Risk Manager Focus

Data Driven

Risk managers share their experiences selecting RMIS systems and leveraging their full potential.
By: | March 3, 2017 • 10 min read

As risk management technology goes, the Risk Management Information System (RMIS) isn’t exactly the new kid on the block.

Quite the contrary. RMIS, in one form or another, have been employed by the risk management community for 35 years.

But the way risk managers use them — and the way they influence the practice of risk management — continues to evolve.

Mark Dorn, who perhaps could be called the godfather of RMIS, has been watching it all unfold since he launched RISKMASTER in 1982.

“Act 1 of the RMIS industry has been using technology to help enable and empower the risk manager to [take care of] their day to day needs,” said Dorn, president and CEO of DAVID Corp. “It was always about [total cost of risk] and about making decisions to manage the TCOR.”

Act 2, said Dorn, from around 2000 to the present, increased the focus on compliance. In 2017, however, “it’s Act 3, which is risk managers trying to get from defense to offense,” he said.

“Now the issue is what can these systems do, assuming they have unlimited data — which basically they do. The question is how do you mobilize those insights and leverage them.” DAVID Corp.’s NAVRISK VISION uses embedded key performance indicators and risk scoring to help users further drive improvement throughout their organizations.

Playing offense means spending more time looking ahead rather than behind, said Dorn. When you’re working retrospectively, “we call that dead data. Reporting on dead data doesn’t have a lot of value. The claim is closed. You need to be working on live data, real time.”

Risk managers say that’s spot-on. They’re looking at the broader picture of how RMIS can be used to transform their organizations.

“The question really — the sky’s the limit — what can we do with this system that would make us unique?” said Brian Van Allsburg, vice president, risk management at Compass Group. “What can we do with this system that would lend an enormous amount of transparency across a number of businesses that we have within our portfolio.”

Van Allsburg agreed that his company has actively shifted to offense, aligning its RMIS functionality to focus on leading rather than lagging loss indicators. As much as post-loss data can empower the TPA or the corporate claims team to mitigate a loss, he said, it’s far less than what the company stands to gain by preventing the claim from actually happening.

Being able to aggregate internal and external data across silos, seamlessly convert it into actionable information and then push it back out to stakeholders is key for Compass, which partners with Origami Risk.

“I can see all of that [data] tied to my locations. That creates the transparency that I can kick back to the business owners and say, ‘Hey for this region and for these particular locations, your workplace safety scores are low, your fleet audit scores are low.’

Now you’re not talking about claims that have already happened. Now you’re talking about behaviors that need to change to prevent the claims from happening.”

The City of Clearwater, Fla., which partners with DAVID Corp., is also leveraging its RMIS platform to head off claims, by using data to feed safety initiatives and improve safety culture throughout the municipality. Reports are pushed out to all municipal departments to help identify training needs and trends.

“Our overall goal is to increase safety awareness and culture within the city’s departments,” said Rick Osorio, the city’s risk manager. “We’re able to give the feedback they need to make positive changes. And DAVID does a good job of that.”

“You’re providing them with the direction they should be going in,” added Van Allsburg. “So if they’re going awry — say their loss patterns are worsening or their audit scores are worsening, offer those suggestions, show them the locations that are not performing well and then tell them what type of advice or support you plan on providing them to get them back on track.”

Making the Choice

The vast majority of risk managers have some kind of tool or system for managing their pertinent risk and claims data, whether homegrown or formal. But continued growth in the market suggests that an increasing number of organizations are coming to terms with the value that a true RMIS platform can provide.

Bob Petrie, president and CEO of Origami Risk, said that over the past several years, more than half of the company’s new business is coming from clients that were previously not using a formal RMIS system. “Maybe they had some kind of tool, they had spreadsheets, they had a homegrown Access database — or in some cases they really did have nothing,” he said. “The market is still expanding.”

Paul Major, vice president, risk management with Ameriprise Financial, said that even though his company has a sophisticated risk management program, it was using a somewhat informal information management system until just a few years ago when it decided to partner with Riskonnect.

“I was no longer interested in a RMIS system that was merely used as a data repository — something that we basically just stored policy information in,” said Major. “Because effectively what we were doing was taking policies off of our network, as it were, and dumping them into this system.”

Compass Group experienced a similar frustration even though they did have a prior partnership with a RMIS provider.

“The system was not being used to its full extent, or at all, really,” said Van Allsburg. “It was more or less used as kind of a claims aggregator. … I think unfortunately a lot of companies use it this way. And [only] one or two people were actually running any kind of report out of it. It really wasn’t adding a lot of value to our businesses, and we were paying a fair amount of money for this system.”

