Over the past decade, insurers have focused heavily on improving the customer’s journey. This task can be particularly challenging because a customer’s engagement with them could be as little as one annual wellness visit with no other claims for that year. In an effort to create engagement and build loyalty while working toward better health status, insurers have gamified biometric device interactions, launched semi-automated communications platforms and established group wellness challenges for employer groups and individual coverage plans. But here’s the challenge: If the data gathered from these engagements that is fed back to insurers is not clean, readable and available in the format and time in which it is needed, then a carrier is unable to optimize its application. If this challenge can be solved, high-quality data that does meet those parameters can be used for CRM modeling tools, experience and loyalty measuring systems, enhanced communications applications, cross-sell offers and lifetime customer value formulas. So how does one begin to solve this challenge? The key lies in using information obtained from reputable sources to fill in some of the gaps in the data you are already gathering. See also: How Agencies Can Use Data Far Better   Here are some of the benefits of using third-party data to inform your analytics:

1. You can enhance the bland data you already have. You could fill volumes with the amount of information you have about your customers’ basic demographics such as age, geography and household income. But what about their risk for certain health conditions and their history of disease? Including these details can support better communications, closer engagement and efficient transaction processing with care providers and administrative systems managers.
2. You can improve both the quantity and quality of your data. Quality of data can make or break processing and downstream analytics. When you use a third party to obtain your data, you may experience a more reliable return on investment in your marketing and communications spend. You can also make more informed decisions when you are pricing the risk of catastrophic losses. High-quality data can mean the difference between automated workflow decision making or manual and costly processes. It does not have to be a lot of data — but it does have to be clean, understandable, reliable and available when needed.
3. You can diversify ways of turning data into actionable insights. Information might be engineered or derived from big datasets that are curated in a way that a payer can ingest, making it useful for activities including workflow automation, risk management assessments, price modeling exercises, population health management or sales and marketing activities.

Of course, it’s important to be able to efficiently manage data from multiple sources. To do that, you need to create a master data management plan. Often, a centralized location for several datasets makes sense, although a connected, decentralized arrangement can work, as well. Establish a standard data dictionary within your company to ensure that your staff understands external data in the right way and can more precisely define even internal data. In other words, break down data silos and functional barriers that may be preventing a standard dictionary that all can leverage. How can you determine whether you are getting the most out of your use of data? A three-step approach may be helpful:

1. Evaluate the data you have and verify whether it is clean, reliable and accessible in the manner you need it.
2. Identify the areas in which external data could complement your own and structure a data management approach for all of your data — both internal and external.
3. Establish a cross-functional executive team that can prioritize where you need the data most, and start on one initiative now. If you are not doing something, your competitors most probably are.

See also: Role of Unstructured Data in AI   Well-organized data can help you engage your current customers, attract new customers and ultimately improve your company’s bottom line. But too much data, that is not optimized for your business needs, may not help the organization meet its goals. When you focus on high-quality and reliable data, you can see some tangible results when you adapt its use into platforms all along the lifecycle of your business.

As Daenerys Targaryen unleashed her dragon on the defenseless King's Landing in the penultimate episode of "Game of Thrones" on Sunday, millions of viewers wondered: Why didn't the writers prepare us more for her turn to the dark side? How did the city's artillery go from hitting everything a week earlier to hitting nothing this week? And, if there was budget for such extensive special effects showing the destruction of the city, then why couldn't Jon Snow have hugged his CGI-generated direwolf goodbye the week before? (Maybe that was just my question.)

Those of us in the insurance industry had even tougher questions: Why didn't the risk managers prepare the city better for an attack? Couldn't dragon-resistant building codes have been imposed? Are there enough adjusters in all of Westeros to handle all the claims?

Right?

Let's imagine two scenarios, one traditional and one cutting-edge, that consider how King's Landing might recover. (If either gets picked up as one of the inevitable prequels or sequels to GoT, I hereby lay claim to a share of the royalties. I can see it now: "A Song of Fire and Fire Insurance.")

We all know the traditional scenario, which we see after hurricanes and wildfires. An army of adjusters descends on the city. They start handing out partial checks and plowing through debris and the details of the policies. An insurer or two is undercapitalized—Lannister Re surely didn't survive this attack, despite its slogan: "Lannister always pays its debts." Loads of people are underinsured, and that's even before the massive competition begins for the materials and skilled workers needed to rebuild. The lawyers get involved, and people learn that being covered for fire doesn't mean they're covered for ALL fire—dragon fire is a special case, after all—or for the damage caused when fire makes someone else's building collapse on them or their homes. Pretty soon, billboards go up advertising for personal injury lawyers: "If You Suffered Emotional Distress in the Dragon Attack, Call Qyburn & Qyburn at 123-456-7890."

The city eventually recovers, but it takes forever; there is a ton of wasted effort and money; and many customers feel ill-used.

Now let's imagine a more, well, magical scenario. George R.R. Martin hasn't finished the books yet, so I'll claim literary license. 

In this scenario, King's Landing insurers saw themselves as in the services business, not in the payment-for-damages business. They helped businesses and citizens prepare for the dragon attack, whose possibility had been building for years. So, many buildings had been hardened and survived reasonably intact. (The episode just didn't show those.) Insurers drew on the new possibilities from insurtechs, especially Bran Stark Analytics (the predecessor of Stark Industries and Tony Stark, aka Iron Man). Based on its Three-Eyed Raven platform, Stark Analytics used AI (aerial intelligence) to warn clients right before the attack and get them to safe areas. (Again, the episode somehow missed these people.) After the attack, the insurtech dispatched flocks of crows (controlled via warging) to survey the damage, quickly started paying claims and helped clients soon get back on their feet. 

