The insurance industry faces compliance challenges in areas such as transparency with the Generally Accepted Accounting Principles; privacy with the Health Insurance Portability and Accountability Act; accountability with the Sarbanes-Oxley Act; security with ISO 17799; and licensing with state-specific
At the same time, insurance companies face a host of operational challenges including opaque, entrenched business practices and legacy information systems that have become an impediment to change.
It is easy for companies to adopt individual tools and methods to address risk management, change management, business-process management, document management, e-mail archiving, electronic discovery, information security, and disaster recovery and continuity planning. However, this often results in an independent "silo" approach to solving compliance issues. Such an approach can cause high expenses, redundant analysis and infrastructure, integration difficulty and long-term maintenance complexity.
Companies face multiple competing compliance, operations and information-technology challenges that arise not in isolation but together in complex interaction. Therefore, companies should address these challenges in an integrated fashion.
There is a viable, holistic alternative to silos: an approach that joins corporate compliance initiatives with operations. The approach comprehensively applies information-technology best practices, effectively transforming compliance projects from unwanted distractions into competitive advantages.
FINDING AN INTEGRATED APPROACH
The silo approach is essentially a duplication of effort causing additional up-front cost and the promise of long-term integration-related expense. The results are negative and predictable. Investment in long-term infrastructure is ignored because the cost is not seen as amortized over multiple projects but borne by a particular one. In addition, the silo approach results in the selection of niche tools, guaranteeing ballooning integration costs (or lack-of-integration opportunity costs) in the future. Finally, incremental costs that would result in enterprisewide benefits will be considered out of scope--and every project manager knows that scope creep is bad, right?
The logical alternative to the isolated, silo approach to compliance is an integrated approach to compliance, operations and information systems. Regulatory considerations should be addressed in conjunction with operational ones, and information systems should support them jointly, not individually.
In insurance, for example, financial reporting involves transactional data from accounting, underwriting, policy administration, claims, and risk and capital management. Some of the data needed for running the business is the same data needed for reporting compliance. The process models behind the operational information systems share much in common with the descriptions of controls for audits.
A single application portfolio, if robust enough, should support both compliance and operational needs. Integrating all functions transforms entire compliance initiatives into smaller incremental projects, resulting in financial payoff, functional improvement and operational simplification.
BUSINESS PLANNING
Integration of compliance with operations involves three elements: business planning, process modeling and tools.
Planning for compliance is best done as part of overall business and IT planning. This encompasses strategy, organization, definition of key performance indicator metrics and overall project management. The benefits include cost efficiency, business case reuse and a unified road map for change.
Companies create enterprisewide information strategies to ensure that the selection of technology--hardware, software and network components--and business processes for accounts payable, payroll, e-mail and Web sites is functional, cost-effective, seamlessly integrated and adaptable to changing compliance needs. The same advantages that apply in the case of these operational systems also apply to compliance systems.
In contrast, decision-making silos--information technology in one discussion, compliance considerations in another--create an artificial dilemma in cost analysis.
For example, the cost of compliance, given your existing legacy information systems, is probably greater than the cost of compliance would be with next-generation systems. But the reason the legacy systems are still there is that replacing them was not cost-justified--based on information-system benefits alone.
However, suppose the shortfall on that business case is exceeded by the savings in cost of compliance. In that scenario, compliance becomes a business case for technology investment. Alternately, a strategic investment in IT, in addition to bringing its own benefits, might decrease the cost of compliance to zero. Consolidating systems to a simpler infrastructure reduces complexity and improves efficiency in parallel with compliance.
Following are just a few examples of possible synergies between operations and compliance. They include leveraging the application data security architecture to address privacy requirements, and extending document-management capabilities to include document retention.
Because financial reporting in insurance draws on transactional data from accounting, underwriting, policy administration, claims, and risk and capital management, companies could develop a road map of business-intelligence needs that addresses both executive dashboards and regulatory reporting. Companies could also align billing applications and processes with Sarbanes-Oxley compliance activities, and harness Web technologies or service-oriented architectures (SOA) to attain electronic integration with regulatory systems. They could holistically approach the modeling of processes for business process re-engineering or capability maturity certification (with the Capability Maturity Model or ISO-9000), along with the modeling of controls (e.g., for SOX). Controls and audits that already exist in IT applications but are underutilized could be leveraged as well.
