Year in Risk 2016

Morgan O'Rourke


December 1, 2016

year in risk management 2016

As businesses continually expand into new markets and develop strategies to win customers, the risks they are exposed to increase exponentially. Risk professionals, therefore, need to be prepared for all contingencies in order to protect their companies and their stakeholders and help create value where they can. In order to move forward, it is critical to reflect on where we have been. To that end, here are some of the most notable risk events of the past year.

State of Emergency Declared in Flint
January 16
flint water crisisIn response to the discovery of unsafe levels of lead contamination in the water supply of Flint, Michigan, the federal government declared a state of emergency in the city. The crisis in Flint began in 2014 after a switch in municipal water sources prompted residents to complain of discolored, foul-tasting drinking water and an increase in illnesses and physical problems. Five government officials resigned or were fired after it was revealed that they had prior knowledge of the issue, and criminal charges were filed against at least nine others for misconduct, tampering with evidence and violating federal and state water regulations. Multiple class actions and civil suits are also pending against public and private entities for their roles in the crisis. According to estimates, it could cost as much as $1.5 billion to fix Flint’s water infrastructure.

Blizzard Paralyzes East Coast
January 22
A major blizzard dumped as much as three feet of snow along the East Coast of the United States, causing 58 deaths and more than $1 billion in economic damages, according to Aon Benfield. In anticipation of what weather authorities were calling a potentially historic storm, states of emergency were declared in 11 states, airlines grounded some 13,000 flights and travel bans were issued throughout the region. Ultimately, seven states saw snow accumulation of more than 30 inches, five states and Washington, D.C, were declared federal disaster areas, and Delaware and New Jersey had to contend with severe coastal flooding. This was the first storm since 2011 to achieve an extreme Category 5 ranking on NOAA’s Regional Snowfall Index.

Zika Designated a Public Health Emergency
February 1
The World Health Organization officially designated the ongoing Zika epidemic as a Public Health Emergency of International Concern, a formal declaration intended to foster global coordination of tracking, research and management efforts to combat the virus. This was only the fourth time such a declaration has been issued. By the beginning of November, the Pan American Health Organization had confirmed more than 168,000 Zika cases in the Americas since 2015. Primarily transmitted by mosquitoes, the virus causes flu-like symptoms in the majority of patients, but has also been linked to neurological disorders, including Guillain-Barré syndrome in adults and microcephaly in infants.

Chipotle Closes Stores to Implement Food Safety Measures
February 8
In the wake of multiple foodborne illness outbreaks that sickened hundreds of customers throughout 2015, Chipotle Mexican Grill closed all of its U.S. stores temporarily to conduct a company-wide meeting on food safety. Chipotle pledged to shore up its food-handling practices in order to regain public trust, but sales have not yet rebounded for the chain. Same-store sales were down 22% in the third-quarter as compared to last year—the fourth consecutive quarter of such declines—and stock prices have dropped nearly 50% since reaching a peak in August 2015.

Hollywood Hospital Pays Ransomware Demand
February 18
Hollywood Presbyterian Medical Center paid $17,000 in bitcoin to hackers who had encrypted the hospital’s data as part of a ransomware attack. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said Hollywood Presbyterian CEO Alan Stefanek. “In the best interest of restoring normal operations, we did this.” The frequency of ransomware attempts surged in 2016, with the U.S. Department of Justice estimating that more than 4,000 such attacks have occurred daily since the beginning of the year—a 300% increase over 2015. According to a report by cybersecurity firm BitSight, while ransomware attacks affect all industries, the education, government and health care sectors are the most common targets.

HB2 Signed into Law in North Carolina
March 23
hb2 north carolinaNorth Carolina Governor Pat McCrory’s signing of the Public Facilities Privacy & Security Act, commonly known as HB2 or the “bathroom law,” which requires transgender people to use public restrooms that match their sex at birth, sparked nationwide outrage as civil rights groups and businesses were quick to condemn the law as discriminatory. In response to the law, a number of companies, including PayPal and Deutsche Bank, scrapped expansion plans in North Carolina, while high-profile events such as the 2017 NBA All-Star Game, NCAA football and basketball championships were canceled, as were performances from artists such as Bruce Springsteen, Pearl Jam and Cirque du Soleil. Many state and local governments also banned their employees from traveling to the state on official business. Nevertheless, North Carolina officials report that the law has not had a major impact on the state economy.

Panama Papers Published
April 3
In the biggest data leak in history, 11.5 million private documents from Panama-based law firm Mossack Fonseca were made public, detailing questionable offshore business practices. The source of the leaks—an anonymous whistleblower with an unknown relationship to the firm—cited income inequality and the scale of social injustice detailed in the documents as the motivation for the breach. The documents identify a wide range of ­political figures, heads of state, celebrities and businesses that have all used Mossack Fonseca’s services to establish offshore tax vehicles to protect their wealth. While many of these arrangements are legal, some have come under regulatory scrutiny for potentially concealing fraudulent activity.

