Using an ORSA to Support Risk Analysis and Prioritization

Personally, I like to find the good in situations – or the silver lining – even when it comes to something as unpleasant as regulations.

I totally understand the sighs, eyerolls, and general cynicism when the subject of regulations comes up. As someone who started her post-college career as an insurance regulator in Florida, I did my best to make compliance as painless as possible.

Which regulations apply to your company depends on your industry, location, and a host of other factors.

For banks, financial services, and insurance companies, there are risk-related regulations these companies must follow, most of which began cropping up as a response to the ‘08/’09 financial crisis.

International banks have Basel III, while publicly traded firms in the U.S. have to follow regulations set forth by the U.S. Securities and Exchange Commission (SEC).

For insurance companies (known as “carriers”), an industry I’ve worked closely with as a regulator, industry insider, and now consultant, there’s ORSA, which is short for Own Risk and Solvency Assessment.

Developed by the National Association of Insurance Commissioners (NAIC), ORSA has been adopted in all 50 states, plus Puerto Rico and the Virgin Islands. Other jurisdictions or regulators like FINMA in Switzerland have their own version of ORSA.

With very few exceptions, U.S.-domiciled stand-alone carriers with $500+ million in written premiums, and carrier groups with over $1 billion in written premiums, must submit an ORSA report annually to their respective state’s regulator.

The NAIC defines ORSA as a…

“… confidential internal assessment, appropriate to the nature, scale, and complexity of an insurer or insurance group of the material and relevant risks associated with the insurer or insurance group’s current business plan, and the sufficiency of capital resources to support those risks.”

ORSA is not synonymous with the company’s ERM framework, as some say, but rather a part of it, or as the NAIC states, “…is intended to be integrated into the insurer’s overall ERM framework and utilize existing risk management processes.”

Some of the basics of what regulators are seeking to understand at a high level through the ORSA report include:

  • The quality of the company’s risk governance and oversight structure, or a high-level view of the company’s ERM framework.
  • How the company or group of companies identifies and categorizes risks, and subsequently, assesses and monitors those risks.
  • Projected outcomes of potential scenarios using a tool we’ve discussed at great length before, scenario analysis.
  • Economic capital modeling of the different scenarios to determine the impact to the company’s financial solvency should a risk or a combination of risks occur. This is essentially meant to help determine if the company has the financial resources to handle exposure to the risks that have been identified.

(Modeling is an area where SDS is now partnered with an expert, Graeme Keith, of Stochastic ApS.)

This (of course) is a high-level, non-insurance overview of what goes into an ORSA report. For more details on the report’s different components, check out the ORSA Guidance Manual directly from the NAIC and our own ORSA article that provides some more information about the report itself. Be forewarned though that it will contain insurance jargon that may be hard to follow.

Realizing that most SDS readers are NOT from the insurance industry, the purpose of today’s article is more than a simple overview of the ORSA regulation.

For insurance carriers, especially ones in disaster-prone areas like Florida, the ORSA report is a great tool for helping regulators and the company understand the quality of risk oversight and the financial impacts should one (or more) risk event occur.

But as the list above makes clear, the ORSA concept doesn’t have to be limited to the insurance industry.

Like we discuss in a previous article on retooling other processes for ERM purposes, the ORSA report is another tool that can be tweaked for any type of organization into a powerful risk analysis and prioritization tool.

The concepts found within ORSA can serve multiple purposes – think of it like a blueprint you can then plug ERM tools and processes into to gain valuable insights to improve decision-making.

Specific ways ORSA can serve a dual function for your company include:

  • Right-sizing ERM governance/oversight – part of what insurance regulators are looking for is assurance that the ERM program or function rests on a solid foundation. Does the structure of any ERM program fit the company’s needs and culture? This section of ORSA can also help management by serving as a blueprint for where changes can be made to improve how your company approaches ERM.
  • Effectiveness reviews of risk processes – the next item insurance regulators are seeking to understand is the processes by which the insurer identifies, assesses, and subsequently responds to and monitors risks. Again, ORSA can simply be management’s blueprint for assessing the effectiveness of ERM processes, similar to a risk and control self-assessment we discuss in a previous article.
  • Gain clarity on how risk(s) will impact the organization(s) – the scenario analysis and economic capital modeling sections of ORSA are arguably where the real insights lie. Not only do these tools enable you to see the financial impact of a stand-alone risk, but they also enable you to combine risks into different scenarios to understand cumulative financial impacts to facilitate prioritization.

As we mention regularly (almost incessantly really), ERM should be focused on helping the company achieve objectives and not just avert failure. It’s easy for companies in any industry to fall into the ‘enterprise list management’ trap when it comes to compliance.

Just because regulators approach their work with an “audit” or “compliance” mindset by default doesn’t mean their requirements cannot be molded to provide assurances to management that ERM is ultimately helping the company achieve its goals.

Because in the end, a company will not survive very long without taking risks and achieving goals.

It’s natural to shudder at the thought of regulations, especially when they’re done in a way that hinders progress. However, as this example of ORSA shows, there are instances where regulations can be molded into a strategic advantage when approached with an open mind or ‘glass is half full’ approach.

Are there regulations your company uses to create a competitive advantage?

Please join the conversation on LinkedIn to share your thoughts.

And if you’re struggling with risk analysis or some other processes and interested in finding creative solutions, please reach out to me directly to discuss your specific situation.


Meet Carol Williams, SDS Founder & Lead Strategist

To our readers:

This blog was launched to provide strategy and risk practitioners with a go-to resource to better guide their efforts within their companies. Thank you for bringing me and my team along to be part of your journey towards better risk management, strategic planning and execution, and overall decision-making. Happy reading!
