| When Microsoft’s claims manager Brian | | | | hurdles you had to overcome in working |
| Warren (risk management) and senior | | | | together? |
| program manager Ed Shoemaker (treasury | | | | Warren: There has been a learning curve |
| information technology) joined forces | | | | throughout my working with IT. I am |
| five years ago to bring the Redmond, | | | | always trying to understand IT budget |
| Washington-based software giant’s IT | | | | cycles, how IT prioritizes projects, |
| and risk management departments | | | | learning how to express my business |
| together, they knew their work was cut | | | | requirements in ways that can be |
| out for them. Their challenge was not | | | | supported by IT. |
| just to manage Microsoft’s risk more | | | | Shoemaker: Brian came to the company |
| efficiently, but also to affect the kind | | | | about six years ago and I came about |
| of institutional change within the | | | | five years ago. By that time, our |
| organization that would long outlive | | | | departments already had a history |
| either of their stays. Risk Management | | | | together, but it was very young. I came |
| Magazine spoke with Warren and Shoemaker | | | | in as a contractor to deploy the first |
| on the difficulties of bringing their | | | | RMIS system at Microsoft. That was the |
| departments together, what they have | | | | real beginning of our relationship in |
| achieved and how their progress serves | | | | terms of providing systems needs for |
| as a model for other organizations. | | | | Microsoft’s risk management |
| RM: What makes Microsoft’s risk | | | | department. IT was not doing much for |
| management and information technology | | | | risk management prior to that. |
| demands unique? | | | | I’m unique in the IT group at |
| Warren: Our main product is intellectual | | | | Microsoft because I came in from eleven |
| property. Consequently, we don’t have | | | | years in the insurance industry, so I |
| the property exposures that other | | | | already understood risk financing and |
| businesses might. We have relatively low | | | | insurance. The challenge for me has been |
| investment in physical plants, and | | | | learning how to help the business |
| relatively less workers’ compensation | | | | understand IT and helping Brian meet his |
| exposure than most manufacturing or | | | | challenges while trying to be pragmatic |
| service businesses. But we do have far | | | | about striking a balance between |
| more concern over intellectual property | | | | evolving process efficiencies and |
| rights issues, contractual issues, etc. | | | | delivering systems solutions. |
| When you look at this company in terms | | | | RM: What cultural obstacles stood |
| of its balance sheet, it’s a whole | | | | between your departments? |
| other dimension of opportunities and | | | | Warren: When we started working |
| challenges. In many cases, Microsoft has | | | | together, there was a defensive attitude |
| more assets than the insurance companies | | | | between IT and the rest of the business. |
| we consider doing business with, so we | | | | Certain projects hadn’t gone well and |
| have to ask ourselves, “What are we | | | | a lot of blame got tossed at IT, so they |
| trying to accomplish?” The answer to | | | | did not want to get burned on future |
| that is we are trying to achieve | | | | projects. We struggled with that for a |
| flexibility for alternative risk | | | | little while. |
| financing from other-than-commercial | | | | For risk management, we had to figure |
| insurance markets. This creates a lot of | | | | out how to define our business |
| new business systems to manage. | | | | requirements. That became an exercise in |
| Shoemaker: Microsoft’s significant | | | | documenting everything so that there |
| cash resources give us the ability for | | | | would be no opportunity for us to come |
| creative risk financing that other | | | | back at IT later if a project fell |
| companies do not have. As such, our | | | | through and say: “This is your |
| unusual business systems needs take us | | | | fault.” |
| out of the mainstream of packaged | | | | We realized if the business uses the |
| solutions. When Brian comes to me with a | | | | system successfully, that results in a |
| business need or a systems need, it may | | | | win for risk management and for IT. If |
| not be mainstream. I have to take more | | | | the project fails, it is a loss for all |
| time to understand his needs in creating | | | | of us. Once we broke through the bad |
| and deploying those solutions. This | | | | blood created by others, we aligned the |
| opportunity creates additional | | | | interests of our organizations, and |
| challenge. | | | | developed a win-win mantra. Things |
| RM: What inspired Microsoft’s IT and | | | | started to smooth out and get better |
| risk management departments to work | | | | from that point on. It gave IT |
| together? | | | | permission to be flexible in trying to |
| Warren: We were not satisfied with the | | | | solve our systems requirements, and if |
| policy side of any RMIS [risk management | | | | something unsuccessful happened because |
| information systems] products we looked | | | | of their being flexible, we would not |
| at on the market, largely because of the | | | | blame them. |
| unique risk financing Microsoft does | | | | Shoemaker: Now we share common values |
| with captive utilization and some finite | | | | and goals. But when Brian and I started |
| programs with extended durations and | | | | working together, IT’s business |
| broad coverage. Standard RMIS does not | | | | relationship with risk management was |
| encompass multiple-year policies or | | | | like the Wild West. The dialogue between |
| integrated policies with | | | | IT and risk management was: “You told |
| single-aggregate limits across | | | | me you need to handle a certain |
| dissimilar additional coverages like | | | | requirement, I think I have a system for |
| property and general liability merged | | | | you, here’s what you need.” And we |
| under a single limit. | | | | gave it to them. They would end up |
| We realized we were not going to get | | | | coming back to us, saying: “This is |
| what we needed from our RMIS vendors, so | | | | not working for me!” So we told them |
| we opted to develop a RMIS solution | | | | they had to become masters at telling us |
| internally. We went that route as a last | | | | what they need, to articulate that, and |
| resort because the costs can be | | | | we would then build something to meet |
