Roy O'Neil provides an overview of the issues surrounding systems usage in the 21st century.
Issues relating to global systems and risks experienced in the 20th century will continue to dog many organisations, including re/insurers, well into the early part of the 21st century. Much beyond that is difficult to assess at this stage, as technological developments continue to be made at such a rapid pace.
As with most corporate systems, re/insurers have developed their technology infrastructure over many years to support and reflect a particular organisational structure. As many of these organisations evolved it became apparent that the old infrastructure no longer provided the support and flexibility required by today's more demanding reinsurance market. For example, systems historically were built and operated on a geographical model, generally separate systems within each major operating unit, and usually country specific. Many of these organisations have already, or are now moving towards, a global product line-based structure.
In the US, some reinsurers developed their IT infrastructures in such a way that they cannot be tailored to support a global line of business. Problems thus arise not only from difficulties in making structural changes to the technology but also because of an inability to handle local tax, currency, legal and reporting requirements. Therefore, organisations that are moving towards a global structure are facing the challenges of trying to integrate disparate systems or implement new global underwriting systems, accounting systems and business processes. This is no small task. Additionally, the need to underwrite, manage claims and assess risk on a consistent global basis requires a degree of commonality across the business and systems which has hitherto been absent.
It is important to note that when an organisation has operated on a particular business model for years, such as a geographical basis, there are many formal and informal relationships established between the business units and the IT function. When an operating model is changed, such relationships need to be re-established. This is normally overlooked and possibly not considered at all.
As with many types of organisation, reinsurers still continue to struggle with the interface between the business and the IT function. Is it the business or the IT department that drives the systems development and implementation plans? Deloitte Consulting recently attended meetings with two global reinsurers which were in the process of implementing major global applications. When the business units were asked who was sponsoring the project, the CIO's name was given.
A key factor to any successful global operation is the implementation of consistent business processes. The field of improving and redesigning business processes has seen much activity over recent years and is still a key issue to be considered by reinsurers when they are implementing global systems. As with any global systems implementation, the challenges faced by global process teams are much greater than those experienced by geographically-focused teams. Apart from the obvious issues, such as accommodating different time zones, there are more important issues relating to language, culture, terminology and legislative requirements that need to be considered by highly skilled teams.
Deloitte Consulting recently conducted a survey throughout the global reinsurance industry, which confirmed that legacy system integration and process redesign were still very high on the corporate agenda. Respondents to the survey viewed it as a major constraint to business growth if it was not successfully implemented.
Data integration issues continue to cause the reinsurance industry problems. It is impossible to aggregate data unless there is a common understanding of terminology. Recent experience has revealed that inconsistent use of terminology within the same organisation continues to be a problem. For example, if a reinsurer wanted to list all exposures to a multiline primary carrier, it would ideally make a simple enquiry on a system. However, it is often the case that different permutations of a particular company name would have been input into the system, providing inconsistency across the system. Consider the impact of this one simple term being interpreted differently across multiple types of data category such as clients, classes of business and classifications. Additionally, consider the impact of simple language differences. For example, an item such as a 'fender' in the US is known as a 'bumper' in the UK - same item, different name. It is clear that clarity and consistent use of terminology within an organisation will contribute to a successful global systems implementation.
Provision of data
The main concern for reinsurers is the provision of accurate data. In order to address this concern, a reinsurer will need to consider interfacing its systems with those of a client or partner. There are varying degrees of interfacing standards to help with this but, as yet, no single standard exists. Even so, most reinsurers would still welcome direct interfaces to client systems. Interfaces into partner systems, however, must be cost justified. Once a decision has been taken to interface to external systems, consideration must be given to how data will be shared and managed globally. Additionally, data interfacing is expensive, and not just in IT terms; there are also integrity controls and data management considerations to take into account.
One further point is the question of whether reinsurers get their clients involved in systems development. There are risks on both sides - if the development is a success, clients will, in theory, be happy and will have considered being fully integrated into the process. But if the development is in some way unsuccessful, will clients continue to provide business?
The terrorist attacks of September 11 forced companies to take another look at their existing IT spend. If disaster recovery wasn't one of the top priorities before the loss, it sure is now. In reality, most companies did have good disaster recovery plans relating to their IT infrastructure - and most now have even better ones. However, the main issue relating to disaster recovery was the quality of business continuity plans. The following major instructions were found to be lacking in the event of a major disaster:
Due to a few recent occurrences involving Enron, and subsequently WorldCom, security is another top priority project for most organisations and reinsurers. Enron's failure, for example, will have a profound effect on the future robustness of systems and processes to support corporate governance and compliance.
The specific impact of the attack on the World Trade Center has also taught us about cross-aggregation of risk. One example is the combined effect of a single event on numerous classes of cover, including business interruption, property and workers' compensation, critical person cover, life and permanent health insurance. Even if the interrelationships for a given event could be modeled, the appropriate level of data is not combined in the relevant systems. For example, data collected for workers' compensation and life cover does not correlate place of work.
As the world wide web becomes increasingly the preferred environment for e-service, e-commerce, etc, security for these applications becomes more of an enabler and therefore should be viewed as a continual risk assessment process.
Security exposure is not just about hackers stealing corporate data or credit card details. It can come from various sources. Reputational exposure, for instance, can be caused by website vandalism, as experienced by the New York Times, eBay and BMW. This is not only embarrassing for an organisation, but it can also have commercial and potentially legal consequences. Customer trust can be compromised. Customer trust may also be compromised if a website is frequently unavailable, for example because of 'denial of service attacks', in which a website is flooded until it crashes.
Let's not forget the most common security issues facing organisations - damage caused by employees, whether intentional or not. A recent case was brought before the UK courts in which a television was priced at £100 instead of £1,000 on a website. Hundreds were ordered and those orders were processed by credit card before the error was picked up.
As there is no one 'silver bullet' to resolve an organisation's security issues, there has to be a trade-off between risk and expense. How much risk is an organisation prepared to accept? Organisations need to implement tight security processes and controls, and make use of the relevant security tools available. Additionally, an organisation must review and monitor security controls on an ongoing basis.
Many reinsurers aiming to operate on a global basis are struggling with process-, data- and security-related issues. Some have tackled the data issue by implementing the politically simple mechanism (and generally the cheapest route) of a data warehouse fed by different systems (normally the old geographic-based applications). However, the overall cost of overhauling different systems to provide consistent definitions, data and processes is much more expensive than the politically difficult move of implementing a global application. At the same time, process redesign remains on the corporate agenda. Finally, reinsurers will also look to introduce unbreakable security to websites and the back office. Information infrastructures will be designed to withstand failure and break-in.
By Roy O'Neil
Roy O'Neil is a consultant with Deloitte Consulting, soon to be renamed Braxton. The firm has 14,000 professionals in 34 countries, and serves more than one-third of the companies in the Global Fortune 500. www.www.dc.com .