| When Microsoft’s claims manager Brian | | | | RM: What were the biggest technical hurdles you had |
| Warren (risk management) and senior program | | | | to overcome in working together? |
| manager Ed Shoemaker (treasury information | | | | Warren: There has been a learning curve throughout |
| technology) joined forces five years ago to bring the | | | | my working with IT. I am always trying to |
| Redmond, Washington-based software | | | | understand IT budget cycles, how IT prioritizes |
| giant’s IT and risk management | | | | projects, learning how to express my business |
| departments together, they knew their work was | | | | requirements in ways that can be supported by IT. |
| cut out for them. Their challenge was not just to | | | | Shoemaker: Brian came to the company about six |
| manage Microsoft’s risk more efficiently, | | | | years ago and I came about five years ago. By that |
| but also to affect the kind of institutional change | | | | time, our departments already had a history |
| within the organization that would long outlive either | | | | together, but it was very young. I came in as a |
| of their stays. Risk Management Magazine spoke with | | | | contractor to deploy the first RMIS system at |
| Warren and Shoemaker on the difficulties of bringing | | | | Microsoft. That was the real beginning of our |
| their departments together, what they have | | | | relationship in terms of providing systems needs for |
| achieved and how their progress serves as a model | | | | Microsoft’s risk management department. |
| for other organizations. | | | | IT was not doing much for risk management prior to |
| RM: What makes Microsoft’s risk | | | | that. |
| management and information technology demands | | | | I’m unique in the IT group at Microsoft |
| unique? | | | | because I came in from eleven years in the insurance |
| Warren: Our main product is intellectual property. | | | | industry, so I already understood risk financing and |
| Consequently, we don’t have the | | | | insurance. The challenge for me has been learning |
| property exposures that other businesses might. We | | | | how to help the business understand IT and helping |
| have relatively low investment in physical plants, and | | | | Brian meet his challenges while trying to be pragmatic |
| relatively less workers’ compensation | | | | about striking a balance between evolving process |
| exposure than most manufacturing or service | | | | efficiencies and delivering systems solutions. |
| businesses. But we do have far more concern over | | | | RM: What cultural obstacles stood between your |
| intellectual property rights issues, contractual issues, | | | | departments? |
| etc. | | | | Warren: When we started working together, there |
| When you look at this company in terms of its | | | | was a defensive attitude between IT and the rest |
| balance sheet, it’s a whole other dimension | | | | of the business. Certain projects hadn’t |
| of opportunities and challenges. In many cases, | | | | gone well and a lot of blame got tossed at IT, so |
| Microsoft has more assets than the insurance | | | | they did not want to get burned on future projects. |
| companies we consider doing business with, so we | | | | We struggled with that for a little while. |
| have to ask ourselves, “What are we | | | | For risk management, we had to figure out how to |
| trying to accomplish?†The answer to that | | | | define our business requirements. That became an |
| is we are trying to achieve flexibility for alternative | | | | exercise in documenting everything so that there |
| risk financing from other-than-commercial insurance | | | | would be no opportunity for us to come back at IT |
| markets. This creates a lot of new business systems | | | | later if a project fell through and say: “This |
| to manage. | | | | is your fault.†|
| Shoemaker: Microsoft’s significant cash | | | | We realized if the business uses the system |
| resources give us the ability for creative risk financing | | | | successfully, that results in a win for risk |
| that other companies do not have. As such, our | | | | management and for IT. If the project fails, it is a |
| unusual business systems needs take us out of the | | | | loss for all of us. Once we broke through the bad |
| mainstream of packaged solutions. When Brian comes | | | | blood created by others, we aligned the interests of |
| to me with a business need or a systems need, it | | | | our organizations, and developed a win-win mantra. |
| may not be mainstream. I have to take more time | | | | Things started to smooth out and get better from |
| to understand his needs in creating and deploying | | | | that point on. It gave IT permission to be flexible in |
| those solutions. This opportunity creates additional | | | | trying to solve our systems requirements, and if |
| challenge. | | | | something unsuccessful happened because of their |
| RM: What inspired Microsoft’s IT and risk | | | | being flexible, we would not blame them. |
| management departments to work together? | | | | Shoemaker: Now we share common values and goals. |
| Warren: We were not satisfied with the policy side | | | | But when Brian and I started working together, |
| of any RMIS [risk management information systems] | | | | IT’s business relationship with risk |
| products we looked at on the market, largely | | | | management was like the Wild West. The dialogue |
| because of the unique risk financing Microsoft does | | | | between IT and risk management was: |
| with captive utilization and some finite programs with | | | | “You told me you need to handle a certain |
| extended durations and broad coverage. Standard | | | | requirement, I think I have a system for you, |
| RMIS does not encompass multiple-year policies or | | | | here’s what you need.†And we |
| integrated policies with single-aggregate limits across | | | | gave it to them. They would end up coming back to |
| dissimilar additional coverages like property and | | | | us, saying: “This is not working for |
| general liability merged under a single limit. | | | | me!†So we told them they had to become |
| We realized we were not going to get what we | | | | masters at telling us what they need, to articulate |
| needed from our RMIS vendors, so we opted to | | | | that, and we would then build something to meet |
| develop a RMIS solution internally. We went that | | | | those needs. |
