
How to Link Risk and Strategy

This article, the fifth and last in a series, describes how to build a risk appetite statement and understand the links between risk and strategy.

Risk Appetite
This is Paper 5 of a series of five on the topic of risk appetite and associated questions. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards comprehend the links between risk and strategy. This is achieved either through painful and expensive crises or through the less expensive development of a risk appetite framework (RAF). Understanding of risk appetite is, in our view, very much a work in progress for many organizations, but RAF development and approval can lead boards to demand action from executives.

Paper 1 is the shortest paper and makes a number of general observations based on experience working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes their relationship to strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and risk maturity. This paper, Paper 5, describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.

What are the characteristics of an effective risk appetite statement?

The purpose of a risk appetite statement (RAS) is to provide clear guidance to people, at all levels, of the ranges of risk within which they are required to operate in pursuit of objectives. A RAS exists within a risk appetite framework (RAF). The RAF is the "overall approach including the policies, controls and systems, through which risk appetite is established, communicated and monitored."[1] As a particular RAS is devolved down through an organization, its content will change based on the intended recipients. For example, a RAS at:
  • Group executive level will be high level and inclined toward expressing appetite for risks to objectives that deliver value and increase performance. The RAS will describe objectives, risks, expected returns and control(s) requirements,
  • Middle management level will articulate levels of tolerance that, if breached, will require escalation and "circuit breaking" reports, with priority given to immediate interdictions and a review of internal controls,
  • Business unit level will be more detailed and inclined toward expressing risk limits and internal controls.
A RAS that is not explicit and clearly communicated has limited value. For this reason, a RAS exists within a compendium of (risk appetite) statements that take their root at the intersection between a particular group-level objective and its associated subsidiary objective(s). The RAF, like the strategic plan, is explicitly approved by the board.

Properly crafted and implemented, the RAF has powerful utility to directors in that the RAS approval process requires a series of linear RAF discussions. Wisely conducted, these discussions can result in a peeling back of the many layers of complexity associated with operational drivers and the business model. Independent, non-executive directors (INEDs), in particular, can find this immensely useful, as most INEDs will typically only possess a relatively superficial understanding of the principal operational exigencies that drive performance. The RAF discussions will include discussions on:
  1. Explicitly stated objectives[2] and where they reside on the risk appetite continuum,
  2. The associated subsidiary objectives[3] and where they reside on the risk appetite continuum,
  3. First RAS drafts at group and subsidiary levels,
  4. RAS approvals, once operational and business model implications are fully understood and satisfied.
RAF template headings: RMI offers frequently used headings that we use in helping organizations develop their RAFs.
  1. Mission/purpose/mandate:
    a. Large, privately held companies will have clearly established and communicated mission statements, etc.,
    b. For a large number of regulated entities in Ireland, this will reflect the goal set by the parent for the subsidiary,
    c. For public companies, this will be reflected in the legislation establishing the entity,
  2. Strategic initiatives:
    a. Very many organizations will not have a board-approved, 10-15 year strategic plan. Rather, they will have business plans within which various strategic initiatives are either implied or explicitly stated,
    b. The development of a strategic plan is outside of the scope of a RAF, but each document informs the other,
  3. Board (risk committee) statement of risk assurance requirements: This is a prescriptive statement addressing a wide range of requirements and would include the following, among others:
    a. Objectives that are clearly articulated, aligned with strategy and performing to expectations,
    b. Risks to objectives that are identified, assessed and evaluated against approved risk criteria,
    c. Risk treatment plans that are executed efficiently and effectively, increasing the likelihood of achieving objectives,
  4. Objectives: As discussed above,
  5. Risk appetite continuum: a five-level continuum against which company (group and subsidiary) objectives are mapped relative to appetites for risk (from very high to very low),
  6. Risk appetite statements:
    a. Overall group RAS,
    b. Objectives-level RASs,
    c. Risk treatment-level RASs[4],
  7. Risk criteria tables (risk tolerances and limits):
    a. Five levels (substantial, down to negligible impacts),
    b. Measurable risk limits[5],
    c. Measurable risk tolerances.

How can organizations ensure that RAFs are both actionable and measurable?

The RAF is to the board of directors what risk management is to the rest of the organization. As such, there is a direct correlation between the efficacy of the RAF and the efficacy of the risk management framework. Ensuring that RAFs are both actionable and measurable requires an understanding of how boards work in this particular context. When RMI converses with board members and the executive, we share what we call the RMI "Tell me, Show me, Prove it to me" questions. The questions vary from company to company, but the broad results, in terms of the informal scoring we subsequently apply, do not vary greatly. For example:
  • Tell me: (Score: 3/10)
    • How you relate your strategic plan to critical objectives and their associated key performance indicators (KPIs),
    • About your board audit/risk charter,
    • Risk management framework.
We are told about external attestation (sometimes exemplary), policies, board committees and rich processes.
  • Show me: (Score: 5/10)
    • Your strategic plan/objectives statements,
    • Your risk register and how it links to objectives, KPIs and threats/risks to the enterprise,
    • Your risk appetite statements,
    • Your risk treatment plans,
    • Your top five contingency plans.
We find that many of these documents do not exist, and that the Excel spreadsheets, Word documents and PowerPoints that do exist (invariably with differing formats for different parts of the organization) make no consistent reference to objectives, other than obliquely. In addition, we find that original risk reports are edited on multiple occasions as they travel from the original risk owners to the executive and the board.
  • Prove to me that: (Score: 2/10)
    • Your risk register is not just a list of risks,
    • Top 10 risks are the real top 10,
    • Risk owners actually provide input to the flow of information and ultimately to the risk register,
    • Known issues and risks on the ground can be escalated to decision makers, without jeopardy to the originators of information,
    • Dynamic risks can be aggregated in real time and with confidence because of your data governance practices,
    • Your crisis management team (CMT)[6] is developed and capable.
We find that risk data governance is so poor that answers to these questions can only be determined after manual searches over a number of days. This is compounded when, invariably, we also find that managers have not been adequately trained in the use of common language, risk management processes or board risk-assurance requirements. Furthermore, we find that "risk culture" is such that people are disinclined to speak up with regard to matters giving them cause for concern, lest they jeopardize relationships with colleagues and their next reports. We therefore recommend that fundamental questions for the CEO and INEDs should include:
  1. What demonstrable evidence do you have that your top five group risks are the right top five?
  2. Can you monitor threats and risks to objectives in real time, and what kind of dynamic tests can you run on your red flags?
  3. What proofs do you have that management is capable of switching from business as usual, to delivery of credible solutions to stakeholders under abnormal/adverse conditions?
  4. Where are you in terms of risk maturity, and how do you know?
RMI also recommends the following framework, which summarizes how to "Operationalize the links between Risk and Strategy," ensuring that RAFs are measurable and actionable. The framework is summarized as follows:
  1. Reporting to the CEO: Strategy/Risk Program Office reporting to the CEO and Board Audit/Risk Committee, with:
    • Focus 1: Defend operations, reputation, business model,
    • Focus 2: Exploit opportunities faster than less adaptive competitors.
  2. Board Audit/Risk Committee: Executing responsibilities with regard to risk in the manner described earlier in this paper and in particular as described in the RMI answer to the FAQ: "What are the characteristics of an effective risk appetite statement?"
  3. Data Governance: Putting System to Process: Understanding the significance of integrating:
    • Executive and management (risk) training;
    • Inclusion of risk management KPIs in annual appraisals, and
    • Deployment of a database solution designed and specified to the ISO 31000 series.
  (Note: Lessons learned from the global financial crisis include that database solutions, by themselves, are not the solution. The adage, "poor information input, misinformation output," is appropriate and reminds us that tools and techniques in the wrong hands can precipitate disaster.)
  4. Library of Responses to Top 5-10 Threat/Opportunity Rehearsals: Seminal works that have been undertaken include:
  • 1996: The Impact of Catastrophes on Shareholder Value: Rory F. Knight & Deborah J. Pretty, The Oxford Executive Research Briefings, Templeton College, University of Oxford, Oxford OX1 5NY, England[7].
What contributed to catastrophic failure?
  • Poor crisis management,
  • Failure to recognize the significance of the event early enough in the crisis,
  • Poor stakeholder communications, including with news and social media,
  • Lack of awareness of the potential for reputational damage,
  • Failure to appreciate the importance of transparency early enough,
  • Failure to learn from prior experience (even with the same company).
Resilient Companies:
  • Have exceptional risk radar,
  • Build effective internal and external networks,
  • Review and adapt based on excellent communications,
  • Have the ability to respond rapidly and flexibly,
  • Have diversified resources.
These separate and unrelated studies similarly conclude that management’s capability to defend operations, the business model and reputation is mission-critical to sustainable performance in the 21st century.