Goldman Sachs Fined $5 Billion for Role in Financial Crisis
April 11
The U.S. Department of Justice fined Goldman Sachs $5 billion for its conduct in the packaging, securitization, marketing, sale and issuance of residential mortgage-backed securities during the 2008 financial crisis. The settlement included a $2.4 billion civil penalty and $1.8 billion in relief for consumers who were harmed by the firm’s mortgage practices. In February, Morgan Stanley agreed to a $3 billion settlement for its mortgage-backed security practices, while Citigroup and JPMorgan Chase previously saw fines of $7 billion and $13 billion, respectively. Bank of America agreed to the most expensive settlement at $17 billion in 2014. The Justice Department has also started turning its attention to European banks and asked Deutsche Bank to pay a $14 billion settlement in September, which some believe could cause an ­economic crisis in Europe. Analysts say, however, it is likely the actual settlement will be in the range of $2 billion to $5 billion.

Series of Earthquakes Strike Japan
April 14
A 6.2-magnitude earthquake struck near the Japanese city of Kumamoto, presaging a series of aftershocks in the area that would culminate in a 7.0-magnitude temblor that shook the city two days later. The quakes killed at least 50 people, injured more than 3,000 and caused more than $4 billion in insured losses and some $40 billion in economic losses. There were a number of significant earthquakes around the world in 2016, including a 7.8-magnitude tremor that struck Ecuador, also on April 16, killing more than 650 people and injuring 27,000. A 6.2-magnitude quake that struck central Italy on Aug. 24, resulted in 300 deaths, billions of dollars in damages, and many questions about the lax construction practices that may have contributed to the destruction. Central Italy was struck again in late October by another series of earthquakes, but no deaths were reported, in part because many people had not yet returned to their homes after the August disaster.

Petrochemical Plant Explosion Kills 30 in Mexico
April 20
mexichem explosion mexicoAn explosion at a petrochemical plant owned by Mexican oil company Pemex and chemical company Mexichem killed at least 32 and injured more than 130 in Coatzacoalcos, Mexico. The cause was suspected to be a gas leak. The blast was only the latest in a series of deadly tragedies to strike Pemex facilities in recent years. In January 2013, at least 37 people were killed in an explosion at the company’s Mexico City headquarters, while 30 people died from another explosion at a Pemex natural gas facility in northern Mexico in September 2012.

Paris Climate Agreement Signed
April 22
An initial group of 175 nations signed the Paris Agreement, developed under the auspices of the United Nations Framework Convention on Climate Change, at an Earth Day ceremony. In an effort to reduce the impact of climate change, the agreement calls for holding the increase in the global average temperature to well below 2°C above pre-industrial levels and pursuing efforts to limit the temperature increase to 1.5°C above pre-industrial levels. By the time it went in effect on Nov. 4, 192 countries and the European Union had signed the agreement.

EU General Data Protection Regulation Adopted
April 27
The new General Data Protection Regulation (GDPR) was adopted in the European Union and is expected to go into effect in 2018. The law not only applies to EU companies, but to any company that does business with EU residents, regardless of where the business is located. The GDPR requires businesses to adopt “privacy by design” standards, which specify that data protection safeguards be built into any product or service offerings at the outset. It also establishes data breach notification requirements and gives consumers new consent rights with regard to data use, including the “right to be forgotten,” which allows consumers to order a company to erase their personal data. A company that violates the provisions of the GDPR can face fines of up to €20 million, or 4% of their global turnover, whichever is greater.

Fort McMurray Wildfire Becomes Canada’s Costliest Disaster
May 1
A wildfire that broke out near the Canadian city of Fort McMurray eventually burned 1.4 million acres, destroyed 2,400 homes and buildings and forced the evacuation of 80,000 residents. The blaze caused an estimated CAN$3.58 billion (US$2.67 billion) in insured damages, according to estimates by the Insurance Bureau of Canada, making it the most expensive disaster in Canadian history. It also temporarily halted oil sands production for facilities in the area, which analysts say led to a drop in production of more than 30 million barrels, worth an estimated $1.4 billion.

Terrorist Gunman Kills 49 at Orlando Nightclub
June 12
A gunman proclaiming allegiance to the terrorist group ISIS killed 49 people and wounded 53 others at a gay nightclub in Orlando, Florida. It was the deadliest mass shooting by a single person and the deadliest attack against the LGBT community in U.S. history. The year was marked by a number of high-profile, ISIS-related terrorist attacks around the world, including a March airport and train station bombing in Brussels, Belgium, that killed 35 people, the Bastille Day massacre that killed 87 in Nice, France, a shopping center bombing in Baghdad that killed more than 340 in July, and multiple bombings that have claimed hundreds of lives in Syria, Pakistan, Yemen, Turkey, Libya and elsewhere.

