Risk is inherent to insurance–that's certainly the nature of the business–but carriers are paying ever greater attention to how best to manage that risk. For IT leaders, this goes beyond just helping business users manage exposures and underwriting. Internal risk can be fatal for a carrier–inefficient systems and processes and a lack of quality data are as dangerous for a company as any Category 3 hurricane.

The term enterprise risk management itself creates risk for insurers because of the wide range of risks insurers face daily. Virtually every task performed by an insurer carries some element of risk. This means companies have to attack problems–the risk to underwriting integrity from faulty data, the risk to the claims department from fraud, the risk to internal systems from faulty software, the risk to customer information from cyber attacks–from different angles, and in this new environment, insurers must ascertain how these risks affect the company from a compliance perspective. Life would be simple if risk management could be addressed through one-stop shopping, but carriers and analysts find their individual risks need to be addressed in a targeted manner.

The View From Inside

While most insurers would agree their industry has enough regulation, analysts, including Craig Weber, Celent's senior analyst in its insurance practice, contend the compliance environment–the Sarbanes-Oxley Act, in particular–is allowing carriers to keep a sharper eye on their affairs.

Line-of-business leaders have come to understand the value they are getting from some of those regulatory demands, and they want the data that is produced for themselves. “It's not simply a regulatory requirement that results in the collection and reporting of data; it's also about understanding your business and operating it effectively,” says Weber. “The driver may have been regulatory compliance, but there actually is business value in understanding the business at that level of detail.”

From an operational perspective, Dietmar Serbee, managing director for PricewaterhouseCoopers, believes risk management applications help insurers avoid some of the problems they experienced in the past. He asserts internal risk managers need to ask: How are you going to manage those controls you have in place against certain malfeasance in the financial reporting space? And how do you analyze the quality of your control environment and your residual risk?

Internally, Weber observes the bar gradually being raised for issues such as system uptime and disaster recovery. What used to be an acceptable level of nonperformance is no longer acceptable. “A service system being down is an unacceptable cost to the business,” he says. “That really puts a lot of pressure on IT to build a more robust infrastructure and to have access to multiple data centers.”

There are tremendous costs in providing those capabilities, Weber points out, but it's increasingly viewed as a cost of doing business. “There's a sense certain costs simply have to be borne by the business,” he says. “One of [those costs] is having near-100 percent access to customer information and service functionality. It's simply unacceptable not to have the ability to answer those kinds of questions and not be able to work on a daily basis.”

Functionality Needs

One of the core functionalities risk management software offers in the IT operation is control self-assessment, according to Serbee. This brings together business units supporting the process to examine the risks, the controls in place to mitigate and manage the risks, and where certain actions need to take place to improve the control environment, he explains. “At the tail end of that, you'll hopefully have a shared agreement across the enterprise of what the risk profile is, and you can do reporting based on that,” he says. “In my discussions with insurance companies, this is a functionality they really are looking for.”

There is a definite synergy between the processes companies undertake for SOX compliance and what the business would do in a risk and control self-assessment, Serbee notes. “The convergence of those two makes sense for insurers,” he says.

Companies have had to do a lot of work to improve timeliness and quality of reporting, Weber indicates, but the SOX requirements also have raised awareness of the business value of that information. “To be able to take an enterprise view of where the business is, where revenues are, where the reserves are, what reinsurance looks like–once you roll them up across different business areas (which now is a regulatory requirement for a public company), it gives you a better understanding of the health of your business,” he says.

The initial reaction within the industry to the regulatory demands was that SOX was bitter medicine, Weber continues. “No one likes to spend that money and be forced to comply with requirements under a deadline, but once you've done that, it makes sense to think about the value [compliance] is bringing,” he says.

Nonpublic companies are joining in, as well. “One reason is they expect at some point they may have to do it, but it's also becoming a best practice in any business, whether it's required or not,” Weber states.

Daniel Amsden, systems project leader for UnumProvident, relates that his perspective on risk management comes from the carrier's need to maintain potentially sensitive content for future litigation purposes, which is done through the Stellent Content Server. The basic data the system stores concerns what business users were exposed to at a particular time. “We've been able to produce [the data] our people were able to use to make the decisions they made at that time,” he says. “These are the instructional resources we use, the computational formula to figure out whether we could underwrite a particular group, and things along that line.”

Getting It Right

In terms of ensuring the accuracy of the data, Weber cautions once you get an electronic snapshot of customer data or policy data, if the data is not accurate, it exposes weaknesses in your operation. “The only thing worse than not seeing the data is seeing inaccurate data,” he says.

Most carriers realize they have information throughout their organizations that needs to be integrated, Weber believes, but it is important they have the ability to improve transparency of the data. “It's not like the data doesn't exist, but in many cases, it's filed away in ways that make it inaccessible to use,” he says. Weber feels carriers are reaching a better understanding of what data they have and then making better use of that data.

Having good data alleviates risks throughout the company, including areas such as fraud detection to address claims risks, according to Tom Brennan, director of special investigations, Highmark Insurance. About two-and-a-half years ago, Highmark began studying its processes and how it did things. “What we needed to do was work better and faster,” he says. “We believe no one knows your data better than you do, so we developed an application (from software provider SAS) where we could get to our data faster and do the analysis we needed to be a lot quicker in determining whether we have a problem or not.”

What's the Risk?

In the area of enterprise risk management for IT operations, Barry Rabkin, senior research analyst in the insurance practice at Financial Insights, advises that one of the first things that should come to every carrier's mind is cyber risk and liabilities–the firewall and security of the systems. “What is the attendant risk in passing information to someone else?” he asks. “Is it information that can be passed on because of HIPAA or SOX, or is it information that needs to be kept closely guarded where only authorized users can get to it?”

