Be Prepared for the Unexpected!!


In creating an effective crisis management plan, your organization should explore various potential crises your organization can face, such as fire, weather-related perils, workplace violence, and cyber-attacks. After assessing the risks, create a crisis management plan to address those risks identified. This process should be assessed regularly to strengthen any weaknesses in the current plan or identify new risks.

Crisis Management Plans should include the following:

  • Procedures for the immediate response to a crisis, business operations plan, and a contingency plan for every potential crisis identified.
  • Updated inventory of your organization’s personal property and equipment to ease the insurance claims process.
  • Employees’ roles.
  • Individuals who are designated to take charge during an emergency.

Your crisis management plan should be able to answer, “What do we do [potential situation]?” Your crisis management plan should be reviewed by your attorney and regularly updated. The most effective strategy is to be prepared.

Many insurance carriers can provide additional information to assist with your crisis management plan. Let us know if you have any questions; we are here to help.


Risk Management Basics: Preventing Slips, Trips, and Falls

Written By: Rebecca Gomez


Slips, trips, and falls are among the most common incidents that nonprofits face. These claims can be costly for many nonprofits, and implementing an effective slip and fall incident prevention method will help prevent future claims and keep insurance premiums low. Your organization should establish a risk management policy that focuses on both prevention and procedures in the event an injury occurs. Some good practices include documenting the incident and collecting witness statements and any video surveillance (if possible). These practices can make a huge difference in defending your organization from fraudulent claims as well.

A basic “walk through” of your premises to find potential problems should be implemented daily. Below are a few tips to include in an effective slip, trip, and fall prevention risk management program:

  • Conduct a daily facility safety survey to look for common problems such as wet or greasy floors, loose mats, torn carpeting, bad lighting, clutter, cables or wires and uneven surfaces.
  • Immediately attend to any problems by putting up warning signs and/or closing an area off and taking steps to eliminate the hazard.
  • Maintain all floors and walkways on a consistent basis, using the recommended cleaning products and methods. Fix all uneven surfaces if possible by recoating or leveling the floor. You should mark or illuminate areas that cannot easily be leveled.
  • Train your employees and volunteers in slip and fall safety, and establish guidelines on how they should report problems and respond to customer injuries or hazardous situations.
  • Make sure you have secure handrails for all stairs and balconies.
  • Take care of your outdoor areas, including sidewalks and parking lots. Potholes, snow and ice all create potential problems.
  • Additional or dry replacement entrance mats should be available on site during wet weather.
  • Document all of your efforts by keeping records of your daily safety inspections and any maintenance work to improve walking and working surfaces.

Best practice is to have a written policy in place and to train managers, employees, and volunteers on all safety procedures. Safety is everyone’s business!

Your organization should also have a written incident report form to document any such events. It is every employer’s responsibility to provide a safe environment. Be sure you are doing all that you can to recognize and reduce the risk. Slips, trips, and falls have the potential to be a major cause of injury for your employees, volunteers, vendors, and visitors. Be Prepared.

Let us know if you have any questions or would like more information. We are here to help.

Back to Basics: Cyber Risk Management and Your Employees

By Rebecca Gomez

Communicating cyber security risk management procedures to all staff is critical to every organization. A recent report indicated two-thirds of all cyberattacks against organizations (large and small) result from employee negligence or malicious activities. The same report also indicated that external breaches only caused about 18 percent of cyberattacks. Human error, according to many studies, is the leading cause of cyber-attacks. Therefore, administrators and employees need regular training on how to identify and prevent cyber-attacks.

Minimizing cyber threats requires a cyber security plan that includes effective policies and procedures that account for legal compliance and data protection. These policies should include (not an exhaustive list):

  1. A bring your own device (BYOD) policy governing whether or not an employee can use their own device to conduct business and the circumstances that determine whether or not personal cell phone use for business is appropriate.
  2. A password policy requiring the use of strong and unique passwords that change at least every 6 months.
  3. Personnel policies that enhance security.
  4. A network tracking policy requiring regular monitoring of network traffic for evidence of suspicious access.

Organizations should also have an incident response plan in place that outlines how the organization will respond to suspected events. Implementing an incident response plan will help your organization quickly investigate and remediate cyber-attacks. It will also outline the leaders of the response team and their responsibilities in implementing the response plan. The board of directors should be informed of the organization’s cyber security program and exposure, as they are ultimately responsible. Brown & Streza offers a unique proactive approach to a Data Security Breach plan that can help your organization prepare in the event of a breach.

Cyber Risk Insurance should be considered as part of your risk management plan (and not your only plan). A Cyber Risk Insurance policy can offer nonprofit organizations affordable protection. There is no “standard” cyber policy form, and administrators should review their cyber policies to understand what coverage their policy provides. Most standalone Cyber policies offer forensic investigation coverage, system restoration costs, defense and indemnity costs associated with litigation resulting from the loss of personal information or other sensitive data, and defense costs and penalties associated with regulatory investigations. Most General Liability policies now exclude coverage for cyber-related claims.

