On solid ground: the high stakes involved in competing in a global economy are driving insurers to take a holistic view of data used in enterprise risk management.
In a dynamic global marketplace, insurance executives face pressure to deal with the increasing scope and complexity of risk: not only the risk of loss and its financial consequences, but the risk of missed opportunity as well.
More than ever, business decisions must be based on a holistic view supported by reliable external and internal data integrated across the enterprise. No longer can companies be governed effectively by decisions based solely on independent silos of information.
The imperative to achieve data reliability and integration is underscored by numerous post-mortems that reveal bad data as the root cause of company failures.
In most organizations, data and data management structures evolve to fit organizational needs. Essential data are created within pockets of expertise and often remain within the organizational silos where they originated. For effective decision making, however, data must flow throughout the enterprise so they may be used, transformed and stored.
In large organizations, the existence of data silos, data flow and related activities can be complex and broad in scope. The continuous process of disparate data creation, transformation and storage creates risk of data compromise, including:
* Isolation of data from others
* Introduction of extraneous
* Omission of relevant data
* Creation of incorrect data
* Creation of conflicting information
* Duplication of data
* Breaks in data/process life cycles
* Degradation of data value over time
* Lack of unique data-set identifiers
* Creation of nonstandard
* Risk of data theft or breach of security and privacy
These issues are compounded over time, and lead to flawed decision-making within the organization.
Systems Flashing Red
Early symptoms of data compromise may not be readily apparent, but the effects are nevertheless pernicious and costly. Consider an actual example: A well-known insurance company was placed in liquidation by the state insurance department because the company's financial performance had deteriorated, even though it was competitive in the marketplace.
Analysis of the company's information systems, databases, data flows between and within organizational units, and assessment of the roles and responsibilities of data custodians and users revealed a number of major issues, including:
* Critical application systems not capturing all the required data
* Often-duplicated data in the systems
* Independent "owners" of various critical systems
* Critical systems not integrated or able to share data
* Data captured under varying formats in each system, which precluded creating a single clear data set or eliminating duplicate data
* Data in the systems not mapped, preventing universal interpretation of data sets
* Certain critical data not captured by any of the systems
* Data often downloaded into spreadsheets and then further manipulated, causing errors, loss of data, and minimal tracking of changes
These data issues were determined to be the root cause of improper tracking and reporting of critical business metrics, leading to the inability to price products properly, manage expenses, and properly create reserves. In other words, the company could not manage its risks and opportunities effectively.
In Data We Trust
As this example indicates, data integrity and effective risk management may mean the difference between success and failure.
This is especially true in the new global economy. Insurance carriers today must deal with an increasing number of complex products along with more market volatility, stricter regulatory reviews, greater competition, growth in the value of exposures, and a proliferation of external threats, such as security breaches, natural disasters and geopolitical and social issues.
To respond effectively, carriers must increase their dependence on sophisticated risk analytics and modeling capabilities, all of which depend, in turn, on the integrity of underlying data.
In the past, carriers employed monolithic, centralized systems with limited data variables and tight control over data usage to manage limited risk factors. Today carriers must employ experts who use highly sophisticated computer models, based on many thousands of variables and integrated from a large variety of sources, to manage complex risks and opportunities.
In addition, advances in data mining, data visualization, pattern recognition, automated underwriting, automated auditing, and data flow and process controls are giving carriers a broad range of new capabilities. Tools such as predictive modeling, for example, are helping carriers improve risk-based decisions in marketing, underwriting, pricing, loss settlement and operations.
Certain information systems, however, have been designed specifically to satisfy regulatory requirements. Sarbanes-Oxley systems, for example, are primarily focused on controls in support of financial reporting, and consequently may not capture important operational data essential to ERM. These critical operational data often are embedded in individual business unit applications not integrated with enterprise platforms. Nevertheless, these data must be accessed, collected, normalized and integrated for use in risk management.
Rating Agencies' Concerns
Another critical issue for insurance companies is the focus placed on ERM by the rating agencies. Rating agencies always have been concerned about a carrier's approach to risk management--it has a strong bearing on carrier performance and sustainability.
Today, that focus has shifted to an enterprisewide view of risk. All rating agencies employ sophisticated methodologies to analyze a carrier's ERM capabilities, and then apply results of the ERM assessment to help determine the carrier's rating.
Rating agencies are concerned, too, that executives may not have a holistic view of risk, especially forward-looking risk. And they are concerned about the foundation and integrity of risk management programs.
In other words, rating agencies want to be sure that all the data involved in a carrier's underlying analyses and decisions are accurate, complete, and relevant and that all processes are working across the enterprise to achieve meaningful results.
