On solid ground: the high stakes involved in competing in a global economy are driving insurers to take a holistic view of data used in enterprise risk management.
In a dynamic global marketplace, insurance executives face pressure to deal with the increasing scope and complexity of risk--not only the risk of loss and its financial consequences, but the risk of missed opportunity as well.
More than ever, business decisions must be based on a holistic view supported by reliable external and internal data integrated across the enterprise. No longer can companies be governed effectively by decisions based solely on independent silos of information.
The imperative to achieve data reliability and integration is underscored by numerous post-mortems that reveal bad data as the root cause of company failures.
In most organizations, data and data management structures evolve to fit organizational needs. Essential data are created within pockets of expertise and often remain within the organizational silos where they originated. For effective decision making, however, data must flow throughout the enterprise so they may be used, transformed and stored.
In large organizations, the existence of data silos, data flow and related activities can be complex and broad in scope. The continuous process of disparate data creation, transformation and storage creates risk of data compromise, including:
* Isolation of data from others
* Introduction of extraneous data
* Omission of relevant data
* Creation of incorrect data
* Creation of conflicting information
* Duplication of data
* Breaks in data/process life cycles
* Degradation of data value over time
* Lack of unique data-set identifiers
* Creation of nonstandard formats
* Risk of data theft or breach of security and privacy
These issues are compounded over time, and lead to flawed decision-making within the organization.
Systems Flashing Red
Early symptoms of data compromise may not be readily apparent, but the effects are nevertheless pernicious and costly. Consider an actual example: A well-known insurance company was placed in liquidation by the state insurance department because the company's financial performance had deteriorated, even though it was competitive in the marketplace.
Analysis of the company's information systems, databases, data flows between and within organizational units, and assessment of the roles and responsibilities of data custodians and users revealed a number of major issues, including:
* Critical application systems not capturing all the required data
* Often-duplicated data in the systems
* Independent "owners" of various critical systems
* Critical systems not integrated or able to share data
* Data captured under varying formats in each system, which precluded creating a single clear data set or eliminating duplicate data
* Data in the systems not mapped, preventing universal interpretation of data sets
* Certain critical data not captured by any of the systems
* Data often downloaded into spreadsheets and then further manipulated, causing errors, loss of data, and minimal tracking of changes
These data issues were determined to be the root cause of improper tracking and reporting of critical business metrics, leading to the inability to price products properly, manage expenses, and properly create reserves. In other words, the company could not manage its risks and opportunities effectively.
In Data We Trust
As this example indicates, data integrity and effective risk management may mean the difference between success and failure.
This is especially true in the new global economy. Insurance carriers today must deal with an increasing number of complex products along with more market volatility, stricter regulatory reviews, greater competition, growth in the value of exposures, and a proliferation of external threats, such as security breaches, natural disasters and geopolitical and social issues.
To respond effectively, carriers must increase their dependence on sophisticated risk analytics and modeling capabilities, all of which depend, in turn, on the integrity of underlying data.
In the past, carriers employed monolithic, centralized systems with limited data variables and tight control over data usage to manage limited risk factors. Today carriers must employ experts who use highly sophisticated computer models, based on many thousands of variables and integrated from a large variety of sources, to manage complex risks and opportunities.
In addition, advances in data mining, data visualization, pattern recognition, automated underwriting, automated auditing, and data flow and process controls are giving carriers a broad range of new capabilities. Tools such as predictive modeling, for example, are helping carriers improve risk-based decisions in marketing, underwriting, pricing, loss settlement and operations.
Certain information systems, however, have been designed specifically to satisfy regulatory requirements. Sarbanes-Oxley systems, for example, are primarily focused on controls in support of financial reporting, and consequently may not capture important operational data essential to ERM. This critical operational data often are embedded in individual business unit applications not integrated with enterprise platforms. Nevertheless, this data must be accessed, collected, normalized and integrated for use in risk management.
Rating Agencies' Concerns
Another critical issue for insurance companies is the focus placed on ERM by the rating agencies. Rating agencies always have been concerned about a carrier's approach to risk management--it has a strong bearing on carrier performance and sustainability.
Today, that focus has shifted to an enterprisewide view of risk. All rating agencies employ sophisticated methodologies to analyze a carrier's ERM capabilities, and then apply results of the ERM assessment to help determine the carrier's rating.
Rating agencies are concerned, too, that executives may not have a holistic view of risk, especially forward-looking risk. And they are concerned about the foundation and integrity of risk management programs.
In other words, rating agencies want to be sure that all the data involved in a carrier's underlying analyses and decisions are accurate, complete, and relevant and that all processes are working across the enterprise to achieve meaningful results.
