Risk is inherent to insurance–that's certainly the nature of the business–but carriers are paying ever greater attention to how best to manage that risk. For IT leaders, this goes beyond just helping business users manage exposures and underwriting. Internal risk can be fatal for a carrier–inefficient systems and processes and a lack of quality data are as dangerous for a company as any Category 3 hurricane.

The term enterprise risk management itself creates risk for insurers because of the wide range of risks insurers face daily. Virtually every task performed by an insurer carries some element of risk. This means companies have to attack problems–the risk to underwriting integrity from faulty data, the risk to the claims department from fraud, the risk to internal systems from faulty software, the risk to customer information from cyber attacks–from different angles, and in this new environment, insurers must ascertain how these risks affect the company from a compliance perspective. Life would be simple if risk management could be addressed through one-stop shopping, but carriers and analysts find their individual risks need to be addressed in a targeted manner.

The View From Inside

While most insurers would agree their industry has enough regulation, analysts, including Craig Weber, Celent's senior analyst in its insurance practice, contend the compliance environment–the Sarbanes-Oxley Act, in particular–is allowing carriers to keep a sharper eye on their affairs.

Line-of-business leaders have come to understand the value they are getting from some of those regulatory demands, and they want the data that is produced for themselves. “It's not simply a regulatory requirement that results in the collection and reporting of data; it's also about understanding your business and operating it effectively,” says Weber. “The driver may have been regulatory compliance, but there actually is business value in understanding the business at that level of detail.”

From an operation perspective, Dietmar Serbee, managing director for PricewaterhouseCoopers, believes risk management applications help insurers avoid some of the problems they experienced in the past. He asserts internal risk managers need to ask: How are you going to manage those controls you have in place against certain malfeasance in the financial reporting space? And how do you analyze the quality of your control environment and your residual risk?

Internally, Weber observes the bar gradually being raised for issues such as system uptime and disaster recovery. What used to be an acceptable level of nonperformance is no longer acceptable. “A service system being down is an unacceptable cost to the business,” he says. “That really puts a lot of pressure on IT to build a more robust infrastructure and to have access to multiple datacenters.”

There are tremendous costs in providing those capabilities, Weber points out, but it's increasingly viewed as a cost of doing business. “There's a sense certain costs simply have to be borne by the business,” he says. “One of [those costs] is having near-100 percent access to customer information and service functionality. It's simply unacceptable not to have the ability to answer those kinds of questions and not be able to work on a daily basis.”

Functionality Needs

One of the core functionalities risk management software offers in the IT operation is control self-assessment, according to Serbee. This brings together business units supporting the process to examine the risks, the controls in place to mitigate and manage the risks, and where certain actions need to take place to improve the control environment, he explains. “At the tail end of that, you'll hopefully have a shared agreement across the enterprise of what the risk profile is, and you can do reporting based on that,” he says. “In my discussions with insurance companies, this is a functionality they really are looking for.”

There is a definite synergy between the processes companies undertake for SOX compliance and what the business would do in a risk and control self-assessment, Serbee notes. “The convergence of those two makes sense for insurers,” he says.

Companies have had to do a lot of work to improve timeliness and quality of reporting, Weber indicates, but the SOX requirements also have raised awareness of the business value of that information. “To be able to take an enterprise view of where the business is, where revenues are, where the reserves are, what reinsurance looks like–once you roll them up across different business areas (which now is a regulatory requirement for a public company), it gives you a better understanding of the health of your business,” he says.

The initial reaction to the regulatory demands within the industry was SOX was bitter medicine, Weber continues. “No one likes to spend that money and be forced to comply with requirements under a deadline, but once you've done that, it makes sense to think about the value [compliance] is bringing,” he says.

Nonpublic companies are joining in, as well. “One reason is they expect at some point they may have to do it, but it's also becoming a best practice in any business, whether it's required or not,” Weber states.

Daniel Amsden, systems project leader for UnumProvident, relates his perspective on the issue of risk management comes from the carrier's need to maintain potentially sensitive content for future litigation purposes, which is done through the Stellent Content Server. The basic data the system stores concerns what business users were exposed to at a particular time. “We've been able to produce [the data] our people were able to use to make the decisions they made at that time,” he says. “These are the instructional resources we use, the computational formula to figure out whether we could underwrite a particular group, and things along that line.”

Getting It Right

In terms of ensuring the accuracy of the data, Weber cautions once you get an electronic snapshot of customer data or policy data, if the data is not accurate, it exposes weaknesses in your operation. “The only thing worse than not seeing the data is seeing inaccurate data,” he says.

Most carriers realize they have information throughout their organizations that needs to be integrated, Weber believes, but it is important they have the ability to improve transparency of the data. “It's not like the data doesn't exist, but in many cases, it's filed away in ways that make it inaccessible to use,” he says. Weber feels carriers are reaching a better understanding of what data they have and then making better use of that data.

Having good data alleviates risks throughout the company, including areas such as fraud detection to address claims risks, according to Tom Brennan, director of special investigations, Highmark Insurance. About two-and-a-half years ago, Highmark began studying its processes and how it did things. “What we needed to do was work better and faster,” he says. “We believe no one knows your data better than you do, so we developed an application (from software provider SAS) where we could get to our data faster and do the analysis we needed to be a lot quicker in determining whether we have a problem or not.”

What's the Risk?

In the area of enterprise risk management for IT operations, Barry Rabkin, senior research analyst in the insurance practice at Financial Insights, advises one of the first things that should come to every carrier's mind is cyber risk and liabilities–the firewall and security of the systems. “What is the attendant risk in passing information to someone else?” he asks. “Is it information that can be passed on because of HIPAA or SOX, or is it information that needs to be kept closely guarded where only authorized users can get to it?”

