The cost of claims has been at the heart of total cost of risk (TCOR) as a
separate function since the inception of risk management and even before. The
sheer magnitude of losses, insurable or not, defines so much of what risk
managers focus on, and it tends to be what they report on most often as well.
The nature of mature, and by inference effective, risk management programs
has claim management as a key focus as well. While risk maturity is directly
correlated with risk effectiveness, this latter term encompasses a much broader
perspective on things that matter.
Not surprisingly, many of these components of risk management maturity have
some connection to effective claims management. Accordingly, it is appropriate
to understand what these components are and how they dovetail with a more
comprehensive view of effective risk management. Admittedly, this perspective
relates most to the traditional hazard-risk-focused practice of risk
management; however, failure in this realm will likely point to probably
failure in other areas of risk management.
Components of Risk Discipline
To instill risk discipline, and by extension maturity, into claims
management activity, one must set the tone for effectiveness across the
spectrum of risk management activities and significantly feed overall risk
management performance. By extension, this will influence the ability of risk
leaders to act as "trusted advisers" to organizational
decision-makers. This should be a key aspirational goal for risk leaders,
critical to long-term effectiveness and functional sustainability.
The starting point for this subject is two key things: First, how one
defines "risk" and drives a consensus among key stakeholders about
that definition. Claims are, of course, the outgrowth of risk and exposure.
This direct relationship is the essence of why claims and effective claims
management has a direct relationship to effective risk management. Whether this
aspect of the discipline gets done by insurers (as part of the insurance
contract), insureds (as a part of a self-administered claim operation), or
through third parties (e.g., independent adjusters, third-party administrators,
etc.) makes little difference. Effective claim management feeds effective risk
management.
The second issue involves the risks you focus on and where they fall on the
loss curve. This may sound simple, but the reality is that many risk leaders
have responsibilities for only a portion of the risks organizations face—often
only the insurable risks. If that's the case, the need to focus on claim
management is clear: one leads to the other.
The Basics of Effective Risk Management Maturity
If you are a risk leader with broader accountability for more or all risks,
then the first question of "What is a risk to your firm?" requires
total clarity. For the purposes of this article, a good definition of risk is
"uncertainty" as it relates to the accomplishment of objectives. This
simple definition captures the most central element of concern—uncertainty.
However, the real challenge is determining the amount of uncertainty (such as
frequency/likelihood), as well as the level of impact or severity. Each risk
leader must make this choice and get it validated by his or her
organization.
While many hazard-risk-focused leaders focus on risks at actuarially
"expected" levels of loss, the challenge is how far out on the tail
one should manage. While the possibility of loss becomes increasingly remote as
you move out toward the tail of the curve, the impact of events become more
destructive. Because the magnitude of loss in this realm can be catastrophic,
the importance of both preventing and mitigating these events and their impact
becomes critical. Central to after-loss mitigation is the claims management
process. Related key questions that every risk leader must answer include the
following.
- What matters more to your organization: likelihood or impact—or are they
equal?
- What level of investigation should you apply to less likely risks?
- How do you apply typically limited resources to remotely likely
risks?
- Do you have a consensus among key stakeholders as to what risks to focus
on and how?
- Do you have or need an emerging risk identification process?
- Do you have a consensus on and clear understanding of how you define risk
in your organization?
- Have you educated your organization on the correlations among losses,
claims, and risk effectiveness?
These questions are the starting point for ensuring risk management
maturity. From your answers to these questions, you can chart your course for
what this will mean to your firm. The answers will define the process elements
of maturity that will be needed to achieve your desired state. But we need to
define what risk maturity is in order to track progress toward this state and
to ensure that stakeholders are aligned around the chosen components necessary
to get there.
Understanding the attributes of claims and risk maturity includes the
following.
