Particularly in the market were in, its critical to maintain very precise underwriting practices, matching exposure to price and coverage in a very exact way, says Rick Harold, director of Zurich North Americas workstation development.

Underwriting Management

The North American insurance division of Tokyo-based Mitsui Sumitomo In-surance Group writes commercial lines insurance throughout the United States. The division recently consolidated its risk management strategy and front-end technology tools in its property business. Up until a year ago, the underwriting department was assessing weather and catastrophe risks using a variety of different manual charts and methods and varying degrees of automation.

In 2002, the company installed two products from AIR Worldwide Corpora-tion, a subsidiary of Insurance Services Office, Inc. These included AIRProfiler, a Web-based tool that uses address information to analyze a locations hurricane, earthquake, flood, and severe thunderstorm risk, and Classic/2, a client-server-based catastrophe-modeling tool.

[AIRProfiler] is a quick look at a location. We use it to get an understanding of new risks were considering to see if they raise any red flags, says David Donlick, marketing coordination manager in the insurers Warren, N.J., office. Classic/2 is used to evaluate segments of business or the entire book for catastrophe risk.

Donlick reports the reason Mitsui Sumitomo chose AIR and, in particular, Classic/2 was the solution didnt limit underwriters to assessing one category of risk at a time. All the products we considered did accumulation, but with AIR, if we want to focus on earthquake, windstorm, and hurricane exposures combined, we can do that without having to re-enter address information. We can get a loss prediction on an individual account for the selected exposures either combined or separated and do the same for the entire book.

Zurich North Americas risk management strategy also starts at the line level. We need to provide our underwriters all the tools they need to assess and price the risk, says Harold.

The workstation is a portal Zurich created in-house. It's part of the enterprise underwriting management strategy initiated with the creation of the Underwriting Management and Technical Services Unit, which was set up in January 2001. The unit led to the creation of the underwriting workstation strategy, which was formally unveiled in November 2002 (for more on Zurich's workstation strategy and implementation, see Information Station, p. 30). The workstation provides staff in underwriting, claims, and risk engineering access to a variety of in-house and third-party underwriting information sources, reporting tools, and hazard analysis systems, such as catastrophe modeling software from Risk Management Solutions (RMS).

Over the past year, Zurich also has worked to better understand its accumulation of risk by creating a database system it calls (coincidentally) Harold to store location data from all the insurers various processing systems and to run analytics against it. In the first iterations [of Harold], were looking at our property business, says Tom Peach, senior vice president, underwriting and policy administration. Zurich will ex- tend that system to include other exposures such as workers compensation.

Described by Peach as a tactical system designed to be deployed quickly, aggregated data from Harold will be available via the workstation. Its functionality will be embedded in future upgrades of the RMS system at Zurich.

Changing Markets, New Threats

The cyclical nature of the marketplace always has had an impact on insurers risk management strategy. However, a hard market combined with new loss exposures (see Proximate Cause), regulations, and industry standards of measurement have carriers looking for technological solutions.

We are definitely taking a more scientific approach to writing our property risks, using geocoding to determine more accurately the hazard or exposure, Donlick says.

Gail McGiffin, associate partner in Accentures Insurance Solution Group, sees four main technology trends in insurance risk management. The first three include continued movement from paper to electronic processing to speed information gathering, implementation of rules-based decision-making, and utilization of automated workflow systems in many functional areas of the company.

The fourth trend is a sharply increased interest in geographic information systems. These have evolved to offer not just standardization of address formats and address verification, but also geocoding of individual risks to plot latitude and longitude and analytics. These analytics include spatial analytics, which help determine the relative proximity of locations to each other or to geophysical hazards, and radial analytics, which determine the hazards within a circular distance of a particular location.

