Once upon a time, risk management meant making sure employees didn't trip over boxes lining the hallways. It was a different time and place for risk managers. Today, though, risk management has risen to a level that looks at all types of exposures. In the insurance industry that means internal as well as external exposures.

Still, there are multiple levels of sophistication around enterprise risk management.

“I've had conversations with supposedly sophisticated risk managers who think of ERM only in terms of worker injuries, automobile driving techniques, and fire protection in the building,” says David Allred, head of technology for Zurich North America Commercial. “They don't go much beyond that to look at the internal risks to the business. They don't think about credit risk, political risk, or supply chain management.”

Cyber security is a major issue facing risk managers today, particularly with the abundance of mobile computing devices that have found their way into the workplace. It is an issue of such importance that the World Economic Forum recently listed it first among its five “risks to watch” in its Global Risks Report.

“The science of risk management has grown over the last few years,” says Allred. “The concept often times has outrun the practical use in many cases because it's still a learning process for a lot of companies.”

People want data wherever and whenever they need it and Nationwide Insurance employees are no different. But the issue risk-management personnel at Nationwide have to deal with—along with every insurance company—is how to protect that data.

“We're looking at how we can protect the data versus protect the device,” says Lisa Hodkinson, vice president, information risk management for Nationwide. “Associates want to use whatever device makes them most productive. If they want to pull data to that device then we want to find a way to protect [the data] so they can use the tools and applications that help their productivity.”

Nationwide is in the pilot stage of a program designed to address those data security issues, including an effort to understand if the carrier's internal applications are compatible and configurable to run on the smartphones in the market, according to Hodkinson.

“Depending on the outcome of our pilot, we hope to move forward with some personally-owned devices—if approved by executive leadership. It will be a very cautious and controlled rollout,” she says. The pilot program was begun in 2010 and Hodkinson points out there is research, analysis, piloting, and ramp-up work involved across the insurer's HR, IT, and legal teams.

“We turned it on for a few limited devices and engaged senior leadership within the organization so we have a good cross group of people in the pilot,” says Hodkinson.

One of those involved in the pilot is Nationwide's senior vice president and chief risk officer, Michael Mahaffey.

“All the folks in the pilot had company-owned BlackBerry smartphones and this pilot allowed us to use personally-owned devices—an iPhone, an iPad, etc.—but using secure software to access much of the same information,” he says. “It's a very controlled, staged pilot that enables us to ensure the data is protected and then extend the participants slowly. As a user, I think it's been wonderful.”

The pilot is a component of a larger Nationwide initiative which the carrier calls the Emerging Workplace, according to Hodkinson. There are multiple components, looking at how the carrier's workforce increasingly is relying on mobile computing. Hodkinson explained there are human resource policies, information security policies, and legal policies all under review.

Hodkinson's team is working on the security piece of the puzzle so if the device is lost or stolen Nationwide has the data protected. “For applications associates need to use for their job, we want to validate that [the apps] work securely on the devices associates want to use,” she says.

Divergent Directions

Risk managers are facing two related, yet divergent, movements in the world of computing, according to Allred.

First is the incredible growth of smartphones and the wireless computing being done over those devices. The second is the emergence of cloud computing.

“In some ways they are related because they are similar types of operations,” says Allred. “You are relying on someone else to manage, carry, and secure information.”

There are different specifics around the two, though, points out Allred, and technology leaders are trying to understand the implications for the enterprise.

“As we look at the communications firms or cloud computing firms, we spend an awful lot of time trying to understand how they manage their networks—not only the technical side but the human engineering side as well—to try and prevent [bad] things from happening and respond rapidly if things do happen,” says Allred.

Larry Collins, head of e-Solutions for Zurich Services Corporation, worries the expansion of mobile computing has enabled the hackers of the world to go phishing on Web sites to collect user IDs and information or credit card information.

“There is an enormous impact from mobile computing in that genre,” he says. “The APWG trade group (Anti Phishing Work Group) estimates there are about 40,000 attacks a month going on. A lot of that has been enabled by instant messaging and the collection of mobile devices we might have. The mobile computing environment provides a new venue for that kind of attack, especially since they contain so much data.”

Carriers often are doing all the right things in managing risk, but as Mike Besso, e-commerce specialist for Zurich Services, points out, IT departments are forced to produce content faster because business users want more content for their mobile devices.

“Our customers are likely to produce content,” says Besso. “Fact checking and validating numbers is one thing, but it's beginning not to happen. This is starting to play out with people making bad decisions based on the information they received from their devices.”