Please let us know if you have any questions regarding cyber risk management or would like us to provide you with a quote. (see attached application)

Cyber Risk Management and Cyber Liability Insurance

By: Rebecca Gomez


Last weekend, a ransomware virus known as “WannaCry” affected 150 countries and more than 300,000 people. Ransomware is a cyber attack where hackers encrypt files on their victim’s server and hold them for ransom. In the case of “WannaCry,” the hackers demanded $300 to restore the victims’ data.

An important lesson to take from this incident is that no one is 100% safe from cyber crime. If the appropriate measures to protect your data are not diligently taken, your organization is vulnerable, and recovering from a cyber attack can be costly. The Hiscox Cyber Readiness report stated that last year alone, cyber crime cost the global economy $450 billion.

Below are some risk management tips your organization may want to consider regarding cyber risk:

  • Conduct regular backups of systems.
  • Have strong, unique passwords, which provide a barrier against intrusions.
  • When using unfamiliar websites, make sure the URL begins with https. The “s” indicates that the site is secure.
  • Continually install the updates your browser and operating system (including anti-virus and anti-spyware) require.
  • Be aware of the e-mail you receive: if the deal sounds too good to be true, be very skeptical. If you receive a message from your co-worker, employer, or someone you know and it sounds out of character, or includes nothing but a link in the body of the email, it may be suspicious. Check with the sender and make sure it is legitimate. This could be a phishing fraud.
  • Do not use an unprotected Wi-Fi network for your business. Always require a password, and do not conduct business where there is public Wi-Fi.
  • Password-protect smartphones and computers.
  • Train employees on cyber risk management.

The “WannaCry” ransomware incident serves as a good reminder to keep current with system updates and to contact your IT person to check your organization’s software for vulnerabilities. Good data security is key to protecting your organization.

Cyber Liability insurance should be part of your organization’s risk management program.  If you have a Cyber Liability policy, be sure to review it and understand the terms and conditions. Many cyber policies offer effective loss control services to help protect your organization. Let us know if you have any questions regarding Cyber Liability or would like us to provide you with a quote. We are here to help.

Back to Basics: The Importance of the IIPP

by: Rebecca Gomez



In California, organizations with at least one employee are required to have a written Injury and Illness Prevention Program (IIPP) that is easily accessible for employees to read. An IIPP is a safety program that requires employers to develop and implement an effective program that improves safety in the workplace. In order for the IIPP to be effective, all employees, supervisors, and management need to be actively involved.  Cal/OSHA requires eight elements to be written in the IIPP and implemented in the workplace (with a few exceptions).

  1. Responsibility (The position/person who is in charge of implementing the IIPP)
  2. Compliance
  3. Communication
  4. Hazard Assessment
  5. Accident/Exposure Investigation
  6. Hazard Correction
  7. Training and Instruction
  8. Recordkeeping

Above are the minimum components required for an IIPP to be acceptable to Cal/OSHA standards. Everything in the IIPP must be implemented and documented to avoid a fine from the Cal/OSHA inspector. If your organization adds additional safety procedures to the IIPP, make sure those procedures are properly implemented with proper documentation.

There are a few exceptions to the IIPP requirements. One exception is as follows:

If your organization has 20 or fewer employees in a calendar year, is in an industry that is not on a high hazard list, and has an experience modification rating of 1.1% or less, your organization qualifies for the limited requirements of the IIPP:

  1. Identity of those with the authority and responsibility to implement the IIPP.
  2. The schedule of periodic inspections to identify unsafe conditions and work practices.
  3. Training provided to employees.

Cal/OSHA provides a sample IIPP program (see attached). Anything that is written in the IIPP must be implemented and have supporting documentation. Administrators need to make sure that employees know who the IIPP administrator (the authority) is and who has the responsibility for implementing the procedures in the IIPP. (This is usually one of the first questions a Cal/OSHA inspector will ask an employee during an inspection.) If your organization identifies a specific individual’s name, instead of a position title, make sure to update the IIPP if another individual takes over that position. It is important to update your IIPP at least once a year.

The IIPP, while statutory, can support an organization’s safety culture. The IIPP reinforces the importance of safety in the workplace. A safe work environment can help prevent workplace injury claims and lower your organization’s workers’ compensation premium. Please let us know if you have any questions or concerns regarding workers’ compensation or the IIPP. We are here to help.

Developing a Safety Culture

by Rebecca Gomez


At Baker Romero, we encourage our clients to focus on the importance of developing a safety culture in the work environment. Administrators should find ways to motivate employees to follow safe work practices. An effective safety culture can help lower the number of claims and minimize the cost of a claim, as both affect the x-mod and the workers’ compensation premium.