This focus on data issues and integration by the rating agencies is justified. Experience has shown that enterprise data management represents one of the most problematic areas in creating an effective ERM program. Because data typically are generated and used within operational or business silos, risk management projects, if they exist at all, initially tend to be focused within these silos.
These types of silos potentially can create isolated views of risk. Equally important, disparate risk silos create a potential for deriving risk analyses and decisions based on data unrelated to other areas of the business.
A good example relates to the SEC's executive compensation disclosure requirements. Data required for compliance with stock options (accounting rules FAS 123R) typically reside in finance and accounting systems. However, the legal and the human resources departments are responsible for record keeping on stock option grants and compensation, respectively, and it is not unusual for data to reside in these systems separately.
In the end, rating agencies want to be assured that carriers demonstrate the ability to define and manage risk and opportunity to protect insurers and sustain the business over the long term.
Achieving effective ERM is a continuous process. It is initiated and supported by the full commitment of executives and management, and sustained over the long term.
Experience shows that management must give top priority to these areas:
Emphasizing know-how: An ERM program requires a senior person experienced in large-scale program management to establish and ensure the disciplined but flexible management of development, implementation, and continuous adjusting, using a mix of disciplines throughout the organization.
Putting teeth in the framework: In addition to the senior executive, it is essential to establish an ERM Steering Committee first: one that can communicate the vision, set expectations and boundaries, influence the culture, and ensure accountability for results. This is especially important for dealing with entrenched silos of information.
Taking complete control: This is necessary for establishing governance, strategies, goals, acceptable risk levels, policies, technology, operational practices, resource requirements, controls and performance measures that ensure delegation and accountability.
Managing data: This includes the capability to identify, acquire, cleanse and transform large-scale data sets into workable databases that can be integrated and universally accessed; and to define and implement records access, storage and retention policies. This is a foundational requirement that delivers additional benefits to the organization, such as the ability to address e-discovery more effectively.
Furnishing the right technology: This requires an assessment to determine and acquire technology to facilitate automated analysis, modeling and management of a holistic view of the major risk categories across the enterprise--financial, strategic, operational, reputational and hazard-related.
Relying on experts: Data management and application of risk technology require expertise in specialized technical disciplines in order to address ERM goals and objectives effectively. This requires an assessment and closure of any gaps in resources.
These six priorities are best implemented by conducting an initial informal workshop and planning session as a kickoff to the overall process.
According to the risk information firm ISO, in the past 15 years approximately one-third of the carriers serving the United States have vanished.
In most cases, their demise was blamed on competition, or more specifically, on their inability to compete. However, as discussed earlier, data issues should be considered as a likely root cause leading to company failure, simply because poor data leads to bad decisions. These carriers were probably not exceptions.
Additionally, past industry "best practices" have led to an inordinate, linear focus on negative risk--protecting the company from threats and harm. Today, there is a more balanced approach to risk, with an increasing focus on opportunity risk, which includes a strong correlation with innovation.
Creativity and innovation require a holistic view of the enterprise and the environment, which in turn requires unparalleled data management capability.
* What's Wrong: Data stored in company computers often are outdated, faulty or cannot be utilized among departments.
* What's Happening: Companies are making poor decisions, and even failing, because their data are unreliable.
* What's the Answer: Properly handled data are vital to unlocking ERM's management, compliance and profit potential.
What Is ERM?
Enterprise risk management--or ERM--is a risk management framework that involves every element of an enterprise--including its board, staff, clients, regulators and even society at large--as equal stakeholders in the long-term viability of that enterprise. Enterprise risk management takes the traditional elements of risk management, such as risk analysis, identification and mitigation, and applies them holistically across an entire enterprise. This gives all within the enterprise an equal incentive to become a part of the risk management process.
Source: Adapted from RIMS' RiskWiki, www.rims.org/riskwiki
Critical ERM Questions for CEOs
Candid answers to these questions related to ERM and data integrity can help companies evaluate their current situation and determine a future course of action.
Does my management fully embrace the concept of ERM, or does the company's culture still encourage independent silos of information?
Do the ERM experts in my organization have what they need to move the company toward a more effective ERM program?
Is there one person in my organization responsible and accountable for information systems and data issues?
Who in my organization can answer with absolute assurance if a potential "smoking gun" data problem exists within the company that could cause major problems?
Are my information systems capable of achieving data integrity and integration?
Do I have the right risk management processes and tools to allow effective corporate decision-making across the organization?
Do people involved in day-to-day, risk-based decision-making have accurate and complete information on which to base decisions?
Contributor Richard Hershman leads FTI Consulting's Global Insurance Services practice. He can be reached at email@example.com