Risk Assessment Checklist
Operational Risk Assessment
Inventory the workflows that have to keep running for the business to function: submission intake, bind, policy issuance, FNOL, reserve setting, claim payment. Note the system of record for each (Guidewire PolicyCenter / ClaimCenter, Duck Creek, Applied Epic, AMS360) and the named owner. Attach the process inventory.
For each critical system, document the maximum tolerable downtime against the carrier's RTO. A four-hour PolicyCenter outage during a renewal cycle has different financial exposure than the same outage at month-end. Pull last year's incident records from the IT ticketing system as your baseline.
List every TPA, MGA, MGU, and binding-authority partner with delegated authority. Confirm current SOC 2 Type II reports, binding-authority limits, and reporting cadence. Lapsed SOC 2s and stale binding agreements are a recurring market-conduct exam finding.
Run a tabletop on a ClaimCenter outage during business hours. Confirm the manual FNOL fallback (paper ACORD intake, claim-number reservation, reserve placeholder rules) and the catch-up procedure once systems are restored. Texas Chapter 542 acknowledgement clocks do not stop for system outages.
Financial Risk Evaluation
Calculate the RBC ratio (total adjusted capital over authorized control level RBC) for the current year and the prior two annual statements. Note any movement toward the 200% company action level threshold; the trend matters more than a single point in time.
Run the recoverables-by-reinsurer report. Flag any reinsurer holding more than 10% of total recoverables and confirm its A.M. Best rating, collateral posted, and treaty wording. A following-form treaty whose wording does not actually track the underlying policy form is the gap that surfaces during a recovery dispute.
Reconcile case reserves to actuarial indications by line of business. Watch for reserve cadence drift: placeholder reserves left untouched past the 30/60/90-day review cadence are the leading source of IBNR surprise and a market-conduct finding.
Pull the agency-bill and direct-bill aging from the AMS. Anything over 60 days needs a producer-balance review; anything over 90 days needs an authority discussion. Stale producer balances mask credit risk on the producer of record.
Read the most recent A.M. Best credit report and rationale. Document any rating outlook changes (negative, under review) and the drivers Best cites — capital adequacy, operating performance, business profile, ERM. Distribution partners watch this.
Regulatory Compliance Review
Run the NIPR PDB report for every appointed producer. Confirm active license, lines of authority, CE compliance, and appointment status in each state where they have bound business this year. A producer binding in a state where they hold no appointment exposes the carrier to an unauthorized-transaction finding and fines for every bind in that state.
Pull market conduct and financial exam reports issued in the last 36 months. Confirm every cited finding has a documented remediation closed by the DOI. Open findings carry into the next exam cycle and compound.
For each writing state, reconcile filed rates and forms to what is actually live in PolicyCenter. Note the filing posture per state (prior approval, file-and-use, use-and-file) and verify any pending prior-approval filings have been approved before the rate goes live. Pushing a rate live in a prior-approval state ahead of approval creates unauthorized rates.
Pull a sample of policies issued and claim payments made this year. Confirm OFAC SDN screening fired at policy issuance and again at every claim payment. Many carriers screen at issuance but not at payment — claimants and assignees can be added to the SDN list mid-policy.
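The issuance-versus-payment gap above, as an added example that is not part of the checklist: a screening routine fired at policy issuance and again at each claim payment, with a claimant who is designated between the two events. The two SDN snapshots, the policy and payment records, and the name-normalisation rules are all constructed here; production screening runs against OFAC's published list with a fuzzy-match engine and alias handling, and this only demonstrates lifecycle coverage.

```python
"""Added example, not the checklist's own code: OFAC SDN screening at issuance
and at every claim payment. All data below is constructed for illustration."""
from __future__ import annotations

import re
import unicodedata


def normalize(name: str) -> str:
    """Strip accents and punctuation, uppercase, and sort tokens so that
    'Claimant, Jane Q.' and 'Jane Q Claimant' compare equal (assumed rule)."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[A-Z0-9]+", ascii_name.upper())
    return " ".join(sorted(tokens))


# Constructed SDN snapshots: the third-party claimant is designated after issuance.
SDN_AT_ISSUANCE = {normalize(n) for n in ["ACME TRADING LLC", "Ivan Example"]}
SDN_AT_PAYMENT = SDN_AT_ISSUANCE | {normalize("Jane Q. Claimant")}

# Constructed policy parties and a later claim payment (payee plus assignee).
POLICY_PARTIES = ["Main Street Cafe Inc", "Main Street Cafe Holdings LLC"]
CLAIM_PAYMENTS = [
    {"id": "PAY-0001", "payees": ["CLAIMANT, JANE Q", "Main Street Body Shop LLC"]},
]


def screen(parties: list[str], sdn: set[str]) -> list[str]:
    """Return the parties whose normalized name is on the given SDN snapshot."""
    return sorted(p for p in parties if normalize(p) in sdn)


def process_lifecycle(screen_at_payment: bool) -> dict[str, list[str]]:
    """Run issuance, then each claim payment, against the SDN list current at
    that moment. Returns {event: [matched parties]} for every blocked event.
    With screen_at_payment=False the carrier screens only at issuance, which is
    the gap the checklist item describes."""
    blocked: dict[str, list[str]] = {}
    hits = screen(POLICY_PARTIES, SDN_AT_ISSUANCE)
    if hits:
        blocked["issuance"] = hits
    for payment in CLAIM_PAYMENTS:
        if not screen_at_payment:
            continue  # payment released with no screening
        hits = screen(payment["payees"], SDN_AT_PAYMENT)
        if hits:
            blocked[payment["id"]] = hits
    return blocked


if __name__ == "__main__":
    print("screen at both events:", process_lifecycle(True))
    print("screen at issuance only:", process_lifecycle(False))
```

Re-running the payment payees against the issuance-time snapshot also returns nothing, which is why a cached or stale list at payment time is the same failure as not screening at all.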
NY, CA, FL, NJ, OH, NM, KY, LA, and MN require Anti-Fraud Plan filings. Confirm each is on file with the most recent SIU staffing, training, and case-referral data. Acquired books often inherit unfiled or stale plans.
Cybersecurity and Data Protection
Walk the 23 NYCRR 500 control matrix: CISO designation (§500.04), written cybersecurity policy (§500.03), risk-based access privileges (§500.07), encryption of NPI in transit and at rest (§500.15), annual penetration testing (§500.05), and the §500.09 risk assessment, which the November 2023 amendment requires to be reviewed and updated at least annually. The annual minimum is the floor: material changes (new product, acquisition, new vendor) trigger an interim update.
Part 500.12(b), as originally adopted, requires MFA for any individual accessing internal networks from an external network unless the CISO has approved reasonably equivalent controls in writing; that covers TPA staff, document-handling vendors, and contractor VPN accounts, not just employees. The November 2023 amendment broadens this to MFA for any individual accessing any of the covered entity's information systems, with a compliance date of November 1, 2025. Treating MFA as employee-only is the most common Part 500 finding.
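The employee-only gap described above, as an added audit example that is not part of the checklist: the naive check that only looks at employees beside the check that covers every individual with external access. The CSV columns, account names, populations, and the idea that a written CISO exception is recorded as a column in the identity-provider export are all assumptions for illustration, not the format of any real IdP.

```python
"""Added example, not the checklist's own code: audit an identity-provider
export for external access without MFA across all populations."""
from __future__ import annotations

import csv
import io

# Constructed export. 'external_access' means the account can reach internal
# systems from outside (VPN, Citrix, SSO portal). 'ciso_exception' models the
# written CISO approval of equivalent controls that 500.12(b) allows.
IDP_EXPORT = """\
account,population,external_access,mfa_enrolled,ciso_exception
jsmith,employee,yes,yes,no
mlee,employee,no,no,no
tpa-claims-01,tpa,yes,no,no
printvendor-sftp,vendor,yes,no,yes
contractor-vpn-07,contractor,yes,no,no
adjuster-portal-22,tpa,yes,yes,no
"""


def load_export(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def employee_only_gaps(rows: list[dict[str, str]]) -> list[str]:
    """The check that produces the common finding: it scopes MFA to employees,
    so third-party and contractor accounts are never examined."""
    return sorted(
        r["account"] for r in rows
        if r["population"] == "employee"
        and _yes(r["external_access"])
        and not _yes(r["mfa_enrolled"])
    )


def part500_gaps(rows: list[dict[str, str]]) -> list[str]:
    """Every individual with external access, whatever the population, must
    have MFA or a documented CISO-approved compensating control."""
    gaps = []
    for r in rows:
        if not _yes(r["external_access"]):
            continue  # internal-only accounts are out of scope for 500.12(b)
        if _yes(r["mfa_enrolled"]) or _yes(r["ciso_exception"]):
            continue
        gaps.append(r["account"])
    return sorted(gaps)


def coverage_by_population(rows: list[dict[str, str]]) -> dict[str, tuple[int, int]]:
    """(MFA-enrolled, total) externally-accessing accounts per population.
    A documented exception is not counted as enrolment, so it still shows
    up here as something the examiner will ask about."""
    counts: dict[str, tuple[int, int]] = {}
    for r in rows:
        if not _yes(r["external_access"]):
            continue
        enrolled, total = counts.get(r["population"], (0, 0))
        counts[r["population"]] = (enrolled + int(_yes(r["mfa_enrolled"])), total + 1)
    return counts


if __name__ == "__main__":
    rows = load_export(IDP_EXPORT)
    print("employee-only check:", employee_only_gaps(rows))
    print("500.12(b) check:    ", part500_gaps(rows))
    print("coverage:           ", coverage_by_population(rows))
```

The employee-only check reports clean on this export; the full check names the TPA and contractor accounts, and the coverage table shows the vendor account is only compliant because of a documented exception, which is the evidence to have ready for the exam.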
Engage a qualified third party to test PolicyCenter, ClaimCenter, the AMS, and any externally-facing producer or insured portals, from both inside and outside the network boundary as §500.05 requires. Capture the executive summary and the remediation plan for any high or critical findings.
NYDFS Part 500 (§500.17) and the NAIC Insurance Data Security Model Law both require notification within 72 hours of determining that a cybersecurity event has occurred. Confirm the IR runbook reflects 72 hours from determination, not the HIPAA 60-day window or GLBA's lack of a fixed deadline, and walk through who notifies which state DOI. The amended §500.17 also requires notice to NYDFS within 24 hours of any extortion payment, followed by a written explanation within 30 days.
Section 500.11 covers any vendor handling NPI — TPAs, claims vendors, document destruction firms, print shops. Confirm each has a current security questionnaire, contractual security terms, and a SOC 2 or equivalent on file. IT-vendor-only programs miss the operational vendor scope.
Risk Register and Sign-Off
Roll every finding from operational, financial, regulatory, and cyber into the enterprise risk register with inherent rating, control rating, and residual rating. The register is what the board risk committee reviews and what the next exam team will request first.
Assign each high or critical finding from the pen test to a named owner with a target close date. High findings open past the 30-day internal target, with no tracked remediation, are themselves a Part 500 finding at the next exam.
Submit appointments, terminations, or CE remediation through NIPR. Pause binding authority on any producer with a state gap until cleared. An unauthorized-transaction finding will surface every prior bind in that state.
The CRO and CISO sign off on the assessment, the residual risk rating, and the remediation plan. The signed package goes to the board risk committee and is retained as evidence of the Part 500 §500.09 annual risk assessment and the NAIC Model Law periodic risk assessment.
