Brett Curran is a chief compliance officer with a lot on his plate.
At Dallas-based insurance provider UICI, its his job to ensure that the companys 3,000 employees know their obligations for financial reporting, record-keeping and dealing with the public.
Thats a tall order. As a publicly traded company, UICI must comply with rules issued by the Securities and Exchange Commission and laws such as the Sarbanes-Oxley Act. Since it operates in the financial world, UICI also faces money-laundering and anti-fraud regulations. UICI sells products directly to consumers, so the National Do Not Call Registry comes into play. And one of its primary businesses is selling health insurance—so compliance with HIPAA (Health Insurance Portability and Accountability Act) privacy rules is required.
The story begins in mid-2001, as HIPAA loomed on the horizon. UICI executives decided they could not continue the companys strategy of letting each of its eight divisions manage compliance training on its own. HIPAA regulations would affect the whole enterprise, so management gave Curran his marching orders: Build a consistent, enterprisewide platform to track compliance procedures and monitor training.
"I began to realize that this was going to be a challenge largely of documentation, policies, procedures, training, tracking of the training—those sorts of things," said Curran, who had more than a decades experience in UICIs IT department. "I realized the big challenge in keeping current documentation."
A business immersed in the details of compliance training faces a risk if it misses a new rule, said Dave DeMartino, head of marketing for Prime Associates Inc., a Clark, N.J., consultancy focused on compliance needs. The content and IT requirements can be managed by an outsourced training provider; for the business the heavy lifting is more about structuring the application well rather than installing hardware or migrating software.
Curran said he envisioned a platform that could handle training not only for HIPAA but also for other regulations that might arise—and even for routine departmental procedures such as filing a claim. Company executives would identify procedures to comply with HIPAA (procedures for other regulations would come later) and store them in a repository. Employees could tap the repository for training, and management could use it for a birds-eye view of compliance know-how.
Currans first move, in late 2001, was to turn to PricewaterhouseCoopers Global Risk Advisory Services practice. He especially wanted to know what PWCs other clients were doing "for this onslaught of paper management."
PWC replied that nobody had devised a solid solution yet. Curran then asked PWC to find a knowledge management tool, "so that as we begin building our policies and procedures, we can populate this repository and then use that same content to drive our training."
By early 2002 PWC recommended Axentis Corp. and its flagship Axentis Enterprise software. Curran had also consulted analysis companies and professional colleagues and found several vendors that offered products to manage compliance training or to monitor such training—but not one product to manage both.
"As I recall there were only a couple that were even in the ballpark at that time," Curran said. "None of them—including Axentis—could meet all the business requirements we had identified."
Since Axentis was the best fit for what Curran wanted, in July 2002 he crafted a triumvirate to develop a compliance management system: PWC would bring consulting expertise on compliance requirements, Axentis would deliver a technology platform, and UICI would provide an operations perspective on what would work within the company.