Once upon a time, risk management meant making sure employees didn't trip over boxes lining the hallways. It was a different time and place for risk managers. Today, though, risk management has risen to a level that looks at all types of exposures. In the insurance industry that means internal as well as external exposures.

Still, there are multiple levels of sophistication around enterprise risk management.

“I've had conversations with supposedly sophisticated risk managers who think of ERM only in terms of worker injuries, automobile driving techniques, and fire protection in the building,” says David Allred, head of technology for Zurich North America Commercial. “They don't go much beyond that to look at the internal risks to the business. They don't think about credit risk, political risk, or supply chain management.”

Cyber security is a major issue facing risk managers today, particularly with the abundance of mobile computing devices that have found their way into the workplace. It is an issue of such importance that the World Economic Forum recently listed it first among its five “risks to watch” in its Global Risks Report.

“The science of risk management has grown over the last few years,” says Allred. “The concept oftentimes has outrun the practical use in many cases because it's still a learning process for a lot of companies.”

People want data wherever and whenever they need it, and Nationwide Insurance employees are no different. But the issue risk-management personnel at Nationwide, along with every other insurance company, have to deal with is how to protect that data.

“We're looking at how we can protect the data versus protect the device,” says Lisa Hodkinson, vice president, information risk management for Nationwide. “Associates want to use whatever device makes them most productive. If they want to pull data to that device then we want to find a way to protect [the data] so they can use the tools and applications that help their productivity.”

Nationwide is in the pilot stage of a program designed to address those data security issues, including an effort to determine whether the carrier's internal applications are compatible with, and can be configured to run on, the smartphones on the market, according to Hodkinson.

“Depending on the outcome of our pilot, we hope to move forward with some personally-owned devices—if approved by executive leadership. It will be a very cautious and controlled rollout,” she says. The pilot program was begun in 2010 and Hodkinson points out there is research, analysis, piloting, and ramp-up work involved across the insurer's HR, IT, and legal teams.

“We turned it on for a few limited devices and engaged senior leadership within the organization so we have a good cross group of people in the pilot,” says Hodkinson.

One of those involved in the pilot is Nationwide's senior vice president and chief risk officer, Michael Mahaffey.

“All the folks in the pilot had company-owned BlackBerry smartphones and this pilot allowed us to use personally-owned devices—an iPhone, an iPad, etc.—but using secure software to access much of the same information,” he says. “It's a very controlled, staged pilot that enables us to ensure the data is protected and then extend the participants slowly. As a user, I think it's been wonderful.”

The pilot is one component of a larger Nationwide initiative the carrier calls the Emerging Workplace, according to Hodkinson. Its several components examine how the carrier's workforce increasingly relies on mobile computing; Hodkinson explained that human resource policies, information security policies, and legal policies are all under review.

Hodkinson's team is working on the security piece of the puzzle, so that if a device is lost or stolen, Nationwide's data remains protected. “For applications associates need to use for their job, we want to validate that [the apps] work securely on the devices associates want to use,” she says.
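One concrete way to make a lost or stolen device hold nothing readable, offered here as an added illustration and not as code from Nationwide or from the article: the mobile application keeps only ciphertext on the device and obtains its data-encryption key from an enterprise key service at the start of each authenticated session. Once the device is reported lost, the service refuses to release the key, and the cached records can no longer be decrypted by anyone, including the thief. The key service, the device identifier, the record names, and the sample claim record below are all hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer is a hypothetical enterprise key-release service: a device gets its
// data-encryption key per session, and only while it is not reported lost.
type KeyServer struct {
	keys    map[string][]byte // device ID -> 32-byte AES-256 key
	revoked map[string]bool
}

func NewKeyServer() *KeyServer { return &KeyServer{map[string][]byte{}, map[string]bool{}} }

// Enroll generates a fresh random key for a device; the device never stores it.
func (s *KeyServer) Enroll(deviceID string) error {
	s.keys[deviceID] = make([]byte, 32)
	_, err := rand.Read(s.keys[deviceID])
	return err
}

// Revoke marks a device lost or stolen: no further key releases for it.
func (s *KeyServer) Revoke(deviceID string) { s.revoked[deviceID] = true }

// ReleaseKey fails closed: revoked or unknown devices get nothing.
func (s *KeyServer) ReleaseKey(deviceID string) ([]byte, error) {
	if s.revoked[deviceID] {
		return nil, errors.New("device revoked: key release denied")
	}
	if key, ok := s.keys[deviceID]; ok {
		return key, nil
	}
	return nil, errors.New("unknown device")
}

// Cache is the app's persistent store on the device: record name -> nonce||ciphertext.
type Cache map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Save encrypts with AES-256-GCM; the record name is bound as associated data
// so a ciphertext cannot be swapped into another slot.
func (c Cache) Save(sessionKey []byte, name string, plaintext []byte) error {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	c[name] = aead.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Load fails on a wrong key, a tampered blob, or a missing record.
func (c Cache) Load(sessionKey []byte, name string) ([]byte, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	blob, ns := c[name], aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("missing or corrupt record")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// LostDeviceScenario returns (readable during the session, readable after revocation).
func LostDeviceScenario() (bool, bool, error) {
	server, cache, id := NewKeyServer(), Cache{}, "iphone-1234" // hypothetical device ID
	if err := server.Enroll(id); err != nil {
		return false, false, err
	}
	record := []byte("claim 4471: policyholder J. Doe, reserve 12500") // constructed sample
	key, err := server.ReleaseKey(id)                                 // session start
	if err != nil {
		return false, false, err
	}
	if err := cache.Save(key, "claim-4471", record); err != nil {
		return false, false, err
	}
	got, err := cache.Load(key, "claim-4471")
	during := err == nil && string(got) == string(record)
	server.Revoke(id) // device reported lost: the key is never released again
	if key, err = server.ReleaseKey(id); err != nil {
		return during, false, nil // denial is the intended outcome, not a failure
	}
	_, err = cache.Load(key, "claim-4471")
	return during, err == nil, nil
}

func main() { fmt.Println(LostDeviceScenario()) }
```

The design choice worth noting is that the device is never trusted to destroy anything: a remote wipe may never reach a phone that is powered off or offline, whereas refusing to release the key makes the ciphertext left on the device worthless without any cooperation from the device at all. Binding the record name as GCM associated data is a cheap guard against an attacker who can rearrange files in the cache but cannot read them.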

Divergent Directions

Risk managers are facing two related, yet divergent, movements in the world of computing, according to Allred.

First is the incredible growth of smartphones and the wireless computing being done over those devices. The second is the emergence of cloud computing.

“In some ways they are related because they are similar types of operations,” says Allred. “You are relying on someone else to manage, carry, and secure information.”

The two differ in their specifics, though, Allred points out, and technology leaders are trying to understand the implications for the enterprise.

“As we look at the communications firms or cloud computing firms, we spend an awful lot of time trying to understand how they manage their networks—not only the technical side but the human engineering side as well—to try and prevent [bad] things from happening and respond rapidly if things do happen,” says Allred.

Larry Collins, head of e-Solutions for Zurich Services Corporation, worries that the expansion of mobile computing has made it easier for hackers to phish, using look-alike Web sites to harvest user IDs, personal information, or credit card numbers.

“There is an enormous impact from mobile computing in that genre,” he says. “The APWG trade group (Anti-Phishing Working Group) estimates there are about 40,000 attacks a month going on. A lot of that has been enabled by instant messaging and the collection of mobile devices we might have. The mobile computing environment provides a new venue for that kind of attack, especially since they contain so much data.”

Carriers often are doing all the right things in managing risk, but as Mike Besso, e-commerce specialist for Zurich Services points out, IT departments are forced to produce content faster because business users want more content for their mobile devices.

“Our customers are likely to produce content,” says Besso. “Fact checking and validating numbers is one thing, but it's beginning not to happen. This is starting to play out with people making bad decisions based on the information they received from their devices.”

For example, Besso points to a mistake made by Fox News in November when it ran a story on its Web site that editors picked up from the satirical Web site The Onion. The article was posted on the Fox News Web site before anyone from Fox realized it was a bogus story.

“This is going to become more prevalent as our customers move into the cloud,” says Besso. “They are going to want to keep up with or be better than the competition and sometimes that means cutting corners in fact-checking and that increases liability.”

Enterprise Level

Risk management is what insurance companies do best. At Nationwide, Mahaffey explains ERM is actually enterprise risk and capital management.

“It's different in a sense that we are, at our core, risk intermediaries on behalf of our customers,” he says. “When we talk about ERM we are talking about catastrophe risk we're willing to accept through the sale of property insurance; mortality risk in the sale of life insurance; and investment risk when we invest the proceeds from premiums into bonds, equities or anything else. Enterprise risk and capital management is integrally linked with our core strategy and our core business management.”

Those two sides are inextricably linked, according to Mahaffey, and from there the convergence is woven through the organization's other functions.

For example, Nationwide has functions governing compliance, privacy, information security, continuity management, financial reporting controls, and other dimensions of operational risk.

“We have a variety of control functions designed to make sure our operations are well controlled,” says Mahaffey. “That all falls under the broad realm of operational risk. The ERM function is to drive coordination and alignment of standards across all those functions so we have direct accountability and effective collaboration and coordination. These are considered part of our enterprise risk profile. Our job is to make sure we are well aware of the risks and they are well managed, that there is adequate capital to support those risks; that the company is earning the right risk-adjusted returns on capital as part of our long-term business strategy; and ultimately we are doing these things for the long-term benefit of our policyholders.”

“Mike and his team are working to drive that so we have common tools and practices in assessing, prioritizing, classifying, and reporting that risk so we are driving risk mitigation with the highest priorities of the business,” says Hodkinson. “The goal is to positively impact our business performance and ensure the protection of our policyholders. If we are managing our risk effectively, we should see that in our overall business performance.”

More Access

Mahaffey explains the personally-owned device pilot is one small facet of a broader information security strategy for Nationwide.

“What we talked about [with the pilot] is the ability to give key senior executives access to e-mail and calendar functionality on a personally-owned device,” he says. “When we talk about securing customer information that becomes a more comprehensive discussion running from laptop encryption, network access control, secure e-mail, etc.”

Mahaffey points out there has been no difficulty getting the attention of not only senior management but also the board on the importance of maintaining a conservative and secure risk posture when it comes to protecting the information of Nationwide's customers.

“That's been high on the radar screen of our leadership,” he says. “The broader context of our position on the deployment of resources and risk tolerance for information security is we've been demonstrated and recognized leaders in this space for a long time.”

Jojy Mathew is a global practice leader for Capgemini's business information management practice and is focused on enterprise information management and strategy.

Mathew believes corporate ERM initiatives in the past were led by compliance and corporate security, which often meant there was no business owner or sponsor.

“Business people need to take ownership,” he says. “If you violate client privacy policies you are going to be sued and could lose millions of dollars, so this really has become a business imperative.”

Hodkinson agrees there has been great support from across the organization.

“We look at information risk management as a business issue,” she says. “If our customers don't trust us they are not going to do business with us. Criminals are always becoming more sophisticated and working around traditional controls. We look at [security] as managing a moving target. The competitive landscape continues to evolve rapidly so we actively monitor our risk posture. We consult with business leaders to make sure we are in alignment with what the highest risks are. We try to drive a balance between risk mitigation and acceptance. We want Nationwide to remain a trusted company which translates into enthusiastic customers, growth, and profitability.”

Having the support of Nationwide's business leaders has brought Hodkinson's team into closer contact with the enterprise risk management team at Nationwide. That teamwork has enabled Hodkinson's group to look at Nationwide's overall risk posture, to understand the various risk mitigation initiatives, and to stay ahead of risk, including the risk of having employees use personally-owned devices.

“We engage senior leaders across the business on anything from security issues to continuity management, crisis management and compliance. We try to always make sure we are going after the highest risks in order to be responsive to what the business wants us to focus on so we can enable business opportunities,” says Hodkinson. “With personally-owned devices, we want to determine if we can mitigate the risk and enable our associates to be productive at doing their jobs and serving customers.”

Cloud Risks

Allred believes IT professionals are aware of the issues and have concerns about cloud computing, but the business side of the house often is not sophisticated enough to know how the cloud works.

“They simply look at the numbers and believe they can save more money and be more efficient,” says Allred. “They don't have a real solid understanding of what the implications may be when they don't control everything internally in their own environment.”

The issue for Collins is that general standards exist for assessing the quality of a security program, but none of them was designed for the scale of a cloud-computing environment.

“The good news about cloud is it concentrates computing power in key places where it is perhaps managed a little better, but I don't have a good warm and fuzzy feeling that [the industry] has adequately looked over controls of the security and privacy of that system,” says Collins. “I suspect there will be a few ugly surprises early on in [cloud] implementations.”

Business Worries

Allred maintains that a lack of sophistication among business users is the cause of many of the risk issues involving mobile and cloud technology.

“Up until now, people have generally had good experiences with their banks and bill paying and while we read horrendous stories of the attacks and the loss of data, the reality is a lot of people are simply never affected by [cyber attacks] and if they are [victims] some don't even know they were affected,” says Allred.

Business users have achieved a comfort level and don't worry about consequences. Allred believes many on the business side just don't understand how IT works.

“Go handle it and don't bother me and by the way, don't spend too much money is often the attitude,” he says. “Some [business users] think they have a hook to save some money but they don't understand the implications of [the technology] and how their IT network is the central nervous system of the company. If the central nervous system breaks down you are paralyzed.”

Allred believes there are a lot of business users engaged with the IT professionals who understand security and standards, but he maintains the missing link often is the people who sign the bills at the end of the day—the CFO and the CEO—who don't understand the implications.

Zurich recently sponsored the Cyber-security Forum, hosted by the TechAmerica Foundation, according to Allred, to educate and create awareness of the ERM approach.

“We want them to drill down into how their company operates from all aspects, looking for vulnerabilities and at opportunities and think through how to mitigate the problems or take advantage of the opportunities so they can become more efficient,” he says. “This is an area often neglected because it's the magic in the backroom that [business leaders] don't think about. We see this as a critical missing link to make sure the CEOs and CFOs understand the implications of the financial decisions they are making and how to mitigate those decisions.”

Solvency II

Risk managers also need to look across the Atlantic to Solvency II, the regulatory regime for insurers established by the European Union. Every insurance company operating in the EU is required to adhere to its ERM standards.

“One of the biggest premises behind this is to have all insurance companies on a level playing field,” says Mathew. “Secondly, it is to protect the insured so when they are buying policies the company is not taking too many risks with the policy. Third, from a reporting/governance/compliance perspective, [companies] are adhering to the same standards.”

European insurers have to quantify, manage, and maintain risks and report to the regulators under the mandates of Solvency II, according to Mathew. One area is operational risks, such as security, fraud, and anything related to operations.

“Each company has to quantify the risk and actively manage it,” says Mathew.

P&C carriers have to look at claims and their exposure to catastrophes.

Finally, there is the investment side, where insurers have to quantify and manage market and credit risks.

Mathew believes the financial crisis of 2008 is what put more emphasis on risk management through mandates such as Solvency II.

“Solvency II has put more urgency and focus on insurers managing information,” says Mathew. “You can't do ERM without the right information and the right people. It's the number one topic right now in the insurance space at the chief risk officer/chief financial officer level.”

Social Networking

The implications of social networking for ERM are not clear yet. Collins notes that Facebook is the largest application in the world today, yet it is hardly a mature technology.

“There are profound privacy questions and some profound security issues,” he says. “[Social networking] will be equal if not more to the risk exposures of mobile computing with some unique exposures to companies and corporations as well.”

Allred feels users have not yet weighed the risks that can arise from social networking.

“Everywhere we go and whatever we do somebody is watching,” he says. “Ninety-nine percent of the time those are people that want to help and do good, but there's that element out there that's looking for a way to cause problems for us in some form or fashion.”

The potential is there not only for loss of information, but also loss of corporate secrets, reputations, business opportunities, and potential physical harm to people or disruption of business networks or utility networks.

“It is becoming almost an incomprehensible situation to know what can be done,” says Allred. “We are working with our customers and others to try and keep a lid on things. So many things, whether it is mobile computing or cloud networking, are not so much a technical problem as they are human engineering problems. Phishing attacks would fail if people would use a little of what I call the world's greatest oxymoron: common sense. That means, if someone asks you for your password that's not a good thing, so don't tell them.”

© 2025 ALM Global, LLC, All Rights Reserved.