Compliance means many things -- especially within the insurance industry. It means complying with state-to-state insurance regulations; but it also means establishing an anti-money laundering program. It means complying with Sarbanes-Oxley requirements; but it also means protecting customers' personal information.
Making the issue even more complex, compliance also means different things to different people. Insurers often have several groups -- including IT, legal and internal risk departments -- tasked to handle the various compliance challenges faced by the enterprise. Increasingly, however, insurers are looking to streamline compliance operations and even unify disparate compliance initiatives under one roof.
"What's happened over the past couple of years -- especially with Sarbanes-Oxley and with a lot of increased regulatory interests, large internal audit functions, etc. -- is that a lot of companies are really struggling to handle this overload and these over-auditing situations," says Maurice DiMeo, the New York-based insurance practice lead of Ernst & Young's technology and security risk services (TSRS) practice. "What companies are looking to do is converge their efforts, converge their resources. Many times there are many different constituencies involved in the risk management space -- they're looking to streamline a lot of that and, oftentimes, the technology piece can be a way of converging some of those controls."
Perhaps because of the myriad ways compliance can be defined and approached, however, insurers have built a web of disparate (and often siloed) compliance systems. As a result, it can be difficult for chief compliance officers or CIOs to look to their industry peers for an overarching strategy or emerging best practices.
Instead of specific technology blueprints on how to run an efficient and cost-effective compliance operation, what has emerged is a more general guideline: More important than any individual software solution is an insurer's basic compliance philosophy. While there are many ways to attack compliance challenges, carriers are finding that they're best served by embracing a proactive, enterprisewide approach that anticipates regulatory and risk management requirements rather than reacts to them.
More specifically, if compliance issues -- such as IT security or financial reporting -- are viewed as business requirements instead of technology requirements, it's less likely that a carrier will be caught off guard by the latest new or changed regulation. "It's back to the concept of: Do you want to do it right up front, or do you want to deal with it on an exception basis after the fact?" DiMeo says.