Recently, I polled a number of professionals in the long term care industry to find out what operational risks are the most pressing and concerning. The poll provided a list of commonly voiced concerns divided into six parts:

1. Employee and employment issues.
2. Regulatory and political risks.
3. General insurance concerns.
4. Specific insurance lines concerns.
5. Financial and litigation concerns.
6. Property and safety.

Each part also contained subsections. For example, (3) general insurance concerns had subsections of:

• Cost of insurance (how much coverage is needed, proper deductible/retention, etc.).
• Difficulty getting coverage regardless of costs (capacity).
• Gap in coverage (E.g., your coverage did not cover the type of cost or deductible was so high that it will create a significant problem if a loss occurs or concern that the upper limit is too low).
• General concern due to lack of understanding of insurance coverage.
• Other.

All responses were sent to me privately, which was surprising. No one wanted to publicly share their concerns. This is concerning because if we are not comfortable discussing risk, we as stakeholders, facility managers, and as an industry are not able to address the threats that could shutter our doors.

Many of the comments that accompanied the responses acknowledged the interdependence of risk. By example, one respondent tied regulatory/political risk (changes in laws/compliance with regulations) and cyber-risk pointing out that cyber breaches in medical data crosses over both risks. It also incorporates reputational risk and directors & officer insurance risks. Several respondents confided that they had not thought about all the different risks until they saw the list.

Cyber Threats

The top concern is the same as in most industries: cyberattacks. The few comments accompanying this concern voiced a feeling of helplessness and a lack of control. Respondents felt that they could manage their safety issues, physical property exposures, and general liability concerns, but that cyberattacks were beyond their control.

One person stated that they “foolishly” hope that they are too small to be a target. But, this makes you a great target for cyberattack. Chances are that you are too small to have a mature defense in place and have an inadequate response plan. You are the perfect target for a quick payout, and that attack could close your doors overnight.

Gallup often surveys employees to gauge job satisfaction. Willis Towers Watson analyzed the intersection of job satisfaction and cyberattacks. What it found was amongst organizations who had engaged the Gallup survey and later were breached, the breach occurred in those locations or departments where job satisfaction was lowest in the organization.

Constant training such as having internal spam email tests and proper security management activities start to give organizations real control of this risk. Without employee engagement, you are a ripe target. Although the world of cybersecurity is constantly evolving, its prevalence has resulted in a lot of companies entering the marketplace with solutions. This in turn has led to more affordable options to protect yourself. As a warning, some service providers are better than others. It can be difficult to assess who is good. Do your homework.

Litigation and Insurance

Litigation and insurance issues remain a perennial concern. Respondents appear to have a clear understanding of workers’ compensation claims but less of an understanding of the general liability, professional liability, and directors & officers liability breakouts. This in turn appears to elevate the insurance coverage concerns beyond what was expected.

Within the insurance coverage responses, the comments indicated a lack of understanding of insurance in general. The basic understanding was there but comments as to how to decide deductibles and concern that your losses won’t be covered means that insurance coverage issues are not easily bucketed. The confusion can, and often does, result in gaps in your coverage.

The take-away from this result is that your leadership team needs to have ongoing conversations with their risk managers and broker(s) to understand the distinct types of exposures that not only your facility faces, but also those experienced in the industry. You may not be aware of emerging exposures and therefore may miss the opportunity to address them until they are realized.

As an example of a potential coverage gap that could be catastrophic, if a fire in your facility destroys the kitchen, will your standard general liability policy cover it, or should you have had a business interruption policy? If you have a business interruption policy, does it kick in immediately or is there a waiting period? How do you address feeding the residents during the time until the policy kicks in?

Reputational and Financial Risks

Reputational and financial risks got less attention than I expected. Prior to the advent of cyberattacks, reputational risks were a perennial chart-topper. Reputational risk is always the secondary risk to anything such as cyberattacks, general security issues, food-borne illness issues, work conditions, and accusations of regulatory or financial irregularities. Conversations that I have had with brokers indicate that inquiries in obtaining reputational risk insurance is as strong as it has ever been. Perhaps it did not score higher because leaders may, at some level, realize that if they can get the issues that can attack their reputations under control—such as building a good cyberattack defense, instituting safety measures, etc.—it will mitigate the reputational exposures. It is no different than reducing your general liability exposures by making sure your facility is safe for residents and visitors. It is no different than mitigating your property loss exposures by performing roofing inspections, repairing uneven and cracked walkways, and checking fire suppression systems, to name a few.

Identification Is Key

The takeaway from this exercise is that facilities may not be able to identify their risks and therefore are not able to develop plans for addressing those risks. Even when they are able to either clearly identify the risk or sense the outlines of a risk exposure, they are unable to articulate the concerns and get the proper guidance for addressing them. This, in turn distorts their understanding of their exposures.

The good news is that whatever your risk exposures are, you are not alone. Other facilities have experienced them too. Now what is needed is tapping into the collective industry knowledge to identify these risks and their solutions.

Jeff Marshall is a risk and claims management consultant focusing on nursing homes and assisted living facilities. He can be reached at IManageRisk4U@gmail.com.