Nir Kossovsky is CEO and director of Steel City Re, a Pittsburgh-based broker and adviser specializing in corporate reputation management and risk transfer. Mr. Kossovsky recently spoke with Business Insurance Senior Editor Rodd Zolkos about the ability to quantify reputation risk and how that ability facilitates managing and insuring those exposures. Edited excerpts follow.
Q: Is it safe to say reputation risk is real and something companies should be concerned about?
A: Very much so. Companies have been aware of reputation risk easily for the last 10 years now. What is clearly new is the ability to begin to manage it in the way that risk managers have become accustomed to managing risk. I think probably the best thing to say is that managing reputation risk quantitatively represents sort of the fourth generation of modern risk management.
The first generation would have been the classic actuarial modeling, which became far more sophisticated as more and more data could be handled and crunched with sophisticated computer tools.
In Generation Two, the sense of looking at risk almost on a day-to-day basis began to enter into the realm, taking some of the experiences from operational research where companies were tracking how they were making things and making sure there were tolerances and certain boundary conditions. The financial services sector introduced the notion of value at risk, which they would measure every day. You got a more sophisticated level of managing risk, not just looking at historic data but beginning to compare historic data to day-to-day data and looking for deviations.
Generation Three — introduced maybe 10, 15, 20 years ago — we'll call that the adding of workforce experience models, the nonsto-chastic models. The workforce was saying these mathematical models are terrific, but they're not capturing certain local risk events, moral hazard exposure — things of this sort are just not being captured by these math models. So the third generation was the introduction of these workforce experiences, these qualitative models, scenario modeling, nonstochastic modeling, with the associated enhancements in operational controls and financial controls now looking at specific behaviors and controlling those.
With the benefit of Internet enablement and the ability to now capture additional data — not just within the company but from the external environment — we're now in Generation Four. And that's why this reputation risk solution that we work with and the ability to manage reputation risk, which has certainly been on the radar for at least 10 years, is now addressable.
Q: Then using the Internet and this fourth generation risk manage-ment, it's possible to quantify reputation risks and the effect of reputation-damaging events?
A: Exactly. It's been known for 10 years reputation risk was bad. It could be really bad in the sense that this was a huge risk, but the tools that everybody became confident in using, the quantitative tools, the sophisticated mathematical modeling that made risk management what it is today — a science and an art — were not available for the management of reputation until the Internet made such data available.
Q: And the ability to quantify reputation risks and the effect of reputation-threatening events makes it possible to use insurance in addressing reputation risk?
A: It was a necessary element for the insurance solutions to become available. Until we were able to reliably quantify and build actuarial models around reputation risk, it was not something that insurance companies could easily address.
Q: Do you think more companies are becoming aware that reputation risks are risks that they can actively address or mitigate?
A: I think more and more companies ... are acknowledging that reputation risk is something they need to deal with and are voicing it as a serious concern, which means that there's an appreciation that reputation risk has material financial effect. I think that at that level of companies there's still an incomplete awareness of the availability of solutions. I think part of our challenge has been that there's been some confusion with the traditional view of reputation as something that's done by the marketing department as opposed to something that's managed by the risk management department.