orsa - Blog - Global Risk Community
Feed: https://globalriskcommunity.com/profiles/blogs/feed/tag/orsa (last updated 2024-03-28T13:08:51Z)

Writing an ORSA Report
https://globalriskcommunity.com/profiles/blogs/writing-an-orsa-report
Published 2014-10-29T10:30:00.000Z by Riskviews (https://globalriskcommunity.com/members/Riskviews)
<div><p>Insurance regulators have made the Own Risk and Solvency Assessment (ORSA) a requirement under the global <a href="http://www.iaisweb.org/view/element_href.cfm?src=1/20567.pdf" title="Insurance Core Principle 16 Enterprise Risk Management for Solvency Purposes">Insurance Core Principles</a> (ICP 16), which are meant to be adopted in all countries.</p><p>By <a href="http://blog.willis.com/author/daveingram/" title="View all posts by Dave Ingram">Dave Ingram</a></p><p>Several countries have already adopted an ORSA requirement, and in all cases there is a need for a report to share with the regulator that documents the ORSA process.</p><p>The ORSA report itself is an example of <a href="http://blog.willis.com/2014/03/guide-to-erm-risk-management-disclosures/" target="_blank">risk management disclosure</a>. 
A company that has no history of disclosure of risk management information may struggle with creating an ORSA report that communicates its risk management efforts with sufficient, but not overwhelming, detail.</p><p>And while the requirements vary slightly, in most jurisdictions the board has a prescribed minimum role in the ORSA process.</p><p>That role may be a shock to boards that have not been involved in a process of risk management governance prior to the first ORSA process and report.</p><p>In the U.S., the <a href="http://www.naic.org/store/free/ORSA_manual.pdf" target="_blank">National Association of Insurance Commissioners</a> (NAIC) has suggested three segments to the ORSA report:</p><p><b>Section 1 – Description of the Insurer’s Risk Management Framework</b></p><p>A discussion of the ERM framework, which includes eight of the ERM practices in the Willis Guide.</p><p>While this section is meant to be descriptive, it is clear that the regulators have some minimum expectations for the particulars of the answers they will be getting.</p><ul><li><a href="http://blog.willis.com/2014/01/erm-practices-risk-identification/">Risk Identification</a> – How the insurer goes about deciding which risks need to be included in its risk management process and considered in the ORSA process, including <a href="http://blog.willis.com/2013/04/what-to-do-about-emerging-risks/">Emerging Risks</a>.</li><li><a href="http://blog.willis.com/2014/01/erm-practices-risk-limits-and-controls/">Risk Limits, Mitigation and Controls</a> – Discussion of the action steps in the risk management program.</li><li><a href="http://blog.willis.com/2014/01/erm-practices-risk-organization/">Risk Organization</a> – Clearly defined roles and responsibilities for the risk management process.</li><li><a href="http://blog.willis.com/2014/02/erm-practices-policies-and-standards/">ERM Policies and Standards</a> – Not specifically requested for the ORSA report, but an insurer that has these 
will have a much easier time pulling together an ORSA report and updates to that report.</li><li><a href="http://blog.willis.com/2014/02/guide-to-erm-risk-appetite-and-tolerance/">Risk Appetite and Tolerance</a> – Seen as foundational elements of a risk management program. Board involvement is expected.</li><li><a href="http://blog.willis.com/2014/03/guide-to-erm-risk-governance/">Risk Management Governance</a> – Clear leadership from the board in the risk management process.</li><li><a href="http://blog.willis.com/2014/03/guide-to-erm-risk-management-culture/">Risk Management Culture</a> – Looking to hear how the company culture supports accountability for risk-related decisions.</li><li><a href="http://blog.willis.com/2014/01/guide-to-erm-risk-measurement-reporting/">Risk Reporting</a> – Good dissemination of risk information is seen as a clear requirement for a lively risk management program.