A helping hand: as insurers work hard to make sure everything is ready to comply with various regulations, their IT departments also are playing a key role in meeting the challenge.
* Insurers increasingly are relying on their information technology departments' help in the compliance process.
* Insurers' IT leaders believe their companies' investments in compliance already are paying off.
* Because many insurers view compliance as either a mandate or requirement, some believe it's helped to renew IT's reputation, while giving it more credibility.
Compliance has become part of an insurer's everyday vocabulary. Faced with regulations, such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, the USA Patriot Act and others, insurers increasingly are relying on their information technology departments' help in the compliance process.
"Compliance is the cornerstone of our operations," said Fred Haynes, IT leader for global finance for GE Insurance Solutions. Haynes was one of four industry experts who participated in a Best's Review round-table discussion on IT and compliance.
The good news for many companies is that they can rest assured because their IT departments have been preparing for some time to meet compliance requirements, and most say they're already up to the challenge.
At the Ready
While insurers' IT departments have worked diligently over the past several years to make their systems ready to ensure regulatory compliance, they said they're also prepared for additional challenges that may be thrown their way, including future delays in compliance deadlines. Such delays are nothing new for insurers. They experienced that recently when the compliance deadline for Sarbanes-Oxley Section 404--the reporting portion of the bill--was delayed twice.
Kansas City, Mo.-based GE Insurance Solutions said it's prepared to meet the challenge of any such future delays. Last year, the company conducted an internal "complete dry run" of its systems and ran as if dates were real, said Haynes. This year, the company again is going through the process. "However, some businesses may not be as prepared in having some of the internal controls, documentation or business practices set up, and may end up having to go back and do a lot of work from the ground up," he said. GE Insurance Solutions now is focusing on putting best practices in place, getting more organized and concentrating on filling in the blanks, Haynes said.
Some in the industry believe future delays are inevitable. "I wouldn't be surprised if [Sarbanes-Oxley] were delayed again, similar to what we saw with HIPAA," said Dr. Charles Emery, senior vice president of information systems and chief information officer for Horizon Blue Cross Blue Shield of New Jersey. "Everyone was point on for the implementation date, but certain groups couldn't make it. In HIPAA's case, it was the doctors." Similar to GE Insurance Solutions' approach, Emery said Horizon also ignored some of the delay dates and now is on target to meet the original compliance dates.
While it's difficult to put a number on it, insurers' IT leaders believe their companies' investments in compliance already are paying off.
A recent study by Financial Executives International, a professional organization for chief financial officers and other senior financial executives, estimated that the cost of Sarbanes-Oxley Section 404 compliance recently has gone up by 62% in six months, particularly for larger companies. Compliance now is estimated to cost $3.14 million, up from last year's survey estimate of $1.93 million. Internal costs, external costs and a rise in the fees charged by external auditors all are driving the increase.
"Return is hard to catch for us," said Horizon's Emery. "For the most part, we treated it as a mandate, and mandates are looked at a little differently than ROI where we are looking for a business return." Given the onset of both new and old regulations, the company recently developed a matrix of redundancy where "they basically all cross over one another," he added. He said the company came up with a worst-case scenario with the most stringent of all regulations and rules and placed them on the front end of its system processes. "Therefore, we view it more as a cost avoidance of redoing post implementations," Emery said.
For GE Insurance Solutions, Haynes said its largest cost driver of Sarbanes-Oxley compliance comes from the internal process of gathering and organizing documentation of controls. The overall cost, however, is in line with what the company originally anticipated, he said.
Because many insurers view compliance as either a mandate or a requirement, some believe it's helped to renew IT's reputation, while giving it some more credibility because IT departments are familiar with the internal workings of company systems.
"It's given appreciation of some of the complexity, since people now have to sign documents and they're now interested in what it really means," said Horizon's Emery. The downside, however, is that because insurers face new constraints and controls, IT now is starting to look like a bottleneck, he said.
However, GE's Haynes disagreed, casting IT's role more as best practices in terms of how the company organizes and executes to comply with Sarbanes-Oxley rather than as a bottleneck.
While Appleton, Wis.-based Thrivent Financial for Lutherans, a not-for-profit Fortune 500 financial-services organization, hasn't yet formally implemented Sarbanes-Oxley, Chief Information Officer Larry Robbins said the member-governed organization has a strong history of open disclosure of key decisions, checks and balances on management's authority, and accuracy and completeness in financial reporting. He said Thrivent Financial's IT department is getting ready for the challenge of Sarbanes-Oxley as a true partnership with business to formalize regulatory requirements. "We allow business to lead on many of these things, and IT is there to support and enable whenever possible."
Because many of the industry's IT leaders were involved with their companies' initial compliance processes, they believe it's given them a leg up in terms of knowing the company's compliance-related needs. Haynes, for instance, has assigned a full-time IT controller who is part of a companywide controllership organization which is focused on ensuring compliance with Sarbanes-Oxley.
IT also plays an important role in the interpretation of regulations.
"There is room for different interpretations. If you look across the entire landscape, we've historically approached each regulation in isolation, whether it's a privacy issue, a compliance issue or something expected," said Thrivent's Robbins. Thrivent is now connecting the dots within and across the company, he said, forming a multidiscliplinary view of all the regulations to look at them more systematically.
