Best tips for risk management


Risk Management and IT

When Microsoft’s claims manager Brianhurdles you had to overcome in working
Warren (risk management) and seniortogether?
program manager Ed Shoemaker (treasuryWarren: There has been a learning curve
information technology) joined forcesthroughout my working with IT. I am
five years ago to bring the Redmond,always trying to understand IT budget
Washington-based software giant’s ITcycles, how IT prioritizes projects,
and risk management departmentslearning how to express my business
together, they knew their work was cutrequirements in ways that can be
out for them. Their challenge was notsupported by IT.
just to manage Microsoft’s risk moreShoemaker: Brian came to the company
efficiently, but also to affect the kindabout six years ago and I came about
of institutional change within thefive years ago. By that time, our
organization that would long outlivedepartments already had a history
either of their stays. Risk Managementtogether, but it was very young. I came
Magazine spoke with Warren and Shoemakerin as a contractor to deploy the first
on the difficulties of bringing theirRMIS system at Microsoft. That was the
departments together, what they havereal beginning of our relationship in
achieved and how their progress servesterms of providing systems needs for
as a model for other organizations.Microsoft’s risk management
RM: What makes Microsoft’s riskdepartment. IT was not doing much for
management and information technologyrisk management prior to that.
demands unique?I’m unique in the IT group at
Warren: Our main product is intellectualMicrosoft because I came in from eleven
property. Consequently, we don’t haveyears in the insurance industry, so I
the property exposures that otheralready understood risk financing and
businesses might. We have relatively lowinsurance. The challenge for me has been
investment in physical plants, andlearning how to help the business
relatively less workers’ compensationunderstand IT and helping Brian meet his
exposure than most manufacturing orchallenges while trying to be pragmatic
service businesses. But we do have farabout striking a balance between
more concern over intellectual propertyevolving process efficiencies and
rights issues, contractual issues, etc.delivering systems solutions.
When you look at this company in termsRM: What cultural obstacles stood
of its balance sheet, it’s a wholebetween your departments?
other dimension of opportunities andWarren: When we started working
challenges. In many cases, Microsoft hastogether, there was a defensive attitude
more assets than the insurance companiesbetween IT and the rest of the business.
we consider doing business with, so weCertain projects hadn’t gone well and
have to ask ourselves, “What are wea lot of blame got tossed at IT, so they
trying to accomplish?” The answer todid not want to get burned on future
that is we are trying to achieveprojects. We struggled with that for a
flexibility for alternative risklittle while.
financing from other-than-commercialFor risk management, we had to figure
insurance markets. This creates a lot ofout how to define our business
new business systems to manage.requirements. That became an exercise in
Shoemaker: Microsoft’s significantdocumenting everything so that there
cash resources give us the ability forwould be no opportunity for us to come
creative risk financing that otherback at IT later if a project fell
companies do not have. As such, ourthrough and say: “This is your
unusual business systems needs take usfault.”
out of the mainstream of packagedWe realized if the business uses the
solutions. When Brian comes to me with asystem successfully, that results in a
business need or a systems need, it maywin for risk management and for IT. If
not be mainstream. I have to take morethe project fails, it is a loss for all
time to understand his needs in creatingof us. Once we broke through the bad
and deploying those solutions. Thisblood created by others, we aligned the
opportunity creates additionalinterests of our organizations, and
challenge.developed a win-win mantra. Things
RM: What inspired Microsoft’s IT andstarted to smooth out and get better
risk management departments to workfrom that point on. It gave IT
together?permission to be flexible in trying to
Warren: We were not satisfied with thesolve our systems requirements, and if
policy side of any RMIS [risk managementsomething unsuccessful happened because
information systems] products we lookedof their being flexible, we would not
at on the market, largely because of theblame them.
unique risk financing Microsoft doesShoemaker: Now we share common values
with captive utilization and some finiteand goals. But when Brian and I started
programs with extended durations andworking together, IT’s business
broad coverage. Standard RMIS does notrelationship with risk management was
encompass multiple-year policies orlike the Wild West. The dialogue between
integrated policies withIT and risk management was: “You told
single-aggregate limits acrossme you need to handle a certain
dissimilar additional coverages likerequirement, I think I have a system for
property and general liability mergedyou, here’s what you need.” And we
under a single limit.gave it to them. They would end up
We realized we were not going to getcoming back to us, saying: “This is
what we needed from our RMIS vendors, sonot working for me!” So we told them
we opted to develop a RMIS solutionthey had to become masters at telling us
internally. We went that route as a lastwhat they need, to articulate that, and
resort because the costs can bewe would then build something to meet
