Risk Mitigation Checklist
Risk Assessment and Identification
NYDFS Part 500.09 (as amended in November 2023) requires the risk assessment to be updated at least annually and whenever a change in business or technology causes a material change to cyber risk (new product, acquisition, major vendor). Cover underwriting, claims, cyber, vendor, and compliance risk domains. An annual-only cycle is out of compliance if a material change occurred mid-year and the assessment was not refreshed.
Pull underwriting, claims, IT, compliance, and finance into one working session. Underwriters surface appetite drift; claims surfaces reserve cadence and litigation trends; IT owns Part 500 controls; compliance owns SERFF filings and DOI exam posture.
Pull 5-year loss runs from PolicyCenter / ClaimCenter or the AMS. Look for IBNR drift, reserve adequacy by line, and recurring causes of loss. LexisNexis CLUE and ISO data can supplement carrier-internal patterns.
Use a likelihood × impact matrix tied to the carrier's risk appetite statement. Tag each risk with owner, domain, and current control. Risks rated high or critical drive the policy and crisis-plan updates downstream.
Watch NAIC bulletins, NYDFS guidance, and state DOI circular letters. Common emergents: AI underwriting bias guidance, third-party ransomware exposure, climate-driven property aggregation, and surplus-lines tax rule changes.
Policy Development and Implementation
Refresh the GLBA Safeguards Rule WISP and binding-authority grids per appointed carrier. Producers binding outside line, hazard grade, or limit authority is a recurring E&O driver. Version-stamp every change.
Map each policy to the applicable model: NAIC Insurance Data Security Model Law, NYDFS 23 NYCRR 500, state Unfair Claim Settlement Practices Acts, Anti-Fraud Plan filings (NY, CA, FL, NJ, OH, NM, KY, LA, MN). Confirm Texas Chapter 542 prompt-pay timing is reflected in claims SOPs.
If policy changes touch rates, rules, or forms, confirm the state's filing posture: prior approval, file-and-use, use-and-file, or no-file. Putting a rate into effect in a prior-approval state before SERFF disposition means charging an unapproved rate.
File via NAIC SERFF for each state where the rate, rule, or form change applies. Track approval status by state — prior-approval states block implementation until disposition. Hold implementation until the slowest state clears.
Training should cover the actual changes, not generic compliance slides. Use real fact patterns: an indication being mistaken for a quote, an OFAC hit at claim payment, a missed Part 500 §500.12(b) MFA scope. Track completion in the LMS.
Monitoring and Review
Standard KRIs: loss ratio by line, reserve development by accident year, quote-to-bind ratio, producer CE lapse count, OFAC false-positive rate, vendor SOC 2 expiration runway, NYDFS Part 500 control exception count.
Reconcile the AMS roster against NIPR. Any producer with lapsed CE or missing state appointment for a state where they bound is an unauthorized-transaction exposure. Carriers can rescind affected policies.
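One way to automate the roster reconciliation described above, as an added example that is not part of the checklist and not any carrier's or NIPR's own code. The record layouts, producer numbers, carrier name, dates and policies are all constructed stand-ins; real AMS and NIPR exports have their own schemas. The check applies three rules per bound policy: an active license in the policy's state on the bind date, an active carrier appointment in that state on the bind date, and a CE due date that has not passed before the bind date.

```python
"""Reconcile bound policies against license and appointment records.

Added example with constructed data; the field names below are assumptions,
not a real NIPR or AMS export format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class License:
    npn: str
    state: str
    status: str               # "active" or "inactive"
    expiration: date
    ce_due: Optional[date]    # None if no CE requirement applies


@dataclass(frozen=True)
class Appointment:
    npn: str
    state: str
    carrier: str
    effective: date
    terminated: Optional[date] = None   # None means still in force


@dataclass(frozen=True)
class BoundPolicy:
    policy_no: str
    npn: str
    state: str
    carrier: str
    bind_date: date


def _in_force(start: date, end: Optional[date], when: date) -> bool:
    """True if an interval [start, end) covers the given date."""
    return start <= when and (end is None or when < end)


def reconcile(policies: List[BoundPolicy], licenses: List[License],
              appointments: List[Appointment]) -> Dict[str, List[str]]:
    """Return {policy_no: [reasons]} for every policy bound without authority."""
    lic_idx: Dict[tuple, List[License]] = {}
    for lic in licenses:
        lic_idx.setdefault((lic.npn, lic.state), []).append(lic)
    appt_idx: Dict[tuple, List[Appointment]] = {}
    for appt in appointments:
        appt_idx.setdefault((appt.npn, appt.state, appt.carrier), []).append(appt)

    findings: Dict[str, List[str]] = {}
    for p in policies:
        reasons = []
        live = [lic for lic in lic_idx.get((p.npn, p.state), [])
                if lic.status == "active" and p.bind_date <= lic.expiration]
        if not live:
            reasons.append("no active license in state on bind date")
        elif any(lic.ce_due is not None and lic.ce_due < p.bind_date for lic in live):
            reasons.append("CE lapsed before bind date")
        appts = appt_idx.get((p.npn, p.state, p.carrier), [])
        if not any(_in_force(a.effective, a.terminated, p.bind_date) for a in appts):
            reasons.append("no active carrier appointment in state on bind date")
        if reasons:
            findings[p.policy_no] = reasons
    return findings


def run_example() -> Dict[str, List[str]]:
    """Constructed sample roster: one clean producer and four exposure patterns."""
    licenses = [
        License("1001", "TX", "active", date(2026, 12, 31), date(2026, 6, 30)),
        License("1002", "TX", "active", date(2026, 12, 31), date(2024, 12, 31)),  # CE overdue
        License("1003", "FL", "active", date(2027, 12, 31), date(2027, 6, 30)),
        License("1004", "TX", "active", date(2026, 12, 31), date(2026, 6, 30)),
    ]
    appointments = [
        Appointment("1001", "TX", "ACME", date(2023, 1, 1)),
        Appointment("1002", "TX", "ACME", date(2023, 1, 1)),
        Appointment("1003", "FL", "ACME", date(2025, 4, 1)),                  # not yet effective
        Appointment("1004", "TX", "ACME", date(2022, 1, 1), date(2024, 12, 31)),  # terminated
    ]
    policies = [
        BoundPolicy("P1", "1001", "TX", "ACME", date(2025, 3, 15)),  # clean
        BoundPolicy("P2", "1001", "OK", "ACME", date(2025, 3, 15)),  # bound outside licensed state
        BoundPolicy("P3", "1002", "TX", "ACME", date(2025, 2, 1)),   # CE lapsed
        BoundPolicy("P4", "1003", "FL", "ACME", date(2025, 3, 20)),  # appointment effective later
        BoundPolicy("P5", "1004", "TX", "ACME", date(2025, 1, 10)),  # appointment terminated
    ]
    return reconcile(policies, licenses, appointments)


if __name__ == "__main__":
    for policy_no, reasons in run_example().items():
        print(policy_no, "->", "; ".join(reasons))
```

Each flagged policy carries the specific reason, which is what a rescission review or a DOI response needs; a producer who is licensed but not appointed, or appointed only after the bind date, is reported separately from a CE lapse so that the remediation owner is clear.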
Vendor oversight scope is not IT-vendor-only. TPAs, claims vendors, document destruction firms, and printers handling NPI all qualify. Pull each vendor's most recent SOC 2 Type II and confirm the report's coverage period has not lapsed.
Independent review cadence varies by carrier size and Model Audit Rule applicability. Independent review surfaces the items internal teams normalize: reserve cadence drift, premium audit dispute backlog, retention schedule violations.
Each finding gets a named owner, target date, and severity. High and critical findings become inputs to the next quarter's risk assessment.
Track each finding through to closure with target dates aligned to the carrier's audit response standard. Reopen patterns become next quarter's KRIs.
Crisis Management and Response
The NAIC Insurance Data Security Model Law and NYDFS Part 500 (§500.17) require notification to the state DOI no later than 72 hours from the determination that a cybersecurity event has occurred. Many plans default to the GLBA or HIPAA window and miss the shorter DOI clock; fix that explicitly.
Pick a scenario tied to a top risk: ransomware on the policy admin system, a TPA data breach, a CAT event triggering claim surge. Time the team against the 72-hour DOI notification clock and the carrier's reinsurance treaty notification triggers.
Verify outside counsel, forensic IR vendor, cyber carrier, reinsurance broker, and DOI contacts. Test the after-hours numbers — stale contacts surface during the actual event.
Most excess policies require notice of any matter reasonably likely to involve the layer; carriers commonly use 50% of primary as the practical trigger. Following-form treaties may not align with policy form coverage triggers — confirm the gap is documented.
CRO or compliance officer signs off and files the package for the next market conduct or financial exam. Retain per the carrier's record retention schedule (typically 5–7 years P&C, longer for WC).