There was still plenty of dislocation—dragon attacks will do that—but the focus on prevention and the use of cutting-edge technology meant that the city quickly recovered and thrived under the long reign of....

Cheers,

Paul Carroll

Editor-in-Chief

P.S. Spare a thought for the 3,500-plus girls who over the course of the show have been named some version of Daenerys or Khaleesi. Named after a symbol of female strength, the girls and their parents are now finding that Daenerys has become an unhinged mass murderer.

The timing was excellent – or unfortunate – depending on your perspective. Just a week before South Korean President, Moon Jae-in, jets to Washington to talk DPRK denuclearization, it was reported that a South Korean oil tanker had been detained. The P PIONEER – the first local vessel seized by South Korean authorities — is among four detained by Seoul. All are suspected of violating United Nations sanctions on fuel shipments to North Korea. Just last month, the UN Security Council (which uses Windward technology) published its latest report on North Korea. It laid out in graphic detail Pyongyang’s evolving tactics in evading sanctions, and the maritime compliance risk faced by anyone connected – however unwittingly – to vessels engaged in this kind of activity. THE P PIONEER According to reports, the P PIONEER was detained last October on suspicion of shipping oil to North Korea via clandestine ship-to-ship transfers and is “an indicator of the increasing pressure the U.S. is exerting on foreign governments and businesses to crack down on North Korean sanctions evasion,” according to Tahlia Townsend and Joseph Grasso, who head the International Trade Compliance and Insurance Practice Group at U.S. law firm Wiggin and Dana. A Windward analysis of the vessel’s behavior in the 12 months leading up to its detention reveals a pattern of dark activities in several parts of the East China Sea. In total, we detected 13 separate occasions when this happened – the kind of deceptive shipping practices routinely employed by North Korea, as highlighted by an updated advisory published last month by the U.S. Treasury’s Office of Foreign Assets Control. During our analysis, another notable pattern of behavior emerged: In the 12 months before it was detained, the P PIONEER only visited ports in South Korea. In other words, every voyage the vessel undertook began and ended in South Korea. Map showing polygons (areas) linked to possible clandestine oil transhipments to North Korea. Source: OFAC, UN. See also: Can Insurers Stop Financial Crimes? Yes   Searching in the dark Detecting such behavior just by searching for “dark activity” won’t get you very far. Indeed, if you use this behavior as a proxy for illicit activity in the East China Sea, you’ll end up with a short list of 20,000 vessels during the past 12 months (the East China Sea is notorious for poor AIS coverage, meaning many vessels that “go dark” don’t do so deliberately). Of these, 1,200 were tankers – a number way too big to differentiate between innocent vessels just passing through and those potentially engaged in illicit oil trading with North Korea. If identifying dark activity was all we could do, compliance officers, charged with ensuring vessels they deal with are complying with sanctions, would probably jump overboard. Map showing clusters of Dark Activities by vessels in the East China Sea over the past year Where we can narrow things down for maritime compliance risk is by looking at how frequently vessels went dark – where it was an integral part of a vessel’s modus operandus. As the chart below shows, most tankers had no more than one dark activity in the area; only 3.5% of them did it more than five times. We can look more closely at repeat offenders, to find those that might be evading sanctions (our algorithms can detect which turn-off-transmissions are due to lack of reception and which due to skulduggery). Distribution of vessel dark activity, highlighting two additional vessels that were mentioned in the recent OFAC advisory regarding DPRK as possibly being involved in illegal transports of petroleum products. Behavioral Analysis Another way to whittle down the list of potential miscreants is to look at trade patterns. As discussed above, most vessels passing through this area were heading to ports in the region. The P PIONEER’s voyages always started and finished in South Korea (with a dark activity in between), a pattern we see in just 81 other vessels over the past 12 months. If we narrow our time window to the past 60 days, we find only 17 vessels were engaged in this pattern of behavior – a much more manageable data set. Within those 17, we find one, very interesting, vessel, called the P CHANCE. Like the P PIONEER, it’s a tanker; it’s flagged in South Korea; it had 21 dark activities in the region in the past year – including one last month. Oh, and it belongs to the same registered owner (see below). Looking at the P CHANCE’s economic utilization profile, one can spot the same risk indicators but from a different perspective. With more than 15 dark activities in the East China Sea in 2018, the vessel spent only 31 days in port (compared with 80 days for similar tankers). See also: Europe’s New Data Breach Requirements   To be sure, this analysis isn’t a smoking gun – it just means that out of the thousands of vessels transiting the East China Sea every month, this vessel stands out, indicating that further investigation may be warranted. Maritime Compliance Risk The deceptive shipping practices discussed in this article were once only relevant to intelligence agencies and NGOs that monitored and enforced sanctions. But as we’ve seen in the recent OFAC advisory, and the UN Panel of Experts report, sanctions enforcement is no longer something only bad actors need worry about; counterparty due diligence (CDD) teams in every industry that interacts with shipping now need to up its game considerably. Indeed, when list managers or compliance officers consume data feeds and black lists, the recent OFAC advisory might now require them to prepare and consume a global daily review of dynamic sanctions evasions tactics, to mitigate compliance risk. With the right technology, they can do so – while keeping their businesses running as usual.

