Developing Risk Plans
June 24, 2005 | Boston, MA: The effort to keep up with an onslaught of compliance and regulatory requirements is swamping insurance firms, causing them to put important operational issues on the back burner, sometimes to the detriment of the business, according to senior executives attending the recent LOMA/ACORD Insurance Forum and the Risk Insurance Management Society (RIMS) annual conference.
“The regulatory environment has increased 10 times versus 3 years ago,” said Chuck McCaig, CIO of Chubb Insurance. “Regulations are being passed and implemented state by state as well as federally, which means insurance firms have to manage their people and systems horizontally and vertically. It’s incredibly complex.”
With the threat of punitive action hanging like the Sword of Damocles over their heads, the insurance industry has poured time, money and resources into compliance initiatives. But progress has been painfully slow, Sarbanes-Oxley deadlines have been pushed back and errors and abuses are still occurring.
Why isn’t it working? The reason, experts say, is that businesses are tackling the regulatory challenge incorrectly. The wrong people are driving the process, key groups within the organizations are being excluded, the right risk analysis tools are not being put in place and, perhaps most importantly, they are not beginning with a risk plan.
“Every initiative should begin with a risk plan,” said John Phelps, Director of Risk Management for Blue Cross Blue Shield of Florida. Initiatives to date have been too focused on risk suppression and should instead be focused on risk management, helping operations to better manage their business.
A risk plan allows an organization to rate and measure risks associated with a particular initiative, identify items on the critical path or high-risk issues and score those assessments against business metrics. With an accurate risk plan in place, businesses can objectively prioritize their requirements, get the right folks around the table and focus on those projects that will yield the greatest benefits to the company.
A good risk plan gets risk management, compliance, audit and operations needs on the table and demonstrates how the IT organization can effectively support this diverse group of constituents, noted Phelps. A risk plan built around compliance can also identify costly problems that have not been uncovered previously.
“It’s a lot like the process we all go through to get a car inspection sticker,” added Bob Parisi, Senior Vice President and Chief Underwriting Officer of AIG. “To comply with the law, we go through the inspection process and display the sticker as a symbol of compliance. But if, in the process of getting that sticker, the mechanic discovers and fixes a safety flaw before someone gets hurt, then the end result is much greater than simply achieving compliance.”
With that mindset, companies can actually use regulations to create a more efficient business and a healthier bottom line.
“People feel they don’t have time to improve their business processes because they are so focused on addressing the compliance issues. But really, compliance is just the minimum quality standard,” said John Oliveira, Director of Operations for Horizon Casualty Services. “We shouldn’t be afraid of risk management and compliance. We should embrace it as an opportunity to bring new efficiencies to make the business prosper.”
Bringing operations in from the cold to drive the process
Many companies have expanded the duties of their compliance and audit groups to include not only identification of risk areas but implementation of corrections as well. This is a doomed approach because, in reality, auditors are the police – they find the problems. Compliance groups are the lawyers – they interpret the regulations and state the framework. And risk managers are the mediators – they evaluate the risk and liability data based upon business metrics and help establish a framework. None are empowered as enforcers and none have the resources to effectively fight that battle.
The group with the knowledge, ability and requirement to implement meaningful improvements to the business is operations, who have been bushwhacking in the field making the best results they can but not really moving the business forward as much as they know they could if the right tools and support were available. The realization is now dawning on many firms that while the goal may be to make sure the books are in order, the books will not be in order if the right policies, procedures and activities are not formalized within operations to manage the business in addition to the controls within finance.
“Technology is the enabler of the business. The business owns the business rules and process. Information technology specialists are not actuaries. Companies must provide the business the tools to manage the complexity of their rules and process. Business must drive and own the policy, procedures and activity,” pointed out Barbara Kosler, CIO at Prudential Insurance.
Unfortunately, while operations own the business logic and technology should be the enabler, today that logic is stuck in legacy systems that are owned by IT. The business people can’t understand the logic when it is buried in the legacy code. But when the logic is extracted, it is completely out of context and essentially unmanageable. The complexity expands exponentially when you consider that the web of business rules always extends across multiple systems and manual processes.
Adding intelligence to Risk Planning and Management
Business rule driven wizard technology combined with workflow routing and business activity monitoring can help close the gaps that exist between organizations, between senior management and the rest of the organization and between individuals and systems.
At the top level, the technology can help senior management develop an effective risk plan. It can provide access to specific data and analysis to identify where the problems are, formalize a method of identifying operational risk, measure the compliance risk and understand the impact on the bottom line.
Once that analysis is completed, the employees in the trenches use the same tool to validate senior management’s conclusion. In the “bottom-up” phase, real historical data and experience validates senior management’s assessments and quantifies the root causes of the identified risks, as well as the associated costs.
With that validation, the senior management team has the data it needs to make truly educated decisions about the direction the company should take and the priorities for improvement.
This top down/bottom up approach ensures that a solid risk plan is in place and a clear direction is established by senior management. The compliance experts, subject matter experts from operations and risk management experts can then work together to implement solutions and improvements that will meet corporate objectives and stand up to close scrutiny by the audit group.
Using the right people for the right job
According to Patrick Hatfield, an attorney at Lord, Bissell & Brook, risk and compliance initiatives as they are currently run frequently fail to address the executional component. Business operations must own and drive the project; however, operations can source specialists from different parts of their organizations to meet specialized resource requirements.
“IT project managers are a shared service to the business,” noted Chubb’s McCaig. An important element of a project is the quality of the project manager. The IT organization has developed qualified project managers. According to McCaig, the Information Technology organization should separate skill resource from their functional area of responsibility. Business drives and runs the project and returns the resource to the project manager pool after project completion. This shared services approach provides the expertise and cultivates the best of class project managers. The same is true for financial analysts from finance and legal specialists from compliance departments.
The same business rule driven workflow technology that was used in the top-down/bottom-up assessment phase can be tapped by the senior management team to measure progress, keep the implementation team on track and dramatically speed deployment. It can also be used to clear another common roadblock on the path: the lack of a common platform for rules-based applications which can be used throughout the organization to solve a variety of problems.
“There have not been enough easy to use and quick to learn business software applications on the market that are effective in managing and solving the problem for business,” he explained. “Home grown systems built with rules and workflow engines are so specific to the application for which they were developed that it is difficult to roll them out to other areas of the business.”
McCaig’s experience is why many firms are turning to business-driven applications modules, which close the gap from conceptualizing a need to implementing a solution. These applications utilize sophisticated rules, workflow technology and descriptive business driven modeling to incorporate proven best practices for a particular process with business rules and allow each business to easily define and document as well as customize those processes and business rules to fit the needs of the company.
Achieving success at multiple levels
Now, the organization has:
- the risk experts setting up the risk plan and how the team will identify the issues;
- the compliance experts interpreting the laws and regulations and assessing the impact to the organization;
- the subject matter experts providing the vital business operations input;
- and the IT project managers organizing resources and managing the overall project to its successful completion.
To close the loop, businesses are demanding that these rules and workflow technologies include comprehensive reporting and analysis that allow senior management to monitor progress or drill down further to underlying data to make more informed decisions. While not available in all of these applications, this is a definite need that is met by some.
Clearly, compliance initiatives are here to stay and the insurance industry appears committed to doing the right thing by achieving full compliance. Along the way, however, companies should seize the opportunity to go beyond basic compliance to improve their overall business operations…and their bottom lines.
Caitlin Seele: firstname.lastname@example.org | (617) 530-1208