Work closely with IT to create best RMIS fit
Keep the lines of communication open.
That is the basic advice offered by experts on how risk managers can work most effectively with their information technology departments, in regard to both purchasing risk management information systems and developing cyber policies.
They say the best path forward is created when risk managers and IT departments contribute their respective expertise in insurance and technology.
“There’s a tremendous opportunity to partner with your own IT department” in bringing the right expertise to selecting a risk management information system, said Patrick J. O’Neill, president of Redhand Advisors L.L.C., an Atlanta-based IT consulting firm.
“I have really good relations with our IT department,” said Gloria Brosius, Loveland, Colorado-based corporate risk manager at Pinnacle Agriculture Holdings L.L.C.
“It works very well for us to collaborate with them on various items. They know that I am there to help them,” said Ms. Brosius, who is on the New York-based Risk & Insurance Management Society Inc.’s board of directors.
“Definitely start an informal dialogue about it,” said Ms. Brosius. “Sit down face to face with the director of IT” and “explain that you need their help to do your job appropriately and that you’re there to help them as well. It’s a give and take to understand what the exposures are and help them develop the best practices for the exposure that’s out there.”
Bill Baker, Minneapolis-based national director of Arthur J. Gallagher & Co.’s Core360 risk management program, said it is important for the risk manager to articulate how the IT department could help solve problems or challenges, and provide “some idea of how the end results might look like, which would help the IT department visualize what the risk manager is really trying to achieve.”
“One of the things that we see is that risk managers don’t take the time to meet with their IT folks ahead of time and sort of explain their business requirements,” said Robert Petrie, president and CEO of Chicago-based Origami Risk L.L.C., which develops risk management software.
“If they don’t do that, what the IT department might come back with is their default requirements, or must haves, and sometimes those are things that don’t match the business requirements,” said Mr. Petrie.
But there is more data sharing now, said Neeraj Sahni, senior vice president and national cyber broker with Willis Towers Watson P.L.C. in New York.
In the past, there had been some worry among IT personnel, who typically had less authority, that the risk manager “would come in and take their jobs.” But today there is “more partnership and collaboration,” he said.
“When it comes to technology, you might have the IT organization actually run the procurement process” and use it “to help ask the right security questions,” said Randy Nornes, Chicago-based executive vice president with Aon Risk Solutions.
Michael Santulli, Newport Beach, California-based partner with ICA Risk Management Consultants, recommends that risk managers learn what software their IT departments are already using and proceed from there because you do not necessarily “want to come in and wipe the slate clean.”
It is also important that risk managers get to know their firm’s chief information security officers, which is a relatively new position in many companies, Mr. Nornes said.
“The CISO is really looking at the security of the organization, and so if the risk management team is going to implement a new system, you’re going to have to make sure you’re in compliance with the overall security requirements of the organization,” Mr. Nornes said.
But because the CISO is a new position for many organizations, he or she often “does not know who the risk manager is,” said Mr. Nornes. “They should get together” for coffee, he said.
Risk managers and their IT departments should also collaborate on issues such as privacy policies.
Pinnacle’s Ms. Brosius, for instance, said she works with her IT department on the company’s privacy policies, and collaborates with it in developing disaster recovery plans.
“It’s all part of an enterprise risk management program,” she said.