10/29/2021
October is Fire Prevention Month
In 1922 the National Fire Protection Association (NFPA) named the second week of October Fire Prevention Week in commemoration of the Great Chicago Fire in 1871. The goal is to raise awareness and educate communities to practice fire prevention. In addition to educating the public, municipalities should take this opportunity to survey their buildings to determine where they are at risk for fires, carbon monoxide poisoning, and life safety exposures such as building egress. Fires in municipal buildings can occur for a variety of reasons, some of which are preventable, such as faulty wiring or poor housekeeping, and some of which are not preventable, such as lightning strikes or vandalism.
Municipalities are at very high risk for these types of exposures due to the nature of their operations. Buildings such as City Halls, Libraries, or Community Centers are at high risk because they are open to the public, which could include large gatherings for official Town business or temporary rental scenarios. Any time you add the uncontrolled element of allowing public access to a building, the risk increases. Buildings such as Public Works garages, Parks/Recreation maintenance barns, and Fire Stations are at high risk due to the types of equipment and chemicals stored in them. Additionally, any building where vehicle or equipment maintenance such as welding and grinding is performed and a fuel source such as spilled oil, gas, or carbon dust exists is at very high risk for fires. Heavy vehicle electrical fires are very common, especially during the winter months. For more information on these types of fires click here. School buildings are at high risk due to their size, public access, kitchen/cooking exposures such as grease fires, art class-related exposures such as kilns, and equipment exposures in home education or vocational type classes with woodworking, vehicle maintenance, etc.
The types of risks present in each municipal building will vary, so the best way to address them is to conduct a risk assessment with your fire prevention officer and building inspector. Evaluate the physical hazards that could contribute to a fire, such as overloaded electrical outlets, improper use of space heaters and heat lamps, or excessive flammable wall coverings (common in school classrooms). Determine if the smoke/heat detection alarms are adequate and working properly or if additional measures are needed. Evaluate the material storage and housekeeping exposures and remove anything unnecessary. Ensure that fire sprinkler heads are unobstructed and in good working condition. Ensure that fire extinguishers are accessible and have a proper charge. Ensure that all egress routes and doors are clear. Discard unused chemicals and ensure that all chemicals are stored in proper containers and cabinets. Ensure that boiler rooms and electrical supply closets are clear of flammable storage. Once you have completed the assessment and determined what hazards exist at that location, you can then create a custom inspection checklist. For a sample self-inspection program please click here. After you have created a customized self-inspection checklist for the building, determine how often follow-up inspections are needed. The buildings mentioned above should be inspected monthly and any issues found should be remedied as soon as possible. If those who are conducting the inspections get support from leadership, the inspections will be much more impactful. Take the time this month to support your fire department in making fire safety in your buildings a priority. Implement a self-inspection program and set an example for your employees and your community.
Risk Transfer: Don’t Get Caught Holding the Bag
When entering any kind of contractual arrangement with a third party it is important to ensure that proper and consistent risk transfer procedures are in place to help protect your entity from potential liability or damages caused by that contractor or service provider. If these procedures are not in place or followed consistently, your entity could be responsible for damages if the responsible party does not have adequate insurance coverage.
It is also critical to use an attorney who is skilled at reviewing and scrutinizing contracts to help ensure you have proper Hold Harmless Agreements or Indemnification Agreements in place. These agreements are separate from a Certificate of Insurance (COI). Hold Harmless Agreements help protect against claims that could arise from the contract work or service being provided, or when someone is using your entity’s properties or services. Indemnification clauses are clauses in contracts that set out to protect one party from liability if a third party or third entity is harmed in any way. Such a clause contractually obligates one party to compensate another party for losses or damages that have occurred or could occur in the future.
Be especially careful when presented with architects’ AIA (American Institute of Architects) contracts. They usually default to $1 million of coverage (and your project may be a larger expense). Ensure that each contract requires insurance by the contractor that is equal to or more than the amount of the project. Remember that sometimes projects can increase by 20% or more with unexpected overages. Additionally, there may be waivers and limitations in place in the contract which benefit the contractor and not your entity. The required limits of insurance for the contractor/vendor are critical because you want to ensure that the coverage protects the cost of the project and overages, plus any unforeseen damages.
An example where something went wrong is a newly constructed $5 million jail that was constructed using a poor architectural design. The architect had never designed a jail before, which was contrary to the information provided for the bid, and he did not have an experienced architect’s oversight on the project. Further, when the blueprints were submitted to the Department of Corrections, the design problems somehow escaped notice and the blueprints were approved despite even the most obvious flaws. Once the new jail was completed, the County was alerted to the problems that existed by an outside party. The AIA contract they used only allowed for the architect to be responsible for $1 million in damages instead of the full amount of the project. This limited the County in being able to make critical corrections and many items had to be covered at the County’s expense.
Next, create a process for managing Certificates of Insurance (COI), ensuring that they are obtained, verified, and periodically re-verified to ensure that they have not lapsed or been canceled during the contract period. During this process, create a list of all active contracts and service agreements for each department and determine from whom you are currently obtaining COIs, ensuring that you are being named as an additional insured, obtaining hold harmless agreements, and ensuring the insurance policy limit and expiration date are acceptable.
