Jumping Forward

Compliance in insurance

As we venture into 2020, evolving regulations and changing consumer behavior will impact insurers. Cybersecurity, data privacy, and customer protection continue to shape new challenges and trigger regulatory scrutiny.

As an insurance leader, you may already be considering how to address regulatory and risk management challenges—and it’s a daunting task. At Oliver Wyman, we have been working with clients to solve these issues and more effectively manage compliance risks. Our paper, Jumping Forward, delves into the challenges and impacts our clients are facing. We present the strategic changes and quick wins needed to effectively manage compliance, including how to develop a risk-based compliance program, increase engagement with the overall business, and fully align other non-financial risk functions.

Positioning Compliance as a strategic partner rather than a naysayer will be important for communicating clearly and gaining critical buy-in from the business


The financial crisis highlighted the staggering financial and reputational impact compliance failures can have on institutions. Since 2008, regulators globally have sought to raise the bar for compliance risk management—imposing stricter standards on how financial services companies manage their obligations. Recently, there has been significant focus on compliance practices at insurers, in addition to new laws and regulations related to sales practices, market conduct, privacy, and individual accountability. This, coupled with changes in customer expectations, business mix, and technology, has only further increased the challenges insurers face in managing their compliance risks.


In our experience, Compliance functions at insurers tend to be less mature than those at other regulated financial institutions. Similarly, insurers typically have fewer resources dedicated to compliance risk management and less influence and impact within their organizations than at other types of regulated financial institutions.

As a result, insurance companies need to take a hard look at whether their Compliance functions are keeping pace with this heightened degree of complexity, scrutiny, and change. In this paper, we recommend that insurers make three strategic changes to more effectively manage existing and evolving compliance risks.


  • 1. Establish risk-based compliance programs

    The goal is to focus on the most important compliance risks rather than applying similar intensity across all obligations. In our experience, Compliance programs at most insurers are predominantly “rules-based” instead of also being “risk-based.” Rules-based functions focus solely on the letter of the law and have broad but shallow programs that track the relevant rules, laws, and regulations and test and train for compliance with them.

  • 2. Increase the engagement between Compliance and the business and corporate functions

    This enables a broader firm-wide effort to manage the most important compliance risks, rather than having these efforts shouldered by Compliance alone. This partnership model allows stronger compliance processes to be built into the first line, enabling the business to detect risks as they originate. When Compliance provides review and challenge of the business’ design and implementation of controls, effective risk management becomes embedded in everyday business processes.

  • 3. Align and work more closely with other non-financial risk management functions

    This helps to manage the firm’s top risks (e.g., privacy and cyber) more seamlessly and in a consistent fashion. At many insurers, Compliance and other non-financial risk disciplines (e.g., operational, information technology and cyber, third-party) have operated in organizational silos despite falling under the same non-financial risk umbrella. As a result, these disciplines have built separate risk management processes (e.g., risk rating methodologies) that may not align. Areas where we have observed a high degree of opportunity for alignment are the risk assessment process, controls processes, and reporting. Other areas of opportunity are interaction with the businesses/functions and training.


As insurance companies invest in the development of more “risk-based” compliance risk management programs, these changes can be implemented across the typical compliance risk management framework.


We believe that it is essential for insurers to begin a journey towards a more effective model for Compliance within their organizations.

Enabling this transformation requires insurers to obtain strong support from senior management, clarify the first-line and second-line ownership of compliance risks, and upskill the Compliance team. While such a transformation will likely occur over multiple years, many quick wins can start to be implemented right away to progressively set the tone on the way forward.
