through securitization or offloading it to retrocession markets (companies that provide reinsurance for reinsurers). Businesses must answer similar questions to understand their exposure to disruption and prepare for it.

The Good News: Better Data and Better Tools

Given the challenges of underwriting business-interruption insurance, insurers have either excluded pandemic coverage from their policies or their policies and coverage pricing have not been well-grounded in data or realistic trigger scenarios. Today, however, improved tools and analytics (with cheaper computational power provided through cloud computing) and better data (from epidemiological and public health research) are combining to improve pandemic risk models, allowing businesses to apply them specifically to their operations and their industries.

Metabiota, a company specializing in risk analytics, has developed a stochastic modeling tool that takes advantage of new computational technologies and big data to model pandemic risk. The Infectious Disease Model (IDM) offers users the ability to test millions of scenarios to understand how a pandemic might impact them financially.

The IDM consists of two subcomponents: an epidemiological spread model and a proprietary financial-risk model.

The epidemiological model contains data covering the population, transportation patterns, disease spread and probabilities of outbreaks occurring in specific locations. The financial risk model includes variables such as exceedance probability (the likelihood of different levels of loss), outbreak duration and claims/loss distribution. Combined, these components support a catalog of more than 20 million scenarios covering three families of pathogens and more than 220 countries and territories.

Two examples illustrate how the model could be applied in the insurance industry:

• Travel insurance. “Just-in-time” travel insurance could target customers who are traveling to a country or region at risk of a disease outbreak, such as travelers to Latin America during the Zika outbreak. Coverage could include trip cancellation or rebooking to another destination if the outbreak spreads and produces casualties above a predetermined threshold.
• Business-interruption insurance. Manufacturing costs can easily double when during a peak production season workers’ absenteeism increases, as would be the case in a pandemic. An insurance policy that triggers coverage resulting from absenteeism during an outbreak could cover a manufacturing plant’s losses in a sustained pandemic scenario.

Users can plug in their own data to see how different scenarios affect their financial exposure. Insurers, for instance, could apply a variety of scenarios to model revenue streams and ensure that their client portfolios can be managed with a better understanding of the potential for loss. In addition, Metabiota’s Preparedness Index measures how well a country is provisioned to fight an outbreak. This information can help businesses understand where and how a pandemic is most likely to spread and how well the public health sector in a specific geography is prepared to respond.

If Businesses Wait, It Will be Too Late

The May 2017 WannaCry ransomware attack (which the Wall Street Journal called a “computer pandemic”) offers some insight into the trajectory and costs of a disruptive global business event, including the potential impact on hospitals.

The cyberattack rapidly affected individuals and businesses in more than 150 countries, including hospitals in the United Kingdom. These hospitals were using obsolete software or had failed to patch their systems despite warnings to do so. Similarly, failure to patch supply chain and service delivery systems in anticipation of a pandemic will result in similar disruption, but with loss of lives.

Preparations should proceed on two fronts. In public health, concerns about pandemics should be leveraged to improve the health care infrastructure and the processes for mitigating the impact of a surge of patients. In the private sector, companies should continue to expand their pandemic-specific business continuity efforts and discuss tactical responses for pre-pandemic, pandemic and recovery event stages. They can use the same analytical tools as insurers to assess and quantify their vulnerabilities to make data-driven decisions about what steps to take (including what insurance to buy and how to diversify their exposure). The recent Ebola and Zika outbreaks can be used to evaluate the strengths and weaknesses of current plans.

Actions that companies can take now include:

• Business continuity planning. Disaster and business continuity planning is critical to competitiveness. Vendors are now evaluated not only on price, but on their ability to provide services during a disruption. This trend is consistent with current ERM practices in which decisions are based on risk and return.
• Supply chain management. Supply chain disruption during a pandemic would affect almost all businesses. In the health care space, both the cost and availability of services will be affected. For example, the number of available hospital beds could rapidly become constrained. An assessment of potential demand, as well as a plan to source needed supplies, should be undertaken.
• In a pandemic, companies will need to address the concerns of internal and external stakeholders. Sample communications should be prepared in advance for pre-, mid- and post-pandemic situations to ensure a properly cadenced information flow.

Today’s improving data technologies – and the robust models they are enabling – should allow business and political decision-makers to be better informed about their risks during a pandemic. The better they understand them, the better their chances of mitigating and containing losses. Both livelihoods and lives will depend on the energy and resources businesses and governments apply to what is less a possibility than a likelihood.

This article was originally shared on the FTI Journal and is republished here with permission.