PwC’s 2012 U.S. Insurance ERM and ORSA Readiness Survey


US life, P&C and health insurers are changing their ERM practices to prepare for the Risk Management and Own Risk and Solvency Assessment (RMORSA) Model Act. And our survey finds some insurers are ahead of the curve. But the industry as a whole might not be as prepared for RMORSA as it thinks it is. There's still a lot of work to do on building the underlying risk strategy. More info: http://www.pwc.com/us/en/insurance/publications/insurance-survey-erm-rmorsa-2012.jhtml


www.pwc.com/us/insurance


In September 2011, the National Association of Insurance Commissioners unanimously adopted the Risk Management and Own Risk and Solvency Assessment (RMORSA) Model Act, with an effective date of January 1, 2015.

This Act signifies a fundamental shift in the regulatory scrutiny of the insurance industry’s enterprise risk management (ERM) practices, and insurers are likely to feel its impact well before the effective date. The Act, which each jurisdiction now needs to adopt in state law, requires insurers to maintain a comprehensive risk management framework that is embedded into company operations. In particular, this includes assessments of current and prospective solvency positions under normal and stressed scenarios.

The RMORSA requires an “ORSA Summary Report” to be filed first with the insurance commissioner in the lead state of domicile starting from 2015. However, we note that some insurance departments are already asking companies for their ORSA or similar documentation as part of the review process. All documentation and evidence that supports the report must be available for regulatory inspection. Accordingly, most insurers will need to make significant investments in resources and organizational commitment in order to operationalize the process and facilitate filing a complete and comprehensive report on time.


About the survey

From May to September 2012, PwC undertook a survey of ERM practices and readiness for the RMORSA requirements. This 2012 survey is, in part, a continuation of PwC’s two previous global ERM surveys, but in this case exclusively targeted the U.S. insurance market. The survey consisted of four main sections covering risk strategy, governance, management, and quantification.

The 65 survey participants have a combined premium income in excess of $530bn (approximately 30 percent of the U.S. market) and represent a cross section of life, P&C and health insurance companies. They include U.S. headquartered international groups, U.S. domestic groups or companies, and U.S. subsidiaries of European or other foreign groups.

We conducted the survey primarily through in-person interviews and discussions with chief risk officers or others directly responsible for designing and overseeing ERM, such as chief actuaries, heads of ERM, and sometimes chief finance officers. Responding companies sometimes delegated specific questions to specialist personnel within their organizations. The responses represent individual participants’ views, and their interpretation of the questions and self-assessments vary.

For companies that are part of global groups, respondents were asked to provide feedback specific to risk management practices of the U.S. entities, as feasible. In addition to complying with the RMORSA, 45 survey participants also have to comply with other supervisory regimes. Companies’ assessments of their level of preparedness for the RMORSA do appear to vary by the additional regulatory regimes with which they may have to comply. Those additionally subject to EU Solvency II, OSFI requirements or the CISSA requirements under the new Bermuda Monetary Authority regime are generally further along the journey to being fully prepared (please see Figure 1).

Figure 1. Preparedness for RMORSA

[Chart not reproduced. Axis: 0% to 90%. Categories: No other regimes; SII; Canadian; Bermudan; Federal Reserve. Legend: Process unlikely to be adequate but preparation not yet started; Process unlikely to be adequate and at early stages of preparation; Process largely adequate or considerable progress made - some significant items still to be addressed; Process likely to be adequate or considerable progress made - awaiting further clarity from appropriate regulator(s).]


Perceptions of preparedness

35% of companies indicated that they do not have a fully operational risk appetite with tolerances linked to business strategy.

38% of company boards are not engaged or are only passively engaged in risk management.

And yet, 82% of respondents believe that existing ERM processes are largely or already adequate for the RMORSA.

A potentially significant gap appears to exist between perceptions of RMORSA preparedness and the actual completeness of underlying risk frameworks.

Select highlights from the survey follow below.

Risk strategy

In our experience, risk strategy should be at the heart of the organization. Risk should be a core consideration when setting strategy, formulating business plans, managing performance, and rewarding management success. Risk appetite should be clearly articulated and reflect the organization’s risk carrying capacity, business strategy, and financial goals. Processes and procedures should be in place to manage risk on an enterprise wide basis within defined boundaries, without stifling day-to-day operations.

Almost 40 percent of respondents think that their organizations will achieve additional benefits from the ORSA process. However, nearly half consider that incremental benefits are “only possible”. This split opinion appears to reflect a greater perceived future benefit for those carriers with ERM practices in the early stages of development.

