To help these organizations asses their risk culture, in 2010 the Financial Stability Board (FSB) issued guidance regarding risk for those companies deemed global systemically important financial institutions1. This guidance also applies to those insurers designated as global systemically important insurers by the FSB2.

In 2012, the National Association of Insurance Commissioners (NAIC) issued the Risk Management Own Risk and Solvency Assessment (ORSA) Model Act3, which provides insurers with the requirements for maintaining a risk management framework and completing an ORSA Summary Report. Insurers will be required to complete the ORSA beginning on Jan. 1, 2015.

The pilot projectAs part of the process, the NAIC conducted a two separate pilots in which insurance groups submitted trial ORSA Summary Reports to a working group of regulators from 16 different states. The goals of the project: to help supervisors develop regulatory guidance for reviewing the ORSA filings and to provide guidance to the industry at large as they get ready to prepare their ORSA Summary Reports. It also gave participating companies valuable insight into how their ORSA will be received.

10 tips for completing your first ORSA

In the wake of the 2008 crisis, enterprise risk has understandably been top of mind for the leaders of the world’s most complex financial groups.

1 Financial Stability Board, Reducing the Moral Hazard Posed by Systemically Important Financial Institutions, Oct. 20, 2010. See http://www.financialstabilityboard.org/publications/r_101111a.pdf for details.

2 National Association of Insurance Commissioners, Global Systemically Important Insurers (G-SIIs) , April 11, 2014. See http://www.naic.org/cipr_topics/topic_global_sys_insurers.htm for details.

3 National Association of Insurance Commissioners, Risk Management and Own Risk and Solvency Assessment Model Act, adopted Sept. 6, 2012. See http://www.naic.org/documents/committees_e_risk_management_orsa_adopted_120906.pdf for details.

2

10 tips for completing your first ORSA Summary Report

In late 2013, the FSB issued a request for public comments on the ORSA Summary Reports4, prompting the NAIC ORSA Subgroup to release its feedback5 based on the comments and the pilot. The feedback gives more specifics on completing the ORSA, and provides actionable advice for insurers. Volunteer spots for the NAIC’s third pilot program, taking place this year, are still open.

Enterprise risk for insurersThe ORSA Summary Report is designed to help regulators more fully assess an insurance company’s capital adequacy. While it takes into account differing risk profiles based on insurers’ size and complexity, there are three main areas of focus.

• Section 1 — the Insurer’s Risk Management Framework: Section 1 provides a high-level summary of the enterprise risk management (ERM) framework principles, if present. The ORSA Summary Report should describe how the insurer identifies and categorizes relevant and material risks, and how it manages those risks as it executes its business strategy.

• Section 2 — the Insurer’s Assessment of Risk Exposure: Section 2 of the ORSA Summary Report should provide a high-level summary of the quantitative and/or qualitative assessments of risk exposure in both normal and stressed environments for each material risk category in Section 1.

• Section 3 — Group Assessment of Risk Capital and Prospective Solvency Assessment: Section 3 of the ORSA Summary Report should describe how the insurer combines the qualitative elements of its risk management policy with the quantitative measures of risk exposure in determining the level of financial resources needed to manage its current business and over a longer term business cycle (e.g., the next one to three years).

It might be tempting to look at the ORSA as “just another report,” but this is a real opportunity to focus on ERM in a way that will benefit the consumer, the industry and the insurer.

Preparing your first ORSAInsurers have some flexibility in how they answer the ORSA questions. Larger insurers with more robust ERM processes in place may have most or all of the answers they need ready to report. For those, the ORSA Summary Report can be a good planning tool and a reminder to keep processes strong. The ORSA can also help smaller insurers with less risk (and consequently less robust ERM systems in place) begin bolstering their ERM to a point where it is appropriately robust. This may include making any necessary operational changes to satisfy the ORSA requirements, particularly when it comes to integrating strategic planning into the ERM process. The NAIC clearly recognizes the differences in insurer risk profiles, but expects a strong risk management process in every case. The ORSA guidance lets individual insurers decide on their own processes as long as the summary report demonstrates effective risk management.

