|
| Home | Software Providers | Consultants | Articles | Columns | Reviews | Headlines |
 Copyright © 2001 Business Insurance |
"Enterprise Risk Management: RMIS Requires Corporate Cultural Transformation"December 4, 2000 |
- by Michael Prince
- A risk management information system can be an essential tool for
companies adopting an approach, but buying a new system is far from the first step in the
process, experts say.
Instead, they say, companies taking a broader view of managing their risks first must undergo a sweeping cultural transformation that involves making an organization's top management as well as virtually every business unit aware of the myriad risks involved. Only when this lengthy process of expanding risk awareness throughout the enterprise is complete, and the organization understands what it wants and needs in an information system, should the risk manager step into the marketplace for information systems that can help quantify and track these broader risks.
An enterprisewide RMIS system can help managers with a wide array of functions. At the outset, once connected to an organization's existing information systems, the RMIS gathers information from all these various systems into one database. There, the data can be analyzed from various angles to get different perspectives on the risks the organization faces.
With this rich database and analysis tool, various custom reports can be produced not just for a risk manager, but also for managers throughout the organization, giving them a detailed look at their exposures.
``The goal of the process is to define for yourself what the goal is and then find the system that will do this,'' said Anita Schoenfeld, senior consultant and practice leader for RMIS consulting services at Tillinghast-Towers Perrin in Dallas.
For example, one goal may be to implement a single system that tracks all claims within an organization. Another organization may instead want to focus on what financial issues may arise that could hurt its bottom line.
Before buying a risk management information system to help track enterprisewide risks, an organization must undergo a significant transformation, said David Duden, national RMIS practice leader at Deloitte & Touche L.L.P. in Hartford, Conn.
``There kind of has to be a philosophical change within the company,'' before a system is purchased, he said. ``The system piece is almost easier than the cultural piece, '' Mr. Duden said.
The first step in this transformation, he said, is to take an internal audit of risks. This process will identify the operational, financial and market risks the organization faces. A market risk, for example, might be the loss of revenue if a company's reputation were suddenly damaged, he explained.
Once this broad audit of risks is completed, the risks then need to be quantified, Mr. Duden said. ``That's where the tough part comes.''
It's important that upper management be involved in conducting the needs assessment, advised Tillinghast Towers-Perrin's Ms. Schoenfeld. ``It's a pretty detailed process, where you sit down and ask what are their needs but also how they do business,'' she said. The system needs to handle the requirements of the organization but also must mesh with its culture and not become an expensive, unused toy, Ms. Schoenfeld said.
If the risk manager is going to lead the charge into the world of enterprisewide risk management, he or she needs to understand the various parts of the company's business and then convince these other business leaders that this new system would benefit them, said Mark Robson, vp at MMC Enterprise Risk Inc. in Toronto, a unit of Marsh & McLennan Cos. Inc.
In taking the lead, the risk manager also needs to gain the support of senior management. Implementing such a sweeping cultural change can't be done without the input and total support of top management.
``The board and the CEO really need to see the value,'' of the new approach, Mr. Robson said.
A fundamental question that needs to be considered is what is constitutes a ``risk,'' noted Peter Stockman, partner and practice leader for the North American risk management practice at Andersen Consulting in New York. Another consideration is the extent to which an organization is willing to accept variability in its revenue or profits, he noted. These matters must be considered at the outset of the process, so that the information system can be set up to address the answers, he said.
Once the decision has been made to invest in a new information system to help manage enterprisewide risks, several factors should be considered in selecting the right one, experts say.
These systems first reached the market in 1999, and in 2000 they are ``still in the pioneering stage, not in the settling stage,'' Mr. Duden said. ``It's definitely a new, virgin territory,'' Mr. Duden said of the entire field of enterprisewide RMIS systems. Today, he estimates there are fewer than 10 such systems on the market.
The systems available have various strengths, consultants say. For example, they say, some analyze financial risks better than others do, while others more readily lend themselves to analyzing operational risks.
The systems also differ in terms of their reach.
For example, some information systems may be strong in only one area, such as in examining a firm's market-based risk, but can perform this task well throughout an entire organization, said Chris Karow, a partner with Ernst & Young L.L.P. in New York. Others, however, might be capable of gathering information about a wider variety of exposures, but can only do so from perhaps a single computer that ``is not necessarily accessible to the enterprise,'' he said.