</li></ul><p><b>Section 2 – Insurer’s Assessment of Risk Exposures</b></p><p>This section of the ORSA report is about the processes that the insurer uses to determine which risks are material to the solvency of the enterprise: in other words, a discussion of how risks are assessed by the insurer.</p><ul><li><a href="http://blog.willis.com/2014/01/guide-to-erm-risk-measurement-reporting/">Risk Measurement</a> – The primary topic of this section, which asks how the insurer goes about assessing risks.</li><li><a href="http://blog.willis.com/2014/02/erm-practices-stress-testing/">Stress Testing</a> – An important form of risk measurement that is seen as one tool that must support the ORSA opinion about the sufficiency of the insurer’s capital.</li><li><a href="http://blog.willis.com/2014/02/guide-to-erm-risk-capital/">Risk Capital</a> – The answer to the question, “how much capital does the insurer need?” For the ORSA, the necessary capital is expected to be determined in relation to the risks of the insurer.</li><li><a href="http://blog.willis.com/2014/03/guide-to-erm-interdependence-of-risks/">Interdependence of Risks</a> – While risk independence is one of the supporting pillars of the entire concept of insurance, experience tells us that many risks are partially or fully interdependent. To complete the ORSA process, management must have a clear view of the interdependence of their risks.</li><li><a href="http://blog.willis.com/2014/04/guide-to-erm-economic-capital-model-validation/" target="_blank">Model Validation</a> – While no regulator has suggested substituting the ORSA process for other solvency regimes, they do want an answer to the question, “Why should we believe this?” A model validation process is the best way to answer.</li></ul><p><b>Section 3 – Group Risk Capital and Prospective Solvency Assessment</b></p><p>The final section of the ORSA report explains why management and the board believe that the insurer has sufficient capital to undertake its business plan, even if future experience turns out to be much worse (due to internal or external factors) than is expected in the plan.</p><ul><li><a href="http://blog.willis.com/2014/02/erm-practices-stress-testing/">Stress Testing</a> – The actual solvency testing needs to be performed both under expected conditions and in an adverse environment. Testing the impact of an adverse environment on an insurer is, of course, a stress test.</li><li><a href="http://blog.willis.com/2014/02/guide-to-erm-risk-capital/">Risk Capital</a> – Solvency testing in both the U.S. and Canada is in relation to a risk capital target that is established by the company management and board. In the E.U., the ORSA tests the capital against the Pillar I risk capital requirement of Solvency II.</li><li><a href="http://blog.willis.com/2014/03/guide-to-erm-interdependence-of-risks/">Interdependence of Risks</a> – While the risk capital determination must reflect a view of interdependence, the stress tests may include some scenarios where there are simultaneous occurrences of risks that are otherwise treated as independent.</li><li><a href="http://blog.willis.com/2014/03/guide-to-erm-change-risk" title="WillisWire: Guide to ERM: Change Risk">Change Risk</a> – A unique feature of the ORSA process, at least with regard to the world of regulatory requirements, is that the assessment is permitted to assume that management has some discretion to act in the adverse scenarios that are being projected. A firm with a robust change risk management process will have better justification for assuming robust and timely actions on the part of management.</li><li><a href="http://blog.willis.com/2014/03/guide-to-erm-risk-governance/">Risk Management Governance</a> – In the U.S., the ORSA regulations require that the board review the ORSA report before it is given to the regulator. In other parts of the world, it is often required that the board take a much more active role in the ORSA process. 
