OCTOBER/NOVEMBER/DECEMBER 2025 | Volume 41, No. 4 | www.primacentral.org
The Public Risk Management Association promotes effective risk management in the public interest as an essential component of public administration.
PRESIDENT
Steve M. LePock
Risk Manager
Virginia Beach City Public Schools
PAST PRESIDENT
Adam F. Maxwell, CLRP
Director of Administration
City of Grandview Heights, OH
PRESIDENT-ELECT
Jennifer Hood
Safety & Risk Director
Montgomery County (TN) Government
DIRECTORS
Cathie T. Chancellor, JD, MS, CRM
Risk Manager
City of Norfolk, VA
Joe Costamagna
Risk Manager
Schools Insurance Authority
Chester Darden
Director of Loss Control
Public Entity Partners
Jamee Higgins
Safety & Risk Manager
City of Midland (TX)
Michelle Jordan
HR Manager: Risk, Benefits and Compliance
Clayton County Water Authority
Robert Warren, CRM
Risk Manager
Trinity River Authority of Texas
NON-VOTING DIRECTOR
Jennifer Ackerman, CAE
Chief Executive Officer
Public Risk Management Association
Alexandria, VA
EDITOR
Nick Baker
703.528.7701
nbaker@primacentral.org
ADVERTISING
Nick Baker
703.528.7701
nbaker@primacentral.org
Public Risk is published 4 times per year by the Public Risk Management Association, 700 S. Washington St., #218, Alexandria, VA 22314 tel: 703.528.7701 • fax: 703.739.0200 email: info@primacentral.org • Web site: www.primacentral.org
Opinions and ideas expressed are not necessarily representative of the policies of PRIMA.
Subscription rate: $140 per year.
Back issue copies for members available for $7 each ($13 each for non-PRIMA members). All back issues are subject to availability. Apply to the editor for permission to reprint any part of the magazine.
POSTMASTER: Send address changes to PRIMA, 700 S. Washington St., #218, Alexandria, VA 22314. Copyright 2025 Public Risk Management Association
THE PRIMA LEADERSHIP ACADEMY
MARCH 3–4, 2026 | ALEXANDRIA, VA
PRIMA’s Leadership Academy (PLA) is designed to strengthen your ability to strategically:
• Lead while navigating complex workplace issues
• Communicate risk across departments
• Gain upper management buy-in
• Meet tight deadlines through effective planning and task prioritization


Looking Ahead To 2026, Incorporating Risk Management Into Our Daily Lives
I hope everyone enjoyed the fall weather, wherever you call home. Fall has always been my favorite time of year because it feels like the perfect balance between energy and calm. The air turns crisp and fresh, and the world seems to glow with warm colors — red, orange, and gold leaves that make even an ordinary walk feel magical. Fall also brings back some of my favorite memories — carving pumpkins, going to football games, and spending cozy nights inside with friends and family. It’s the season that makes me feel most grounded and grateful. Everything about it — the colors, the smells, the sounds — reminds me to slow down and appreciate the small things.
Winter is almost upon us and PRIMA is gearing up for next year! Planning is well underway for PRIMA26, which takes place in beautiful Fort Lauderdale, Florida, June 7–10, 2026, so that we can bring you another outstanding event filled with learning, networking, and inspiration.
Planning for PRIMA26 began right after this year’s conference wrapped up. Each year, PRIMA staff hold a debriefing to reflect on what went well, review attendee feedback, and gather ideas for improvement. They also review all the session proposals submitted by members and partners and prepare the proposals for the Conference Planning Committee’s fall planning session. The committee met in September, and we received some fantastic proposals.
Thank you to everyone who provided post-conference feedback and/or submitted a proposal! Your contributions help us shape a program that’s relevant, practical, and inspiring. We’re confident you’ll be excited about the quality and variety of educational sessions coming your way in Fort Lauderdale. Stay tuned for more updates as planning continues!
As the new year approaches, take a moment to reflect on your professional goals for next year, and then develop a plan. Make the most of your membership by taking advantage of professional development opportunities throughout the year. PRIMA offers monthly webinars and professional training led by experts designed to expand your professional knowledge and enhance your leadership skills. Here’s what’s in store for 2026:
• The year kicks off with the Emerging Tech and Risk Symposium, held virtually January 27–29, 2026, 12–2 p.m. ET. This three-day conference will offer insights and strategies to manage the opportunities and risks associated with emerging technologies. And the best part: registration is free for PRIMA members!
• The PRIMA Leadership Academy (PLA) takes place March 3–4, 2026, in Old Town Alexandria, Virginia. PLA is an adaptive thought-leadership experience that will strengthen your leadership capabilities and help you implement innovative solutions to complex challenges within your entity.
• Finally, PRIMA Institute 2026 (PI) is set for October 18–23, 2026, and will also be held in Old Town Alexandria. PI serves as PRIMA’s premier educational program for both new and experienced professionals, and offers you a comprehensive exploration of emerging trends, best practices, and effective management techniques.
Make 2026 your year to grow, connect, and lead with PRIMA.
In closing, I would like to share a recent leaf-peeping excursion and how I incorporated risk management into the adventure with my family. It was one of those crisp October mornings when the air smells faintly of woodsmoke and the trees. There were no budgets or contracts to review, just logistics for a fun day outdoors. The planner in me couldn’t resist making a checklist. Transportation? Confirmed. Weather? Cold front on the way. Terrain? Slightly muddy, moderate incline. I found myself drafting what looked suspiciously like a mini risk assessment, complete with contingency plans for rain, an emergency contact list, and a small first aid kit.
At first, I laughed at myself. Was I really doing a full risk review for a hike to look at different leaf colors? But as I looked at the smiling faces of my family who trusted the plan, it hit me: this is exactly what we do every day in risk management: anticipate what could go wrong.
Halfway along the trail, the sky changed its mind. The drizzle that had seemed harmless at the parking lot turned the fallen leaves slick. I lost my footing on a slope, just a stumble, nothing serious. Because we had talked through what to do in case of an accident, the response was calm and immediate. No panic. No chaos. Just quiet family teamwork.
By the time we reached the lookout point, the clouds had cleared, and the valley below glowed with gold and red leaves. Standing there, I thought about how the same mindset that guides us through audits, assessments, and compliance reviews also guides us through life.
Risk management isn’t paperwork; it’s a perspective. It’s about caring enough to think ahead, to protect what matters, and to help others feel safe enough to enjoy the view. Every checklist, every what-if scenario, every small preventive measure… they all add up. Sometimes they save a loss; sometimes they just save a good day outdoors. Either way, that’s a win.
Sincerely,
Steve M. LePock
PRIMA President 2025–2026
NEWS Briefs
THIS CITY IS GETTING SERIOUS ABOUT SIDEWALKS. WILL OTHERS FOLLOW SUIT?
By Jared Brey, Governing magazine
Like a lot of cities, Denver’s sidewalks are marked by gaps, cracks and narrow stretches.
About 40 percent of Denver’s more than 3,000 miles of sidewalks are substandard, according to a 2019 report: either too narrow to comply with the Americans with Disabilities Act (ADA) or missing from the network entirely. Many more miles are in disrepair. For most of the city’s history, sidewalks have been built on an ad hoc basis — by developers creating or filling in neighborhoods, by individual property owners, or by the city carrying out a redevelopment project. Once the sidewalks are built, it’s a property owner’s responsibility to maintain them.
