Who: Piyush Singh, SVP/CIO of Great American Insurance
What: Singh has transformed the 4,000-employee company’s entire operative platform and influenced the company’s business philosophy.
Why: Singh’s experiences innovating in a traditionally risk-averse industry provide a recipe for success for any CIO grappling with governance, risk and compliance challenges.
Piyush Singh has been a CIO in the insurance industry for more than a decade, currently holding the title of senior vice president and CIO of Great American Insurance, as well as vice president of its parent company, American Financial Group in Cincinnati. Singh led a large-scale transformation of Great American’s entire operative platform and has had a major influence on its business philosophy. Under his leadership, the company’s IT role changed from that of custodian of a legacy IT environment to respected partner that participates in–and contributes to the success of–the businesses it supports.
Great American has implemented a modern technology architecture as a foundation that will adapt for future growth and evolving business needs. CIO Insight contributor and Metis Strategy President Peter High recently spoke with Singh about how he balances his team’s role in innovation with governance, risk management and security–especially in light of the increasing demands of his colleagues and the company’s customers.
CIO Insight: What is your approach to managing IT?
Piyush Singh: First, my philosophy is that IT is an integral part of the business environment, and we need to service it to provide a competitive advantage. This requires proximity to the domain-specific business environment, involvement in the broader business world, and a strong understanding of business strategy. To achieve this in an agile and nimble manner, we need to maintain the optimum balance between build and buy. We build those systems that give us a competitive advantage and differentiation in the marketplace. Examples include our core underwriting systems, as well as portals that form the foundation for servicing our customers. We buy those items that do not differentiate us and would make no difference to our customer base, such as billing applications, background rating solutions, content management and the like. In the past, we had no clear strategy, and sometimes our actions were driven by individual and organizational passions. Once our core pieces were in place, it was vital to ensure that our entire architecture was effectively and efficiently integrated.
We recently underwent a four- to five-year initiative to change our application architecture to make it relevant for the current and evolving business environment. It was a radical change for us, but it was necessary to be sure that we were operating as efficiently as possible. By working with our business colleagues to determine what should be built versus bought, we can be sure that more of my team’s time will be focused on truly innovative activities to support the business.
CIO Insight: You operate in an industry that, at its core, is about risk management. How do you foster an innovative culture, which is defined by a certain level of risk taking, in an industry that is designed around the mitigation of risk?
Singh: First, CIOs need to educate their colleagues (inside IT and out) about the emerging world of the future. They should describe innovations from other industries, drawing parallels with their own business. In the insurance business, we are very good at mitigating others’ risks and, as you suggest, we can take it to an extreme when we need to take risks ourselves. This is both a problem and an opportunity. It is a problem in that it is easy to simply have a risk-averse culture. But it is also an opportunity because you can stand out in this industry if you foster a culture of innovation, take some risks and show the business how it can creatively apply technology solutions to meet customer and organizational needs. Then, it is important to prove the advantages that can be brought about through innovation, and continue to pull this lever until ultimately the business demands innovation from IT.
CIO Insight: How does the “consumerization of IT” affect innovation?
Singh: While many people are concerned about the proliferation [of consumer devices in the workplace] and the issues this is creating, it has largely been a big help from my perspective. Non-IT people see the power of technology to a greater extent than they once did. They bank online; they shop online; they have a multitude of technology devices that they employ. The challenge for us is that in the past, the IT team would test a new technology thoroughly before it was deployed. Today, our business executives have their hands on iPads before we do, and they are more knowledgeable about them than some of the IT staff. It puts us in a position of having to catch up. That said, it provides a platform for conversations that stimulate innovation. The appetite is there among our business constituents to a greater extent than in times past.
CIO Insight: How has technology changed the habits of your company’s customers?
Singh: It is leading to the need for shorter cycle times. Customers expect things faster. The extent to which they have a terrific user experience on Amazon means that we are now going to be compared with Amazon to some extent when they visit our site. They want life to be a “single-click” and intuitive experience. If we are not fast and nimble, and if our services don’t anticipate their needs, they will be underwhelmed.
The younger our customers are, the more demanding they will be. They will want access from anywhere to everything through any device. That puts pressure on IT to think creatively about how to deliver that vision. Again, to the extent we cannot deliver it, the customer will be less than satisfied.
CIO Insight: How do you approach governance, risk management and compliance (GRC) in light of these factors?
Singh: It is important that we take all three of these practices very seriously. The data that we house and store and act upon related to our customers is sacred, private, and it is of the utmost importance that it remains secure. Therefore, we have taken the necessary precautions to ensure that it is safe. There are some basic ground rules that I live by. First, it is important to note that if someone has access to data, they have the capability of taking it with them. This means we need to think about who should have access to which systems and which data. We should find out where and how people are working, and provide authorizations accordingly. Modern systems of identity access management can help us more than traditional silo approaches to user authorizations. Second, we strengthen the perimeter. We make it close to impossible for outsiders to penetrate our systems. Third, it is important to have a high level of trust internally, and when trust has been broken, to take remedial action and let it be known that action has been taken, so as to dissuade others who might act inappropriately.
At the end of the day, governance, risk management and security practices cannot be allowed to shackle our customers and our colleagues, or they will be frustrated. Customers will go elsewhere to do business, and our colleagues will try to find ways to work around us.
CIO Insight: Do you see a disconnect between the risk tolerance of the company and the risk tolerance of the CIO?
Singh: Companies need to understand their own risk tolerance and willingness or need to innovate before hiring a CIO. Once they have determined that, they need to think about whether CIO candidates align with that vision. There are many cases where they do not, and that is bound to frustrate the CIO and his or her colleagues outside of IT.
That said, investing in technology naturally comes with some risk. We are asked to transform technology, to right the wrongs of our predecessors, to innovate on behalf of the company while also managing IT efficiently. There will be risk, and there should be some risk.
One of the rules I’ve noted through my experience and my interactions with CIO peers is [that] the later one gets in one’s career, the less likely he or she is to take significant risks. There are exceptions, but the closer a CIO is to retirement, the less likely he or she will be to take major risks. Why not go out on a less controversial note rather than taking a chance and possibly failing?
CIO Insight: How does this rule apply to you?
Singh: Well, I’m not the youngest CIO, but I have chosen a path that I think provides us ample room for innovation while also managing risk. When I look for good ideas, or when I benchmark companies, I look at my insurance peers, of course, but I never stop there. I also look at other information- or data-centric companies. We have made supply chain changes based on examples we’ve learned from Amazon. Amazon is a classic example of a company that is eliminating non-value-add tasks in the business process and making it customer-centric. I also see other customer-centric companies employing tablets in their businesses. Many of my peers in insurance are waiting to see how the solution shakes out, but we decided that if we continue to wait, we are going to miss the boat and frustrate our colleagues and ultimately our customers.
Regarding governance, I think you mitigate some of the risk through sound practices. We expect new ideas to have ROI analyses conducted. We need to know what the cost will be, and what potential benefits we can assume. There is a tendency in IT departments to focus on cost and effort rather than benefits. While we push on the former, we focus on the latter a lot with the customer in mind. We need to recognize that truly innovative ideas may not have a precursor that can be used to help gauge the potential benefit. Therefore, there is some tolerance for best guesses. If there is a positive ROI, we typically say, “Give it a try.” If there is not a provable ROI, but there are other well-articulated benefits that may not have dollars associated with them, we may still give them the green light. Innovating is about taking some chances. The governance process should continue to validate those assumptions. Where the assumptions are proven to be wrong, we need to re-evaluate, and to cancel the idea if necessary.