Federal Regulation Drives the Need for IT Governance

The word "governance" has come to prominence in insurance IT circles in just the last few years, partly in reaction to the spate of federal regulation rained down by the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act of 1999 and the USA Patriot Act, which became law in 2001. "The need for governance didn't become apparent until Sarbanes-Oxley and the others came along," says Karen Pauli, senior analyst in the insurance research practice at the Needham, Mass.-based TowerGroup. "SOX made it mandatory to know what's going on."

Congress passed SOX to establish accountability after a rash of corporate and accounting scandals; Gramm-Leach-Bliley opened up competition among banks, securities companies and insurers; and the Patriot Act, rushed into law after 9-11, expanded the federal government's power to search records and regulate transactions.

Then, on top of the regulations, amendments to the Federal Rules of Civil Procedure covering electronic discovery went into effect late last year, mandating that carriers produce electronically stored information in timely fashion when a legal case arises.

It seems that meeting all the new rules required "governance" from above. No longer could top management leave IT departments to find their own ways to automate business processes, manage data and conduct their own affairs. Oversight has its advantages, though, according to some.

"IT governance, if you're doing it right, is an enterprise thing that keeps IT from taking the rap for things that don't work," observes TowerGroup's Pauli.

Still, as Pauli would quickly admit, IT governance amounts to much more than a smokescreen for the department's ills. In fact, research shows the more a corporate board engages in IT governance, the better the financial results, says Larry Danielson, a principal at Deloitte Consulting.

And some insurers, Pauli notes, turned their attention to IT governance before the current era of regulation began.

The emphasis on IT governance began only partly because of regulation at Schaumburg, Ill.-based Zurich in North America, says Colleen Clark, the company's IT controller.

IT governance became a catch phrase at Zurich in North America in about 2002, as the company began striving for greater consistency and uniform standards for discretionary projects, says Clark. It was also a time of globalization for the company's IT function, which brought standards and practices that also required IT governance, she continues.

At Des Moines, Iowa-based EMC Insurance Group Inc., regulation intensified the need for IT governance, but the idea had been in place at the company since the mid-'80s, says Mike Freel, a bureau statistics manager there.

IT governance took precedence there so early because the company switched to mainframe hardware that wasn't IBM based. That meant the firm's staff began writing virtually all the software in-house and needed to assign priorities and adhere to them.

Those are examples of internal justifications for IT governance, an important aspect of the whole, according to Rajiv Gupta, founder and CEO of software provider Securant Technologies Inc., which has headquarters in San Francisco.

Many consider IT governance a subset of corporate governance, but others maintain that sorting the two into separate piles can prove problematic, says Gupta. The technology that supports some insurance lines has become so intertwined with the business rules that the two pursuits have nearly become one.

"Business governance these days really is totally meshing with IT governance because so much business is automated," says Pauli. "If you look at some of the really big carriers, or any carrier that has a preponderance of personal lines, almost all that stuff is fully automated."

Unlike commercial lines, personal lines are often automated because they include thousands or even millions of similar policies and contain relatively homogeneous data elements, says Pauli. "A car is a car and a house is a house," she says, while a 15-story office building is complicated and not necessarily similar to another office building.

Meanwhile, some consider the phrase "IT governance" nearly all-encompassing, and consequently imprecise. "I don't like the term because it's so ambiguous," says Marc Cecere, vice president and principal analyst at Forrester Research Inc., a Cambridge, Mass., consulting and research company.

Cecere says he likes to tighten the definition to "oversight." Don't include activities or processes in the definition, he cautions. Thus, he adds, building applications or processing claims wouldn't count as governance because they're hands-on.

"It might mean something different to every person," Zurich's Clark says of IT governance.

To people working in an operating environment or in the infrastructure organization, IT governance could mean change control or management around processes and functions, says Clark.

On the application side, IT governance might mean following the right protocol and practice of rolling out a new application, she says.

For people in controlling or project management, IT governance could relate to reporting, processes and controls for projects, and to funding.

"It could be defined in many ways," Clark says, "and I really think it means something different depending upon what facet of IT you're involved in."

Then there's the problem of sorting out governance and compliance. Vendors, in particular, favor the word "compliance" over "governance" because it's catchy and more likely to help promote a product, says Cecere.

"It's a way to sell more stuff," Cecere says. "If you have a project management tool and you say it can help with compliance, you'll sell more of them."