But regardless of the minimal stated requirements in the U.S., boards may well want to have a quite lively discussion with management about the ORSA report and the process that led up to the report.</li></ul></div>

ORSA Compliance: An Opportunity, Not An Obligation
https://globalriskcommunity.com/profiles/blogs/orsa-compliance-an-opportunity-not-an-obligation
Published 2014-08-27T14:30:00.000Z by Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p>Starting January 1, 2015, insurers across the United States are subject to a National Association of Insurance Commissioners (NAIC) model law requiring them to annually submit an Own Risk and Solvency Assessment (ORSA). ORSA is a self-assessment of sorts, requiring large and medium-size insurance groups* to report on their current and future risk management process.</p><p>The ORSA Model Act outlines a few basic dimensions on which insurers will be analyzed. They include (1) effectiveness of risk management, (2) documentation of risk processes and results, (3) understanding of risk exposure and current/future solvency, and (4) the high-level annual report.</p><p>ORSA and ERM are inherently linked; as written on <span style="text-decoration:underline;"><a href="http://www.naic.org/cipr_topics/topic_own_risk_solvency_assessment.htm">NAIC’s website</a></span>, “ORSA is not a one-off exercise—it is a continuous evolving process and should be a component of an insurer’s enterprise risk-management (ERM) framework.” The phrase <i>not a one-off exercise</i> here should be emphasized, as many organizations will likely approach ORSA with a dangerous ‘check-the-box’ mentality. 
Any company with this mindset sees ORSA as an obligation, and likely an annoyance.</p><p>In truth, ORSA provides a valuable opportunity for insurers to integrate risk management with a range of business processes, such as compliance with the NAIC’s <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/grc-software/sox-financial-compliance/">Model Audit Rule</a></span> or even strategic planning. In doing so, insurers are able to take a mandatory compliance activity and turn it into a value-add for the business. The ability to align ORSA compliance with other business processes (e.g. <a href="http://www.logicmanager.com/grc-software/it-security-risk-management/">IT Governance and Security</a>, <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/grc-software/business-continuity-planning/">Business Continuity</a></span>, etc.) increases efficiency in all of these areas, helping to build a robust ERM program. This consistency is what drives value from ERM, and has even been <span style="text-decoration:underline;"><a href="http://www.propertycasualty360.com/2014/04/25/mature-risk-management-practices-could-realize-25">linked to market values up to 25% higher</a></span>.</p><p>But what about insurers without an ERM program? They may have the most to gain in the coming year; ORSA serves as a wake-up call, allowing them to structure an ERM framework around this new regulatory process and build a fully functional ERM program over time.</p><p>Like any organizational initiative, ORSA adherence comes with a series of challenges. <span style="text-decoration:underline;"><a href="https://www.acli.com/ann2013/PDFs/presentations/0_Mon102813-ORSA-SullivanManyemLongWilliamsSaldana-UPDATED.pdf">These challenges</a></span> include (1) managing across various stakeholders on the front line, (2) optimizing strategies across the organization, (3) centralized storage of risk management documentation, and (4) avoiding a check-the-box mentality. 
<span style="text-decoration:underline;"><a href="http://www.logicmanager.com/grc-software/">Risk management software</a></span> can address these challenges and greatly increase the speed at which an ERM program provides a return on investment. LogicManager offers a range of tools, including a risk maturity assessment and mentoring to relay successes and best practice.</p><p>ORSA is not just a year-end goal, so it should not be treated like a year-end task. The primary purpose of the process is to foster an effective level of ERM at insurance organizations. Companies with mature ERM programs will benefit by linking ORSA to an already comprehensive enterprise-wide approach to risk management.</p><p><strong>To learn more about how your organization can prepare for ORSA compliance, download this complimentary eBook titled '<a href="http://www.logicmanager.com/orsa-compliance-ebook">ORSA Compliance: 5 Steps to Take in 2015</a>' or watch the on-demand webinar <a href="http://www.logicmanager.com/register-orsa-compliance-webinar">here</a>!</strong></p><p><span class="font-size-1">* Small insurers and insurance groups are generally exempt from the requirements of the Model Act. 
