Gone are the days of someone sitting at a typewriter creating 50 separate cover letters for state filings, as was the case in the 1980s when John Baumgardner joined Standard Insurance Co. The Portland, Ore.-based insurer began using simple off-the-shelf tools to automate day-to-day activities. “We’ve continuously updated the off-the-shelf items [such as Microsoft’s Word Macros and Mail Merge] year by year,” he says. “It’s very simple and cost effective.”

This is just the beginning. Insurers have begun applying a number of different business models and more sophisticated tools to their regulatory compliance management practices. Before implementing any tools, though, most will agree the process needs to start with a plan and be well thought out.

“We looked at how many hours we are spending on activities,” says Baumgardner. “That’s where you have to start. You have to know what you’re doing, how long it’s taking, how long it will take to automate, what the savings are, and then do a cost benefit analysis.”

Jackie Paul, director in government relations at Humana Inc., Louisville, Ky., had a plan in place before deciding to take a project management-type approach to the company’s compliance practices. “If you don’t have a defined process, you don’t have process controls or a secured data system where you store information—you can’t guard against rework.”


There are a variety of areas within an insurance organization that have compliance functions within them. This is a large area of concern for insurers right now, according to Debbi Marquette, product manager, Frisco, Texas-based Skywire Software. “Insurers are concerned about how they track and manage the compliance processes,” she says. “They interact with multiple business units within their organization. They don’t operate within a silo by any means.”

A project management-based approach has helped Humana, which analyzes 800 to 1,000 laws and regulations per year, with this concern. “We have multiple areas within the organization playing different roles within compliance,” Paul says. “There needed to be an integrated process with everybody having more defined roles and responsibilities. We, as a company, use a lot of performance- and process-based discipline. So, it was just applying that same discipline.”

The methodology behind Humana’s approach consists of four key steps: initiation, planning, execution and closeout. In the initiation stage, the form or legislation/regulation is reviewed and assigned to a subject matter expert through a database. Next in the planning stage, a timeline/schedule is developed and process controls are designed. The execution stage consists of validating deliverables and executing risk management, change control and any communication plan. The final stage—closeout—consists of completing documentation, obtaining final status reports and conducting lessons learned.

“We have found in practice that for a lot of the legislative and regulatory changes, it’s helpful to go through all four of the steps, regardless whether it’s a complex piece of legislation or not,” Paul says. “Certainly, it gets much more sophisticated if you’re talking about something that’s of high magnitude. We’ve had to develop pretty specialized teams and databases to store all of the documentation associated with certain legislation.”

Baumgardner says the way Standard approaches compliance is much like a project management approach. “We’ll watch for a law change, and when it changes, we assess the impact on our company,” he says. “We take it as it comes and deal with each one separately.”

Plans are in place at The Standard to develop a central database of projects to help Baumgardner manage projects. “I’ll then know who has room on their desk for a new project,” Baumgardner says. “Many our insurance services group compliance team is broken out by specific products. I’ll have a group life expert or a group disability expert—crossovers as well. But it’s nice to have one person who’s the best at that, so when I get notice of a law change, it can go to that person and they’ll say, ‘Here’s what we need to do and here’s how we need to change our processes.’”

Creating the right process is important in a project management-based approach, and different for each company.

Skywire’s Marquette says one customer saw its compliance department spend 20% of their time just fielding questions from other business units on managing the process. “That equates to one day per week of someone’s time—time that could be spent negotiating with the insurance department,” she says. “By putting processes in place, and really identifying and mapping out their business process, which included implementing a self-serve status search, anyone with access could go in via Web browser and search for status of filings, forms or rates—time spent fielding questions dropped from 20% to 1%.”


Insurers’ compliance departments spend a great deal of time managing the enterprises’ many compliance issues throughout a number of areas, which is why some experts will agree that enterprise risk management (ERM) is more important than ever.