| route as a last resort because the costs can be | | | | RM: Given your departments’ common |
| prohibitive. But management decided it was important | | | | history, would it be as difficult to build a Sandhurst II? |
| enough for IT and risk management to jointly work | | | | Shoemaker: It would be much easier. When I came |
| on a proprietary risk financing program code-named | | | | to Microsoft, I was a singular capital investment |
| Sandhurst, which launched on October 18. | | | | because I already understood risk and insurance. My |
| Sandhurst is a Web-based software solution you | | | | challenge was to transfer my knowledge to the |
| access through Internet Explorer. It can capture | | | | other IT professionals. Sandhurst was a good |
| virtually any risk financing program or instrument you | | | | opportunity to do that. Because it was an internal |
| can think of. Extra aggregate limits, coverages, any | | | | custom application, I could employ other analysts, |
| sublimits, per occurrence limits, retentions, all that. It | | | | developers and testers to help build it. They could |
| can set up an occurrence and suggest, based on | | | | get their hands dirty with this system and its |
| characteristics of that occurrence, which of our | | | | documentation, so as we move on to other projects, |
| policies or programs have available limits and could | | | | these people have a greater familiarity with risk |
| possibly respond and provide coverage. This allows | | | | management’s systems needs. I am more |
| the user to take additional steps to select coverages, | | | | replaceable today than at the beginning of the |
| lock them in and make a record of the claim. The | | | | project, which is something we endeavor to do. |
| actual handling of the claim is still manual; you have to | | | | Warren: On the risk management side, we have |
| call the carrier, etc. But over time, this will give us | | | | expanded my skill set to two or three people |
| much better perspective on the remaining balance or | | | | beyond just me. On the IT side, Ed did a lot to |
| limits of our risk portfolio so we know at any given | | | | expand exposure to risk management systems to |
| time what programs have the potential to respond to | | | | the other people on his staff. A couple of years ago, |
| specific situations. | | | | it was just Ed and myself. Now, there are four to |
| Shoemaker: Sandhurst is designed to support our | | | | five people on the IT side and the risk management |
| business needs for five years or more. We are going | | | | side who are familiar with the process and can work |
| to start improving the code base immediately, so it | | | | together. We have built an institutional skill set |
| will go through an evolutionary process until, | | | | amongst the staff that will make things like |
| ultimately, Microsoft’s business needs will | | | | Sandhurst much easier in the future. |
| have changed so much it will become cost effective | | | | RM: What words of advice would you give to |
| to create something from scratch rather than | | | | colleagues trying to accomplish a similar goal? |
| continue to update Sandhurst. The only thing that | | | | Shoemaker: You should always scale your business |
| would derail that would be a sudden and significant | | | | requests to IT according to whatever competency, |
| change in how Microsoft does business—a | | | | budgetary and other business restraints may exist. If |
| fundamental, underlying change in our database | | | | IT and risk management have not yet developed a |
| requiring such a substantial rewrite of the application | | | | mature relationship, if they don’t have a |
| that we would have to start over from scratch. | | | | big budget with lots of resources, then scale your |
| RM: Would you consider Sandhurst to be the | | | | requests to something that is possible for you to |
| capstone of your departments’ | | | | achieve. Brian and I cut our teeth on smaller projects |
| collaboration so far? | | | | at first, enhancing an existing system or building a |
| Shoemaker: Sandhurst is a sign of the maturing | | | | narrow function. As we got more successful at |
| relationship between Microsoft’s IT and | | | | working together, we learned how each |
| risk management. If Brian and I started working on | | | | other’s processes worked, and whatever |
| Sandhurst four or five years ago, the project would | | | | pitfalls may exist between them. Once you get a |
| not have been as successful as it is today. We put | | | | joint success, even if it is a modest one, you can |
| Sandhurst on the board, determined its specs, | | | | build on that. |
| scheduled it, costed it, made changes along the way, | | | | Warren: Try to get inside knowledge of how your IT |
| had a commitment date of 10/16 and missed that by | | | | department functions. Learn how it sets its budget |
| only two days. All things considered, that’s | | | | and its priorities. Be realistic about what you need. |
| pretty good. Obviously, it was a cooperative effort, | | | | There are a lot of good services being offered by |
| for both IT and risk management. | | | | RMIS companies, so asking IT to build something |
| Warren: The concepts for this were pretty | | | | special for you might not always be necessary. You |
| groundbreaking. It presented a significant challenge | | | | are going to have problems if you ask IT to deliver |
| for an IT organization when the business is struggling | | | | something unreasonable. But if you come in with a |
| to define new processes at the same time it is trying | | | | logical argument and a business case that makes |
| to build a system to run those processes. It would | | | | sense, the challenge then becomes how to engage |
| have been far easier to automate a well-established | | | | IT and get what you need. IT is motivated to make |
| manual process. We automated risk financing at a | | | | itself relevant to the business. If you present your |
| point in our experience when it was not a | | | | project as an opportunity for IT to add a |
| well-established business process, however, which | | | | value-added resource or a useful new business |
| made it much harder. We had to decide what our | | | | function, you will be much more likely to get its |
| standard was going to be as we went along. | | | | support. |