Insurance regulators have made the Own Risk and Solvency Assessment (ORSA) into one of the global Insurance Core Principles that need to be adopted in all countries.
By Dave Ingram
Several countries have already adopted an ORSA requirement and in all cases, there is a need for a report to share with the regulator that documents the ORSA process.
The ORSA report itself is an example of risk management disclosure. A company that has no history of disclosure of risk management information may struggle with creating an ORSA report that communicates their risk management efforts with sufficient, but not overwhelming, detail.
And while the requirements vary slightly, in most jurisdictions the board has a prescribed minimum role in the ORSA process.
That role may be a shock to boards who have not been involved in a process of risk management governance prior to the first ORSA process and report.
In the U.S., the National Association of Insurance Commissioners (NAIC) has suggested three segments to the ORSA report:
Section 1 – Description of the Insurer’s Risk Management Framework
A discussion of the ERM framework which includes eight of the ERM practices in the Willis Guide.
While this section is meant to be descriptive, it is clear that the regulators have minimal expectations for the particulars of the answers that they will be getting.
- Risk Identification – How the insurer goes about deciding which risks that need to be included in their risk management process and in consideration for the ORSA process, including Emerging Risks.
- Risk Limits, Mitigation and Controls – Discussion of the action steps in the risk management program.
- Risk Organization – Clearly defined roles and responsibilities for the risk management process.
- ERM Policies and Standards – Not specifically requested for the ORSA report, but an insurer that has these will have a much easier time pulling together an ORSA report and updates to that report.
- Risk Appetite and Tolerance – Seen as foundational elements of a risk management program. Board involvement is expected.
- Risk Management Governance – Clear leadership from the board in the risk management process.
- Risk Management Culture – Looking to hear how the company culture supports accountability for risk related decisions.
- Risk Reporting – Good dissemination of risk information is seen as a clear requirement for a lively risk management program.
Section 2- Insurer’s Assessment of Risk Exposures
This section of the ORSA report is about the processes that the insurer uses to determine which risks are material to the solvency of the enterprise: in other words, a discussion of how risks are assessed by the insurer.
- Risk Measurement – The primary topic of this section which asks how the insurer goes about assessing risks.
- Stress Testing – An important form of risk measurement that is seen as one tool that must support the ORSA opinion about the sufficiency of the insurer’s capital.
- Risk Capital – The answer to the question, “how much capital does the insurer need?” For the ORSA, the necessary capital is expected to be determined in relation to the risks of the insurer.
- Interdependence of Risks – While risk independence is one of the supporting pillars of the entire concept of insurance, experience tells us that many risks are partially or fully interdependent. To complete the ORSA process, management must have a clear view of the interdependence of their risks.
- Model Validation – While no regulator has suggested substituting the ORSA process for other solvency regimes, they do want an answer to the question, “Why should we believe this?” A model validation process is the best way to answer.
Section 3 – Group Risk Capital and Prospective Solvency Assessment
The final section of the ORSA report explains why management and the board have sufficient capital to undertake their business plan, even if future experience turns out to be much worse (due to internal or external factors) than is expected in the plan.
- Stress Testing – The actual solvency testing needs to be performed both under expected conditions and in an adverse environment. Testing the impact of an adverse environment on an insurer is, of course, a stress test.
- Risk Capital – Solvency testing in both the U.S. and Canada is in relation to a risk capital target that is established by the company management and board. In the E.U., the ORSA tests the capital against the Pillar I risk capital requirement of Solvency II.
- Interdependence of Risks – While the risk capital determination must reflect a view of interdependence, the stress tests may include some scenarios where there are simultaneous occurrences of more independent risks.
- Change Risk – A unique feature of the ORSA process, at least with regard to the world of regulatory requirements, is that the assessment is permitted to assume that management has some discretion to act in the adverse scenarios that are being projected. A firm with a robust change risk management process will have better justification for assuming robust and timely actions on the part of management.
- Risk Management Governance – In the U.S., the ORSA regulations require that the board review the ORSA report before it is given to the regulator. In other parts of the world, it is often required that the board take a much more active role in the ORSA process. But regardless of the minimal stated requirements in the U.S., boards may well want to have a quite lively discussion with management about the ORSA report and the process that led up to the report.