Both Major and Van Allsburg said their companies put a great deal of care and analysis into selecting the right RMIS partner. Flexibility and customization were must-haves for both.

Compass, with its strong focus on leading indicators, needed audit capability to be a piece of the puzzle. Origami didn’t have a large audit platform. But that wasn’t an issue, said Van Allsburg — they built one. Now Compass’ 22 safety professionals in the field can do self-assessments on the fly whenever necessary.

“Origami even built out a mobile application where any of my associates can log in and pull up a specific audit that reflects their particular business line, go through the audit, whether it’s OSHA questions, whether it’s fleet questions, and [the completed audit] gets loaded into the system and tied to that location.”

The unique benefit of a cloud-based software-as-a-service (SaaS) platform is that new functionality developed to meet one client’s needs is automatically available for every client.

“The origin of the ideas for the new features and enhancements we’re putting into our product is coming from the clients themselves, so they have the leverage of all of the brainpower of all of our collective 300-plus clients that are contributing ideas — everybody else benefits from the best of those ideas,” said Origami’s Petrie.

Ameriprise’s Major, using Riskonnect, said that kind of collective power means he’s a lot less likely to have to ask his RMIS team to reinvent the wheel for him.

“There’s not much that we’re coming to them with that they haven’t done before, in one way or another, or that I can’t leverage off of what somebody else has done within the firm to build it out.”

And while functionality, user interface, ease of use and other considerations were also weighed carefully, risk managers said the importance of the team and their level of service could not be overstated.

Questions to consider, said Van Allsburg, include: Do they understand not only the risk and insurance landscape, but have they taken the time to understand your business? Are they willing to take in a whole host of information, understand why you want them to take that information in, and how it should be tied to the measures you want them to be tied to?

Open communication is paramount, he said. With the company’s prior partner, “we weren’t being told how we could better leverage the system. We weren’t being told about their software updates, and about how [new software] releases could impact us — there really wasn’t an effort to understand our business.”

As for cost, risk managers said it was practically a non-issue. “It’s fairly minuscule,” said Van Allsburg. “If a risk manager were to read this and think oh, the cost of a RMIS system is going to be astronomical — I don’t really think it is.”

“The cost of these RMIS systems for the most part are not that high,” agreed Major. “And I think they do pay for themselves over the long term.

“I’m not sure you can ever quantify dollar for dollar when the payback happens because you’re really talking about a lot of soft costs,” he said.

“I’m more interested in, does it support what we need to do as a group and help us more effectively manage risk within the firm. And then does it have the flexibility to help out in other areas of the company or other projects we might be thinking about. You make your decision based on that.”

Major strongly recommended reaching out to peers as part of the decision-making process. He credited a strong and supportive risk management community in the Minneapolis-St. Paul region with helping his company make the best possible choice.

“We’re fortunate [that] in Minneapolis-St. Paul, there are … a number of Fortune 500, Fortune 250 companies with sophisticated risk management groups that are using these types of systems. So it really helped to reach out to a variety of [companies] in our risk management network to figure out what people were using, what they were using it for, and get input on what works and what doesn’t work,” Major said.

“We have a very tight community as far as risk management groups, everybody really works well together and most people know each other, so that’s when you really can have an open dialogue. You’ve got people that’ve been using various systems hands-on and can give you the plusses and minuses of each. It really adds to your decision process as you go through.”

Major added that through that process, his company’s RMIS leader established a local user group that meets regularly “just to talk about the different things that are going on, what people are doing, how they’re using the system, new features that they have, etc.”

“That’s benefited everybody in that group, opening their eyes about different things that the system can do, or what we use it for, versus, say, what another large financial institution or a large retailer [might use it for].”

Develop a Roadmap

For risk managers looking to partner with a RMIS vendor or switch partners, users offered suggestions for ensuring a more effective outcome.

“I think one of the keys is to have a very defined outline of what you want and then develop a very defined implementation plan around that. You have to prioritize what you want … because if you try to do everything at once, it’s not going to work,” Major said.

Once you’ve made a decision, he said, plan to have a frank discussion about what your short-term and long-term goals are for the platform so that your account team has a firm grasp on where you want to go.

Also have a new project plan that you’re working towards each year, suggested Major. “Some smaller companies may say, ‘Hey, all I want is this functionality and that’s all I need.’ But speaking from a larger company, I think you constantly need to evolve and you need to have plans around making that happen.”

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]

More from Risk & Insurance

Black Swan: EMP

Chaos From Above

An electromagnetic pulse event triggered by the detonation of a low-yield nuclear device in Earth’s atmosphere triggers economic and societal chaos.
By: | July 27, 2017 • 9 min read

Scenario

The vessel that seeks to undo America arrives in the teeth of a storm.

