Quarterly Risk Monitoring Checklist

Regulatory Compliance Review

    Pull bulletins, circular letters, and adopted regulations from each state DOI portal where the carrier is licensed. SERFF activity and NAIC model law adoptions belong here too. Flag anything affecting rate filings, form filings, or unfair claim settlement timing.

    Run the NIPR roster against the appointed-producer list in the AMS. A lapsed CE = lapsed license = no authority to bind, and the carrier wears the unauthorized-transaction exposure. Confirm cross-state appointments for any producer who bound coverage outside their resident state this quarter.

    Walk the §500.17 control list with the CISO: written information security program current, biennial risk assessment on file, MFA on all external access, encryption of NPI in transit and at rest, annual pen test, vendor risk program. Anything trending toward the April 15 certification deadline that isn't green is captured here.

    Document the gap, the responsible owner, the target close date, and any compensating controls in place until close. The plan goes to the CISO and Audit Committee — not just sitting in a tracker — because §500.17 requires prompt remediation, not eventual remediation.

    Cover state-by-state filing posture (prior approval, file-and-use, use-and-file) and the effective date for any rates pushed live in PolicyCenter. The single biggest unauthorized-rate risk is producers quoting against a filing that hasn't yet been approved in a prior-approval (PA) state.

Operational Risk Review

    Sample 30 first-party Texas claims opened this quarter from ClaimCenter. Confirm the 15-business-day acknowledgement and the 15-business-day claim decision after all requested information is received. Each missed deadline triggers 18% statutory interest plus attorney's fees and shows up at the next market-conduct exam.

    Pull all open claims past the 30/60/90-day reserve-review cadence. Placeholder reserves at FNOL that haven't been refreshed are the leading driver of IBNR drift, and stale reserves are a common market-conduct finding.

    Many carriers run OFAC screening at policy issuance but not at every claim payment. Claimants, assignees, and structured-settlement annuitants can be added to the SDN list mid-policy. Re-screen all payees against the current SDN list this quarter, not just new ones.

    Walk the claim cycle-time report with the claims manager. Note examiner caseload outliers, IME scheduling delays, and any TPA hand-off friction. Capture the top three drivers and the accountable owner.

    Confirm PolicyCenter, ClaimCenter, and the AMS were exercised against documented RTOs in the last DR test. Any system without a quarterly tabletop or annual full failover is a Part 500 §500.16 finding waiting to happen.

Financial Stability Indicators

    Pull WP, EP, paid losses, and incurred losses by line of business from the data warehouse. Compare loss ratio to plan and to the prior four quarters. Combined ratio above 100 in any line is a flag for the next pricing cycle.

    Pull the latest RBC calculation from the actuarial team. Anything trending toward the Company Action Level threshold gets surfaced to the CFO this quarter, not at year-end statutory filing.

    Confirm asset allocation, NAIC designation distribution, and duration are within the Investment Policy Statement bands. Note any fair-value declines on bond holdings that would affect statutory surplus if realized.

    Match ceded losses booked in the system to billings sent to each treaty reinsurer. Aged recoverables over 90 days drag on surplus and are a Schedule F penalty if uncollateralized. Flag any follow-form treaty whose triggers don't cleanly match the underlying policy form.

    Synthesize the loss ratio, RBC, investment, and reinsurance signals into a single Yes/No escalation decision. Any one of: RBC trending toward Company Action Level, combined ratio above 105 in a top-three line, or aged recoverables above 5% of surplus is a Yes.

    Schedule an out-of-cycle risk committee session — don't wait for the standing quarterly review. Brief the CFO and Chief Actuary in advance so the committee discussion focuses on remediation, not on first-time discovery.

Customer Experience Signals

    Pull complaints filed via each state DOI portal this quarter, broken out by complaint reason code. The NAIC complaint index is the trailing public number; the DOI portal feed is what shows up in the next market-conduct exam.

    Compare claim-close NPS and first-call resolution rate to last quarter. A drop in NPS that lines up with a spike in cycle time usually points at a single examiner team or TPA — drill down before the trend becomes a complaint cluster.

    Pull a sample of dec pages issued this quarter. Confirm GLBA privacy notice was sent at issuance, NY Reg 187 commission disclosure was included for commercial accounts, and CCPA-aligned language is present for California personal-lines insureds.

    Pull mentions across review platforms and social. Cluster by claim-handling, billing, and producer-conduct themes. Producer-conduct clusters often precede a DOI complaint and are worth catching early.

Technology and Cybersecurity

    Scope is every third party that handles NPI — TPAs, claim vendors, document destruction firms, even printers handling claim packets. Confirm SOC 2 Type II reports are current and that contractual security clauses are in place. Treating this as IT-vendor-only is a §500.11 finding.

    For each finding, log the vendor, the control gap, the contractual remedy invoked, and the cure date. Vendors that miss the cure date go into a substitution plan — Part 500 expects prompt action, not a tracker entry that ages out.

    §500.12(b) covers any individual accessing the Covered Entity's network from an external network — including contractor VPN access. Treating MFA as employee-only is the most common scope miss at exam time.
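One way to test the scope point above before the examiner does is to audit remote-access authentication records for external-network logins that completed without MFA, without filtering by account type. The following is an added example written for this checklist, not the carrier's own tooling or any product's API; the log format, field names, and the sample records are constructed for illustration, and the internal-network definition assumes the private RFC 1918 ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of remote-access authentication records (not real log data).
# Fields: timestamp, user, account_type, source_ip, mfa result
SAMPLE_AUTH_LOG = """\
2024-03-02T08:12:41Z jdoe employee 203.0.113.45 mfa=yes
2024-03-02T08:15:09Z acme-svc contractor 198.51.100.17 mfa=no
2024-03-02T09:01:33Z msmith employee 10.20.30.40 mfa=no
2024-03-02T09:44:10Z tpa-adjuster contractor 192.0.2.77 mfa=yes
2024-03-02T10:05:58Z vendor-print vendor 203.0.113.99 mfa=no
2024-03-02T10:07:02Z rlee employee 203.0.113.12 mfa=no
"""

# Assumption: anything outside the RFC 1918 private ranges counts as an
# external network for §500.12(b) purposes. Adjust to the carrier's own
# address plan (e.g. add site-to-site partner ranges that are contractually in scope).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str
    user: str
    account_type: str
    source_ip: str
    mfa_passed: bool


def parse_auth_log(text):
    """Parse the constructed five-field log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, acct, ip, mfa = line.split()
        events.append(AuthEvent(ts, user, acct, ip, mfa.split("=", 1)[1].lower() == "yes"))
    return events


def is_external(ip):
    """True when the source address is not inside any internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def find_mfa_scope_gaps(events):
    """External-network authentications that completed without MFA.

    Deliberately does not filter on account_type: employees, contractors and
    vendors are all in scope for §500.12(b).
    """
    return [e for e in events if is_external(e.source_ip) and not e.mfa_passed]


def summarize_by_account_type(gaps):
    """Count gaps per account type so an employee-only MFA rollout is visible at a glance."""
    counts = {}
    for e in gaps:
        counts[e.account_type] = counts.get(e.account_type, 0) + 1
    return counts


def report(text):
    """Return human-readable finding lines for the quarterly review packet."""
    gaps = find_mfa_scope_gaps(parse_auth_log(text))
    lines = [f"{e.timestamp} {e.user} ({e.account_type}) from {e.source_ip}: no MFA" for e in gaps]
    lines.append(f"gaps by account type: {summarize_by_account_type(gaps)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_AUTH_LOG):
        print(line)
```

On the constructed sample the internal login by msmith is correctly left out, while the contractor, vendor and employee logins from external addresses are all reported; a non-empty contractor or vendor bucket is exactly the scope miss the item describes.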

    Annual penetration test and bi-annual vulnerability assessment per §500.05. Confirm the report is on file and that material findings have remediation tickets, not just acknowledgements.

    Walk every recorded event against the §500.17 72-hour DOI notification standard. Many response plans default to the HIPAA 60-day window or GLBA's lack of a hard window and miss the much shorter state-DOI clock.

    The CRO signs the quarterly risk report. Capture the overall posture, narrative notes for the board packet, and the digital signature. This is the document the Audit Committee references at the next quarterly meeting.