What’s a great, differentiated customer experience (CX) really worth to a company? It’s a question that seems to vex lots of business executives, many of whom publicly tout their commitment to the customer but are actually unsure about the ROI of customer experience — leaving them reluctant to invest in customer experience improvements. As a result, companies continue to subject their customers to complicated sales processes, cluttered websites, dizzying 800-line menus, long wait times, incompetent service, unintelligible correspondence and products that are just plain difficult to use. To help business leaders understand the overarching influence of a great customer experience (as well as a poor one), my firm sought to elevate the dialogue. That meant getting executives to focus, at least for a moment, not on the cost/benefit of specific customer experience initiatives but, rather, on the macro impact of an effective customer experience strategy. We accomplished this by studying the cumulative total stock returns for two model portfolios – composed of the Top 10 (“Leaders”) and Bottom 10 (“Laggards”) publicly traded companies in customer experience. As the graphic in the next section vividly illustrates, the results of our study were quite compelling. The Results Eleven years of customer experience rankings were available for our analysis. The graph below shows the cumulative total return across that period for the Leaders and Laggards.

• Customer Experience Leaders outperformed the broader market, generating a total return that was 45 points higher than the S&P 500 Index.
• Customer Experience Laggards trailed far behind, posting a total return that was 76 points lower than that of the broader market.
• Customer Experience Leaders generated a total cumulative return that was nearly three times greater than that of the Customer Experience Laggards.

Commentary This analysis reflects over a decade of performance results, spanning an entire economic cycle, from the pre-recession market peak in 2007 to the post-recession recovery that continues today. While there are obviously many factors that influence a company’s stock price, the results of this study indicate that, over the long term, a great customer experience helps build business value, while a poor customer experience erodes it.  That’s an important takeaway, for public and private entities alike. What creates that enhanced value? Revenue growth. When most people think about the economic benefit from a great customer experience, this is where their heads go.  That’s entirely appropriate, because revenue growth is indeed one clear advantage of customer experience excellence. Why? Happy, loyal customers have better retention, they’re less price-sensitive and they’re more willing to entertain offers for other products and services – all helping to raise revenue. Plus, because they love you so much, they spread positive word-of-mouth and refer new customers to you – lifting revenue even higher. Expense control. This is the part of customer experience economic equation that most businesses fail to appreciate. (It’s also why using revenue growth, alone, to demonstrate customer experience ROI is misguided.) When you have happy, loyal customers, it helps to better control – if not reduce – your expenses. For example, due to all the customer referrals you’re getting, you can spend less on business acquisition – which reduces expenses. In addition, happy customers tend to complain less, putting reduced stress on your operating infrastructure (e.g., lower call volumes), thereby also helping to keep expenses in check. Of course, these economic dynamics cut both ways. Customer Experience Laggards struggle to raise revenue (e.g., poor retention, high price-sensitivity, limited cross-purchasing, negative word-of-mouth), and they’re burdened with higher expenses (e.g., to acquire new customers, and to deal with the existing unhappy ones). This weighs on their long-term profitability and makes them less valuable in the eyes of the market. To learn more about the study’s methodology, and what Customer Experience Leading firms do to achieve their outperformance, view Watermark’s complete Cross-Industry Customer Experience ROI Study. The Insurance Industry Perspective The insurance industry often views itself as being different than other sectors, given, for example, its highly regulated nature and the fact that its products are something of a “grudge purchase” for consumers. Well, we’ve crunched the Customer Experience ROI numbers for the Auto and Home insurance industries – and it turns out the customer experience story is even more compelling in those sectors: Insurance Customer Experience Leaders outperformed the Laggards by over a three-to-one ratio. It’s a striking result that suggests, at least in this regard, the insurance industry isn’t different from most other sectors, and the compelling economics of a customer experience excellence still apply. To learn more about Watermark’s insurance industry analysis, including the implications for insurance providers seeking to improve their own customer experience, view the complete Insurance Customer Experience ROI Study.

If insurers want to mitigate risk, rather than risk their time and money with litigation, if they want to guard against fraudulent claims, if they want to protect good doctors against wrongful claims, then they should invest in sound legal counsel. Insurers should highlight the value of retaining healthcare lawyers with the intelligence to know—and the strength to do—what is necessary to defeat false allegations of fraud or abuse. A doctor’s career can hang in the balance when defending against a professional liability claim. Without sound counsel, our best doctors may not be able to practice medicine. Unless we work to stop fraudulent claims, or make it more difficult for fraudsters to enlist the government to pursue these claims, our healthcare system will continue to suffer. Stopping this injustice starts with healthcare lawyers in search of justice—namely, healthcare lawyers whose expertise doctors need. See also: Proof of Value for Medical Management   According to Fenton Law Group, which specializes in defending healthcare providers against allegations of fraud and abuse, the charges themselves have their own nuances and degrees of sensitivity. Take the firm’s representation of Dr. Alwin Lewis (Lewis v. Medical Board) before the Supreme Court of California, regarding a purported violation of a patient’s privacy rights. Because HIPAA prevents people from delving into personal medical records, an insurer cannot muster much of a defense without access to and knowledge of the very things that would exonerate a doctor from a wrongful claim. Bear in mind, too, that insurance companies often hire panel counsel to defend against claims of fraud. Which is not to say that all insurance companies put savings ahead of saving doctors from fraudulent claims. Given these circumstances, doctors need effective counsel. Insurers should, in turn, at least listen to what healthcare lawyers have to say about what constitutes a smart legal strategy. Perhaps elevating the role of defense counsel will benefit insurers, reducing the number of fraudulent claims by increasing the difficulty of bringing claims against doctors who have done nothing wrong. Perhaps hiring the right healthcare lawyers is the right thing do. Perhaps, indeed; but until then—until the honest unite against the dishonest—we need defense lawyers who can expose fraudulent claims and dismantle claims of fraud against innocent doctors. We cannot afford to do otherwise. Not if we want to preserve our healthcare system and protect our preferred providers of healthcare. We cannot afford to have insurers settle all fraudulent claims, either, because we will pay the price for these payouts in higher premiums and deductibles. See also: 4 Reasons to Join Agency Networks   The price will come at the expense of choice, leaving us with one of two choices: less affordable care or no care at all. We must avoid that false choice. We must have lawyers who champion our rights. We must have lawyers who defend the rights of doctors and healthcare providers. We must have lawyers who expand our rights. To have lawyers at the forefront of this cause is a good thing, an altogether just and necessary thing.