PwC believes a fully operational ORSA strategy and process brings significant benefits (such as a better rating agency view of the ERM framework, lower impact regulatory exams, better risk practices, and enhanced collaboration between actuaries and risk managers). In the short term, dedicating resources and budget to develop the overall risk strategy will help to align capabilities of companies with less developed ERM functions with their more advanced competitors. In the longer term, the focus of all market participants will hopefully move beyond regulatory compliance and become more strategic, as companies surpass the basic requirements and approach their ORSA from primarily a commercial, value-adding perspective.

The most commonly reported objective of risk management is to control and limit risk events. Shareholder value enhancement is the least common (however, some survey participants are mutual organizations for whom this objective is less relevant). Figure 2 shows respondents’ risk management objectives.


Figure 2. Risk management objectives

Of the publicly traded companies, 90 percent indicate that shareholder value enhancement is a risk management objective. Health companies were least likely to include policyholder protection as an objective.

65 percent of companies indicate they have a risk appetite statement that reflects strategy, financial goals and tolerances, suggesting there may not be sufficient focus on linkages to top down strategic objectives and metrics across the industry. Close to 75 percent of life and P&C companies have a risk appetite statement, while only 35 percent of health companies do. As might be expected, the largest organizations score very well in relation to having formal risk appetite statements for each key risk category, with scores then falling markedly for mid-sized carriers, and falling materially again for the smallest insurers (measured by premium volume).

PwC believes that insurers will benefit from establishing a formal risk appetite statement with their boards. This is a fundamental component of the ERM framework for any organization. For companies with less complex risk profiles, the risk appetite statement should be developed commensurately; a relatively simple risk profile does not mean a formal risk appetite statement is any less relevant. A formal risk appetite statement should be the universal currency within an organization against which to assess all major decisions. A robust and useable risk appetite statement enhances risk governance and provides a platform on which to engage every stakeholder.

Companies with risk appetite statements note that they have a large number of risk-specific statements (an average of nearly six). While having very detailed risk appetite statements is typically a positive from an ERM perspective, it can make it more difficult for insurers to ensure alignment with the corporate strategy across different functional areas. Importantly, companies also include more strategic metrics (or dimensions) in their appetite statements, the two most common being a “capital at risk” dimension (95 percent of companies) and “earnings at risk” (68 percent of companies). Many companies also include risk-specific statements, with market, underwriting, credit, liquidity and operational risks as the most common categories covered. Additionally:

Life companies are more likely than P&C or health companies to include liquidity and asset/liability matching risks;

P&C carriers are more likely than life or health companies to reference underwriting risks; and

Health insurers are more likely than life or P&C companies to focus on operational risks.

[Figure 2 chart not reproduced. Axis: 0% to 100%. Categories: Shareholder value enhancement; Policyholder protection; Control and limit risk events; Risk return optimization; Other.]


77 percent of companies have a risk-specific limit framework to guide the business on compliance with risk appetite. This increases slightly (to 83 percent) for companies that have a risk appetite statement. 95 percent of life companies, 90 percent of P&C companies, and only 35 percent of health companies, have a limit framework. Where limit frameworks are in place, Figure 3 (below) shows where they are most advanced. This demonstrates a high correlation with the risk categories that appetite statements most typically reflect.

Figure 3. Areas where limit frameworks are most advanced

A plurality (45 percent) of respondents monitors the risk metrics that measure performance against risk appetite and tolerances on a quarterly basis. However, some companies (25 percent) responded that they more frequently produce certain metrics (most commonly, market, credit and hedge risks), while they less frequently update others (such as demographic or claims risks).

25 percent of companies report that they do not include risk appetite metrics as part of the business planning process, while 57 percent include only some metrics. This means that, for three-quarters of the industry, risk measurement and management are not yet fully integrated with the business planning process; this represents a strategic opportunity and regulatory gap with respect to RMORSA readiness.

Overall, the use of risk adjusted performance metrics is still evolving. Figure 4 shows the prevalence of aggregate risk and performance metrics.

[Figure 3 chart not reproduced. Axis: 0% to 80%. Categories: Underwriting; Market; Credit; Liquidity; ALM; Operational; Reserving; Strategic; Legal; Group; Reputational; Other.]


Figure 4. Aggregate performance metrics

Life companies most commonly use economic capital (58 percent), followed by traditional metrics (47 percent) such as internal rate of return, return on premium and exposure metrics. P&C companies also commonly use economic capital (62 percent), but most frequently use traditional metrics (66 percent) such as combined ratios and loss ratios. P&C companies also are more likely (62 percent) to use RORAC or RAROC measures than life or health companies.