“What we’ve seen between the number of deficient sidewalks, the many, many, many hundreds of miles of sidewalks that need repair, and the 350 miles of missing sidewalks,” says Geneva Hooten, a planner in Denver’s Department of Transportation and Infrastructure, “is that that system doesn’t work.”
And now, it’s about to change. This summer, Denver is starting work on its new Sidewalk Enterprise Program, a rare commitment by a city to build out and maintain a sidewalk network at an urban scale. The program, which grew out of a 2022 voter-approved ordinance backed by citizen advocates, imposes a fee on every property in the city. Proceeds from the fee, a $150 annual flat rate per property with additional “impact fees” for larger properties, are put into an “enterprise fund” which can only be spent to build and maintain sidewalks. The city began collecting the fee in January, and the Denver City Council on Monday approved two contracts worth a combined $75 million to begin construction and repair work. Hooten says the work — a mix of “shovel-ready” projects to fill in sidewalk gaps as well as spot repairs requested by residents — should begin immediately.
Most cities leave the burden of sidewalk maintenance to property owners. But few ever force owners to do anything about their sidewalks, even when they’re in serious disrepair, says Mike McGinn, the executive director of America Walks and a former mayor of Seattle. That creates a patchwork of pedestrian infrastructure instead of a real network in most places. And it reinforces existing inequities in the built environment, with well-resourced property owners able to keep up with maintenance and poorer communities in disrepair.
“You get a situation where if you’re an advocate and you want sidewalks, you go to the city and they say, ‘It’s not our job,’” McGinn says. “But the city through its actions is making sure it’s no one’s job.”
Some other cities have developed programs to fund sidewalk maintenance beyond a project-by-project approach. Los Angeles launched a $1.4 billion program to prioritize repairs in 2016. Ithaca, N.Y., established a series of Sidewalk Improvement Districts with repairs funded with an additional property assessment. Nashville included funding for sidewalks in a transit referendum that voters approved last year. But Denver is going farther than other cities in taking ownership of the entire sidewalk network.
Advocates had been pushing for Denver to improve its sidewalk network for years. The city’s own pedestrian master plan, released in 2004, called for the city to take a more active role in maintaining what it described as “a $500 million dollar transportation asset.” But there wasn’t political momentum to pay for the necessary work, says Jill Locantore, executive director of the Denver Streets Partnership. Locantore spearheaded the “Denver Deserves Sidewalks” campaign in 2015. A few years later, Denver set aside some money for sidewalks as part of a general obligation bond. But at the rate of repair made possible by that funding, it would have taken 400 years to complete the network, Locantore says.
Read the full article: https://www.governing.com/infrastructure/this-city-is-getting-serious-about-sidewalks-will-others-follow-suit
IMPROVING COMMUNICATIONS AHEAD OF THE NEXT WILDFIRE EMERGENCY
By Stephanie Kanowitz, Route Fifty
In the eight years since the Tubbs Fire devastated Sonoma County, California, public safety officials there have learned to use technology, including artificial intelligence, to plan their response to wildfire emergencies more effectively.
One of the biggest problems that officials ran up against then was communication, said Bret Sackett, executive director of the Sonoma County Public Safety Consortium, during a recent webinar sponsored by Octave, a new software-as-a-service company set to be spun off from Hexagon.
The 17-year-old consortium was set up for collaboration among its member agencies, but units from all the western states and Canada responded to help fight the Tubbs Fire — and several other large wildfires that sparked between 2017 and 2020. It scrambled to enable information sharing among all those entities, and “it worked, but it was clunky,” Sackett said.
Today, technology is available like HxGN Connect, a unified workspace that multiple agencies can use at once to ingest and share information. It works with generative AI to produce summaries of what’s happening on the platform and with geospatial AI, which analyzes data from multiple geographic information system sources, such as drones, satellites and weather stations.
One application for this is testing and redirecting evacuation routes. “We spent considerable time creating these very digestible evacuation zones and launching a community campaign to let people know what zone they are in,” Sackett said.
But the consortium members also needed to know, for example, if a given two-lane road could handle the evacuation of 10,000 people or what to do if a burning tree falls on an evacuation route, rendering it unusable. “That is where predictive modeling with AI helps. GIS has to be integrated into platforms we use,” Sackett said.
In fact, that capability has applications in daily response efforts, not just major emergencies, he added. For instance, it can help an ambulance find the fastest route to the hospital when construction affects traffic or road accessibility. “That is a day-to-day operation that can be scaled during a time of disaster,” Sackett said.
Another issue Sackett said the county encountered between 2017 and 2020 was keeping residents properly informed. “Although we thought we had established good lines of communication with our communities, we quickly realized that there was some work that needed to be done,” he said.
For instance, the county lost about 50 cell towers, either to the Tubbs Fire itself or because they didn’t have battery backups. Sonoma had used Everbridge Nixle to broadcast alerts via email, text and voice calls, “but when it really came down to it, and under the times of stress, your community may respond differently than you anticipated,” Sackett said, adding that people flooded the dispatch centers with calls.
“This is a significant burden on your dispatch centers to weed out those calls and be sure that they’re available for higher-priority things,” he added.
Read the full article: https://www.route-fifty.com/digital-government/2025/10/improving-communications-ahead-next-wildfire-emergency/408780/?oref=rfhomepage-river
TURNING THE TIDE:
How Risk and Claims Leadership Are Reversing the PTSD and Disability Crisis Among First Responders
BY JOSEPH SOUSA, CITY OF SAN DIEGO; DR. TOMER ANBAR, INSTITUTES OF HEALTH & DAVID PICONE, SAN DIEGO FIRE DEPARTMENT (RETIRED)
A CRISIS ROOTED IN SERVICE AND THE PATH TOWARD RECOVERY
Every day across America, firefighters, police officers, sheriffs, and emergency medical personnel step into danger without hesitation. They are the ones we call in our darkest hours when natural disasters tear through communities, violent crimes shatter lives, and industrial accidents and other tragedies bring chaos and fear. In those moments, they stand between order and catastrophe. But when the sirens fade and the crowds disperse, the danger does not end. For the first responders who confront such devastation, the invisible and insidious impact lingers, etching itself into their memories and their bodies alike. These silent wounds, too often met with indifference or buried in bureaucracy, can shatter the sacred bond of trust with the agency they believed would protect them, leaving them with a profound sense of betrayal.
It is no secret that more first responders die from suicide than in the line of duty (Heiman et al., 2018). Nor is it a surprise that Post Traumatic Stress Disorder (PTSD), brain injuries, chronic pain, sleep disorders, and substance use have reached epidemic levels in this workforce. What is far less understood, however, is how these conditions are perpetuated, not only by trauma itself, but by the system of care and compensation designed to help.
Delayed or denied access to treatment, denied claims, and adversarial processes are not just bureaucratic hurdles, but rather biological insults that perpetuate disability. They are betrayals that wound both body and soul.
Still, there is hope. Across the country, a new movement is emerging. Led not only by clinicians, this transformation is also being spearheaded by risk managers and claims professionals as they step into a powerful new role and become healers through system leadership.
First responders operate in high-stakes environments that demand rapid decision-making and emotional suppression. Over time, these demands can conflict with deeply held values, leading to what clinicians describe as moral injury. Whether it is being unable to save a child, using force under duress, or seeing a colleague fall, these experiences can rupture one’s inner world.
