Kidnap and ransom - More and more companies are sending employees to high-risk overseas environments; yet many remain ill-informed of the potential risks to their personnel and assets.

By Jon Gregory of AIG.

Kidnap & Ransom and Extortion (KRE) insurance helps organisations protect their people, assets and operations. However, it is a highly confidential subject that is rarely discussed and is therefore commonly misunderstood. Confusion often arises over who should know about its existence within the organisation, and how the policy - and the crisis response services it offers - actually work.

One of the first questions is who should be covered? Some people think that kidnapping only affects the wealthy, or that only the top company executives are exposed; they are wrong. Any employee of a multinational may be an attractive target for financially motivated criminal and terrorist groups. This includes expats, travellers and local employees – in fact, in some parts of the world the latter are most at risk. Coverage can, and should, apply to everybody, including contractors and temporary employees. It is all part of a company’s duty of care.

Global coverage is also recommended, as you never know where an incident may take place. The highest-risk locations for kidnap currently include Afghanistan, Iraq, Mexico, Nigeria, Pakistan, Somalia, Chad, the Philippines and Yemen. Yet kidnapping can and does happen everywhere – and other forms of threat extortion or security-related issues often affect companies in ‘safe’ regions such as Europe, North America and Australasia.

Another common question is what limits a company should purchase. The insurer can always give insured companies a benchmark figure based on what similar sized companies in a particular industry are buying, combined with the level of ransom settlements reached in those countries or regions where the client is operating. However, it is always best to adopt a conservative position because it is impossible to make accurate predictions; each incident is unique. It is also important to remember that this is also a policy of reimbursement, so a company must be worth the limit of coverage they purchase and be in a position to settle the ransom amount themselves before seeking a recovery from their insurance policy.

The part of the coverage that is not reimbursed, but rather paid by the insurer directly, relates to the fees and expenses of the response consultants. This is a critical element of the cover and, again, something that is frequently misunderstood.

Tess Baker from our retained response consultancy, NYA International, comments: “Over the years a number of Hollywood films have sensationalised and misrepresented the response consultants’ role. The consultants act as the affected company’s advisors, providing advice based on many years’ of experience of these types of events.

“They help the company’s crisis management team to prepare for both likely and unforeseen eventualities and pursue a controlled, structured strategy that is firmly grounded on proven principles. This includes advice on issues such as: financial strategy, communications, liaison with the media, law enforcement and other stakeholders and practical considerations around ransom collection, delivery and payment. The key things to remember are that, during a case, the consultants work on behalf of the company, not the insurer, and that all decisions, ultimately rest with the company.

“Ideally, companies should get to know their response consultancy in advance of any incident and gain a thorough understanding of how things work. Don't be afraid to ask some difficult questions, such as how many consultants are on the team, how they are vetted and trained, what experience they have, and how many are deployed to advise on each case.”

At a high level there is also much that a company can do to reduce the risk of an incident happening in the first place. For example you can give personal security training to employees who live and/or work in high-risk parts of the world, which helps to raise their risk awareness and take a degree of personal responsibility for their own safety and security. It is also recommended that companies have a crisis management plan at the ready and a crisis management team that understands what it needs to do in the event of an incident.

Baker continues: “It’s a good idea to do a practice run of a kidnap scenario, via a simulated, table-top exercise - to ensure that everyone is clear on their roles and responsibilities and has a clear, structured course of action to follow. You’ll be very glad of this in the event of a real incident: things can unfold at an alarming rate.”

Risk mitigation is obviously in the insurer’s interest also, and a good KRE policy will provide funding towards this kind of pre-incident work.

So companies need to forget the hype and drama that they may associate with kidnap ransom and extortion and consider their key risk individuals and locations at least once a year.