Insurers need to think about the information flow within the corporation and to the corporation's clients, Rabkin suggests. “There is an element of risk with content management and collaboration,” he says. “Am I allowing people outside the boundaries of the corporation–who are potential collaborators–to be accessing information they should not [have access to], and do I know who [the collaborators] really are? If I am building a new product and have an agency council, is whoever is signing on from out in the field the people they say they are?”

Rabkin contends human ignorance is an area carriers need to study. “You put in some code or you put in a program, and it brings the system down,” he says. “You didn't do it intentionally; you just didn't have the knowledge you needed to have.”

There also is what Rabkin describes as the project management type of IT risk when the systems being built aren't doing what they are supposed to be doing. He points out such risk is not because IT people willingly are building bad systems, but more often it's because the developers haven't gone through the appropriate unit testing or functional integration testing.

The Marketplace

There are plenty of software companies addressing operational risk management, according to Serbee, many of which offer tailored solutions. “You have a lot of players that originated in the banking/capital market space, so the banking industry had to formalize practices, put processes in place, and manage information,” he says. “Now, the insurance industry is realizing there is a good amount of transferability here.”

Serbee predicts a shakeout in the market over the next 12 to 18 months. “There are a lot of players, and the pie is only so big,” he says. The issue some of these vendors run into, indicates Serbee, is they are small and have a minimal amount of runway. “It's difficult to survive with one or two clients,” he explains. “Even if it's a big client, you still need to go for number two or number three in order to build momentum and become a solution that imposes itself.”

Another element in the market is the larger carriers tend to build their own solutions and are less likely to go for a solution being offered by a software company that has 50 to 100 employees. “It's more difficult for [large carriers] to justify [choosing a smaller vendor] because in many cases, they have the ability to build [a solution] in-house,” Serbee points out.

Transparent Data

For West Bend Mutual, rating and pricing are daily risks, and the risk analytics tool the carrier uses helps underwriters make their decisions on whether to write a risk and how to price it. “We are not at the point where we are automating the decision fully, but it is another tool the underwriters use,” says David Wagner, vice president of IT business solutions.

The most time-consuming part for carriers is gathering all the data, reports Wagner. Such work also is tedious. “That's why we spent a lot of time making sure the data was good and clean,” he says. “The path we chose is we didn't make any assumptions about what data was good or bad. We gave Valen [Technologies] as much as we could find in electronic form and let its tools sort out the predictors.”

West Bend has hundreds of data elements it supplied Valen. “We found all kinds of stuff including loss control reports that were in Word format we could mine some data from,” says Wagner. “A conscious thought, with coaching from Valen, was give [Valen] everything. Don't assume it's not valuable. That was an important step because Valen was able to get interesting tidbits out of the raw data.”

The system is making West Bend more accurate and more efficient, according to Wagner. “To be able to price risk accurately is one of the keys,” he says. “We think we can price more accurately using this tool than we could without it.”

Amsden states the workflow element of the Stellent solution addresses the risk involved with business users viewing faulty documents contributed to UnumProvident's intranet system. Any data has to be checked in and is not available for business users until it goes through the automated review process. The carrier also is interested in using the system for the external-facing components of the company, such as its Internet site, which would allow sign-off to any information presented outside the company, according to Amsden.

The business users are the contributors to the UnumProvident system, Amsden explains. Adding the documents to the system kicks off the workflow, which he describes as a required review process.

Amsden recalls working with a business user on content items that previously were rejected because they had not been checked back into the system in their existing format. Those particular documents kicked off a workflow process that required a subject-matter expert examine them. The documents were reviewed for content and then sent out to a manager to review for marketing purposes. Finally, the documents were pushed out to the intranet system. “That's how we assure the piece of documentation has gone through a washing machine and spit out on the other end as a collaborative content item,” he says. “[The document] was worked on by several different people to assure it is what people need in order to do their job correctly as opposed to something that will get us in trouble down the road. [The document] never goes away. If someone asks us for it, we can produce it for them.”

Showing Integrity

Amsden reports his conversations within and outside the company reinforce the belief the industry is concerned with the integrity of data and its related risk factors, particularly customer-related data. But he remarks in a customer service situation or even at a higher level, such as when underwriters come and go, new business users brought in are going to have to learn their job off some content. “You are going to need the documentation if someone leaves,” he says. “That documentation becomes just as important to you as the data someone is going to review as part of their daily job.”

Faulty documentation is a potential risk for carriers, Amsden maintains. UnumProvident has recognized the problem and is working to solve the issue. Most insurance carriers have a data strategy, and they know how to ensure their data's integrity is top-notch, he points out. “They have their review processes in place for that, but their documents just are sitting around on the network. People are using them every day. They could have 20 copies of the same [document]. You never know.”

With UnumProvident, though, there is only one version in the system. “If you want the real answer to your question, you go to our intranet system, and you find it,” says Amsden. “If you got the document from any place else, you better check it. People have learned that here. We know which document was the authority at the time of the litigation period. We can produce that document for the court system so [the courts] can decide whether we made a mistake on our policy, or perhaps there was a mistake by the user, or there was no mistake at all.”

The first-generation tools Serbee has seen tend to be self-contained custom-built systems that help companies administer risk throughout the enterprise and report on the results. Some of the things he is seeing today are more integrated with a company's production systems. “It makes a lot of sense to track the risks through key risk indicators,” he says. “In order for [the key indicators] to be really meaningful and to lead to actionable information, you want to report on a timely basis. Events don't occur on a monthly reporting cycle; they happen all the time. If you can build engines that provide you with that information as it occurs, that's a big plus from the management perspective.”
