A midsize regional health insurer with approximately 3,000 employees across 10 locations in the Western United States created a role for a business continuity manager (BCM) reporting to the chief operating officer. In this organization, the enterprise risk management (ERM) functions, established in 2004, are owned by the chief legal officer. The insurer is a member of a larger network of health insurers. Each member organization develops its own ERM strategies and organizational structures but can leverage the best practices of the other members.
The BCM has direct access to the board of directors and meets regularly with senior business leaders to discuss continuity planning. Because of the executive focus, risk management becomes an organizational mandate, and line-of-business managers are fully on board. In 2009, the insurer implemented performance incentives tied to risk identification and control measures.
The BCM meets regularly with business managers to help them with the risk assessment process, which is ultimately their responsibility. The BCM provides guidance and a framework for evaluating business processes. Evaluating a business process not only enables continuity planning but also gives the business the opportunity to enhance the process by creating operational efficiencies. These enhancements become part of the continuity planning document.
However, the BCM in this example notes that the organization has no plan for ensuring the enhancements are made and lacks a consistent mechanism for evaluation. The BCM is also concerned about the lack of definition of the company's business processes, which impedes his ability to assist the business manager in performing disaster impact analysis and planning. The BCM intends to devote extra time to researching and understanding his business customers. This point is a critical success factor: It's difficult to perform risk assessments as an outsider. Given the complexity of insurance business processes, regulators and distribution partners, a deep understanding of the business facilitates better planning. Continuity planners with strong business knowledge will be better partners to their business customers who "live with the risk" on a daily basis.
Equally important is revisiting risks on an ongoing basis. New information security threats emerge every day, so putting measures in place to identify and respond to weaknesses is paramount. If systems are breached or information compromised, the insurer may have little time to react. The goal is to build a resilient organization that will not be compromised by a single disaster. Understanding differences and dependencies within the IT architecture will enable more cost-effective protection.
This case study represents one insurer's idea for handling risk management. SAS and the Economist Intelligence Unit surveyed insurance pros worldwide to learn how they are improving their risk management capabilities since the financial crisis. Listen to this webinar to hear David Buckham, founder and President of Monocle Solutions; Abhik Sen, Managing Editor of Industry & Management at the Economist Intelligence Unit; and Stuart Rose, SAS’ Global Insurance Marketing Manager, discuss the survey’s findings.