The NAIC’s guidance is fairly general in order to reflect the differing types and sizes of insurer, leaving many questions for those filling out the ORSA Summary Report. This should not be taken as an invitation to respond in a general or superficial way — it is clear that the NAIC wants specific answers that address each insurer’s ERM in a thoughtful way.

CONTRACTREPORT

4 Financial Stability Board, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture, issued Nov. 18, 2013. See http://www.financialstabilityboard.org/publications/c_131118.htm for details.

5 National Association of Insurance Commissioners, Comments Regarding December 23, 2013 Questions Regarding the November 18 2013 FSB Consultative Document on Increasing the Intensity and Effectiveness of Supervision, issued Jan. 30, 2014. See http://www.financialstabilityboard.org/publications/c_140206q.pdf for details.

3

10 tips for completing your first ORSA Summary Report

10 tips for completing your ORSA Based on Grant Thornton LLP’s observations and the feedback that came out of the pilot, here are some specific recommendations that can help you effectively prepare the report. What the tips have in common is in encouraging all insurance companies to closely examine their risk management processes and challenging you to take this opportunity to build a robust process that is more than just a compliance exercise.

Tip #1: Fully describe management’s role in building a sound risk culture.The role of leadership in the risk process is a key component of ORSA, which asks for an accurate analysis of the tone from the top and much more. The ORSA should fully describe the risk culture and the steps that are being taken to promote and expand it, as well as include the specific roles and responsibilities of management. In the event that an insurer’s board of directors is failing to fully embrace a robust risk management process and become a significant part of a sound risk culture, the NAIC recommends that supervisors take corrective action in response (e.g., require board membership changes, increase the scope of supervisory activity, etc.). Insurers should fully describe the options under consideration and the steps taken in the ORSA.

Tip #2: Be thorough and specific in your answers.In the pilot, it was noted that some responses came back that were incomplete or superficial. For example, in response to “Describe your process for transitioning emerging risks to current risks,” some insurance companies answered with “We have a process in place for transitioning risks to current.” In this case, the specific process needs to be described in detail, with all data and planning documents included. Insurers should think expansively, and develop and include the specific tools used to collect information (e.g., interviews, questionnaires, analyses, policy descriptions, etc.). Regulators expect the ORSA to reflect the actual ERM that the board of directors oversees.

Tip #3: Define specific organizational risk roles.It is critical to map the specific organizational risk roles, as well as the people and departments assigned to those roles. Insurers should clearly communicate those roles within the organization (via risk dashboards, for example) and fully explain them in the ORSA. Assigning these roles broadly throughout the organization can help build an effective risk culture more quickly — the Subgroup noted that a table identifying the risk owners, the assigned risk, their roles and responsibilities, and to which committee/department/chief officer they report on their risk management was helpful in bringing clarity to the insurer’s risk management structure. A flowchart of risk management and control, which depicts how ERM and control flows within the organization (bottom-up or top-down, or both), is key.

Tip #4: Provide robust, multidimensional data reporting.Data included in the ORSA should be robust and should include a comparative multiyear view of any financial data. For some data points (e.g., multiyear economic model parameters and multiyear liquidity ratios), it is helpful to include historical trend illustrated over a multiyear period (e.g., three to five years). The priority ranking/rating of material risks can be illustrated in formats such as lists, charts, graphs or dashboards.

Tip #5: Identify and describe specific risk limits.The ORSA should include detail of actual risk limits to demonstrate that the insurer has risk limits. Some reports in the trial said things like “we have risk limits” but did not identify them. The NAIC Subgroup did not suggest listing all risk limits, but rather those that are key/material to the insurer/group.

