In recent years, insurance companies have changed their focus in terms of how they want to be both profitable and competitive in the marketplace.
“It used to be all about driving premium growth,” says Frank Petersmark, CIO advocate for X By 2, a consulting firm specializing in enterprise and application architecture for the insurance industry. “Before the economic downturn, carriers began to think long term about enterprise risk management to develop a strong book. Today, being profitable is more about risk control—managing pricing and making money off underwriting.”
Insurance carriers also find themselves opening their internal systems to forge collaboration through mobile technology and social media that connects carriers to consumers and business partners.
The research and consulting group Forrester has seen a drop in investment in the areas of risk and compliance. In its survey of insurers on enterprise risk management, 60 percent of carriers listed ERM as either a high or a critical priority. That sounds all well and good, except that when Forrester conducted a similar survey in 2010, 72 percent of respondents listed enterprise risk management as a high or critical priority.
“Investment today seems to be all about emerging technology,” says Ellen Carney, senior analyst for Forrester. “[Insurers] are looking at new ways to be innovative in the business and in many ways enterprise risk management and compliance are standing in the way of [innovation], particularly when you consider things like the implications of consumer information privacy.”
Carney is surprised by her company’s survey numbers and believes spending on ERM and compliance should instead be at the forefront, especially in today’s world where carriers are opening their doors and windows to mobile technology and social media.
“There haven’t been any nasty disclosures of consumer information for insurers that you have seen with other industries,” she says, by way of explanation for this pattern. “Insurers have done a good job as an industry in being compliant with how they use consumer information. The same goes with security and keeping out the bad guys. Insurance isn’t the sexiest industry, so you can say they’ve done a good job of building out security organizations, but it’s not a good time to take your eye off the risk/compliance ball.”
Many carriers are just scratching the surface of ERM, explains Petersmark.
“They are trying to figure out what it is and how it’s applied to the enterprise,” he says.
Petersmark believes there are significant reasons for carriers to work harder on ERM. He explains that when he served as CIO at Amerisure, the carrier looked mainly at the financial elements.
“It’s a fine way to start,” he says. “The ERM platform allows you to evaluate and model. The key word is enterprise. If you think about it across the enterprise, there is an opportunity to connect people in ways they’ve never been connected before. To do ERM well you need input and data points from all over the company.”
Unfortunately, that hasn’t always been a common practice in the insurance industry.
“People are busy and there are silos,” says Petersmark. “You need to develop a holistic view of risk within the organization. It allows people to collaborate and connect in a different way.”
At that point, insurers can begin to think of ERM as something more than a way to measure financial risk.
“Every day is full of risk calculations and not all of them are financial,” says Petersmark. “There are different kinds of risks. Some have to do with human resources, some with infrastructure and availability. There is an opportunity for companies to think more broadly about risk.”
Petersmark’s third point is that if a carrier reaches a level where ERM is done well, it should create opportunity for the carrier.
“If you are concerned about risk and are doing advanced analytical work, you have different data points going,” he says. “If you are smart about it you should be able to create some opportunities you might not have thought you had. One way to look at ERM for future-focused carriers is you create opportunity out of the chaos. If the chaos is the current enterprise and the diverse set of functions and financial portfolios and you find the way to pull that all together, you should find out some things that you might never have seen before.”
Risk management is a shared responsibility throughout PURE (Privilege Underwriters Reciprocal Exchange), the member-owned reciprocal insurer that focuses on serving the personal insurance needs of responsible, high net worth individuals and families.
“In many, if not all of our management meetings, we discuss risk management across the enterprise,” says Stuart Tainsky, senior vice president and CIO at PURE.
Tainsky believes the insurance industry learned important lessons about internal risk management in the early 2000s as government legislation such as Sarbanes-Oxley came about and the tragedy of 9/11 brought a new focus on business interruption and disaster recovery.