Being named as an additional insured is important because it protects the individuals or parties who have been extended coverage under the named insured’s policy. Without it, any losses from claims will post against the policies of the primary insured and you would not be notified if the policy is canceled. The contract should also include a clause that requires the contractor/vendor to alert the entity in writing 30 days before changing/canceling the policy.
Retain COIs on file for your state’s statute of limitations plus one year at minimum. For example, if your state’s statute of limitations is two (2) years, then keep the COI on file for three (3) years. If a claim is involved, then the COI should be kept with the claim indefinitely. The reason is that if a vendor or builder has gone out of business, you still have a way to resolve the issue and become more whole.
View our Contractual Risk Transfer Guide.
Cyber Security: B.E.S.T.P.R.A.C.T.I.C.E.S.
Keeping up with cyber security threats is exhausting, and chasing trends (guarding against a named threat) is costly. Many are intimidated by technology and instead choose to leave network security issues to their “IT Guy.” The days of leaving security to your IT team are long gone. Protecting your organization against cybercrime will take the effort of everyone on your staff. To assist with this effort, we have composed an acrostic with a list of cybersecurity best practices for your administrative team to keep in mind.
- Backup all critical data routinely. Experts recommend conducting backups of critical data daily.
- Erase all sensitive information from computers before disposal. Before donating, selling, or recycling old computers, use software designed to eradicate the hard drive permanently. Deleting files or reformatting a hard drive does not remove all data.
- Safeguard your system by installing firewalls and virus and malware protection software. Always keep the operating system and web browser current.
- Train your employees on the basics of cybersecurity. Educate them on the various types of security threats and how to avoid common pitfalls. Establish best practices by describing how to handle and protect sensitive information.
- Passwords should be unique to the user and never be shared. Use a combination of character symbols, numbers, and upper- and lower-case letters to increase the password strength.
- Response team(s), a designated team of IT professionals or other individuals, should be formed to respond to data breaches.
- Assess and manage information security risks by periodically identifying new threats and your system’s vulnerabilities to those threats.
- Create an action plan for all wireless communication and portable devices. We recommend that users always password-protect their devices and that IT install remote wiping software.
- Terminate unnecessary online connections to any computers that are not in use or seldom used by turning off the computer or physically disconnecting them from the Internet. Criminals can access your system through these computers and compromise your network.
- Implement and communicate a process to follow in the event of a security breach. All employees must be familiar with their role in preventing, detecting, and responding when security and data loss prevention measures have failed.
- Control physical access to your computers, especially those infrequently used. Organizations should provide essential physical protection, such as locked doors, central security alarms, and other automatic devices to detect intruders.
- Evaluate and eliminate vulnerabilities in your network. Unfortunately, criminals are always looking for ways to exploit flaws in your system. By performing periodic technology audits and network penetration testing, your organization can test the safeguards in place and eliminate weaknesses in the system.
- Secure your wireless (Wi-Fi) network. An unprotected Wi-Fi network is an open gateway for criminals. To prevent unauthorized access, the FCC recommends using “WPA2” encryption, changing the default password and default network name (SSID). See: Protecting Your Wireless Network
Recognizing Risk Managers
Risk Awareness Week this year was October 12th through the 18th. While a Risk Manager’s job is never easy, Risk Managers have had even more to deal with over the past couple of years, having had to become Covid-19 managers. Covid-19 is the largest, most critical emerging risk we have had to wrangle with, and as the world continued to operate, it became apparent that Risk Managers had to quickly re-incorporate Risk Management into their roles because risk and liability do not stop. Kudos to everyone for their hard work during this most challenging time!
One of our key tools is communication. We can communicate about projects – those that are in planning, underway, status, and completion along with successes. We can send messages of encouragement and empowerment, promoting a positive workplace culture and helping keep management and staff risk-aware. Positive messages and recognition go a long way in encouraging contribution and innovation, especially when one is reaching out for input on a project. Asking for input is a great way to obtain buy-in and support. Frequent communication is a great way to keep critical thinking and awareness on the front burner.
Risk Management & Safety Committees are another great way to communicate through organizations and positively affect risk culture. Expanding one’s safety committee to include liability issues as well as property needs into a combined committee is a benefit in that there are employees who are working in the different areas of the organization and can contribute what they are seeing concerning liability issues as well as safety. Their insight and ideas can be great contributions not only to the project at hand but to also share information between departments to help strengthen best practices. The Committee can help spread the message of Risk Awareness both by communicating with co-workers verbally, but also by posting on departmental bulletin boards and sending electronic messages through the organization. This is also a great way to communicate their goals and achievements to help keep the positive momentum going. Involving Public Relations for certain projects so that the community becomes aware of the organization’s efforts and sees that the organization is being a good steward of taxpayer dollars can be a positive special interest story.
In recognition of Risk Awareness Week, take some time not only to feel good about the positive impact that you are having on your organization but also to communicate messages of encouragement and empowerment, and to thank management and staff for being a part of continuing to make the organization stronger, for the betterment of the workplace as well as the community it serves. Thank you for all that you do!
Did you know?
Did you know that since COVID-19 began, the US FBI reported over a 300% increase in reported cybercrimes? The FBI’s IC3, also known as the Internet Crime Complaint Center, reported a major increase with cybersecurity complaints going up from 1,000 complaints to over 3,000-4,000 per day.