Insurers need to think about the information flow within the corporation and to the corporation's clients, Rabkin suggests. “There is an element of risk with content management and collaboration,” he says. “Am I allowing people outside the boundaries of the corporation–who are potential collaborators–to be accessing information they should not [have access to], and do I know who [the collaborators] really are? If I am building a new product and have an agency council, is whoever is signing on from out in the field the people they say they are?”

Rabkin contends human ignorance is an area carriers need to study. “You put in some code or you put in a program, and it brings the system down,” he says. “You didn't do it intentionally; you just didn't have the knowledge you needed to have.”

There also is what Rabkin describes as the project management type of IT risk when the systems being built aren't doing what they are supposed to be doing. He points out such risk is not because IT people willingly are building bad systems, but more often it's because the developers haven't gone through the appropriate unit testing or functional integration testing.

The Marketplace

There are plenty of software companies addressing operational risk management, according to Serbee, many of which offer tailored solutions. “You have a lot of players that originated in the banking/capital market space, so the banking industry had to formalize practices, put processes in place, and manage information,” he says. “Now, the insurance industry is realizing there is a good amount of transferability here.”

Serbee predicts a shakeout in the market over the next 12 to 18 months. “There are a lot of players, and the pie is only so big,” he says. The issue some of these vendors run into, indicates Serbee, is they are small and have a minimal amount of runway. “It's difficult to survive with one or two clients,” he explains. “Even if it's a big client, you still need to go for number two or number three in order to build momentum and become a solution that imposes itself.”

Another element in the market is the larger carriers tend to build their own solutions and are less likely to go for a solution being offered by a software company that has 50 to 100 employees. “It's more difficult for [large carriers] to justify [choosing a smaller vendor] because in many cases, they have the ability to build [a solution] in-house,” Serbee points out.

Transparent Data

For West Bend Mutual, rating and pricing are daily risks, and the risk analytics tool the carrier uses helps underwriters make their decisions on whether to write a risk and how to price it. “We are not at the point where we are automating the decision fully, but it is another tool the underwriters use,” says David Wagner, vice president of IT business solutions.

The most time-consuming part for carriers is gathering all the data, reports Wagner. Such work also is tedious. “That's why we spent a lot of time making sure the data was good and clean,” he says. “The path we chose is we didn't make any assumptions about what data was good or bad. We gave Valen [Technologies] as much as we could find in electronic form and let its tools sort out the predictors.”

West Bend has hundreds of data elements it supplied Valen. “We found all kinds of stuff including loss control reports that were in Word format we could mine some data from,” says Wagner. “A conscious thought, with coaching from Valen, was give [Valen] everything. Don't assume it's not valuable. That was an important step because Valen was able to get interesting tidbits out of the raw data.”

The system is making West Bend more accurate and more efficient, according to Wagner. “To be able to price risk accurately is one of the keys,” he says. “We think we can price more accurately using this tool than we could without it.”

Amsden states the workflow element of the Stellent solution addresses the risk involved with business users viewing faulty documents contributed to UnumProvident's intranet system. Any data has to be checked in and is not available for business users until it goes through the automated review process. The carrier also is interested in using the system for the external-facing components of the company, such as its Internet site, which would allow sign-off to any information presented outside the company, according to Amsden.

The business users are the contributors to the UnumProvident system, Amsden explains. Adding the documents to the system kicks off the workflow, which he describes as a required review process.

Amsden recalls working with a business user on content items that previously were rejected because they had not been checked back into the system in their existing format. Those particular documents kicked off a workflow process that required a subject-matter expert examine them. The documents were reviewed for content and then sent out to a manager to review for marketing purposes. Finally, the documents were pushed out to the intranet system. “That's how we assure the piece of documentation has gone through a washing machine and spit out on the other end as a collaborative content item,” he says. “[The document] was worked on by several different people to assure it is what people need in order to do their job correctly as opposed to something that will get us in trouble down the road. [The document] never goes away. If someone asks us for it, we can produce it for them.”

Showing Integrity

Amsden reports his conversations within and outside the company reinforce the belief the industry is concerned with the integrity of data and its related risk factors, particularly customer-related data. But he remarks in a customer service situation or even at a higher level, such as when underwriters come and go, new business users brought in are going to have to learn their job off some content. “You are going to need the documentation if someone leaves,” he says. “That documentation becomes just as important to you as the data someone is going to review as part of their daily job.”

Faulty documentation is a potential risk for carriers, Amsden maintains. UnumProvident has recognized the problem and is working to solve the issue. Most insurance carriers have a data strategy, and they know how to ensure their data's integrity is top-notch, he points out. “They have their review processes in place for that, but their documents just are sitting around on the network. People are using them every day. They could have 20 copies of the same [document]. You never know.”

With UnumProvident, though, there is only one version in the system. “If you want the real answer to your question, you go to our intranet system, and you find it,” says Amsden. “If you got the document from any place else, you better check it. People have learned that here. We know which document was the authority at the time of the litigation period. We can produce that document for the court system so [the courts] can decide whether we made a mistake on our policy, or perhaps there was a mistake by the user, or there was no mistake at all.”

The first-generation tools Serbee has seen tend to be self-contained custom-built systems that help companies administer risk throughout the enterprise and report on the results. Some of the things he is seeing today are more integrated with a company's production systems. “It makes a lot of sense to track the risks through key risk indicators,” he says. “In order for [the key indicators] to be really meaningful and to lead to actionable information, you want to report on a timely basis. Events don't occur on a monthly reporting cycle; they happen all the time. If you can build engines that provide you with that information as it occurs, that's a big plus from the management perspective.”
