RiverStone Group

RiverStone Group

Case Study

Established over 20 years ago, the RiverStone Group – part of Fairfax Holdings Limited – is a US insurance services provider specializing in managing legacy and run-off insurance businesses and portfolios. RiverStone employs over 320 skilled professionals across the United States dedicated to helping insurers and reinsurers balance the factors required for successful run-off strategies.

The Challenge: Delivering the ‘vision of an integrated, enterprise-wide approach to risk management’

Operating predominantly in the field of legacy and run-off insurance, RiverStone’s primary focus is liability management. As a transactional business, its model is to acquire run-off portfolios at an appropriate price, providing security and finality for sellers. RiverStone also services claims portfolios on behalf of client insurance companies.

Prior to adopting Sword Operational Risk Manager (“SORM”) and Sword Audit Manager in 2018, risk management within RiverStone was centralized, high-level and not integrated with other risk specialties across the business. 

Stephen Osborne explains, "Information existed in silos and was not always brought together at the enterprise level. There was a lack of integration overall, creating an opportunity for an enterprise approach that could bring value."

Stephen Osborne, Vice President Risk

While RiverStone already had a risk management product in use, it was not well supported or well implemented. Lacking critical internal audit capabilities, it was used solely by the Risk team, which found the user interface to be non-intuitive and its reporting functionality overly complex. 

Osborne elaborates: “The initial ‘eye test’ of the product in itself was a barrier to better adoption. The software wasn’t user-friendly. It had become a repository of information for the Risk team only that was quite hard to use. Essentially, we didn’t feel it was an appropriate tool to take the business forward. We recognized that we needed a solution offering integration, allowing us to embed risk management across our teams, and to place ownership of information within departments and teams across the company."

Stephen Osborne, Vice President Risk

The Solution: Sword GRC - a validated choice

Though RiverStone did undergo an RFP (Request for Proposal) process to select a best-fit solution, it took confidence in the fact that a decision-maker within the organization already had knowledge and experience of Sword Operational Risk Manager and Sword Audit Manager. 

Osborne points out: “One of my UK compatriots had knowledge of the Sword solutions from previous use and importantly, trusted the Sword GRC team. We knew Sword’s GRC solutions could be fit-for-purpose and actually, both the UK and the US made the switch to Sword solutions concurrently.”

Stephen Osborne, Vice President Risk

The implementation process spanned three months end-to-end and comprised hands-on support from the Sword GRC team. This involved a series of workshops and training conducted online and geared at ensuring the base software was configured to support RiverStone’s business units’ needs. Sessions via WebEx enabled RiverStone to interrogate Sword GRC’s implementation team and ensure that the key product features needed were selected.

Commenting on the quality of Sword GRC’s support, Osborne stated: “The team’s advice was very pragmatic, helpful and practical. Using document exchange to go through configuration and training would have been more drawn out and with greater margin for error, so Sword GRC’s hands-on, mentoring approach was refreshing. As an out-of-the-box solution, features can be switched on or off to suit so through the implementation we were able to note things that we could revisit, as our company processes develop. Subsequently, we’ve always been able to follow the core product path and keep up with upgrades. “We’ve been pleased with the support Sword has provided – that’s not something you can guarantee at the time of contract. With Sword GRC we have found that usually things can be handled quickly with a call or an email and any cost implication is very transparent. We haven’t been let down in any shape or form – in fact, quite the opposite.”

Stephen Osborne, Vice President Risk

Feature-rich solutions underpin a positive risk culture

Embracing risk is central to RiverStone’s ethos and it operates both a ‘top-down’ and ‘bottom-up’ risk framework. According to Osborne: “We have a robust second line working through committees and boards, with our Risk team facilitating the top-down approach, setting risk limits and controls. Bottom-up, we rely on the data coming in from the teams on how they are documenting their risks and setting risk level limits and controls. It’s a two-way process. 

“Structurally, we have Risk Champions within each department who represent our interface with the business. We work in close communication with them with key data leveraged through the SORM solution. Executive buy-in was a key priority in our drive toward enterprise-wide risk management. Top-down engagement is essential and with departmental reporting, planning and tactical focus, Operational Risk Manager enables alignment with executives.”

Stephen Osborne, Vice President Risk

Learning and improving through operational loss events

Amongst Sword Operational Risk Manager’s range of features, a choice of standard and custom reporting options enables relevant and informative data outputs from information collected. 

Its reporting capabilities make it easy for RiverStone’s Risk team to configure reports, filter information, sort reports – removing the need for manual collation or extraction of data. 

Osborne comments: “A standout feature for us is the risk reporting function for risk events. This is actively promoted internally and forms the basis for a campaign entitled ‘Stuff Happens, Make it Matter’ - an accessible, fun way to engage people, take the sting out of a negative event, and turn it into an opportunity to learn and improve. Loss data underpins recovery or control improvements and with Sword Operational Risk Manager, any employee can simply click on a link to generate a report to us.”

Stephen Osborne, Vice President Risk

Driving mesurable benefits

Tracking risk events and reporting via this campaign provides RiverStone with a clear metric. Risk Champions can see when an individual enters an event, how long it is open for, and measure subsequent progress on any follow-up actions.

“We’ve seen an uptick with the tool and it has greatly facilitated our strategy in regard to loss events management.”

Stephen Osborne, Vice President Risk

A further benefit is the ability to configure email alerts for the Risk team, providing full visibility on any updates made across risk actions, assessment, changes in controls, and risk alerts. Information is flagged and can be followed up accordingly, without an individual having to search for changes.

Osborne sums up: “We can configure exactly what we want to see come through; it’s convenient, time-saving, and the efficiencies go without saying.”

Stephen Osborne, Vice President Risk

Auditing informed by risk and made attestable

Tailored to suit an organization’s particular internal audit, investigation or compliance needs, when integrated with risk management, Sword Audit Manager enables a full risk-based auditing methodology to plan from the risk register and feed audit results back in. Linking with Sword Operational Risk Manager, it generates working papers of risks, controls and, as required, test options identified by management. 

For RiverStone, attestation is a key requirement.

“We operate a quarterly attestation cycle within which Risk Owners and Control Owners must review and update the status on their risk profiles. Data changes are monitored, and sign-off on risk and controls is essential. Sword Audit Manager makes this whole process easy for us, which is great. It gives an audit trail and trends of risks over time, which we find especially useful,” says Osborne.

Stephen Osborne, Vice President Risk

The flexibility that comes from integrated risk and audit systems is a major plus. With two products working hand-in-hand the business is equipped to do its own control testing and through Sword Audit Manager, the Audit Department can keep its own audit papers while using consistent information.

Bringing a consolidated view of risk organization-wide

Perhaps of greatest value is consolidation; a single source of information that makes live data available, on-demand, at all levels.

Says Osborne: “The fact that my team, each business area and its leadership have a point of reference and that all the information can be brought together and accessed in easy–to-comprehend and consistent formats is a game-changer.”

Stephen Osborne, Vice President Risk

Looking to the future, RiverStone’s Risk team plans to further improve the value of risk management for the Company. This will involve using KRI and KPI functionality that exists within the system and integrating business control testing.

“Knowing that control owners can validate their own control effectiveness and document that in the tool is something that we want to take further. Now we have the ability to mature our framework and the software to support that.”

Stephen Osborne, Vice President Risk