How American Fidelity Assurance Enhanced Third-Party Risk Management and IT Compliance Functions
- GRC
- 19 June 24
Introduction
At the 2023 GRC Summit in Miami, Tice Morgan, Senior Manager, Governance and Compliance, American Fidelity Assurance, discussed how they improved the management of their third-party risks and IT compliance processes, their transformation journey experience with MetricStream, and more. American Fidelity Assurance is a leading health insurance company operating in 49 states across the US.
Here are the excerpts from Tice’s session at the summit.
Challenges
Tice: A lot of our GRC needs were associated with simplifying our compliance program and also looking at how we could better control or at least assess our third parties.
We operate in 49 states, and what I found was that I'm answering the same questions for each of these regulators, sometimes on a quarterly basis, sometimes only on an annual basis. We really wanted to look at a compliance framework that we can customize to allow our organization to harmonize these controls. State once and then use many times.
Having a consistent approach to control and that consistent expectation of evidence has really been a challenge for our organization. And part of that is our ability to tailor our control efficacy and the frequency in which we operate. When the team comes in to test controls, they're going to test it once a year. They're going to do a small sample set. But if we look at the volume, and some of the issues that we've had like any large organization was things slip through the cracks. If they happen to sample one of those slips through the cracks, that control is going to fail for that year. So, what we're actually in the process of implementing it's a monthly control testing component so we can at least catch that up.
The Implementation Journey
Tice: Our GRC program today primarily focuses on third-party risk and IT compliance.
I wanted to start out really small. We started with the Third-Party Risk Management product, and that was a pretty quick deployment. For IT compliance, it's definitely more of a long-term strategy for our organization. And part of that is that the ecosystem is changing – especially on the privacy side.
One of the compelling features of the MetricStream Platform is that it has really helped us enable our organization to be a little bit more efficient and a little bit more consistent about how we support our compliance and our third-party program.
Business Value Realized
Tice: From a key learnings and best practices perspective, one of the things that I always stress is to keep it simple. We had 137 controls when we started, and we've been able to whittle that down to 68 key controls that primarily address the majority. There are always those one offs, and we do accommodate for some of those. But I think those should be more the exception versus the rule.
The other element is to explain, educate, collaborate, and then automate. I will admit that I look at automation in two ways. There are always the technology automation components, system interaction, and API integration. Those are all good, but in a lot of cases, automation can also be just process efficiency.
The other thing is best practices – really understanding the mechanics of what you are trying to assess. The other element is identifying key source systems and reporting requirements. I really can't stress this enough, because in a lot of cases, there are a lot of systems, and getting the data out of those systems [is critical]. The GRC platform that you’re implementing is only a component of your overall compliance function.
The one thing that it does allow us to do is facilitate continuous control monitoring. In a lot of cases, we are working to test controls on a monthly basis. That way, even though our external regulators are going to do it in a quarter or on a yearly basis, we know in advance that we’re going to have an issue with that control. We can go do the awareness, we can go to the communication, the training, augment that control, or refine that control to make sure that evidence is going to be good for us. So, we catch it before the regulator or our internal audit team assesses it. It also allows us to reduce our overall control expectations and the ability to reuse controls for certain things.
You can watch the complete session here:
Find out how we can help you on your GRC journey. Request a personalized demo today!