Globalization is affecting just about every business these days. Even if a company operates only in the U.S., its customers, suppliers and traveling employees may very well be in another country. That means the laws, regulations and cultural differences in those areas are likely affecting the organization. This increased globalization of businesses means risk managers must have more of a global focus. Managing risk on a multinational basis was one of our "Issues to Watch" for 2019, as many risk managers are looking for ideas and resources. To help us better understand the issue, we had four distinguished experts join us for our most recent Out Front Ideas with Kimberly and Mark webinar:

• Maggie Biggs, VP of insurance and risk management for VF Corporation
• Kevin Hoskinson, client executive of global risk management for Marsh
• Mary Roth, CEO of the Risk & Insurance Management Society
• David Stills, VP of global risk management for Walmart

Why It Matters Companies with no physical presence outside the U.S. are nevertheless affected by international regulations around issues such as data privacy. For example, the General Data Protection Regulation (GDPR), a law that regulates how companies protect the personal data of citizens in the European Union, caries stiff penalties for noncompliance. Businesses must be aware of the tenets of the law and adhere to them. Issues such as the expansion of the GDPR prompted RIMS to address the idea of globalization several years ago. With members in more than 60 countries, the organization was hearing that the risk management culture present in the U.S. was just not the same in other areas of the world. RIMS identified the Asia Pacific region as the area where it could truly make an impact by bringing in its resources. After surveying its members, the organization set up advisory groups that include people in risk management in the affected markets and is building programs there. Program Structure Setting up a risk management program in another part of the world depends on several factors, such as the country and its laws and regulations and the organization. While centralized and decentralized are the two basic models, many companies instead have a hybrid. A totally centralized model means all decisions are made at the corporate office. These decisions could include factors like the risks to retain in addition to which brokers and other partners to use. The other extreme is all decisions made within each country. Going completely one way or the other may be a mistake. Instead, our panelists said the process should be fluid and allow for changes in leadership. See also: Why Risk Management Is a Leadership Issue   A centralized decision-making model may be more balanced and less expensive. On the other hand, local regulations can complicate things. Communication barriers can also present problems, as one panelist explained. A simple question from a team member in Asia would not reach her desk for 12 hours; then it would go to the broker team and others. It could take a week before there was an answer. Program enhancements to address such hurdles that our panelists have tried include consolidating broker relationships into a single hub and ensuring the broker has local input to help place insurance with capable companies that meet the business’ needs. An important consideration in a program’s structure is premium allocations. Regulators and taxing authorities are finding that premium taxes can be a new revenue source. Regulatory officials are looking at what a company has in terms of exposures and requiring the business to justify that the premium is commensurate with the risk. For example, one panelist noted a situation with a client who sustained a large property loss in France but had not allocated any premiums specifically to that country. While the insurer was happy to pay the claim, it was difficult to determine whether shifting the money paid in the U.S. to a local French subsidiary constituted income or a gift, both of which were taxable. The issue can be complicated and expensive. Businesses should at least have an idea of how they might handle such a situation. Culture Addressing cultural differences is one of the most important things a risk manager can do, our panelists said. It’s critical to understand these differences and learn how to work within various cultures. For example, employees in some Asian countries may feel embarrassed or even ashamed to admit, let alone report, their injuries. Implementing safety strategies and incident reporting processes would need to be done in a way that respects that cultural difference. The typical challenges encountered by any business are that much more complicated because of language barriers, time differences, regulatory disparities and cultural variances. The key to overcoming these hurdles is solid communication and strong relationships with the company’s international partners. It is important to dispel the idea that the world revolves around the U.S. and how we do things here. That perception creates obstacles for businesses trying to work effectively in other countries. The theme of “Think globally, act locally” was endorsed by several of our panelists. It means adapting to local nuances and practices. Risk tolerance levels, for example, may be different in another country. Instead of dictating how things should work, it is better to get local input. There are also different applications of law in other countries. Negligence or leases, for example, may not have the same elements as in the U.S. It behooves a company to discover the local laws and how they are applied. Something as simple as communicating with international partners can be complex. Instead of email, for example, WhatsApp or WeChat may be the more popular mode of messaging. Risk Management Differences Companies need to be aware of risk management differences in countries outside of the U.S. Our speakers outlined several examples:

• Court system differences. There may or may not be a jury system. The class action mechanism may not be available in certain countries, creating a difficult environment for mass claims. The speed of the legal system may be incredibly slow, compared with the U.S.
• Adequacy of damages. Other countries have different perspectives on what is considered adequate. Some jurisdictions lean toward inflated awards that make no sense to us. Or, a company might not need the level of general liability coverage, for example, that it would need in the U.S.
• Deductible levels. In some countries, there is a strong preference to have first-dollar insurance. While that may not seem cost-effective, teams in some countries are responsible for their own profits and losses and can be severely affected by a large hit. In some cases, international policies for general liability will have zero-dollar deductibles, while other lines – such as property/casualty and directors and officers liability – have large deductibles globally.

