US ORSA heralds a brave new world 23 October 2012 Last month, the NAIC adopted the Risk Management Own Risk and Solvency Assessment model act. The move marks a dramatic shift for the industry and US insurers should start preparing for the ‘game-changing' ORSA now, not wait until 2015, say Howard Mills and Elisabetta Russo

The own risk and solvency assessment (ORSA) in brief Sometime in 2015, the first American insurer will file with its domestic regulator the first-ever own risk and solvency assessment (ORSA) summary report to be formally filed in the US. By the end of that year, the vast majority of insurers operating in the member jurisdictions of the National Association of Insurance Commissioners (NAIC) will have followed suit. That first ORSA filing, expected to be mandated as a result of state adoption of the NAIC's Risk Management and Own Risk and Solvency Assessment (RMORSA) model act, will represent, in the words of Pennsylvania deputy insurance commissioner Steve Johnson, "a game changer for the insurance industry." This first filing will be the culmination of a years-long process of preparation as insurance regulators worldwide laboured to create a new regulatory framework capable of withstanding economic shocks such as the one that battered the financial services sector and the larger economy in 2008. It will mark the complete integration of a robust risk management function as a basic regulatory expectation. For insurers, getting to that first ORSA may require a significant investment of time, talent, and resources.

Howard Mills, Deloitte

The ORSA will represent a major step in solvency regulation modernisation, and as Johnson indicated, may well be considered one of the most significant events in insurance regulation in general and enterprise risk management (ERM) in particular in recent decades. An integral part of proposed new solvency regimes globally, the ORSA symbolises a commitment by both regulators and regulated to a customised, forward-looking system of solvency regulation, involving a more holistic real-time assessment of risk and its short- and medium-term impact on insurers.

The ORSA is an integrated framework using several tools to give a forward-looking vision of the risk and solvency position of an insurer. It encompasses both quantifiable and non-quantifiable risks in the near- to medium-term future. With the ORSA, companies bear significant responsibility for determining their capital standing and adequacy. It facilitates an insurer's full integration of ERM into decision-making. As envisioned, the ORSA is expected to be a key part of both the ERM framework and of the supervisory review process.In the US, the ORSA also adds a focus on group solvency and interrelated risks to an American solvency regime that largely has been focused at a legal-entity level.

Global regulators have placed the ORSA in this central role in the emerging global solvency regulatory frameworks in response to the revised Insurance Core Principles (ICPs) adopted in October 2011 by the International Association of Insurance Supervisors (IAIS). ICP 16, which governs ERM, mandates that solvency regimes should require insurers to regularly perform an ORSA to assess the adequacy of their risk management and current and likely future solvency positions. Various regulatory and supervisory bodies have begun the implementation process. For example, the European Insurance and Occupational Pensions Authority (Eiopa) began its public consultation process on its level 3 draft guidance on ORSA in November 2011. Class 4, Class 3B and Class 3A Bermudian insurers were required to send the Bermuda Monetary Authority (BMA) their ORSA fillings by 30 April 2012. The US is no exception, with the NAIC including the ORSA as part of its Solvency Modernization Initiative (SMI). At its 2012 spring meeting, the NAIC adopted its ORSA guidance manual. This set out the principles to be adopted by US regulators. The NAIC adopted the RMORSA model act on 12 September 2012. According to that act, the ORSA is "a confidential internal assessment, appropriate to the nature, scale and complexity of an entity, conducted by that entity of the material and relevant risks associated with the entity's current business plan, and the sufficiency of capital resources to support those risks."

The ORSA process is one element of an insurer's broader ERM framework. The two primary goals of the ORSA are to foster an effective level of ERM, and to provide a group-level perspective on risk and capital as a supplement to the existing legal entity view. Pennsylvania deputy insurance commissioner Steve Johnson: "You really do need to pay close attention as you prepare your ORSA. Companies should be doing this now, not 2015." For American insurers used to static solvency measurements, the ORSA heralds a brave new world. While previously, in-depth solvency evaluations were usually conducted retrospectively by regulators about every five years or so, now insurers will join regulators in projecting and assessing solvency needs essentially on a rolling basis. No longer will insurers passively wait on regulators to review year-end statements and risk-based capital (RBC) numbers that may fail to fully adapt to the fast-moving economic environment. Indeed, a recent interim report by the American Academy of Actuaries (AAA) found various deficiencies in the current property/casualty RBC formula for numerous reasons, varying from cash flow discounts that do not adequately reflect current low interest rates, to some charges not having been updated in 20 years1. Especially important is that unlike those static measures, even though in the US the ORSA filing itself is one annual report, it is still part of an ongoing process, a feedback loop that is almost like the Japanese concept of kaizen2 in its goal of full ERM integration and continuous adjustment to maintain solvency. For insurers, this may mean an era of new flexibility and customised risk assessment. But, as with any change, there are expected to be associated costs, and those companies that adapt to and adopt the ORSA best and most efficiently may be able to gain a lasting advantage over their peers.

