As more regulatory oversight of the insurance industry is put into play, the chief compliance officer (CCO) will become increasingly valuable in helping to inform and shape the business strategy and direction. CCOs who are leading the way in establishing and running a more mature compliance function have moved beyond reporting compliance failures and post-event improvements. They now support the CEO and board in decision making with concrete, reliable information.
To sit with the board and have meaningful dialogue, the CCO must know the compliance risks that pose the greatest threat to the insurer's financial well-being today and into the future, as well as reputational risks arising from actions, or lack of actions, the insurer has undertaken.
EY's recent survey of insurance CCOs shows that the compliance function is indeed evolving from reactive fixer to proactive risk advisor. These CCOs are all at the head of an independent, central function that tracks key compliance events, such as market conduct exams, regulatory inquiries, and fines and sanctions. Those with more advanced functions have at least some interactions with the board or audit committee. And several CCOs at leading insurers now meet regularly with one or both of those groups, joining the table at senior management strategy and planning discussions to help guide decision making.
Know the risks
The foundation of a robust compliance function is comprehensive, centralized knowledge of the compliance risks arising from laws and regulations relevant to the organization. That knowledge takes the form of not just an inventory of applicable laws and regulations, but also a synopsis of what those laws and regulations mean to the business. Capturing this knowledge is an expected practice in the banking industry. So far, insurers have not been held to the same standard, and few CCOs maintain such a detailed information set.
As the regulatory environment evolves and compliance risks increase in scope and impact, compliance responsibility needs to be disseminated throughout the organization. The business unit is expected to understand its compliance risks and to take ownership and responsibility for mitigating those risks. Half of the insurers surveyed — chiefly those with a more mature compliance function — indicated that business units view themselves as primarily responsible for their compliance risks, and the CCO manages compliance risk at the organizational level.
This acceptance of responsibility among business units highlights the changing times and a general shift in attitude toward compliance, from a potential impediment to an obligation the unit has to its customers. Among those surveyed, the business units with the strongest compliance functions tend to be organizations that are overseen by federal regulators, including savings and loan holding companies, broker-dealer groups and asset management firms.
Rank the risks
Most CCOs surveyed indicated their organizations perform some level of compliance risk assessment, generally as part of a broader enterprise risk assessment. These assessments tend to be concerned with big buckets of risk, such as fraud and privacy.
A few insurers have evolved beyond these broader assessments. They are assessing risks against specific regulatory requirements and conducting compliance risk assessments at the business-unit level. The result can be a more detailed view of where the most significant compliance risks are, as well as a better understanding of the specific controls needed to mitigate those risks.
Guide decision making
Board reporting and senior management reporting are becoming more comprehensive among CCOs to address existing, changing and future risks. Most CCOs at the surveyed insurers have the responsibility to establish base standards and policies for compliance risk management activities that include the reporting, escalation and remediation of issues. An aggregated report on compliance matters ultimately reaches the board or audit committee.
Although identifying and reporting compliance violations are critical to an insurer, compliance reports are more valuable when they consist of more than just incidents. Compliance reporting should provide compliance leadership, senior management, the board and the audit committee with information that enables them to challenge whether the compliance program is operating as intended.
To be more effective, enterprise compliance reporting should also outline the status of the annual compliance plan, such as training, risk assessments and testing; identify trends through analysis of complaints, violations and fines; identify changes to existing risks and identify emerging risks; and provide updates on the regulatory landscape. Standardized compliance reports and established metrics reveal trends and bring potential issues to light.
Conclusion
The expansion in regulatory requirements coming to the insurance industry is likely to call for a more robust compliance function than insurers have needed in the past and than many have in place now. Our survey shows that most insurers are taking steps to prepare for change. Those insurers who have advanced the most have gained a direct, independent line to the board or audit committee through an understanding of the compliance risks that pose the greatest threat to the organization. The stature of the compliance function will play a key role in determining how successfully insurers meet the challenges ahead to continue to protect policyholder and shareholder investments.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
Thomas Ward and Andrew Chenoweth are both with Ernst & Young LLP.