Summer Floods in China Cause $38 Billion in Losses
June 14
Heavy rains that began in mid-June led to widespread flooding in ­northern China and along the Yangtze River, killing more than 300 people and destroying crops throughout nearly 20 Chinese provinces. To date, the floods have caused $38 billion (CNY255.8 billion) in economic damages, according to Aon Benfield. Reflecting the low level of insurance penetration in the country, however, only about 1.5% or $596 million (CNY4 billion) of that total is insured.

U.K. Voters Approve Brexit
June 23
brexit voteIn a referendum result that surprised many experts, 52% of voters in the United Kingdom elected to leave the European Union. In the immediate aftermath, Prime Minister David Cameron resigned and was replaced by Theresa May, who is now tasked with leading the transition. Although it will take two years for the U.K. to officially exit the EU, the decision has already created an atmosphere of uncertainty as businesses try to determine how this will affect commerce and trade. In the early going, the U.K. economy has not yet suffered as badly as many thought it would, but the pound is down sharply against the dollar and euro, and many financial experts remain cautious.

Volkswagen Agrees to $14.7 Billion Settlement in Emissions Cheating Scandal
June 28
As part of its restitution for intentionally tampering with emissions tests to meet pollution standards, Volkswagen agreed to pay $14.7 billion dollars to settle various civil actions. As much as $10 billion of the total was earmarked to buy back affected cars and compensate  consumers, while $2.7 billion will be set aside for environmental mitigation measures, $2 billion will go toward developing clean technology and $600 million will be used to settle claims with 44 U.S. states. The company is still under criminal investigation by U.S. and German authorities, which could lead to additional fines and penalties.

Justice Department Blocks Health Insurance Mergers
July 21
The U.S. Department of Justice and various state attorneys general filed lawsuits to block Anthem’s proposed $54 million acquisition of Cigna and Aetna’s proposed $37 million acquisition of Humana. The DOJ alleged that the transactions would restrict competition for health insurance by reducing the number of large health insurers from five to three and thus lead to higher health care costs. In response, Aetna announced in August that it would withdraw from most of the public exchanges created by the Affordable Care Act because of the financial losses it was incurring that the merger was designed to alleviate.

Louisiana Floods Called the Worst U.S. Disaster Since Superstorm Sandy
August 12
louisiana floodingIn what the Red Cross called the worst natural disaster to hit the United States since Superstorm Sandy in 2012, massive flooding in Louisiana led to 13 deaths, damaged at least 150,000 homes and businesses and caused between $10 billion and $15 billion in economic damages. The state saw seven trillion gallons of rainfall in one week, and some areas received as much as 30 inches of rain in a single day. Although catastrophe modeler AIR Worldwide estimated potential insurable losses in the state to be as high as $11 billion, Aon Benfield’s Impact Forecasting said that, because 80% of the affected homes are without flood insurance, actual insured losses are likely to be in the low single-digit billion range.

FAA Issues Regulations for Drone Use
August 29
With drone use increasing, the Federal Aviation Administration’s new regulations for the operation of these unmanned aerial systems went into effect. The rules, which apply to drones weighing 55 pounds or less, stipulate that drones must be under line-of-sight control, remain less than 400 feet off the ground, and cannot fly above people who are not involved in operating them or in certain airspaces, such as near airports. They may carry objects for hire provided the total combined weight of the drone and its payload does not exceed 55 pounds. Although the FAA did not mandate that operators obtain a pilot’s license, they do need to be at least 16 years of age, pass an aeronautical knowledge test, and must conduct pre-flight inspections before operating a drone.

EU Hits Apple with $14 Billion Tax Bill
August 30
As part of a probe into what it considers to be improper tax deals between American companies and EU-member governments, the European Commission ordered Apple to pay Ireland €13 billion ($14.25 billion) in back taxes after ruling that the Irish government had made a tax arrangement with the tech giant that amounted to illegal state aid. In response, a U.S. Treasury spokesperson said in a statement, “The commission’s actions could threaten to undermine foreign investment, the business climate in Europe, and the important spirit of economic partnership between the U.S. and the EU.” Apple is not the only company to face such a penalty. In 2015, Starbucks and Fiat Chrysler were asked to pay €30 million ($33 million) each for back taxes in the Netherlands and Luxembourg, respectively. Amazon and McDonald’s are under investigation for similar tax deals.

