Risk and reward: how much is too much?

It is a great question but, frustratingly, there is no easy answer.

Professional service firms grapple yearly with the perennial question of how much professional indemnity insurance is appropriate for their businesses, constantly reassessing the fine balance between premium and risk transfer.

Obviously, a business’s tolerance for risk is the starting point and every business owner or board of directors will differ in their approach, fundamentally driven by stakeholders. While organisational risk is an accepted by-product of doing business, the key is in identifying and mitigating threats that might create unwelcome potential exposure, whether financial, legal, or human.

So, where to start?

Risk and reward: the higher the risk, the greater the uncertainty, but ultimately also the potential for greater gains. This makes sense and many businesses are willing to adopt a high tolerance benchmark. However, things may not always be that simple: regulatory or legal requirements can necessitate a more cautious process.

Accountancy firms in England and Wales are required to comply with regulations in respect of professional indemnity (PI) policies, notably with certain minimum standards of coverage limits, use of participating insurers and particular policy wordings.

Additional cover in excess of these limits is a matter of choice. If a business’s risk tolerance is low, what are the considerations for additional PI cover over and above the minimum standards?

Client base

Any assessment of risk implications for accountants ought to involve a close analysis of a practice’s client base. Two issues are highly relevant and often overlooked in favour of a simple (but perhaps misguided) focus on premium: the nature of client work and the volume of such work.

Consider the client base. If an accountancy practice typically provides advice to SMEs, the risk exposure might sit at a fairly measured and tolerable level. However, if, for example, the business engages in audit work for billion-pound entities (or even one such entity), the risk exposure will be markedly different. Should the practice find itself on the receiving end of a negligence claim in such circumstances, the potential financial exposure is clearly considerably greater. A failure to consider this is likely to leave the business underinsured.

Secondary to the nature of the work, an analysis of the volume of work will be critical - or, perhaps more correctly, the volume of work in any given sector. Over-exposure to a particular market segment may create multiple claim scenarios when market forces conspire. Consider accountancy firms which provided niche auditing services to financial institutions during the 2007 global financial crisis (GFC). After the GFC, auditing firms found themselves under investigation for their roles in failing to detect fraudulent wrongdoing. It is not difficult to see how an aggregation of possible claims across a number of similar clients would have a profound impact on a firm’s professional liability insurance.

On a less ‘global’ scale, an accountancy firm acting for a property developer may provide professional services to a number of related entities. In the event of the developer suffering financial hardship, it is not inconceivable that a raft of corporate insolvencies might follow, creating pressure points and, not atypically, finger-pointing at professional advisers. Again, the combined possible exposure ought not to be underestimated.

The cyber impact on PI policies

A topical consideration is the impact of ‘silent cyber’. Historically, many businesses have been able to rely on their PI policy for third party liability cover in the event of a cyber incident. Such cover was typically not expressly worded, but ‘silent’. As from 1 January 2021, Lloyd’s markets require that PI policies either positively affirm or categorically exclude cyber cover, by way of endorsement. The intention is that cover for cyber-related issues should be clear and categorical - no longer silent. Non-Lloyd’s markets are also reviewing their positions.

This has implications for PI coverage limits. Whether cover for cyber-related incidents is affirmed or excluded, an analysis of the effect of the endorsement will be critical.

An exclusion of cyber cover may mean more cover is available for other PI claims (although potentially leaving an uninsured exposure that needs to be considered). By contrast, an endorsement of affirmative cover within the PI policy may mean that a cyber-related claim could erode PI limits. This possibility might necessitate an increase in PI limits, particularly when considering the exponential rise in ransomware attacks: attacks increasingly involving the exfiltration and release of confidential information into the public domain.

A key exposure for any accountancy business is the sensitive data held on its clients. When considering limits, estimating the cost of losing data and dealing with ensuing liability claims is imperative. This exposure will vary for all types of businesses but has particular relevance for professional service firms.

The full picture

The setting of PI limits over and above minimum regulatory limits should not be arbitrary nor based on premium alone, but a true reflection of the business’s risk exposure and tolerance, against a background of the professional services undertaken.

As well as PI exposure, a number of other factors deserve consideration when assessing business risks, including the possible transfer of risks relating to crime, cyber security and management liability. A full and timely discussion with your broker is recommended.

Vanessa Cathie, vice president, Lockton 

If you have any questions, please contact your Lockton Account Manager for further advice or email ACCAaccountants@uk.lockton.com.

Lockton is ACCA’s recommended broker for professional indemnity insurance