Yet, the trauma does not end at the scene. When workers are denied care or are forced to prove their suffering through adversarial claims processes, it creates a feeling of organizational betrayal, a profound secondary wound inflicted at an extremely vulnerable time. This betrayal corrodes trust, deepens isolation, and reinforces the belief that “no one has my back.”
It is not just a psychological issue. Psychoneuroimmunology (PNI) research shows that moral injury and chronic stress disrupt the body’s most vital systems, including immune function, cardiovascular regulation, and hormone balance. Elevated levels of cortisol, suppressed natural killer (NK) cell activity, and pro-inflammatory cytokines are common among traumatized responders. These biological changes are not only linked to PTSD and chronic depression, but they are also associated with contributing to the causation of cancer, autoimmune diseases, and accelerated aging.
When injured first responders are trapped in cycles of denied care, untreated trauma, or fragmented treatment, it creates a perfect storm for long-term disability. The consequences are staggering, and those impacted can experience intensified PTSD symptoms, chronic pain and central sensitization; sleep dysfunction and cognitive impairment; substance use and suicidality; and increased cancer, cardiovascular, and chronic disease risk. In short, delays in treatment not only delay recovery but also biologically deepen the damage and trauma.
THE SOLUTION: TRANSDISCIPLINARY BIOPSYCHOSOCIAL THERAPEUTIC COMMUNITIES
Reversing this trajectory requires more than individual therapy or medication. It demands system-wide transformation, including innovative clinical models that treat the whole person.
Enter the Transdisciplinary Biopsychosocial Therapeutic Community (TBTC) model. Developed by Institutes of Health (IOH) and implemented in partnership with municipalities like the City of San Diego, this model provides an integrated platform where physical medicine and rehabilitation (PM&R) physicians, psychologists, neurologists, psychiatrists, pain and rehabilitation specialists, addictionologists, sleep experts, peer mentors, clinical nutritionists and researchers work in unison to rebuild health from the inside out.
Unlike siloed care, the TBTC model recognizes that PTSD can often be intertwined with undiagnosed brain injuries. Moreover, chronic pain and insomnia amplify trauma responses and impede recovery. Substance use, as a maladaptive coping mechanism, can further complicate the situation and contribute to neurobiological dysregulation.
The TBTC approach heals through structured daily programming, community trust, and biologically informed care that restores nervous system regulation, immune resilience, and psychosocial identity. It is a living model of psychoneuroimmunology in action.
Nowhere is this model more powerfully demonstrated than in the City of San Diego’s workers’ compensation department. Under the leadership of forward-thinking claims professionals, the city has built a new standard of care that is trauma-informed, data-driven, and outcomes-focused.
Instead of routing first responders through generic networks, the City of San Diego’s claims team became trained in recognizing first responder trauma. They built trusted referral pathways with physically vetted clinical programs. These actions ensured patients received rapid access to multi-disciplinary care with facilities demonstrating proven outcomes.
The results were overwhelmingly positive and exceeded expectations. Partnering with IOH and employing the TBTC model, the City of San Diego achieved the following:
• 93.6% of treated first responders with complex PTSD no longer met diagnostic criteria post-treatment.
• 93.6% returned to full duty or modified work.
The City of San Diego workers’ compensation team also noted significant reductions in opioid use, polypharmacy, and disability duration. Additionally, clinically validated improvements were also achieved in sleep, cognition, emotion regulation, and pain. These results did not happen by accident but rather because risk leadership aligned with clinical excellence.
While the most overlooked heroes in this recovery revolution may not wear uniforms, they are on the frontlines of healing every day. Risk managers and claims professionals are in the best position to ensure early recognition and referral; approve integrated, evidence-based treatment plans; direct care to vetted providers with proven results; and track functional, not just symptomatic, recovery outcomes. When these professionals choose the proper care, lives are saved, costs are reduced, careers are restored, and families are preserved.
The clinical success of the partnership between the City of San Diego and IOH is not based on anecdote or aspiration, but rather on rigorous, peer-reviewed research presented at national scientific and occupational medicine conferences. These studies document not only statistically significant improvements in PTSD, pain, and return-to-work outcomes but also illuminate why the TBTC model is producing unprecedented results for injured first responders.
REVERSING PTSD AND DISABILITY IN FIRST RESPONDERS
A study titled “Systematically Reversing Post-Traumatic Stress Disorder and Disability Among First Responders Through a Biopsychosocial Occupational Medicine Program” analyzed treatment outcomes for 62 San Diego first responders treated at IOH (Powell et al., 2025a). The results were groundbreaking:
• 93.6% of patients who completed at least the median number of program hours no longer met diagnostic criteria for PTSD at the end of care.
• 93.6% of the same group had returned to work, compared to only 64.5% among those with lower engagement.
• Each doubling of program hours was associated with a 50% decrease in the odds of persistent PTSD and two times higher likelihood of return-to-work.
These outcomes are not just exceptional. They redefine what is possible in workers’ compensation care.
FUNCTIONAL RESTORATION AND MENTAL HEALTH
The TBTC model was further validated in the study “Improving Mental Health by Restoring Physical Health: Addressing Chronic Pain and Behavioral Health Issues Through a Functional Restoration Program” (Powell et al., 2025b). Among 336 patients:
• Each doubling of program participation significantly improved carrying and overhead lift capabilities.
• Increased program hours led to statistically significant reductions in clinically meaningful pain, anxiety, and somatic complaints.
• Odds of clinically significant pain and anxiety dropped by 26% and 23%, respectively, for each doubling of participation.
This research confirms that physical recovery and psychological healing are mutually reinforcing when addressed in an integrated way.
TREATING PAIN AS A GATEWAY TO BEHAVIORAL RECOVERY
In the study “Treating Psychosocial Barriers in Patients with Traumatic Brain Injuries in a Transdisciplinary Biopsychosocial Therapeutic Community Model” (Powell et al., 2025d), IOH researchers evaluated 149 patients receiving multidisciplinary TBTC-based care.
• When patients with at least the median number of program hours were compared to patients with fewer than the median number of program hours, patients had significantly (p<0.01) lower physical component summary (PCS) scores at treatment completion if they completed at least the median number of program hours.
• Adjusted analysis found that longer treatment duration was significantly associated with lower likelihood of clinically relevant pain catastrophizing at completion (odds ratio: 0.66; 95% confidence interval: 0.47-0.93).
• There was an average reduction in PCS scores of 35% across all patients. For patients who completed above the median hours, there was a 42% reduction.
This study highlights that a biopsychosocial approach to care has a significant impact on psychosocial barriers to recovery as well as clinical symptoms, allowing for improved self-efficacy, a primary driver in perceived disability and healthcare utilization.
IMPROVING FUNCTION AND REDUCING PERCEPTION OF DISABILITY FOR SUSTAINED RECOVERY
A fourth study, “Reducing Disability in Patients with Traumatic Brain Injuries via a Transdisciplinary Biopsychosocial Therapeutic Community Model Occupational Medicine Program,” examined 187 patients across TBTC sites (Powell et al., 2025c). Key insights included:
• Doubling hours of program participation was significantly associated with improved activities of daily living (ADL) function, reduced depression and perceived disability.
