Rules and regulations – we all have to deal with them right?
Nowhere is this truer than with financial service and insurance companies, which are by far one of the most tightly regulated industries, especially after the 2008/09 financial crisis.
While much of the world’s attention has been focused on banks and financial firms in the form of the Dodd-Frank legislation, insurance regulations have been undergoing a transformation as well.
Developed by the National Association of Insurance Commissioners (NAIC), regulatory changes are going beyond solvency requirements to include governance, risk management and more. This effort, started in 2010 by the NAIC, culminated with the adoption of ORSA, short for Own Risk and Solvency Assessment.
Before diving into what ORSA means for insurance companies throughout the U.S., I want to first ask – If the regulators are using this tool to examine a company’s risk and their methods and capital resources for handling those risks, then ORSA is just another box on the company’s regulatory compliance checklist, right?
NO!!
As I’ll explain later on, ORSA can bring more value to the organization than simply a regulatory checklist.
In the meantime, I want to talk more about what ORSA is, who it applies to, the components of an ORSA filing, and why regulators are seeking this information.
What is ORSA and what are its goals?
ORSA is model legislation developed by the NAIC that will need to be adopted by individual states. Following many states, Florida passed its version of ORSA in 2016, and it’s expected that all states will adopt the standard or a variant thereof by the end of 2017.
As explained in the NAIC’s guidance manual, part of the ORSA requirement is to conduct:
a confidential internal assessment…of the material and relevant risks associated with the insurer or insurance group’s current business plan, and the sufficiency of capital resources to support those risks.”
The ultimate goal of ORSA is to improve insurance companies’ capability to endure severe weather and man-made events, negative claims trends, and economic downturns that have significantly impacted the financial services industry.
Diving a little deeper, a white paper released jointly by the ERM Committees of the Property Casualty Insurers Association of America (PCI) and RIMS explains:
“ORSA aims for the insurer to demonstrate and document its ability to:
- Withstand financial and economic stress by performing quantitative and qualitative assessments of exposure from material risks in both normal and stressed environments;
- Effectively apply enterprise risk management to support risk and capital decisions; and,
- Provide insights and assurance to external stakeholders regarding financial condition.”
Essentially, ORSA should be part of a company’s ERM framework and is meant to utilize (and improve) existing risk management processes and activities to identify and properly manage the company’s biggest risks.
Who does ORSA apply to?
While I believe it is wise for any insurance company to have a robust ERM framework for a variety of reasons, only companies that fall within the following criteria will be required to comply with these regulations.
- Individual carriers’ whose annual direct written and unaffiliated assumed premiums, including international direct and assumed premiums, exceed $500 million annually. This does NOT include premiums reinsured through the Federal Crop Insurance Corporation or National Flood Insurance Program.
- For carriers who are members of an insurance group, ORSA will be required if premiums exceed $1 billion annually. All other parameters that apply to individual carriers apply to an insurance group. Companies who are part of an insurance group will need to submit their ORSA report to their respective lead state’s agency.
Insurers can apply to their respective state’s agency for a waiver under special circumstances.
Regulatory agencies may require insurers falling outside these parameters to maintain an ERM framework and file an ORSA report based on unique circumstances, which can include:
- Type of business written
- Ownership and organizational structure
- Requests from federal agencies
- International supervisor requests
- Concerns about rapidly growing risk exposures or concentrations of risk.
- The company has triggered an risk-based capital (RBC) company action level event.
- If the regulator deems the company to be in a hazardous financial condition or otherwise troubled.
Even if an insurance company is not currently required to file an ORSA report, it’s a good idea to get ahead of the curve and prepare. For example, I would recommend starting an ERM program now if a company’s premiums are approaching $300 million and the growth projections meet the requirement threshold in the next few years.
Here is the best way to think about it: You will have a learning curve as you implement an ERM program, which will take time. Why not take advantage of the learning curve the regulators will also have right now? Otherwise, the regulators will be more aware of how to evaluate the ORSA report when you are just getting started. Wouldn’t it be best to be learning at the same time?
Regardless of any requirements, having a robust ERM framework is considered an industry best practice. In fact, as mentioned in a previous article on launching an ERM program, organizations like Moody’s, Standard and Poor’s, and A.M. Best are increasingly evaluating ERM as part of their credit and financial ratings.
What is included in an ORSA filing?
It is important to understand that the ORSA –the actual risk assessment portion – is not an insurer’s ERM framework, but rather a part of it. The company’s assessment under ORSA and the report “…link the insurer’s risk identification, assessment, monitoring, prioritization, and reporting processes with capital management and strategic planning.”
The Summary Report and any supporting materials filed with the regulator should provide a high-level understanding of an insurer’s Own Risk and Solvency Assessment. Since the report and any materials from within the organization will contain sensitive information, the filing with the regulator is completely confidential, meaning that any public records laws do not apply.
According to the NAIC’s guidance manual, the ORSA Summary Report includes three main parts.
Section #1 – Description of Insurer’s Risk Management Framework – This section is the core of where ORSA and a company’s ERM framework work together. In short, you won’t be able to conduct an ORSA and file the report without an ERM program at your company.