If an individual insurer has annual premiums of less than $500 million and belongs to a group with total annual premiums of less than $1 billion, both the individual insurer and its insurance group are exempt from ORSA requirements.</span></p></div>

RMORSA Part 5: Risk Reporting & Communication
https://globalriskcommunity.com/profiles/blogs/rmorsa-part-5-risk-reporting-communication
Published 2013-10-11T18:00:46.000Z by Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p>Having <a href="http://www.riskmanagementmonitor.com/rmorsa-part-2-risk-identification-and-prioritization/">standardized risk assessments</a> and well-documented <a href="http://www.riskmanagementmonitor.com/rmorsa-part-4-risk-monitoring-control-action-plans/">mitigation and monitoring activities</a> will equip your organization with a lot of risk intelligence. The question becomes: how do you report all of this information to your board and communicate it to your commissioner in a way that demonstrates the value of your ERM program? First, risk managers must be able to demonstrate how risks across the organization roll up to impact the Board’s strategic objectives; second, ERM functions must track key metrics to validate the effectiveness of a formalized risk management approach.</p><p><b>Reporting on Critical Risks</b></p><p>Due to the limitations of spreadsheets, risk managers often have to choose between presenting actionable data that is too granular for the board, or presenting a high-level summary, such as a top 10 risk report, which lacks the context of how risks within business process activities relate to the objectives that senior leadership and the board require. 
However, a common <a href="http://logicmanager.com/erm-software/product/risk-taxonomy/">risk taxonomy</a> allows organizations to gather risk intelligence at the business process level and aggregate it to a high level for senior leadership.</p><p>For the top risks across the organization, risk managers must often provide the more detailed underlying data, such as which business areas are involved, what each area’s profile for the risk is, what the mitigation strategy is, and how the risk is being monitored.</p><p>The most commonly used method to determine the top key risks is to rank risks based on the score from their assessment; this aggregate will depict which risks pose the most immediate danger to the enterprise and should be reported on regularly. The second method uses your common-language root cause library to identify systemic risks. These are risks that have been identified by multiple departments, and may be more easily addressed with corporate-wide policies or procedures than with point solutions. And now that you have a complete and transparent mitigation library, you can publish effective controls from one department to another, reducing overlapping activities in your organization and leveraging the practices of the departments that are most effective in managing risk.</p><p><b>The State of ERM</b></p><p>When demonstrating the value of your ERM program, take a step back to evaluate just how many risks have been identified, and how well risks are being evaluated and mitigated. The common standards established by an ERM program will significantly enhance your risk identification process by allowing you to prioritize efforts toward the most important risks that have the least assurance of control effectiveness. You might find that over the past several quarters, the gap between the number of risks identified and those that have been addressed has grown. 
This isn’t a concern, but rather a sign that your organization has a clear path forward and is beginning to understand its entire risk universe.</p><p>You can also track your progress against the ERM guidelines outlined in the <a href="http://www.rims.org/ERM/Pages/RiskMaturityModel.aspx">RIMS Risk Maturity Model</a>. Providing your executives, board or commissioner with a bi-annual report on the maturity of your ERM program will show which areas you've improved upon and what areas need focus going forward. The Model provides a repeatable process that enables internal audit to validate its quality and effectiveness. This same Model also has the benefit of enabling you to benchmark your program against others in your industry, providing a transparent, third-party evaluation of where your organization stands.</p></div>

RMORSA Part 4: Risk Monitoring, Controls, & Action Plans
https://globalriskcommunity.com/profiles/blogs/rmorsa-part-4-risk-monitoring-controls-action-plans
