Shutting the door to attacksThese are expenses that can be driven down by putting proper protections in place. For industrial firms, manufacturing operations — or any business for that matter — shoring up cyber security measures is critical. While attacks cannot be avoided entirely, their impact can be significantly decreased.
Some recommendations to consider:
– Investigate before an event occurs. Have systems reviewed by a forensics investigator for potential vulnerabilities. Then address the vulnerabilities as soon as possible.
– Conduct tabletop exercises. Work with privacy counsel to establish what steps to take should an incident occur. Who will be notified? Who is in charge of that notification?
– Test your and your carrier’s breach response readiness. Call your carrier’s data breach hotline to see how long it takes to get a response as an integral part of your breach response planning.
– Review policy language. Understand what your reporting and pre-planning responsibilities are. Some policies require that all forensics and privacy counsel teams be pre-approved. Understand when, and how to report any incidents to your insurance carrier.
– Partner with the right insurance company. Work with an insurance carrier that has deep expertise in handling cyber-related security issues. Your carrier should have a dedicated team of privacy counsel and forensics investigators to help you identify and fix vulnerabilities and prepare for any potential attack.
Whether it’s today’s LockerGoga vulnerability or a future mode of attack, your company’s operations depend on not just a swift response, but a strong defense against breaches. Make sure you’re prepared – create a proactive plan to regularly address and protect your business from ransomware attacks.
Your company should conduct an investigation on its systems and practices long before a ransomware event occurs. That includes understanding what the current process is for investigations, who to call first, and what your responsibilities are.
It includes also knowing how your insurance carrier will respond, and what your reporting and preventative responsibilities are. Work with your carrier to put proper preventions in place, and to tailor your insurance to match those risks your company cannot otherwise mitigate.
About the Author: Tara Nayak is a Claims Specialist in AXA XL’s North America Cyber & Technology insurance business. She can be reached at tara.nayak@axaxl.com.
Done well, operational review ties together all of the effort that has been invested in a sub to get them through the process. It is where "the rubber meets the road."
Because there are fewer clear metrics to apply to this assessment, the operational review is often the most challenging portion of prequalification to execute consistently and well. Many of the steps taken up until this point would be considered “science”; that is, there are clear formulas and requirements for passing the initial review, and defined metrics for financial assessment. The operational review includes more “art”. It is not simple or clear-cut. It is important to devise a consistent way to assess and document which subs will be the best fit on a given job.
The components of a “Best in Class” operational review include having the right people, reviewing the right information, from the right sources, at the right time, adjusting appropriately, and documenting the output of the process. Let’s break that down.
The Right People
– Just as in financial or insurance reviews, there is specialized knowledge needed to perform an operational review. Individuals performing this review should have detailed knowledge of the specific project requirements.
– They should also have fluency with – and access to - the subs’ financial and general prequalification status, internal references, etc. It is critical that they possess an understanding of how the pieces of the prequal process fit together with the operational decisions they will make.
The Right Information
– Make sure your operational assessment includes consideration of the subs’ history with projects of similar type, size, and requirements. Review subcontractors’ capacity holistically – not just as a score or ratio. Experience with similar projects is every bit as important as financial health. A sub may be excellent on a $1M project, but completely paralyzed by a $1.5M contract, or great with K-12, but fail on a healthcare project. Geography matters too; subs who are completely solid in their hometown, may struggle to staff or understand soils or codes on a job just a short distance away.
– Understand the subs’ QA/QC and Safety approach – and make sure they understand yours. Have them delineate their quality and safety concerns and their approach to manage them. Is it aligned with your plan?
– Understand the subs’ work for others. Review their WIP or otherwise gain an understanding of their work programs to find out if their overall project load will be in line with their past performance. Also try to determine if a single large or very public project may threaten their focus or manpower on yours.
– Discuss manpower and schedule requirements and understand the subs’ staffing plan for your project. Can they give you enough resources to meet the schedule and quality requirements? Are you getting the A team? Do they currently employ enough people, and, if not, will they be hiring for the job – in which case you might be on their learning curve - or use brokered labor? How will they manage if so? Do they have experience with their proposed approach? Many large claims have schedule and/or quality components directly related to manpower issues, which are increasingly common as the labor pool is stretched by more and larger projects than ever before.
From the Right Sources
– Talk to the subs. What do their responses tell you? Are they readily available to talk and collaborative in their approach? Also listen to what they don’t say: How do they respond to requests for information? Have they supplied you with their qualification information, quality plan, OSHA logs, etc. in a timely fashion? You can make some fair assumptions about whether they will be a true partner or an unproductive challenge using these factors.