For example, Besso points to a mistake made by Fox News in November when it ran a story on its Web site that editors picked up from the satirical Web site The Onion. The article was posted on the Fox News Web site before anyone from Fox realized it was a bogus story.

“This is going to become more prevalent as our customers move into the cloud,” says Besso. “They are going to want to keep up with or be better than the competition and sometimes that means cutting corners in fact-checking and that increases liability.”

Enterprise Level

Risk management is what insurance companies do best. At Nationwide, Mahaffey explains ERM is actually enterprise risk and capital management.

“It's different in a sense that we are, at our core, risk intermediaries on behalf of our customers,” he says. “When we talk about ERM we are talking about catastrophe risk we're willing to accept through the sale of property insurance; mortality risk in the sale of life insurance; and investment risk when we invest the proceeds from premiums into bonds, equities or anything else. Enterprise risk and capital management is integrally linked with our core strategy and our core business management.”

Those two sides are inextricably linked, according to Mahaffey. From there, convergence is woven throughout the organization with the other functions.

For example, Nationwide has functions governing compliance, privacy, information security, continuity management, financial reporting controls, and other dimensions of operational risk.

“We have a variety of control functions designed to make sure our operations are well controlled,” says Mahaffey. “That all falls under the broad realm of operational risk. The ERM function is to drive coordination and alignment of standards across all those functions so we have direct accountability and effective collaboration and coordination. These are considered part of our enterprise risk profile. Our job is to make sure we are well aware of the risks and they are well managed, that there is adequate capital to support those risks; that the company is earning the right risk-adjusted returns on capital as part of our long-term business strategy; and ultimately we are doing these things for the long-term benefit of our policyholders.”

“Mike and his team are working to drive that so we have common tools and practices in assessing, prioritizing, classifying, and reporting that risk so we are driving risk mitigation with the highest priorities of the business,” says Hodkinson. “The goal is to positively impact our business performance and ensure the protection of our policyholders. If we are managing our risk effectively, we should see that in our overall business performance.”

More Access

Mahaffey explains the personally-owned device pilot is one small facet of a broader information security strategy for Nationwide.

“What we talked about [with the pilot] is the ability to give key senior executives access to e-mail and calendar functionality on a personally-owned device,” he says. “When we talk about securing customer information that becomes a more comprehensive discussion running from laptop encryption, network access control, secure e-mail, etc.”

Mahaffey points out there has been no difficulty getting not only senior management but board focus on the importance of maintaining a conservative and secure risk posture when it comes to protecting the information of Nationwide's customers.

“That's been high on the radar screen of our leadership,” he says. “The broader context of our position on the deployment of resources and risk tolerance for information security is we've been demonstrated and recognized leaders in this space for a long time.”

Jojy Mathew is a global practice leader for Capgemini's business information management practice and is focused on enterprise information management and strategy.

Mathew believes corporate ERM initiatives in the past were led by compliance and corporate security, which means often there was no business owner or sponsor.

“Business people need to take ownership,” he says. “If you violate client privacy policies you are going to be sued and could lose millions of dollars, so this really has become a business imperative.”

Hodkinson agrees there has been great support from across the organization.

“We look at information risk management as a business issue,” she says. “If our customers don't trust us they are not going to do business with us. Criminals are always becoming more sophisticated and working around traditional controls. We look at [security] as managing a moving target. The competitive landscape continues to evolve rapidly so we actively monitor our risk posture. We consult with business leaders to make sure we are in alignment with what the highest risks are. We try to drive a balance between risk mitigation and acceptance. We want Nationwide to remain a trusted company which translates into enthusiastic customers, growth, and profitability.”

Having the support of Nationwide's business leaders has brought Hodkinson's team in closer contact with the enterprise risk management team at Nationwide. That teamwork has enabled Hodkinson's group to look at Nationwide's overall risk posture in order to understand various risk mitigation initiatives and stay ahead of risk—including the risk of having employees use personally-owned devices.

“We engage senior leaders across the business on anything from security issues to continuity management, crisis management and compliance. We try to always make sure we are going after the highest risks in order to be responsive to what the business wants us to focus on so we can enable business opportunities,” says Hodkinson. “With personally-owned devices, we want to determine if we can mitigate the risk and enable our associates to be productive at doing their jobs and serving customers.”