| prohibitive. But management decided it | | | | those needs. |
| was important enough for IT and risk | | | | RM: Given your departments’ common |
| management to jointly work on a | | | | history, would it be as difficult to |
| proprietary risk financing program | | | | build a Sandhurst II? |
| code-named Sandhurst, which launched on | | | | Shoemaker: It would be much easier. When |
| October 18. | | | | I came to Microsoft, I was a singular |
| Sandhurst is a Web-based software | | | | capital investment because I already |
| solution you access through Internet | | | | understood risk and insurance. My |
| Explorer. It can capture virtually any | | | | challenge was to transfer my knowledge |
| risk financing program or instrument you | | | | to the other IT professionals. Sandhurst |
| can think of. Extra aggregate limits, | | | | was a good opportunity to do that. |
| coverages, any sublimits, per occurrence | | | | Because it was an internal custom |
| limits, retentions, all that. It can set | | | | application, I could employ other |
| up an occurrence and suggest, based on | | | | analysts, developers and testers to help |
| characteristics of that occurrence, | | | | build it. They could get their hands |
| which of our policies or programs have | | | | dirty with this system and its |
| available limits and could possibly | | | | documentation, so as we move on to other |
| respond and provide coverage. This | | | | projects, these people have a greater |
| allows the user to take additional steps | | | | familiarity with risk management’s |
| to select coverages, lock them in and | | | | systems needs. I am more replaceable |
| make a record of the claim. The actual | | | | today than at the beginning of the |
| handling of the claim is still manual; | | | | project, which is something we endeavor |
| you have to call the carrier, etc. But | | | | to do. |
| over time, this will give us much better | | | | Warren: On the risk management side, we |
| perspective on the remaining balance or | | | | have expanded my skill set to two or |
| limits of our risk portfolio so we know | | | | three people beyond just me. On the IT |
| at any given time what programs have the | | | | side, Ed did a lot to expand exposure to |
| potential to respond to specific | | | | risk management systems to the other |
| situations. | | | | people on his staff. A couple of years |
| Shoemaker: Sandhurst is designed to | | | | ago, it was just Ed and myself. Now, |
| support our business needs for five | | | | there are four to five people on the IT |
| years or more. We are going to start | | | | side and the risk management side who |
| improving the code base immediately, so | | | | are familiar with the process and can |
| it will go through an evolutionary | | | | work together. We have built an |
| process until, ultimately, Microsoft’s | | | | institutional skill set amongst the |
| business needs will have changed so much | | | | staff that will make things like |
| it will become cost effective to create | | | | Sandhurst much easier in the future. |
| something from scratch rather than | | | | RM: What words of advice would you give |
| continue to update Sandhurst. The only | | | | to colleagues trying to accomplish a |
| thing that would derail that would be a | | | | similar goal? |
| sudden and significant change in how | | | | Shoemaker: You should always scale your |
| Microsoft does business—a fundamental, | | | | business requests to IT according to |
| underlying change in our database | | | | whatever competency, budgetary and other |
| requiring such a substantial rewrite of | | | | business restraints may exist. If IT and |
| the application that we would have to | | | | risk management have not yet developed a |
| start over from scratch. | | | | mature relationship, if they don’t |
| RM: Would you consider Sandhurst to be | | | | have a big budget with lots of |
| the capstone of your departments’ | | | | resources, then scale your requests to |
| collaboration so far? | | | | something that is possible for you to |
| Shoemaker: Sandhurst is a sign of the | | | | achieve. Brian and I cut our teeth on |
| maturing relationship between | | | | smaller projects at first, enhancing an |
| Microsoft’s IT and risk management. If | | | | existing system or building a narrow |
| Brian and I started working on Sandhurst | | | | function. As we got more successful at |
| four or five years ago, the project | | | | working together, we learned how each |
| would not have been as successful as it | | | | other’s processes worked, and whatever |
| is today. We put Sandhurst on the board, | | | | pitfalls may exist between them. Once |
| determined its specs, scheduled it, | | | | you get a joint success, even if it is a |
| costed it, made changes along the way, | | | | modest one, you can build on that. |
| had a commitment date of 10/16 and | | | | Warren: Try to get inside knowledge of |
| missed that by only two days. All things | | | | how your IT department functions. Learn |
| considered, that’s pretty good. | | | | how it sets its budget and its |
| Obviously, it was a cooperative effort, | | | | priorities. Be realistic about what you |
| for both IT and risk management. | | | | need. There are a lot of good services |
| Warren: The concepts for this were | | | | being offered by RMIS companies, so |
| pretty groundbreaking. It presented a | | | | asking IT to build something special for |
| significant challenge for an IT | | | | you might not always be necessary. You |
| organization when the business is | | | | are going to have problems if you ask IT |
| struggling to define new processes at | | | | to deliver something unreasonable. But |
| the same time it is trying to build a | | | | if you come in with a logical argument |
| system to run those processes. It would | | | | and a business case that makes sense, |
| have been far easier to automate a | | | | the challenge then becomes how to engage |
| well-established manual process. We | | | | IT and get what you need. IT is |
| automated risk financing at a point in | | | | motivated to make itself relevant to the |
| our experience when it was not a | | | | business. If you present your project as |
| well-established business process, | | | | an opportunity for IT to add a |
| however, which made it much harder. We | | | | value-added resource or a useful new |
| had to decide what our standard was | | | | business function, you will be much more |
| going to be as we went along. | | | | likely to get its support. |
| RM: What were the biggest technical | | | | |