Risk managers are used to reviewing contracts to ensure their company is protected from risks associated with a business arrangement. However, internationally there is a tendency to deal with those risks on a business basis rather than through insurance. Because of this, there may not be adequate insurance in place to cover risks. As an example, consider a manufacturer and supplier in China that does not buy the product liability coverage limits typically seen in U.S. contracts, but the part it makes is entering the U.S. market. There are situations where there was a large loss on a product in the U.S., and it basically shut down the Chinese company because the insurance coverage was inadequate. Additional Considerations Political risk and supply chain are two issues that can have a significant impact on global risk management programs. U.S./China relations of late have generated the risk of tariffs on Chinese-made products imported into the U.S. Likewise, there can be a backlash on U.S. brands sold elsewhere. A regulatory change could spark political unrest that causes damage or looting to a business. There is also the risk of local governments confiscating properly. See also: How to Improve ‘Model Risk Management’   A political uprising or natural disaster could devastate a company. The panel advised businesses to consider, for example, whether remote operations are warranted, or whether backup stock of products is necessary. Supply chain challenges related to theft can be a major concern for multinational companies, especially products traveling through Mexico and South America. There’s also potential risk to the security of the people moving the products. Monitoring the political climate of other countries, and lobbying where possible, is invaluable. Some companies do an annual deep dive evaluation of the risks in specific countries. While it may not be possible to manage all the risks, understanding what is happening can go a long way to protecting property and people. Available Resources Organizations looking for help to better understand and address global risk management issues can turn to RIMS for help. Since the organization embarked on its globalization efforts several years ago, it has developed a plethora of resources for risk managers. Under the Community section of the RIMS web page, you will find all their global resources. The link is HERE. To listen to the full Out Front Ideas webinar on Globalization of Risk Management, please click HERE.

