10:32 AM
Jeffery Brown, Infogix, Inc.
Commentary

Making ERM Part of an Insurer's Culture Requires People, Not Just Technology

Effective risk management is not about trying to avoid risk; it is about striking a balance between minimizing risk and maximizing reward.

May 14, 2013, will mark the second annual World Risk Day, which was created to raise awareness around how taking smarter risks drives corporate strategy, improves business confidence, and grows profits. That message introduces a key point: Effective risk management is not about trying to avoid risk; it is about striking a balance between minimizing risk and maximizing reward.

Creating and implementing an Enterprise Risk Management (ERM) practice is critical to achieving and maintaining that balance, especially for insurers. A critical topic to examine within ERM is whether a lack of information controls is creating unacceptable risk levels. Technology plays a key role in establishing those controls, but should not play an exclusive role. Regularly training employees and communicating risk to them at all levels across the entire organization can play just as critical a role in improving decision-making, while also reducing risk and the likelihood of falling out of compliance.

Business operations are information-driven. Insurance companies receive, process, produce, store and send a staggering array of information to support and manage their operations, satisfy regulators, and make important decisions. Data governance is the practice of developing standards, processes, and controls around data to ensure its availability, usability, integrity, and security. As part of their data governance initiatives, many organizations deploy an array of automated tools and techniques to ensure the accuracy, consistency and reliability of information that is used by both the company and its customers.

Business Operations Management

Regulatory mandates, such as the Affordable Care Act, Dodd-Frank Act, Sarbanes-Oxley (SOX), NAIC MAR, and increased federal intervention, along with growing board and investor scrutiny, have resulted in pressures for more transparent ERM and reporting of complex operations more frequently and with greater levels of detail -- especially regarding back-office operations. These types of operations can be categorized into three fundamental types of processes:

1. Core processes: capturing, processing, recording, accounting and reporting transactions originated at the front office.

2. Management processes: balancing and reconciliation, monitoring and measurement to ensure integrity and performance.

3. Governance processes: internal and external audit, as well as regulatory compliance to test, validate and certify the integrity of core management processes.

Inefficiencies in these back-office processes stem from multiple sources, including information silos across product lines, mergers and acquisitions, and the prevalence of manual steps.

To remedy these inefficiencies, I recommend a three-step process I refer to as "Business Operations Management," which guides companies to lower costs, reduce errors, and improve cycle time. These steps are, in order:

1. Control: Establish continuous, end-to-end controls that automatically monitor all information and report errors to appropriate personnel, eliminating the risks and costs associated with performing those tasks manually.

2. Analyze: Analyze information in real time to reduce risk, improve compliance postures and provide the operations team with immediate 24/7 access into operational intelligence.

3. Improve: Use that intelligence to facilitate operational improvement by helping to guide business leaders in their decision-making processes, and provide operations and risk management teams with measurements on how various systems are performing and where inefficiencies can be eliminated.

Implementing an information control software solution and following these Business Operations Management guidelines ensure that companies are maximizing the significant investments they make in other technologies that support ERM-related practices and policies, such as Business Intelligence and Business Activity Monitoring (BAM) solutions, Extract Transform Load (ETL) software, and financial reconciliation solutions. It is crucial these systems utilize reliable data.

None of these tools alone provides any assurance that the information being reported, analyzed and used is 100% accurate. Controls, however, provide proof that ERM procedures are being followed through controls and monitoring, and that exceptions are being corrected through exception management. Given the critical nature of information, it is imperative for all organizations to ask the question, "Do we trust the information that we use to make our most critical business decisions?" Therefore, information integrity is a prerequisite for the success of today's business operations and ERM initiatives.

The Necessary Human Element

At this point, you may be thinking, "Big surprise, the guy from the software company is advocating technology as an ERM necessity," so let me place equal emphasis on this next point: Technology alone does not an effective ERM system make.

Implementing the technology and establishing a set of risk management policies and best practices are the first steps. An organization must train employees on those policies, and not just right after they're hired. Regular workshops and training sessions should be mandatory not only as refreshers, but to address changes in policies dictated by business decisions or updates to laws and regulations.

Implementing the right ERM technology, employing risk managers and other staff members with the skill sets required to manage an ERM program, and building a corporate culture not of risk avoidance but of minimizing risk to maximize reward are all important, and all point to a need to involve employees at all levels. As a recent study from Deloitte and Forbes Insights concluded, "The effectiveness of ERM is predicated on each individual's ownership of risk, which is, in turn, dependent on company-wide awareness."

Jeffery Brown is a Product Manager at Infogix, Inc. (Naperville, Ill.), where he is responsible for working with product development to create customer-driven solutions.
