Regulatory Risk

Are You Ready For ORSA?

Insurers can leverage ORSA compliance to strengthen enterprise risk management.
October 15, 2013

After years of planning and input from the insurance industry, the Own Risk and Solvency Assessment (ORSA) requirement will soon come to fruition for insurers.

Many jurisdictions — including the United States, Canada, the EU and Bermuda — will hold companies responsible for maintaining an ORSA process and providing periodic summary reports as part of their solvency regulatory regimes.

With widespread consensus about the requirements and agreement that the final regulations be in place no later than 2015, the time has arrived for insurers to proactively plan their compliance strategies and determine how ORSA can boost existing enterprise risk management (ERM) practices within their organization.

However, insurers must understand a number of core concepts that will help drive substantial returns on ORSA efforts and investments before building the ORSA implementation work plan.

Do Not Underestimate ORSA

The ORSA Guidance Manual is a moderately quick read, and the key concepts are summarized within the first few pages of the document. But this simplicity is deceptive; a number of important subtleties and nuances are embedded across a number of critical risk areas.

Collectively, these factors make ORSA compliance — both in the short and long terms — a more complex proposition.

There are gray areas within the Guidance Manual, where there are substantial gaps between minimal initial compliance standards and bigger-picture opportunities relative to ERM. Those areas include:

• Appetite for Risk. A risk appetite statement can be a very meaningful tool to manage overall risk exposure; however, if poorly defined, it can appear to be meaningless, too qualitative and unrelated to day-to-day operations or decision-making.

The required action is simple: Have executive leadership (board included) clearly state how much risk they are willing to take. That overall risk appetite can then be funneled down through the organization in order to ensure that risk exposure is always within the stated appetite and that formalized processes are used to deal with exceptions.

While such an approach to defining and operationalizing risk appetite is unusual in the industry today, a meaningful risk appetite statement that has been set by management encourages and enables effective ERM frameworks.

• Risk measurement. Another crucial component of understanding risk is the ability to quantify exposure to key risk categories.

Consistency is imperative when trying to compare risks between different risk categories (e.g., market to catastrophe), product lines (e.g., life insurance to homeowners to health insurance) and jurisdictions (e.g., Japan to United States).

While there are many ways to quantify risk, an approach that allows for consistency is critical to providing management with a complete picture of risk exposure.

• Future capital requirements. Typically, risk exposure and capital calculations are executed as of a specific point in time. While this is a key piece of information, the ORSA process requires insurers to project future capital requirements over the next one to three years (utilizing the business plan of the organization).

By incorporating the specific growth products and markets for a company, a prospective look at capital can provide management with critical information as to what the capital requirements may be down the road. Incorporating stress testing can give management a clearer picture of potential threats related to their business plans.

For some product lines and balances, projecting risk capital may seem fairly simple and straightforward. However, for any economic capital measurement or products that involve a stochastic analysis to measure risk-based capital (RBC), the projection of future capital requirements is very complex. Therefore, it is important to think through possible scenarios to simplify calculations while retaining the direction and magnitude of actual results.

Start with ERM Assessments

The connection points between the ORSA process and ERM frameworks are numerous and straightforward, so much so that the requirements outlined in the NAIC ORSA Guidance Manual can be aligned to overarching ERM framework components.

For example, ORSA summary reports will define the existing ERM framework and its outputs. ORSA Section 1 requires information about overall governance arrangements and risk appetites, as well as risk monitoring, policies and internal controls.

Other areas of the report focus on risk reporting, management information, and decision and planning support. In the same way, ORSA reports emphasize risk assessment and measurement — critical components of all ERM frameworks.

This is not to say that ERM frameworks alone are sufficient for ORSA compliance. Rather, ORSA assessments can facilitate the evaluation of current ERM capabilities, identify gaps and prioritize improvement plans.

For instance, ORSA can help insurers address seemingly common organizational struggles such as fragmented committee structures and lack of board participation. Similarly, the ORSA process can help clarify risk identification, risk categorization and control, in addition to risk-reporting issues, including data quality.

Achieving an effective path toward short-term ORSA compliance and bolstering overall ERM practices are not mutually exclusive goals. In fact, operating on both fronts will enable insurers to realize several benefits simultaneously.

A more efficient compliance process can certainly save money through the automation of manual tasks and the reduction of repetitive efforts. An efficient compliance process should be built on insights about current data feeds and information assets that can be used for ORSA compliance and a clear picture of the resources necessary for compliance.

Looking at longer-term ERM capabilities, ORSA provides clear justification for insurers to cast a more critical eye on current structures and practices, and identify gaps and opportunities for improvement. In this sense, it is a unique opportunity to drive maturity into ERM models and help position risk management programs and teams for future evolution.

Questions to Assess Readiness

Insurers should ask themselves the following questions to assess their own readiness for ORSA:

• Does the company understand the requirements in the ORSA Guidance Manual and the key components of ICP 16 on ERM?

• Is a documented risk appetite statement used to inform business decision-making?

• Is exposure for all types of risks measured in a consistent way?

• Can your organization project future risk capital requirements consistent with short-term business plans?

• Is it possible to create a group-wide risk and capital assessment with a consistent measurement framework?

If you answered “yes” to all of these questions, your organization is on the right track to deliver quality ORSA summary reports.

Organizations answering “no” to any of these questions should not panic because there is still time to enhance capabilities prior to ORSA’s effective date. Some of the items on the list above are straightforward and manageable. Others, however, can be complex and require substantial planning and resources to execute.

But, once implemented, capabilities like risk appetite, consistent risk quantification, projection of capital, and group-wide risk and capital assessments are tremendously valuable tools for effective ERM programs and for providing your management team with a much clearer picture of companywide risk exposure.

James Collingwood is an actuarial consultant with Ernst & Young LLP in the Chicago office.
