OpRisk Awards 2016
There's no monopoly on good ideas in risk management – something that helps explain how a Japanese car giant's approach to manufacturing can provide valuable lessons for a 165-year-old life insurance company based in Springfield, Massachusetts.
The centrepiece of MassMutual's risk management programme is the 'MassMutual way', a philosophy that allows every member of staff to raise potential risk management problems, which can then be fixed. The idea is based on Toyota's famous system in which employees were empowered to halt production at the firm's manufacturing plants if they spotted a defect on the assembly line.
"The goal is always to make no mistakes, but in the real world, mistakes get made," says Brad Hoffman, senior vice-president in MassMutual's enterprise risk and actuarial department, who is responsible for operational and strategic risks.
"Effective operational risk management is about making sure we track mistakes to discover trends and identify those problems. At MassMutual a red flag isn't a bad thing – it's an issue that has been successfully identified and can then be fixed."
Mutually owned by its policyholders, MassMutual offers services such as life insurance, retirement services, disability and long-term care insurance, annuities and investment management. Among its affiliates are well-known buy-side firms such as Babson Capital Management, Baring Asset Management and Oppenheimer Funds. At the end of 2015, its US insurance sales totalled $3.5 billion, while it had a considerable $642 billion in assets under management.
In practice, MassMutual's interpretation of Toyota wisdom is applied by giving every employee the opportunity to raise an operational glitch or weakness. This occurs during what are known as 'huddles' – regular team meetings designed to source new ideas from throughout the workforce and foster continuous improvement.
"What we're trying to avoid is fixing a symptom, but not addressing the underlying issue," Hoffman explains. "The MassMutual way allows any employee to identify when something isn't working as it should be, and trigger the problem-solving process to address it."
One example of this process relates to procurement. Hoffman says one employee recently raised the alarm about an increasing number of exceptions being made to the usual terms and conditions embedded in the firm's procurement contracts. As a result, risk management staff moved quickly to improve their ability to monitor and control such exceptions, as well as to quantify the impact of existing ones.
"The result was that a multi-pronged solution was rolled out, involving better education for colleagues on why exceptions were being made, as well as a new system to enable the risk department to quantify the added risk," he says. "This all came about because one employee was able to raise the issue in a huddle, and the company was able to orchestrate a consistent solution across the various departments to dig down into the root causes of the problem."
Archer at the centre
MassMutual has also been making improvements to the way it uses data and metrics to inform operational risk management. At the centre of this is its implementation of RSA Archer, a governance, risk and compliance (GRC) tool provided by Boston-based technology firm RSA Security. Although the tool was originally purchased two years ago for use in IT, Hoffman says it has recently been deployed throughout the whole firm, making it a useful asset for op risk managers.
"Our information risk team bought Archer a couple of years ago, so it began really in the enterprise risk information space; in IT controls and privacy controls. However, as we had the tool in-house and as Archer was trying to expand to become a corporate solution, it became very attractive to have in other areas of the business," he says. "We worked with the Archer team to provide the functionality we required for operational risk and have been adding to the platform ever since."
The GRC tool brings together data from various business lines, which can then be used to assist in op risk management. This data flow cuts two ways: on the one hand, it gives risk managers a better view of critical information from other parts of the business; on the other, it allows frontline businesspeople to view and track risk metrics that are relevant to their own departments.
"What we really appreciate is that any other department at MassMutual can be given access to the tool as well, which gives us a vital commonality in our communication," Hoffman says. "From an operational risk perspective, we can request specific pieces of data to be entered into the tool, while also viewing what's been entered by information risk, by audit, by compliance and so on."
MassMutual has tweaked Archer with a customised taxonomy, or risk register. Data elements can be tied directly to the taxonomy and categorised, allowing op risk managers to select and monitor metrics relating to the most important risks the company faces. In addition to providing a useful early-warning signal, Hoffman says this streamlines communication between the risk department and other areas of the business.
"The taxonomy we've built into Archer allows us to take things like certain key performance indicators from various departments and then map them to the taxonomy – meaning we can measure key performance indicators as key risk indicators, while helping our colleagues in different business lines to understand their metrics from a risk perspective."
Practitioners say the ability to communicate risk information effectively across the firm is vital. However, in MassMutual's case, it has also delivered a useful side benefit. According to Hoffman, the firm's wider integration of Archer has made it easier to respond to information requests from the multitude of state-level regulators that oversee the US life insurance industry. In particular, laws regarding the oversight of third-party providers vary widely from state to state, which previously made compliance tricky.
"Before we had the GRC tool, it was a huge exercise to gather all the necessary data that any one state insurance department might be demanding," he explains. "Using a fully integrated and constantly evolving GRC tool, our operational risk department has been able to work across the various business lines within MassMutual to establish a consistent and standardised process to track any data that could prove necessary."