- Managing exposures to specifically defined appetite and tolerances
- Management support for the defined risk culture that ties directly to the
organizational culture
- Ensuring disciplined risk and claim processes aligned with other
functional areas
- Creating a process for uncovering the unknown and/or poorly understood
(aka emerging) risks
- Effective analysis and measurement of risk and claims both quantitatively
and qualitatively
- A collaborative focus on a resilient and sustainable enterprise that must
include a robust risk and claim strategy
Examples of Risk Management Maturity Models
One thoroughly developed risk management maturity model (RMM) comes from the
Risk Management Society (RIMS).1 While it was
developed some 10 years ago, it remains a simple yet comprehensive view of the
seven most important factors that inform risk maturity. When well implemented,
these components should drive an effective approach to managing all risks
within your purview.
The components of the RIMS RMM model include the following.
- Adopting an enterprise-wide approach supported by executive management
and that is aligned well with other relevant functions
- The degree to which repeatable and scalable process is integrated into
the business and culture
- The degree of accountability for managing risk to a detailed appetite and
tolerance strategy
- The degree of discipline applied to using the elements of good root cause
analysis
- The degree to which a robust emerging risk process is used to uncover
uncertainties to goal achievement
- The degree to which the vision and strategy are executed considering risk
and risk management
- The degree to which resiliency and sustainability are integrated between
operational planning and risk process
Like all risk management strategies, no two are exactly the same, and there
is no one way to accomplish maturity. Importantly, every risk leader needs to
do for his or her organization what the organization needs and will
support.
Of course, RIMS is not the only source of risk maturity measurement. Others,
including Aon, offer other criteria. Aon's model2 includes the following components.
- Ensuring the board understands and is committed to the risk strategy
- Effective risk communications
- Emphasis on the ties among culture, engagement, and accountability
- Stakeholder participation in risk management activities
- The use of risk information for decision-making
- Demonstration of value
This is not to say that the RIMS model ignores these issues; they simply
take a different emphasis between the models.
Another model worth considering is from Protiviti's
perspective3 on risk maturity as it relates to the
board of director's accountability for risk oversight. A few highlights of
their perspective include the following.
- An emphasis on the risks that matter most
- Alignment between policies and processes
- Effective education and use of people and their place in the
organization
- Ensuring assumptions are supportable and understood
- The board's knowledge of asking the right questions
- Understanding the relationship to capability maturity frameworks
Certainly, good governance is critical to ultimate success, and the
board's role in that is the apex of that consideration. If the board is
engaged and accountable for ensuring their risk oversight responsibility is
effectively executed, the successful execution of the strategy is likely, and
by inference, risk and related claims will have been effectively managed as
well.
Another critical aspect of the impact of risk and claims that should not be
overlooked is their impact on productivity. If productivity is directly related
to people's availability to work, then we can quickly agree that risks
produce losses that affect both people and property, oftentimes together. We
can readily agree that impacts on productivity are a frequent result of losses
and the claims they generate.
Further, productivity impacts are not just limited to an on-the-job injury.
Every car accident, property loss, or general liability loss that includes
personal injury has implications for productivity in either the workplace
and/or outside of the workplace. As a result, it behooves all risk and claim
leaders to execute their roles by aligning their interests and driving their
focus.
Finally, a few fundamentals that are important to understand in the
execution of these goals include the understanding of the following.
- How you handle claims will directly affect not just your TCOR but your
overall risk management capability and effectiveness.
- There is no one right approach to managing claims or risks; each
organization must chart its own course aligned with its culture and
priorities.
- Risk and the claims they can generate must be treated as an integral
aspect of organizational strategy.
- Risk and claim management should be a focus on additive value.
- Risk and claim maturity have shown that better results are achieved as a
result.
In its simplest form, risk management is about preventing (or, on the
upside, leveraging) financing and controlling risk and loss. Effective risk
management is dependent on many elements, not the least of which is effective
claims management. And, while claims are naturally focused on negative events
that have already occurred, this activity is centrally critical to
comprehensive, effective risk management.
How you prioritize claims and related activities will have significant
effects on how you can contribute to organizational success. Doing both well
will enable both risk and claim management effectiveness, demonstrated by
measurable maturity.