Enterprise risk management (ERM) is often viewed as a bureaucratic and unnecessary process, subtly or overtly motivated by regulation, accompanied by internal risk leadership kingdom building and suggesting an unclear value proposition. Occasionally, these perceptions are correct, and ERM fails. Yet, there is hope for a successful ERM approach with the right motivations and when designed and implemented with the real business goals and culture of the organization in mind. This is when ERM becomes an invaluable approach to learning about and managing truly destructive risks. A successful ERM approach also creates a clearer lens for seeing and responding to emerging risks, including potential impacts, and helping to prioritize the more valuable solutions. The resulting ERM processes are, however, often fraught with hurdles, preventing many organizations from achieving a level of risk astuteness and maturity beyond ad-hoc decision making. Few risks affect organizations with the diversity, impact and pervasiveness of cyber. As we are now a truly internet-connected and -dependent world, few organizations escape material exposure to this ever-evolving risk and its wide range of impacts; fewer still seem to have effective plans for cyber risk mitigation or an ability to calculate the value “in play” gained, or not, from their cybersecurity strategies. This is not to say many organizations haven’t addressed or aren’t trying to address cyber risk. Beyond regulatory requirements, no effective governance structure today would allow management to ignore or not actively investigate this growingly complex enterprise-wide risk. Even so, why would cybersecurity become a clarion call for ERM? What role does ERM play in helping to solve the cyber dilemma, and to assess this critical cross enterprise risk? We are glad you asked. Every organization should approach risk management in a way that is effective for itself and its key stakeholders, both internal and external. This sounds good but, as mentioned, is hard to accomplish. ERM often means something much less than a comprehensive, multi-step framework and numerous processes addressing a full gamut of ERM components. ERM should at least mean, however, that those elements that most meaningfully contribute to solving the problem (i.e. understanding and controlling the risk) are employed. Certainly, at a minimum, this means identifying and valuing the significance of the exposure, treating it appropriately and then monitoring its status until it is no longer a significant threat. However, is it necessary to first build a risk culture, create a risk appetite, implement a risk tolerance strategy, appoint risk liaisons across the business, establish ERM committees and invest in sophisticated risk modeling? Likely not, unless your key stakeholders suggest or regulation requires otherwise. ERM processes can easily become overly complicated and burdensome, often working to slow or complicate risk identification and mitigating responses and unnecessarily constraining the business. Further, many ERM processes focus repetitively on risks with a potential for the most obvious and severe impacts (larger inherent risks), sacrificing an ability to otherwise tease out emerging risks and those subtle, often related, frequency risk impacts (lower-level risks), which may be slowly (or rapidly) correlating across the business. ERM frameworks primarily focused on a severity approach, unfortunately, result in a blurry ERM lens and may inadvertently expose the organization to emerging and systemic risk blind-spots. A good example of an emerging risk blind-spot is the various risks found today within a category of risks associated with information security (i.e. cyber risks). See also: Why Risk Management Is a Leadership Issue Cyber risks are a notably different type, when compared with the types of risks historically addressed within an enterprise-wide risk management framework. Why? Cyber risk management is analogous to identifying and responding to risk impacts from multiple, simultaneous “smart tornadoes" (e.g., advanced persistent threats). For example, consider these two facts: 1) cyber risk can be high-frequency and low-severity, or high-frequency and high-severity, at the same time; and 2) cyber risk “impacts” vary widely depending on complexity of known and unknown harm administered, success rate of harm administered and internal acceleration of any such harm (dwell time, lateral movement, then organizational detection and response). These variables create an infinite number of impacts and costs, matrixed across a business. This is an unusual risk behavior, to say the least, and today’s dynamic cyber risk ecosystem creates a delicate challenge for many in the information security profession. When a person proclaims (or attests, or suggests) “don’t worry, we have cyber risk covered” (e.g., managed or otherwise solved for), then she is suggesting an ability to see the future. In other words, she is implying that she generally knows how those smart cyber tornadoes are going to behave outside, inside and throughout the business, every day. Admittedly, for most, it is difficult to acknowledge what we do not know and, especially, the vulnerability we may have in facing a first-of-its kind risk management challenge – with various risks we are unlikely to completely mitigate. However, as more and more businesses engage cloud service providers and increase use cases for Internet of Things (IoT) endpoints, organizational key stakeholders, such as boards of directors, regulators and rating agencies, are becoming increasingly concerned about how organizations are identifying gaps in cybersecurity efforts. There is movement by these stakeholders to test and confirm that risk management processes are in effect and that the enterprise is identifying and responding to risks associated with those smart cyber tornadoes. It is important to understand that even if an organization believes it “has cyber risk covered” by virtue of its current information security (‘InfoSec’) approach, there is still, for many, a critical regulatory requirement to assess the cybersecurity risk itself. Failure to adequately identify, test, monitor, trend and report on enterprise-wide cyber risks creates significant financial, regulatory, reputational and operational exposure for the organization. Static reports that capture log data but are not otherwise normalized or matched to enterprise risk profiles and controls are arguably not offering complete or robust information to the enterprise, for either historical or prospective time periods. And, when we say a risk is managed, it is important to note we are applying a risk management term of art – regulators often have definitions and tests to demonstrate assurance. Managing a risk means identifying, tracking, scoring and valuing, normalizing and trending risk performance, including the net impacts. These steps are performed in accordance with compliance standards and aligned with risk tolerance. Management also includes evaluating how the risk profile (e.g., an enterprise grouping of all defined cyber risks) is changing over time (and we know it is changing) and what key risk impacts the organization is facing from the portfolio of (cyber) risks. This is where the ERM framework and ERM processes can help. The existence of an ERM framework does not provide a carte blanche solution for cyber risk management or mitigation of undesirable cyber risk outcomes. Instead, consider ERM a distinct, enterprise-wide enabler for addressing cyber risk management. In many cases, in-force ERM processes and protocols provide the “plumbing” that InfoSec leaders can immediately access and rely on to deploy quick(er) cyber risk identification, monitor the effects of specific risk mitigation strategies and capture and analyze overall enterprise-wide cybersecurity results. The interplay between ERM and InfoSec serves a critical function for the business. It helps to optimize risk management resources to ensure the InfoSec team is able to focus on the cybersecurity battle at hand. Hacker-driven intrusions and internal actors, along with many other threat vectors and attack surfaces, keep the InfoSec community scrambling for the best depth of defense and tactical offenses required to maintain uptime productivity, lower dwell times, accelerate responses and ensure overall data governance. Meanwhile, together with ERM, InfoSec faces global regulation of personal data actively shifting underfoot, resulting in increasing complexities and wider adoption of cybersecurity regulatory standards. These newly enacted regulatory standards are providing regulators with an ability to dig deep and assess enterprise-wide cybersecurity risk management. For instance, the National Association of Insurance Commissioners recently said: "State insurance regulators have undertaken a number of steps to enhance data security expectations to ensure these entities are adequately protecting this information. As part of these efforts, the NAIC developed Principles for Effective Cybersecurity that set forth the framework through which insurance regulators will evaluate efforts by insurers, producers, and other regulated entities to protect consumer information entrusted…(sic)" Additionally, the New York Department of Financial Services recently said: "Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers." It important to note both regulatory agencies are concerned with evaluating enterprise-wide cybersecurity risk – which, in turn, leads us back to the enterprise-wide risk management “plumbing” and risk governance processes and how the ERM-InfoSec interplay can be helpful in achieving organizational risk management objectives. As an example, we can consider how to use the NIST-CSF (National Institutes of Standard and Technology - Cybersecurity Framework) as a starting point for an enterprise-wide cyber risk identification exercise. The NIST framework offers a diagnostic approach for assessing an organization’s technical cyber risk profile (the current state) versus desired risk tolerance and outcomes (the target state). Separately, using a similar approach, ERM can be assessed through commonly adopted risk maturity evaluative frameworks. One such framework is the RIMS Risk Management Maturity model (RIMS-RMM). This model shares several diagnostic themes with the NIST CSF, including evaluations of risk identification, risk culture, risk resiliency and risk governance. (National Association of Insurance Commissioners, 2014) See also: How Insurtech Boosts Cyber Risk   The common themes between several functional topics within the two frameworks create an opportunity to explore the corollaries between the two frameworks. Scores can be mapped and linked, effectively creating an integrated overall score, by applying relativity factors that capture the directional relationships between the two frameworks. For instance, how might low technical cyber risk scores, such as weak DLP oversight, inform and potentially change the ERM score addressing risk (data) governance? When properly integrated, the NIST CSF and RIMS RMM provide a synchronized view on data governance, privacy and enterprise-wide cybersecurity performance. An integrated analysis, such as a combined NIST CSF plus RIMS RMM approach, helps an organization accelerate their ERM and InfoSec risk management performance and increases risk awareness. In turn, increasing risk awareness leads to becoming more risk astute. When an organization is more risk astute, it is maturing in its risk management thinking, as evidenced by positive return on risk investments and system-wide risk mitigation solutions prioritized and finely attuned to best support organizational growth and profitability. Most importantly, they are increasing their cyber resiliency while deploying strategic cyber risk management. The company that successfully integrates a robust cyber risk management approach and its ERM framework is at a distinct competitive advantage. Not only is such an organization effectively managing its resources and expenses; it is linking cyber security to its business goals, enterprise risk profile and strategic vision.

Who's ready to sign up for "a suite of legacy planning solutions for high-net-worth individuals that offers wealth accumulation, asset diversification, wealth distribution, business continuity and exclusive access to 'proprietary investment advisory service'?"