prohibitive. But management decided itthose needs.
was important enough for IT and riskRM: Given your departments’ common
management to jointly work on ahistory, would it be as difficult to
proprietary risk financing programbuild a Sandhurst II?
code-named Sandhurst, which launched onShoemaker: It would be much easier. When
October 18.I came to Microsoft, I was a singular
Sandhurst is a Web-based softwarecapital investment because I already
solution you access through Internetunderstood risk and insurance. My
Explorer. It can capture virtually anychallenge was to transfer my knowledge
risk financing program or instrument youto the other IT professionals. Sandhurst
can think of. Extra aggregate limits,was a good opportunity to do that.
coverages, any sublimits, per occurrenceBecause it was an internal custom
limits, retentions, all that. It can setapplication, I could employ other
up an occurrence and suggest, based onanalysts, developers and testers to help
characteristics of that occurrence,build it. They could get their hands
which of our policies or programs havedirty with this system and its
available limits and could possiblydocumentation, so as we move on to other
respond and provide coverage. Thisprojects, these people have a greater
allows the user to take additional stepsfamiliarity with risk management’s
to select coverages, lock them in andsystems needs. I am more replaceable
make a record of the claim. The actualtoday than at the beginning of the
handling of the claim is still manual;project, which is something we endeavor
you have to call the carrier, etc. Butto do.
over time, this will give us much betterWarren: On the risk management side, we
perspective on the remaining balance orhave expanded my skill set to two or
limits of our risk portfolio so we knowthree people beyond just me. On the IT
at any given time what programs have theside, Ed did a lot to expand exposure to
potential to respond to specificrisk management systems to the other
situations.people on his staff. A couple of years
Shoemaker: Sandhurst is designed toago, it was just Ed and myself. Now,
support our business needs for fivethere are four to five people on the IT
years or more. We are going to startside and the risk management side who
improving the code base immediately, soare familiar with the process and can
it will go through an evolutionarywork together. We have built an
process until, ultimately, Microsoft’sinstitutional skill set amongst the
business needs will have changed so muchstaff that will make things like
it will become cost effective to createSandhurst much easier in the future.
something from scratch rather thanRM: What words of advice would you give
continue to update Sandhurst. The onlyto colleagues trying to accomplish a
thing that would derail that would be asimilar goal?
sudden and significant change in howShoemaker: You should always scale your
Microsoft does business—a fundamental,business requests to IT according to
underlying change in our databasewhatever competency, budgetary and other
requiring such a substantial rewrite ofbusiness restraints may exist. If IT and
the application that we would have torisk management have not yet developed a
start over from scratch.mature relationship, if they don’t
RM: Would you consider Sandhurst to behave a big budget with lots of
the capstone of your departments’resources, then scale your requests to
collaboration so far?something that is possible for you to
Shoemaker: Sandhurst is a sign of theachieve. Brian and I cut our teeth on
maturing relationship betweensmaller projects at first, enhancing an
Microsoft’s IT and risk management. Ifexisting system or building a narrow
Brian and I started working on Sandhurstfunction. As we got more successful at
four or five years ago, the projectworking together, we learned how each
would not have been as successful as itother’s processes worked, and whatever
is today. We put Sandhurst on the board,pitfalls may exist between them. Once
determined its specs, scheduled it,you get a joint success, even if it is a
costed it, made changes along the way,modest one, you can build on that.
had a commitment date of 10/16 andWarren: Try to get inside knowledge of
missed that by only two days. All thingshow your IT department functions. Learn
considered, that’s pretty good.how it sets its budget and its
Obviously, it was a cooperative effort,priorities. Be realistic about what you
for both IT and risk management.need. There are a lot of good services
Warren: The concepts for this werebeing offered by RMIS companies, so
pretty groundbreaking. It presented aasking IT to build something special for
significant challenge for an ITyou might not always be necessary. You
organization when the business isare going to have problems if you ask IT
struggling to define new processes atto deliver something unreasonable. But
the same time it is trying to build aif you come in with a logical argument
system to run those processes. It wouldand a business case that makes sense,
have been far easier to automate athe challenge then becomes how to engage
well-established manual process. WeIT and get what you need. IT is
automated risk financing at a point inmotivated to make itself relevant to the
our experience when it was not abusiness. If you present your project as
well-established business process,an opportunity for IT to add a
however, which made it much harder. Wevalue-added resource or a useful new
had to decide what our standard wasbusiness function, you will be much more
going to be as we went along.likely to get its support.
RM: What were the biggest technical



1 A B C D 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112