This section of the report will provide a high-level overview of your company’s ERM framework. How do you identify and categorize (e.g., credit, market, liquidity, people, operational, compliance, underwriting) risks? What tools do you use to assess and monitor risks? What is your company’s risk appetite statement and tolerance? How do you report and communicate risks with key stakeholders?
Check out one of my previous articles to learn more about the core elements of an ERM framework and areas to consider when designing an ERM program.
Section #2 – Insurer’s Assessment of Risk Exposure – The next section in your annual report will provide a high-level summary of both quantitative and qualitative assessments of the company’s exposure for each of the risk categories outlined in Section #1. These assessments will need to be done for both normal and stressed operating environments.
This section will also include more detailed information on your company’s material and relevant risks (typically called “Top Risks”), methods you used to assess them, mitigation activities, and projected outcomes of possible scenarios.
While many risk categories can be measured through quantitative analysis and economic capital modeling (ECM), certain risks, especially in the operational or reputation categories, will only be measurable through a qualitative assessment.
Disclaimer: my experience with modeling is quite limited – this rather technical task is usually handled by an actuary or data scientist. To learn more about ECM modeling aspects of ORSA, check out this presentation from Conning and Milliman.
But when it comes to qualitative or quantitative risk assessments not involving modeling…this is what I know! I describe risk assessments at a high-level in my articles comparing traditional risk management and ERM and creating ERM framework governance documentation.
A recent study by Protiviti and St. John’s University found that the quantitative and qualitative assessments for the stressed environments ranked as the highest and third highest challenges for completing the ORSA report.
Section #3 – Group Risk Capital and Prospective Solvency Assessment – The best way to describe section #3 is that it combines quantitative measures of risk exposure from section #2 with qualitative parts of your framework to determine if your company has the financial resources to handle risk exposures.
This section of the report will consist of two sub-sections – Group Assessment of Risk Capital (A) and Prospective Solvency Assessment (B).
The purpose of sub-section A is to help the regulator understand the company’s capital reserves and their adequacy “…in relation to its aggregate risk profiles,” according to NAIC’s guidance manual. The “aggregate risk profiles” is referring to the total risk exposures based on the risk assessments that have been conducted for the entire group, not an individual company. If the report is only for one company, then of course the risk profile is for the single company. Basically, sub-section A is going to tell the regulator if the company or group has sufficient capital to withstand the expected impacts of the identified risks.
Internal processes for making the group assessment should align with the company’s management and decision-making culture. In addition to this information, the ORSA model legislation requires insurers to explain methods used in conducting this analysis.
Oh, and that study by Protiviti and St. Johns – it found that the group assessment was the fourth hardest challenge of the ORSA report.
Sub-section B includes some of the same capital adequacy information outlined above but instead focuses on future conditions. How will you prepare for risk events in the future? How will your company deal with future changes to your risk profile? Are there any emerging risks that may impact the organization in the future? The Prospective Solvency Assessment should include normal and stressed operating environments.
It doesn’t get any easier…this sub-section was the second hardest challenge within the ORSA report.
While the ORSA report will not go into as much detail as your internal reporting – the filed version is a summary, after all! – it needs to be consistent with how ERM information is presented and communicated to senior management, the board of directors, and any other appropriate personnel.
Is ORSA just another compliance activity? My thoughts…
As explained earlier, ORSA should be part of a company’s ERM framework and is meant to utilize (and improve) existing risk management processes and activities to identify the company’s biggest risks. Without a properly designed and functioning ERM program, aggregating risks and identifying interdependent risks to include in an ORSA report will be really difficult, especially at the group level.
This doesn’t mean that insurance companies can just complete a yearly assessment and file the ORSA report– the process should not be viewed as just checking off another box, but rather as a reason to review existing forecasting processes, risk-related procedures, use of capital, and data and analytics standards.
An ERM program can be a powerful tool to help ensure management achieves strategic and operational objectives, but it must be ongoing and not stagnate like many programs do.
To further encourage the use of an ERM program, that same study conducted by Protiviti and St. John’s University found:
- 2 out of 3 insurance companies believe that ORSA will help the organization improve the identification and management of strategic risks.
- Nearly 3 out of 4 insurance companies believe that preparing for ORSA reporting will lead to an improved process.
Despite the overwhelming view that ORSA can help a company improve its ERM process, the study also revealed concerns that many insurance companies have. These include:
- Just over half of survey respondents believe that heightened regulatory scrutiny will change the type of insurance products they offer.
- Many insurance organizations view ORSA to be a requirement that will lead to significant changes in governance and formalization of ERM programs and frameworks.
- More than half of all survey respondents indicated management is not comfortable that they have examined all possible risk outcomes in stress tests.
- The board may be more skeptical than management about current risk reporting. This includes timeliness and content of risk reports, depth of discussions into ERM processes, the level of understanding by board directors of the company’s risks, and the extent of engagement with the board by management over risk matters.
Overall, ORSA is a valuable exercise for any insurance company, even those who are not required to meet this regulatory obligation – but there are challenges along the way.
Regardless of whether you’re starting from scratch or your program is simply stuck in neutral, my experience as both a regulator and an ERM practitioner at a property insurance company equips me to help organizations that need to meet the ORSA requirement and want a powerful tool for helping to achieve objectives.
If you need assistance with your ERM program or determining your next steps down the ORSA path, please don’t hesitate contact me today!