| When Microsoft’s claims manager Brian | | | | you had to overcome in working together? |
| Warren (risk management) and senior program | | | | |
| manager Ed Shoemaker (treasury information | | | | Warren: There has been a learning curve |
| technology) joined forces five years ago to | | | | throughout my working with IT. I am always |
| bring the Redmond, Washington-based software | | | | trying to understand IT budget cycles, how IT |
| giant’s IT and risk management | | | | prioritizes projects, learning how to express |
| departments together, they knew their work | | | | my business requirements in ways that can be |
| was cut out for them. Their challenge was not | | | | supported by IT. |
| just to manage Microsoft’s risk more | | | | |
| efficiently, but also to affect the kind of | | | | Shoemaker: Brian came to the company about |
| institutional change within the organization | | | | six years ago and I came about five years |
| that would long outlive either of their | | | | ago. By that time, our departments already |
| stays. Risk Management Magazine spoke with | | | | had a history together, but it was very |
| Warren and Shoemaker on the difficulties of | | | | young. I came in as a contractor to deploy |
| bringing their departments together, what | | | | the first RMIS system at Microsoft. That was |
| they have achieved and how their progress | | | | the real beginning of our relationship in |
| serves as a model for other organizations. | | | | terms of providing systems needs for |
| | | | Microsoft’s risk management |
| RM: What makes Microsoft’s risk | | | | department. IT was not doing much for risk |
| management and information technology demands | | | | management prior to that. |
| unique? | | | | |
| | | | I’m unique in the IT group at |
| Warren: Our main product is intellectual | | | | Microsoft because I came in from eleven years |
| property. Consequently, we don’t have | | | | in the insurance industry, so I already |
| the property exposures that other businesses | | | | understood risk financing and insurance. The |
| might. We have relatively low investment in | | | | challenge for me has been learning how to |
| physical plants, and relatively less | | | | help the business understand IT and helping |
| workers’ compensation exposure than | | | | Brian meet his challenges while trying to be |
| most manufacturing or service businesses. But | | | | pragmatic about striking a balance between |
| we do have far more concern over intellectual | | | | evolving process efficiencies and delivering |
| property rights issues, contractual issues, | | | | systems solutions. |
| etc. | | | | |
| | | | RM: What cultural obstacles stood between |
| When you look at this company in terms of its | | | | your departments? |
| balance sheet, it’s a whole other | | | | |
| dimension of opportunities and challenges. In | | | | Warren: When we started working together, |
| many cases, Microsoft has more assets than | | | | there was a defensive attitude between IT and |
| the insurance companies we consider doing | | | | the rest of the business. Certain projects |
| business with, so we have to ask ourselves, | | | | hadn’t gone well and a lot of blame |
| “What are we trying to | | | | got tossed at IT, so they did not want to get |
| accomplish?†The answer to that is we | | | | burned on future projects. We struggled with |
| are trying to achieve flexibility for | | | | that for a little while. |
| alternative risk financing from | | | | |
| other-than-commercial insurance markets. This | | | | For risk management, we had to figure out how |
| creates a lot of new business systems to | | | | to define our business requirements. That |
| manage. | | | | became an exercise in documenting everything |
| | | | so that there would be no opportunity for us |
| Shoemaker: Microsoft’s significant | | | | to come back at IT later if a project fell |
| cash resources give us the ability for | | | | through and say: “This is your |
| creative risk financing that other companies | | | | fault.†|
| do not have. As such, our unusual business | | | | |
| systems needs take us out of the mainstream | | | | We realized if the business uses the system |
| of packaged solutions. When Brian comes to me | | | | successfully, that results in a win for risk |
| with a business need or a systems need, it | | | | management and for IT. If the project fails, |
| may not be mainstream. I have to take more | | | | it is a loss for all of us. Once we broke |
| time to understand his needs in creating and | | | | through the bad blood created by others, we |
| deploying those solutions. This opportunity | | | | aligned the interests of our organizations, |
| creates additional challenge. | | | | and developed a win-win mantra. Things |
| | | | started to smooth out and get better from |
| RM: What inspired Microsoft’s IT and | | | | that point on. It gave IT permission to be |
| risk management departments to work together? | | | | flexible in trying to solve our systems |
| | | | requirements, and if something unsuccessful |
| Warren: We were not satisfied with the policy | | | | happened because of their being flexible, we |
| side of any RMIS [risk management information | | | | would not blame them. |
| systems] products we looked at on the market, | | | | |
| largely because of the unique risk financing | | | | Shoemaker: Now we share common values and |
| Microsoft does with captive utilization and | | | | goals. But when Brian and I started working |
| some finite programs with extended durations | | | | together, IT’s business relationship |
| and broad coverage. Standard RMIS does not | | | | with risk management was like the Wild West. |
| encompass multiple-year policies or | | | | The dialogue between IT and risk management |
| integrated policies with single-aggregate | | | | was: “You told me you need to handle a |
| limits across dissimilar additional coverages | | | | certain requirement, I think I have a system |
| like property and general liability merged | | | | for you, here’s what you need.†|
| under a single limit. | | | | And we gave it to them. They would end up |
| | | | coming back to us, saying: “This is not |
| We realized we were not going to get what we | | | | working for me!†So we told them they |
| needed from our RMIS vendors, so we opted to | | | | had to become masters at telling us what they |
| develop a RMIS solution internally. We went | | | | need, to articulate that, and we would then |
| that route as a last resort because the costs | | | | build something to meet those needs. |