This past year, the Occupational Safety and Health Administration (OSHA) enacted a new regulation that prohibits employers from implementing injury-based incentive programs. OSHA considers this type of incentive program retaliatory because it can discourage employees from reporting injuries. Having rewards based on injury-free days is an example of a prohibited safety incentive program. When employees refrain from reporting a claim after an injury, another issue to consider is the adverse impact it can have on a claims report. The cost of the claim significantly increases when employees do not report injuries.

However, OSHA did not prohibit the use of incentive programs altogether. Employers should develop a safety program that encourages safe work habits and implement an effective return to work process.  Recognizing employees for safe work habits such as completing training and using safe work procedures can create a proactive safety culture. Also, consider incorporating safety measures into performance appraisals. The performance appraisal demonstrates the importance of a company’s commitment to safety.

In the final analysis, developing a strong safety culture by encouraging safe work habits can be more effective. Administrators should create innovative ways to encourage and recognize safe work habits that encourage employees to be safe on a daily basis.

As a service to our clients, our agency provides safety videos tailored to their organization to help them promote safe work habits. Please contact us for information regarding the safety videos or if you would like a quote for workers’ compensation coverage. We are here to help.

Does Your Organization Have a Robbery Prevention Strategy?

By Rebecca Gomez

Crime is a continuous problem for many organizations. Several studies have proven the direct correlation between available cash and likelihood of a robbery. The best strategy an organization can have to prevent robbery is to limit the amount of cash available. This strategy will not only reduce the likelihood of a robbery but will also reduce the possibility of employee or client injury that can result from a robbery. Organizations that have retail operations are especially vulnerable to robbery.

To protect your organization, administrators should implement a robbery prevention program. The Occupational Safety and Health Administration (OSHA) developed a set of questions that can help administrators assess their exposures to a potential robbery. These questions include:

  • Is cash on hand or in cash drawers kept at a minimum? Interviews with robbers have indicated that when the amount of available cash drops from $100 to $50, fully half the robbers lose interest in the store as a robbery target.
  • Is cash, especially large bills, removed from cash registers and deposited in drop safes?
  • Are signs posted noting that only limited cash is available and employees do not have access to the safe?
  • Is cash transferred to the bank regularly, but not on a set, predictable schedule?
  • Has consideration been given to using an armored car service or having a guard accompany bank messengers (especially for night deposits)?
  • Has consideration been given to closing the business at night, especially if other neighborhood businesses close? Robbers prefer targets that allow them to escape unseen.
  • Are posters and displays, which obstruct the view into the premises or block the employees’ view of the outside areas, not placed on windows?
  • Have employees been advised to observe and report suspicious persons?
  • Have employees been trained in procedures to follow during and after a robbery?
  • Have employees been advised not to take any actions that, during a robbery, could jeopardize personal safety?
  • Are “buddy” procedures used for opening (such as one employee waiting outside while another searches the premises) and closing (having one employee leave and go to the safety of a car before the other employee locks up) the business?
  • Without conflicting with life safety code requirements, are side and rear doors kept locked at all times? In some robberies, access is gained through the side or rear door.
  • Are security devices, such as holdup alarm systems and closed circuit television, provided and employees trained in their use? If a holdup alarm is provided, employees should be advised not to attempt to actuate it while the robber is on the premises.

Being proactive is an effective risk management strategy to prevent your organization from becoming a victim of crime. If you would like a quote for crime coverage or have any questions, please contact our office. We are here to help.

Can Water Damage Be Covered?

According to Nonprofits Insurance Alliance of California (NIAC), the most common uncovered property claim they receive is water damage. Property claims are generally declined because of poorly maintained premises. Water damage is typically excluded from property policies, with the exception that a covered cause of loss occurs first, such as wind or fire. Water damage claims can be prevented with regular maintenance. With the storms that have swept through California in the past few weeks, many organizations may have experienced leaks and water damage from poor maintenance. Damage claims that result from improper maintenance are declined by most insurance carriers, as such damage is not categorized under a “sudden and unforeseen event.”

An effective risk management tip is to have routine property inspections. According to NIAC, some things that need to be checked regularly are: damaged flashing, roof scuppers, drains, gutters, and drain pipes. A failure to do so can turn a small fix into an expensive repair that would not be covered under your property policy. In other words, if damage can be deemed as a result of poor or negligent maintenance, it may be declined.

Also, consider purchasing flood insurance to protect your property. Flood insurance provides coverage against damage done by rising or overflowing bodies of water. Property policies, in general, do not insure flood damage.  If you have any questions about property or flood insurance, or would like us to provide a quote, please contact us. We are here to help.