This focus on data issues and integration by the rating agencies is justified. Experience has shown that enterprise data management represents one of the most problematic areas in creating an effective ERM program. Because data typically are generated and used within operational or business silos, risk management projects, if they exist at all, initially tend to be focused within these silos.
These types of silos potentially can create isolated views of risk. Equally important, disparate risk silos create a potential for deriving risk analyses and decisions based on data unrelated to other areas of the business.
A good example relates to the SEC's executive compensation disclosure requirements. Data required for compliance with stock options (accounting rules FAS 123R) typically reside in finance and accounting systems. However, the legal and the human resources departments are responsible for record keeping on stock option grants and compensation, respectively, and it is not unusual for data to reside in these systems separately.
In the end, rating agencies want to be assured that carriers demonstrate the ability to define and manage risk and opportunity to protect insurers and sustain the business over the long term.
Achieving effective ERM is a continuous process. It is initiated and supported by the full commitment of executives and management, and sustained over the long term.
Experience shows that management must give top priority to these areas:
Emphasizing know-how: An ERM program requires a senior person experienced in large-scale program management to establish and ensure the disciplined but flexible management of development, implementation, and continuous adjusting, using a mix of disciplines throughout the organization.
Putting teeth in the framework: In addition to the senior executive, it is essential to establish an ERM Steering Committee first: one that can communicate the vision, set expectations and boundaries, influence the culture, and ensure accountability for results. This is especially important for dealing with entrenched silos of information.
Taking complete control: This is necessary for establishing governance, strategies, goals, acceptable risk levels, policies, technology, operational practices, resource requirements, controls and performance measures that ensure delegation and accountability.
Managing data: This includes the capability to identify, acquire, cleanse and transform large-scale data sets into workable databases that can be integrated and universally accessed; and to define and implement records access, storage and retention policies. This is a foundational requirement that delivers additional benefits to the organization, such as the ability to address e-discovery more effectively.
Furnishing the right technology: This requires an assessment to determine and acquire technology to facilitate automated analysis, modeling and management of a holistic view of the major risk categories across the enterprise--financial, strategic, operational, reputational and hazard-related.
Relying on experts: Data management and application of risk technology require expertise in specialized technical disciplines in order to address ERM goals and objectives effectively. This requires an assessment and closure of any gaps in resources.
These six priorities are best implemented by conducting an initial informal workshop and planning session as a kickoff to the overall process.
According to the risk information firm ISO, in the past 15 years approximately one-third of the carriers serving the United States have vanished.
In most cases, their demise was blamed on competition, or more specifically, on their inability to compete. However, as discussed earlier, data issues should be considered as a likely root cause leading to company failure, simply because poor data leads to bad decisions. These carriers were probably not exceptions.
Additionally, past industry "best practices" have led to an inordinate, linear focus on negative risk--protecting the company from threats and harm. Today, there is a more balanced approach to risk, with an increasing focus on opportunity risk, which includes a strong correlation with innovation.
Creativity and innovation require a holistic view of the enterprise and the environment, which in turn requires unparalleled data management capability.
* What's Wrong: Data stored in company computers often are outdated, faulty or cannot be utilized among departments.
* What's Happening: Companies are making poor decisions, and even failing, because their data are unreliable.
* What's the Answer: Properly handled data are vital to unlocking ERM's management, compliance and profit potential.
What Is ERM?
Enterprise risk management--or ERM--is a risk management framework that involves every element of an enterprise--including its board, staff, clients, regulators and even society at large--as equal stakeholders in the long-term viability of that enterprise. Enterprise risk management takes the traditional elements of risk management, such as risk analysis, identification and mitigation, and applies them holistically across an entire enterprise. This gives all within the enterprise an equal incentive to become a part of the risk management process.
Source: Adapted from RIMS' RiskWiki, www.rims.org/riskwiki
Critical ERM Questions for CEOs
Candid answers to these questions related to ERM and data integrity can help companies evaluate their current situation and determine a future course of action.
Does my management fully embrace the concept of ERM, or does the company's culture still encourage independent silos of information?
Do the ERM experts in my organization have what they need to move the company toward a more effective ERM program?
Is there one person in my organization responsible and accountable for information systems and data issues?
Who in my organization can answer with absolute assurance if a potential "smoking gun" data problem exists within the company that could cause major problems?
Are my information systems capable of achieving data integrity and integration?
Do I have the right risk management processes and tools to allow effective corporate decision-making across the organization?
Do people involved in day-to-day, risk-based decision-making have accurate and complete information on which to base decisions?
Contributor Richard Hershman leads FTI Consulting's Global Insurance Services practice. He can be reached at firstname.lastname@example.org