Workflow Templates for Insurance: Insurance Project Planning Checklist

Project Initiation

Define the project's regulatory and business drivers

Capture why the project exists in the language a steering committee will recognize: a new product line, a state expansion, a SOC 2 / NYDFS Part 500 remediation, a Guidewire migration, or an M&A integration. State drivers and disqualifying constraints up front so scope creep gets pushed back against the original mandate.

Map stakeholders across UW, claims, and compliance

Most insurance projects fail because compliance, actuarial, or reinsurance was looped in late. Build the RACI with named individuals from underwriting, claims, IT, compliance, actuarial, reinsurance, and producer relations — not just department headers.

Draft the project charter and success criteria

Charter should state in-scope lines of business, target states, effective date, target loss ratio or expense ratio impact, and explicit out-of-scope items. Attach the signed PDF — auditors and acquirers will ask for it during diligence.

Secure executive sponsorship and budget approval

Confirm an accountable executive sponsor (CUO, COO, or CIO depending on project type) and an approved capital and expense budget. Funded projects without a named sponsor stall the first time a cross-department conflict arrives.

Determine if a SERFF rate or form filing is required

If the project changes rates, rules, or forms in any state, treat filing posture (prior approval, file-and-use, use-and-file) as a hard dependency on the timeline. Pushing a rate live in a PA state without DOI approval creates an unauthorized-rate exposure.

Risk Management

Catalog regulatory and market-conduct risks

Inventory exposures the project introduces: state filing miss, producer licensing gap, prompt-pay (e.g., Texas Chapter 542) impact, OFAC screening change, GLBA / NYDFS Part 500 NPI handling, anti-fraud plan refresh in NY/CA/FL/NJ. Distinguish project-execution risks from steady-state operational risks the project leaves behind.

Run the project risk assessment

Score each risk on likelihood and impact using the carrier's standard scale. NAIC Insurance Data Security Model Law and NYDFS Part 500 expect documented risk assessments — the project-level register feeds the enterprise risk program, so format consistently.

Document mitigation strategies for top-rated risks

For each high or critical risk, name the control, the residual risk after the control, and the date the control becomes operational. Avoid the "monitor" cop-out — monitoring is not a mitigation.

Build the SERFF filing strategy with regulatory affairs

Coordinate with regulatory affairs to set the filing sequence: priority states, expected DOI review windows (often 30–90 days in PA states), filing-fee schedule, and effective-date contingencies. Build a 60-day buffer between expected approval and the planned bind date.

Assign risk owners across business and technology

Each risk gets a named owner with the authority to deploy the mitigation. Risks owned by "the team" or "PMO" default to nobody — examiners and internal audit consistently flag this.

Resource Planning

Inventory required underwriting and claims SMEs

Identify the named UW and claims practitioners whose time the project will consume — by line, by state, and by hours per week. SMEs are the constraint on most insurance projects, not engineers.

Build the resource allocation and burn-rate plan

Plot internal hours, vendor hours, and capital spend by month against the approved budget. Flag any month where forecast burn exceeds budget so the sponsor can re-baseline before the variance reports go out.

Set milestones tied to filing approvals and bind dates

Tie milestones to the controlling external dates: SERFF approval, reinsurance treaty inception, ACORD form release, NCCI rate effective date, or carrier bind authority effective date. Internal milestones should ladder backwards from these.

Confirm whether new vendors will handle NPI

NYDFS Part 500 §500.11 vendor scope includes TPAs, claims vendors, document-destruction firms, and printers handling claim packets — anyone touching nonpublic information. A "no" here should be defensible against the §500.11 definition, not just the IT-vendor short list.

Run Part 500 §500.11 vendor due diligence

Collect the vendor's SOC 2 Type II, WISP, encryption-in-transit-and-at-rest attestation, MFA posture, and incident-notification SLA. Update the contract addendum so the carrier's 72-hour DOI notification obligation flows through to the vendor.

Stand up project tracking in the PMO tool

Configure the PMO tool (Smartsheet, MS Project, Jira, Asana) with the WBS, milestone dates, RAID log, and the risk register from the prior section. Connect it to the policy admin or AMS where production cutover steps live.

Communication Strategy

Draft the stakeholder communication plan

For each stakeholder group — sponsor, steering, line UWs, claims operations, producers, reinsurers, DOI-facing regulatory affairs — list the message frequency, channel, owner, and the decision they need to make. One-size-fits-all updates get ignored by everyone.

Pick channels for internal teams and broker partners

Internal: SharePoint, Teams, or the PMO tool. External producer-facing: agent portal bulletins, Applied Epic/AMS360 messaging, broker email blasts. Avoid mixing producer-confidential commission detail into general broker channels.

Schedule recurring sponsor and steering updates

Weekly working group, biweekly sponsor, monthly steering is the typical cadence for a multi-quarter insurance project. Lock the cadence on the calendar before kickoff so it does not slip during execution.

Build the status report template

Standard sections: RAG status, milestone burn-up, top 5 risks, decisions needed this week, blockers. Force a one-page limit — steering committees do not read multi-page narratives.

Define protocols for DOI and reinsurer touchpoints

External-regulator and reinsurer communications need a single channel and a named owner — typically regulatory affairs and the chief actuary respectively. Ad-hoc emails from project staff to a DOI examiner during a market-conduct exam create discoverable inconsistencies.