Published 2013-10-11T13:30:00.000Z by Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p><a href="http://www.logicmanager.com/wp-content/uploads/2013/09/Remorsa-4-Action-Plan1-560x390.jpg" target="_blank"><img src="http://www.logicmanager.com/wp-content/uploads/2013/09/Remorsa-4-Action-Plan1-560x390-300x208.jpg?width=300" width="300" class="align-right" alt="Remorsa-4-Action-Plan1-560x390-300x208.jpg?width=300" /></a>As we move into the 4<sup>th</sup> step of ORSA implementation, Risk Monitoring, Control, and Action Plans, we begin to see the importance of adhering to best practices when executing <a href="http://www.riskmanagementmonitor.com/rmorsa-risk-culture-and-governance/">Risk Culture and Governance</a>, <a href="http://www.riskmanagementmonitor.com/rmorsa-part-2-risk-identification-and-prioritization/">Identification and Prioritization</a>, and <a href="http://www.riskmanagementmonitor.com/rmorsa-part-3-risk-appetite-and-tolerance-statement/">Risk Appetite 
and Tolerances</a>.</p><p>With the necessary structure in place to track and collect risk intelligence, the next step involves orchestrating a plan for improvement. Why is a plan for improvement so critical? Besides limiting the risk exposure of your organization, consider that under the SEC’s <a href="http://www.sec.gov/rules/final/2009/33-9089-secg.htm">Proxy Disclosure Enhancements</a> rule, Boards of Directors and executive leadership can be found negligent for having inadequate or ineffective ERM programs. The caveat? Having a demonstrable plan for improvement can greatly reduce or even exempt companies from penalties under the Federal Sentencing Guidelines.</p><p><b>The Right Way to Monitor Control Activities</b></p><p>Boards and CEOs are depending on risk managers to monitor key risk indicators at the business process level. This can be accomplished in one of two ways: testing and business metrics.</p><p>Testing provides a high-level overview of whether a control is occurring, usually in the form of a simple pass/fail. Testing does not, however, provide actionable steps to take in order to improve a mitigation activity. The result is that many organizations are only testing compliance with internal policies, which may or may not tie back to the specific risks that the policies were designed to mitigate.</p><p>Let’s consider an example. An <a href="http://www.logicmanager.com/erm-software/operational-risk-management-software/insurance/">insurance organization</a> with an online customer service system is experiencing unacceptable downtime, and the right staff members never seem to be available to fix the problem. The organization implements what would appear to be a reasonable control activity by insisting that every member of the support team be trained to refresh the system. 
The company tests internal compliance with this policy by tracking whether the online training has been completed. Unfortunately, even if everyone takes the training, the company has no idea whether this control is fulfilling its purpose.</p><p>In testing compliance with the policy, the organization has lost sight of the risk. If they had tracked a business metric, like system downtime, they would have realized that the controls in place made no difference to the impact or likelihood of system failure. Business metrics might have indicated that the system was going down during peak usage hours, like lunch, when staff were unavailable. With no business metric tracking, the organization continued with a Band-Aid approach when money might have been better spent upgrading system memory.</p><p><b>Developing the Action Plan</b></p><p>To avoid this common pitfall, your key business metrics need to be aligned not only with the control activities you’ve designed, but with the risks they were designed for. <a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/">Keeping track of these linkages</a> can be impossible with two-dimensional spreadsheets, but it is critical to monitoring the risks you’ve identified so that your action plans and control activities are meaningful and measurable.</p><p>As a risk manager, approach process owners in need of assistance with mitigation plans geared toward their most severe risks. As you develop actionable plans for improvement, don’t lose sight of the end goal or fall into the trap of testing controls rather than monitoring risks.</p><p><i>Interested in the best way to monitor or audit your risk management program? 
