From the tangible to the intangible
The hospitality sector’s fragmentation, growing reliance on technology and disruption by new players has seen a shift in focus towards intangible risks
As with many other industry sectors, the leisure and hospitality industry is subject to constant change and reinvention, introducing it to new and emerging risks as it evolves. While property damage and business interruption have not gone away, today’s organizations are increasingly concerned about cyber attacks, reputational damage and disputes with franchisees and other emerging perils. This is particularly the case for major hotel chains, as they have become franchised entities. “Big hotel groups aren’t what people imagine — because they very rarely own hotels — they are effectively companies that are brand owners,” explains Ian Canham, partner, Risk Solutions, Lockton.
“What that means is that systems and cyber become fundamental to the risk of large hotel groups.” InterContinental Hotels Group (IHG) has 5,174 hotels across nearly 100 countries, including brands such as Candlewood Suites, Crowne Plaza and Holiday Inn. Hilton, which owns Hampton and Doubletree, has 243 franchised hotels in the U.S. and 260 in the rest of the world. Within these major hotel chains are sub-brands, including restaurants and spas, with each business run independently by a franchisee. All these entities are stakeholders in the value chain, with the onus on the brand owner to attract franchisees and maintain standards.
“Ultimately whoever puts the brand on the building still has to worry about everything and it all needs to be aligned,” says John Ludlow, CEO, Association of Risk and Insurance Managers. “Everybody else has to fi t in behind that and support it otherwise the pyramid falls down.” He thinks the secret to building resilient organizations is in effective leadership. “It’s not about control. You can’t control 5,000 hotels and 380,000 members of staff and a million guests who, for example, you are selling alcohol to. It’s about leadership and, as a brand owner, leading for all you’re worth.”
As intangible assets make up an increasingly large proportion of the value of leisure and hospitality firms, reputation and brand protection are front of mind, explains Polly James, director of risk management at Hilton. “Our reputation is our biggest asset. We have a department that focuses on business continuity crisis management.”
“A big part of brand protection is communication, training the people on the ground on how to react and what to say and what not to say,” she continues. “I know in Europe periodically the general managers will do one-on-one media training with members of the press. They will be given a scenario and trained in how to keep a tight lid on any negative fallout.”
Effective crisis training is all about having the “muscle memory”, explains James. “It doesn’t matter how good your plans are and what you know, it’s how you implement it. And the best way of doing that is to practice it.”
A survey from software provider Fourth found that younger, tech-savvy consumers are more likely to leave negative reviews on platforms such as TripAdvisor. Operators have the best chance of mitigating this if they provide a discounted bill, great service and the offer of a complimentary return visit upon hearing of a complaint.
“Bad news travels very fast now and hotel groups spend huge amounts of time monitoring social media,” notes Canham. “That was one of the findings of the Airmic report ‘Roads to Resilience’: many organizations from a variety of sectors found that social media could out-communicate them. You have to be really on top of that. And when it comes to claims handling an individual’s claims experience will get spread very quickly on social media.”
Hospitality in a technology age
One of the biggest challenges and opportunities for leisure and hospitality organizations in recent years has been the growing reliance on technology and the disruption that this has created. On the one hand access to big data and advanced analytics is offering new opportunities to tailor the customer journey to the individual.
On the other hand, technology has caused disruption in the industry, heightening competitive pressures. Incumbents are up against the sharing economy among others. According to real estate consultant Colliers International, in London alone Airbnb’s market share of overnight stays more than doubled in the last year, to almost nine percent.
Meanwhile, the emergence of internet travel intermediaries has intensified competition within leisure, corporate and group travel. There has been immense pressure to update legacy systems in order to bring booking and reservation platforms and websites up-to-speed to compete in a digital era.
With online travel service providers including Expedia, Booking.com and Travelocity.com all vying for a slice of the business, and often undercutting the prices listed by branded reservation systems, the pressure is on to adapt and innovate. Increasingly it is about leveraging data to tailor the customer experience, explains Airmic’s Ludlow.
“Legacy reservation systems are being replaced,” he says. “That’s enabling the big hotel chains to manage the guest experience, as well as the more transactional aspect of the guest arriving at a hotel. Right from the time you think about staying at the hotel, all the way through every stage of the guest’s emotional experience throughout their journey, through to gathering feedback and providing loyalty incentives. It’s an incredibly joined-up and connected world.”
However, while the Internet of Things (IoT) offers the opportunity for hotels to better tailor the customer journey to the individual, it also introduces potential weaknesses, explains Hilton’s James. “In the future when you check into your room, you’ll be able to customize things like having extra pillows, ordering room service, setting the room to your preferred temperature etc. But that will potentially open up additional avenues for attackers to hijack those interfaces.”
Growing cyber claims
While data is allowing leisure and hospitality organizations to tailor the experience to the individual, it has also heightened their responsibilities when it comes to gathering, handling and protecting that data. For organizations operating in Europe and equivalent jurisdictions, new data protection regulations — the GDPR — have introduced more stringent data protection rules and significantly increased fines and penalties (up to four percent of annual global turnover) for those failing to adhere.
The leisure and hospitality industry is far from immune to major cyber-attacks — including ransomware, denial of service attacks and other cyber threats targeting sensitive data, attempting to extort and threatening to bring down critical systems. As XL Catlin notes in a recent article, six high-profile companies within the hospitality industry suffered customer data breaches between May 2014 and December 2015. They included a restaurant chain where credit card data was stolen from over 3,600 outlets.
“There is a clear trend towards greater sophistication of the attacker,” says Paul Handy, global head of Cyber and Technology Risks, Crawford. “We are seeing some very clever methods of attack that would challenge even the most technoalert. Cyber insurance is now becoming a must-have purchase and with that access to expert-led incident response services.” Fifty-five percent of hotel and hospitality organizations currently purchase cyber insurance, with a further 27 percent stating they plan to take out the specialist cover in the near future, according to Aon Risk Solutions.
The success of any major hotel business comes down to its ability to fill rooms, thinks Ludlow. Beyond the concerns over losing customer data, it is the business interruption (BI) arising from a cyber attack that can be particularly disruptive, he says. “You are selling time and once it’s gone it’s gone. Frequent outages were the one I used to fear the most — when you are starting to annoy your customers. Also, don’t forget, you’re annoying your hoteliers who are part of the ecosystem.”
In its 2018 Risk Barometer, insurer Allianz found that for the first time, cyber incidents were the most feared BI trigger. BI is also the main cause of economic loss for businesses following a cyber incident. “Increasingly, the claims we are handling on behalf of our leisure and hospitality clients involve business interruption,” explains Benedict Burke, chief client officer, Global Markets, Crawford.
“And the causes of this are indicative of the changing risk landscape that hotels, casinos, sports and entertainment venues are operating in,” he continues. “Disruption to businesses are today just as likely to be triggered by a strike, cyber outage, supplier failure, denial of access or other source of non-physical interruption as it is by a traditional physical peril.”
Major hotel groups account for 92 percent of all point-of-sale intrusions, according to Verizon Data Breach Investigations Report. “I was going through a very large hotel chain’s data center and the head of cyber security said they were under attack every minute of every day,” reveals Lockton’s Canham.
“There’s a massive regulatory cost if these things go wrong, but additionally if the core of your business is to get people through the front door, then the booking system is really important. It’s the pipe work for these companies. If their systems go down for a few minutes they start losing money