In conclusion, it is our view that operationalizing the links between risk and strategy in the manner outlined above will, with positive CEO and board endorsement, fulfill the role of the board as concluded by the Financial Reporting Council (FRC) report: Boards and Risk: A Summary of Discussions with Companies, Investors and Advisors, September 2011.

References
[1] http://www.financialstabilityboard.org/publications/r_131118.htm.
[2] Strategic plans and business plans without explicitly stated objectives have no meaning.
[3] Theoretically, objectives are devolved from group to subsidiary boards. In reality, what happens is that group and subsidiary executives and directors (the latter through respective risk committees) engage in operational discussions directed at ensuring understanding, thus increasing likelihood of success.
[4] Properly constructed risk treatments are the leading indicators of the future state of health of objectives. As such, risk treatments are at the cutting edge of the management of risks to objectives.
[5] Dr. Peter Drucker: "If it can’t be measured, it can’t be managed." As with determination of leading indicators in balanced score cards, these can often be difficult to establish.
[6] CMTs are activated when issues and events that threaten to overpower operations, the business model or reputation arise.

Peadar Duffy

Peadar Duffy is founder and chairman of Risk Management International (RMI), a firm that has been advising clients in relation to risk in Ireland and internationally for more than 20 years. He is a member of the International Organisation for Standardization (ISO) TC 262 Working Group 2, which is currently undertaking a review of the global standard for risk management (ISO 31000).

Healthcare Breaches: How to Respond

Recent healthcare breaches are a reminder that employers and insurers are legally required to take immediate, specific steps to tighten policies.

The news of a data breach at Premera Blue Cross, following on the heels of the recent announcements of large-scale healthcare breaches at Anthem, is another reminder that employers and other health plan sponsors, fiduciaries and insurers need to take immediate steps to assess and tighten up their privacy, data security and data breach compliance and risk management. Health plans and their employers, administrators, insurers and other vendors and service providers need to take immediate steps to conduct documented investigations, provide mandated breach notifications and take other actions that are required by the Privacy, Security & Breach Notification Rules imposed by the Health Insurance Portability & Accountability Act (HIPAA) and other potentially applicable laws. Employers or other plan sponsors, fiduciaries, administrators and service providers also may be subject to additional responsibilities under the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code and a host of other laws. Whether they are subject to the additional responsibilities depends on the scope of data affected and their involvement with the affected plans. Insurance industry or other vendors providing services to these plans also may face specific responsibilities under applicable insurance, health care, federal or state identity theft, privacy or data security or other federal or state laws. (See, e.g., Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond; HIPAA Compliance & Breach Data Shares Helpful Lessons for Health Plans, Providers and Business Associates.) The need for prompt assessment and action is not necessarily limited to health plans and organizations sponsoring, administering or doing business with the plans involved in the Premera or Anthem breaches.
The reports of these and other healthcare breaches, as well as recent reports of identity theft and other fraud affecting federal tax returns and other large data breaches involving retailers and other prominent businesses, are spurring recognition of the large risks, and of the need for greater scrutiny and accountability in business collection, use and protection of sensitive personal and other data. Of course, the risk is exploding largely in response to the continued evolution of electronic payment and other business operating systems, coupled with the emergence of data harvesting and other capabilities at virtually every U.S. business. Cyber criminals seem to always be one step ahead of business and government in leveraging these emerging opportunities for their criminal purposes. Everyone from the Internal Revenue Service to other federal and state government agencies and private business partners is pushing for electronic transactions and data. So, businesses are conducting more and more transactions electronically, involving business and individual tax information, personal financial information, personal health information and confidential business and personal information. Meanwhile, "big data" and other business and marketing gurus also encourage businesses to use data from customers, prospects and other sources to benefit marketing and other parts of the business. As these practices have taken hold over the past decade, data breaches, other cyber crimes and risks have also grown. Privacy, identity theft and other cyber crimes have led federal and state lawmakers to enact an ever-growing list of notice, consent, disclosure, security and other laws and regulations, including the Fair and Accurate Credit Transaction Act (FACTA), the Gramm-Leach-Bliley Act, the Privacy and Security Rules of the Health Insurance Portability and Accountability Act and state identity theft, data security, data breach and other electronic privacy and security laws.
As notorious breaches occur and judgments, penalties and other costs soar, federal and state regulators are looking at the need for expanded rules and penalties. (See Cybercrime Enforcement Statistics; DOJ Enforcement Priorities and Statistics.) Widening data privacy and security concerns from incidents like the recent reports of breaches at Anthem and elsewhere have prompted Congress and state regulators to hold hearings to consider the need for added reforms, and the Federal Trade Commission has just announced plans to host a workshop on Nov. 16, 2015, to look at the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes. While these and other legal and enforcement developments promise new liabilities and expenses, the business losses and customer and business partner implications experienced by Target, Anthem and other businesses illustrate the severe business consequences that inevitably result if a business appears to have failed to take customer privacy or other data security concerns seriously. The notorious Target hacking data breach event is illustrative. Target reported in late 2013 that credit and debit card thieves stole the name, address, email address and phone number from the credit and debit card records of around 70 million Target shoppers between Nov. 27 and Dec. 15, 2013. After announcing the breach, Target reported a 46% drop in profits in the fourth quarter of 2013, compared with the year before. The company announced plans to invest $100 million upgrading its payment terminals to support Chip-and-PIN-enabled cards and millions of dollars more in rectification efforts. Subsequently, Target’s losses have continued to mount, and it now faces lawsuits and other enforcement actions as a result of the breach. 
Beyond a general need to tighten their defenses, health plans, their sponsors, fiduciaries, administrators and vendors have specific obligations that require immediate, well-documented action when an actual or potential breach happens. The Privacy, Security and Breach Notification requirements of HIPAA require that health plans adopt specific policies and maintain and administer specific safeguards. In the event of a breach, these rules require that the health plan, usually acting through its fiduciaries, and affected service providers that qualify as business associates both investigate and redress the breach, as well as provide specific notification as soon as possible, usually no later than 30 days after the health plan knows or has reason to know of the breach. Significant civil and even criminal penalties can apply. Beyond the specific requirements of HIPAA, employers and other plan sponsors and others involved in the maintenance and administration of the health plan or the selection and oversight of its vendors often may have less-realized responsibilities. As health plan data often includes payroll and other tax data, employers may have specific responsibilities under the Internal Revenue Code or other laws. To the extent that the plan sponsor or another party is named as the plan administrator or otherwise exercises control over the selection of the insurer or other plan vendor or other plan operations, the fiduciary obligations of ERISA also may require a prudent investigation and other action. Brokers, insurers, third party administrators, preferred provider organizations or other managed care providers and others doing business with the health plan also may have specific responsibilities under state insurance, health care, data breach and identity theft or other laws.
Under the provisions of most of these laws, leaving it to the insurer or other vendor involved in the breach generally will not suffice to fulfill applicable legal responsibilities, much less allay the fears of plan members, employees, healthcare providers and others involved with the health plan. In the face of these developments, health plans and their sponsors, fiduciaries and others working with them must take immediate action in response to breaches. Businesses also should check the adequacy and defensibility of their current overall data collection, use and security practices while remaining ever-vigilant for new requirements, as well as weaknesses in their own practices. Businesses need to build their defenses in anticipation of breaches both to withstand government and private litigation and enforcement, and the judgment of public opinion.