If you're like me, your eyes glazed over during that long list of similar-sounding services that followed "individuals." Why not just end the description there and come back later to whatever is relevant? [The company is real, but I see no need to name it and embarrass it.]

Maybe you're excited about "a radical new solution: a modular, trainable, award-winning, ready-to-use Artificial Intelligence construction kit."

Or, like me, maybe you're wondering what that construction kit constructs. And why do we need so many modifiers?

Perhaps you thrill to hear about a startup that will "identify, develop and adopt emerging technologies...that are fast, reliable and right for our customers."

But maybe you'd be happier if the writer left the thesaurus in the desk drawer and chose a single word each time, rather than three. Something like: "We work with emerging technologies to help our customers operate faster." By the way, what's with specifying that you're going to do something right for your customers? Might you ever admit to doing something wrong for them?

As you might imagine, we took company descriptions seriously during my days at Wall Street Journal, where I developed my curmudgeonly feelings long ago. Let me suggest some traps to avoid, based on my experiences there.

We needed to describe every company immediately after naming it, but article ledes rarely exceeded 25 words, so you couldn't have a long description if you hoped to communicate anything other than the company name and description in the first sentence. Besides, long descriptions are unreadable, and you try to engage people with the lede, not scare them away. (A friend once got punchy late in the day and filed a short item that began, "Playboy Enterprises Inc., the purveyor of fun and frolic...." Fortunately, I read even the short items as they passed through me on the national desk, and I fixed the description, or my 17-year career at the WSJ might have been a two-year career.)

My thinking on company descriptions evolved when I became the No. 2 person in the Chicago bureau in the early 1980s. We covered a host of food companies, and it didn't help readers much to just describe Esmark as a "food conglomerate," especially when that was the same identifier used with Consolidated Foods (such a helpful name). I began to have reporters list a few of the products from each company—e.g., Sara Lee desserts for Consolidated Foods—to help readers get a feel for it.

In the end, I evolved a two- or three-step process that could help all of us understand startups faster and stop scratching our heads after reading a news item: 

• Have a super-short description—maybe two to seven words—that you use in first reference.
• Develop a clause that you can use at the start the second paragraph. So, the lede would be begin, "Esmark, a food conglomerate, said...." The second paragraph would start, "Esmark, which makes x, y and z...." This clause, while longer, still has to be simple. You'll lose people if you have a bunch of ideas embedded in it, nested inside each other with commas, or use it to provide a list of complicated ideas, as in my example on legacy-planning solutions.
• Go ahead and produce a full paragraph on what you do and put it at the bottom. (At least at the WSJ, we had readers trained to skip there once they had ingested all the news they wanted and needed a bit of background.) But skip the jargon. Use short sentences. And give us a for-instance: "Our company/product lets customer X do something (very specific) that he/she/it couldn't do before, producing Y benefit."

While you're thinking about descriptions, I'll ask you to indulge me in four smaller ways:

• Cut way back on the word "new." You can't create an old product or technology, so why do you keep telling us you've created a new one? "New" only makes sense if you could put "old" into the sentence and have it still read right.
• Cut way, way back on "proactive." Verbs are actions, so you don't need to tell us that you're "actively" working with clients or whatever. Yet "active" turned out not to sound strong enough to corporate writers, and they tacked "pro-" on the front, even though the prefix's meaning overlaps so much with "active." Business writers wanted us to know that they are actively, actively taking action. Please don't. "Proactive" only makes sense if you're drawing a sharp contrast to something reactive.
• Don't ever describe something as a "value-add." If it isn't adding value, why are you doing it? If there's actual value, then why not take four or five words and specify what that is?
• Stop with the word globs. For reasons that have never made sense to me, business writers often take a bunch of ideas and smash them together as modifiers for a noun, forcing readers to untangle the word globs to understand who is doing what to whom when and why. Just a couple of prepositions here and there and the occasional verb would let the ideas flow in their natural sequence and be much easier to read. A simple example: A startup described the "business insurance application process." Isn't it easier to grasp "the process of applying for business insurance"? It is for me.

There, I feel much better now after the venting. I hope you do, too. If you know someone who could benefit from this advice on writing (and there are a lot of them out there), please pass this commentary along. Thanks.