• Improvements on the Oswestry Disability Questionnaire (ODQ), 22% on average.
• 30% increase in ADL function on average.
• 21% reduction in depressive symptoms as measured on the Beck Depression Inventory (BDI).
These outcomes demonstrate that treating psychosocial factors concurrently with physical and cognitive deficits results in significant improvements in both ADL and psychological functioning. According to research, psychosocial factors have a greater impact on chronicity than do clinical findings. Reduced perceptions of disability improve self-efficacy and self-management, leading to reduced dependence on the healthcare system and better long-term functional outcomes.
Presented at major medical and occupational health conferences in 2025, these four independent studies underscore the scientific evidence for the efficacy of the TBTC model. When first responders are immersed in a recovery environment that addresses trauma, pain, sleep dysfunction, substance misuse, and relational trust simultaneously, they do not just stabilize; they recover. They return to their jobs, their families, and their sense of identity.
These outcomes are only possible when risk and claims managers, working in alignment with department leadership and evidence-based clinical providers, commit to the model, vet the clinics, and clear the path to timely, coordinated care.
Outcomes like those achieved through the partnership between the City of San Diego and Institutes of Health do not happen by chance. They are not the result of luck, branding, or one-time heroics. They are the predictable by-product of deliberate, strategic alignment between those responsible for managing organizational risk and those responsible for the lives that risk management is meant to protect.
In workers’ compensation, risk managers and claims administrators are often seen as gatekeepers. But when aligned with chiefs, department leaders, and outcome-proven care providers, they become enablers of recovery. This alignment is not just a procedural necessity; it is a moral and operational imperative.
Too often, first responders are sent to providers selected from large medical provider networks (MPNs) or generic vendor networks, without any verification of their ability to reverse PTSD, treat brain injury, or address complex pain. Strategic systems do not settle for that.
The real difference is not just in having the right clinic or the right treatment model but rather in clearing the path so that care can happen at the right time, in the right way, with the right team.
Under the City of San Diego program, clinics are physically visited, medically verified, and performance vetted. The risk team knows where they are sending injured workers. They understand the philosophy, the protocols, and, most importantly, the outcomes. That is how confidence is built. That is how lives are saved.
The first few weeks following an injury or traumatic event are critical. Delayed authorization, siloed evaluations, or adversarial utilization reviews (URs) often push first responders into isolation, pain, and demoralization. The longer the delay, the more entrenched the dysfunction becomes.
But when risk leaders, claims personnel, and clinical partners collaborate from Day 1, the opposite happens. Early screening detects PTSD, brain injury, or comorbid substance use disorder (SUD) before they escalate. Fast-tracked referrals get patients into function-first programs immediately. These actions, alongside coordination with chiefs and supervisors, build a culture of care rather than confrontation. This kind of early, team-based activation is what prevents chronicity and enables transformative recovery.
Another defining factor in the City of San Diego’s success has been the willingness of departmental chiefs, including fire, police, lifeguard, and others, to engage directly in the recovery infrastructure. When chiefs understand the care model, trust the providers, and remain engaged with the claims process, the results are remarkable. The leadership and support of chiefs help first responders feel valued, not discarded. Referrals come with leadership endorsement rather than fear. The result is that department morale improves as word spreads that “this system actually works.”
Chiefs are more than commanders; they are cultural architects. When they align with risk and claims teams, they create systems where care is not delayed, dignity is not denied, and disability is not inevitable.
The City of San Diego model does not rely on hope or anecdotes. It runs on data, reviewed regularly by risk leadership and clinical teams alike. Among the City’s key performance indicators are the percentage of patients returning to work, resolution rates of PTSD and chronic pain, reductions in polypharmacy and unnecessary surgeries, and time to medical maximum improvement and cost savings.
By integrating data dashboards and continuous feedback loops, the system self-corrects, improves, and proves its value with every case. This creates mutual accountability—a rare yet powerful dynamic—in the world of injury care.
That means risk managers are trained in trauma-informed decision-making; claims professionals are empowered to fast-track proven care; chiefs sit at the table and say, “My people deserve better, and I will lead the way”; and clinical providers understand that healing is a system function, not just a treatment outcome. When that alignment occurs, the tide turns. PTSD resolves. Disability declines. Trust is rebuilt. And most importantly, lives and careers are saved.
Joseph Sousa is Workers’ Compensation Manager for the City of San Diego; Dr. Tomer Anbar is the CEO of Institutes of Health in San Diego; and David Picone is Battalion Chief, Health & Wellness Specialist with the San Diego Fire Department (Retired).
REFERENCES:
American College of Occupational and Environmental Medicine [ACOEM]. (2024). ACOEM clinical practice guidelines: Chronic pain. Retrieved from https://www.acoem.org
American College of Occupational and Environmental Medicine [ACOEM]. (2024). ACOEM clinical practice guidelines: Post-traumatic stress disorder. Retrieved from https://www.acoem.org
California Department of Industrial Relations, Division of Workers’ Compensation. (2021). Annual Report. Retrieved from https://www.dir.ca.gov/dwc
Gatchel, R. J., Reuben, D. B., Dagenais, S., Turk, D. C., Chou, R., Hershey, A. D., … & Horn, S. D. (2014). Research agenda for the prevention of chronic pain and its impact: Report of the National Institutes of Health Pain Consortium Research Task Force. The Journal of Pain, 15(2), 92–100. https:// doi.org/10.1016/j.jpain.2013.10.007
Heiman, M, Dill J, Douglas, R. The Ruderman White Paper on Mental Health and Suicide of First Responders, Ruderman Family Foundation, April 2018.
Powell, A. C., Dawson, G., & Anbar, T. (2025, April). Improving mental health by restoring physical health: Addressing chronic pain and behavioral health issues through a functional restoration program [Poster presentation]. American Academy of Pain Medicine Annual Conference, Austin, TX.
Powell, A. C., Sousa, J., Picone, D., Dawson, G., & Anbar, T. (2025, May). Systematically reversing post-traumatic stress disorder and disability among first responders through a biopsychosocial occupational medicine program [Poster presentation]. American Occupational Health Conference, American College of Occupational and Environmental Medicine.
Powell AC, Dawson G, Anbar T. Reducing Disability in Patients with Traumatic Brain Injuries via a Transdisciplinary Biopsychosocial Therapeutic Community Model Occupational Medicine Program. Poster presented at: American Society of Pain & Neuroscience Annual Conference; 2025 July 17-20; Miami, FL.
Powell AC, Dawson G, Anbar T. Treating Psychosocial Barriers in Patients with Traumatic Brain Injuries in a Transdisciplinary Biopsychosocial Therapeutic Community Model. Poster presented at: PainWeek National Conference; 2025 Sep 2-5; Las Vegas, NV.
Substance Abuse and Mental Health Services Administration [SAMHSA]. (2022). Traumainformed care in behavioral health services. Treatment Improvement Protocol (TIP) Series 57. HHS Publication No. (SMA) 13-4801.
Yehuda, R., Flory, J. D., Southwick, S., & Charney, D. S. (2006). Developing an agenda for translational studies of resilience and vulnerability following trauma exposure. Annals of the New York Academy of Sciences, 1071(1), 379–396.