PROCESS MODELING
The intersection of compliance and operations is not fundamentally about information systems but about business processes. The importance of business process modeling cannot be overemphasized, and one needs to understand the following:
* To formulate a business strategy that can be successfully implemented, you must have at least a high-level model of your business processes. A business strategy, once defined, still must be communicated, and translated into action; business process models are the media for doing so.
* To ensure that compliance testing is successful and repeatable, model your business processes. This encourages the organization to think of compliance activities as a repeatable process, not as ad hoc activities (recurring but reinvented). The cost of compliance (of given scope) should decrease over time, not increase.
* To ensure that your IT projects address real business needs and do not fail, and that efficiencies of automation are realized, it's critical to model the business processes. Successful implementations require solid requirements, which can be valid only if they in turn are grounded in actual business processes.
* To implement change successfully, it is critical to model both the current business processes and those envisioned for the future. Change always involves a "before" and "after" picture, and such pictures are well "painted" by business processes.
In short, process modeling should be the foundation for compliance activities just as it is for change management and information-system activities.
TOOLS
Compliance tools should be selected no differently from any other enterprise and operations software. They should be part of an overall plan for shared capabilities built on a common enterprisewide infrastructure. In short, compliance activities should maximize the use of existing IT assets. When existing IT assets cannot satisfy new compliance requirements and additional tools are needed, choose the tool that best meets the full enterprise requirements, not merely the compliance requirements alone.
Avoid selecting tools until the following prerequisite activities have been completed.
* Identify the business case in the context of the entire enterprise.
* Model the business processes (and plans for how they will change), and use them to drive requirements.
* Define requirements before attempting to evaluate a given tool; specifically, develop joint requirements for package selection that address compliance, operations and strategic information-technology needs together.
* Assess the extent to which existing tools already meet those requirements. Only then is it time to consider selecting additional tools to purchase.
Information technology used to be considered a stand-alone function and cost center, but corporations now recognize that it is intimately tied to core business processes and operations. Compliance is currently treated as a stand-alone activity and cost center, but here, too, there is opportunity to integrate it with other business functions. This is particularly important for insurance and other financial services companies.
Integrating compliance activities with operations and associated information systems--when applied to planning, business modeling and tools--promises many benefits: high-payback improvements that otherwise seemed cost-prohibitive, decreased integration costs, and increased visibility into business performance through a unified view of operations and compliance. The sum is more than just falling into line with regulation. It adds up to competitive advantage.
JOE TEDESCO is a managing director in the Business Technology Solutions practice of international consulting firm Navigant Consulting Inc. He has previously published opinion pieces on business intelligence, data management, outsourcing, and project management.
Survey: Compliance Initiatives Suffer from Inconsistency
When it comes to consistency among compliance procedures, corporations are all over the map, according to a new survey of executives responsible for governance, risk and compliance.
The survey found that 84 percent of companies don't use consistent structure and terminology in their policies and procedures. Human resources, finance, legal, and IT departments in different business units, for example, keep policy and procedure documents in different formats.
What's the upshot? It's very expensive, and often there are big variations in the quality of documents, according to the survey's authors.
"Some may be written simply and clearly, but others are often quite arcane," the authors of the survey write. "Worse yet, when employees, executives, or outside auditors have questions about the company's policies or procedures, they have to go on time-consuming hunting expeditions to find the answers they need."
The survey was released in April by Axentis, a Cleveland-based marketing and risk and compliance software services company.
It also found that 92 percent of companies do not separate policies and procedures in a consistent manner. As a result, employees are often forced to absorb the contents of massive documents, of which only a small portion may relate to their specific responsibilities.
This is dangerous, as employees are simply signing off on an all-encompassing document rather than the specific procedures for which they are responsible, and it can drive companies afoul of regulators.
In addition, the survey found that 67 percent of companies do not consistently track policies against the regulatory requirements or corporate mandates that drive them, and 64 percent of companies lack a consistent way of communicating procedures to employees.
At many companies, employees are informed about compliance-related procedures through hard-copy documents, e-mails, intranet Web sites, and verbal communications. The plethora of channels only confuses recipients, according to the survey's authors, who recommend that firms stick with a single, automated system to distribute and track compliance materials.
"Such a system reduces confusion among users, since it provides a standardized look-and-feel and a methodical approach for all compliance-related communications," the authors write.
KEVIN SUDY is an associate director with experience in business intelligence, regulatory compliance, revenue assurance, data management and system development life cycles. They can be reached at riskletters@lrp.com.