Paul Carroll
Editor-in-Chief 

New technologies mean disability income protection (IP) claims managers can enhance and expand the support and services they offer. Digital solutions can also be used to improve the claims experience. TrackActive is a company that has developed an artificial intelligence-driven engagement platform that provides early, cost-effective and scalable interventions for rehabilitation and prevention of musculoskeletal conditions and other chronic disease. To find out more, I spoke with TrackActive co-founder and CEO Michael Levens. RC: What drew you to the disability insurance business? ML: We launched a product called TrackActive Pro. It links up patients with musculoskeletal conditions to clinics and physiotherapists. People using our service to support insurance claims suggested we go direct to insurers. They said it would reduce the friction they felt in making and processing their claims – the form filling and episodic, continuing interactions with the insurer. So, we developed a fully digital sister product called TrackActive Me. RC: Have you encountered any challenges so far? ML: Disability carriers don’t own the physiotherapist or the health professional; they just buy services from them. So how we get our product into the insurance value chain is very important. Insurers already have excellent claims management processes. However, these rely heavily on paper, which means we have to show that our digital offering can add value or even improve upon them. RC: What are the benefits of TrackActive Me to the IP insurer and for the claimant? ML: Engaging health professionals comes with a cost, and it’s continuing each time a claimant sits with one to process a claim. The quality and impact of the digitized version of our service compares very favorably; it’s as effective as going to see a health professional, and the prescribed exercises can be accessed on demand. The idea of a physiotherapist in your pocket that allows for remote monitoring is a stepping stone toward self-management. If things are working less than optimally, the user can easily opt in to seeing a health professional in person, via TrackActive Pro. Blending service and product like this is important. See also: Putting Digital Health to Work   RC: Must insurers think and act differently to use a digital tool? ML: Yes, it can be difficult for insurers to visualize a digital version of an analogue process. For a start, TrackActive Me is very self-managed. While we have taken down an implementation barrier by making it simple for claimants to get and to use, we have removed some control of the process, too. Insurers can give the tool to their claimants, or a health professional can bring them on board after they have gone through their primary treatment. RC: What is your message to IP insurers who are thinking about digital alternatives? ML: It’s easy, really. We want to engage with companies willing to see that new digital process are not only capable but will enhance their offering. Companies that want to join the dots between the digital and the analogue. Those that have an open mind to technology and want to look at ways the current model can be enhanced. The ideal working approach is collaboration to help the technologies of startups mature in ways that fit best with the needs of IP insurers, before plugging them into existing systems by using open application programming interfaces. Technology will reduce the amount of manual work involved in assessing an IP claim. There are long-term benefits for insurers, as well, in the rich customer data that will be generated. Analysis of the data will provide predictive intelligence to help deliver better value and service to new claimants. It will help to anticipate claims and give focus to providing effective interventions. Ultimately, IP claims solutions delivered using AI or other digital means will save process costs that can then be passed on to customers in the form of reduced premiums. Meanwhile, a more frictionless and transparent solution to managing customers’ recovery in claim stages will significantly add to customers’ satisfaction.

Can you imagine a world where the open ecosystem dream is a reality? A world where our collective insurance platforms talk to each other? A world where the industry moves faster and better by working together? Oasis and Simplitium, along with a host of others, including SpatialKey, are on this path. While the dream feels idealistic, it is possible. Making data more portable between platforms—interoperability—is not something novel. It’s just fundamental and increasingly vital for long-term survival whether you’re a re/insurer, broker, MGA or solutions provider. We all have a stake in this conversation, and a responsibility to move our industry forward. Industry demand for an open ecosystem is overwhelming. We increasingly depend on ecosystems, and we need greater interoperability to overcome inefficiencies and redundancies. Matthew Jones of Simplitium provides three key stepping stones we must embrace for greater interoperability:

1. Avoid a monolithic "one system does all" approach
2. Minimize the number of catastrophe risk modeling platforms, while maximizing choice in models across multiple vendors
3. Design systems so that the possibility of change is embedded

Leading organizations are already heading down this path. Lloyd’s recently announced that after losing £1 billion in 2018 it's looking to drive efficiencies, and one way is through “an ecosystem of products and services that all market participants have access to.” One size does not fit all—and a monolithic approach has proven unsuccessful time after time. Rapid innovation in risk management requires systems that are flexible, scalable, designed for change—and built in close collaboration with those who serve the industry. See also: The Insurance Lead Ecosystem   Interoperability drives efficiency Across our industry, we need to find ways to drive efficiency gains by making data more portable between core systems. If premium is scarce, then finding ways to eliminate waste in the system is not just how you save money, but rather how you make it. Consider this: How much time do analysts spend keying information into different systems of record? Or, underwriters for that matter. Now, think about how much that costs your business. According to McKinsey, underwriters spend 30% to 40% of their time on administrative tasks like rekeying data or manually executing analyses. It’s inefficient and redundant and increases the risk of error, yet it’s a standard in our industry across every insurance workflow. This creates a massive amount of waste. Now, imagine if analysts could pass exposure data seamlessly from system to system —with just the push of a button. We work with clients to perform these types of integrations all the time at SpatialKey. Core systems must talk to each other so that insurers can reap efficiency gains while leveraging the best that each chosen provider has to offer. Modern technologies and well-designed solution architectures allow us to integrate disparate value-driving systems easily—and the only thing in our way is us! The market is advocating cooperation for the greater good. There will be more commercial opportunity and innovation generated through “coopetition” than by trying to knock each other out of the market. Solutions providers must find ways to differentiate that aren’t in opposition to the industry they serve. Interoperability is “perfectly possible” You may think it’s not possible—that the type of interoperability I’m advocating for requires too much change. To quote Dickie Whitaker of Oasis: “Don’t think it’s impossible, because it is perfectly possible.” He goes on to say at a climate change conference last year: “What’s important in solving these big problems is not to be beholden to our existing culture. Our existing view. Our existing experience. We’ve got to look to others that may be able to reframe the problem in a way that actually gives us insight into solving [it].” So, if you’re not leveraging or supporting creative partnerships and ecosystems, perhaps it’s time to consider that they present a “perfectly possible” path to interoperability. See also: Building Ecosystems Requires Guts   Let’s make the open ecosystem dream a reality We’re in an era where your solutions are only as powerful as your connections. Interoperability is the name of the new game. We must make systems do a better job of talking to each other. Doing so is a step change for the industry. And, while an open ecosystem may appear to be a dream, it’s already well on its way to reality. Like we’re seeing with Lloyd’s and elsewhere, purposeful change happens when the status quo is no longer sustainable. It’s time to reach out to your partners and tell them what you need to be successful. Discuss your requirements for interoperability. Drive change that inspires innovation. Edward de Bono, an authority on creative and “lateral” thinking, said, “The system will always be defended by those countless people who have enough intellect to defend but not quite enough to innovate.” Will you defend the status quo or innovate the future? The choice is yours.