– Pick up the phone! It is surprisingly common to see that references were collected but not called. Use the references you collected in the initial phase of the review and capture those conversations in notes that are accessible to future project teams as well. In addition to performance-specific questions, use this opportunity to ask about the sub’s management – administrative and field. Are they timely with documents, willing participants in constructability and schedule efforts available for meetings, and to answer the phone or email?
– Don’t leave the information already existing within your organization on the table. There’s nothing much worse than struggling with a sub and having another member of your own team say that they had the same problem – last year. Make internal post-project evaluations part of your closeout process, and consulting them part of the prequalification process.
At the Right Time
Ideally, the time to look at a sub’s operational capacity and character is before they are allowed to bid your project, and certainly before relying on their number in a budget. However, in a situation where this is not possible (as in hard bid work) the effort to fully understand your sub partners is still worthwhile for risk mitigation purposes, and occasionally may result in a decision to move on to a different sub at a cost. The information gained in a formal Operational Qualification process will help you to make the best possible decision in all situations.
Adjust Appropriately
– Think about the “What Ifs”. Scrutinize the sub’s potential impact should they fail. Understanding your Plan B if the sub goes out of business or falters. How disruptive will that be? Will they be straightforward to replace? Are they on the critical path? Do they control specialized materials your project can’t proceed without? The stakes are highest for critical path trades with proprietary or custom systems, and your level of caution should reflect that.
– Have defined practices around low bids – Define a percent low at which a sub’s bid will get a closer look before the bid can be used. 10% low is a typical threshold. Assess whether a low bid is in line with other bidders and your internal budget and includes all appropriate scope. Ensure the sub understands all the specifications (including division 1 specs) and your internal requirements for quality, manpower, and safety on the project, then proceed with due caution.
– Use appropriate Risk Mitigation Planning. If a sub is the right one for your job, but shows weakness in some area (operational or financial) a strong RMP may protect their ability to perform and make all the difference in their success on your job. Ensure that your teams know this, and are willing to create and manage appropriate risk mitigation plans for the lifecycle of the subcontract. Financial RMP are easily implemented (joint checks, dedicated LOC, etc.), whereas operational RMP are tougher to deploy – but should be contemplated as part of subcontract terms, including quarterly update of work awarded, monthly C-suite meetings, dedicated personnel and crew size, quarterly operational scorecards, increased quality and production monitoring, etc.
– Define guidelines and limits of authority (LOAs) to clarify practices for exceptions. Your team needs to understand the limits resulting from your review, and that there is a firm process for using subs outside of those limits, no matter how low their bid or strong their reputation. Define Limits of Authority (LOA) for exceptions to the parameters you’ve set, and review awards to determine that the process has been followed. Examples of situations where an exception process would be appropriate prior to award would include:
– Subcontractor's largest-ever project
– Subcontract award over the sub's calculated SPL or AGG
– Red flags in the prequalification or information that is expired
– Subcontractor engaging in a new market, scope, or geography
– Lack of QA/QC definition
– Safety (EMR too high, practices not in line with yours)
– Negative internal or external reviews
– Predetermined scopes lways requiring a second look prior to decision to award (building envelope subs, for example)
Make It Happen
Once you’ve determined the practices for operational prequalification within your organization, don’t leave them to chance. Formalize the criteria for consistency. Develop a process or template to capture the factors that led to award decisions – and memorialize them. This is useful for accountability, to see trending over time, and subs’ fit with various types of projects. A periodic audit process for compliance is also recommended.
Common Practices to Avoid:
– Don’t just “trust your gut” – decisions should be defensible with documentation of how they were reached – best practice is to use a scoring matrix, best-value narrative, etc. to capture the factors that went into the decision. Replace “trust your gut” with “trust but VERIFY!”
– Don’t rely solely on past relationships or experience – relationships matter but need to be tempered with specific knowledge of each sub’s current health and capacity. This means communication between financial and operational reviewers / sub selection team. Default claim information suggests that there may be increasing instability in the very subs you have become most comfortable with – those in business for 10-15 years or more. Don’t be complacent.
– Don’t overlook the potential impact of smaller subcontracts. Claims data supports that subcontracts under $5M have the largest cumulative impact when it comes to defaults.
In summary, the operational prequalification process offers an incredible opportunity for positive influence on your project’s success. It is not easy, but it can either magnify or destroy the value of all the prequalification efforts that precede it. Defined and thorough practices lead to greater success and are well worth the effort to develop and follow.
Cheri Hanes is a risk engineer with AXA XL’s North America Construction insurance business. She’s always open to talk more about CLT. Contact her at cheri.hanes@axaxl.com.