In some cases, the ERM process within insurance organizations started off in the actuarial department, says Tom Hettinger, managing director at EMB America LLC, San Diego. “We are seeing some compliance departments coming into the role of ERM leader. But, ERM is not just a filling-out-forms process or a checking-a-box process. It’s more a process of checking a box, filling out forms and asking what’s on the horizon. That’s not to say compliance can’t do that. I think they’ll have to be careful to not let it turn into just checking the box.”

ERM also involves complex risk modeling and assessing risk, which has become difficult due to the increasing volume of data that’s required to do these, according to Van Beach, senior consultant with the Tillinghast Division of New York-based Towers Perrin. “The alternative to a more robust environment is to throw more actuaries behind it, but the problem is that actuaries are expensive and anything manual is prone to error,” he says. “It’s the classic IT/business distinction: The business has owned this problem forever and been loathe to let IT in, but now IT can step in and help here. The business side and actuaries have to let that happen. There will be products coming out to create that managed, controlled environment.”

Humana is headed toward ERM. “There’s a lot of disciplines to enterprise risk management,” Paul says. “Where you store all of your documentation has to be done in a secured way, and you have to have process controls in place that don’t allow people to manipulate that information once it’s been out there for compliance purposes. We’re still trying to do a lot in that area to get more disciplined about that.”

Document storage and management is just one facet of ERM. Insurers need processes, activities, procedures, metrics, measurements and tools to make sure risk management and compliance are embedded into their strategic planning, says John Varvaris, senior managing director, advisory business services at Devon, Pa.-based SMART Business Advisory and Consulting LLC. But, he says, technology and the user have to evolve. “This ERM top-down methodology is fairly new, and companies may not be ready go out and buy toolsets because they’re still trying to get their arms around the culture. So there’s a little bit of a push-pull: Are users ready for technology? Is the tech there to support the users?”


There are existing technologies that can help insurers in a principles-based approach to compliance efforts, according to Robert Booz, VP and analyst for the Financial Services research team at Stamford, Conn.-based Gartner Inc.

Principles-based compliance is the organizational adoption of execution methods for external regulatory requirements that will offer guidance in uncertain situations and provide early identification of problems to enable action before directives are put in place, according to Booz. Principles-based compliance creates internal rules, procedures and behaviors for a health insurer to use in responding to issues or mandates on a day-to-day—rather than episodic—basis. To be sure, rules-based compliance must be the baseline for regulatory activities. Principles-based compliance augments, but does not replace, the required steps of proactive issue identification.

“There are companies that have had this as part of their corporate culture for some time,” Booz says. “It was just not referred to as principles-based, but more code of conduct.”

Using existing IT capabilities such as CRM, process management tools and business intelligence can provide early warning of, and mitigate the need for, regulatory responses to potential problems. Investment in IT can be limited to repurposing excising capabilities.

“If a particular claim type has a higher than normal inquiry rate, which you can find through business intelligence, the insurer can ask why there is a problem with its policy; is there a problem with how it’s explained; is there a problem with how it’s processed internally?” Booz says. Rules-based compliance would entail dealing with an inquiry or complaint when it’s received, Booz says. Principles-based compliance entails looking at that report with the intent to find out where the problem is and fix it before the inquiry or regulatory call is received.”

Tillinghast’s Beach looks to valuation software rather than financial modeling software to help insurers with principles-based compliance. “Using financial modeling software may not be useful in a compliance capacity—they have never been used in this manner,” he says. “Valuation software has more security and compliance-related functionality or features that lock down a system.”

No matter the technology used, insurers can use principles-based compliance to get in front of competitors, Booz says, and, in some instances, influence regulators or legislatures to recognize the insurer as best in breed.

To find out more about what the future regulatory landscape holds, visit www.insurancenetworking.com and search “TowerGroup Maps Technical Regulatory Challenges.”

(c) 2008 Insurance Networking News and SourceMedia, Inc. All Rights Reserved.

Register or login for access to this item and much more

All Digital Insurance content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access