For Horizon, regulatory interpretation lies in the hands of the company's compliance group, which is led by general counsel and various internal specialists. "One thing for us is not just Sarbanes-Oxley but also making sure it integrates in with everything else at the same time, so we don't have separate processes and discovery requirements for every single law and regulation that comes down," said Emery. He said CIOs also play a key role in the interpretation process and are expected to know the ins and outs of state and federal regulations.
When asked whether any of the recent regulations either improve or influence the benefit that IT can bring to an organization as a secondary benefit of the work they are doing technologically, insurers said only time would tell.
"We're still trying to figure out that component," said Michael A. Edwards, executive vice president and chief information officer for Baltimore-based American Skyline Insurance Co. "On the one hand, it's true because with Sarbanes-Oxley there is accountability from a management team perspective and this is information we share with our shareholders and board of directors. It's such a huge issue to work through, and there's still uncharted territory for us, so we'll have to figure it out as we go along."
Horizon's Emery said recent regulations have created some of what he calls "wildcatting." "This is where someone runs off, says this is a cool system that a vendor convinced them they can't live without and then eventually they say they have to have it." Senior management now understands they can't do that, however, without first fitting it into the whole compliance scheme, he added. "For instance, HIPAA was a great set of regulations, but it was just 25 years too late. If we can figure out and help the government put regulations in the right place so we don't have to unbuild and rebuild, that makes a lot more sense," he said.
"When you talk about Sarbanes-Oxley, you need to organize your documentation and better understand your data flows from a support perspective," said Haynes. There are economies companies can achieve whether they are outsourcing or insourcing in terms of supporting critical applications, he said. "And we've also seen some opportunities to automate processes that maintain user access and system roles, and that ends up in some cost savings for us."
Robbins also said there are secondary opportunities that come about as a result of the compliance issues companies face. "However, it's difficult to quantify and doesn't justify it all from an expense standpoint," he said. Instead, it forces companies to look across the organization more holistically. "It also forces us to have better controls all the way through the process. We need to look at Sarbanes-Oxley as an opportunity to not only address the compliance aspect, but to leverage this to streamline the business process and systems."
State vs. Federal
Since insurance is regulated at the state level, and a lot of the compliance issues were on the federal level, insurers are speculating about what may result from trying to bridge the gap between states' regulatory demands and expected federal requirements.
Health plans faced this situation with HIPAA, said Horizon's Emery. "The state had its own HIPAA-basic type set of rules called HINT, and we worked with the state to get better in line with the federal government, and we found for the most part the state will work with an overlying federal structure if it makes sense," Emery said. If not, the state then wants to put its own rules into place on top of the federal ones, so IT's role in many cases is that of coordinator and educator, he added.
Working closely with state regulators is also key. American Skyline's Edwards said it's critical that insurers have the best working relationship they can with various departments of insurance.
Closer Look at Compliance
Generally the regulations, although at times challenging, are bringing focus to areas that are appropriate for IT departments to look at and improve, said Robbins of Thrivent Financial. "Our challenge is to meet compliance as well and get the most value out of them for our membership."
American Skyline's Edwards said companies should pay particular attention to three areas: legal and regulatory requirements from an interpretation of law perspective; accounting compliance and interpreting their requirements; as well as particular attention internally within operations management.
Compliance is critical to the industry, and it's everyone's job, said GE's Haynes. "When it comes to compliance, IT is seen as an enabler and a true partner with business," he said.
In addition, Horizon's Emery said he would like to see both the federal and state governments do a better job at coordinating these efforts. "And in light of the fact they don't always, our key to success is coordinating it so we only have to cover the tracks once," Emery said. Compliance already is being accomplished and is a good codification of much of what already is being done, he said. "Our industry deals in confidence," Emery said, "and anything that gives our customers more confidence will make them more confident that we're doing the right thing for them on a consistent basis."
Larry Robbins
Chief Information Officer, Thrivent Financial for Lutherans
The regulations, although at times challenging, are bringing focus to areas that are appropriate for IT departments to look at and improve.
Michael A. Edwards
Executive Vice President and Chief Information Officer, American Skyline Insurance Co.
Companies should pay particular attention to three areas: legal and regulatory requirements from an interpretation of law perspective; accounting compliance and interpreting their requirements; as well as particular attention internally within operations management.
Dr. Charles Emery
Senior Vice President, Information Systems and Chief Information Officer, Horizon Blue Cross Blue Shield of New Jersey
"HIPAA was a great set of regulations, but it was just 25 years too late. If we can figure out and help the government put regulations in the right place so we don't have to unbuild and rebuild, that makes a lot more sense."
Fred Haynes
IT Leader for Global Finance, GE Insurance Solutions
"When it comes to compliance, IT is seen as an enabler and a true partner with business."
Executive Vice President/Chief Information Officer and E-Fusion Conference Chairman, A.M. Best Co.
American Skyline Insurance Co.
A.M. Best Company #12479
Distribution: In-house agents, independent agents, exchange, direct
Horizon Blue Cross Blue Shield of New Jersey
A.M. Best Company #64022
Distribution: Brokers, benefit consultants, direct
GE Insurance Solutions
A.M. Best Company #58158
Distribution: Brokers, managed general underwriters, direct
Thrivent Financial for Lutherans
A.M. Best Company #06008
Distribution: Captive field force
|Title Annotation:||Regulatory Issues; Information Technology|
|Date:||Nov 1, 2004|