The 4,000-ton Indonesian freighter Pandawas Viper sails towards California in December 2017. It is shepherded toward North America by a fierce Pacific winter storm, a so-called “Pineapple Express,” boasting 15-foot waves and winds topping 70 mph.

Normally, Pandawas Viper carries cargo containers. This time she harbors a much more potent payload.

Unbeknownst to U.S. defense and intelligence officials, the Viper carries a single nuclear weapon, loaded onto a naval surface-to-air missile, or SAM, concealed below deck.

The warhead has an involved history. It was smuggled out of Kyrgyzstan in 1997, eventually finding its way into the hands of Islamic militants in Indonesia that are loosely affiliated with ISIS.

Even for these ambitious and murderous militants, outfitting a freighter with a nuclear device in secrecy and equipping it to sail to North America in the hopes of firing its deadly payload is quite an undertaking.

Close to $2 million in bribes and other considerations are paid out to ensure that the Pandawas Viper sets sail for America unmolested, her cargo a secret held by less than two dozen extremist Islamic soldiers.

The storm is a perfect cover.

Officials along the West Coast busy themselves tracking the storm, doing what they think is the right thing by warning residents about flooding and landslides, and securing ports against storm-related damage.

No one gives a second thought to the freighter flying Indonesian colors making its way toward the Port of Long Beach, as it apparently should be.

It’s only at two in the morning on Sunday, December 22, that an alert Port of San Diego administrator charged with monitoring ocean-going cargo traffic sees something that causes him to do a double take.

GPS tracking information indicates to him that the Pandawas Viper is not heading to Long Beach, as indicated on its digital shipping logs, but is veering toward Baja California.

Were it to keep its present course, it would arrive at Tijuana, Mexico.

The port administrator dutifully notifies the U.S. Coast Guard.

“Indonesian freighter Pandawas Viper off course, possibly storm-related navigational difficulties,” he emails on a secure digital communication channel operated by the port and the Coast Guard.

“Monitor and alert as necessary,” his message, including the ship’s current coordinates, concludes.

In turn, a communications officer in the Coast Guard’s Alameda, Calif. offices dutifully alerts members of the Coast Guard’s Pacific basin security team. She’s done her job but she’s about an hour late.

At 3:15 am Pacific time on December 22, the deck on the Pandawas Viper opens and the naval surface-to-air missile, operated remotely by a militant operative in Jakarta, is let loose.

It’s headed not for Los Angeles or San Diego, but rather Earth’s atmosphere, where it detonates about 50 miles above the surface.

There it interacts with the planet’s atmosphere, ionosphere and magnetic field to produce an electromagnetic pulse, or EMP, which radiates down to Earth, creating additional electric or ground-induced currents (GICs).

The operative’s aim is perfect. With a charge of hundreds and in some cases thousands of volts, the GICs cause severe physical damage to all unprotected electronics and transformers. Microchips operate in the range of 1.5 to 5 volts and thus are obliterated by the billions.

As a result, the current created by the blast knocks out 70 percent of the nation’s grid. What began as an overhead flash of light plunges much of the nation into darkness.

The first indication for most people that there is a problem is that their trusty cellphones can do no more than perform calculations, tell them the time or play their favorite tunes.

As minutes turn to hours, however, people realize that they’ve got much bigger concerns on their hands. Critical infrastructure for transportation and communications ceases. Telecommunication breakdowns mean that fire and police services are unreachable.

For the alone, the elderly and the otherwise vulnerable, panic sets in quickly.

Hospital administrators feverishly calculate how long their emergency power supplies can last.

Supermarkets and other retailers anticipating one of their biggest shopping days of the year on that Monday, December 23, instead wake up to cold homes and chilling prospects.

Grocery stores with their electricity cut off are unable to open and product losses begin to mount. Banks don’t open. Cash machines are inoperable.

In the colder parts of the United States, the race to stay warm is on. Within a day’s time in some poorer neighborhoods, furniture is broken up and ignited for kindling.

As a result, fires break out, fires that in many cases will not draw a response from firefighting crews due to the communication breakdown.

As days of interruption turn into weeks and months, starvation, rioting and disease take many.

Say good-bye to most of the commercial property/casualty insurance companies that you know. The resulting chaos adds up to more than $1 trillion in economic losses. Property, liability, credit, marine, space and aviation insurers fail in droves.

Assume widespread catastrophic transformer damage, long-term blackouts, lengthy restoration times and chronic shortages. It will take four to 10 years for a full recovery.