“Everyone has a deeper understanding of the importance of a good risk management strategy,” says Tainsky. “Whether it is having your systems located in a secure hosting facility with redundancy; having the right succession plan in place for key personnel; or making sure you have redundancies if one of your processes fails, risk management is something that is peace of mind for PURE. As a company that focuses on managing risk for our members, we are attuned to the need to focus on risk management in our own environment as well.”
According to Carney, Forrester reports that 49 percent of insurers say they are planning to significantly upgrade their security environment, assigning it critical priority.
She explains that number is midway down the priority rankings for insurers, but she points out it is barely ahead of initiatives such as social media and mobile.
“Anything to do with data environments is at the top of the list,” says Carney. “We’re seeing this consistently as a better way to tap into the strategic asset they have in their possession—their data.”
From a risk management standpoint, Carney believes any business intelligence or decision support tool strategy has a clear line of sight to the company’s ERM posture.
“It doesn’t make sense to be dependent on data to make operational business and development decisions if potentially the data is not secure and there is risk associated with it,” she says.
Carney also believes the prevailing attitude of consumers should be that protection of their personal information is an important factor in their use of technology, but the Forrester survey shot holes in that theory.
“I was actually surprised that in our survey about what was more important to consumers, fast page-loading, highly developed Websites, and security messages were ranked the highest,” says Carney. “Ease of navigation beat out security, so maybe that explains the decline in risk and compliance posture among insurers. We take [security] as a given in the industry. Consumers haven’t heard of many nasty security threats within the insurance industry, so security is considered table stakes now. But just because they don’t read about [security events] doesn’t mean they aren’t happening.”
Security falls under risk management for some carriers, points out Petersmark.
“When companies first started poking around with ERM it was really just financial,” he says. “Now there is an understanding that it’s more than a financial issue. Security from a liability viewpoint—a data spill where you are responsible for personal information—has moved into the bucket with enterprise risk.”
Petersmark believes security used to be looked on as an afterthought—changing passwords and other innocuous issues—within the IT department. Today, a misstep involving security can cost companies bad publicity, which leads to market-share loss, lawsuits, and other bad things the board of directors doesn’t want to find on their doorstep.
“I don’t know if companies give that the ERM weight, but maybe they should,” Petersmark says. “There is still a bit of ‘that’ll never happen to me’ attitude with carriers.”
Petersmark has not heard of any risk managers specializing in data security, but larger carriers, he explains, have relatively robust security departments and more often than not they are housed within IT and under the control of the CIO. Carriers will have someone at a director level, depending on the size of the company, running the department.
“They are sort of their own risk managers, but I’ve seen security steering committees where they engaged cross-functional business executives with two goals,” he says. “One is there’s an education component and it has an impact. Number two, you can start moving the focus of security up-stack. This is serious and you need to think about moving to a new security platform, whatever it might be. Things like that have become more than just an IT issue.”
PURE requires its cloud-based providers to follow generally accepted security standards, and has each vendor prove to PURE’s satisfaction that it is operating in a secure environment.
“We want to have a nimble environment and having the right risk management structure in place to give us that nimbleness, but it comes with risks in and of itself,” says Tainsky. “You don’t want to go with a fly-by-night provider. That is the [due diligence] you perform, no matter what vendor or product you use. We look at the technologies available throughout the marketplace. It doesn’t matter if you are selling insurance or cars. We try to find the best people in the business that can provide service in the most secure manner.”
As for new software licensing or deployment models such as SaaS or managed services, Carney believes a primary concern insurers have about these models is exposure to greater threats.
“That’s certainly one of the biggest objections I’ve heard among insurers for not deploying SaaS,” says Carney. “Insurers are fine with SaaS for email productivity, but it’s doubtful they would think about areas such as policy administration systems—the DNA of the business—in the cloud. It’s a significant concern from a security and compliance standpoint. For any on premises software being introduced into the company, the risk is also a given.”
