ORSA Compliance 5 Steps You Need to Take in 2014


Description: Presentation on Enterprise Risk Management

Transcript of ORSA Compliance 5 Steps You Need to Take in 2014

  • ORSA Compliance - 5 Steps You Need to Take in 2014

    A publication of LogicManager

    Contents:

    Risk Culture & Governance

    Risk Identification & Prioritization

    Risk Appetite & Tolerance Statement

    Risk Monitoring, Controls & Action Plans

    Risk Reporting & Communication

    LogicManager Copyright 2005-2014

  • Request a Demo

    LogicManager's All-in-One ERM Software: Enterprise Risk Management, Vendor Management, Regulatory Compliance, IT Governance and Security, Business Continuity, Financial Reporting, Audit Management, Performance Management, Policy Management.

    All the content you need & all connected.

    Leadership: More than 2000 organizations use our risk management solution.

    Insight: Put your risk picture together.

    Cloud Computing: No up-front investment and no long-term commitment required.

  • Chapter 1

    Risk Culture & Governance

    RMORSA Regulation

    With the adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) by the National Association of Insurance Commissioners (NAIC), insurers are required to take a broader approach to risk management. The new ORSA requirement is one component of the NAIC's initiative to bring the US into regulatory alignment with the International Association of Insurance Supervisors' Insurance Core Principle 16, Enterprise Risk Management for Solvency Purposes.

    Starting in 2015, insurers will be required to submit an annual ORSA Summary Report to their state commissioner that details the insurer's risk management, capital management and strategic planning, along with the relationships between the three. The first section of the ORSA Summary Report is a detailed description of the insurer's ERM framework.

  • One of the primary goals behind the implementation of RMORSA is to foster an effective level of ERM for all insurers. This includes identifying, assessing, monitoring, prioritizing and reporting on all material and relevant risks.

    Insurers have the opportunity to leverage much of their existing risk management capability in becoming compliant with ORSA, since most of the ORSA requirements center on an ERM framework.

    It is also important to note that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks may not require the same scope or depth of review as organizations with less defined processes.

  • 3 Lines of Defense

    For any organization, risk is an essential part of creating business value, and as such it needs to be managed in a way that is beneficial to the bottom line. A risk governance structure needs to be put in place to collect risk information at the activity level, where most operational risks materialize, and to aggregate that information to a level senior management and the NAIC care about.

    A best-practice approach that has been endorsed by the Institute of Internal Auditors (The IIA) is a three lines of defense structure. Operational management, or process owners, are expected to take ownership of and accountability for the risks faced by their business area as the primary line of defense.

  • First Line of Defense: Process Owners

    Specifically, the IIA recognizes that this front line has the primary task of identifying, assessing and mitigating risks on a day-to-day basis.

    Questions to ask yourself to determine whether the process owners of your organization are operating effectively as a first line of defense:

    Is each of your operational managers assigned a subset of your organization's overall risk library, and can they suggest additions to that subset?

    Do they have the ability to document control procedures in a way that ties them directly to their subset of risks?

    And finally, are there adequate supervisory functions in place to notify managers when a control breakdown or unexpected event takes place in upstream or downstream process areas?

  • Second Line of Defense: Risk Managers

    The second line of defense is the risk management function, which provides oversight and facilitates the implementation of effective risk management. The compliance function is also considered a second line of defense; however, compared with a risk management function, compliance is responsible for a specific subset of risks related to applicable laws and mandates. Whereas the first line of defense is process-specific, the second line of defense is cross-functional or systemic. It serves the critical role of ensuring that mitigations and risk analysis are taking place as intended, but it cannot independently report an enterprise picture of risk without input from process owners. The responsibilities of an enterprise risk manager can include: providing a risk management framework, identifying emerging risks and issues, setting standards, criteria and tolerance levels, and providing consulting and mentoring to process owners.

  • Third Line of Defense: Internal Audit and Senior Management

    The third line of defense, internal audit and senior management, offers independent assurance that risk management is operating effectively. ORSA requires that each ORSA Summary Report carry the signature of the Chief Risk Officer (or the executive responsible for oversight of the insurer's ERM process). As such, the CRO and the risk committee will be largely responsible for their organization's compliance with ORSA. With clearly defined strategic objectives set by senior management, the risk manager's role is then to close the gap between strategic-level risk and all the operational risks faced at the front line of the organization.

  • Tone From The Top

    [Figure: Positive Risk Culture, flowing from the Board of Directors through Risk Managers to Process Owners]

    Roles and responsibilities need to be clearly defined and articulated so that there is accountability at all risk levels in your organization. Setting the right tone for your ERM program starts at the top with your board of directors and senior executives. Getting their support and approval of your ERM program projects a positive risk culture to the rest of the organization, which leads to better engagement in risk management processes at all levels. The more integrated ERM is in everyone's job description, the easier risk assessments will become and the more valuable they will be.

  • Chapter 2

    Risk Identification & Prioritization

    Just discussing high-level concerns with senior executives may have been sufficient 2-5 years ago, but with the implementation of ORSA insurers are now required to detail how they identify and categorize all relevant and material risks. This means that more business value and better decision making are expected from risk assessments. Formalized risk assessments allow risk managers to leverage existing activities in an objective, quantifiable, repeatable manner to show how risks and activities at the process level are impacting strategic objectives.

  • Formalized Risk Assessment Process

    [Figure: Root Cause -> Risk Assessments -> Strategic Objectives]

    The most effective way to collect risk data is to identify risk by root cause. It is impossible to get a clear risk picture of strategic objectives without breaking them down into root-cause, actionable, silo-specific activities. Identifying the root cause of a risk provides information about what triggers a loss, where an organization is vulnerable, and where resolving systemic risks can lead to efficiency gains.

  • Root-cause concept

    [Figure: Root Cause 1, 2, 3; Outcome 1, 2; Mitigation Activity 1, 2, 3]

    However, orienting process owners to root cause is often easier said than done. Typically, management tends to think in terms of outcomes or events they want to avoid or achieve, and the effects of such events. While there is a limitless set of outcomes, as risk managers we need to operate at the root-cause level in order to design effective mitigation activities.

  • 5 Root-cause categories

    External: Risks caused by outside people, entities and environments

    People: Risks involving people who work for the organization

    Process: Risks arising from the organization's execution of business operations

    Relationships: Risks caused by the organization's connection with third parties

    Systems: Risks due to data or information assets

  • Prompt root cause

    Most assessments jump to the "what could go wrong" aspect of risk identification, which is often just a detailed effect or symptom. Understanding the root cause requires identifying the drivers, the "why", of the risk. You can begin to implement this root-cause approach in a facilitated session, or you can use a system to prompt assessors on the root causes of their concerns, which helps implement the approach on an enterprise scale.

  • Prompt root cause

    As a first step, consider prompting process owners and business areas to select the root-cause category of their concern. Beginning with a root-cause risk library enables organizations to track the selection of root-cause risks across multiple business areas, which helps identify systemic risks throughout the organization and areas of upstream and downstream dependencies.

  • Risk Assessments

    Use a common numerical scale and criteria throughout your organization

    High, medium and low scales make it difficult and time-consuming to quantify, aggregate and objectively rank information. You should use at least a 1-5 scale.

    Best practice favors a 1-10 scale, with 10 having the most unfavorable consequences for the organization, split into 5 buckets so that each bucket has a high and a low value. Using a 1-10 scale makes the math easy, and having the 5 buckets gives the process owners doing the assessments the flexibility to select the high or the low of a bucket.

    Giving people more flexibility in their assessments will give you better accuracy and more ability to determine what your top risks really are.

  • Carry out assessments on the same standards and assumptions

    Impact scale (each bucket is defined on the Financial, Legal, Operational, Regulatory and Strategic dimensions; the deck spells out the Financial, Operational and Regulatory criteria for the top two buckets):

    9-10  Major
          Financial:   Negative impact on net income over $20 million
          Financial:   Catastrophic impact on financial statements (e.g., critical contractual ratios are no longer met)
          Operational: Long-term impairment of critical functions makes the organization vulnerable to forced sale or merger
          Regulatory:  Regulatory agencies seize control of assets or are granted absolute decision-making authority

    7-8   Serious
          Financial:   Negative impact on net income of $15 million to $20 million
          Financial:   Alternative financing (debt), sale or restructuring of the organization could be required
          Operational: Inability to remain competitive (e.g., lagging customer service, operational inefficiencies)
          Regulatory:  Regulatory penalties are required

    5-6   Moderate      (Financial, Legal, Operational, Regulatory, Strategic criteria)

    3-4   Minor         (Financial, Legal, Operational, Regulatory, Strategic criteria)

    1-2   Insignificant (Financial, Legal, Operational, Regulatory, Strategic criteria)

    There are multiple ways of expressing severity, both qualitatively and quantitatively. Severity should be outlined for the financial, legal, operational, regulatory and strategic dimensions, among others. Each bucket should have a variation of criteria applicable to that level of severity.

    For example, looking at the Impact criteria:

    9-10 Major: in financial terms, a specific dollar amount considered catastrophic to your organization; in regulatory terms, agencies shut you down or take over.

    7-8 Serious: in financial terms, the next level down, painful but survivable; in regulatory terms, penalties are required.

    Only one of the criteria listed for an impact level has to be met in order to rate a risk factor at that level. This way, any qualitative criterion can be given a score and becomes quantitative and comparable across the enterprise.

  • Risk Assessments

    Carry out assessments with the same standards and assumptions

    Additionally, you need defined evaluation criteria for these scales. Often, one person's 9 is another person's 7. You should provide a clear definition of what each of the 5 buckets is, in unambiguous terms.

  • Objectively aggregate risk information to a strategic high level

    Now that assessment scores are numerical and comparable, you can create simple formulas to automatically calculate the inherent and residual indexes of risks, and risks across your organization can be sorted and objectively ranked. For ORSA reports, aggregate risks relating to the same strategic goal or other cross-functional topic, such as a risk category framework, providing an overall assessment score for leadership with actionable underlying data for when direction is given.

  • Chapter 3

    Risk Appetite & Tolerance

    How Do You Make Risk Appetite Actionable?

    As a mandatory component of RMORSA, an organization-wide risk appetite statement provides direction for your organization. A risk appetite statement should reflect your organization's strategic objectives, stakeholder expectations and key aspects of the business. Once your organization has documented its risk appetite, with the Board's approval, the question becomes: how do you measure whether your organization is adhering to it? The answer is to implement risk tolerances.

  • Risk Tolerance

    [Figure: Risk Appetite and Risk Tolerance plotted against the Risk Environment]

    In the chart shown, the organization's projected path of performance is plotted in green. This line and the immediate area around it represent the risk appetite, or goal, of the organization. If the organization were to pursue or retain all risks in its environment, its performance could fall anywhere between the grey lines. Most organizations are uncomfortable taking on all available risk, and new laws and regulations require companies to implement narrower tolerances (purple area).

    Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which in turn provides a higher degree of comfort that the company will achieve its objectives.

  • Risk Appetite and Risk Tolerance

    Risk Appetite: "Doesn't accept risks that could result in a significant loss of its revenue base"

    Risk Tolerance: "Doesn't accept risks that would cause revenue from its top 10 customers to decline by more than 1%"

    In other words, while risk appetite is a higher-level statement that considers broadly the levels of risk that management deems acceptable, risk tolerance sets acceptable levels of variation around risk and can be more readily measured. For example, a company that says it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 1%, it is expressing tolerance.

  • Prioritize Resources by Cut Level

    Because all risk assessments are conducted on standardized criteria, you can work with your board or senior management to determine a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes. This will help you prioritize resources for the risks that need stronger coverage.

    View Risk Trends by Tolerance Range

    Every day, process owners are making operational decisions about risk far from the organization's risk appetite statement. Process owners must look at their assessments, and if a risk exceeds or falls below the set tolerance range, they must adjust mitigation activities, procedures or controls to get within the risk tolerance, or escalate the issue.

    When risk tolerances are aligned with both overall risk appetite and strategic goals, they will improve risk mitigation effectiveness and contribute to achieving your strategic goals. Aligning your tolerances with risk appetite and strategic goals can be challenging, but by trending risks over time you can get a more accurate picture of where you are and where you need to be to reach your goals.
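    The scoring, ranking, aggregation and cut-level steps described in Chapter 2 and on the two slides above (Prioritize Resources by Cut Level, View Risk Trends by Tolerance Range), worked through as one runnable Python example. This is an added example, not LogicManager's code or formulas: it uses the deck's 1-10 scale with five buckets and the deck's five root-cause categories, but the inherent index (likelihood x impact), the residual index (inherent scaled by an assumed 1-10 control-effectiveness score), the per-objective mean and the sample risk library are this example's own assumptions.

```python
"""Score, rank and aggregate a root-cause risk library and apply a cut level.
Added example, not LogicManager's code: the index formulas and the per-objective
mean are assumptions; the 1-10 scale, five buckets and five root-cause categories
are the deck's. The sample library is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

ROOT_CAUSES = {"External", "People", "Process", "Relationships", "Systems"}
BUCKETS = [("Insignificant", 1, 2), ("Minor", 3, 4), ("Moderate", 5, 6),
           ("Serious", 7, 8), ("Major", 9, 10)]  # the deck's 1-10 scale


def bucket(score: int) -> str:
    """Map a 1-10 score to its bucket label; anything off the scale is rejected."""
    for label, low, high in BUCKETS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score!r} is not on the 1-10 scale")


@dataclass
class Risk:
    name: str
    business_area: str
    root_cause: str             # one of ROOT_CAUSES
    objective: str              # strategic objective the risk rolls up to
    likelihood: int             # 1-10
    impact: int                 # 1-10, 10 = most unfavourable consequence
    control_effectiveness: int  # 1-10, 10 = strongest controls (assumed dimension)
    mitigated: bool = False     # is an owned mitigation activity linked to it?

    def __post_init__(self):
        if self.root_cause not in ROOT_CAUSES:
            raise ValueError(f"{self.name}: unknown root cause {self.root_cause!r}")
        for score in (self.likelihood, self.impact, self.control_effectiveness):
            bucket(score)  # rejects off-scale values from the assessor

    @property
    def inherent(self) -> float:
        """Inherent index = likelihood x impact (1-100), before controls (assumed)."""
        return float(self.likelihood * self.impact)

    @property
    def residual(self) -> float:
        """Residual index: controls at 10 leave 10% of inherent, at 1 all of it (assumed)."""
        return self.inherent * (11 - self.control_effectiveness) / 10


def rank(risks):
    """Objective ranking: highest residual first (ties keep library order)."""
    return sorted(risks, key=lambda r: r.residual, reverse=True)


def aggregate_by_objective(risks):
    """One score per strategic objective (mean residual) plus the ranked
    underlying risks, so leadership can drill down when direction is given."""
    groups = defaultdict(list)
    for r in risks:
        groups[r.objective].append(r)
    return {o: (round(mean(r.residual for r in rs), 1), rank(rs)) for o, rs in groups.items()}


def systemic_root_causes(risks, min_areas=2):
    """Root causes chosen in several business areas: systemic risks and
    candidates for one centralized control instead of several local ones."""
    areas = defaultdict(set)
    for r in risks:
        areas[r.root_cause].add(r.business_area)
    return {rc: sorted(a) for rc, a in areas.items() if len(a) >= min_areas}


def cut_level(risks) -> float:
    """Uniform tolerance threshold; the deck's dashboard uses the average residual."""
    return mean(r.residual for r in risks)


def key_risks(risks):
    """Risks above the cut level: the ones that need stronger coverage."""
    level = cut_level(risks)
    return [r for r in rank(risks) if r.residual > level]


def key_risk_coverage(risks) -> float:
    """Fraction of key risks with an owned mitigation activity; 1 minus this
    is the gap the board is asked to fund closing."""
    keys = key_risks(risks)
    return sum(r.mitigated for r in keys) / len(keys) if keys else 1.0


SAMPLE_LIBRARY = [  # constructed
    Risk("Claims system outage", "Claims", "Systems", "Customer satisfaction", 6, 8, 4, True),
    Risk("Key actuary leaves", "Actuarial", "People", "Capital adequacy", 4, 7, 2),
    Risk("Reinsurer default", "Finance", "Relationships", "Capital adequacy", 3, 9, 6, True),
    Risk("Underwriting guideline not followed", "Underwriting", "Process", "Profitable growth", 7, 6, 3),
    Risk("Vendor data breach", "IT", "Relationships", "Customer satisfaction", 5, 8, 5),
    Risk("Cat event exceeds model", "Actuarial", "External", "Capital adequacy", 2, 10, 7, True),
]
```

    With the sample library, cut_level() is about 23.0, key_risks() returns four risks (the two at 33.6 first), and key_risk_coverage() is 0.25, because only the claims outage has an owned mitigation. The same cut level drives the "percentage of key risks mitigated" measure of the ERM progress dashboard in Chapter 5, and keeping the ranked underlying risks inside aggregate_by_objective() is what lets the enterprise view drill down to the activity level. systemic_root_causes() flags Relationships, selected by both Finance and IT, as the candidate for a centralized control.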

  • Chapter 4

    Risk Monitoring, Controls & Action Plans

    ORSA Requires Transparency Into If And How Risks Are Being Managed

    Once you have identified the root cause of risks and objectively assessed them, ORSA requires transparency into if and how risks are being managed by insurers as they execute their business strategy. To do this an organization must have adequate mitigation and monitoring activities in place.

  • Develop Risk Tolerances over Time

    [Figure: risk index trended over time, Actual against Tolerance]

    As risks are reassessed periodically, you can focus on emerging risks that move out of tolerance and spend less time on risks whose indexes are decreasing. This allows you to allocate resources to the issues and areas that will yield the greatest benefit to the organization.

  • Increase Organization Efficiency

    Systemic risk identification will detect areas of upstream and downstream dependencies throughout your organization, such as when one area of the organization is unknowingly causing strain on other areas. Additionally, this method can also identify areas that would benefit from centralized controls, so the extra work of maintaining separate controls is eliminated, increasing organizational efficiency.

  • Prioritize Activities

    Conduct Risk Assessments -> Link Risks to Activities -> Prioritize Activities to be Monitored -> Collect Business Measures

    Most organizations need a greater understanding of how the business measures they rely on daily are tied to their risks. If a risk or activity changes, organizations have no way of knowing how, or even if, these changes will affect their metrics. By conducting risk assessments and linking risks to activities, organizations can start prioritizing which activities need to be monitored.

  • Operational Risk Management

    If risks are formally linked to anything, it is often Internal Audit or SOX controls, but all operational controls, activities, policies and procedures need to be taken into consideration too. Most of the risk management disasters we hear about were the result of poor operational risk management. Risk managers are responsible for risk monitoring effectiveness: knowing what to monitor and how to determine whether your activities are effective or not.

    Boards and CEOs, public and private, are depending on risk managers to monitor key risk indicators (KRIs) at the business process level and to have the proven capability to escalate to the board as appropriate.

  • Monitor Business Metrics

    [Figure: a business metric trended over time against its tolerance levels]

    Collecting business metrics enables you to track the progress of your mitigation activities over time. You can set targets and tolerance levels around these metrics. Warning signs appear as metrics begin to move out of tolerance, allowing you to take action before a negative outcome materializes. Metrics need to be forward-looking so that you can detect emerging trends long before they have significantly affected your organization.

  • Risk Monitoring Example

    Situation: The online banking system experiences significant downtime, and the issue is not resolved in a timely manner.

    What they found: The necessary expertise is not available during downtime to work on the issue.

    Typical solution: Provide a cross-training program to more individuals, giving the appearance that a preventive measure has been put in place.

    Business metrics:

    Collecting business metrics enables you to track the progress of your mitigation activities over time. In this situation, if the bank had been tracking system uptime, it would have seen that there was no improvement from the control activity put in place, and reinvestigated to realize that the system was going down during peak usage times, like lunch, when the subject-matter expert was away from their desk! It could then institute effective activities, like adding more memory to the system.

    Testing:

    Often, organizations get caught up in testing the compliance or occurrence of the control, such as: "Has every new IT hire completed the training within the first 6 months?"

    Testing provides a high-level view of whether a control is effective, usually in the form of pass or fail. Testing does not necessarily provide you with actionable steps to take to improve a mitigation activity. Over time, organizations lose sight of why the activity was implemented in the first place, in this case to improve system uptime.
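    The bank example above, worked through in Python as an added example (not LogicManager's code): a constructed outage log is turned into the monthly uptime KRI, checked against an assumed target and tolerance, compared before and after the control date to see whether the cross-training changed anything, and finally grouped by hour of day, which is the root-cause prompt that surfaces the lunch-hour pattern. All dates, durations and thresholds are invented for illustration.

```python
"""Trend a business metric (online banking uptime) against target and tolerance,
check whether a control actually moved it, and prompt for the root cause.
Added example, not LogicManager's code. The outage log, the control date, the
target and the tolerance are constructed for illustration."""
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed outage log: (start of outage, minutes down).
OUTAGES = [
    ("2014-01-06 12:20", 45), ("2014-01-14 12:05", 30), ("2014-01-22 12:40", 50),
    ("2014-02-03 12:15", 40), ("2014-02-11 13:00", 35), ("2014-02-19 12:30", 55),
    ("2014-03-04 12:10", 40), ("2014-03-12 12:35", 50), ("2014-03-20 12:50", 50),
    ("2014-04-02 12:25", 45), ("2014-04-10 12:45", 50), ("2014-04-16 03:10", 35),
]
CONTROL_DATE = datetime(2014, 3, 1)   # cross-training program went live (assumed)
TARGET = 99.9                         # uptime % the business wants (assumed)
TOLERANCE = 99.8                      # below this: out of tolerance, escalate (assumed)
MINUTES_PER_MONTH = 30 * 24 * 60      # simplification: every month is 30 days


def parse(outages):
    """Turn the log's text timestamps into datetimes."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), mins) for ts, mins in outages]


def monthly_downtime(outages):
    """Minutes down per 'YYYY-MM' (months with no outage are simply absent)."""
    down = Counter()
    for start, mins in parse(outages):
        down[start.strftime("%Y-%m")] += mins
    return dict(sorted(down.items()))


def monthly_uptime(outages):
    """The KRI itself: uptime % per month, the forward-looking metric to trend."""
    return {m: round(100 * (1 - d / MINUTES_PER_MONTH), 2)
            for m, d in monthly_downtime(outages).items()}


def out_of_tolerance(outages, tolerance=TOLERANCE):
    """Months in which the KRI breached tolerance: the warning sign to act on,
    before a negative outcome (lost customers, regulatory attention) materializes."""
    return [m for m, u in monthly_uptime(outages).items() if u < tolerance]


def control_effect(outages, control_date=CONTROL_DATE):
    """Did the control change the metric? Compare mean monthly downtime before
    and after it went live (control_date is assumed to fall on a month boundary)."""
    before, after = [], []
    for month, minutes in monthly_downtime(outages).items():
        (after if datetime.strptime(month, "%Y-%m") >= control_date else before).append(minutes)
    return {"before_min": mean(before), "after_min": mean(after),
            "improved": mean(after) < mean(before)}


def downtime_by_hour(outages):
    """Root-cause prompt: when do outages start? A cluster at one hour of day
    points at load (a Systems root cause), not at missing expertise (People)."""
    by_hour = Counter()
    for start, mins in parse(outages):
        by_hour[start.hour] += mins
    return by_hour


def peak_hour(outages):
    """Hour of day carrying the most downtime."""
    return downtime_by_hour(outages).most_common(1)[0][0]


if __name__ == "__main__":
    for month, up in monthly_uptime(OUTAGES).items():
        flag = "OUT OF TOLERANCE" if up < TOLERANCE else ("below target" if up < TARGET else "ok")
        print(f"{month}: {up:.2f}%  {flag}")
    print("control effect:", control_effect(OUTAGES))
    print(f"most downtime starts in the {peak_hour(OUTAGES)}:00 hour")
```

    Run as a script, it prints each month with its tolerance flag, the before/after comparison and the peak hour. The point is that out_of_tolerance() keeps firing after the control date and control_effect() reports no improvement (mean downtime actually rose from 127.5 to 135 minutes a month), which is exactly what a pass/fail test of the training control would not have told you; downtime_by_hour() then shows almost all of it starting in the 12:00 hour.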

  • Chapter 5

    Risk Reporting & Communication

    5 Key Principles

  • DASHBOARD #1: ROOT CAUSE

    View Organization's Overall Risks

    Using a common set of standards and assumptions means your organization's risks can be brought together and displayed on a single heatmap, where upper-right-corner issues are the most critical. This heatmap shows all of an organization's risks based on business-process-level observations. The information stays current, and changes in assessments are immediately reflected.

  • DASHBOARD #1: ROOT CAUSE

    View Risk by Strategic Imperative: Customer Satisfaction

    Viewing risks by a theme, such as an initiative or concern, enables organizations to take action by measuring progress toward a goal and adding context to what needs to be done.

  • DASHBOARD #2: ENTERPRISE VIEW

    View by Strategic Goals

    Due to the limitations of spreadsheets, risk managers often have to choose between presenting actionable data that is too granular for the board, or presenting a high-level summary, such as a top 10 risk report, which lacks the context of how risk within business processes relates to the objectives that senior leadership and the board require. However, a common risk taxonomy allows organizations to gather business-activity-level data and aggregate it to a high level that is better understood and more actionable for senior leadership.

  • DASHBOARD #2: ENTERPRISE VIEW

    Drill Down to Activity Level when Necessary

    For the top risks across the organization, risk managers often provide the more detailed underlying data, such as which business areas are involved, what each area's individual profile of the risk is, what the mitigation strategy is, and how the risk is being monitored.

  • DASHBOARD #3: ERM PROGRESS

    Efficiency: Percentage of risks formally identified & assessed

    Risk management is a process, and the key to successfully monitoring the effectiveness of any process is measurement. The following are examples of measures that will quantify the value your ERM program is providing.

    The first measure is Efficiency. Risk assessments are done for each business process or business unit. The chart shows the number of risks identified (red) and the number of risks assessed (blue) for each business process or business unit. This tells the board how many of the risks in the enterprise have been collected and evaluated.

  • DASHBOARD #3: ERM PROGRESS

    Transparency: Assurance of Risk Coverage (percentage of risks mitigated)

    The next critical value measure is Transparency. Risk management doesn't stop at risk identification and assessment. It's also critical to show the state of ERM in terms of how many of the risks identified and evaluated are covered by mitigation activities. Notice the gap between the red bar, measuring the number of risks identified and assessed, and the green bar, measuring the number covered by mitigation activities. Notice that each quarter the gap between the two bars is getting smaller. This shows how the state of ERM has evolved over the past several quarters.

  • DASHBOARD #3: ERM PROGRESS

    Percentage of KEY risks mitigated

    You can filter this gap by using a cut level, focusing only on risks whose residual index is above a tolerance threshold; in this example, simply above the average. Now the board can have a meaningful discussion of what level of risk it is willing to accept, or how many resources it wishes to allocate to getting stronger mitigation activities in place to address this gap. This is matching risk tolerance to risk appetite in a way that is actionable, since discrete risks are connected to discrete controls with ownership.

  • DASHBOARD #3: ERM PROGRESS

    Performance Management

    You can apply the same focus by filtering out low risks to show only the above-average risks and the corresponding mitigation activities that directly impact each of the organization's strategic objectives. As risks are reassessed periodically, you can focus on emerging risks that move out of tolerance and spend less time on risks whose indexes are decreasing.
