Risk is a double-edged sword for insurance companies. On one hand, customers buy coverage because their businesses face a variety of risks. On the other hand, risk management challenges for the insurance industry are numerous. These include risks like “underwriting, credit, market, operational, liquidity risks, etc.,” according to the National Association of Insurance Commissioners (NAIC).
Insurance companies operate under the increased scrutiny of a tightening regulatory environment. About a year ago, the NAIC expanded its required assessment framework, called the Own Risk and Solvency Assessment (ORSA). ORSA is defined as “an internal process undertaken by an insurer or insurance group to assess the adequacy of its risk management.”
ORSA goes beyond the SEC disclosure requirements that have universal applicability. It requires firms to “analyze all reasonably foreseeable and relevant material risks…that could have an impact on an insurer’s ability to meet its policyholder obligations.”
Next, we’ll take a closer look at some specific concerns, as well as risk management challenges and best practices for the insurance industry.
The minimum threshold for an ORSA program requires yearly analysis of all material risks. Companies must prove risk assessments have been undertaken at the organizational level where the risk activity takes place, not just at the senior management level. Organizations ensure this occurs by setting a “tone from the top.”
Take a more detailed look at ORSA and how it affects insurance organizations by reading our five-part blog series. To determine how well your organization’s risk management program meets ORSA requirements, use the complimentary RIMS Risk Maturity Model, recommended by the NAIC and the Institute of Internal Auditors. The Risk Maturity Model will confirm which aspects meet ORSA requirements and identify the areas most in need of improvement. The companion audit guide (also complimentary) then details best practices for making those improvements.
ORSA compliance alone can be a major risk management challenge without an ERM solution that consolidates information. When any manager can evaluate risks in his or her own sphere of responsibility, however, it’s very easy to “roll” assessments up to the next level. Reporting, whether for annual ORSA assessments or a board meeting, becomes a simple matter of presenting information already existing in the system.