Cynthia Marcotte Stamer

Cynthia Marcotte Stamer is board-certified in labor and employment law by the Texas Board of Legal Specialization, recognized as a top healthcare, labor and employment and ERISA/employee benefits lawyer for her decades of experience.

Pointers on Managing GRC Issues

A Forrester report is wrong to talk about a governance, risk management and compliance (GRC) technology market; there is no such thing.

MetricStream has shared with us a November 2014 report from the analyst firm Forrester: Predictions 2015: The Governance, Risk and Compliance Market Is Ready For Disruption. (Registration required.) I have had serious issues in the past with Forrester, its portrayal of governance, risk management and compliance (GRC), its assessment of vendors’ solutions and its advice to organizations considering purchasing software to address their business problems. However, Forrester does talk to a lot of organizations, both those that buy software and those that sell it. So, it is worth our time to read their reports and consider what they have to say. I’m going to work my way through the report, with excerpts and comments as appropriate.

“…the governance, risk, and compliance (GRC) technology market is ripe for disruption.”

I have a problem with the whole notion of a GRC market. For a start, the “G” is silent! The analysts seem to forget that there are processes, each of which can be enabled by technology, to support governance of the organization by the board and others. For example, there is a need to enable the secure, efficient and useful sharing of information with the board – for scheduled meetings and throughout the year. In addition, there are needs to support whistleblower processes, legal case management, investigations, the setting and cascading of business objectives and goals, the monitoring of performance and so many more. In addition, organizations should not be looking for a GRC solution. They should instead be looking for solutions to meet their more critical business needs. Many organizations are purchasing a bundle of GRC capabilities but only use some of what they have bought – and what they do use may not be the best in the market to address that need. Finally, I have written before about the need to manage risk to strategies and objectives. Yet, most of these so-called GRC solutions don’t support strategy setting and management. There is no integration of risk and strategy. Executives cannot see, as they review progress against their strategies and objectives, both performance progress and the level of related risks.

“A corporate risk event will lead to losses topping $20 billion.”

What is a “risk event”? This is strange language. Why can’t Forrester just talk about an “event” or, better still, a “situation”? I agree that the management of organizations continues to make mistakes – as it has ever since Adam and Eve ate the apple. Some mistakes result in compliance failures, penalties, reputation damage and huge losses. I also agree that the size of those losses continues to rise. But what about mistakes in assessing the market and customers’ changing needs, bringing new products and services to market or price-setting (consider how TurboTax alienated and lost customers)? I have seen several companies fall from leaders in their market to being sold for spare parts (Solectron and then Maxtor). Management should consider all potential effects of uncertainty on the achievement of objectives.

“Embed risk best practices across the business…. Risk management helps enhance strategic decision-making at all organizational levels, and, when company success or failure is on the line, formal risk processes are essential.”

The focus on decision-making across the enterprise is absolutely correct. Risk management should not be a separate activity from running the business. Every decision-maker needs to consider risk as she makes a decision, so she can take the right amount of the right risk.

“Read and understand your country’s corporate sentencing guidelines.”

This is another excellent point! Unfortunately, the authors didn’t follow through and point out that the U.S. Federal Sentencing Guidelines require that organizations take a risk-based approach to ensuring compliance; those that do will have reduced penalties should there be a compliance failure.

“Build and maintain a culture of compliance.”

Stating the obvious. It is easy to say, not so easy to accomplish.

“Review risks in your current register and add ‘customer impact’ to the relevant ones.”

All the potential consequences of a risk should be included when analyzing it. Rather than "customer," I would include the issues that derive from upsetting the customer, such as lost sales and market share. Further, it’s not a matter of reviewing risks in your risk register. It’s about including all potential consequences every time you make a decision, as well as when you conduct a periodic review of risks. Risk management should be an integral part of how decisions are made and the organization is run – not just when the risk register is reviewed.

Forrester makes some comments and predictions concerning GRC vendors. I don’t know whether they are right or wrong. However, I say again that organizations should not focus on which is the best GRC platform. They should instead look for the best solution to their business needs, whatever it is called. I do agree with Forrester that there are some excellent tools that can be used for risk monitoring. They should be integrated with the risk management solution, with ways to alert appropriate management when risk levels change.

What do you think of the report, the excerpts and my comments? Should we continue to talk about GRC platforms? Is it time to evaluate risk management solutions? How about integrated strategy, performance and risk solutions?

[By way of complete disclosure, I have a relationship with a number of vendors of “GRC” solutions, including MetricStream and Resolver. I no longer have a relationship with SAP.]

Norman Marks

Norman Marks has spent more than a decade as a chief audit executive (CAE) for major companies, with as much as $28 billion in annual revenue. He has implemented risk management, ethics programs and disclosure processes at multiple organizations.

2015 Is Watershed for Healthcare Hacking

Criminals are moving up the hacking food chain: Why use financial data to spend someone's money for a time when you can be him for life?

Predictions that 2015 would be a watershed year for stolen healthcare records are bearing out. Health insurer Premera Blue Cross has disclosed that a cyber attack that commenced in May 2014 resulted in exposure of medical data and financial information of 11 million customers. Stolen records included claims data and clinical information, as well as financial account numbers, Social Security numbers, birth dates and other personal data.

The Premera breach appears to involve a record number of victims. Records for some 80 million people were stolen from the nation’s No. 2 insurer, Anthem, and records for 4.5 million people were hacked from Community Health Systems, parent of 206 hospitals in 29 states, as disclosed last summer. But the Anthem and CHS breaches involved the theft of personal data only, not medical records.

Personal and medical records are the building blocks for the worst forms of identity theft. With Premera, "hackers not only got the skeleton keys to lives, they got the key ring and the key chain,” says Adam Levin, chairman and co-founder of identity and data risk management consultancy IDT911, which sponsors ThirdCertainty. “Members and employees whose data was exposed – especially their SSNs – will be forced to look over their shoulders for the rest of their lives.”

Seattleites hit hard

More than half of the victims – about 6 million Premera patrons – reside in Washington state, including employees of Amazon, Microsoft and Starbucks. These companies now are prime targets for spear phishing attacks. It doesn’t take much imagination for a criminal to use stolen data to create spoofed accounts to come across as a trusted colleague to send viral email and social media posts to fellow employees as a way to breach any of these corporate networks.

On a lower rung of criminal activity, a whole generation of scammers who’ve mastered fraudulent online transactions using stolen credit card account numbers are ready to move to the next level, observes Lisa Berry-Tayman, senior privacy and governance advisor at IDT911 Consulting. “Criminals learn,” Berry-Tayman says. “The credit card thief steals the data, charges until the account is closed and the money is gone. To steal more money over a longer period of time, he or she must think bigger, and bigger is identity theft. Why just spend their money for a finite period of time when you can become them and spend their money for years and years?”

The healthcare industry has arisen as a target because it has moved aggressively to get rid of paper records and to collect, store and make use of healthcare data in digital form. The goal: to boost productivity. Trouble is, the healthcare industry, like many other industries, continues to make the digital push, including intensive use of the Internet cloud, without adequately accounting for security basics, security experts argue.

“Today’s Premera breach news once again demonstrates the failure of flawed, outdated assumptions, an over-reliance on guard-the-entry-point security and simplistic single-key encryption schemes,” says Richard Blech, CEO of encryption technology company Secure Channels. “This is a quaint and dangerous approach to a 21st century problem.” Trent Telford, CEO of data security company Covata, agrees. “For many of these companies, data security has been an afterthought or something they did not deem necessary,” Telford says. “However, this breach again highlights how vulnerable the health care and insurance industries are to attacks. People are entrusting these organizations with their personal information, and it is the responsibility of corporations to take appropriate steps to ensure it is protected – this must include data encryption.”

Common culprits?

Premera is keeping details of how the breach was carried out close to the vest. The FBI and IT forensics specialist Mandiant, a division of FireEye, are investigating. A good guess is that Premera was the focus of a targeted attack, says Josh Cannell, malware intelligence analyst at Malwarebytes Labs. “A vast majority of cyberattacks targeting enterprise networks originate by attackers gaining access to internal networks through social engineering techniques like phishing/spear phishing e-mails that closely resemble something employees are familiar with,” Cannell says. “Once attackers have an access point inside an enterprise network, they can then use privilege escalation techniques and install malware to maintain a presence on the network.” Cannell says it’s plausible the same hacking collective hit Anthem and Premera. “Since the attack happened around the same time as the Anthem breach, and was targeting a similar organization, it seems reasonable to say the threat likely originated from the same actors,” Cannell says.

Byron Acohido

Byron Acohido is a business journalist who has been writing about cybersecurity and privacy since 2004, and currently blogs at LastWatchdog.com.

Voice of the Customer: They're Not Happy

If you really listen to the voice of the customer, you'll hear horror stories. It can be easier to find early-stage funding than to buy insurance.

Early in November 2014, immediately following the release of the SMA research report Crowdsourcing and Open Innovation: Powering the Sharing Economy, which explored the shared economy and its implications for insurance, I received an interesting email from the CEO of a shared shipping start-up. The CEO stated, “I just wanted to let you know that I have found the hardest problem to solve as the CEO is that, after talking with 12 different insurance companies, I am still stuck on finding someone to write a policy for me! I am not sure you can overstate the tsunami of change that insurers are trying to avoid. It is frustrating to me as a CEO trying to get my company going.”

My instant reaction was … what a powerful voice, and what a compelling, if troubling, customer statement! I immediately reached out to him to discuss his predicament.

In our SMA research, we have written about how the shared economy is empowering individuals and businesses to access specialized skills, resources, goods or services from anyone, anywhere, at any time based on an instantaneous need. The change is spawning new business models and leveraging the combination of crowdsourcing, open innovation and technology. These new business models are challenging decades of business assumptions, models, pricing and growth that were based on the principle of ownership, rather than access or subscription. As a result, the fundamentals of insurance, from risk models to pricing, products and services, are feeling shockwaves.

My discussion with the CEO about his business provides a great but jolting example of the need for these new business models, new risk models and (especially) new insurance products. He agreed to do a webinar to describe his needs and his frustrating experiences for our SMA Innovation Communities. During the webinar, the CEO shared his experience and powerful insights for insurers:

It was easier to obtain $2 million for investment funding than to find insurance. The funding would likely be completed within 30 days. Contrast that with finding insurance coverage: After talking to more than 20 insurers, brokers or agents, over nearly 12 months, there is still no coverage. He found two companies, one of which works with Peers (the non-profit company backed by shared economy companies), that are bringing insurance to this market segment. But he is still awaiting confirmation.

Outdated insurance business models don’t fit today’s market needs. The old models are based on historical actuarial models, rather than real, point-in-time data (i.e. coverage when driving and shipping something).

The lack of visibility into capabilities of insurers and independent agents and the language barrier (the coverage needed is inland marine, which implies the use of a boat rather than land surface shipping) make it especially difficult to find exactly the right coverage.

Finding the right independent agent is “tricky” because of referral chains, lack of skill sets, unclear representations, and agent incentives.

In seeking coverage, he was told by many in the industry that, “Insurance has not updated the business model since the 1800s, so you won’t find anything.”

What does this mean for the insurance industry? Mildly put, listening to the voice of the customer should be a wake-up call. The lack of understanding and inability to respond rapidly to new market needs opens the door to new competitors and the potential loss of customers. Just like many other industries that are being disrupted and transformed, insurance must reimagine its business models – from the mission to the customer to the product, pricing, operational and revenue models. Historically, insurance has been about the transfer of the risk of a loss from one entity to another in exchange for payment. In today’s fast-paced, changing world of emerging technologies, new business models and shifting industry boundaries, is that focus limiting our opportunities?
This experience by a “could-be” customer clearly suggests we are at least limiting our future, if not risking it altogether. Other industries (and companies) are noticeably redefining their visions and focus to compete in this new world. At the 2015 Consumer Electronics Show, the media noted that Ford CEO Mark Fields sees Ford as rethinking itself as a mobility company rather than being defined by its legacy as an automotive company, and Ford is delivering a wide array of new services and experiences via the auto. Even Google’s CEO, Larry Page, has acknowledged that its vision statement – “To organize the world’s information and make it universally accessible and useful” – is too narrow, as reported in a Nov. 13, 2014, Fortune magazine article, “Google's Larry Page: The most ambitious CEO in the universe.” Page is creating a future by leveraging emerging technologies to reshape the business beyond the legacy as a search engine. Yet the view that insurance vision and business models are shackled in decades or even centuries of tradition is, unhappily, very real. This notion is reinforced in a Jan. 21, 2015, Forbes article titled “Insurance: $7 Trillion Goliath” that compares banking with insurance relative to change and innovation. The article notes that 15 years ago banking was a lumbering, vertically integrated giant that was largely untouched by the technology revolution. Today, however, there is a group of “Davids” like CoverHound, Lending Club and Square that are challenging traditional banking “Goliaths” with some digital “slingshots.” The article further observes that insurance has also remained largely untouched by the technology revolution, but that we are beginning to see the emergence of “Davids” who will challenge the traditional “Goliaths,” leveraging the technology revolution to disrupt the traditional business assumptions and models of insurance.
Insurers must redefine their vision and reinvent their business model, taking into consideration the new and emerging technologies, the growing amount of real-time data, new market trends and much, much more. If they do not, they risk facing a disruption that will be devastating, when it could have been transformational, creating new relevance in a rapidly changing world. The reimagination of businesses in the context of today’s world and tomorrow’s potential is already defining and revealing future market leaders and winners. Will insurance remain focused on risk transfer products? Or will we look more broadly toward offering products and services that provide much more, enhance the lives or businesses of our customers and meet the needs of a reimagined business model, like the shared economy? The possibilities are significant. Are you reimagining your business, considering the impossible as the new possible? Insurers need ingenuity and outside-in thinking to reimagine their business as a Next-Gen Insurer and ignite a vision of possibilities. If not you, then someone else will. So dream the impossible and become a Next-Gen insurer.

Denise Garth

Denise Garth is senior vice president, strategic marketing, responsible for leading marketing, industry relations and innovation in support of Majesco's client-centric strategy.

Rethinking the Claims Value Chain

It is now possible to make the claims process virtual -- and monitor all your vendors from a dashboard in your beach house or on your boat.

As a claims advisor, I specialize in helping to optimize property casualty claims management operations, so I spend a lot of time thinking about claims business processes, activities, dependencies and the value chains that are commonly used to structure and refine them. Lately, I have been focusing on the claims management supply chain -- the vendors who provide products and perform services that are critical inputs into the claims management and fulfillment process. In a traditional manufacturing model, the supply chain and the value chain are typically separate -- the supply chain provides raw materials, and the value chain connects activities that transform the raw materials into something valuable to customers. In a claims service delivery model, the value chain and the supply chain are increasingly overlapping, to the point where it is becoming hard to argue that any component of the claims value chain couldn’t be handled directly by the supply chain network.

Which creates an intriguing possibility for an insurance company -- an alternative to bricks and mortar and company cars and salaries, a virtual claims operation! Of course, there are third-party administrators (TPAs) that are large and well-developed enough to offer complete, end-to-end claims management and fulfillment services to an insurance company through an outsourced arrangement. That would be the one-stop shopping solution: hiring a TPA to replace your claims operation. But try to envision an end-to-end process in which you invite vendors/partners/service providers to compete to handle each component in your claims value chain (including processing handoffs to each other). You select the best, negotiate attractive rates, lock in service guarantees and manage the whole process simply by monitoring a performance dashboard that displays real-time data on effectiveness, efficiency, data quality, regulatory compliance and customer satisfaction.
You would need a system to integrate the inputs from the different suppliers to feed the dashboard, and you would also need to make certain the suppliers all worked together well enough to provide the ultimate customer with a seamless, pain free experience, but you are probably already doing some of that if you use vendors. You would still want to do quality and compliance and leakage audits, of course, but you could always hire a different vendor to do that for you or keep a small team to do it yourself. Your unallocated loss adjustment expenses (ULAE) would become variable, tied directly to claim volume, and your main operating challenge would be to manage your supply/value chain to produce the most desirable cost and experience outcomes. Improved cycle time, efficiency, effectiveness, data accuracy and the quality of the customer experience would be your value propositions. You could even monitor the dashboard from your beach house or boat -- no more staff meetings, performance reviews, training sessions -- and intervene only when needed in response to pre-defined operational exceptions. Sounds like a no-brainer. Insurance companies have been outsourcing portions of their value chain to vendors for years, so why haven’t they made their claims operations virtual? If you are running an insurance company claims operation, you probably know why. Many (probably most) claims executives are proud of and comfortable with their claims operations just the way they are. They believe they are performing their value chain processes more effectively than anyone else could, or that their processes are “core” (so critical or so closely related to their value proposition they cannot be performed by anyone else) and thus sacrosanct, or that they have already achieved an optimal balance between in-house and outsourced services so they don’t need to push it any further. 
Others don’t like the loss of control associated with outsourcing, or they don’t want to consider disruptive change. Still others think it might be worth exploring, but they don’t believe they can make a successful business case for the investment in systems and change costs. Unfortunately, this may help explain why claims executives are often accused of being stubbornly change averse and overly comfortable with the status quo, but I think it is a bit more complicated than that -- it all begins with the figurative “goggles” we use to self-evaluate claims operations. If you are running a claims operation, you have an entire collection of evaluation goggles -- the more claims experience you have, the larger your collection. When you have your “experience” goggles on, you compare your operation to others you have read about, or seen in prior jobs, or at competitors, to make sure your activities and results benchmark well and that you are staying up to date with best practices. At least once a year, someone outside of claims probably demands that you put your “budget” goggles on to look for opportunities to reduce ULAE costs, or legal costs, or fines and penalties, or whatever. You probably look through your “customer satisfaction” goggles quite a bit, particularly when complaints are up, or you are getting bad press because of your CAT response, or a satisfaction survey has come out and you don’t look good. Your “stakeholder” goggles help you assess how successful you have been at identifying those who have a vested interest in how well you perform, determining what it is they need from you to succeed, and delivering it. You use your “legal and regulatory compliance” goggles to identify problems before they turn into fines, bad publicity or litigation, much as you use your “no surprises” goggles to continually scan for operational breakdowns that might cause reputational or financial pain, finger pointing and second guessing.
Then there are the goggles for “management” -- litigation, disability, medical, vendor -- and for “fraud mitigation” and “recovery” and “employee engagement.” Let’s not forget the “efficiency” goggles, which help you assess unit costs and productivity, and the “effectiveness” and “quality control” goggles, which permit you to see whether your processes are producing intended and expected results. And of course your “loss cost management” goggles give you a good read on how well you are managing all three components of your loss cost triangle, i.e., whether you are deploying and incurring the most effective combination of allocated and unallocated expenses to produce the most appropriate level of loss payments. Are all those goggles necessary? You bet. Claims management involves complex processes and inputs and a convoluted web of variables and dependencies and contingencies. Most claims executives would probably agree it makes sense to regularly evaluate a claims operation from many different angles to get a good read on what’s working well, what isn’t and where there is opportunity for improvement. The multiple perspectives provided by your goggles help you triangulate causes, understand dependencies and impacts and intelligently balance operations to produce the best outcomes. So even if you do have a strong bias that your organization design is world-class, your people are the best and all processes and outcomes are optimal, the evaluation should give you plenty of evidence-based information with which to test that bias and identify enhancement opportunities -- as long as you keep an open mind. No matter what you do, however, there will always be others in your organization who enjoy evaluating your claims operation, and they usually aren’t encumbered by such an extensive collection of goggles.
They may have only one set that is tuned to budget, or customer experience, or compliance, or they may be under the influence of consultants whose expensive goggles are tuned to detect opportunities for large-scale disruptive/destructive process innovation or transformation in your operation. On the basis of that narrow view, they just might conclude that things need to change, that new operating models need to be explored. Whether you agree or disagree, your evidence-based information should be of some value in framing and joining the debate. Will we ever see virtual claims operations? Sure. There are many specialized claims service providers operating in the marketplace right now that can perform claims value chain processes faster, cheaper and better than many insurance companies can perform them. The technology exists to integrate multiple provider data inputs and create a performance dashboard. And there are a few large insurance company claims organizations pursuing this angle vigorously right now. I fully expect the companies that rethink and retool their claims value chains to take full advantage of integration of supply chain capabilities and begin to generate improved performance metrics and claim outcomes, ultimately creating competitive advantage for themselves. Does that mean it is time for you to rethink your claims value chain? I think the best way to find out is to put on your “innovation” goggles and take a look!

Dean Harring

Dean K. Harring retired in February 2013 as the executive vice president and chief claims officer at QBE North America in New York. He has more than 40 years experience as a claims senior executive with companies such as Liberty Mutual, Commercial Union, Providence Washington, Zurich North America, GAB Robins and CNA.

Bizarro World: Where Buying Can Be Fun

Picture a Bizarro world retail destination with a genius bar providing consulting, showing simulations, demonstrating the latest telematics....

In the Bizarro world of insurance, the product that people buy hoping they never use it is replaced with products that people buy via an interactive and engaging learning experience. Last Wednesday, Google opened its first retail store in London: a pop-up store within a British electronics retailer, called Currys PC World. The Google shop lets people play, experiment and learn about all Google has to offer. In a sense, the store is an interactive billboard that puts profits in the backseat and lures customers in via a promise to entertain. This concept of "play over purchase" isn’t unique and can be found in Apple's and Samsung’s business models. In fact, only two years ago, Samsung looked to emulate Apple’s success in the U.S. by launching its own chain of mini-stores in partnership with Best Buy. Surely there is some room for play, not just purchase, in our industry. To get a better idea of how this would work in the Bizarro insurance world, picture a retail destination with insurance geniuses standing by, ready and eager to engage customers in the insurance experience all the way from consulting on insurance products to simulating claim-handling and the latest telematics gadgets. These insurance geniuses will welcome consumers and listen to them, to better understand the right combination of products and features to offer. Later, the geniuses will point consumers to different stations, such as "Seriously Real," sponsored by Cyberith, where consumers can enter the virtual world of operating drones for disaster support, or "Hot Quotes," sponsored by Bolt, where consumers can obtain auto insurance quotes faster than Jimmy John’s delivery guy can make a sub. The result will be a house of insurance brands that come together under one roof to clearly communicate the value of insurance for the sake of a branded customer experience.
Yes, I'm referring to the two most overused words in this industry – customer experience - which until now were largely defined by an automatic renewal letter sent once a year or perhaps an unused, "downloaded and forgotten" app. We should also draw on the underused word "ecosystem": in this setting, defined as a network of carriers, vendors and insurance startups that collaborate to educate and engage around insurance products via a one-stop shop. To be continued when we revisit the Bizarro world of insurance....

Shefi Ben Hutta

Shefi Ben Hutta is the founder of InsuranceEntertainment.com, a refreshing blog offering insurance news and media that Millennials can relate to. Originally from Israel, she entered the U.S. insurance space in 2007 and since then has gained experience in online rating models.

A CMO’s IT Dream Team

CMOs and CIOs must collaborate to build a Dream Team and demonstrate ever-greater value. The key is breaking efforts into six chunks.

