Insurance agency owners often treat their vulnerability (or risk) management and regulatory compliance strategies as two separate activities. While attending a recent webinar, though, I was struck by how the “three core vulnerability management challenges” identified by speaker Jonathan Care apply to far more than cybersecurity. Everything from operational design to workplace culture, including regulatory compliance, can benefit from his threefold approach to addressing vulnerabilities.
Three Core Vulnerability Management Challenges
There are three main challenges in vulnerability management:
- Failing to properly prioritize threats,
- Not using a continuous approach, and
- Poor communication/unclear organizational structure.
Let’s take a closer look at each of these challenges and how they manifest themselves in the context of regulatory compliance. Additionally, we’ll see what steps insurance organizations can take to minimize their vulnerabilities in these areas.
Prioritization
The penalties resulting from non-compliance certainly pose a threat to the success of an insurance business. Still, I would tweak the first challenge to read, “Failing to properly prioritize threats and opportunities.” Many insurance professionals see regulatory compliance as a brake on their growth and innovation. This can be especially true for individuals entering our industry from other, less highly regulated sectors such as technology.

A well-thought-out compliance strategy, however, is more than a way to avoid fees and fines. It can mean the difference between meeting growth goals and wasting valuable resources. It can also become a key differentiator between an insurance business and its competitors. Take the following operational steps to minimize your vulnerability to compliance issues:
Make compliance an organization-wide commitment.
Regulatory compliance isn’t a task that can be “delegated” to a single employee or even a small team and then forgotten. State insurance departments and other regulators hold licensed individuals and entities responsible for compliance. Thus, every licensee has a role to play in meeting compliance obligations. Create a culture of compliance that reinforces the reality that failure to meet these obligations is a work-stoppage issue with a real and often immediate impact on the organization’s bottom line.
Adopt a proactive approach.
While it’s rarely a good idea to put off dealing with compliance requirements, a proactive approach involves more than avoiding procrastination. Insurance professionals need to stop treating compliance as boxes on a checklist to tick off as quickly and cheaply as possible. Instead, licensees and leadership should approach each decision about their compliance strategy by asking, “How can this activity improve the competitiveness and authority of my business?” Finally, organizations need to respond to regulatory actions (their own or the mistakes of others) by putting robust compliance procedures in place to avoid similar events in the future.
Be intentional.
Few insurance businesses have time and money to waste on compliance activities that don’t benefit the bottom line. That’s why it’s essential to understand the immediate and ongoing costs and tasks needed to stay compliant before beginning a project. Failing to grasp the often-complex interactions between various regulatory activities can quickly lead to costly delays, do-overs, and abandoned projects. Additionally, if resources are limited, prioritize by return on investment rather than initial cost or ease of completion.
Consistency

For many insurance professionals, “regulatory compliance” equals “deadlines.” Certainly, it’s important to complete specific tasks by the state-mandated due dates. Focusing exclusively on deadlines, however, can result in compliance receiving only sporadic attention. Consequently, as Jonathan puts it, “Sporadic = erratic = failure.”
Make compliance routine.
Actions taken on any given day can result in regulatory penalties if the appropriate processes are not in place. Thus, compliance awareness needs to become part of everyday workflows. For example, producers should verify their licensure and appointment status before soliciting, negotiating, selling, or receiving commissions from insurance sales.
Compliance is more than licensing and renewals, however. Various regulators expect insurance businesses to notify them of any changes to information on file in a timely manner. That means training team members at every level to understand what information the states track and when to report changes. Remember that requirements and procedures change over time, so provide “refreshers” on a regular basis.
Build in redundancy.
In many agencies, a compliance team handles the agency’s licenses and other requirements, while individual agents are responsible for their own compliance needs. Third-party providers, such as CPAs, may handle tasks such as tax filings. In organizations where responsibility is shared, it’s a good idea to send reminders about approaching compliance deadlines. Since many requirements have a thirty-day window, monthly emails are ideal.
Next, while some jurisdictions offer grace periods or extensions for certain regulatory filings, beware of relying on this leeway. Such “late filings” can involve additional fees or fines. Additionally, if there is a delay in processing at the state, team members can find themselves unable to work without risking serious regulatory sanctions.
Organization

While everyone has a role to play in meeting regulatory requirements, this diffusion of responsibility can make it all too easy for the individual to say, “Hey, that’s somebody else’s problem.” Having a robust and clearly communicated organizational structure for compliance management helps avoid this issue.
Require accountability.
Even if an organization concentrates responsibility for submitting regulatory filings in the hands of a few individuals, that team will need information from colleagues throughout the organization. Team members need to understand what information they need to provide. They also need to know who should receive the information, by when, and in what format. For example, for some filings scanned documents or e-signatures are acceptable, while other filings require the original documents with “wet signatures.”
Once these responsibilities are clearly explained, managers and supervisors need to hold their employees accountable for fulfilling these obligations – just as they would any production-related task. After all, no compliance professional enjoys being the “nag.”
Create a “single source of truth.”
Having a single repository for compliance information, including due dates, current forms, past filings, and supporting documents, makes tracking compliance easier. To protect the integrity of the stored information, most users may be limited to read-only access. Depending on the type of information stored, additional security measures may be needed to protect the personally identifiable information (PII) of clients and employees.
Involve compliance at the highest levels.
Compliance professionals need to be key advisors to decision-makers. Too often, leaders enact bold growth strategies only to discover that they failed to understand the costs and timelines involved in executing them. The result can be frustration, wasted resources, and lost business opportunities.
This communication needs to go both ways, however. Compliance teams need to understand the strategic vision of business leaders to ensure that their staffing levels and operational priorities align with the “big picture” objectives and identified business risks and opportunities.

From insurance licensing and compliance, corporate compliance, and surplus lines tax filings to business process management, operations optimization, and more, the ReSource Pro family of companies helps insurance businesses meet their regulatory obligations and achieve their strategic growth goals.
Visit us at ilsainc.com to discuss your needs with a compliance consultant.