While it is possible for a business to understand and protect itself against a range of risks that directly affect its own assets, performance and people, it is less easy to assess and protect against the risks faced by those in a lengthy supply chain. By way of example, property damage and business interruption policies typically provide cover where the assets of a business are directly impacted by an insured event. The policy may well not provide cover, however, in circumstances where your business is unable to trade because a key supplier has suffered a business interruption event. In such circumstances, the business would be self-funding its losses without any recourse to insurance protection.
Evolving risks mean that the supply chain risk needs to be under constant review. What if some parts of the supply chain are in parts of the world that are more susceptible to rapidly changing climatic events such as fire, flooding or hurricanes? Is that changing risk profile being reflected in the assessment of risk in the supply chain, and how is that risk being managed?
Equally, while your business may have stress-tested its own insurance policies and operational procedures to protect itself against cyber-events, is there sufficient protection in place in the event of a cyber-event affecting part of your supply chain? One risk to be aware of is that a security weakness in a supplier's IT systems could act as a point of entry to your business' own systems in a cyber-attack. Aside from insurance, another way to monitor and manage this risk is to include minimum security requirements in the contractual terms negotiated with suppliers.
It is important therefore to look broadly at your business interruption risk profile. Understanding and managing the risk is always the first step. If insurance is to be used to manage the risk then it is worth keeping in mind the following points.
- It can be possible to utilise supplier extension clauses to protect against insured events occurring to suppliers. If you are considering doing so, consider matters such as whether the suppliers need to be specifically named (and whether they have been accurately described), what events may trigger cover and what sub-limits may apply.
- If any cyber cover is to be effective it is essential to consider how, if at all, it will respond if the attack is to an entity in (or via) the supply chain, and whether that matches the risk the business is looking to mitigate.
As of January 2020, Herbert Smith Freehills is now an Associate Partner of Airmic. Herbert Smith Freehills has been an Airmic Preferred Supplier for eight years. The move to become Airmic's only Associate Partner law firm, is a testament to the extent of cooperation between Aimic and Herbert Smith Freehills over the past eight years and to the exciting programme of events planned for the coming year.
Paul Lewis, who heads the insurance team, said: "We were absolutely delighted to be asked by Airmic to become an Associate Partner. We value our relationship with Airmic very highly and look forward to assisting them in taking the profession forward".
Over the coming year, in its capacity as an Associate Partner, Herbert Smith Freehills will be running events for a wide variety of Aimic members. From the Leadership Group, to the FastTrack group, to a number of Special Interest Groups and, of course, for everyone attending the Airmic Conference in June 2020.
These events will explore a range of evolving business risks that should be top of mind for risk managers in 2020 including climate change, class actions, data breaches and ICO fines. As well as providing this technical content, Herbert Smith Freehills will also be running a soft skills workshop on negotiation skills for our FastTrack members in May. Do keep an eye out for invitations to events relevant to you. Herbert Smith Freehills looks forward to seeing you there.