Challenge

As a federally regulated financial institution, the Office of the Superintendent of Financial Institutions (OSFI) expects Gore Mutual to implement a risk-based regulatory compliance management (RCM) program, focused on three core components:

• Governance (program design)
• Program Delivery (requirements identification, control design & implementation)
• Program Assurance (control testing at both the business unit and compliance levels)

Since an effective regulatory compliance management (RCM) program requires whole-enterprise engagement, Gore Mutual was tasked with fostering meaningful relationships across more than 12 business units—ranging from finance to underwriting, human resources to technology, marketing to claims—all of which were required to comply with a varying number of legal and regulatory requirements. To add another layer of complexity, some of those requirements were in the process of being heavily scrutinized by Canadian regulators.

While developing these relationships at the best of times can be challenging (since compliance functions are often seen as an organizational burden rather than innovation and value-add partner), the compliance team also knew that all of these business units were keenly focused on their own ambitious roadmaps that stretched resources to modernize their individual functions in accordance with the overall company transformation goals.

The team also recognized that their regulatory compliance management program was not only the cyclical nature (in that our federal regulator expects property and casualty insurance companies to undertake this cycle at least annually) but also the program’s core components mandated a significant level of effort from Business Unit Compliance Officers (BUCOs), including:

• Requirement Identification – Identifying the regulatory and legal requirements applicable to their business unit, which vary across 13 provincial jurisdictions and require consideration given our ambition to become a national insurer.
• Operational Controls – Identifying, designing, and implementing operational controls within their business unit that are responsive to the relevant regulatory requirements, plus evaluating their design. Testing the operational effectiveness of their identified and implemented operational controls.

Given that their regulatory compliance management (RCM) program at the time of refresh consisted of more than 330 unique regulatory requirements and 294 compliance controls spanning more than 12 business units, Gore Mutual needed to embrace the challenge of making their RCM program not only accessible but efficient for their business partners. They looked to the Onspring platform as the key to their success.

Solution

It became clear to the Gore Mutual team that they had two great opportunities to catapult efficiency and streamline a tedious process.

First, they wanted users to focus on unmet regulatory requirements assigned to their business unit. The team needed a way to visibly account for individual regulations and automatically notify BUCOs.

Second, they needed a way to inform the frequency of compliance control testing by the results of annual compliance risk assessment. For example, a high-risk control must be tested at a minimum of every 6 months, but ideally it would be tested quarterly.

Integrated Control Mapping Dashboard

Tackling the regulatory requirement identification process first, Gore Mutual dove into Onspring’s out-of-the-box compliance solution to relate regulatory requirements to controls.

Next, the team needed to create an alert to notify business units of their new and/or unmet regulatory requirements.

Enlisting the help of Tutela Solutions, Gore Mutual created a report and a corresponding dashboard to alert BUCOs to new and/or unmet regulatory requirements assigned to their business unit, which also seamlessly enabled the identification and documentation of a responsive control.

This automated process connected three applications:

1. Regulation Information stores the specific regulations Gore Mutual is striving to satisfy.
2. Organizations is where each of the Business Units are documented such as Claims, Marketing, Underwriting, etc.
3. Controls houses the specific steps to adhere to the regulation documented per Business Unit.

To ensure all regulatory requirements assigned to Organizations were fulfilled by a corresponding Control, Gore Mutual created a Control Mapping dashboard with several reports utilizing formulas to detect any gaps.

When gaps are identified, Organizations can update an existing Control or create a new Control to ensure alignment. This convenient visibility ensures Business Units have Controls documented for the Regulations they are required to meet—and Corporate Compliance has transparent status information.

Risk-based Compliance Control Testing

Gore Mutual knew that in order to meet regulatory expectations, all control testing needed to be risk-based and provide critical insights into the effectiveness of their RCM Program without overburdening business partners.

They began once again with Onspring’s out-of-the-box solutions to operationalize the risk assessment process by mapping to the Risk Register app easily enough. Then they customized the solution even further. In partnership with Tutela Solutions, Gore Mutual configured the entire process to inform the business unit control operation testing based on a frequency guided by the inherent risk assessment from the control’s underlying business process.

Now, their automated regulatory compliance management program contemplates an Annual Compliance Risk Assessment, wherein each business unit considers the levels of inherent and residual risk of non-compliance within their core business unit processes.