RANSOMWARE — TO PAY OR NOT TO PAY? Considerations for Public Entities
BY MARK A. SADLER, JD, GREAT AMERICAN INSURANCE COMPANY
Public entities face a unique, evolving, and increasingly challenging risk environment. An emerging exposure faced by public entities is the risk of cyber-attack. In recent years, foreign threat actors have increasingly targeted America’s public entities. Cyber-attacks are varied and can take many forms, with ransomware among the most serious.
The FBI defines ransomware as malicious software that restricts access to computer files, systems, or networks, often through encryption, and demands a ransom for their return. Essentially, attackers hold data or systems hostage, demanding payment to restore access.1 Two notable examples of ransomware attacks impacting public entities are the 2018 attack on the City of Atlanta and the 2019 attack on the City of Baltimore. The Atlanta attack is reported to have cost the city up to $17 million.2 The Baltimore attack is reported to have cost $19 million, due to the cost of restoring computer networks and the disruption of city services such as property tax processing, water billing, parking citations, and other revenue-generating activities.3
NetDiligence has estimated the average cost of a ransomware event at $334,000.4 In addition to the monetary impact of an attack, public entities may be affected by operational disruption. For example, an attack may disrupt 911 dispatch systems, impact public health services such as water treatment or sanitation, or interfere with public transportation and educational services.5
Prevention is the best remedy for ransomware, and several organizations, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have published resources, such as CISA’s Ransomware Guide, that provide best practices and checklists to help organizations harden their environment to prevent or mitigate the impact of ransomware.6 Although ransomware attacks usually involve encryption of the victim’s network, threat actors are increasingly also threatening to publish exfiltrated data in order to extort a ransom payment.
A key to effective recovery from a ransomware attack lies with the availability of current viable backup records that can facilitate early restoration without the need to negotiate for a decryption tool. In the event of a ransomware attack, having a detailed incident response plan and access to legal and technical experts experienced in addressing ransomware incidents can be invaluable.
An important initial step in responding to a ransomware attack is reporting the incident to local, state, and federal law enforcement, such as the FBI’s Internet Crime Complaint Center (IC3). The U.S. Department of Treasury, Office of Foreign Assets Control (OFAC) considers a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies, such as CISA or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), made as soon as possible after discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor in determining an appropriate enforcement response.7
Experts have opined that the response to a ransomware event should include immediate isolation of affected systems, securing backups, notifying relevant parties, conducting a forensic investigation, and developing a recovery strategy. It is also essential to disconnect infected devices from the network to prevent further spread and assess the impact of the event.8 Often, in addition to the initial forensic and restoration response, experts will seek to open a dialogue with the attacker. This serves to provide proof that the threat actors can decrypt the encrypted data, provide insight into data that the threat actors may have exfiltrated, and preserve the option of obtaining a decryption tool from a threat actor in the event there is no viable option to restore from backups.
The FBI does not support paying a ransom in response to a ransomware attack.9 In the event a ransom payment is made, there is no guarantee that the threat actor will perform upon receipt of the funds, and there is no ability to enforce the agreement in the event of non-performance. The adverse impact associated with paying ransoms includes contributing to the growth of ransomware as a business model for threat actors, incentivizing further attacks, and prolonging uncertainty regarding the possibility of data recovery.
If it becomes necessary to obtain a decryption tool from a threat actor, payment must generally be made in cryptocurrency. Another consideration is compliance with state and federal laws that prohibit payments to threat actors.
On the federal level, OFAC “administers and enforces economic and trade sanctions against targeted foreign jurisdictions and regimes, as well as individuals and entities engaging in harmful activity, such as terrorists, international narcotics traffickers, weapons of mass destruction proliferators, and other malign actors, in response to threats to the national security, foreign policy, or economy of the United States. OFAC sanctions take various forms, from blocking the property of specific individuals and entities to broadly prohibiting transactions involving an entire country or geographic region, such as through a trade embargo or prohibitions related to particular sectors of a country’s economy.”10
It is notable that “[i]n the case of ransomware payments that may have a sanctions nexus, OFAC has issued warnings that payment of ransom in the event of a ransomware attack may involve entities linked to terrorism and or sanctioned countries that could result in legal penalties.”11 Specifically, OFAC advises that “under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). Additionally, any transaction that causes a violation under IEEPA, including a transaction by a non-U.S. person that causes a U.S. person to violate any IEEPA-based sanctions prohibitions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons that could not be directly performed by U.S. persons due to U.S. sanctions regulations.”12
OFAC further advises that “the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining an appropriate enforcement response to an apparent violation of U.S. sanctions laws or regulations.”13 In this regard, it is essential that a ransomware victim consult with legal and technical experts experienced in ransomware matters and ensure OFAC compliance before considering paying a ransom to a threat actor.
In addition to federal law, state-specific laws must be considered by a victim in the event of a ransomware attack. Three examples of ransomware-specific laws applicable to public entities include statutes in the States of Florida, North Carolina, and Tennessee.
Florida Statute § 282.3186 went into effect July 1, 2022. The statute, titled Ransomware Incident Compliance, prohibits state agencies, counties, and municipalities in the state of Florida from paying or otherwise complying with a ransom demand when experiencing a ransomware incident.14 This statute is part of a broader State Cybersecurity Act and aims to address the increasing risks associated with ransomware attacks. The statute mandates that public entities in Florida cannot pay a ransom to resolve a ransomware event and also requires that local governments report cybersecurity incidents, including ransomware incidents, to the Florida Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the local sheriff. The required reporting includes details about the incident, compromised data, and any ransom demands. The incidents must be reported as soon as possible, but not later than: (i) 12 hours after the discovery of a ransomware incident or (ii) 48 hours after the discovery of any other covered incident.
North Carolina General Statute § 143-800(a) prohibits state agencies and local government entities from paying ransoms to entities that have engaged in ransomware attacks on their information technology systems.15 The law applies to any agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of state government, according to the statute. Specifically, it forbids entities from submitting payment or communicating with an entity that has encrypted data and is demanding a ransom to decrypt it, and requires consultation with the state Department of Information Technology, according to G.S. 143B-1379.
Tennessee Code § 4-1-423 (2024) prohibits state entities from making payments to an entity that has engaged in a cybersecurity incident involving the encryption of data and then demanding a ransom. Under the law, a “state entity” “(1) [means] an agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of state government, including a public institution of higher education and all other entities for which this state has oversight responsibility; and (2) Does not mean a vendor, contractor, insurance company, law firm, or other third party that has a contract, or does other business, with a state entity.”16
An entity victimized by ransomware may face the permanent loss of data that can lead to the disruption of key government services. In addition, operational disruptions can result in service and safety issues for residents or clients of a public entity. A ransomware victim must also be mindful of compliance with both state and federal laws and restrictions pertaining to payment of a ransom, or, in the case of North Carolina, communicating with an entity that has encrypted data and is demanding a ransom. Considering the level of disruption accompanying a ransomware event and the complexity of the legal environment, entities need to consult with legal and technical sources that specialize in ransomware incident response and remediation.
Ransomware events targeting public entities are severe and becoming more common. In light of the issues associated with the payment of a ransom to threat actors, it is increasingly incumbent on potential targets to ensure that they have done everything possible to avoid becoming a victim, to mitigate the impact of an attack if they suffer one, and to be prepared to respond should an attack occur.
Mark A. Sadler, JD, RPLU, CPLP, CIPP/US, CIPP/C17, is Divisional Senior Vice President, Claims with Great American Insurance Company.