Cloud Risks

Allred believes IT professionals are aware of issues and have concerns with cloud computing, but often the business side of the house may not be sophisticated enough to know how the cloud works.

“They simply look at the numbers and believe they can save more money and be more efficient,” says Allred. “They don't have a real solid understanding of what the implications may be when they don't control everything internally in their own environment.”

The issue for Collins is there are general standards available on how to address the quality of a security program, but none of those standards were designed for the scale of a cloud-computing environment.

“The good news about cloud is it concentrates computing power in key places where it is perhaps managed a little better, but I don't have a good warm and fuzzy feeling that [the industry] has adequately looked over controls of the security and privacy of that system,” says Collins. “I suspect there will be a few ugly surprises early on in [cloud] implementations.”

Business Worries

Allred maintains that a lack of sophistication among business users is the cause of many of the risk issues involving mobile and cloud technology.

“Up until now, people have generally had good experiences with their banks and bill paying and while we read horrendous stories of the attacks and the loss of data, the reality is a lot of people are simply never affected by [cyber attacks] and if they are [victims] some don't even know they were affected,” says Allred.

Business users have achieved a comfort level and don't worry about consequences. Allred believes many on the business side just don't understand how IT works.

“Go handle it and don't bother me and by the way, don't spend too much money is often the attitude,” he says. “Some [business users] think they have a hook to save some money but they don't understand the implications of [the technology] and how their IT network is the central nervous system of the company. If the central nervous system breaks down you are paralyzed.”

Allred believes there are a lot of business users engaged with the IT professionals who understand security and standards, but he maintains the missing link often is the people who sign the bills at the end of the day—the CFO and the CEO—who don't understand the implications.

Zurich recently sponsored the Cyber-security Forum, hosted by the Tech-America Foundation, according to Allred, to educate and create awareness of the ERM approach.

“We want them to drill down into how their company operates from all aspects, looking for vulnerabilities and at opportunities and think through how to mitigate the problems or take advantage of the opportunities so they can become more efficient,” he says. “This is an area often neglected because it's the magic in the backroom that [business leaders] don't think about. We see this as a critical missing link to make sure the CEOs and CFOs understand the implications of the financial decisions they are making and how to mitigate those decisions.”

Solvency II

Risk managers also need to look across the ocean to Solvency II, which was established by European insurance regulators. Every insurance company in Europe is mandated to adhere to the Solvency II ERM standards.

“One of the biggest premises behind this is to have all insurance companies on a level playing field,” says Mathew. “Secondly, it is to protect the insured so when they are buying policies the company is not taking too many risks with the policy. Third, from a reporting/governance/compliance perspective, [companies] are adhering to the same standards.”

European insurers have to quantify, manage, and maintain risks and report to the regulators under the mandates of Solvency II, according to Mathew. One area is operational risks, such as security, fraud, and anything related to operations.

“Each company has to quantify the risk and actively manage it,” says Mathew.

P&C carriers have to look at claims and their exposure from a catastrophe.

Finally, there is the investment side, where insurers have to quantify and manage market and credit risks.

Mathew believes the financial crisis of 2008 is what put more emphasis on risk management with mandates such as Solvency II.

“Solvency II has put more urgency and focus on insurers managing information,” says Mathew. “You can't do ERM without the right information and the right people. It's the number one topic right now in the insurance space at the chief risk officer/chief financial officer level.”

Social Networking

The implications of social networking with ERM are not clear yet. Collins explains the largest computer program application in the world today is Facebook, yet it is hardly a mature technology.

“There are profound privacy questions and some profound security issues,” he says. “[Social networking] will be equal if not more to the risk exposures of mobile computing with some unique exposures to companies and corporations as well.”

Allred feels users haven't judged the risks that can arise from social networking.

“Everywhere we go and whatever we do somebody is watching,” he says. “Ninety-nine percent of the time those are people that want to help and do good, but there's that element out there that's looking for a way to cause problems for us in some form or fashion.”

The potential is there not only for loss of information, but also loss of corporate secrets, reputations, business opportunities, and potential physical harm to people or disruption of business networks or utility networks.

“It is becoming almost an incomprehensible situation to know what can be done,” says Allred. “We are working with our customers and others to try and keep a lid on things. So many things, whether it is mobile computing or cloud networking, are not so much a technical problem as they are human engineering problems. Phishing attacks would fail if people would use a little of what I call the world's greatest oxymoron: common sense. That means, if someone asks you for your password that's not a good thing, so don't tell them.”