Samsung Recalls Exploding Phones
September 2
After widespread reports that the batteries in its new Galaxy Note 7 smartphone were prone to overheating and catching fire, Samsung issued a recall of one million phones in an effort to correct the problem. Reports of fires persisted, even among replacement phones, however, leading the FAA to ban the Galaxy Note 7 from all U.S. flights and the Consumer Product Safety Commission to advise consumers not to use the phones at all. In October, wireless carriers in the United States announced that they were suspending sales of the phone until further notice and Samsung issued a second recall of 1.5 million phones on Oct. 10. One day later, the company announced that it was permanently terminating production and shipment of the Galaxy Note 7. In all, the recall was expected to cost Samsung $5.3 billion, an amount that would essentially wipe out its entire mobile business profit.

Fox News Pays $20 Million Sexual Harassment Settlement
September 6
Two months after filing a sexual harassment suit against then-Fox News chairman Roger Ailes, former anchor Gretchen Carlson received a $20 million settlement from Fox News’ parent company, 21st Century Fox. After internal investigations turned up similar allegations from other women, Ailes resigned as chairman in July. The legal fallout continued for Fox News, however, as former-host Andrea Tantaros filed another sexual harassment suit against the network, Ailes and other Fox executives in August.

Federal Government Issues New Guidelines for Autonomous Cars
September 19
In order to help promote safety on the nation’s roads, the U.S. Department of Transportation and the National Highway Traffic Safety Administration released a set of guidelines for manufacturers and developers of autonomous vehicle technology. The guidelines create a 15-point “safety assessment” that covers a wide range of issues including system testing, traffic law compliance, crash protection, safeguards in the event of system failure, and passenger privacy and cybersecurity measures. The guidelines come after a Tesla driver was killed in June in the first fatal crash involving an autonomous car.

500 Million Accounts Exposed in Yahoo Hack
September 22
In what is likely the largest data breach to date, Yahoo announced that hackers compromised at least 500 million user accounts in an attack that began in 2014. According to Yahoo, the account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The company said that it believed the breach was the work of a state-sponsored actor and urged its customers to change their passwords and security questions for their Yahoo accounts and any others that use similar login credentials, watch for suspicious activity on their accounts, and avoid clicking on email attachments or responding to inquiries from unknown or questionable sources.

Hurricane Matthew Wreaks Havoc
September 28
hurricane matthewThe first Category 5 Atlantic hurricane since Hurricane Felix in 2007, Hurricane Matthew devastated parts of the Caribbean and southeastern United States, causing at least $8 billion in damages. Casualties were the highest in Haiti where more than 1,000 people were killed. The government also estimated that 175,000 people were left homeless and economic damages would reach almost $2 billion. In the United States, 49 people were killed as flooding, particularly in North and South Carolina, contributed to economic damages that could cost as much as $6 billion, according to CoreLogic. RMS estimated that insured losses in the United States would fall between $1.5 billion and $5 billion.

U.S. Blames Russia for Using Cyberattacks to Disrupt Elections
October 7
U.S. intelligence agencies announced that they believe the Russian government was behind a series of cyberattacks designed to influence the Nov. 8 elections. Earlier in the year, the Democratic National Committee revealed that its network had been hacked. Internal emails published on WikiLeaks raised questions about the campaign tactics of the Democratic party and led to the resignation of DNC Chair Debbie Wasserman Schultz. State voter registration databases in Illinois, Arizona and other states have also come under attack, but most experts believe the disconnected nature of state voting technology would make it very difficult for hackers to affect the election by tampering with actual votes.

Wells Fargo CEO Steps Down Amid Fake Accounts Scandal
October 12
John Stumpf resigned as chairman and CEO of Wells Fargo after it was revealed that employees had opened millions of unauthorized bank and credit card accounts, without customers’ knowledge, in an effort to collect money on fees and meet sales incentives. The bank was hit with $185 million in fines from various federal and state agencies and reportedly fired 5,300 employees in connection with the scheme. The company said it also set aside $5 million for customer remediation. The scandal created a reputational crisis for Wells Fargo, as it has resulted in the company losing its accreditation with the Better Business Bureau and facing the possibility of significant additional loses over the next year if customers flee to other banks.

Cyberattack Takes Down Multiple Websites
October 21
A massive denial-of-service attack against Dyn, a provider of domain name system services that govern internet traffic, blocked access to dozens of websites, including Twitter, Netflix, Amazon and Reddit, underscoring the vulnerability of internet infrastructure. The attack was unique in that the hackers were able to exploit the connectivity of internet of things devices to release a botnet that overwhelmed Dyn’s servers, effectively slowing or halting web activity. The identity of the hackers remains unknown.

Donald Trump Elected President
November 8
After one of the most contentious and downright ugly presidential campaigns in recent memory, Donald Trump was elected as the 45th president of the United States. One of the new president’s biggest challenges will be to find a way to help reunite a country and government sharply divided by partisan rhetoric in order to address a wide array of economic, political, social and national security risks.

Morgan O’Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS)