Insurers have always been eager to hand out risk management advice to their customers. Managing risk, after all, is the true definition of insurance. Carriers haven’t always applied the same sense of caution to their own operations—particularly the IT department—where failed projects, aging technology, and a shortage of talented technologists have plagued operations for decades. This month we asked three industry analysts to offer some advice to carriers on one area where risk management in the IT department could be improved. Providing the advice are Rod Travers, executive vice president of The Nolan Co.; Bill Jenkins, founder of Agile Insurance Analytics; and Donn Vucovich, managing partner in MVP Advisory Group.
What Do You Think?
This month’s question:
What is one particular aspect of risk management that insurance IT departments need to focus on in the next year?
The Nolan Co.
IT should take a more prominent role in risk awareness education and policy reinforcement for associates, and even
education may not be “technology” per se, and it’s not as glamorous as implementing the latest new tablet function, but such education is impactful in terms of changing behavior and mitigating cyber risk.
The everyday technology user has no idea of the myriad security threats that are out there, or how they might be unwittingly enabling them. They need to be periodically informed about common vulnerabilities, threats, and best practices for thwarting those threats.

Some companies have begun conducting “mystery shopper” security drills to expose vulnerabilities and to demonstrate real-world threat scenarios. Some have even made it competitive by awarding a prize when someone fends off a staged threat.

The “human endpoint” is typically the weakest point in the information security chain; we should be doing more to address that reality.
Agile Insurance Analytics
One of the biggest issues that has plagued all IT operations over the years has been project failure risk. Most
significant corporate investment from both a tangible view (financial investment, staffing investment, and technology investment) and an intangible view (lost

Project failure is often defined as being over-budget, overdue, and missing user expectations. Project management studies highlight that the majority of development projects fail over time, and only about 15 percent of software projects are completed on-time and on-budget.

Under greater scrutiny, it becomes apparent that many “successful” projects are the result of reduced functionality or a scaling back of the system’s

More frightening, however, is the fact that a report from The Standish Group states that system development failures

“When you find yourself in a hole,” Will Rogers once said, “stop digging.”
MVP Advisory Group
will warn those of us traveling with small children to put our oxygen mask on first and then tend to our children. This simple approach to continuous parenting also applies to continuous risk management. And if you don’t give the risk manager enough oxygen, you won’t see much life in your risk management program.
In 2016, a good IT risk manager should have the funding and staff necessary to:
• Conduct risk assessments with business input that identify significant gaps in data protection and cyber-security;
• Prioritize risks based on a shared business and IT view of incidence and severity;
• Identify emerging risks in a timely manner; and
• Build risk mitigation into every new IT project, product or service.
Strong IT risk management is the result of consistent attention to systematically updating threat profiles and ensuring that defenses and contingencies are strong. Vigilance and prevention aren’t free, but they are economical.