Changing regulation and new approaches by regulators are a challenge for risk managers, both in terms of keeping up with the evolving regulatory environment, and the impact on the cost of risk. Zurich’s global leaders of claims for property, casualty and specialty business examine the way in which regulation is changing and how it affects companies operating globally.
Change is happening more rapidly than ever before and regulators are having to work much harder to keep up and respond. Regulators are increasingly putting the onus back on the people they are regulating and, as a result, codes and regulations are becoming much less prescriptive. It is also clear that compliance with regulations no longer provides the protection that companies might reasonably expect.
From a liability perspective, two priorities for business in terms of regulations are clarity and certainty. If they are required to operate in an environment where they feel that they do not have clarity about regulations, it puts them in a riskier environment going forward. If a company is complying with certain regulations, it would expect that there would be some protection on the liability side from civil matters. However, that certainty is currently being called into question in some environments.
For example, the US pharmaceutical business is a highly regulated industry where you cannot place a product into the market unless you have Food and Drug Administration (FDA) authorisation. The FDA oversees the warning labels on the product and if such a label were approved by the FDA, a company would reasonably assume that it will not be exposed to lawsuits focused on the inadequacies of that warning.
But there is a case currently before the US Supreme Court that deals with this exact issue. A drug company went to the FDA with a warning label, which was declined by the FDA. Later, it was hit by lawsuits concerning the inadequacy of the warning label, which have now reached the Supreme Court.
There could be similar arguments about the effects of regulatory compliance in the UK as the public inquiry over the Grenfell Tower tragedy unfolds. One argument will centre on the impact of building code compliance, as the Grenfell Tower had passed building compliance inspection. In the aftermath of the fire, however, the UK building codes have come under considerable scrutiny and criticism from the Hackitt inquiry for being “unclear”.
It remains to be seen what impact the regulations will hold for the various companies involved, which are likely to assert that they relied upon the building codes.
These are examples of companies relying on regulatory approval and potentially not getting the protection they had expected, creating uncertainty. Risk managers need to work closely with their general counsel and governmental affairs officer to give meaningful input on regulations, noting when they could be unclear for their business.
On the first-party side, it is clear that increases in building regulations are causing extra cost and risk. There have been several changes to codes in terms of building requirements in recent years, such as for fire protection systems or disabled access. Developers and contractors need to be aware of new regulations, whether they are planning, building, maintaining or even refurbishing a building.
Changes are often brought in post-loss, such as tougher regulations to replace the building envelopes following a number of serious fires in high-rise buildings being spread by cladding. For example, following a spate of high-rise fires in Dubai, there have been changes in regulation and a new code (Fire and Life Safety Code 2017).
The code makes it clear that fire regulations are a multi-party responsibility. It has a chapter specifying the requirements for developers, consultants, contractors and even the tenants. This makes clear that fire safety is not an issue where liability can simply be passed down to a subcontractor. There is also increasing concern over potential conflicts between safety and environmental issues when it comes to construction. For example, we are seeing increased risk brought about by living walls and roofs, designed to improve the environment but causing fire safety issues.
In general, around the world there is an increasing requirement to bring older buildings up to specification. For example, in Hong Kong new codes have come in that require rebuilds to have higher standards. However, risk managers need to be aware that insurance policies can include a sub-limit and the full value of, for example, a fire protection system, may not be covered. Regulations can increase cost and risk managers must ensure that limits purchased in the policy reflect that increased cost.
After the 2008 financial crisis, governments and their financial regulators realised that the tools and processes they were using were not enough to meet their oversight responsibilities. New risks, complex financial transactions and the need for global oversight forced regulators to evolve. Ten years later, regulators have more powerful tools and greater powers but oftentimes fewer resources to address emerging risks. Data protection, guarantees of privacy and management of cryptocurrencies are a few examples of the challenges regulators face. These emerging risks have forced regulators to leverage their resources and adopt new techniques to keep pace with increasing volumes and complexity.
To do this, regulators have created new tools. They have more sources of data to analyse companies and transactions. Simultaneously, companies must devote more time and resources to report information and comply with new regulations. Because so many companies have a global footprint, regulators now reach across borders to share information. By combining their resources and working together, regulators leverage synergies and are far more effective.
One tool increasingly being used by regulators is remediation as an alternative to prosecution. It is often more effective in creating change. Remediative action might range from limiting the future employment of a company officer to oversight of a company by a regulator-appointed monitor.
More recently, regulations have arisen from an ‘event’ such as a corporate collapse, a natural disaster, or the failure of a product. An event often spurs an investigation and sometimes results in new regulation. Historically, the violation of a regulation was the primary reason why a regulator became involved. Today, the attention of a regulator is increasingly being caused by the occurrence of an event, as opposed to the breach of a regulation.
Risk officers must expect current regulations to evolve and new regulations to be implemented, especially after the occurrence of an event. The process of adapting and complying can be painful. After an event, a risk officer should review their own organisation to check that the proper controls are in place. Events are a problem for risk managers because they are unexpected and unpredictable.
As a result, it is not enough to comply with existing regulations. Risk officers must work with their governmental affairs group to make sure that they have an ongoing dialogue with regulators, to understand how new regulations may impact them. They need to work with their legal advisers to understand the legal implications of changing global regulations.
To manage these risks, a risk officer needs to be certain that their existing coverage protects against current and evolving risks. They should work with their insurer and broker to identify emerging new risks, determine which are covered, and protect against those that are not.
This article and the content therein reflect the personal view of the authors and not necessarily that of Zurich Insurance Group.
Contributed by Steven Bauer, global head of casualty claims, commercial insurance, Zurich Insurance Group; Martin Clark, global head of property and energy claims, commercial insurance, Zurich Insurance Group; and Thomas R Ripp, senior vice-president, global head of specialty claims, Zurich Insurance Group.