Getting started While there may be little argument that the current regulatory system has served policyholders well for the most part, the unanticipated events triggering the 2008 financial crisis serve as a reminder that it is the largely hidden iceberg ahead, not the rocks behind, that constitute the real danger to these vital economic vessels, and an ORSA should, if properly instituted, provide an early warning of that risk. Some uncertainty about compliance costs and the possible effect on the operating models of insurers may still remain as insurers work to comply with the initial ORSA directions. But even though feedback to the NAIC will probably result in tweaks and changes to the process, insurers still may best be served by preparing their organisations for the increased real-time data needs an effective ORSA requires. With the 2015 date for the first ORSA submissions fast approaching, the question of how best to prepare may be a difficult but necessary one to answer as soon as possible. Changes in reporting, information management, governance, and planning may mean adjustments to a company's operating model must be implemented. The good news is that, as proposed, the ORSAs may help the regulated at least as much as the regulators in moving toward a more integrated, relevant, and

speedier ERM framework that enable undertakings to better identify, measure, monitor, manage, and report the risks inherent in their business. For some companies in the US, a basic question may have to do with the current state of their ERM programmes. With ERM programs differing in structure and degree of development from organisation to organisation, what will be required in order to properly implement the ORSA? Most insurers will be subject to the ORSA requirements. Generally, an insurer may be exempt from the ORSA requirements if: 



The individual insurer's annual direct written and unaffiliated assumed premium, including international direct and assumed premium but excluding premiums reinsured with the Federal Crop Insurance Corporation (FCIC) and Federal Flood Program (FFP), is less than $500,000,000. The insurance group's (all insurance legal entities within the group) annual direct written and unaffiliated assumed premium, including international direct and assumed premium but excluding premiums reinsured with the FCIC and FFP, is less than $1,000,000,000.

However even insurers meeting the requirements for exemption may have to comply if their regulator so requires. There is, to be fair, some flexibility the other way as well. Insurers that may not qualify for exemption on statutory grounds may request a waiver from the commissioner based on "unique circumstances." An insurer that is subject to the ORSA requirement will be expected to have a risk management framework, regularly assess the adequacy of that risk management framework and the insurer's current prospective solvency position, internally document the process and results, and provide an annual high-level summary report to the lead state regulator. The structure of the ORSA reporting for non-exempt insurers could be in any given combination as long as all insurers within the group are covered. Possible reporting structures could include variations of a single group report, group and individual insurers' reports, property and casualty insurers report and life insurers report, and so forth, so long as all insurers are included in an ORSA. Group-wide ORSA reports submitted to other jurisdictions may be able to satisfy the domiciliary regulator's filing requirements, if the domiciliary regulator deems the information presented therein comparable to and satisfying its requirements. The NAIC plans to have a designated lead state for each group. The lead state regulator will coordinate questions for and requests of insurers. Insurers will file their ORSA summary with that lead state, though other states of licensing may request or require copies of the ORSA summary from the insurer.

An insurer's chief risk officer or equivalent will be required to attest to the accuracy of the ORSA summary report and that a copy has been provided to the company's board of directors or its designated committee. Insurers filing late or incomplete reports may face civil penalties. According to the NAIC RMORSA model act, the effective date of the ORSA under the SMI will be 1 January 2015; the first report would be due in 2015. Insurers normally will need to file an ORSA summary report no more than once each year. Regulators expect this to be done soon after a company's internal strategic planning process is complete. Insurers must apprise the commissioner of the expected time of filing. Insurers will also have to submit an ORSA filing whenever there are significant changes to the risk profile of the insurer or the insurance group of which the insurer is a member. An effective ORSA will depend on the use and inclusion of proprietary company-specific material, often trade secrets. Because of this, regulators have been persuaded to strengthen

confidentiality provisions surrounding the submissions. The ORSA summary report is expected to "be a confidential document" and "in no event shall the ORSA summary report be subject to public disclosure."