Hurricane Andrew was the first wake-up call, where carriers saw the need to have better accumulation of risk. But 9/11 has taken that to a new level; it brought the need for greater assessment of what is in the four-wall structure, the aggregation of not just property exposures and fixed assets, but the accumulation across product lines, such as workers compensation loss, death benefits, and medical costs. It is no longer sufficient to aggregate exposure at a ZIP code level, McGiffin says.

To go beyond ZIP code analysis, systems extract location data from policy files, cleanse the data to standardize and verify addresses, and then run that data through a geocoding engine. A spatial analytics application can then determine if, for instance, not only are two tenants in the same building, but that two buildings with completely different street addresses may sit back to back.

Importantly, this process takes insurance risk management beyond the traditional post-loss activities of claims modeling to a proactive activity that is part of both strategic and tactical decision-making. Carriers are trying to leverage data earlier in the process for improved decision-making and, most important, to think across product lines, McGiffin says. This involves such activities as giving more departments and users access to analytic tools, making the results of disparate Risk Management Solutions available via portals, and using collaboration technologiesor even simply good business practicesto bring staff together from various functional areas.

Our underwriting, tech services, engineering, and claims all work together to determine best practices for not only risk selection, but also other critical processes, says Zurichs Harold. Peach adds the goal of Zurichs IT department is to make its risk management technology available to the widest array of users. We will browser-base an application that sits on risk-intelligent data, and that can then be pushed to anywhere from underwriters to [external] MGAs [managing general agents].

Making Better Connections

Just as carriers have taken the concept of risk management from the individual account to the aggregated line of business and then to the departmental level, there is a strong push toward making risk management connections across departments. Consider a scenario whereby underwriting assesses its accumulation of risk by using geocoding to determine proximate locations. This same assessment can be used in the event of a claim.

An adjuster getting a first notice of loss or learning of an event could check the location datastore and be armed with information about the existence of other potential claimants, says McGiffin. Not only can that consolidate the adjusters work, but it also can help a carrier be proactive in its claims management. A company could also deploy its catastrophe unit more effectively rather than guessing based on the general area, McGiffin adds. From interdepartmental deployment, its a natural leap for insurers to target the evolution to enterprisewide risk management.

But waitisnt there an absence of enterprisewide technology?
Yes, inasmuch as no system exists to extract automatically data from every disparate system an insurer has and to perform the differing calculations of risk that each functional area considers. However, there are methods and tools that can help insurers create an enterprise risk management process.

What insurers have done in the absence of holistic modeling capabilities is to try to get at [enterprise] issues through business organization and procedures, says McGiffin. Theyre breaking down, if you will, the functional silos of business and having cross-functional teams of those responsible for singular event analysis at least manually assess exposures to those multiple events.

The creation of a dedicated risk management division also is a new development for insurers, which traditionally have relegated risk management to their actuarial departments. Historically, risk managers were little more than insurance buyers, even in insurance companies, says Oliva. Insurers are just starting to latch on to the concept of enterprise risk management beginning with designating a top-level officer as the chief risk officer.

This top-level effort is necessary, Oliva maintains, for insurers to bring together insurance risk management with the growing emphasis on operational risk management. Operational risk management looks at the innumerable threats to business continuation from divergent internal and external factors, such as employee turnover, public relations fiascos, or supply interruption.

There has been increasing emphasis on the regulatory side, Oliva adds. Financial information has to be at [insurers] fingertips, not only for corporate transparency [full disclosure of financial and key performance information], but also for the other regulations they have to comply with, such as capital adequacy and the Basel 2 accord, which specifies capital requirements for financial institutions. Also, there is a bevy of regulations that affect customer relationships; for example, what are the risks of noncompliance with the Patriot Act, money-laundering detection requirements, privacy regulations, and so on.

Working Toward Enterprisewide

Combining technology with a dedicated, centralized risk management strategy is the Royal Bank of Canada (RBC) Financial Group, which has five different divisions including RBC Insurance, the largest bank-owned insurance carrier in Canada. Headquartered in Mississauga, Ontario, RBC Insurance provides life insurance, property/casualty insurance, travel insurance, creditor insurance, and reinsurance.