Dear CIO and my partner-in-creating-the-future: I came across this great quote from Rita McGrath that makes me laugh but also wince because it’s such a painfully accurate observation, especially as I think about how many of these barriers we could overcome by transforming the way marketing and IT work together: “All of our innovation barriers are self-inflicted.” As the CIO, you lead a function that must demonstrate ever-greater value and impact. The pressure is on to shift away from being a utility provider to an enterprise strategic asset -- an active creator of value and a collaborative contributor -- a function driving, and driven by, innovation. Guess what? Marketing feels a similar set of pressures, and I believe the keys to our success lie in how we work together. Not because there is strength in numbers, so much as because value creation in the new economy will happen at the intersection of three of the hats our functions influence, shape and lead within the organization: customer insight and analytics + user experience + implementation capability. Years ago, I co-led a big initiative alongside one of my all-time favorite CIOs. We were assigned an audacious multi-year, IT-based effort. The CIO gave me a great piece of advice that has stuck with me through many assignments. “Amy,” she said, “you just have to chunk it.” Chunking complex projects down into bite-size and digestible parts has become one of my personal core operating principles, and is relevant to the challenge of reinventing what we do for a digitally powered world. So herewith are six “chunks” I’d like you to embrace as elements of the answer.
  1. Connect the future path of the IT organization to the company’s vision. This sounds obvious. Nonetheless, taking the time to confirm that there is a vision, that it is clear and defensible and that it is understood by all constituencies may expose opportunities to get the IT foundation to be as air-tight as possible.
By the way, this advice applies equally to marketing. With all of the intense pressure to generate marketing return on investment (ROI), step one has to be a connection to business priorities.
  2. Empower IT team members with customer insight. An example of this would be to package and leverage ethnography, including artifacts coming out of in-home/on-site visits and day-in-the-life tag-alongs with customers – and by packaging I mean not the typical, mind-numbing PowerPoint slides, but video and other highly visual, interactive media that bring insights to life and make it easy to draw connections to development decisions.
I’d be happy to conduct workshops with members of the IT team to translate field learning into actions for business performance improvement and potentially disruptive business models.
  3. Insist upon and work actively to foster collaboration between IT and other functions … abolish the “order-taking” role. I’ve never met an IT professional who enjoyed being an order-taker, but it’s hard to redefine a role that for now-irrelevant reasons is often defined as such. Think like a start-up. How to change? Start by establishing processes grounded in business priorities and customer insight that foster collaboration between IT and other functions. Work with marketing to set the example. Demonstrate your role as a source of value.
One process I’ve seen work uses a repeatable approach to tapping into market insight and customer analytics to formulate hypotheses for growth, vetting and prioritizing them, putting the best ones into a test-and-learn cycle with working user prototypes, reading results and moving to next steps: kill, test again or roll out. This model demands design, analytics and technology skills, along with openness, a collaborative mindset and agility. With these conditions in place, it works.
  4. Implement an organization structure that enables digital transformation … and transcends the usual silos and politics. Challenge the norms and at least nudge your approach to accelerate IT’s impact on the digital transformation. There is always an “ideal scenario,” and then there’s the reality of anchoring to the company’s history, culture and business environment. These are all part of the context for a pragmatic organization solution that is both future-focused and rooted.
A good starting point is a fresh approach to a user experience capability. To be done right, this unit taps into a range of skills that would traditionally be distributed in marketing, IT, potentially finance or operations. Don’t overlook the impact on performance of co-location and a unified structure, what skills are really needed and how to close existing gaps. Consider the role of external resources who can jumpstart efforts, whether design agencies, big data analytics partners or maybe mobile app developers. IT should have a seat at the table to form this capability but may not be its organizational home.
  5. Take a clean-sheet approach to what is internal vs. external. Today the questions around what should be internal vs. outsourced, and how those outsourced relationships should be structured, have become more important and more complex. As with internal roles, external providers who know their stuff are more likely to walk the talk on a more multi-functional approach than traditional providers.
For both organization and external capabilities there is no right answer, except to be driven by the business vision and priorities, to be open-minded to new ways to execute and to expect external partners to collaborate, not just take orders.
  6. Enable a real prototyping capability … not just to see if code will run, but to get continuous and actionable customer feedback on the experience, either live in-market, or minimally in a simulation. This capability should enable speed, iteration and low cost.
On this recommendation, I have seen more examples in larger regulated institutions of what won’t work than what will. Live prototyping remains a challenge in regulated sectors, where there is no room for the downside of risks that might hurt a user, but where businesses are forgoing the upside of user-centered design. Disruptors make the choice to frame business models that can advance without the permissions and burdens of a regulated entity. Creating infrastructure that assures compliance and predictability while also enabling agility is by itself an innovation opportunity. Let’s work together on progress toward the Dream Team vision.

Amy Radin

Amy Radin is a transformation strategist, a scholar-practitioner at Columbia University and an executive adviser.

She partners with senior executives to navigate complex organizational transformations, bringing fresh perspectives shaped by decades of experience across regulated industries and emerging technology landscapes. As a strategic adviser, keynote speaker and workshop facilitator, she helps leaders translate ambitious visions into tangible results that align with evolving stakeholder expectations.

At Columbia University's School of Professional Studies, Radin serves as a scholar-practitioner, where she designed and teaches strategic advocacy in the MS Technology Management program. This role exemplifies her commitment to bridging academic insights with practical business applications, particularly crucial as organizations navigate the complexities of Industry 5.0.

Her approach challenges traditional change management paradigms, introducing frameworks that embrace the realities of today's business environment – from AI and advanced analytics to shifting workforce dynamics. Her methodology, refined through extensive corporate leadership experience, enables executives to build the capabilities needed to drive sustainable transformation in highly regulated environments.

As a member of the Fast Company Executive Board and author of the award-winning book, "The Change Maker's Playbook: How to Seek, Seed and Scale Innovation in Any Company," Radin regularly shares insights that help leaders reimagine their approach to organizational change. Her thought leadership draws from both her scholarly work and hands-on experience implementing transformative initiatives in complex business environments.

Previously, she held senior roles at American Express, served as chief digital officer and one of the corporate world’s first chief innovation officers at Citi and was chief marketing officer at AXA (now Equitable) in the U.S. 

Radin holds degrees from Wesleyan University and the Wharton School.

To explore collaboration opportunities or learn more about her work, visit her website or connect with her on LinkedIn.

Is It Time for Un-Change Management?

While change management is important for innovation, so is "un-change management," which focuses on eliminating waste.