*This article is intended to be used for informational purposes only and not to be construed as legal advice. 

Cyber Threats: Be Prepared.

As hackers and cyber thieves are becoming more technology literate, the scale and sophistication of cyber-attacks are increasing. In San Francisco, for example, the San Francisco Municipal Transportation Agency (SFMTA) became the victim of a ransomware attack. A user (in SFMTA’s case, an employee) unknowingly downloaded the malware on their computer, which then was seized by the cyber criminals’ ransomware. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.

The internet is not as stable an institution as many believe. Web companies have tight security protocols that are dedicated to network security infrastructure. In October, Dyn, a web company that controls the internet domain name system, was attacked. Their system was infected with “botnets,” a malware that is designed to bombard a server with traffic that overwhelms the server and crashes it.

These are two examples that prove no one is 100 percent safe from cyber-attacks. Tracey Vispoli, President at Berkley Cyber Risk Solutions, advises that, “Everyone should assume at some point their data will be viewed by an unauthorized person or group of persons with the intent to disrupt, destroy, or hack that information for their own gain or purposes.”

Cyber threats can have an impact on all insurance policies. In reviewing insurance policies, organizations should look for where coverage exists and where there’s a gap. Some policy forms include data breach exclusions while others include some coverage but may not be sufficient in recovering lost data and other expenses accrued from a loss.  As cyber threats are becoming increasingly common, cyber policies will also evolve, according to Manny Cho, executive vice president at Risk Placement Services, Inc.

Cyber risk management is a good practice that organizations can do to help protect themselves from losses. But what should organizations do in the event they fall victim to a cyber-attack? Having a cybersecurity strategy can be a good defense. Christopher Roach, Risk and Advisory Services managing director for CBIZ, has a 3R strategy that can be helpful in the event of a breach.

  1. Recognize: Organizations need to find the source of the incident. Finding the source is important to help minimize the damage. Roach states to look to internal controls. Monitor logs and access to networks to find signs of breaches.
  2. React: Cut off the access point to slow down the hacker and attempt to preserve the environment that has been compromised. Use proactive monitoring, training for employees or other IT users, and layered security. Law requires that if any identifiable information has been compromised, the affected parties must be notified. Check with your attorney for more information in the event a breach of this nature occurs. Forensic analysis should be conducted, and organizations should look for a tech company that is experienced with cybersecurity risk mitigation.
  3. Recover: Organizations need to fix the vulnerable areas that led to the breach and discuss what they can do to better secure their data. After fixing those areas, organizations should implement a risk management program and conduct periodic cyber risk assessments.

A cyber insurance policy should be considered as part of your risk management plan. Most policies are designed to protect your organization from various types of cyber threats. For more information regarding cyber policies or if you would like us to provide a quote, let us know. We are here to help.

January Newsletter

Workers’ Compensation and the Experience Rating Modification (“X-Mod”)

Experience rating, authorized under the State Insurance Code, is a statistical procedure, which tailors premiums of qualifying employers to fit their organization’s loss (claims) experience.

How Does the System Work?

If your company’s premium is large enough to meet the system’s eligibility requirements, it is assigned an annual experience modification. Eighty percent of the state’s workers are subject to experience rating.

The experience modification (‘x-mod’) is generated by the Workers’ Compensation Insurance Rating Bureau of California, a nonprofit association of more than 400 workers’ compensation companies. The Bureau is licensed by the Insurance Commission to collect data about injured workers’ claims. The Bureau uses this data to develop workers’ compensation rates and pricing regulations, which are recommended to the Insurance Commissioner for adoption.

An important part of the Bureau’s duties is determining your organization’s qualifications for an experience modification (‘x-mod’).

Experience Rating Compares Organizations that Have Similar Risks (Exposures)

By comparing your organization’s payroll and claims history with other businesses assigned to the same industry classification, experience rating can determine if your organization’s claims are greater or less than what is expected from an organization in a similar industry.

The Bureau uses this statistical comparison to assign your organization its experience modification. The “x-mod” is a percentage factor, which is applied to your premium. It is used to either increase or decrease the amount of premium your organization pays to your insurance company.

How Workers’ Compensation is Priced

The premium for workers’ compensation insurance is based on a minimum rate that is established by the insurance commissioner.

The manual rates are based on a comparison of past payroll and losses of all of the businesses in a given classification. The rate projects the average cost of paying benefits for all businesses assigned to the classification, per $100 of payroll. If the rating system went no further than manual rating, the loss history or experience rating would not be recognized in determining the premium.

Experience rating, however, refines manual rates by comparing a company’s loss experience to other businesses assigned to the same classification and adjusts the company’s premiums to reflect its actual experience.

If you have any questions regarding workers’ compensation insurance, please let us know. We are here to help.