Within each of its five divisions,_RBC manages business risks unique to those operations. [We] believe everybody throughout our organization is responsible for managing risk, says Bob Aylward, senior vice president of operational risk at RBC Financial Group. RBC Insurance, for example, uses a variety of modeling and forecasting tools for underwriting and actuarial risk. Additionally, RBC Financial Group manages certain types of risk, including operational risk, at the enterprise level. It has a central risk management department that establishes policies for risk management and also has a chief risk officer who is vice-chair of the corporation and a member of its top management committee.

The company looks at four broad categories of operational riskpeople, processes, technologies, and external eventsand has designated 30 subcategories within those. In May 2002, the company also installed Portiva, a portal-based risk management system for capturing risk assessment data.

RBC Insurance has segmented its operations into smaller components it calls operational risk entities, which represent processes within product and functional lines. Each of those entities conducts risk and control self-assessments based on a set of common deliverables, says Aylward. Those assessments begin with understanding what are the business objectives, what are the areas of operational risk that reside within that business, how are those risks mitigated, what is the likelihood of a particular event, and what is the probable impact if something does go wrong.

Designated staff in each of those entities use Portiva to record these self-assessments in a scorecard format. Portiva provides analytics from these assessments that are used by the operational risk entities and divisions to manage risk. Additionally, the central risk management department uses Portiva to combine these line-level assessments with the relative importance (from a risk management perspective) of each risk entity to the overall business.

RBC Financial Group therefore is able to assess residual risks (the remaining likelihood of a loss occurring and its impact) and decide whether or not action is needed, Aylward explains. That action could be any of a range of solutionsdeveloping back-up strategies, purchasing additional insurance, or providing additional staff training, for example.

In addition to the database that supports the Portiva system, RBC Financial Group also has created an additional loss event database. We capture data regarding any of the operational losses that occur across the corporation, Aylward says. We track where the loss occurred, the value, what the corrective action was, and why the loss occurred. The company is working toward implementing an OLAP tool to provide analytics that take both systems into account.

Building for the Future
Gartner doesnt expect to see technology that can fully integrate the many types of Risk Management Solutions and strategies in play across the enterprise until at least 2006. However, there are strategies insurers can use to prepare for this development today.

When doing their technology planning, particularly for data mining and warehousing, insurers need to look at data tools and filters that will enable them to capture not only past loss data, but future projection data for the whole enterprise, says Oliva. Then, when they get into analyzing the eventsstatistical modeling, event modeling, predictive modelingthey have to look at it across the enterprise and not by silos.

The problem is these [risk management] projects are done in the business units, but insurers have to look at them across business units, says Neal Oswald, financial services practice leader at Cap Gemini Ernst & Young. In a classic insurance company scenario, where you have 42 legacy systems, 15 divisions, and global operations, unless you start specifying design principles for aggregation, youre lost before you start. You have to standardize your design principles around data, reporting, infrastructure, and customer.

While portal technologies can provide users access to the results of these tools and help create aggregated viewpoints, its still a far cry from true technology-based enterprise risk management.

Is it possible to have one system that does all of this? I think the answer is probably no, Oliva says. It becomes a matter of some type of a middleware that would be pulling data from various systems to a risk managers desktop. So for at least the first iteration of enterprise risk management, Oliva says, it will be a connection and integration issue, rather than building a single system that can understand so many different units of measure.

Those connections could be made by an aggregation tool, a piece of software like SAS to bring it together, or even a simple DB2 or Oracle environment with a query tool to run against it, says Oswald. Importantly, not everything in business can be distilled to financial risk, so there will always be an art to risk management that technology will likely never completely replace.