4

10 tips for completing your first ORSA Summary Report

Tip #6: Fully describe anticipated and possible risks.The NAIC Subgroup noted that while the prospective solvency assessment included capital projections, it would also be helpful to better understand the prospective risk associated with those capital projections. The insurer/group should consider including a prospective discussion of risks, including which risk exposures are likely to increase/decrease in the coming years and what steps the insurer/group plans to take that may change risk exposures. The term “prospective” should pertain to both known and potential future risk. As prospective risk is a key component of the regulatory risk-focused surveillance process, understanding the emerging/prospective risks identified in the ORSA will help regulators focus their examination and analysis of the insurer/group. In addition to knowing the emerging risks an insurer is monitoring, the NAIC Subgroup also found it helpful to identify the key emerging risks and understand how these are elevated from “emerging” to “current.”

Tip #7: Fully describe capital models.While the use of matrices to calculate risk-based capital (RBC) and premium levels, reserve adequacy, and loss ratios (e.g., claims and administrative ratios) will be instrumental to completing the ORSA, insurers are asked to provide an explanation of how capital models are calculated and to discuss the group capital analysis performed by the insurer/group. In addition to reporting “Our risk capital is $x as of Dec.31 20xx,” insurers should also explain how that capital number was derived (i.e., explain the capital model). For complex calculations, it is acceptable to provide a high-level summary explanation. The NAIC Subgroup noted it was easier to understand the capital number if it was accompanied by an explanation of how the insurer/group calculates its capital model.

When a diversification benefit is used, insurers should provide a discussion of how the correlation amounts are developed, tested and updated. This information could be provided in a separate exhibit, if lengthy. The NAIC Subgroup also noted that while an insurer/group may not have discussed internal economic capital model validation, the insurer/group should consider a summary discussion of model validations and note that the regulator may ask about the validation process in follow-up discussions in order to better understand the insurer/group’s internal economic capital model process. In addition, when using multiple capital models, insurers should create a graphical illustration to compare the different model results (e.g., where the group capital assessment included three different models, the insurer/group should include a full-page table that shows each model side by side, including such information as the definition, assumptions and target versus actual capital).

Tip #8: Provide liquidity stress testing.Insurers should provide more stress testing on liquidity, especially for life insurance business, rather than a single focus on capital. For example, insurers should provide detailed stress scenarios regarding liquidity position along with a brief explanation, and they should also consider including a discussion on sources of liquidity and contingent financing.

“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a worldwide partnership. All member firms are individual legal entities separate from GTIL. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. Please visit grantthornton.com for details.

© 2014 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd

Connect with us

grantthornton.com

@grantthorntonus

linkd.in/grantthorntonus

10 tips for completing your first ORSA Summary Report

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.

Tip #9: Define all IT risk.ORSA Summary Reports should include a discussion of IT risk in order to help regulators understand such risks as information security, business system failure, costly use of resources, etc.

Tip #10: Do a walk-through discussion with your state regulator. Upon filing the ORSA , the insurer/group and lead state regulator should plan to schedule a meeting/webinar/conference call where the insurer/group can describe and walk through their ORSA Summary Report and answer questions from the regulator. This is a critical step in the process, and should be planned and executed with complete commitment from the insurer.

ContactMark LastnerDirectorBusiness Advisory ServicesT 267.844.2029E mark.lastner@us.gt.com

John SwanickPartnerPractice LeaderU.S. InsuranceT 215.814.4070E john.swanick@us.gt.com

ConclusionThe entire ORSA process starts with a solid ERM process. We recommend that insurers first examine their ERM and take the necessary steps to build a robust process that will be a slam-dunk as the basis for an effective ORSA Summary Report. Since the ORSA is a real opportunity to enhance the ERM, the process of preparing the annual report is also an excellent opportunity to re-examine the ERM.

Filing an ORSA will become mandatory on Jan. 1, 2015. There is a fairly short window of opportunity this year to prepare. While there may still be some changes in the guidelines, insurers should already be well down the path. Requirements will likely only increase in the future, so now is the time to develop a robust process for not only the ORSA but the ERM framework itself.