"The vendor community very heavily trades on that compliance story," agrees Pauli. "To them, that seems like the silver bullet, because you can't ignore compliance."

"It is a sales word," notes Clark. "People can get scared or get excited when they hear the word compliance."

Mentioning the word "compliance" also can open doors, according to Pauli. "A lot of IT dollars over the last several years have been thrown on the table in the name of compliance," she says, "and you didn't even have to do any project plan to get the money."

To further complicate the IT governance discussion, there's corporate IT and non-corporate IT.

Corporate IT operates enterprisewide and could include an architecture group that would help define standards and a planning group that helps coordinate activity across all of the other IT organizations, says Forrester's Cecere.

Compared with other industries, carriers' corporate groups often have fewer people and less power to dictate to the business units, says Cecere. "That's not necessarily bad," he notes, because business rules should define IT projects.

The groups are smaller because companies tend to create more groups in the face of regulation, and only the pharmaceuticals industry faces more regulation than carriers do, Cecere says. Insurers also tend to have smaller groups because many companies grew by acquisition and did not digest the companies they took over, he adds.

To make the work still tougher for insurance companies, most are made up of business units that enjoyed quite a bit of autonomy in the past, Cecere says. That independence yielded differing systems, vocabularies, definitions and data.

"If they have a large life business unit," he notes, "they may have half a dozen policy admin systems, each associated with a particular line of business: variable life, regular life, term life and on and on."

That division of effort has slowed the march toward IT compliance, says Pauli. "It's been very haphazard because IT development has been so siloed. Automobile lines for personal lines have one system, the homeowners line has another and then there's the fire line. They're all separate systems," she says.

And whatever the obstacles, IT governance requires hard work, notes Pauli. She provides an example of failure to prepare.

"If your personal lines systems need overhauling, quick, go find a policy admin vendor and plug something into place. You're done," she says. "But if you say, 'We're going to take the next three months to put together a business architecture, a governance architecture. Then, when we finally understand our business, we understand it entirely, then we're going to go buy or build.'"

How does a company go about it? The heads of business lines need to meet and they have to come to the realization that they now need to work together, she says. From there, they should agree upon definitions. A truck on a personal policy is the same as a truck on a commercial policy, for example.

Many carriers fail to bring people together to create an enterprise plan, she says, "because it is time-consuming, it's hard and you very frequently have to have someone from the outside to guide it. It is very difficult to look at yourself critically. It can be very painful, depending on the organization."

While bringing people together can prove critical, it's still best to keep directives flowing down from the board of directors, a task that's sometimes difficult to achieve, says Deloitte's Danielson.

"The word 'technology' scares a lot of board members," Danielson says. "We just don't see enough engagement. They could have a lot more influence."

However, Deloitte research conducted with Corporate Board Member magazine suggests a strong tie between board oversight of IT and corporate performance.

"We can't say whether it is because companies whose boards manage IT more closely perform better as a result, or if it is just that better-managed companies also pay more attention to IT," says Danielson. "But if we were on a board, we would not ignore this correlation."

Some 14% of the boards at companies surveyed, which included insurance companies, say they are "completely and actively involved" in IT strategy. At the same companies, 10% of the boards delegate IT matters to a board committee.

Surprisingly, in view of the growing importance of IT, 52% of the companies surveyed say their boards will spend no more time on IT governance over the next three years than they do now, Danielson says.

"The message is they should engage," he says. "It takes time but it's well worth it. There are huge paybacks in their learnings about what the business is about. I encourage them to do it."

Top management should take the lead in IT governance, agrees Brian Niemiec, vice president of operations for Sircon Corp., an Okemos, Mich.-based software vendor.

"It's not just a downward pressure but a marrying of technology to the business," says Niemiec.

That makes sense to Zurich in North America's Clark. The IT departments build the underlying structure, she says.

"It's a partnership, but the corporate governance is the ultimate driver," says Clark.

At Zurich in North America, the chief operating officer and chief financial officer emphasized the need for governance to the executive committee in 2002, when change was coming to the company, says Clark.

She describes a partnership between the office of the chief operating officer and the chief technology office. Collaboration of the two ensures alignment on business directives and business goals along with the goals of the IT organization, she says.

Having top management's involvement made things happen, says Clark. "That really helped us and helped drive the right decisions, especially at that time in the soft market."

