Preparing for the inevitableReprints
Difficulty in forecasting rapidly changing risks, notably cyber liability and reputation risk, are driving risk managers to seek more from their risk management information systems.
RMIS once focused on basic tasks such as claims and insurance policy management. Observers say today's risk managers want to increase their predictive analytic capabilities, but also worry about the accuracy of such forecasts.
“There are basically two schools of thought within the risk management community,” said John Phelps, director of business risk solutions at Blue Cross and Blue Shield of Florida in Jacksonville and a past president of the Risk & Insurance Management Society Inc.
One consists of traditional risk managers who are looking for claims management capabilities, policy management and archiving abilities, he said. The other school of thought involves risk managers who focus primarily on enterprise risk management and are not involved in risk financing, he said.
“Predictive analytics is by far the hottest topic” in RMIS today, said Paul Marushka, president of Chicago-based Marsh ClearSight L.L.C., previously CS Stars L.L.C. until it was rebranded last year. “The research we've seen is that 66% of the risk managers say they do not have the analytics they need to manage their risk effectively, and 86% say their ability to forecast risks will become more difficult in the next three years.”
Mr. Marushka said risks continue to evolve and are getting harder to identify, citing cyber risk as an example.
“It takes over 80 weeks for shareholder value to recover after a reputational crisis,” Mr. Marushka said. “The ability of risk managers to model that out so they can give a perspective holistically across their organizations is a top priority.”
“We see an acceleration, with risk managers talking about uninsurable risks,” said Bob Morrell, CEO of Kennesaw, Georgia-based Riskonnect Inc.
“The nature of risk management is evolving dramatically, from a relatively steady state to more of a rapid-response environment,” said Stephen Rhee, Chicago-based CEO of Ventiv Technology Inc. He said that risk managers must be prepared to deal with developments that can arise at any moment.
“Cyber risk is different than just about any other class of risk facing a business today, in that there is somebody actively trying to do harm to your organization every day,” he said. “For every organization, it's not a matter of if, but when, in terms of when it will face a cyber attack.”
Mr. Rhee said an RMIS system is “critical to help risk managers prepare for and deal with this inevitability.”
According to Mr. Rhee, the effective quantification of risk exposures, both tangible and intangible, is probably the most difficult component of cyber risk assessment. “Use of a RMIS system in the quantification helps standardize both definition and values of all classes of exposed assets,” he said.
According to Ventiv, other risks that could require a rapid response include weather impact, product failure and brand reputation.
“We've tailored offerings that are specific around cyber risks, but also handle the broadest impact of what those risks entail,” said Riskonnect's Mr. Morrell.
“When you look at what RMIS has done, it's been a matter of let's help the risk management department make better decisions,” Mr. Morrell said. “That's important, but there's a lot more to risk management than that. The complexity of the uninsurable side of risk just keeps increasing. If you use a spreadsheet to manage it, it just falls apart.”
Rather than subscribing to one benchmark model or one built-in predictive model, risk managers “are coming to the same conclusion that insurance underwriters have subscribed to for many years: overlaying multiple data points drives better results,” said Aaron Shapiro, New York-based executive vice president of Chicago-based Origami Risk L.L.C.
He said that on its own, each of these analytics is somewhere between a compass and a GPS.
RMIS “won't tell you to … settle your claim for exactly $20,000',” he said, but “they will give you something better than, 'Head northwest,'” Mr. Shapiro said.
“Our clients are now looking to subscribe to multiple sources and overlay the analytics and their own private data” such as claims, policies, exposures and the like, he said.
“They can expect to see RMIS offer more and more flexible tools to automatically combine these data sets. The result will be more informed decisions and the ability to drive the best results via rules-based automation,” Mr. Shapiro said.
“What do I see the rising risk professionals doing? They're using apps for everything” on their smartphones, said Darius Delon, chair of the RIMS Canada Council and associate vice president of risk management at Mount Royal University in Calgary, Alberta.
“The integration of a worthwhile app that's on your phone that allows your common staff members that have the app to actually record the incident” would be a welcome addition to RMIS, he said. For a university, an incident could range from water damage to property to a campus commotion, he said. “We have some stuff that's cloud-based, but you have to log into the system … you're already away from the incident. It would have to be so simple that everybody could do it.”
“If you don't capture the incident, you don't manage the claim” that arises from it, Mr. Delon said.