Risk governance

A governance structure based on a “three lines of defense” model is emerging as a leading practice in the industry. Senior management should be accountable and responsible for “top tier” risks, and clear risk management policies and procedures should exist for managing all material risks.

Two thirds of responding companies have a dedicated chief risk officer (CRO). Life companies are most likely, and health companies least likely, to have a dedicated CRO. Three quarters of the companies that do not have a dedicated CRO report that other positions cover the role. In some companies, the various individuals who carry out the ERM tasks and responsibilities that a CRO would handle do so in addition to their other duties. PwC believes it is imperative that, in the absence of a CRO, there are clearly identified individuals who are responsible and accountable for their part of risk management, and that someone at a higher level is responsible and accountable for ensuring that the company is properly addressing all aspects of the ERM framework.

At 40 percent of responding companies, the CRO does not report directly to the CEO or the board. In these cases, the most common reporting line is to the chief finance officer (CFO). Regardless of reporting structure, we think it is crucial for the CRO to have enough autonomy to lead open and honest assessments and management of the insurer’s risks. In addition, there should be controls that address actual and perceived conflicts of interest at companies where CROs do not report directly to the board, or where the role is performed by individual(s) with other management responsibilities.

[Figure 4 chart not reproduced. Axis: 0% to 80%. Series: Life; P&C; Health. Categories: Traditional metrics making no reference to risk or capital (please specify); Non-adjusted returns on capital/equity; Other risk-adjusted performance metrics (please specify); Embedded value; Economic capital; Economic value added; Return on risk-adjusted capital (RORAC)/risk-adjusted return on capital (RAROC).]


Survey responses indicate that the CRO or risk committees will be largely responsible - either solely or jointly - for compliance with RMORSA requirements. Other stakeholders taking a role include the CFO, the wider risk team (including risk managers, internal audit and compliance), and the CEO. This is not a surprising finding, as a key component of successful ERM is a risk culture that permeates the organization, as well as a sense of shared responsibility throughout the company for risk management. (However, we note that sharing key responsibilities too broadly presents the risk that key tasks will go unperformed and/or an organization may not adequately address critical issues because of a common perception that they are someone else’s responsibility.)

Against this background, 38 percent of company boards were reported as being either unengaged or only passively engaged in risk management. In many of these cases, companies noted that their boards are passively engaged because members are still trying to learn about RMORSA requirements. PwC expects that this will change with the approach of the RMORSA implementation date, and as regulators begin to focus more on ERM in their reviews. Now that the NAIC has adopted the ORSA Guidance Manual and Model Act, being closely involved in risk management should be of paramount importance to all boards and management teams.

Just over 40 percent of respondents have board risk committees, and nearly all respondents have formal terms of reference in place for corporate and other risk committees. However, the existence of formal terms of reference starts to fall off dramatically for business unit risk committees. PwC notes that this may prevent some insurers from complying with the NAIC’s expectation of governance structures that clearly define and articulate roles, responsibilities and accountabilities. It is also necessary to evidence a risk culture that supports accountability in risk-based decision making, as per the ORSA Guidance Manual.

The reported headcount of the risk function varies by the size of the organization, with larger companies generally reporting a larger risk function. In addition, the risk function size also varies significantly depending on organizational and group structures, and how responsibility for risk management is allocated. Figure 5 below shows the spread of sizes of risk functions across our survey participants. 84 percent of companies note that the risk function is responsible for risk oversight, with business areas owning and managing the risks. In 72 percent of participating companies, the internal audit function provides oversight of risk management activities.

Figure 5. Size of risk function

[Chart not reproduced. Axis: 0 to 35. Series: Life; P&C; Health. Categories: 30+ staff; 1-30 staff; 5-15 staff; 1-5 staff; No separate function.]


Risk management

A formal risk identification process will improve the likelihood that companies will identify all significant existing and new risks on a regular basis. We believe that a robust stress and scenario testing process is an essential part of a risk management framework. The RMORSA process is an ideal opportunity to perform a comprehensive stress and scenario exercise. When properly orchestrated, the RMORSA will take place in conjunction with an organization’s business planning process. This is an ideal time to stress- and scenario-test business plans, risk exposures, and appetite metrics in a comprehensive and coordinated manner. Insurers should appropriately tailor risk management metrics and dashboards to facilitate the monitoring of exposures and tracking against appetite according to roles, responsibilities and authority levels.