Proximate Cause

Even as the industry scrambles to create terrorism exclusions for property policies, it must still evaluate this new catastrophe risk due to its impact on all lines of insurance. Before, it didnt matter if you had three or four buildings [insured] in Manhattan; now insurers need to model for terrorism the way they always did for events such as floods or hurricanes, says Tom Peach, senior vice president of underwriting and policy administration at Zurich.

Measuring terrorism risk adds another level of complexity to catastrophe modeling. That is, there are decades of weather data that can be relied upon, and more important, Mother Nature has no intent when she creates an earthquake or hurricane. Terrorism risk management, however, involves monitoring the ever-changing geopolitical climate of the world and assessing the attractiveness of a businesss operations to a terrorist. Catastrophe risk management solution providers, such as the Insurance Services Offices and Risk Management Solutions, have all come out with terrorism models that consider these complex factors.

For example, Oxxford Information Technologys Vulnerability Index provides a database of 28 million businesses nationwide and identifies threats for high-risk businesses. Certain industries are more subject; they make a product, they are a delivery mechanism, and so on. We have a scoring mechanism using 40 different methods, including a weighting method for the type of terrorism that may be involved, the type of patents and processes, whether they have government contracts, and whom they are selling to, says Ray Greenhill, Oxxfords CEO and founder.

However, an insured risk also may be subject to terrorism loss even though it isnt specifically a terrorist target. By using geocoding, the Oxxford index can be used to assess not only the direct risk of an insured location, but also potential loss due to proximity to more attractive terrorist targets, such as power plants and communications facilities. The risk at a particular insured location therefore is determined by the highest risk potential at the site, whether that comes from the insureds or others operations.

The objective is to allow insurers to manage the risk of their overall book of business, selecting business in lower-impact areas to balance what they might already have on the books, says Greenhill.

Risk Management and Modeling Tools Vendor List

AIR Worldwide
Boston, Mass.
617-267-6645
www.air-worldwide.com

CSC Financial Services
Austin, Tex.
512-275-5000
www.csc-fs.com

Delphi Technology
Cambridge, Mass.
617-494-8361
www.delphi-tech.com

Effisoft
Boston, Mass.
617-437-9600
www.effisoft.com

Entegra Corp.
Oakbrook Terrace, Ill.
630-613-7661
www.entegracorp.com

Envision Technology Solutions
Midvale, Utah
801-568-1818
www.envision-ts.com

Fair, Isaac & Co.
San Rafael, Calif.
415-472-2211
www.fairisaac.com

Forensic Analysis & Engineering Corp.
Raleigh, N.C.
919-872-8788
www.forensic-analysis.com

GenSource Corp.
Valencia, Calif.
661-294-1300
www.gensourcecorp.com

International Security Technology, Inc.
New York, N.Y.
212-557-0900
www.ist-usa.com

Insurance Information Exchange
College Station, Tex.
800-683-8553
www.iix.com

Ivega Corp.
San Francisco, Calif.
415-274-2699
www.ivega.com

Marsh USA
Los Angeles, Calif.
213-346-5828
www.marsh.com

MountainView Software
Layton, Utah
800-533-1122
www.mvsc.com

Portellus
Irvine, Calif.
949-250-9600
www.portellus.com

Risk Laboratories
Marietta, Ga.
678-784-4615
www.risklabs.com

Risk Management Solutions
Newark, Calif.
510-505-2500
www.rms.com

Risk Sciences Group, Inc.
Schaumburg, Ill.
800-619-0224
www.risksciencesgroup.com

RISKTRAC
Portsmouth, N.H.
800-294-3316
www.libertymutual.com/risktrac

RMIS/Lab
Hartford, Conn.
860-543-7341
www.rmislab.com

Silver Plume
Boulder, Colo.
800-677-4442
www.silverplume.com

Valley Oak Systems, Inc.
Alamo, Calif.
925-552-1650
www.valleyoak.com

Worldinsure Limited
Quincy, Mass.
416-594-2172
www.worldinsure.com