Are You Prepared to Gamble Your Public Entity Risk Pool’s Future?

Public entity risk pools are wholly adept at managing risk. With more than 90,000 public entities in the United States, the Association of Governmental Risk Pools (AGRiP) estimates that at least 80% of them participate in one or more pools.

By pooling their risk—and accountability—these not-for-profit organizations can economically provide risk management and loss control, underwriting, claims management and a comprehensive package of insurance coverages that typically include property, casualty and workers’ compensation. This effort supports a pool’s number one priority: the co-owners of the pool—its members. These members hail from local and state municipalities, including entire fleets of first responders (fire and police), public utilities, school districts, government-run hospitals, public libraries, community colleges, support staff and more. Accordingly, the typical pool must ensure its technology systems can reliably support the needs of its members.

This means ensuring uptime is paramount. During COVID, pools, like most private or corporate sector organizations, were forced to make adjustments in how they worked, many prioritizing their IT wish list to maintain operational performance and resiliency. However, unlike most organizations, pools are restrained by outdated legacy systems and a limited, fixed budget, and as a result, that wish list remains a wish instead of a reality.

Undoubtedly, budget concerns are one of many issues facing pools: Often, these organizations don’t have a large IT staff, so they’re forced to maintain operations “the way it’s always been done,” cobbling along in the hopes that the risks it faces will be minimal. In actuality, the risks facing these organizations are at an all-time maximum.

This conundrum is complicated by the fact that most pools rely on antiquated databases and Microsoft Office products for the bulk of their day-to-day operations. At a minimum, this reliance opens the door to Outlook phishing, making the pool more vulnerable to cyber criminals.  Many may use Excel or other inexpensive spreadsheet programs that make it difficult to access data and almost impossible to regroup on errors. Imagine the time required to backtrack, inspect various versions of the spreadsheet’s values, calculations, source data and file history to correct the error, wreaking havoc on routine financial or regulatory reporting. Some pools use insurance core system software that, with the exception of claims, includes workflows that don’t necessarily match with the pool’s own protocols.

If all this doesn’t spur you to think differently about how technology is managed, consider the largest, most recent risk impacting pools: ransomware. Public entities are one of the most targeted sectors, yet often have the least resources and capabilities to prepare for and respond to ransomware attacks. Consider that 2,400 U.S.-based governments, health-care facilities, and schools were victims of ransomware in 2020, notes Council on Foreign Relations blogger Michael Garcia. In 2020, cyberattacks cost government organizations in the United States approximately $18.88 billion in downtime and recovery costs, according to a report from consumer tech information company Comparitech. Local governments continue to experience the greatest number of ransomware attacks according to security company Blackfog.

Yes, ransomware is a network issue, and with ever-evolving ransomware keys and infiltration methods, there’s no way to prevent an attack with 100% certainty.  But the rise in cybercrime is spurring pools across the country to wake up to the fact that it’s the pool’s technology foundation that enables them to best respond to their individual public entity members, which makes that foundation a critical asset--and more valuable than ever. Without a unifying approach to IT management that includes modernization, pools will continue to struggle to operate efficiently, much less deter, disrupt, prepare for and respond to ransomware events.

Now let’s revisit the statement about pools and their fixed budgets. As they work with members on their annual loss control programs, they ask: What is the cost of not modernizing systems that are used to make city payroll, keep utilities up and running, communicate with first responders and even save lives?  If nothing else, the latest wave of ransomware is a learning moment for pools that have been trying to define a path to digital maturity.

That path, which can be undertaken by pools of all sizes, begins by conducting a basic technology assessment, which can be used to identify both known and unknown risks, issues that affect data access, workflow, operational performance and resiliency, network and systems’ vulnerabilities, mobility, and, of course, security.

The good news is that pools that have undertaken tech assessments are finding that their legacy systems can stay put—there are inexpensive ways to modernize and drive immediate front-end results without an overwhelming rip/replace approach. There are solutions available that can help them take a stepped approach to evaluating protocols, optimizing processes, enhancing workflows and improving services for its members.

Let’s face it: whether in it for a profit or not, pools want to reduce operational costs, increase policyholder/member satisfaction, offer systems that are attractive to younger IT workers, and form a solid and secure foundation for the future.

Recent events tell us that it’s no longer an option to “just get by” or “wait and see.”  The choice pools face today is a calculated one, and it’s important to recognize that their goal—to attain effective integrated risk management--is only as powerful as the technology foundation that supports it. It just takes that first step.

*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*