Have You EERMed Today?
Nov 21, 2019

No? Let's talk about that. Extended Enterprise Risk Management (EERM) is the art of extending risk management planning, policies, requirements, etc. across the entire web of your third party ecosystem. John Donne told us "no man is an Island cut off from the main." That's even more true in the highly networked, interleaved B2B structures of the 21st Century. Earlier this year (Vol 4, Number 3) we told you the story of how a mighty electric utility was threatened with a possible major cyber attack through a minor indiscretion by a subcontractor of a subcontractor.

Now is a good time to think about EERM because Deloitte and Touche has just published its fourth annual industry survey, All together now: Third party governance and risk management. Assuming your risk span is any broader than a burrito cart on a Brooklyn street corner, you need to know more about EERM and the Deloitte survey is a comprehensive source of information. Deloitte questioned some 1,055 risk managers from 19 countries about what they are doing and what needs to be happening in third party risk management. Here are a few highlights:


Major concerns: no surprise that risk cost reduction hit the top of the list. That was predictable. What's more informative is the next three major concerns listed - reducing third party incidents, better compliance with regulatory scrutiny and also with internal audit functions. Do we have our, er, bases covered?


Underinvestment: many firms seem to be chronically underinvested in EERM. Lack of resources or piecemeal funding often leaves even basic good risk review half accomplished. By extension, this would imply that significant risk potentials are left unaddressed.


Federated structures: respondents reported a good deal of movement toward "federated" risk structures in which senior management, operating units, country teams, and tech units work together to manage third party service delivery models, as opposed to dumping the entire task on a probably understaffed risk department and walking away.


Deep knowing: companies are pooling actionable intelligence and analysis across the organization and not hoarding data in little silos where its full importance is often not clear.


EERM recruiting: more organizations are beginning to understand the need to recruit people with serious expertise in EERM.

This list is necessarily high level. The report dives deeper into useful details and examples, but EERM is an abstract concept since every large, complex organization has a unique ecosystem of service and supply vendors which represent different degrees of risk potential.

The most important item reported is simply this: 83% of respondents reported a third party incident in the past three years; 11% of those were severe and another 35% moderate in overall impact. That's a lot of third party messes to clean up. Third party hits can come in many forms but the big one nowadays is cyber attack or breech. The giant snack food company, Mondelez, incurred an estimated $600 million in damages when malware entered their system through a routine annual update of their tax reporting software in Ukraine. That's a lot of crackers and cookies.

To EERM or not to EERM? No, that's not a question anymore.


The Four Day Workweek - More Than a Campaign Issue?

Presidential election years are generally not chock full of risk management issues, other than the obvious potential for traumatic windbag deflation events. But this time around may be an exception. The "Medicare for all" debate and its possible consequences could have a dramatic impact on workers' comp*, but yet another issue with disruptive potential is now creeping into the discussion - the four day workweek. As Bernie Sanders put it just last month, "Shortening the workweek is certainly one idea that we have got to look at..."

As it happens, various employers are experimenting with four day a week work schemes around the globe. A recent article in Business Insider summarizes current trial runs by Microsoft in Japan and Perpetual Guardian, New Zealand's oldest trust company. The results have been very promising. At Microsoft Japan productivity rose by roughly 40%, with 92% of employees saying they were happy with the four day program by the end of its run. Perpetual Guardian said that its people were happier, more creative, more punctual, and more productive.

So far, so good, but what does this have to do with risk? For the last twenty years we have seen the publication of dueling studies on the relationship between long hours/overtime and industrial accidents. For example, back in April of 2004, the CDC published a NIOSH meta-analysis of some 22 studies on the relationship of long hours and increased injury rates as well as other negative outcomes. In short, the studies reviewed found a number of relationships both strong and weak between long shifts and more accidents as well as a range of poor health outcomes.

But that was merely one salvo in a long exchange. In May, 2007, an article in no less than the Harvard Business Review showed that, based on in depth studies by the authors, "only certain types of employees doing certain types of work in certain work environments are at higher risk of illness, injury, or reduced productivity - and only at certain levels of long hours."

Well - that's definitive, and there's a good deal more where those examples came from. Our point here is to suggest that knowing how longer or shorter hours impact comp costs, among other elements of productivity, in the various parts of your enterprise might be a good idea. You may well be able to drive some useful analytics from your existing comp data, assuming you can normalize losses against payroll and FTEs. Comp claim files should include accident time and hours worked that day. In other words, as the subject of work hour regulations bubbles up in the molten brew of politics, you may be well advised to have all the real data you can find on tap and your helpful TPA may be able to pull a number of useful rabbits out of their data hat.

More generally, are you really using the extensive data buried in your comp and absence files to drive a better understanding of real cost and productivity drivers? Do you pour over reports from your TPA to make certain that you have squeezed every dime out of medical billings and then not task other information in the same comp files to tell you how work hours drive disability costs? You wouldn't do that - would you?

*For a deep dive into this Black Lagoon, follow Joe Paduda's excellent blog, Managed Care Matters. Joe actually unscrambles the eggs and makes sense of this debate.

An illustration of a man sitting with his head resting on a desk, with a series of clocks behind him

"How did it get so late so soon?" Dr. Seuss


Quick Take 1:
Wearables - The Beat Goes On

We've noted the ongoing discussions concerning wearable devices and their role in workers' comp in several issues of this noble electronic fishwrap in the past. Our friends at Business Insider have just published a neat update on new developments in wearables and the controversies that continue to dog this new technology.

What controversy, you might ask. Wearable devices appear both useful and benign in detecting unsafe work practices - the kind that can result in expensive and life-altering industrial injuries. "StrongArm Technologies, a Brooklyn-based tech startup, created the biometric device [profiled in the article lead] as a way to improve workplace safety and reduce the cost of claims related to workplace injuries."

Yes, but - is life ever that simple? As the writer goes on to point out, "employers aren't just using the technology for safety purposes - they're also using it to monitor worker productivity and, in some cases, even plan how to replace workers with automation." Yeah, as in Facebook started in a Harvard dorm as a way to find a party on Saturday night, but now it's supposedly a threat to democracy itself. If your company is thinking about serious deployments of wearable devices, you need to make yourself familiar with all of the pros and cons swirling around this new technology. This article provides a convenient primer.

The monitored employee, 2019, whose every movement is a KPI.


Quick Take 2:
Meanwhile, Back at the Interactive Process...

Yes, the interactive process mandated under the ADA and ADAAA laws is an HR issue - except when it isn't. The interactive process for handling reasonable accommodations for disabled employees includes folks on TPD in a comp RTW program. Every so often, this gets overlooked and it can be an expensive oversight. A few years ago, the maximum ADA penalty went from $55K to $75K - a so-called inflation adjustment.

We offer this reminder in part because the folks at SHRM (the Society for Human Resources Management) recently posted a handy everything-you-ever-wanted-to-know-about-the–interactive-process page. This page points to a wide variety of checklists, a toolkit, sample forms, and articles which explain every aspect of the interactive process and accommodation. Getting an accommodation right is really pretty painless, especially compared to a $75K penalty.

My Swedish grandfather patiently explained to me one day: there is never anything wrong with getting it right the first time. The occasion had something to do with finishing concrete, so you know he meant it.


Words to Remember

"I've heard that hard work never killed anyone, but I say why take the chance?" - Ronald Reagan


Share This
* Required Fields