Imagine you are a chief claims officer who has just received an email from the CEO directing you to clear your calendar so you can spend a few days participating in an offsite, mission-critical enterprise risk management (ERM) planning session. What is your first reaction?
Depending upon your company culture and your prior experiences with the risk management process, your feelings might range anywhere from anticipation to dread. If you previously suffered through an old-school risk assessment and planning meeting, for instance, you might even view the process as low value, complicated, and boring—something to be avoided at all costs. Which would be unfortunate, because making time to identify, evaluate, manage, and measure risks that threaten your enterprise’s ability to achieve business objectives not only makes sense, but also is truly mission critical in today’s economic and regulatory operating environment. After all, in order to manage risks, you first need to identify and understand them.
The good news is that insurance companies, confronted with emerging business and financial risks and heightened regulatory compliance expectations, have invested time, talent, and resources to strengthen their risk management protocols. Some have even appointed chief risk officers to drive the discipline and improve the effectiveness of their companies’ risk management framework at the enterprise level.
ERM has become big business, with no shortage of consultants and experts to help companies do it right. So risk analysis is now more thoughtful and strategic and useful, with an expanded focus on the dynamics of risk and the role different parts of the organization can play in risk mitigation.
The not-so-good news is that some financial services companies haven’t focused enough attention on their operational exposures. Deloitte reported in the eighth edition of its global risk management survey that while more than 80 percent of financial institutions have implemented risk programs, less than half have gone beyond the minimum to standardize risk controls and deal with operational exposures. Why? Perhaps their planning framework was lacking, or maybe, as Deloitte suggests, some companies have shifted their focus to other risk categories such as governance, liquidity, and regulatory and away from operational risks.
Within an insurance company, the claims organization usually represents a significant operational risk, so to be effective, an insurer’s ERM framework needs to fully comprehend and contemplate that exposure. Fortunately, no matter where your company is on the risk management sophistication curve, or what role the claims department plays in the ERM process, you can positively contribute to the richness and effectiveness of your company’s ERM efforts. How? By incorporating two risk-related diagnostic discussion exercises into your regular claims business and strategic planning sessions. They are easy to organize, they reinforce one another, and they will help you better appreciate your operational risks and produce more comprehensive plans.
Plan of Action
First, ask your management team to identify all claims stakeholders (internal and external parties who have a vested interest in how effectively the claims department performs) and catalog what each stakeholder needs to be successful and/or satisfied. Needs should encompass products, services, data, experiences, and other outcomes. Spend some time working this out because it’s important to make sure all stakeholders have been identified—there may be a dozen or more—and to validate stakeholder needs.
Second, challenge your management team to identify the operating risks they absolutely must manage well in order for the claims department to achieve operating objectives and meet stakeholder needs. This is sometimes called the “no-surprises” exercise, since most claims operating surprises are unwelcome and unpleasant; they frequently trigger undesirable financial consequences and negative publicity; they usually generate a distracting firestorm of second-guessing and finger-pointing; and they always reflect poorly on management.
The no-surprises exercise can be overwhelming, but it’s worth doing because it will reinforce how operating breakdowns, which are often caused by unidentified and/or unmanaged risks, can interfere with the claims department’s ability to deliver what stakeholders need. Ask a group of claims managers to identify their most critical operating risks, and they will remember every unfortunate operating surprise they have ever experienced and dredge up an imposing list, which might look something like this:
- Large exposure case management.
- Customer service and satisfaction.
- Regulatory compliance.
- Loss reserve timeliness and adequacy.
- Supply chain management, including vendor performance and costs.
- Fraud identification and mitigation and compliance with antifraud statutes and regulations and reporting requirements.
- Loss recovery, including subrogation and salvage.
- CAT readiness and execution.
- Cost control, including both ULAE and ALAE.
- Claims technology.
- Data accessibility, accuracy, and security.
- Claims reserve and settlement authority management.
- Productivity.
- Quality control.
- Loss cost leakage (paying more than should be paid on claims).
- Litigation management.
- Medical management.
- Disability management.
- Runaway verdicts.
- Claims quality control.
- Good-faith claims handling and extra-contractual exposures.
- Claims inventory management.
- Awareness of and compliance with best practices.
- Knowledge transfer to underwriters and actuaries.
- Stakeholder relationship management.
- Attraction, development, and retention of quality employees.
Grouping the answers into logical risk categories often helps to structure the discussion and make it easier to include the entire range of operating risks. Risk category examples might include:
- Social (publicity, reputation, relationship management, and knowledge management)
- Financial (reserves, payment accuracy, leakage, cost control, recovery, and vendor management)
- Process (controls and governance, efficiency, productivity, program effectiveness, performance scorecards, and regulatory compliance)
- Technology (reliability, disaster recovery, data accessibility, accuracy, and security)
- People (attraction, development, retention, and engagement)
This analysis helps identify critical claims performance categories, and the no-surprises exercise categorizes the key operating risks that claims departments need to manage (most of which link directly back to stakeholder needs). The output from these discussions represents the raw material you need to intelligently evaluate and prioritize claims operating risks, which is a critical first step toward managing them.
So, back to the imaginary email from the CEO. Depending upon the location, that upcoming ERM planning session might not be so dreadful after all....