Early feedback In preparation for the ORSA implementation, the NAIC created an ORSA feedback pilot project in which 13 undisclosed insurers voluntarily submitted an ORSA summary report by 30 June 2012, for regulatory review under a confidentiality agreement. This allowed regulators to review the process and begin providing some high-level (non-group specific) feedback to the industry this year prior to the actual ORSA summary report effective date. The NAIC also expects to use these results to help modify and provide additional guidance in the manual. Of the 13 respondents - presumably as volunteers self-selected as most prepared for the ORSA process - only eight submitted reports considered complete by regulators. Of those eight, five had data redacted, while the other three had complete datasets. Regulators said the lengths of the submitted reports varied widely, from 10 to about 100 pages, as did their degree of completeness. Pennsylvania deputy insurance commissioner Steve Johnson exhorted attendees at the NAIC's August 2012 meeting to pay heed to the lessons learned from the pilot project. "You really do need to pay close attention as you prepare your ORSA," he told industry. "Companies should be doing this now, not 2015. You need to start now and you need to have your board engaged. We saw what somebody who really takes this seriously has done. Get started now." "On many levels, the ORSA represents a sea change in insurance regulation in the US. It is expected to have a major impact and may pose significant challenges to some insurers, even those that already have ERM and capital processes in place." Among the lessons regulators learned were that several helpful sections could be added or beefed up to make the ORSA report more useful. There was, many regulators opined, a need to provide historical context and organisational structure. Insurers will also be asked to examine the relationship between their compensation structures and risk. Regulators suggested numerous other items should be part of the ORSA summary report, including:      

A detailed explanation of the company's risk limits including key risks and materiality Single and combined stress test scenarios Descriptions of how capital model were calculated Graphical comparisons of capital models Heat maps of risks Stress testing on liquidity distress in life insurance



Emerging risks for prospective risk areas

The NAIC hopes to repeat the pilot project in 2013.

What should be in the ORSA report? While each insurer's ORSA report should reflect its own business, at a minimum it must include three sections addressing the following topics:   

Section 1 - Description of the insurer's risk management framework Section 2 - Insurer's assessment of risk exposure Section 3 - Group risk capital and prospective solvency assessment

Section 1 - Description of the insurer's risk management framework Regulators expect the first section of the ORSA summary report to focus on the insurer's risk management practices. It should provide a high-level summary showing that the following ERM key principles are implemented: 





 

Risk culture and governance - There should be a governance structure that clearly defines and articulates roles, responsibilities, and accountabilities; and a risk culture that supports accountability in risk-based decision making. Risk identification and prioritisation - There should be a risk identification and prioritisation process that is key to the organisation, and ownership of these activities must be clear. The risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organisational levels. Risk appetite, tolerances, and limits - A formal risk appetite statement, and associated risk tolerances and limits are foundational elements of risk management for an insurer. Board understanding of the risk appetite statement ensures alignment with risk strategy. Risk management and controls - Managing risk is an ongoing enterprise risk management activity, operating at many levels within the organisation. Risk reporting and communication - This should provide key constituents with transparency into the risk management processes and facilitate active, informed decisions on risk taking and management.

This should be accompanied by a description of the approach used in conducting the analysis, including key methodologies and assumptions. Section 2 - Insurer's assessment of risk exposures The second section of the ORSA summary report should focus on the insurer's quantitative and/or qualitative assessment of risk exposure in both normal and stressed environments for each material risk category. This section includes detailed descriptions and explanations of identified risks, as well as the applied measurement approaches, key assumptions made, and results.

Elisabetta Russo, Deloitte

A range of complexity is allowed for risk measurement, ranging from stress tests to complex stochastic analysis, as long as the nature, scale, and complexity of the risks are taken into account. Model validation processes should also be demonstrated. Section 3 - Group risk capital and prospective solvency assessment The third section of the ORSA summary report should include an analysis of the solvency position for the group as a whole, as well as a prospective solvency assessment. The latter implies a forward-looking assessment of capital adequacy, on a horizon that is consistent with the business planning process, under various risk scenarios. As part of Section 3, an insurer should: 

 

Assess its ability to meet the capital requirements, both internal and regulatory, given its current risk profile, its current risk management policy, its current quality and level of capital and reflecting any changes to its current risk profile caused by executing the multiyear business plan Explain plans to resolve any deficiencies Consider both normal and stressed environments

Implementing the ORSA Organisations most likely will need to align several quantitative and qualitative processes in order to respond to the ORSA requirements as set out in the manual. Examples of qualitative processes are the risk governance framework, independent review processes, and internal and external reporting processes. Examples of quantitative processes include the setting of risk tolerances and risk limits, the calculation of economic indicators such as economic capital, the simulation processes per risk type, and the creation of capital projections. Many of these processes may already exist at most insurers, though possibly in varying degrees of maturity. At some insurers, some of the required processes may not yet have been implemented at all. Implementing the ORSA requirements means that a general ORSA framework may need to be designed that binds all of these processes together. This may require the frequency, scope, and interactions of the processes to be aligned in order to match the ORSA's objective of an integrated view of strategy, risk, and capital.

