Greg Kaden is a lawyer specializing in corporate bankruptcy at Goulston and Storrs. Seeing changes and trends in risk management and insurance, Kaden and a few colleagues pitched the creation of a subsidiary called Fort Hill Risk Management.
Kaden spoke with CSO about how internal controls and insurance work together for effective risk management.
CSO: Are more companies thinking more about risk management in these turbulent times?
Greg Kaden: It's difficult to generalize from my perspective, which has been on a case-by-case basis. Some organizations are very sophisticated and have very detailed operational controls, and some others are more averse even to purchasing insurance—they may think it's not worth the expense, and it isn't clear whether they've actually done a cost-benefit analysis or have a strong sense of their own internal controls. Some are flying by the seat of their pants.
Goulston and Storrs is a big firm—about 200 lawyers. Why create Fort Hill, a risk management subsidiary?
There were three or four of us with some insurance bent to our practices—[together these amounted to a] very fragmented practice that had developed in the firm on almost an ad hoc basis. So it made sense to institutionalize that practice and organize our thinking.
But the idea also stemmed from a couple of other considerations. At a law firm, you are very much tied to hourly billing. There's little flexibility in terms of fee arrangements, or bringing in non-lawyers to assist with work. So setting up a subsidiary allows us to do flat-fee engagements, contract with people who aren't affiliated with Goulston and Storrs who have some specific expertise, and so on.
Additionally, in the traditional risk management world, there's a lot of confidential information that gets exchanged, and there are nondisclosure agreements providing some protection for that information. But a nice thing about our Fort Hill operation is that we can make the additional argument: If there's a subpoena, some of the discussion is in the nature of legal advice, and so it can be covered by attorney-client privilege. So that provides an additional layer of protection for some of that confidential information.
There seems to be a poor connection in many organizations between risk managers and the people in charge of in-house security. Do you think that's true?
Part of the philosophy that we want to bring to the table recognizes that very disconnect. One of our primary approaches in providing services is to take a very holistic view—broader probably than the typical straight insurance broker would take.
We want to understand the business operation, look at the indemnification agreements that are in place, the key contracts. Broadly speaking, what are your real exposures? What can be mitigated by a non-insurance contract, or by insurance policy? What risks can be assumed or ignored? The fact that we think that's a relevant approach speaks to the idea that we observe that same disconnect between internal risk management elements.
I don't have a magic identifier as to what constitutes a strong internal risk-control environment—it seems to be based on the people. I have seen companies with thoughtful, risk-averse people who are also good business people and who can strike the right balance. I have also run into very successful businesses that are well run and have good management overall, but for some reason have underdeveloped insurance programs.
For executives, insurance at times can be very much a check-the-box exercise. "OK, we have a management liability policy, a general liability policy, so our risks are covered." They don't focus on whether the policies in place are really compatible with the needs of the business, or the risk appetite of the business.
You would think that with the last decade with Sarbanes-Oxley and Dodd-Frank, that would be changing.
Why is it valuable or necessary to have the flexibility to bring in outside experts?
Part of our philosophy is that we want to work collaboratively with existing brokers or partners. We don't want to displace others just for the purpose of getting all the glory, or telling people they've been doing it all wrong. So in that spirit, we recognize that there are going to be situations where either our expertise is limited, or the engagement would benefit from the help of a non-lawyer.
[Get the best security risk management coverage with CSO's Risk Management newsletter — sign up now!]
For example, in a situation where we might be having difficulty making headway with an underwriter, it could help to have someone with an underwriting background brought in. We interviewed a guy who is a retired lawyer with excellent crisis-management skills, so if there is an engagement with a PR crisis brewing, we could call in his experience.
How does your personal specialty of bankruptcy law fit into this equation?
My interest in insurance developed from being a bankruptcy lawyer. Any time a company failed, the executive team inevitably wound up in trouble. Fingers were pointed at them by creditors. So insurance policies need to be targeted at the gap between the balance of obligations to creditors and the ability of the company to repay those obligations.
In creating Fort Hill, we saw three areas of insurance that are particularly relevant in today's environment: management liability, data security, and environmental. Among the three founding members, we have those areas well covered.
Being that we're still in difficult financial times and lawsuits from 2008 are still working their way through the systems, and there are increased concerns and regulations following Dodd-Frank. There are all kinds of personal risk for directors and I felt that was an important area to address.
Bankruptcy lawsuits from 2008? I hadn't considered the long slow grind of the legal system in that regard.
In litigation, the job is to maximize compensation in a world where complete satisfaction of an outstanding debt is impossible. Which means these things drag out in the effort to leave no stone unturned—identifying assets, sorting out claims and so on.