An interview with Steinbeis Entrepreneur Professor Dr. Torsten Harms of the Steinbeis Transfer Center for Financial Services
We live in a high-risk world and this affects people just as much as it affects companies. For companies in particular, it’s important to identify threats and minimize or avoid any damage resulting from those threats. What does successful risk management look like, and what support do companies receive from the insurance sector? These were two questions TRANSFER magazine asked Professor Dr. Torsten Harms, Steinbeis Entrepreneur at the Steinbeis Transfer Center for Financial Services and a professor of Business Administration and Insurance at Baden-Wuerttemberg Cooperative State University in Karlsruhe.
Hello Professor Harms. You’re very closely involved in the topic of insurance companies, whose core business is dealing with risk. What influence do recent developments – the pandemic, war in Europe, the energy crisis – have on people’s understanding of risk and with that: the insurance industry?
We’ve witnessed an abnormal concentration of extreme crises recently, which have had a particularly strong impact on Western nations. Within the span of two decades, we’ve witnessed several global financial crises, war in Europe, and of course a global pandemic. On top of that, there are other risks like climate change, but also things happening due to global interdependences – think about things like supply chains, cybersecurity, and energy.
In classic terms, many of those risks are quite rightly uninsurable or only insurable subject to conditions, because almost the entire community of insured parties is affected by such catastrophic events. Insurance works by balancing risk between the insured parties, so it’s not always possible to offer comprehensive protection, or at least it wouldn’t be attractive to customers for pricing reasons.
The insurance industry is working fastidiously on solutions for companies, and in some cases it does offer good products, for example in cyber technology, or for business interuption, but at the end of the day, firms have to work first and foremost on their own risk management. When supply chains become increasingly fragmented – or minimal use is made of warehouses for cost reasons – that increases dependency. Those are the sorts of risks that weren’t previously taken into account in the business optimization process.
Good risk management is an important part of successful corporate strategy. What’s the best way to approach this, in concrete terms?
The first and most important step of good risk management is to identify any risks you enter into. To do that, you have to develop a culture of risk throughout the company such that it sees threats not as “disruptions” or “exceptions,” but as an integral part of running a business. Talking about risk on a regular basis, and openly identifying new threats, should be common practice.
Subsequently minimizing risk through steps taken at the company should always take precedence over covering for risk through insurance. Companies themselves are much more aware of the risks they’re taking, and they have the required expertise and potential to do things to mitigate risk. In the future, running your own in-house risk management will be a key option for adding value in many industries. For example, presently roughly two-thirds of German manufacturers are affected by supply bottlenecks; this is where genuine competitive advantage is to be gained by securing access to more robust supply chains, with different ways to warehouse critical parts or switch plans if there are bottlenecks.
What changes are digital systems bringing to the insurance industry, as well as the risks it covers?
Digitech often allows you to find better solutions; for example, you can be more flexible with the timing of business inventory insurance. Similarly, it makes it possible to buy entirely inexpensive protection via derivatives, which can be traded internationally. One example of that is gambling on extreme temperatures, which can be hedged for on capital markets using weather derivatives. But despite that, the insurance industry remains a highly individual business in which it pays to enter into long-term business relationships.
As for risk, of course a lot of attention is being given to cyber risk; almost all insurance companies now have good offers in their portfolios. But it’s just as important to take out cover for digital damage not resulting from external attacks, which might instead result from something you do yourself, such as misconfiguring back-up servers.
Talking of cyber risks, in your opinion what constitutes successful risk management in such areas, and are there any things firms need to think about in particular?
First of all it’s important to remember that cybercrime is now a fixed element of the business environment. Dozens of companies experience cyberattacks every day. Fortunately, they’re often very easy to detect and are purely planned as mass attacks, but all the same almost every large company suffers damage as the result of cyberattacks these days.
We’re also increasingly witnessing hybrid attacks, which use a combination of IT technology and traditional methods. An example of that would be a break-in, physically on the premises, and the theft of unencrypted data – or, for example, people being impersonated by making fake CEO calls to get unwitting employees to give away confidential information.
Companies must therefore have a clear plan of action explaining what to do in the event of a cyberattack, including emergency procedures, and they should organize regular simulations to practice things. Simulations are a particularly good way for companies to learn how to act with more confidence in the first couple of days after a successful cyberattack.
Would you say there are now more risks posed to companies?
Absolutely, yes! The main reason for that is not so much that the world is increasingly risky, but that more and more things in the value chain are connected and fragmented. If one link in the chain breaks, entire sections of the economy collapse.
In the past, companies were rewarded with higher profits if they kept optimizing and breaking up the value chain; it appears that development has now run it’s limits. So conservative approaches to business activities are more worthwhile than ever.