Implementing the ORSA should begin by defining clear requirements, compliant with the principles set out in the manual. The process can be further structured by segmenting all required activities into distinct building blocks, and matching the requirements with the building blocks.

Requirements, if properly defined, should help aid efficient implementation of the ORSA by leveraging the existing processes. It should help ensure that the outcome is aligned to the company's objectives, and should ultimately serve as a framework to help monitor compliance with the regulatory requirements. Completing a readiness assessment against the ORSA requirements for each building block should assist in the drafting of an action plan. This remediation plan is a step-by-step plan to address the areas identified as needing improvement. At the same time, the company's vision of the ORSA should be translated into the overall ORSA framework, which includes a consistent process, ORSA governance, defined methodologies, and a report template. The final step is to embed the ORSA framework in the organisation, executing the actions set out in the remediation plan. A common way to do this has been to perform a series of dry runs, each in a further state of maturity. Performing dry runs may enhance awareness of the ORSA and its requirements within the organisation, and allows for testing of the organisation's ORSA readiness in practice.

Operational considerations While insurers already may have built ERM and capital management programs, many insurers may be required to consider changes to underlying operations, ownership, and governance as well as infrastructure changes. Some of the key areas of focus are expected to be, but are not limited to: 





ERM framework - Several existing risk management processes would be integrated into one consistent ORSA process, based on a common planning, maturity level, valuation basis, and assumption set. This may require strengthening the group and subsidiary ERM and governance frameworks and establishing a link between the risk tolerance of subsidiaries and the group. Capital management - Similarly an approach for economic capital calculations and forward-looking assessments would likely require significant efforts to establish a group view on capital and solvency and the need for balancing feasibility and accuracy of models. Strategy - The ORSA process would be required to be embedded into the strategic process. This will require alignment of risk indicators and model parameters between strategic planning and risk modelling, so as to increase the relevance of the ORSA for decisionmaking.





Resources - Skill sets for finance, actuarial, and risk management would likely have to change to meet the needs for adequate processes, controls, and risk quantification tools. Risk culture - Board ownership of the ORSA process would be essential, to prevent a ‘silobased' approach across entities and risk categories. Communication among different capabilities within the insurer may need to be improved. The business should be managed in accordance with risk appetite and risk tolerance levels.



Technology - The ORSA standards demand a strong alignment of business, actuarial and risk management areas with technology. Establishing that alignment, as well integrating existing and designing new technology solutions around data governance and architecture, process automation, modelling platforms optimisation, and reporting and/or decision management domains under the tight time constraints is critical for the robust ORSA environment.

The road ahead On many levels, the ORSA represents a sea change in insurance regulation in the US. It is expected to have a major impact and may pose significant challenges to some insurers, even those that already have ERM and capital processes in place. Although the proposed deadline of 2015 may seem far away, insurers may be wise to start designing, implementing and fine tuning their ORSA framework, tools, and processes today. There already is regulatory incentive to begin preparation: the NAIC started training state financial examiners on ORSA in 2012. In addition, some states have already been urging insurers to address their ERM framework. New York, for example, issued a circular letter to insurers licensed in that state listing its expectations for an ERM function within insurers. Insurers whose statutory examination is before 2015 may be asked to answer questions on ERM and whether they will be ORSA-compliant by the proposed deadline. Challenges also mean opportunities. Implementing the ORSA is expected to provide an opportunity for better risk and capital management, integrating several existing risk management processes into one consistent framework, and embedding in the whole organisation a risk culture and risk decision-making process in which strategy and risk appetite are aligned. The information feedback loop provides management, the board, and other stakeholders with access to information on the risk and capital profile of the enterprise, allowing them to evaluate current strategies and their execution, and modify as necessary. Properly designed, it should also serve as an early warning system, providing enough time to respond to emerging risks and other potential concerns. In the NAIC's concept of the ORSA, regulators may work with management to tweak or seek further information on models and inputs. For insurers, this input from and interplay with regulators may allow for more insight into regulatory requirements, and lower the possibility of inadvertently failing to satisfy written or unwritten regulatory expectations. This will all require an investment - of time, talent, and technology to begin with. But there is a great potential payoff in enhanced risk management and better decision making. Solvency regulation in the US has often functioned retrospectively, like mariners navigating by looking back on the harbour they left, restricted by having to keep that land in sight. The ORSA, properly customised for both external and internal stakeholders, allows regulators and the regulated a clear vision, enabling them to sail into the future with more confidence, reducing the risks of hidden shoals and providing more time to prepare for any storms on the horizon ahead.