In 2005, many U.S. insurers were privately held and thus not subject to the requirements mandated by the Sarbanes-Oxley (SOX) Act of 2002. However, private insurers must follow financial reporting rules set forth by the National Association of Insurance Commissioners. As the NAIC considers adoption of SOX-related best practices, leading private insurers already are preparing for the inevitable increase in regulatory scrutiny.
Many of the insurance industry’s traditional business processes and IT systems will not support the projected demands of SOX-style compliance. In response, some private insurers are consolidating their business systems, examining where and how they store critical data, and proactively adopting internal controls similar to those outlined within SOX sections 303, 404 and 409. As they do so, they face the same compliance challenges as their public industry peers:
o Identifying and mapping all current business processes;
o Determining how best to simplify and automate those processes;
o Developing and documenting internal controls;
o Maintaining auditable processes;
o Enforcing privacy standards; and,
o Ensuring the security of core business systems.
During 2005, the first year of SOX enforcement, insurers struggled to overcome the shock of learning how their organizations actually conducted business. Many of their processes involved much more paper and manual intervention than previously thought.
After a painful and costly first year spent identifying their business processes in order to monitor and report on them, insurance companies face a new challenge in 2006. In this second phase, they must evaluate their business operations, eliminate redundant processes, then simplify and automate the remaining processes to reduce the time and costs associated with compliance.
One key strategy to address this challenge among both public and private insurers involves driving compliance throughout their entire organization. A common misconception about compliance is that it only involves the finance department. In fact, it impacts all key functional areas from human resources and purchasing to IT. While the CFO often is the primary owner of compliance issues related to financial transactions, many other departments should participate in the execution of compliance activities and share responsibility for their organizations’ overall adherence to SOX and pending NAIC standards.
This enterprisewide approach to compliance is the foundation for a growing trend among insurers. Many now are making business unit owners and other employees responsible for a variety of compliance activities. The goal is to enable the entire company to review how it performs critical processes instead of forcing financial executives into the role of compliance cop.
For example, human resources executives, not finance executives, should own the processes associated with tracking and reporting on licensure status for claims adjusters and examiners in accordance with state regulations. The same is true for routine HR tasks, such as administering benefits and payroll, since all of these activities are key compliance metrics.
Yet, completing an employee transaction today, such as a pay raise, often involves some level of paper-based processes and ad hoc decision-making. Automating this compliance-related process ensures the pay raise moves through all the required approval channels while simultaneously creating an electronic audit trail. It also ensures employees receive the correct raise at the correct time while minimizing the time HR staff spend collecting paper records, so they can focus on more strategic activities like succession planning.
In procurement, insurers must demonstrate compliance across a variety of transactions related to spending management. For example, insurance companies need to track how much they spend with specific suppliers and enforce on-contract purchases vs. ad hoc buying. By having purchasing managers take ownership of these processes, they gain visibility across their often geographically distributed organizations. Only then can insurers begin to standardize and automate their purchasing practices companywide to support compliance.
Insurance purchasing managers also must establish internal controls to ensure compliance with their company’s vendor payment policies. These policies could include rules related to which employees may add a vendor to the procurement system or authorize payments against vendor purchase orders.
The addition of internal controls allows local purchasing to continue while monitoring which vendors receive payments, at what time and on which employee's authorization. By automating vendor payment processes, insurers can consolidate their preferred vendors, prevent payment errors, improve efficiencies and free procurement staff for more strategic work, such as negotiating vendor contracts.
In addition to department leaders, the average employee has a supporting role to play in compliance activities. Self-service technologies enable insurance companies to make all employees responsible for ensuring their basic information is accurate. For example, when employees maintain their address, tax deductions and benefits enrollment data, they lessen the HR department’s compliance burden. This allows HR executives to focus on more complex compliance issues related to 401(k) contracts, Social Security benefits and other key metrics.
As SOX and NAIC regulatory requirements continue to evolve, the insurance industry must adopt technologies that support automation as well as business process improvements. Insurers must also embrace a culture in which compliance permeates their entire business, instead of being an initiative driven solely by the finance department.
This two-pronged strategy will enable insurance companies to reduce their compliance burden and effectively prepare for the third, and final, phase of compliance management. That phase will focus on streamlining automated processes to gain measurable business benefits from overall compliance efforts. The result will be reduced manual, paper-based processes that will give insurance companies more time and capital to perform strategic tasks that ultimately drive long-term competitive advantage.