Top management needs to go beyond business rules and look at the technical side, too, Clark asserts. "Certainly data management and data preservation, from a business priority perspective does need to be driven from the top down," she says.

And a lot of people throughout the organization could bring ideas to the CIO and let the CIO be their connection up, says Danielson of Deloitte Consulting. "People at every level can bring great ideas forward and the board should encourage it," he says.

Sharing responsibility at differing levels is crucial, according to Freel at EMC. Still, top management lacks the hands-on understanding found among workers in the middle levels, he warns.

EMC created managers called "systems directors" who understand the needs of various departments and how the departments should work together.

The systems directors also consider the big picture, and they remind people that the work in a department must square with the company's longer-range goals.

That fosters an atmosphere of cooperation rather than enforcement, Freel says. Systems directors figure out which projects should come first and build consensus for that order.

"We're all professional-caliber people," says Freel. "If we're given a chance to truly understand the big picture of what our company goals are, and how our needs fit into those goals, it makes a much simpler process to all work together and set priorities."

Assistance can come from outside, too, in the form of third-party software. Zurich in North America has used vendor-provided software for project tracking and project management, user-ID controls and management, access to systems, and access to production data, says Clark.

"You can source some of that out and have somebody whose expertise is in those functions deliver to you," she says, adding that customization is required.

For Clark, IT governance pays off. "It is that much easier knowing there's consistency and knowing there's one approach everybody uses," she says.

"A companywide approach really allows folks to be able to focus on delivering value to the business, moving the business forward rather than questioning or second-guessing," she says.

GOVERNANCE DIVIDE: IT VS. DATA

Insurance carriers are recognizing the need to separate IT governance and data governance, according to members of the industry's "data community."

"People often confuse them, but data governance is really quite a different topic than IT governance," says Gary Knoble, who worked for The Hartford for 30 years before leaving a year ago to work as a consultant for Bao Rong in China. He's a founder of data-oriented trade groups.

The IT vs. data divide also carries weight with another data specialist, Jim Viveralli, a data architect at Erie Insurance Group, Erie, Pa. Viveralli sits on industry data standards committees.

"IT Governance is usually about IT management issues, like architecture decisions or project prioritization," Viveralli says. "Data Governance is about data issues such as data stewardship, data definitions, data quality, and sometimes balancing and reconciliation."

Knoble speaks of a "data community" and an "IT community." The latter, he says, occupies itself with questions centering on technology architecture.

Data governance doesn't get enough attention when treated as a subset of IT governance, says Knoble, because the IT community does not focus on data.

"I think that's the real reason you need to separate IT governance and data governance," Knoble says.

He admits that some IT people regard data governance as part of IT governance, but he says larger carriers are making data governance the province of the actuarial department and delegating responsibility to the chief actuary or someone with the newly minted title of chief data officer.

That shift makes sense, says Knoble, because the actuarial contingent usually comes second only to the accounting department in how much it uses data.

THE KEY TO IT GOVERNANCE? MEASUREMENT.

The more a carrier's board of directors engages in IT governance, the better the company's performance. That's one of the key findings of research by Deloitte Consulting LLP and "Corporate Board Member" magazine.

But how does a board go about understanding and monitoring IT governance? What's needed, according to a Deloitte executive, is measurement.

"I think there's a huge opportunity around measurement, because that's something the board can see," says Larry Danielson, a Deloitte consulting principal who specializes in insurance.

"With the right metrics they can directionally understand where things are and seek to probe further," Danielson continues. "With the right metrics that measure the right behaviors, you can reinforce or change what you don't like."

Some carriers have the right metrics in place for directors, who can examine budgets and note how much the company is spending on development, new projects and maintenance.

"The biggest void in metrics is around IT value," says Danielson. "Right now, people are struggling with this. It's a question we get asked at all levels of leadership."

Measurement of big ideas, like IT value, comes from adding up numbers associated with smaller ideas. One component of IT value, for example, is how well the company handles product introductions.

"The culture and the change you want to have, you can measure these things," says Danielson. "You can talk about the degree of control, the degree of frameworks that are in place, the decision-making process around, for example, portfolio management. All essential parts of governance. Sometimes they are quite defined."

But the most important element is the will to use what's at hand. "How often," Danielson asks rhetorically, "is the measurement really looked at?"