One important factor to consider when looking at systems is their ability ``to disseminate information in a user-friendly format,'' typically electronically, Ms. Schoenfeld said. It's also important that end users be comfortable with the manner in which information is delivered, he said.
``The goal is not only to give them information, but give them information in a format they can manipulate and use for loss mitigation,'' Ms. Schoenfeld said.
Systems usually come with many built-in standard reports, such as the number of accidents at each manufacturing plant, but the system should also allow individuals to customize reports.
The most important aspect of any system is how well it integrates with existing information systems used for production and finance within the company, Mr. Robson said. The RMIS must be able to gather information from the existing systems and create reports that use the same terminology and have the same look as the existing reports. ``It's all about the reports,'' he said.
These reports will be used by both risk managers and business leaders throughout the organization, and reports that use different terms or have a different style from existing ones aren't going to be helpful to users, he said.
The ease of use of an system also is very important, said Mr. Duden. This is particularly critical when it comes to entering information from the various business units connected to the system. ``The only way you're going to get this data is by making it easy for people to put in this information,'' he said. He recommends the use of online, browser-based formats, because people generally feel comfortable with such tools and the systems don't ``require a huge change in the infrastructure for most of these organizations.''
Internet-based systems possess three advantages, Mr. Karow said. First, the information contained on them is available to all qualified users. In addition, the system can be upgraded easily, because the program and the database reside on a server and not on numerous personal computers. And finally, all the data sits on one place, ``so if I want to see the big picture, I can,'' he said.
One system that Mr. Duden noted as solid is sold by Portiva, a company based in Amarillo, Texas. One reason he likes its product, he said, is that it is Web-based and the company's founders come from a risk management background.
Apart from ease of access, consultants also identified several other important considerations.
A system should also be able to run a value-at-risk analysis, Mr. Stockman said. These examine what effect an event, such as an increase in interest rates, would have on the company's share price.
In addition, a system should employ an open architecture. This allows the models built into the system to be changed so newer ones can be added, expanding the system's capabilities, Mr. Stockman said.
Also, the system should have a database that contains the type of data the user needs. For example, if the user is interested in weather risks, then the database needs to have the relevant weather information stored within it, or it must be able to handle an additional database of that information.
The RMIS also needs to be able to display information in a variety of ways, allowing for the creation of multiple charts and graphs. ``A lot of information comes out, and to understand it, you need a good presentation package,'' he said.
A strong system also needs a good data mapping and acquisition module, which allows the system to pull in needed data from multiple sources within an organization. A system not only needs to be able to gather this information but also should check on its quality and track where the data came from. Often, the largest hurdle in setting up a system is linking it to the existing systems, which frequently aren't set up to allow the outflow of information.
In addition, a system should have a good library of modeling tools, and it should allow the incorporation of additional tools as they become necessary. ``This is particularly important when you're in an environment where new risks are emerging,'' Mr. Stockman said.
The system also needs to be secure, Ms. Schoenfeld pointed out. This means locking out unauthorized users through passwords and limiting users' access to only the information they need.
And customer support is a hidden but critical factor in evaluating a system, she noted.
``Some vendors do it very well, and some do it poorly,'' she said.
Systems should also be able to handle claims and litigation management, Ms. Schoenfeld said. Some systems include a claims reminder feature; others, a broad array of claims tools. A full-fledged claims management feature usually includes a diary that sends out reminders when legal items are due or when court documents need to be filed. In addition, a complete system keeps track of all claims, providing detailed claims handling notes and reserve amounts. Such comprehensive systems generally are much more expensive, though, she noted.
``It's important that you totally understand what you're buying,'' she said.
The installation process, too, can pose certain problems.
Time, for one, can be a major concern. It can take up to two years to fully install a system, depending on the number of systems that have to be connected and how widespread the system will be within an organization, Mr. Stockman said.
Finally, these systems can be very expensive. The exact price will vary with the amount of time needed for installation. But buying the least expensive system may not always be a good strategy.
``Buying the cheapest vendor doesn't always get you a system for the lowest price,'' Mr. Robson said. This is because the cheapest vendor might not be qualified to properly install the program or you could end up with a system that doesn't meet all of your needs.
No matter how good the system is, however, it still comes down to the people in an organization.
``The system is an enabler,'' Mr. Karow said, while people will address the risks.
© Copyright Business Insurance 2000, 2001