People want data wherever and whenever they need it, and Nationwide Insurance employees are no different. But the issue that risk management personnel at Nationwide, and at every insurance company, have to deal with is how to protect that data.

"We're looking at how we can protect the data versus protect the device," says Lisa Hodkinson, vice president, information risk management for Nationwide. "Associates want to use whatever device makes them most productive. If they want to pull data to that device then we want to find a way to protect [the data] so they can use the tools and applications that help their productivity."

Nationwide is in the pilot stage of a program designed to address those data security issues, including an effort to understand if the carrier's internal applications are compatible and configurable to run on the smartphones in the market, according to Hodkinson.

"Depending on the outcome of our pilot, we hope to move forward with some personally-owned devices – if approved by executive leadership, it will be a very cautious and controlled rollout," she says. The pilot program began in 2010, and Hodkinson points out there is a lot of research, analysis, piloting and ramp-up work involved across Nationwide's HR, IT and Legal teams.

"We turned it on for a very few limited devices and engaged senior leadership within the organization so we have a good cross group of people in the pilot," says Hodkinson.

One of those involved in the pilot is Nationwide's senior vice president and chief risk officer, Michael Mahaffey.

"All the folks in the pilot had company-owned BlackBerry smartphones and this pilot allowed us to use personally-owned devices—an iPhone, an iPad, etc.—but using secure software to access much of the same information," he says. "It's a very controlled, staged pilot that enables us to ensure the data is protected and then extend the participants slowly. As a user of it I think it's been wonderful."

The pilot is a component of a larger Nationwide initiative which the carrier calls the Emerging Workplace, according to Hodkinson. The initiative has multiple components that look at how Nationwide's workforce is increasingly relying on mobile computing. Hodkinson explained there are human resource policies, information security policies, and legal policies all under review.

Hodkinson's team is working on the security piece of the puzzle so that if a device is lost or stolen, Nationwide has the data protected. "For applications associates need to use for their job, we want to validate they work securely on the devices associates want to use," she says.

Business Support

Having the support of Nationwide's business leaders has brought Hodkinson's team in closer contact with the enterprise risk management team at Nationwide. That teamwork has enabled Hodkinson's group to look at Nationwide's overall risk posture in order to understand various risk mitigation initiatives and stay ahead of risk, including the risk of having employees use personally-owned devices.

"We engage senior leaders across the business on anything from security issues to continuity management, crisis management and compliance. We try to always make sure we are going after the highest risks in order to be responsive to what the business wants us to focus on so we can enable business opportunities," says Hodkinson. "With personally-owned devices, we want to determine if we can mitigate the risk and enable our associates to be productive at doing their jobs and serving customers."

Broader Strategy

Mahaffey explains the personally-owned device pilot is one small facet of a broader information security strategy for Nationwide.

"What we talked about [with the pilot] is the ability to give key senior executives access to e-mail and calendar functionality on a personally-owned device," he says. "When we talk about securing customer information that becomes a more comprehensive discussion running from laptop encryption, network access control, secure e-mail, etc."

Mahaffey points out there has been no difficulty getting not only senior management but also the board to focus on the importance of maintaining a conservative and secure risk posture when it comes to protecting the information of Nationwide's customers.

"That's been high on the radar screen of our leadership," he says. "The broader context of our position on the deployment of resources and risk tolerance for information security is we've been demonstrated and recognized leaders in this space for a long time."

Hodkinson agrees there has been great collaboration and support from across the organization.

"We look at information risk management as a business issue," she says. "If our customers don't trust us they are not going to do business with us. Criminals are always becoming more sophisticated and working around traditional controls. We look at [security] as managing a moving target. The competitive landscape continues to evolve rapidly so we actively monitor our risk posture. We consult with business leaders to make sure we are in alignment with what the highest risks are. We try to drive a balance between risk mitigation and acceptance. We want Nationwide to remain a trusted company which translates into enthusiastic customers, growth, and profitability."

What They Do Best

Risk management is what insurance companies do best. At Nationwide, Mahaffey explains ERM is actually enterprise risk and capital management.

"It's different in a sense that we are, at our core, risk intermediaries on behalf of our customers," he says. "When we talk about ERM we are talking about catastrophe risk we're willing to accept through the sale of property insurance; mortality risk in the sale of life insurance; and investment risk when we invest the proceeds from premiums into bonds, equities or anything else. Enterprise risk and capital management is integrally linked with our core strategy and our core business management."

Those two sides are inextricably linked, according to Mahaffey. From there, convergence is woven throughout the organization with the other functions.

For example, Nationwide has functions governing compliance, privacy, information security, continuity management, financial reporting controls, and other dimensions of operational risk.

"We have a variety of control functions designed to make sure our operations are well controlled," says Mahaffey. "That all falls under the broad realm of operational risk. The ERM function there is to drive coordination and alignment of standards across all those functions so we have direct accountability and effective collaboration and coordination. These are considered part of our enterprise risk profile. Our job is to make sure we are well aware of the risks and they are well managed, that there is adequate capital to support those risks; that the company is earning the right risk-adjusted returns on capital as part of our long-term business strategy; and ultimately that we are doing these things for the long-term benefit of our policyholders."

Need for Convergence

In a large organization such as Nationwide with multiple business segments and business units, there is a need for convergence, points out Hodkinson.

"Mike and his team are working to drive that so we have common tools and practices in assessing, prioritizing, classifying, and reporting that risk so we are driving risk mitigation with the highest priorities of the business," she says. "The goal is to positively impact our business performance and ensure the protection of our policyholders. If we are managing our risk effectively, we should see that in our overall business performance."

 