| can be prohibitive. But management decided it | | | | |
| was important enough for IT and risk | | | | RM: Given your departments’ common |
| management to jointly work on a proprietary | | | | history, would it be as difficult to build a |
| risk financing program code-named Sandhurst, | | | | Sandhurst II? |
| which launched on October 18. | | | | |
| | | | Shoemaker: It would be much easier. When I |
| Sandhurst is a Web-based software solution | | | | came to Microsoft, I was a singular capital |
| you access through Internet Explorer. It can | | | | investment because I already understood risk |
| capture virtually any risk financing program | | | | and insurance. My challenge was to transfer |
| or instrument you can think of. Extra | | | | my knowledge to the other IT professionals. |
| aggregate limits, coverages, any sublimits, | | | | Sandhurst was a good opportunity to do that. |
| per occurrence limits, retentions, all that. | | | | Because it was an internal custom |
| It can set up an occurrence and suggest, | | | | application, I could employ other analysts, |
| based on characteristics of that occurrence, | | | | developers and testers to help build it. They |
| which of our policies or programs have | | | | could get their hands dirty with this system |
| available limits and could possibly respond | | | | and its documentation, so as we move on to |
| and provide coverage. This allows the user to | | | | other projects, these people have a greater |
| take additional steps to select coverages, | | | | familiarity with risk management’s |
| lock them in and make a record of the claim. | | | | systems needs. I am more replaceable today |
| The actual handling of the claim is still | | | | than at the beginning of the project, which |
| manual; you have to call the carrier, etc. | | | | is something we endeavor to do. |
| But over time, this will give us much better | | | | |
| perspective on the remaining balance or | | | | Warren: On the risk management side, we have |
| limits of our risk portfolio so we know at | | | | expanded my skill set to two or three people |
| any given time what programs have the | | | | beyond just me. On the IT side, Ed did a lot |
| potential to respond to specific situations. | | | | to expand exposure to risk management systems |
| | | | to the other people on his staff. A couple of |
| Shoemaker: Sandhurst is designed to support | | | | years ago, it was just Ed and myself. Now, |
| our business needs for five years or more. We | | | | there are four to five people on the IT side |
| are going to start improving the code base | | | | and the risk management side who are familiar |
| immediately, so it will go through an | | | | with the process and can work together. We |
| evolutionary process until, ultimately, | | | | have built an institutional skill set amongst |
| Microsoft’s business needs will have | | | | the staff that will make things like |
| changed so much it will become cost effective | | | | Sandhurst much easier in the future. |
| to create something from scratch rather than | | | | |
| continue to update Sandhurst. The only thing | | | | RM: What words of advice would you give to |
| that would derail that would be a sudden and | | | | colleagues trying to accomplish a similar |
| significant change in how Microsoft does | | | | goal? |
| business—a fundamental, underlying | | | | |
| change in our database requiring such a | | | | Shoemaker: You should always scale your |
| substantial rewrite of the application that | | | | business requests to IT according to whatever |
| we would have to start over from scratch. | | | | competency, budgetary and other business |
| | | | restraints may exist. If IT and risk |
| RM: Would you consider Sandhurst to be the | | | | management have not yet developed a mature |
| capstone of your departments’ | | | | relationship, if they don’t have a big |
| collaboration so far? | | | | budget with lots of resources, then scale |
| | | | your requests to something that is possible |
| Shoemaker: Sandhurst is a sign of the | | | | for you to achieve. Brian and I cut our teeth |
| maturing relationship between | | | | on smaller projects at first, enhancing an |
| Microsoft’s IT and risk management. If | | | | existing system or building a narrow |
| Brian and I started working on Sandhurst four | | | | function. As we got more successful at |
| or five years ago, the project would not have | | | | working together, we learned how each |
| been as successful as it is today. We put | | | | other’s processes worked, and whatever |
| Sandhurst on the board, determined its specs, | | | | pitfalls may exist between them. Once you get |
| scheduled it, costed it, made changes along | | | | a joint success, even if it is a modest one, |
| the way, had a commitment date of 10/16 and | | | | you can build on that. |
| missed that by only two days. All things | | | | |
| considered, that’s pretty good. | | | | Warren: Try to get inside knowledge of how |
| Obviously, it was a cooperative effort, for | | | | your IT department functions. Learn how it |
| both IT and risk management. | | | | sets its budget and its priorities. Be |
| | | | realistic about what you need. There are a |
| Warren: The concepts for this were pretty | | | | lot of good services being offered by RMIS |
| groundbreaking. It presented a significant | | | | companies, so asking IT to build something |
| challenge for an IT organization when the | | | | special for you might not always be |
| business is struggling to define new | | | | necessary. You are going to have problems if |
| processes at the same time it is trying to | | | | you ask IT to deliver something unreasonable. |
| build a system to run those processes. It | | | | But if you come in with a logical argument |
| would have been far easier to automate a | | | | and a business case that makes sense, the |
| well-established manual process. We automated | | | | challenge then becomes how to engage IT and |
| risk financing at a point in our experience | | | | get what you need. IT is motivated to make |
| when it was not a well-established business | | | | itself relevant to the business. If you |
| process, however, which made it much harder. | | | | present your project as an opportunity for IT |
| We had to decide what our standard was going | | | | to add a value-added resource or a useful new |
| to be as we went along. | | | | business function, you will be much more |
| | | | likely to get its support. |
| RM: What were the biggest technical hurdles | | | | |