1 Federal Bureau of Investigation, Common Frauds and Scams – Ransomware, (available at: https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/ransomware#:~:text=If%20You’re%20a%20Victim,a%20report%20at%20ic3.gov.) (Last accessed June 30, 2025).
2 Benjamin Freed, One Year After Atlanta’s Ransomware Attack the City Says It’s Transforming Its Technology, StateScoop (March 22, 2019), (available at: https://statescoop.com/one-year-after-atlantas-ransomwareattack-the-city-says-its-transforming-itstechnology/) (Last accessed June 30, 2025).
3 A.J. Vicens, Iranian man pleads guilty in US to 2019 Baltimore ransomware attack, Reuters (May 27, 2025), (available at: https://www.reuters.com/world/us/iranian-man-pleadsguilty-us-2019-baltimore-ransomwareattack-2025-05-27/) (Last accessed July 1, 2025).
4 NetDiligence, Cyber Claims Study 2024 Report, at 32, (available at: https://netdiligence.com/cyber-claims-study-2024-report/) (Last accessed June 30, 2025).
5 See Hannah Kyle Kinney, Prohibiting Government Entities from Paying Ransoms in Ransomware Attacks: A Policy Analysis, Institute for Homeland Security, Sam Houston State University (2025), (available at: https://ihsonline.org/Portals/0/Tech%20Papers/2025/Kinney-Prohibiting-Government-Entitiesfrom-Paying-Ransoms.pdf?ver=WeVdGIeJ9ndxrAT13Od5iA%3D%3D) (Last accessed June 60, 2025).
6 Cybersecurity and Infrastructure Security Agency, Ransomware Guide September 2020, (available at: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf) (Last accessed June 30, 2025).
7 U.S. Department of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, (September 21, 2021) (available at: https://ofac.treasury.gov/media/912981/download?inline) (Last accessed June 30, 2025).
8 John P. Carlin, Ten Steps to Successful Ransomware Response, International Association of Privacy Professionals (March 2025), (available at: https://iapp.org/resources/article/successful-ransomware-response/) (Last accessed June 30, 2025).
9 Federal Bureau of Investigation, Common Frauds and Scams – Ransomware, (available at: https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/ransomware#:~:text=If%20You’re%20a%20Victim,a%20report%20at%20ic3.gov.) (Last accessed June 30, 2025).
10 U.S. Department of Treasury Office of Foreign Assets Control, Basic Information on OFAC and Sanctions, (available at: https://ofac.treasury.gov/faqs/topic/1501) (Last accessed June 30, 2025).
11 Federal Bureau of Investigation, Common Frauds and Scams – Ransomware, (available at: https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/ransomware#:~:text=If%20You’re%20a%20Victim,a%20report%20at%20ic3.gov.) (Last accessed June 30, 2025).
12 Federal Bureau of Investigation, Common Frauds and Scams – Ransomware, (available at: https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/ransomware#:~:text=If%20You’re%20a%20Victim,a%20report%20at%20ic3.gov.) (Last accessed June 30, 2025).
13 Federal Bureau of Investigation, Common Frauds and Scams – Ransomware, (available at: https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/ransomware#:~:text=If%20You’re%20a%20Victim,a%20report%20at%20ic3.gov.) (Last accessed June 30, 2025).
14 Fla. Stat. § 282.3186 (2024), Local Government Cybersecurity, (available at: http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0200-0299/0282/Sections/0282.3185.html#:~:text=(a)%20A%20local%20government%20shall,jurisdiction%20over%20the%20local%20government) (Last accessed June 30, 2025).
15 N.C. Gen. Stat. § 143-800(a) (2022), State entities and ransomware payments, (available at: https://www.ncleg.gov/enactedlegislation/statutes/pdf/bysection/chapter_143/gs_143800.pdf) (Last accessed June 30, 2025).
16 Tenn. Code. Ann. § 4-1-423 (2024), Cybersecurity - State payment of ransom prohibited - Incident reporting protocol, (available at: https://law.justia.com/codes/tennessee/title-4/chapter-1/part-4/section-4-1-423/) (Last accessed June 30, 2025).
17 The views or opinions expressed herein are those of the author and shall not be construed as legal advice; and do not necessarily reflect any corporate position, opinion or view of Great American Insurance Company, or its affiliates, or a corporate endorsement, position or preference with respect to any contractual terms and provisions or any related issues. If you have any questions or issues of a specific nature, you should consult appropriate legal or regulatory counsel to review the specific circumstances involved. Great American Insurance Group, 301 E. Fourth St., Cincinnati, OH 45202.
ARE YOU RECOVERING LOSS OF USE AND DIMINUTION OF VALUE?

BY MICHAEL TOWERS, ALTERNATIVE CLAIMS MANAGEMENT
This article will take an in-depth look at auto physical damage claims to ensure you recover all the claim elements to which taxpayers are entitled. This includes the Fleet Managers’ expenses and their alignment with claim element entitlements, total losses, and routine items that are not covered by almost every policy and, as such, are hardly ever seen on a claim demand.
Additionally, it’ll go over Loss of Use and Diminished Value recoveries, and why they should be part of your claim. Lastly, based on your statute of limitations, should you—and can you—go back and recover from the at-fault carrier those items that were previously overlooked? Finally, this article will outline several options for implementing these recovery strategies.
We all encounter auto claims when another party has caused damage to one of our vehicles. Some of us are self-insured and handle recoveries from the at-fault party’s carrier using in-house staff or a third-party administrator (TPA). In contrast, others have fleet insurance through a risk pool or carrier with a deductible. Regardless of how your claims recoveries are handled, one common issue we see almost every time is that Loss of Use and Diminution of Value are typically not requested in claims submitted by governmental agencies.
One would ask why, and the reasons are varied. If your fleet is insured, there are typically no policy provisions to cover these elements. Some entities assume they are not entitled to recover Loss of Use because the Fleet Manager has spare vehicles. Others have tried or have been told by the insurance carriers that they are not entitled to Loss of Use because they have spare vehicles. As for Diminution of Value, the insurance industry makes this difficult to prove. Add to that the fact that we are not lacking in claims, and that recovering for the damage or Total Loss takes significant time and resources, and we don’t have the extra staff to prolong the settlement and justify the costs.
The truth of the matter is, every injured party, including governmental agencies, is entitled to compensation for Loss of Use and Diminution of Value in a not-at-fault auto accident. It doesn’t matter if your Fleet Manager has a spare pool of vehicles. They will be the first to tell you that most of the fleet cannot be rented through a local agency, and as a result, the taxpayers incur Loss of Use costs 365 days a year. To give you a benchmark, take a routine radio motor patrol unit (RMP). The unit with the police package has an acquisition cost of roughly $40,000. By the time you add the lights, sirens, computers, radios, and other equipment, that unit’s holding costs could reach $80,000. Add a few of these vehicles in the mix, then fire apparatus, and an ambulance or two, and you’re funding several hundred thousand dollars in spare units. Additionally, the vehicle’s value is reduced each time it is damaged.
By recovering these claim elements, you contribute to the general fund, thus helping taxpayers and helping the Fleet Manager offset some of the costs associated with maintaining a spare pool fleet. If they only needed a pool for routine preventative maintenance, their fleet could be marginally smaller. While the reality is a pool fleet is necessary and the costs can’t be avoided, you can help offset some of those costs.
