Insurers face the threefold challenge of conforming to the lawsand regulations specific to the states in which they operate,staying ahead of changes to those laws and regulations, andcomplying with federal laws and regulations that affect them.

In 2009 alone, more than 24,000 state and federal laws orregulations that affect the U.S. insurance industry were changed orcreated. In the push to meet regulatory requirements, organizationsoften draft ad hoc hundreds or thousands of policies andprocedures. As the regulatory environment grows more complex,technology is a key component in helping insurers effectivelymanage their policies and procedures and reduce their compliancerisk.

Fragmented policies and procedures management can lead toproblems such as overlapping and conflicting documents, weakaccountability, haphazard communication and general confusion amongemployees. It can also lead to problems in regulatory examinations.As of January 2010, the National Association of InsuranceCommissioners' examination standards state that exams should beperformed with a focus on risk management, and policy review is acentral component of that examination process.

To begin improving policies and procedures management, insurersshould first evaluate the current process they have in place. Amaturity model, such as the Open Compliance &Ethics Group (OCEG) Illustrated Series: V. Policies, Procedures andControls, can facilitate goal setting and assessment ofprogress. According to the OCEG's maturity model, which outlinesfive key maturity levels, Level 1 (Chaos) is characterized by thefollowing:

• Existing policies, procedures and controls are in a state ofchaos and it is unknowable whether they are designed or operatingeffectively.
• Policies and procedures are passed down through an "oraltradition" and are prone to confusion and inconsistency.
• Roles, responsibilities and accountability are not clearlydefined or absent.
• A methodology to develop, implement and manage policies andprocedures is absent.
• Technology to reduce the cost and complexity of management isabsent.

Insurance organizations that find themselves toward the lowerlevels of the maturity model will have more work ahead of them.However, referring to a model such as this one provides a baselinefor building a better policies and procedures management process.It can also help an organization prioritize what needs to bedone.

By identifying and prioritizing the most pressing policy andprocedure compliance challenges, the organization will lay thegroundwork for enterprise-wide enhancement and addressmission-critical objectives in the short term. A review of thecompany's track record of performance in market conductexaminations can help pinpoint the policies and procedures thathave the greatest immediate bottom-line impact. Processes thatresult in recurring penalties for non-compliance should receivepriority attention. Insurers should also refer to research aboutcurrent enforcement trends, which can shed light on what regulatorsare looking for.

Once an organization has evaluated its current processes andidentified what needs to be accomplished, they should also considerhow technology can create efficiencies. Here are three key areaswhere technology can offer important benefits:

• Document management

Underwriting, claims, product development and licensingdepartments in different business units may maintain policies andprocedures documents in different formats and use inconsistentterminology. Some documents may not be comprehensible to theaverage employee without standardized language. Moreover, ifemployees, executives, insurance regulators or outside auditorshave questions about company policies or procedures, valuablecompany time and resources can be spent trying to track downanswers – and these efforts may not yield all the relevantinformation.

By implementing a shared technology system, an organization canachieve uniformity of location, content, revision and distributionfor all policies and procedures. In addition, search functions,version control and metadata structures will be unified under acommon management system, increasing usability and accessibilityfor staff.

Well-documented policies and procedures promote consistency,efficiency and compliance. A shared system will improve the overallquality of policies and procedures documents, eliminateredundancies, and allow compliance managers to quickly and easilydiscover gaps in policies and procedures coverage.

• Linking policies and procedures to requirements androles

Among the other benefits of a Web-based, shared system, it canhelp make procedures more understandable to staff. For example, itcan assist compliance managers in linking policies and procedureswith their related regulatory mandates or corporate goals, as wellas the organizational roles to which they apply. A shared systemalso will automatically track revisions as they are assigned andexecuted.

When the relationships of regulatory requirements to policiesand procedures are not clearly documented and tied to assignmentsfor implementation, misunderstandings by employees involved in eachmandate inevitably result. Multiple managers can establishconflicting and/or redundant procedures as they each pursue policyexecution.

In addition to creating conflict and redundancy, a reliance oncertain managers' personal knowledge over comprehensivedocumentation puts an insurer at risk of losing crucial insight ifthose managers leave and precludes any policies and proceduresauditing activities.

In contrast, assigning policies by business unit, line ofbusiness, or other organization hierarchy methods will prevent theloss of key personnel from compromising compliance success. It willalso enable managers to logically connect procedures to thepolicies they support, link regulatory requirements to the content,define policies and procedures in terms of organizational units andeffectively deliver targeted, tailored content to the audienceresponsible for and in need of compliance guidance.

By implementing the automatic tracking of changes, theorganization will also be able to keep an ongoing record of whoedited which policy when. This can serve as a very helpful audittrail for demonstrating to regulators and other key stakeholdersthat required updates have been made.

• Improving Understanding of Policies andProcedures

Technology can also help ensure that an insurance organization'semployees, contractors and suppliers have received and understandits policies and procedures.

Simply distributing hard copy and/or electronic documents on anad hoc basis and trying to keep track of sign-offs in variousspreadsheets scattered throughout the company can be difficult, andthe challenge increases if multiple policies and procedures arecompiled into a single large document. In such cases, employeesmust sign to recognize their comprehension of the whole document,rather than the specific areas relevant to them.

Third parties, such as suppliers and contractors, can complicatethe matter further. It can be particularly difficult to getdocuments to and receive attestations from third parties. Also,they may get confused by inconsistent formats that differentcompliance teams use, which can delay the attestation process.

A shared system, meanwhile, can help seamlessly integrate thirdparties into compliance processes, give compliance managers a clearview of who has not provided a response and help streamlinefollow-up with those individuals. It can also allow theorganization to provide employees and third parties with only thosepolicies and procedures applicable to them.

A technology platform can help an organization overcome its toppolicies and procedures challenges, such as achieving a consistentmodel for compliant claims practices, and enable advancement alongthe policies and procedures maturity scale. OCEG describes Level 5(Transparent) maturity with the following attributes:

• Policies, procedures and controls are embedded within corebusiness processes and technology and are almost invisible.
• Accountability for policies and procedures is built into jobdescriptions and performance evaluations.
• Compliance training is embedded within existing jobtraining.
• Compliance support is embedded within transaction systems.
• Compliance considerations are built into general decisionsystems.

While promoting transparency, a technology platform can enablecompliance managers to meet high-priority deadlines and stay withintheir budgets. It also can provide more control of the audit trailand expanded flexibility for adjustments as regulations change.Finally, by increasing the efficiency of compliance efforts, it canset the stage for a broader, enterprise-wide risk and compliancestrategy.

Pam Ewing is director of Professional Services, Insurance,for Wolters Kluwer Financial Services. Steve Taylor is seniorproduct manager for the company. They can be reached at [email protected]and [email protected].