Pull back on the reins for a moment and come to a complete stop. What do you see behind you? Probably a wake of both straight and winding roads… some intact, some obliterated, most somewhere in between. You probably see customers satisfied and dissatisfied at a number of different levels. Same with employees. Now look ahead of you. What do you see? A yet-to-be-unfolded strategic plan? A vision? Goals? Innovation? "Change management" is used to make the transition to doing things a new or different way. It’s a tool used to implement change required for forward movement, innovation, strategies, etc. "Un-change management" refers to the need for organizations to let go of the unwavering focus on innovation and advancement and devote some of that time and energy to removing that which is not valued by the external customer or not required by law. In a word, we’ll refer to it simply as "waste." Waste unattended grows, at best, in parallel with your company’s growth. If you are pleased with your growth goals, ask yourself if you’re pleased with your simplicity goals. The ratio of waste to value should be reduced when you grow. Unbridled growth often leads to an increase in the waste-to-value ratio, and that isn’t realized until years later, mostly because all eyes are on growth. Companies then scramble, point fingers, place blame and cut costs without really understanding where the problem could have and should have been addressed in the first place. Continuous improvement is more about elimination of waste than it is about doing anything new. It requires serious focus on work and asking why things are done. The goal is to arrive as close as possible to creating perfect flow in your business systems -- where orders are placed, where product or service is made or conducted and where they are provided to the customer for consumption.
Clean out the garage (and keep it clean)

For companies that have never emphasized waste, large gains are made in a relatively short period after they introduce their system of elimination. After that, removal efforts continue to whittle away at midsized waste and so on until, finally, the mindset converts to innovation. I think we’d all agree that an innovative company with little waste is a valuable thing indeed.

The way companies manage waste has a profound impact on the way the company culture emerges. (See www.ThreeBellCurves.com and download the free whitepaper.) Employees want to work on things that matter, not waste. Customers want to pay for things of value. Keeping the price low requires the elimination of as much waste as possible. Is your company ready to share some of its change management with "un"-change management? If you are, you will create more room for value without escalating costs.

10 Building Blocks for Risk Leaders (Part 5)

Risk leaders must develop a personal vision -- even though that may mean challenging authority -- and must find ways to give back.

Important things in life are not easily reduced to 10 steps. Nevertheless, this series provides a list of 10 building blocks to achieving long-term success in risk management from someone who has spent more than 25 years striving to carve out the most satisfying career possible, while never losing sight of the attributes attached to the bigger picture. Part 1 is here, Part 2 here, Part 3 here and Part 4 here. This is the fifth and final part.
9. Advance the Profession by Finding or Creating Personal Vision

The concept of innovation is directly and explicitly tied to risk and risk management. Put simply, there is no innovation without risk. Part of this paradigm is taking personal risk to move the discipline forward to places others may not have imagined. In the realm of risk management, settling for the status quo is to be avoided at all costs. Nothing stays the same for long, and a core competency of a true risk leader is having the gumption to push back on owners, which sometimes means questioning authority.

Just as the overall business environment is ever-evolving, the myriad internal and external drivers that can affect the risk profile of organizations must be carefully monitored. It is in this monitoring that the willingness to challenge conventional thinking and the status quo can lead to change, and risk-taking behaviors can be shifted to be more in line with risk appetite and tolerances. A vision for more innovative processes, tools and techniques can be developed, as well as an enhanced view into the murk of risk itself. Importantly, this demonstration of risk leadership will lead to the evolution of risk leaders’ personal vision for more effective risk management for their organizations.
If we haven’t learned anything else since that fateful day on Sept. 11, 2001, we’ve learned that new risks emerge with increasing regularity and seem to have increasing relevance to enterprise success. Furthermore, these new and emerging risks often fall into the strategic category, so they are often not easily measured or mitigated. All this speaks to the need for continuous improvement and innovation in how risk management is practiced and how it affects the design and execution of the organization’s risk framework and model.

While personal vision for risk management is necessary -- for personal satisfaction and the long-term success of the firm -- no two frameworks or models are exactly alike, just as no two firm risk profiles are identical. By crafting risk strategy, framework and model around the continuously evolving needs of the firm, risk leaders’ vision for risk management will take shape. As it is successfully implemented, this vision will also drive the risk profession forward, through benchmarking, networking and professional external collaborations, allowing all risk practitioners to improve, as well. This is the perfect segue to the last element of a personal risk leader success profile.

10. Give Back

Giving back to the next generation and to communities and nonprofit organizations (some of which can’t afford the cost of risk expertise, e.g., churches and civic organizations) is essential to developing a well-rounded leader and person. But giving back goes well beyond even service to the community and to nonprofits. In the larger context, giving back includes various strategies to help others. Examples include employing interns on a regular basis and taking the time to coach and mentor them well. Too often, intern programs are mismanaged or even abused as sources of raw labor out of which no real development or education occurs. This destroys the attraction to enter the risk profession. Because these programs—done well—can be the source of exceptional talent, it behooves all risk leaders to take advantage of intern sourcing when feasible and include it as a key component of long-term resource planning.
Giving back is also accomplished by bringing the risk leaders’ considerable knowledge to various forums, such as conferences and industry meetings, through presentations and participation in efforts to discover new solutions to problems. While the primary goal should be to help others, it almost always includes mutual benefit. Many of my colleagues say they actually get more out of this effort than they put in. That has certainly been true for me.

Another example of giving back is the Spencer Educational Foundation’s Risk Manager in Residence Program. This program provides funding for risk experts to bring that expertise into higher educational institutions through a series of lectures and teaching done in collaboration with selected professors whose goal is to bring diverse experiential learning to students pursuing risk and insurance degrees. This program has been instrumental in highlighting for students the opportunities available in the risk discipline.

There are many opportunities to serve other organizations through volunteer board and advisory positions, where risk experience and expertise is made available to help these organizations, particularly with risk governance. A residual benefit of this activity is broadening the network of contacts and relationships outside the industry, where risk expertise is almost always needed but infrequently recognized or acted upon.

Last, but certainly not least, is the ever-present opportunity to mentor and coach others to help them achieve their career goals. This is a fundamental responsibility of every manager of people. But it really gains traction when those outside the immediate work circle ask for mentoring or coaching, as they recognize and value the deep and broad expertise they can learn from via a mentoring program. Usually accompanying that expertise is a keen understanding of the political, social and cultural aspects of work life that those with less experience often find challenging to navigate. One benefit of this activity is a deep and lasting gratitude that is too infrequent in day-to-day business interactions. The related personal satisfaction is often immeasurable and certainly lasting. Personal brands are enhanced, and those being mentored can close the loop on what a true risk leader profile looks like.
Conclusion

There you have it—my list of 10 building blocks for long-term success in risk management. All functions need great leaders to achieve high performance, and risk leaders have more than their share of hurdles to overcome in the process. And yet, those who stick their necks out and take the personal risk associated with doing extraordinary things often succeed in doing so. I urge you to think big about the possibilities of a career in risk and consider these 10 important things that can help define the correct path to take. After all, no risk, no reward.

Christopher Mandel

Christopher E. Mandel is senior vice president of strategic solutions for Sedgwick and director of the Sedgwick Institute. He pioneered the development of integrated risk management at USAA.