Another claim element we routinely see is Total Loss Supplements, which are part-and-labor estimates over and above the vehicle’s Actual Cash Value (ACV). Total Loss Supplements cover the time and materials to remove and reinstall specialty equipment on a replacement vehicle, including items like radios, lights, sirens, prisoner cages, stretcher and defibrillator mounts, cameras, GPS, pumps, welding equipment, and telematics. It also considers the costs for restriping or lettering the replacement vehicle. When you consider the time fleet or public works staff spend on these tasks and their hourly costs, it amounts to quite a bit of uncompensated taxpayer dollars that the at-fault carrier should be held accountable for paying. The best way to document this is to list each vehicle class with specialty equipment, identify the class with the most equipment, and attach the costs or time required for the removal and reinstallation of those items.
When handling Total Loss Supplements, check which specialty pieces are adaptable to the replacement unit. A good example is the center control panel of a police car, which houses the switches, radio head unit, and siren head control unit. If it works in the 2014 Explorer but not in the 2023 replacement unit, leave it behind, add it to the total loss supplement, and let the carrier depreciate it.
Why remove something that will end up in a dumpster? Treat it the same as your kid’s first car, with a high-end stereo and chrome rims (I know, I’m dating myself). If their car gets totaled, the adjuster will take your receipts for those items, maybe depreciate them, and add them to the final payout. You’ll be doing essentially the same thing.
Before I get to the Return On Investment (ROI), we need to consider the Statute of Limitations and how it affects claims recovery. If you’re considering pursuing any part of these claim elements, you should consider not only adding them to new claims, but also past claims up to the Statute of Limitations. If you did not exhaust limits or sign a release on the initial recovery, you can reopen those claims and submit a supplemental request for compensation. Some states have laws exempting municipalities from the Statute of Limitations. In those states, you can reopen claims as far back as your records retention period. For example, the State of Texas has a two-year statute of limitations, but municipalities have a 10-year records retention policy; this means there could be substantial taxpayer proceeds available for recovery. What is your statute of limitations, and how many claims can you potentially reopen?
By now, you’re likely wondering what the ROI is for adding these to our claim submissions. Can my TPA or Risk Pool add them to the claim if requested? If your TPA works for you, they can seek recovery, but they’re generally not very effective at recovering these items. If your claims go through a risk pool, they’re similarly constrained and can only recover what they’ve paid out, plus their insured’s deductible. You might be wondering if there are other options besides changing your current process. These are all very relevant questions.
To answer the first question: yes, the ROI is there if you accurately calculate your downtime and secure a good Diminished Value evaluation. For example, we worked with a medium-sized county outside Atlanta, where the statute of limitations is four years. By reopening past claims, we recovered and returned more than $2.3 million to taxpayers.
You can also hire a damage recovery firm specializing in this type of work. This allows you to keep your current processes and utilize them to overlay and enhance your efforts. Make sure they are 100% performance-based, with no monthly or per-file fees. If you choose to have them recover the damages, they should do so at no cost to taxpayers. The most cost-effective, highest-ROI approach is to hire a firm whose revenue comes from what you are currently not recovering. These firms do exist, and since there is no cost to the taxpayers, getting procurement’s approval with minimal red tape should be relatively straightforward.
Procurement is generally the most challenging part of implementing any new program or vendor. What makes this program easier to implement than ordering uniforms or work gloves is its unique nature. Because of this, most jurisdictions have a pilot program in which a municipality can enter into an agreement without conducting an RFP, or the entity can piggyback and test the product or program. The key is that the agreement generally cannot last more than 364 days and is helpful for jurisdictions that are contending with a statute of limitations. RFIs, RFQs, and RFPs can take some time to do. Each day, a valuable file could drop off the scope of recovery. Utilizing a pilot program to decide if the vendor meets sole source, or you can, and get the best of all worlds.
I hope this has given you a different perspective on auto physical damage claims and how, as a risk professional, you can positively affect the bottom line at budget season.
Michael Towers is a lead contracted support specialist for Alternative Claims Management.
BEST OF THE BLOG
WHEN BOUNDARIES ARE CROSSED, FOSTERING A RISK MANAGEMENT CULTURE, AND DOES AI POSE A SIGNIFICANT RISK TO LONG-TERM JOB SECURITY?
WHEN BOUNDARIES ARE CROSSED: WHAT SCHOOLS CAN DO TO PROTECT STUDENTS
BY RYAN MCLEOD, DIRECTOR/CHIEF OPERATING OFFICER, MIDDLE CITIES RISK MANAGEMENT TRUST
School principal to Human Resources: “I just got off the phone with a parent. He found some disturbing emails in his daughter’s account.”
That phone call marked the beginning of a deeply troubling investigation. As the district administrator overseeing human resources, I oversaw weeks of interviews, evidence collection, and ultimately, the termination of a teacher. The case centered around 1,300 emails exchanged between a 6th grade teacher and his female student—raising serious concerns about professional boundaries and student safety.
Thankfully, the discovery of these emails prevented further escalation. But what lingered with me most were the interviews with students and staff. Their comments revealed a pattern of favoritism and boundary-crossing behaviors that had gone unreported:
“Oh yeah, she is his favorite.” – student
“She’s the only one that he lets sit at his desk.” – student
“She’s the only one allowed into the classroom before the bell.” – student
“She always gets picked for special jobs.” – student
“I did notice she regularly stayed after school with him.” – staff member
“I heard rumors they were spending a lot of time together.” – staff member
Clearly, many had seen or heard things that could have raised red flags, but no one thought it serious enough to report. This is a common pattern. Educator sexual misconduct researcher Charol Shakeshaft explains, “In most every case that I’ve studied — and I’ve studied hundreds — people see something going on. They don’t know exactly what it is… What they don’t do is report.” (Kappan Online, 2025)
One reason these behaviors often go unreported is the misconception that abusers fit a specific profile. Billie-Jo Grant, CEO and lead trainer for the McGrath Response System™, explains that most offenders are not a “creepy guy in a trench coat.” Instead, they may be “respected teachers or coaches who groom not only the student, but the entire community”— making their actions appear helpful or well-intentioned. They may be narcissistic or self-focused, but if there is resistance—if there are barriers—if someone is watching and reporting—they are less likely to act.
This insight offers a powerful strategy for prevention: schools must create resistance and build barriers that help prevent boundary-crossing behaviors. Here are research-aligned guardrails that can help:
• Codify Boundaries: Establish clear policies for interactions, transportation, gifts, communication and social media. Train staff, students and caregivers to build awareness and set expectations.
• Leadership Messaging: Ensure leaders clearly communicate a “we don’t tolerate grooming and sexual abuse here” message. Speak as if grooming and sexual abuse could happen and don’t pretend that it won’t—strong messaging can deter potential abusers.
• Enforce Accountability: Go beyond just written policies—apply them consistently. Avoid “he’s a good guy” exceptions and hold everyone to high standards.
• Design for Visibility: Use space and scheduling to reduce isolation. Implement features like doors with uncovered windows, sign-in/out systems, two-adult supervision norms and common meeting areas.
• Strengthen Reporting Systems: Appoint a single investigator, offer multiple reporting paths (including anonymous options), and ensure every report is documented and followed up.