Check out the </i><a href="http://www.logicmanager.com/risk-maturity-model-audit-guide"><i>RIMS Risk Maturity Model Audit Guide</i></a><i>, also available through the </i><a href="http://www.rims.org/ERM/Pages/RiskMaturityModel.aspx"><i>RIMS Risk Maturity Model</i></a><i>.</i></p></div>

RMORSA Part 2: Risk Identification and Prioritization
https://globalriskcommunity.com/profiles/blogs/rmorsa-part-2-risk-identification-and-prioritization
Published 2013-09-27T15:00:00.000Z by Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p><a href="http://logicmanager.com/wp-content/uploads/2013/09/istock-cyber-crime1.jpg" target="_blank"><img src="http://logicmanager.com/wp-content/uploads/2013/09/istock-cyber-crime1-300x230.jpg?width=300" width="300" class="align-right" alt="istock-cyber-crime1-300x230.jpg?width=300" /></a></p><p><span>The first step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) implementation, <a href="http://www.riskmanagementmonitor.com/rmorsa-risk-culture-and-governance/">Risk Culture and Governance</a>, lays the groundwork and defines roles for your risk management function. The second step, Risk Identification and Prioritization, defines an ongoing risk intelligence process that equips an organization with the data needed for risk-based decision making.</span></p><p><span>The engine behind this process – the enterprise risk assessment – isn’t a new concept, but organizations are finding that the traditional, intuitive ideas for how to conduct risk assessments are inadequate. Too often, risk managers are interviewing process owners and collecting huge quantities of data, only to find that their top 10 risks are entirely subjective and lack any actionable component. 
And what good is a top 10 risk if you can’t answer the inevitable question: what are you going to do about it?</span></p><p><strong><span>Take a Root-Cause Approach</span></strong></p><p><span>The first and most common hurdle risk managers face is that the risks expressed by process owners are so specific to their business area that they can’t possibly be measured against the rest of the enterprise. For example, the IT department may be struggling to find candidates with enough JavaScript experience, or the Health & Safety department might be concerned with an endless string of EPA regulations. Process owners can’t help but think in terms of their immediate environment, but you can make use of their insight by adopting a root-cause approach.</span></p><p><span>The key to this root-cause approach is a common risk library, or <a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/">Taxonomy</a>, that orients the concerns of business areas to a category that you as the risk manager can take action upon. When IT says it can’t find candidates with JavaScript experience, for example, what it’s really expressing is an issue with hiring practices, just as Health & Safety is expressing its concern with the company’s regulatory environment.</span></p><p><span>By categorizing risks, it becomes evident when more than one business area is expressing the same concern, allowing the risk management function to identify and address systemic risks.</span></p><p><strong><span>Use a Single Set of Criteria</span></strong></p><p><span>When engaging a variety of business areas for risk assessments, ensure you’re using a single set of criteria. Often risk managers will begin with a monetary value that represents a critical loss, and they’ll evaluate risks based on that amount. But consider how many process owners in your organization have the financial transparency to operate off of monetary values. 
Chances are, the answer will be very few.</span></p><p><span>To combat the lack of financial awareness, qualitative criteria are essential for operational risk assessments. Create qualitative criteria that will apply to multiple functions. For example, a major risk—such as fraud or embezzlement—might result in a work stoppage, or result in a serious variation from an organization’s business values.</span></p><p><strong><span>Tell a Story to Your Board and Executive Leadership</span></strong></p><p><span>The key to any good story is not only an identifiable villain (your top 10 risks), but also a damsel in distress (your company’s strategic goals). Tying risks to strategic objectives allows you to demonstrate ORSA compliance by orienting your initiative to the executive objectives of the company. When the question is asked “why is this risk a priority?” your top 10 list won’t exist in isolation, but will be mapped back to the priorities already set by the board.</span></p><p><span>Demonstrating risk-based decision making is one of the more difficult elements of ORSA compliance, but it can be accomplished by gathering meaningful, contextual risk intelligence with well-designed risk assessments.</span></p><p><em>For more information on risk assessment best practices, download LogicManager’s ebook, “<a href="http://www.logicmanager.com/ebook-5-steps-for-better-risk-assessments" target="_blank">5 Steps for Better Risk Assessments</a>.”</em></p></div>

RMORSA Series 1: Risk Culture and Governance
