The effort to keep up with an onslaught of compliance and regulatory requirements is swamping insurance firms, causing them to put important operational issues on the back burner, sometimes to the detriment of the business, according to senior executives attending the recent LOMA/ACORD Insurance Forum and the Risk Insurance Management Society (RIMS) annual conference.
“The regulatory environment has increased 10 times versus 3 years ago,” said Chuck McCaig, CIO of Chubb Insurance. “Regulations are being passed and implemented state by state as well as federally, which means insurance firms have to manage their people and systems horizontally and vertically. It’s incredibly complex.”
With the threat of punitive action hanging like the Sword of Damocles over their heads, the insurance industry has poured time, money and resources into compliance initiatives. But progress has been painfully slow, Sarbanes-Oxley deadlines have been pushed back, and errors and abuses are still occurring.
Why isn’t it working? The reason, experts say, is that businesses are tackling the regulatory challenge incorrectly. The wrong people are driving the process, key groups within the organizations are being excluded, the right tools are not being put in place, and, perhaps most importantly, they are not beginning with a risk plan.
“Every initiative should begin with a risk plan,” said John Phelps, Director of Risk Management for Blue Cross Blue Shield of Florida. Initiatives to date have been too focused on risk suppression and should instead be focused on risk management: helping operations to better manage their business.
A risk plan allows an organization to rate and measure risks associated with a particular initiative, identify items on the critical path or high-risk issues, and score those assessments against business metrics. With an accurate risk plan in place, businesses can objectively prioritize their requirements, get the right folks around the table, and focus on those projects that will yield the greatest benefits to the company.
A good risk plan gets risk management, compliance, audit and operations needs on the table, and demonstrates how the IT organization can effectively support this diverse group of constituents, noted Phelps. A risk plan built around compliance can also identify costly problems that have not been uncovered previously.
“It’s a lot like the process we all go through to get a car inspection sticker,” added Bob Parisi, Senior Vice President and Chief Underwriting Officer of AIG. “To comply with the law, we go through the inspection process and display the sticker as a symbol of compliance. But if, in the process of getting that sticker, the mechanic discovers and fixes a safety flaw before someone gets hurt, then the end result is much greater than simply achieving compliance.”