• Enhance Hiring Practices: Look beyond background checks. Inquire about resignations related to investigations and seek references outside those provided.
• Train to Recognize Boundary-Crossing: Use scenario-based training to help the school community identify inappropriate behaviors masked as support.
Ultimately, prevention requires a proactive culture—one where boundary-crossing behaviors are recognized, reported, investigated, documented and addressed. Implementing proactive barriers and increasing awareness can create safer school environments for students. The responsibility lies with all of us to notice, speak up and act.
FOSTERING A RISK MANAGEMENT CULTURE
BY DEAN COUGHENOUR, RISK MANAGER, CITY OF FLAGSTAFF, AZ [RET.]
It’s my first day on the job as the new municipal risk manager. I am excited for sure, but then I realize that the “culture of risk management” is nearly absent. My excitement dwindled to an anxiety about how in the world can I turn around this huge ship of “That’s not my job” to a team of “I am the risk manager.”
My first piece of advice is to assess your current situation. Do employees know how and when they should report incidents and accidents? Do employees actually follow that procedure? Is compliance training up to speed? Are policies in place that support my organization’s goals and objectives? Are incidents and accidents reviewed by peers, and then the message of prevention shared? How is risk management perceived by my supervisor, directors, and the broader employee base? Maybe the most critical question is: who do the employees think the risk manager is?
Other signs that a risk management culture was seriously lacking were also obvious: a high experience modification factor, a number of frequent flier claims, late reporting of incidents and accidents, a lack of near-miss reporting, and a view that risk management was... over there somewhere.
And so it began. I had to slow down and recognize that this is a three to five-year change process. I first had to start with what is most important and will have the most significant positive impact with the least amount of resistance. Small wins early on build credibility and foster inclusion of risk management.
I have come to learn that the secret to building a positive culture is, you guessed it, people. Begin by sitting down with directors and key leadership to talk about risk management. Find out what they believe it has been, what they see it as today, and how they envision risk management in the future. To be clear, this meeting is NOT about risk management but about building the foundation of a working relationship and teamwork with the organization’s leadership.
The side benefit is that you will get to learn about their department and to educate them on how, when, and where risk management can help them meet their objectives. At the same time, invest a few hours every month in “ride-alongs” with the employees on the ground, such as police, fire, sanitation, public works, and other departments you serve. Always keep in mind that to achieve desired results, you must have the support of the employees, or progress will be severely impaired.
Then, policies must be current and in place to provide direction to employees and assist in meeting the organization’s goals. Remember, small steps. This is a three to five-year plan of teamwork. Networking and a series of small wins is the course.
The reporting of incidents and accidents is also most critical. Make your reports short and easy to understand in a form that can be easily emailed. When I first arrived at my entity, the ONE and ONLY report form was 13 pages long and contained sections that seemed to duplicate each other. A large percentage of the time, the reports were not completed, nor sent to risk management promptly. The structure today is outlined in a how-to manual broken into specific loss sections. The instructions are on one page and the corresponding report form is one or two pages long. The objective is to be in the loop as soon as is practical, and make it easy for employees to make that happen.
When a new training program is first designed, polished, and ready to roll out, the first audience is the department director. After reviewing, look for input into making changes, additions, deletions, and most importantly, ask the key questions.
We, professional risk managers, are essentially risk consultants. Our role is to grow and nurture employees to understand their role as risk managers and encourage concepts like “Stop work authority,” “I am the risk manager,” and “My voice matters” to move the needle to a culture of risk management.
I did not realize how far we had moved the needle until one day, in a large auditorium filled with employees, I approached the podium and asked a question. “So, who is the risk manager?” Over the background music, the resounding reply of hundreds of employees was “I AM!” It brought a tear to my eye, for in that moment I realized we were there.
DOES AI POSE A SIGNIFICANT RISK TO LONG-TERM JOB SECURITY?
BY RANDY ANDERSON, FOUNDER/OWNER, E3 PROFESSIONAL TRAINERS
One of the most common concerns I hear expressed in the workplace today is whether or when Artificial Intelligence (AI) will begin to push people out of the workplace. As technology advances at an ever-increasing rate, many people have begun to wonder, “Am I going to lose my job? Will my job even exist in a decade or two? What will I do then?”
Let me make clear up front that I am a self-realized and self-proclaimed technophobe. I am not someone who embraces change easily and I am certainly not a gadget-guy who has to have the latest, newest, coolest device. With that understanding, I still contend that AI can’t ever replace everything “human” in the work world.
In risk management, AI will be an extremely valuable tool that can be utilized to identify potential problems, and even offer suggestions and strategies for how to mitigate or eliminate those risks, but it won’t ever be able to get a disengaged team member to care more, work harder (which could, in itself, help reduce risks), connect with stakeholders in a way that creates a collaborative environment, and ultimately allow the maximum application of the information provided by the bots.
I believe one of the greatest risks in any organization, whether public or private, is an infection of apathy and disengagement. If you and your teammates are not fully engaged in your job, it can lead to several negative outcomes. From something as small as a lack of attention to detail and poor performance to something as catastrophic as loss of life.
Bring value every day! That is advice I’ve given my young adult children many times in the last several years. As we see more and more people “going through the motions,” it becomes obvious to me that an individual doesn’t have to try very hard to stand out from the crowd in a positive way these days. Last week, as I was using AI (ChatGPT to be specific) to help me compose descriptive overviews of some of my modules, it never once did more than I asked it to. It always gave me exactly what I asked for. It always reacted to changes I made in my request but wasn’t proactive to offer a solution to an unrealized/unidentified problem, and it didn’t celebrate with me once I had finished what I was working on.
Look for ways to connect with your immediate teammates, other internal customers, external customers/constituents and even vendors. Human interaction is one of the most compelling and impactful influences we can experience. A computer can always produce a list of things that need to be done. It can tell me the best time to do those tasks. It can likely determine the most efficient sequence in which to do them, but it cannot engage emotionally with someone. It can’t demonstrate heartfelt empathy, care, and concern for others. It can’t prompt healthy competition between friendly rivals, and it can’t show deep gratitude or sincere remorse that are often necessary in the normal course of doing business. In short, the single best way for humans to remain relevant and necessary in the workplace is to always remember one simple sentence: Every day matters…so matter every day!
HAS YOUR ENTITY LAUNCHED A SUCCESSFUL PROGRAM? An innovative solution to a common problem? A money-saving idea that kept a program under budget? Each month, Public Risk features articles from practitioners like you. Share your successes with your colleagues by writing for Public Risk magazine! For more information, or to submit an article, contact Nick Baker at nbaker@primacentral.org.
CALENDAR OF EVENTS
PRIMA’s calendar of events is current at time of publication. For the most up-to-date schedule, visit www.primacentral.org.
PRIMA WEBINARS
December 17
Value-Added Services: How To Get the Most From Your Insurance Partnerships



ENTERPRISE RISK MANAGEMENT
December 2, 4, 8, 10, 2025
Virtual


PRIMA'S EMERGING TECHNOLOGY AND RISK SYMPOSIUM
January 27–29, 2026
Virtual
PRIMA ANNUAL CONFERENCE
June 7–10, 2026
Fort Lauderdale, FL
Broward County Convention Center
PRIMA INSTITUTE
October 19–23, 2026
Old Town Alexandria, VA


