Modernizing Core Systems in Insurance: Ten Lessons Learned


By John Rao, Managing Director
Technology Consulting



Like all financial services companies, insurers rely on technology — which changes faster than any other aspect of the business. Core information technology systems, including mainframe technology, are aging rapidly, causing significant problems. These old systems require increased maintenance, which drives up costs, while operating knowledge is at risk of being lost as the workforce with the knowledge to maintain these systems ages and retires.

Older systems cause process and decision-making friction, degrading business agility, which can easily degenerate into strategic risks. Worse, the short-term fixes adopted by insurance companies over the years to postpone modernization mask broader long-term issues, and the patchwork of old and new technology is preventing firms from innovating and becoming more agile, efficient and customer-centric, risking loss of market share.

At the same time, the potential benefits of modernization are compelling: Increased premium growth through improved distribution effectiveness, targeted marketing, cross-selling, expanded analytics, improved customer service, improved pricing, and shorter new product cycle times.

Nevertheless, making the case for modernization can be a tall order because projects of this scale are typically measured in years and hundreds of millions of dollars. Cost and time were the biggest hurdles, cited by 44 percent of financial services executives in a recent Protiviti survey.

With so much riding on a successful implementation, a clear core modernization roadmap is critical. A new Protiviti white paper, Modernizing Legacy Systems in Insurance, makes the case for implementation drawing on the experiences of those who have gone before to help those just beginning the modernization process.

Without going into every detail in this post, here are the top ten lessons learned:

  1. View a legacy modernization program as an opportunity to achieve world-class performance — without this vision, the expense is hard to justify.
  2. Ensure long-term senior executive support and buy-in, as required for a strategically important project of this magnitude.
  3. Begin with the end in mind: Define strategy, objectives, investment, business value, and the target operating model.
  4. Build a business case for change that does not underestimate the change management component.
  5. Establish success criteria upfront and measure success in terms of tangible business benefits.
  6. Establish governance that includes key constituents.
  7. Avoid “paving the cow paths,” or investing in new technology and then performing the work the same old way. Instead, redesign processes for efficiency, service and agility.
  8. Apply proven techniques from leading financial services organizations: Straight-through processing, automation, robotics, data analytics and digitization.
  9. Use a program management office (PMO) and manage the project with discipline, enabling collaboration with key stakeholders and providing constant communication between the teams.
  10. Legacy modernization projects are complex and challenging; they require the “A” team. Obtain outside assistance as required.

Take special note of lesson seven. One of the most common mistakes companies make when upgrading technology is failing to optimize the underlying business processes.

Good questions to ask when developing your roadmap include: Why are we doing this? What is the business case? When should we proceed? Where will the technology be located? Who will help us? How will we manage the project in a risk-aware manner?

Taking time to answer these questions and carefully planning upfront will help to mitigate implementation risk and ensure that your organization gets optimal return on its technology investment.

Read the full white paper here.

Compliance Insights Latest: The Future of Financial Regulation Still Unclear; Meanwhile, New Rules March On

By Steven Stachowicz, Managing Director
Risk and Compliance




The recent election results weigh heavily on the minds of financial services professionals. All manner of questions have been raised regarding potential related regulatory impacts. Currently, there is ambiguity and speculation as to what changes are in store, when they will come, and the extent to which they will occur. What is certain is that change is inevitable, at least based upon what can be gleaned from the campaign trail and the agenda of the existing Congress.

We address some of the immediate reactions to the recent elections in our November edition of Compliance Insights. We will continue to monitor developments as they unfold, and provide our perspective in future editions. In the meantime, refer to Protiviti’s recent flash report for a more detailed, cross-industry perspective on the impacts of the recent elections.

Aside from the election, the November edition of Compliance Insights examines a new rule from the Consumer Financial Protection Bureau, finalized in October, that significantly changes the regulatory environment for prepaid accounts — including general-purpose reloadable and non-reloadable cards, such as payroll cards, student financial aid disbursement cards, tax refund cards, certain federal, state and local government benefit cards, and electronic wallets that store funds. The new rule, due to be implemented at the end of 2017, requires new disclosures to be provided to consumers at the time of purchase, including fees, terms and other comparative information; periodic statements listing recent transactions; dispute resolution procedures; and new protections if the prepaid account contains credit features. The article is on page 2 of the newsletter.

Also in October, the Department of Labor released the first in a planned series of FAQ documents to provide guidance on the implementation of its Fiduciary Rule, issued in April 2016. The rule was issued as an investor protection measure to identify, eliminate and mitigate against investment adviser conflicts of interest that could result in advice not aligned with clients’ best interests. The new rule redefines how retirement investment advice is communicated to investors, how and when adviser relationships are established, and how adviser compensation for products and services is earned. See page 5 in Compliance Insights for some of the specific questions addressed.

Other recent regulatory news we cover in our November edition:

  • The Financial Crimes Enforcement Network published an advisory and FAQs to help financial institutions comply with cybersecurity reporting obligations under the Bank Secrecy Act.
  • The Office of the Comptroller of the Currency published guidance on the periodic risk re-evaluation of foreign correspondent banking applicable to all national banks with foreign correspondent banking relationships.

We discuss all of these new developments, including our take on the financial regulations’ future, in detail in the full edition of Compliance Insights. Read it here.

Strategic Use of Email in Internal Investigations: Your Questions Answered

By Scott Moritz, Managing Director
Protiviti Forensic




As part of our ongoing internal investigations series and in conjunction with Fraud Awareness Week, Protiviti, in partnership with Morrison & Foerster and Robert Half Legal, presented a webinar last week on the strategic use of email in internal investigations, discussing ways companies can undertake email investigations without letting costs get out of hand. My colleagues Robert Hennigan and Marshall Matus recapped the highlights, but I want to share here a few of the questions addressed during the live Q&A session, which I facilitated.

Q: What are the points to consider before accessing email data — including legal rights to open email accounts, legal responsibilities to notify users, and how to avoid alerting users that someone is accessing their email?

Robert Hennigan, Protiviti: Any time you have a question specifically about legal issues, we recommend consulting with counsel to help you make those determinations prior to initiating an email investigation. Generally speaking, there is no reasonable expectation of privacy in the United States for work email — and that extends to personal devices if they are being used to send and receive business email. There is no obligation to notify users of a pending examination of email on a company exchange, although some types of information are protected under HIPAA and laws governing the cross-border transfer of personally identifiable information. Employees are not obligated to divulge passwords for personal devices, but case law has established that biometric account security is not protected.

Q: What should you do to ensure you’re following rules of evidence and maintaining a chain of custody?

James M. Koukios, Morrison & Foerster: Companies wouldn’t invest time and resources in an email investigation unless they have a reason to believe that the investigation will yield important evidence. It is therefore important to ensure that the investigation is conducted in a way that ensures the findings will be admissible in court. Specifically, it is important to freeze the account to prevent alteration or deletion of emails. This may involve taking physical custody of a laptop, device or workstation. Searches must be planned and conducted in a way that ensures the resulting analysis will present a thorough and accurate picture. By the end of the investigation, the party presenting the evidence should be able to demonstrate that the evidence is complete, authentic, and authored or received by the individual or individuals being investigated. The evidence should support what actually happened.

Q: How do you search for information embedded in PDFs and other non-searchable “picture” attachments? Is there technology available to extract text that might not otherwise show up in a standard keyword search?

Marshall Matus, Robert Half Legal: An important part of determining the scope of any email investigation is understanding the allegations, and determining how information was communicated. It is not uncommon for perpetrators to try to bypass traditional keyword search capabilities by scanning documents into PDFs or image files. In such cases, optical character recognition (OCR) software can help extract text from such files.

Q: What if someone in the IT organization is the subject of the allegation?

Marshall Matus: That is a tricky one. That said, the proper response, with few exceptions, is to go up. Most organizations of any size have a chief information officer, or chief information security officer, who can be enlisted to help. If the subject of the investigation is the CISO, CIO or CTO, investigators can reach out to the CFO, General Counsel or CEO for assistance.

Because email investigations can be resource-intensive and costly, it is important for companies to do their homework before they initiate the investigation, to make sure the work will yield maximum results and be accepted into evidence in court. Our audience was interested in many more details of an email investigation, and we cannot cover all of them here — but I do invite you to listen to the archived webinar (the Q&A session is at the end of the recording).



Strategic Use of Email in Internal Investigations

By Robert Hennigan, Associate Director
Protiviti Forensic

and Marshall Matus, Engagement Manager
Robert Half Legal



When we first started talking about putting together a webinar on the role of email in internal investigations, none of us anticipated the global impact a single email investigation could have. As it turned out, our well-attended November 15 webinar couldn’t have been more timely.

We presented the webinar during International Fraud Awareness Week together with Scott Moritz, the global leader of Protiviti Forensic, and James Koukios, a partner in Morrison & Foerster’s White Collar and Anti-Corruption practice group.

Our goal was to demystify the process of email investigations. In addition to addressing some of the popular misconceptions that might cause organizations to avoid undertaking a forensic email investigation, we wanted to offer some clear and simple strategies for managing the process, based on our years of experience, both as consulting professionals and as special agents of the FBI.

We thought the webinar was necessary because we’ve heard from a lot of people who believe, incorrectly, that:

  • Due to high volume, email investigations are cost-prohibitive and overly time-consuming.
  • Email investigations are a waste of time because no employee in their right mind would put anything incriminating in an email on a company server.
  • Privacy laws give employees the right to refuse employer access to their individual work emails.

To be sure, the email universe is vast, with more than one hundred billion work-related emails sent and received each day around the globe. We’ve read that employees spend about 28 percent of their work week sending and receiving emails at a rate of 122 emails each day.

It’s easy to see how the prospect of an email investigation of, say, 15 or 20 individuals, spanning several years, could be daunting — not only because of the volume, but also because of the need to maintain the integrity of evidence, which involves following established procedures regarding the acquisition, preservation and processing of email evidence. Managing this process effectively involves striking a balance between sufficiency and overkill.

Planning an Investigation

As with most business controls and processes, the time and cost of an email investigation can be carefully managed through planning. In that regard, it is important to start with a clear understanding of what you are looking for. What is the complaint? How many people could potentially be involved? Over what time frame did the alleged activity take place? Where does that data reside? And who were the custodians of that data?

As for the misconception that employees wouldn’t leave anything incriminating on a company server, experience has shown that it happens all the time. Also, if an employee forwards work emails to a personal mobile phone or home computer, those devices are considered to be discoverable for investigative purposes. There is ample case law to establish that work emails are work product owned by the company. Most U.S.-based organizations have electronic communication policies making it clear that users have no expectation of privacy. There are a few notable exceptions that include communications covered by attorney/client confidentiality, but for the most part, electronic communication at work is fair game for investigators.

Nor do investigations have to be confrontational. Often, investigators can obtain all the evidence they need from system backups or the company email server, without having to notify employees.

Companies also have had great success leveraging email review platforms and other forensic technologies to search for keywords indicative of potential malfeasance. Newer versions of email platform tools have significant capabilities built in.

Each of our expert panelists emphasized the criticality of communication between the various players in an investigation — the review team, forensic accountants, and outside counsel — to ensure coordination, avoid redundancies and share knowledge. A good investigation will follow project management best practices, with phases of the project including data collection, data processing, data analysis and review.

There’s an art to this process that involves knowing how to select key words; when to go broad and when to go narrow; how to leverage techniques and theories from related fields, such as information retrieval; and how to use various forensic technologies. All of this was discussed in our webinar at length, and we encourage you to listen to it.
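The two mechanics these posts keep returning to, preserving the integrity of acquired email evidence (the chain-of-custody point in James Koukios's answer above) and running a keyword search that goes broad first and narrow second, as an added Python example. This is not code from Protiviti, Robert Half Legal or the webinar; the sample messages, addresses, keywords and the SHA-256 manifest scheme are constructed assumptions for illustration.

```python
"""Added example (not the authors' or the webinar's code).

Two steps of an email investigation on constructed data:
  1. a custody record: SHA-256 of each acquired message plus a manifest
     digest, taken at acquisition and re-checked before analysis;
  2. a two-pass keyword search: a broad pass to find candidate messages,
     then a narrow pass that keeps only candidates matching specific phrases.
"""
import hashlib
import re
from email import message_from_string

# Constructed sample evidence: three RFC 5322 messages as a mail server might
# export them. Names, addresses and content are fictional.
SAMPLE_MESSAGES = [
    "From: alice@example.test\r\nTo: bob@example.test\r\n"
    "Subject: Q3 vendor invoices\r\nMessage-ID: <m1@example.test>\r\n\r\n"
    "Bob, please approve the attached invoices before Friday.\r\n",
    "From: bob@example.test\r\nTo: alice@example.test\r\n"
    "Subject: Re: Q3 vendor invoices\r\nMessage-ID: <m2@example.test>\r\n\r\n"
    "Approved. Route the Acme payment through the new account, not the usual one.\r\n",
    "From: carol@example.test\r\nTo: alice@example.test\r\n"
    "Subject: Lunch?\r\nMessage-ID: <m3@example.test>\r\n\r\n"
    "Noon at the usual place?\r\n",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def custody_record(raw_messages):
    """Hash every message as acquired and build a manifest digest over the
    sorted (Message-ID, digest) pairs. Anyone holding the record can later
    show the set is complete and unaltered by recomputing it."""
    per_message = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        per_message[msg["Message-ID"]] = sha256_hex(raw.encode("utf-8"))
    manifest_lines = [f"{mid} {digest}" for mid, digest in sorted(per_message.items())]
    manifest = sha256_hex("\n".join(manifest_lines).encode("utf-8"))
    return {"messages": per_message, "manifest": manifest}


def verify_custody(raw_messages, record) -> bool:
    """True only if the current copy reproduces the acquisition-time record
    exactly (same messages, same content, nothing added or removed)."""
    return custody_record(raw_messages) == record


def _matching_terms(text, terms):
    # Case-insensitive whole-word (or whole-phrase) match over headers and body.
    return [t for t in terms
            if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE)]


def keyword_hits(raw_messages, broad_terms, narrow_terms=None):
    """Return (Message-ID, broad matches, narrow matches) for each hit.

    Broad pass: any broad term present. Narrow pass (if narrow_terms is
    given): the candidate must also contain at least one narrow phrase."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        broad = _matching_terms(raw, broad_terms)
        if not broad:
            continue
        narrow = _matching_terms(raw, narrow_terms) if narrow_terms else []
        if narrow_terms and not narrow:
            continue
        hits.append((msg["Message-ID"], broad, narrow))
    return hits


if __name__ == "__main__":
    record = custody_record(SAMPLE_MESSAGES)
    print("manifest:", record["manifest"])
    print("custody intact:", verify_custody(SAMPLE_MESSAGES, record))
    broad = ["invoices", "payment", "account"]
    print("broad pass:", [h[0] for h in keyword_hits(SAMPLE_MESSAGES, broad)])
    print("narrow pass:", [h[0] for h in keyword_hits(SAMPLE_MESSAGES, broad, ["new account"])])
```

The custody record is deliberately computed over the raw export bytes rather than over parsed fields, so any change to headers or body invalidates it; the broad pass over-collects on purpose (the "go broad" step), and the narrow phrase list is what a reviewer tunes once the candidate set is understood.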

Finally, we had a number of interesting questions from the audience that followed the presentation and speakers. We will summarize some of these questions in an upcoming post. Subscribe to our blog to be sure not to miss it.

How Expensive Are Cybersecurity Attacks and Data Breaches?

In this Industry Perspective series, we offer the views of Protiviti leaders on developments and news in specific industries. The perspective below focuses on Energy & Utilities.



By Danny Rudloff, Managing Director
Industry Leader for Energy and Utilities

and Cal Slemp, Managing Director
Solution Leader for IT Security and Privacy


A Journal of Cybersecurity article earlier this year concluded that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared to the relatively modest financial impact to firms that suffer these events. Based on a sample of more than 12,000 cyber events that include data breaches, security incidents, privacy violations and phishing crimes, the authors found that the cost of a typical cyber incident in that sample is less than $200,000 (about the same as those firms’ annual IT security budgets), representing only 0.4 percent of their estimated annual revenues.

Our Perspective:

This study may be placing too much emphasis on “counting the trees” and not enough on understanding the value of the “forest.”

For companies in industries like energy, on which the public relies for essential goods and services, reliability and reputation are an integral part of the product or service. So measuring damage from a cyberattack by adding up the costs of breaches, bad debts and fraud risks but not the cost of service interruption or reputation damage minimizes an incident’s true impact.

Similar to the experience of other industries, significant damage from a cyber incident will be seen in the erosion of the customer’s confidence and trust that is the underpinning of future business, or in potential regulatory overreach that can unduly constrain future operations. The impact to reputation, and its implied customer loyalty, can be serious.

In addition, the study identifies the mining and oil and gas industry as suffering the highest litigation rate among all other industries, with more than 30 percent of all cyber events litigated. Therefore, it is wise for the industry to stay focused on this area.

Companies should not be complacent about cybersecurity or rely on the findings of a single report. The consequences and costs of a cybersecurity breach can vary widely, based on the company’s size, customer base, regulatory oversight and other factors. Because the threats and risks related to information security change so quickly, an annual security assessment is recommended so that companies can keep an eye on these trends and evaluate their information security programs in this ever-changing context.

COSO Guide Seeks to Elevate and Evolve Fraud Risk Management Practices


By Pamela Verick, Director
Protiviti Forensic



For many organizations, fraud risk management consists of checking boxes and thinking positive thoughts:

“We hire good people.”
“We have a code of conduct.”
“We comply with Sarbanes-Oxley (SOX).”
“Our hotline does not ring (for serious things).”
“Fraud simply doesn’t happen here.”

Of course, as forensic professionals, we know that this is not enough. So does the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Recognizing the need to both elevate and evolve management thinking on the topics of fraud prevention, detection and deterrence, COSO released its Fraud Risk Management Guide (“COSO Guide”) in September 2016.

The COSO Guide provides a valuable blueprint of leading practices and user-friendly templates to help organizations not only correlate, but actively apply, the five fraud risk management principles first outlined in Managing the Business Risk of Fraud: A Practical Guide (jointly published by the AICPA, The IIA and ACFE in 2008) within the context of the 2013 COSO Framework.

These principles serve as a universal foundation for anti-fraud programs. They are:

  1. Fraud Risk Governance
  2. Fraud Risk Assessment
  3. Fraud Control Activity
  4. Fraud Investigation and Corrective Action
  5. Fraud Risk Management Monitoring Activities

Of these five principles, fraud risk assessment is perhaps the most widely recognized because the consideration of the potential for fraud was explicitly included within the 2013 COSO Framework. Since that time, the identification and assessment of fraud risk has been a focal point of inquiry for internal and external auditors. However, the scope of management’s fraud risk assessment is still often limited to fraud scenarios that would cause a material misstatement on an organization’s financial statements. In contrast, the COSO Guide encourages an elevated and evolved assessment of fraud risk in the context of the organization’s overarching fraud risk management program in order to achieve better support of, and greater consistency with, the overall 2013 COSO Framework.

The COSO Guide is both user-friendly and pragmatic in its design. Each chapter is organized to provide a clear snapshot of how individual fraud risk management principles align with the COSO 2013 Framework’s components and principles, and outlines unique characteristics for each fraud risk management principle within specific points of focus. These points of focus are structured similarly to those contained in the 2013 COSO Framework and are useful in considering the design and operating effectiveness of management’s own fraud risk management capabilities. Whether an organization is new to the topic of fraud risk management or seeking a more detailed view on the “how-to” of certain fraud risk management activities, the COSO Guide provides information that is both thorough and thoughtful, as well as applicable to a variety of audiences.

Whether an organization is in pursuit of a “best-in-class” fraud risk management program, or simply looking to enhance certain elements of its anti-fraud control activities, below are some suggestions for utilizing the information and templates included within the COSO Guide:

  • Map and analyze the fraud risk management process for improvement opportunities
  • Evaluate whether there is proper oversight and assignment of resources for fraud control activities
  • Create or update the organization’s fraud control policy
  • Conduct a fraud risk management survey
  • Expand documentation and visualization of the organization’s fraud risk and controls matrix
  • Assess the organization’s list of potential fraud exposures
  • Review the organization’s fraud response plan
  • Implement a data analytics framework
  • Enhance awareness of fraud risk through communication with various organizational constituencies

It is important to note that the COSO Guide offers insights into leading practices encompassing fraud prevention, detection and deterrence. It is not intended to create a prescriptive standard for either fraud risk management or fraud risk assessment. Furthermore, there is no “one size fits all” approach to fraud risk management and fraud risk assessment. Each process needs to be tailored to an organization’s operations, objectives, industry, people, geographies and technologies.

Finally, it is critical to recognize that fraud is a highly dynamic event. There is no guarantee that an organization will be free from its occurrence or effect simply because it has implemented leading practices. The ability to prevent and detect fraud can — and should — evolve with the organization’s internal control framework, and the COSO Guide provides a clear roadmap that can help drive organizations toward excellence in fraud risk management.

New Evaluation Tool Enables Boards to Assess and Improve Their Risk Oversight


By Jim DeLoach, Managing Director




Prudent risk-taking is essential to the success of organizations seeking market opportunities and executing aggressive growth strategies. Boards of directors have a growing role in overseeing risk in the companies they govern. In fact, risk oversight is an integral part of a board’s responsibility to ensure the company’s risk profile is aligned with its strategy. Yet according to a NACD study, only three of 10 directors have sufficient knowledge and understanding of their board’s emerging risks.

Identifying and understanding emerging risks is critical, as directors know that disorder and disruption are no longer the exception but the norm. Resilient organizations are the ones that are most likely to survive and thrive in this changing world, and boards play a key role in fostering resiliency in the companies they serve. Investors and regulators are recognizing the importance of boards taking an active approach to risk oversight and applying leading risk oversight practices. Every board has an opportunity to disclose beyond the boilerplate in the proxy statement.

Because it is imperative that directors stay educated about new and emerging risks, we believe that boards should evaluate the effectiveness of their risk oversight practices from time to time. This evaluation is more effective when it is accompanied by a sound process and by insights that give directors assurance that the evaluation exercise is sufficient. That’s why Protiviti is excited to collaborate with The Board Institute (TBI) in developing the TBI Protiviti Board Risk Oversight Meter for boards that want to enhance and improve their risk oversight process.

The TBI Protiviti Board Risk Oversight Meter is a recent addition to The Board Institute’s suite of world-class, validated tools. It is unique in that it offers a flexible, cost-effective method for boards to self-evaluate their risk oversight in an objective, participatory exercise. Participants, who include directors and others chosen by the board, can provide input regarding the board’s processes using a web-based tool which saves time and simplifies the usual logistics to conducting board self-evaluations. It also allows participants to contribute their responses according to their own schedules.

Using the information gathered, the tool generates results in a robust, insightful and actionable report that highlights not only the board’s strengths in overseeing risk, but also the areas where the board can improve its practices. In this regard, the report includes quantitative and qualitative information, as well as anonymous commentary that provides further color and context to the results. Additionally, the report benchmarks against best practices and validates the quality of risk oversight considering the expectations of key constituencies in the marketplace. The overlay of best practices and market information enables directors’ confidence, by making it possible for them to come up to speed quickly and improve their risk oversight continuously in these rapidly changing times.

What I like most about the TBI Protiviti Board Risk Oversight Meter is that it not only supports a board best practice (i.e., periodically self-evaluate the board’s effectiveness), but mirrors how boards execute that practice. Having assisted boards with their self-assessment exercise, I particularly like how the tool can facilitate dialogue among directors as to where, how and why to improve their risk oversight process. That is what you look for in a tool of this nature in the board space. And because assessments can be repeated, the oversight process can be refreshed continually to stay current with a dynamic business environment.

Are you focused on improving risk oversight at your company? Engage in a dialog with us. To learn more, click here.