As more regulatory oversight of the insurance industry is put into play, the chief compliance officer (CCO) will become increasingly valuable in helping to inform and shape the business strategy and direction. CCOs who are leading the way in establishing and running a more mature compliance function have moved beyond reporting compliance failures and post-event improvements. They now support the CEO and board in decision making with concrete, reliable information.

To sit with the board and have meaningful dialogue, the CCO must know the compliance risks that pose the greatest threat to the insurer's financial well-being today and into the future, as well as reputational risks arising from actions, or lack of actions, the insurer has undertaken.

EY's recent survey of insurance CCOs shows that the compliance function is indeed evolving from reactive fixer to proactive risk advisor. These CCOs are all at the head of an independent, central function that tracks key compliance events, such as market conduct exams, regulatory inquiries, and fines and sanctions. Those with more advanced functions have at least some interactions with the board or audit committee. And several CCOs at leading insurers now meet regularly with one or both of those groups, joining the table at senior management strategy and planning discussions to help guide decision making.

Know the risks

The foundation of a robust compliance function is comprehensive, centralized knowledge of the compliance risks arising from laws and regulations relevant to the organization. That knowledge takes the form of not just an inventory of applicable laws and regulations, but also a synopsis of what those laws and regulations mean to the business. Capturing this knowledge is an expected practice in the banking industry. So far, insurers have not been held to the same standard, and few CCOs maintain such a detailed information set.

As the regulatory environment evolves and compliance risks increase in scope and impact, compliance responsibility needs to be disseminated throughout the organization. The business unit is expected to understand its compliance risks and to take ownership and responsibility for mitigating those risks. Half of the insurers surveyed — chiefly those with a more mature compliance function — indicated that business units view themselves as primarily responsible for their compliance risks, and the CCO manages compliance risk at the organizational level.

This acceptance of responsibility among business units highlights the changing times and a general shift in attitude toward compliance, from a potential impediment to an obligation the unit has to its customers. Among those surveyed, the business units with the strongest compliance functions tend to be organizations that are overseen by federal regulators, including savings and loan holding companies, broker-dealer groups and asset management firms.

Rank the risks

Most CCOs surveyed indicated their organizations perform some level of compliance risk assessment, generally as part of a broader enterprise risk assessment. These assessments tend to be concerned with big buckets of risk, such as fraud and privacy.

A few insurers have evolved beyond these broader assessments. They are assessing risks against specific regulatory requirements and conducting compliance risk assessments at the business-unit level. The result can be a more detailed view of where the most significant compliance risks are, as well as a better understanding of the specific controls needed to mitigate those risks.

Guide decision making

Board reporting and senior management reporting are becoming more comprehensive among CCOs to address existing, changing and future risks. Most CCOs at the surveyed insurers have the responsibility to establish base standards and policies for compliance risk management activities that include the reporting, escalation and remediation of issues. An aggregated report on compliance matters ultimately reaches the board or audit committee.

Although identifying and reporting compliance violations are critical to an insurer, compliance reports are more valuable when they consist of more than just incidents. Compliance reporting should provide compliance leadership, senior management, the board and the audit committee with information that enables them to challenge whether the compliance program is operating as intended.

To be more effective, enterprise compliance reporting should also outline the status of the annual compliance plan, such as training, risk assessments and testing; identify trends through analysis of complaints, violations and fines; identify changes to existing risks and identify emerging risks; and provide updates on the regulatory landscape. Standardized compliance reports and established metrics reveal trends and bring potential issues to light.

Conclusion

The expansion in regulatory requirements coming to the insurance industry is likely to call for a more robust compliance function than insurers have needed in the past and many have in place now. Our survey shows that most insurers are taking steps to prepare for change. Those insurers who have advanced the most have gained a direct, independent line to the board or audit committee through an understanding of the compliance risks that pose the greatest threat to the organization. The stature of the compliance function will play a key role in determining how successfully insurers meet the challenges ahead to continue to protect policyholder and shareholder investments.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

Thomas Ward and Andrew Chenoweth are both with Ernst & Young LLP.
