What Do You Think? Risky Business
Insurers have always been eager to hand out risk management advice to their customers. Managing risk, after all, is the true definition of insurance. Carriers haven’t always applied the same sense of caution to their own operations—particularly the IT department—where failed projects, aging technology, and a shortage of talented technologists have plagued operations for decades.
This month we asked three industry analysts to offer some advice to carriers on one area where risk management in the IT department could be improved. Providing the advice are Rod Travers, executive vice president of The Nolan Co.; Bill Jenkins, founder of Agile Insurance Analytics; and Donn Vucovich, managing partner in MVP Advisory Group.
This month’s question: What is one particular aspect of risk management that insurance IT departments need to focus on in the next year?
Rod Travers, The Nolan Co.
IT should take a more prominent role in risk awareness education and policy reinforcement for employees, business associates, and even customers. Granted, education may not be “technology” per se, and it’s not as glamorous as implementing the latest new tablet function, but such education is impactful in terms of changing behavior and mitigating cyber risk.
The everyday technology user has no idea of the myriad security threats that are out there, or how they might be unwittingly enabling them. They need to be periodically informed about common vulnerabilities, threats, and best practices for thwarting those threats.
Some companies have begun conducting “mystery shopper” security drills to expose vulnerabilities and to demonstrate real-world threat scenarios. Some have even made it competitive by awarding a prize when someone fends off a staged threat.
The “human endpoint” is typically the weakest point in the information security chain; we should be doing more to address that reality.
Bill Jenkins, Agile Insurance Analytics
One of the biggest risk-management issues that has plagued all IT operations over the years has been project failure risk. Most system development projects represent significant corporate investment from both a tangible view (financial investment, staffing investment, and technology investment) and an intangible view (lost opportunity costs).
Project failure is often defined as being over budget, overdue, and missing user expectations. Project management studies highlight that the majority of development projects fail over time, and only about 15 percent of software projects are completed on time and on budget.
Under greater scrutiny, it becomes apparent that many “successful” projects are the result of reduced functionality or of a scaling back of the system’s original specifications/requirements. More frightening, however, is the fact that a report from The Standish Group states that system development failures are increasing. “When you find yourself in a hole,” Will Rogers once said, “stop digging.”
Donn Vucovich, MVP Advisory Group
Flight attendants will warn those of us traveling with small children to put our oxygen mask on first and then tend to our children. This simple, common-sense approach to continuous parenting also applies to continuous risk management. And if you don’t give the risk manager enough oxygen, you won’t see much life in your risk management program.
In 2016, a good IT risk manager should have the funding and staff necessary to:
Conduct risk assessments with business input that identify significant gaps in data protection and cyber-security;
Prioritize risks based on a shared business and IT view of incidence and severity;
Identify emerging risks in a timely manner; and
Build risk mitigation into every new IT project, product or service.
Strong IT risk management is the result of consistent attention to systematically updating threat profiles and ensuring that defenses and contingencies are strong. Vigilance and prevention aren’t free, but they are economical.
36 ITAPro // November 2015 // www.emagazine.ITApro.org