Established over 20 years ago, the RiverStone Group – part of Fairfax Holdings Limited – is a US insurance services provider specializing in managing legacy and run-off insurance businesses and portfolios. RiverStone employs over 320 skilled professionals across the United States dedicated to helping insurers and reinsurers balance the factors required for successful run-off strategies.
The Challenge: Delivering the ‘vision of an integrated, enterprise-wide approach to risk management’
Operating predominantly in the field of legacy and run-off insurance, RiverStone’s primary focus is liability management. As a transactional business, its model is to acquire run-off portfolios at an appropriate price, providing security and finality for sellers. RiverStone also services claims portfolios on behalf of client insurance companies.
Prior to adopting Sword Operational Risk Manager (“SORM”) and Sword Audit Manager in 2018, risk management within RiverStone was centralized, high-level and not integrated with other risk specialties across the business.
While RiverStone already had a risk management product in use, it was not well supported or well implemented. Lacking critical internal audit capabilities, it was used solely by the Risk team, which found the user interface to be non-intuitive and its reporting functionality overly complex.
The Solution: Sword GRC - a validated choice
Though RiverStone did undergo an RFP (Request for Proposal) process to select a best-fit solution, it took confidence in the fact that a decision-maker within the organization already had knowledge and experience of Sword Operational Risk Manager and Sword Audit Manager.
The implementation process spanned three months end-to-end and comprised hands-on support from the Sword GRC team. This involved a series of workshops and training conducted online and geared at ensuring the base software was configured to support RiverStone’s business units’ needs. Sessions via WebEx enabled RiverStone to interrogate Sword GRC’s implementation team and ensure that the key product features needed were selected.
Feature-rich solutions underpin a positive risk culture
Embracing risk is central to RiverStone’s ethos and it operates both a ‘top-down’ and ‘bottom-up’ risk framework. According to Osborne: “We have a robust second line working through committees and boards, with our Risk team facilitating the top-down approach, setting risk limits and controls. Bottom-up, we rely on the data coming in from the teams on how they are documenting their risks and setting risk level limits and controls. It’s a two-way process.
Learning and improving through operational loss events
Amongst Sword Operational Risk Manager’s range of features, a choice of standard and custom reporting options enables relevant and informative data outputs from information collected.
Its reporting capabilities make it easy for RiverStone’s Risk team to configure reports, filter information, sort reports – removing the need for manual collation or extraction of data.
Driving mesurable benefits
Tracking risk events and reporting via this campaign provides RiverStone with a clear metric. Risk Champions can see when an individual enters an event, how long it is open for, and measure subsequent progress on any follow-up actions.
A further benefit is the ability to configure email alerts for the Risk team, providing full visibility on any updates made across risk actions, assessment, changes in controls, and risk alerts. Information is flagged and can be followed up accordingly, without an individual having to search for changes.
Auditing informed by risk and made attestable
Tailored to suit an organization’s particular internal audit, investigation or compliance needs, when integrated with risk management, Sword Audit Manager enables a full risk-based auditing methodology to plan from the risk register and feed audit results back in. Linking with Sword Operational Risk Manager, it generates working papers of risks, controls and, as required, test options identified by management.
For RiverStone, attestation is a key requirement.
The flexibility that comes from integrated risk and audit systems is a major plus. With two products working hand-in-hand the business is equipped to do its own control testing and through Sword Audit Manager, the Audit Department can keep its own audit papers while using consistent information.
Bringing a consolidated view of risk organization-wide
Perhaps of greatest value is consolidation; a single source of information that makes live data available, on-demand, at all levels.
Looking to the future, RiverStone’s Risk team plans to further improve the value of risk management for the Company. This will involve using KRI and KPI functionality that exists within the system and integrating business control testing.