https://globalriskcommunity.com/profiles/blogs/rmorsa-series-1-risk-culture-and-governance
Published 2013-09-27T15:00:00.000Z by Steven Minsky (https://globalriskcommunity.com/members/StevenMinsky)
<div><p>The National Association of Insurance Commissioners’ adoption of the <a href="http://www.naic.org/cipr_topics/topic_own_risk_solvency_assessment.htm">Risk Management and Own Risk and Solvency Assessment Model Act</a> (RMORSA) requires insurance organizations to take a broader approach to risk management. As US insurers begin to mobilize their efforts to comply with the regulation by the 2015 deadline, it’s important for insurers to take a step back, leverage their existing risk management operations, and develop their RMORSA efforts with a mind to the future.</p><p>The groundwork for RMORSA was laid by the International Association of Insurance Supervisors’ (IAIS) Insurance Core Principle 16 – Enterprise Risk Management – and many of the ORSA requirements can be fulfilled with the adoption of an ERM framework covering:</p><ol><li>Risk Culture and Governance</li><li>Risk Identification and Prioritization</li><li>Risk Appetite and Tolerances</li><li>Risk Management and Controls</li><li>Risk Reporting and Communication</li></ol><p>Before you scoff at the scope of these requirements, consider that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks “may not require the same scope or depth of review” as organizations with less defined processes. In this blog series, each of the core elements will be examined with an emphasis on preparing your organization for ORSA compliance. Today’s post will explore the first key principle: <b>Risk Culture and Governance</b>.</p><p>As defined by the NAIC, Risk Culture and Governance provides defined roles, responsibilities, and accountability in risk-based decision making. In effect, the principle builds off of a <a href="http://www.sec.gov/news/studies/2011/813study.pdf">2011 SEC mandate</a> requiring corporate boards to document their role overseeing enterprise risk. 
This rule extends the <a href="http://www.logicmanager.com/erm-software/2009/07/22/sec-requires-accountability-for-erm-at-the-board-level/">board's role in risk oversight</a> from C-level risks, activities and decisions to accountability at the business process level. Boards are explicitly given a choice between either having effective risk management or disclosing their ineffectiveness to the public. If they do neither, it is now considered fraud or negligence. Enforcement actions by the SEC have doubled in recent years, so it’s likely your board has already established risk management as a priority, but what does this mean for your organization?</p><p>The first practical issue is that it is no longer sufficient to rely on the audit function as the hub for risk management. Responsibility for risk has always rested with process owners, and ORSA now mandates better oversight under the guidance of a risk management function. For many organizations, the critical first step has been taken by establishing executive responsibility in a Chief Risk Officer (a CRO is actually required to sign off on the ORSA assessment), but without the <a href="http://www.logicmanager.com/erm-software/erm-software.php">appropriate tools</a> to make risk management actionable, accountability beyond the CRO is never properly defined. Front line managers hear “Risk Responsibility” and take the same action they would for other lofty strategic initiatives – that is to say, they take no action at all.</p><p>To engage process owners in a Risk Culture, each business area must take ownership of a subset of the enterprise risks. Risk managers, in effect, do not own the risks to the organization; on the contrary, they own the ERM process. 
Their primary role is to lay the groundwork for risk assessments, aggregate risk intelligence for board reports, and create actionable initiatives for business areas in need of oversight.</p><p>Engaging process owners has the dual effect of permeating an enterprise-wide risk culture while also creating a sense of shared responsibility. The structure defined above also creates three lines of defense, a concept adopted and <a href="https://na.theiia.org/news/Pages/The-Three-Lines-of-Defense-in-Effective-Risk-Management-and-Control-Is-Your-Organization-Positioned-for-Success.aspx">well articulated by The Institute of Internal Auditors</a>. The operational risks are owned by the process owners. The risk management function provides guidance and strategic alignment. And finally, Internal Audit ensures adherence to the proper policies and regulatory standards.</p><p>Risk Culture and Governance cannot be accomplished overnight, but significant progress can be made by adopting and articulating the best practices outlined above. For more information on how you can engage process owners, implement a standardized risk assessment process, and report this information to the board, download our complimentary eBook, “<a href="http://www.logicmanager.com/ebook-presenting-erm-to-the-board">Presenting Risk Management to the Board</a>.”</p></div>