The crew which launched the naval surface-to-air missile that resulted in all of this chaos makes a clean getaway. All seven that were aboard the Pandawas Viper make their way to Ensenada, Mexico, about 85 miles south of San Diego via high-speed hovercraft.

Those that bankrolled this deadly trip were Muslim extremists. But this boat crew knows no religion other than gold.

Well-paid by their suppliers, they enjoy several rounds of the finest tequila Ensenada can offer, and a few other diversions, before slipping away to Chile, never to be brought to justice.

Observations

This outcome does not spring from the realm of fiction.

In May 1999, during the NATO bombing of the former Yugoslavia, high-ranking Russian officials meeting with a U.S. delegation to discuss the Balkans conflict raised the notion of an EMP attack that would paralyze the United States.

That’s according to a report of a commission to assess the threat to the United States from an EMP attack, which was submitted to the U.S. Congress in 2004. But Russia is not alone in this threat or in this capability.

North Korea also has the capability and the desire, according to experts, and there is speculation that recent rocket launches by that country are dress rehearsals to detonate a nuclear device in our atmosphere and carry out an EMP attack on the United States.

The first defense against such an attack is our missile defense. But some experts believe this country is ill-equipped to defend against this sort of scenario.

“In terms of risk mitigation, if an event like this happens, then that means the best risk mitigation we have has already failed, which would be our military defense systems, because the terrorists have already launched their weapon, and it’s already exploded,” said Wes Dupont, a vice president and general counsel with the Allied World Assurance Company.

The U.S. power grid is relatively unprotected against EMP blasts, Dupont said.

And a nuclear blast is the worst that can occur. There isn’t much mitigation that’s been done because many methods are unproven, and it’s expensive, he added.

Lloyd’s and others have studied coronal mass ejections, solar superstorms that would produce a magnetic field that could enter our atmosphere and wipe out our grid. Scientists believe that an EMP attack would carry a force far greater than any coronal mass ejection that has ever been measured.

An extended blackout, with some facilities taking years to return to full functionality, is a scenario that no society on earth is ready for.

“Traditional scenarios only assume blackouts for a few days and losses seem to be moderate …” wrote executives with Allianz in a 2011 paper outlining risk management options for power blackout risks.

“But if we are considering longer-lasting blackouts, which are most likely from space weather or coordinated cyber or terrorist attacks, the impacts to our society and economy might be significant,” the Allianz executives wrote.

“Critical infrastructure such as communication and transport would be hampered,” the Allianz executives wrote.

“The heating and water supply would stop, and production processes and trading would cease. Emergency services like fire, police or ambulance could not be called due to the breakdown of the telecommunications systems. Hospitals would only be able to work as long as the emergency power supply is supplied with fuel. Financial trading, cash machines and supermarkets in turn would have to close down, which would ultimately cause a catastrophic scenario,” according to Allianz.

It would cost tens of billions to harden utility towers in this country so that they wouldn’t be rendered inoperable by ground-induced currents. That may seem like a lot of money, but it’s really not when we think about the trillion dollars or more in damages that could result from an EMP attack, not to mention the loss of life.

Allianz estimates that when a blackout is underway, financial trading institutions, for example, suffer losses of more than $6 million an hour, while telecommunications companies lose about $30,000 per minute.

Insurers, of course, would be buffeted should a rogue actor pull off this attack.

“Depending on the industries and the locations that are affected, it could really change the marketplace, insurers and reinsurers as well,” said Lou Gritzo, a vice president and manager of research at FM Global.

Gritzo said key practices to defend against this type of event are analyzing supply chains to establish geographically diverse supplier options and having back-up systems for vital operations.

The EMP commission of 2004 argued that the U.S. needs to be vigilant and punish with extreme prejudice rogue entities that are endeavoring to obtain the kind of weapon that could be used in an attack like this.

It also argued that we need to protect our critical infrastructure, carry out research to better understand the effects of such an attack, and create a systematic recovery plan. Understanding the condition of critical infrastructure in the wake of an attack and being able to communicate it will be key, the commission argued.

The commission pointed to a blackout in the Midwest in 2003, in which key system operators did not have an alarm system and had little information on the changing condition of their assets as the blackout unfolded.

The commission’s point is that we have the resources to defend against this scenario. But we must focus on the gravity of the threat and employ those resources.

Our interconnected society and the steady increase in technology investment only magnify this risk on a weekly basis.

“Our vulnerability is increasing daily as our use of and dependence on electronics continues to grow,” the EMP commission members wrote back in 2004.

But “correction is feasible and well within the nation’s means and resources to accomplish,” the commission study authors wrote.

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]