RMORSA Series 1: Risk Culture and Governance

The National Association of Insurance Commissioners' adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) requires insurance organizations to take a broader approach to risk management. As US insurers begin to mobilize their efforts to comply with the regulation by the 2015 deadline, it’s important for insurers to take a step back, leverage their existing risk management operations, and develop their RMORSA efforts with a mind to the future.

The groundwork for RMORSA was laid with the International Association of Insurance Supervisors’ (IAIS’) Core Principle 16 – Enterprise Risk Management – and many of the ORSA requirements can be fulfilled with the adoption of an ERM framework:

  1. Risk Culture and Governance
  2. Risk Identification and Prioritization
  3. Risk Appetite and Tolerances
  4. Risk Management and Controls
  5. Risk Reporting and Communication

Before you scoff at the scope of these requirements, consider that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks “may not require the same scope or depth of review” as organizations with less defined processes. In this blog series, each of the core elements will be examined with an emphasis on preparing your organization for ORSA compliance. Today’s post will explore the first key principle: Risk Culture and Governance.

As defined by the NAIC, Risk Culture and Governance provides defined roles, responsibilities, and accountability in risk-based decision making. In effect, the principle builds off of a 2011 SEC mandate requiring corporate boards to document their role overseeing enterprise risk. This rule extends the board's role in risk oversight from C-level risks, activities and decisions to now having accountability at the business process level.  Boards are explicitly given a choice between either having effective risk management, or disclosing their ineffectiveness to the public. If they do neither, it is now considered fraud or negligence.  Enforcement actions by the SEC have doubled in recent years, so it’s likely your board has already established risk management as a priority, but what does this mean for your organization?

The first practical issue is that it is no longer sufficient to rely on the audit function as a hub for risk management. Risk has always been the responsibility of process owners, and ORSA is now mandating better oversight under the guidance of a risk management function. For many organizations, the critical first step has been taken by establishing executive responsibility in a Chief Risk Officer (a CRO is actually required to sign off on the ORSA assessment), but without the appropriate tools to make risk management actionable, accountability beyond the CRO is never properly defined. Front line managers hear “Risk Responsibility” and take the same action they would for other lofty strategic initiatives – that is to say, they take no action at all.

To engage process owners in a Risk Culture, each business area must take ownership of a subset of the enterprise risks. Risk managers, in effect, do not own the risks to the organization; on the contrary, they own the ERM process. Their primary role is to lay the groundwork for risk assessments, aggregate risk intelligence for board reports, and create actionable initiatives for business areas in need of oversight.

Engaging process owners has the dual effect of permeating an enterprise-wide risk culture, while also creating a sense of shared responsibility. The structure defined above also creates three levels of defense, a concept adopted and well-articulated by The Institute of Internal Auditors. The operational risks are owned by the process owners. The risk management function provides guidance and strategic alignment. And finally, Internal Audit ensures adherence to the proper policies and regulatory standards.

Risk Culture and Governance cannot be accomplished overnight, but significant progress can be made by adopting and articulating the best practices outlined above. For more information on how you can engage process owners, implement a standardized risk assessment process, and report this information to the board, download our complimentary eBook, “Presenting Risk Management to the Board.”


Steven Minsky is a recognized thought leader in risk management, CEO and Founder of LogicManager. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts and published action plans to help organizations prepare.