The bigger concern from a security standpoint, according to Carney, is the unstructured data that insurers are becoming increasingly dependent upon, both from social media and from helpful claimants capturing images with their mobile phones and taking witness statements for a claim.
“Insurers have to make sure there is no malware or potential security issues for the data coming to their systems,” she says.
The majority of PURE’s technology operates in the cloud, according to Tainsky. Secure-hosting and managed-service providers enable the insurer to operate business as usual, even in the face of something such as this summer’s Hurricane Irene, adds Tainsky.
“The fact that we have all this secure cloud-based technology—call center, messaging, policy, and claims systems, and the infrastructure in place to service it enables us to have disaster recovery capabilities instantaneously,” says Tainsky. “It is a tremendous asset to us as we grow our business. Using secure, hosted or cloud-based technology is a big part of our risk management strategy.”
When there is a crisis situation, Tainsky points out the last thing anyone wants to think about is where employees are going to work, how they will get to work, and how they will be able to connect with coworkers or customers.
“When you have those bases covered and test them regularly, as we do, it’s not a concern,” says Tainsky. “You can focus on servicing the needs of the insureds so you are getting them the quality of service they deserve. It’s certainly a competitive advantage.”
Tainsky believes PURE has taken advantage of the technology in the market.
“Our strategy of using more outsourced services for the commoditized technology, such as call-center technology, is a strategy not just for new companies,” he says. “More seasoned companies are looking at those technologies in order to be more nimble, whether it is closing down branches or dealing with disaster situations.”
As for regulatory compliance, Carney recently attended the PIMA conference where a speaker discussed the regulatory compliance landscape.
“He asked: What would you rather deal with, 50 monkeys or one giant gorilla?” says Carney. “We haven’t heard much conversation from clients about the changing regulatory environment. People are taking a wait-and-see approach. There are other more pressing compliance issues than the Federal Insurance Office. Vendors love wait-and-see attitudes. They can make hay out of that.”
The PURE compliance team has partnerships with consulting groups that help the insurer understand new regulations and keep PURE apprised of any new concerns.
“Our nimble technology enables us to deliver changes quickly with the business side,” says Tainsky. “Our systems enable us to understand the requirements and use the great relationship we have with the business side. We can make changes as quickly as we need to. To understand the product, file proof of the product, develop requirements, and understand all the requirements that have to go into the product has been a competitive advantage for us.”
CIO: RISK MANAGER
Petersmark doesn’t see many CIOs with the dual task of risk manager, but he believes the CIO needs to be involved in any ERM discussion.
“The CIO is in as good a position as anyone else in the organization to help companies think about ERM more holistically and truly from an enterprise perspective,” he says. “Any high level insurance leader—either in IT or on the business side—is a risk manager every day. They all have their divisions and budgets to look after and they are doing all sorts of calculations for themselves every single day.”
The CIO is in a unique position, though, by virtue of the work IT does.
“They have or should have a larger view of the organization,” says Petersmark. “They can certainly play the role of risk manager, and an opportunity could be there for them to play that role.”
Within IT, though, CIOs already are their own risk managers.
“You could argue that the CIOs with most carriers probably engage in risk more than other business executives to the point where they often are in the position of managing large portfolios of existing systems and applications that the company depends upon to run their business,” says Petersmark. “Balance that with the fact these applications have a certain run rate, there is so much investment in resources, and now you have to modernize it. There are huge risks in disrupting current business processes and practices to better those processes and practices.”
There’s also the human element, according to Petersmark.
“Do the people in IT have the chops to do a certain project or do we need to go outside, bring in some third parties, and add some risk?” he says.
There is financial risk for CIOs, technology process risks, human talent risks, and for the company there is opportunity risk, explains Petersmark.
“Anymore, it’s IT departments helping carriers get to be more responsive, more nimble, and to be able to have innovative platforms that allow you to get new products or get into a new geography quicker,” he says.