Century-old Insurance Company Automates 100% of RCM with Onspring
A Regulatory Compliance Management Case Study
OVERVIEW
Before Canada was even a nation, its preeminent property & casualty insurance company was up and running. Though proud of its legacy, in 2022 Gore Mutual Insurance Company knew it had to modernize its regulatory compliance management for the future—stat. With guidance from Tutela Solutions, this nearly 200-year-old business satisfied OSFI regulatory requirements and established holistic, enterprise compliance in a matter of months by creating unique automations in Onspring.
Challenge
Because Gore Mutual is a federally regulated financial institution, the Office of the Superintendent of Financial Institutions (OSFI) expects it to implement a risk-based regulatory compliance management (RCM) program focused on three core components:
- Governance (program design)
- Program Delivery (requirements identification, control design & implementation)
- Program Assurance (control testing at both the business unit and compliance levels)
Since an effective regulatory compliance management (RCM) program requires whole-enterprise engagement, Gore Mutual was tasked with fostering meaningful relationships across more than 12 business units—ranging from finance to underwriting, human resources to technology, marketing to claims—all of which were required to comply with a varying number of legal and regulatory requirements. To add another layer of complexity, some of those requirements were in the process of being heavily scrutinized by Canadian regulators.
While developing these relationships at the best of times can be challenging (since compliance functions are often seen as an organizational burden rather than innovation and value-add partner), the compliance team also knew that all of these business units were keenly focused on their own ambitious roadmaps that stretched resources to modernize their individual functions in accordance with the overall company transformation goals.
The team also recognized that their regulatory compliance management program was not only cyclical in nature (the federal regulator expects property and casualty insurance companies to complete this cycle at least annually), but that its core components also demanded a significant level of effort from Business Unit Compliance Officers (BUCOs), including:
- Requirement Identification – Identifying the regulatory and legal requirements applicable to their business unit, which vary across 13 provincial jurisdictions and must all be considered given Gore Mutual's ambition to become a national insurer.
- Operational Controls – Identifying, designing, and implementing operational controls within their business unit that respond to the relevant regulatory requirements, evaluating the design of those controls, and then testing their operational effectiveness.
Given that their regulatory compliance management (RCM) program at the time of refresh consisted of more than 330 unique regulatory requirements and 294 compliance controls spanning more than 12 business units, Gore Mutual needed to embrace the challenge of making their RCM program not only accessible but efficient for their business partners. They looked to the Onspring platform as the key to their success.
- Mandated OSFI program expectations
- Evolving regulations & requirements
- Missing visibility into the current status of BU compliance
- Significant level of effort for requirements identification
- Time-intensive, cyclical evaluation of 330 unique regulatory requirements and 294 compliance controls spanning more than 12 business units
Solution
It became clear to the Gore Mutual team that they had two great opportunities to catapult efficiency and streamline a tedious process.
First, they wanted users to focus on unmet regulatory requirements assigned to their business unit. The team needed a way to visibly account for individual regulations and automatically notify BUCOs.
Second, they needed a way to drive the frequency of compliance control testing from the results of the annual compliance risk assessment. For example, a high-risk control must be tested at a minimum of every 6 months, but ideally it would be tested quarterly.
Integrated Control Mapping Dashboard
Tackling the regulatory requirement identification process first, Gore Mutual dove into Onspring’s out-of-the-box compliance solution to relate regulatory requirements to controls.
Next, the team needed to create an alert to notify business units of their new and/or unmet regulatory requirements.
Enlisting the help of Tutela Solutions, Gore Mutual created a report and a corresponding dashboard to alert BUCOs to new and/or unmet regulatory requirements assigned to their business unit, which also seamlessly enabled the identification and documentation of a responsive control.
This automated process connected three applications:
- Regulation Information stores the specific regulations Gore Mutual is striving to satisfy.
- Organizations is where each of the Business Units are documented such as Claims, Marketing, Underwriting, etc.
- Controls houses the specific steps to adhere to the regulation documented per Business Unit.
To ensure all regulatory requirements assigned to Organizations were fulfilled by a corresponding Control, Gore Mutual created a Control Mapping dashboard with several reports utilizing formulas to detect any gaps.
When gaps are identified, Organizations can update an existing Control or create a new Control to ensure alignment. This convenient visibility ensures Business Units have Controls documented for the Regulations they are required to meet—and Corporate Compliance has transparent status information.
Risk-based Compliance Control Testing
Gore Mutual knew that in order to meet regulatory expectations, all control testing needed to be risk-based and provide critical insights into the effectiveness of their RCM Program without overburdening business partners.
They began once again with Onspring’s out-of-the-box solutions, operationalizing the risk assessment process by mapping it to the Risk Register app. Then they customized the solution even further. In partnership with Tutela Solutions, Gore Mutual configured the entire process so that business unit control operation testing is scheduled at a frequency guided by the inherent risk assessment of the control’s underlying business process.
Now, their automated regulatory compliance management program contemplates an Annual Compliance Risk Assessment, wherein each business unit considers the levels of inherent and residual risk of non-compliance within their core business unit processes.
Result: Automation in Onspring Accelerates Gore Mutual Compliance Vision
“When we started our journey to modernize Gore Mutual’s compliance function, we recognized and reveled in the opportunity to transform within a broader organizational transformation,” said Sonya Stark, Chief Compliance Officer for Gore Mutual.
Onspring’s innovative platform quickly delivered an automated regulatory compliance management solution that supported their team’s goal to be a data-driven, efficiently automated, value-add partner for the overall business.
Massive Efficiencies
The most critical need for Gore Mutual was to leverage a platform that could automate their entire RCM program their way and fast. In just a matter of months with Onspring, they completely automated 80% of the RCM program’s components, with the remaining 20% slated for later in the year. This has eliminated manual, burdensome processes for BUCOs, such as navigating endless spreadsheets, and has reduced their administrative workload by an estimated 25%.
Flexibility that Integrates the Enterprise
Before choosing Onspring, Gore Mutual evaluated several solutions that were either too specialized, too slow or too rigid. Since implementation, they’ve greatly enhanced the visibility of their RCM program monitoring and reporting, with real-time insights and trending dashboards. This allows compliance to be seen in a new light, one that enables timely and value-add organizational contributions.
“Now we have our enterprise risk management team, our procurement team, internal audit, third-party vendor management and more coming into Onspring,” reiterates Sandra Malcolm, Director of Compliance. “Together, we leverage internal reporting and data sharing among all of us without the previous lag time and email chaos. It’s an amazing improvement.”