78 percent of companies have a formal process and 18 percent an informal one to address risk identification. The remaining companies reported that they do not have or do not see a need for a formal process. Only one in five companies has a dedicated emerging risks team. More commonly, responsibility for emerging risks resides with business risk owners (89 percent), risk committees (71 percent) and risk function managers (66 percent). Some companies identify the CRO, CFO, CEO or board as responsible for risk identification. Figure 6 below shows the level of concern for different emerging risks. This chart shows how companies responded on various risks, using a 1 to 5 rating (1 = light shading progressing to 5 = dark shading), with 5 being very concerned and 1 being unconcerned. For example, more than 75% of companies rated regulatory risk a 4 or a 5, as shown by the darker reds in the chart. Other most commonly reported emerging risks include technology/cybercrime, regulatory and legislation, economic and financial crisis, hyper-inflation/deflation and sustained low interest rates.

Figure 6. Concern over emerging risks

[Chart not reproduced. Axis: 0% to 100%.]


Many companies report that they do not have fully documented risk policies that cover the significant risks to which they are exposed. Unsurprisingly, smaller companies report having fewer risk policies than larger ones. In aggregate, the risks a risk policy is most likely to cover include:

Investments;

Disaster recovery;

Reinsurance;

IT; and

Liquidity management.

Furthermore:

Life companies are more likely to have risk policies that cover asset/liability matching, mortality, morbidity, longevity and persistency risks;

P&C companies are more likely to have policies that cover catastrophe risk modeling and aggregations; and

Health companies are more likely to have an expense risk policy.

41 percent of companies report that they actively review, update and enforce risk management policies. A further 33 percent note that they review most, though not all, of their policies, and another 25 percent report that they do not review most or all of them. P&C companies most actively manage risk policies, followed by life and then health insurers. Larger companies also appear to manage risk policies more actively.

55 percent of companies report a high degree of coordination between risk, finance and compliance functions, and a further 42 percent reported a moderate level of coordination. Health companies are more likely to have a moderate rather than high level of coordination. Of those that reported a high degree of coordination, 28 percent say that they fully embed risk appetite in the business planning cycle; 25 percent report that internal audit does not provide oversight of risk management activities, which might suggest that there are no clear boundaries or divisions of responsibility.

The majority of companies do not have a fully operational stress testing program. Furthermore, the reported level of stress testing maturity varies across sectors. In particular:

Compared to P&C and health insurers, life companies are more likely to have a stress testing program that is integrated across assets and liabilities. This likely reflects the greater importance of asset/liability matching for longer duration liabilities.

Market stress testing takes place across the industry as a whole.

The industry as a whole is least likely to conduct liquidity risk stresses.

Insurance risk stresses vary significantly by sector. Life companies focus on demographic risk stresses, while P&C and health companies focus on loss ratios, claim frequency/severity and catastrophe events.

The most common liquidity stress events are post-catastrophe stress events (mainly P&C), market risk events, and liquidity crunch (mainly life). Life companies perform an average of three different liquidity risk stresses, compared with two for P&C insurers and less than one for health companies.


Three quarters of companies indicate that they have a risk dashboard or risk management information pack. Of those that have such information, 36 percent of companies report that the process to produce this information takes longer than a month. 60 percent of companies produce this risk information quarterly, and a further 20 percent report monthly. The most common metrics are:

Statutory capital (over half of companies also include economic capital as a metric in risk reporting);

Liquidity;

Operational metrics; and

Earnings sensitivity/variance from plan.

Figure 7 summarizes the top uses of these risk metrics, where they are available.

Figure 7. Risk metric usage

Risk quantification

Internal risk and capital models are at the heart of an ERM framework. The latest draft of the NAIC ORSA Guidance Manual requires models to meet the highest quality standards, be appropriately calibrated (“real time”), and fully tested and documented, as well as subject to independent scrutiny and validation.

Most respondents (63 percent) report using an economic capital measure in addition to the more traditional capital metrics of statutory capital (i.e., GAAP and rating agency capital). U.S. domestic companies have the lowest take-up rate of economic capital (51 percent), compared to U.S. international groups and subsidiaries of overseas groups. This is likely to be the result of international groups needing to comply with other regulatory regimes (such as Solvency 2), which may engender more detailed capital modeling.

[Figure 7 chart not reproduced. Axis: 0% to 80%. Categories: Measurement against limits; To monitor compliance with risk appetite; To enable mitigation strategies to be employed; To maintain capital adequacy; To meet rating agency objectives; To gain competitive edge; To assess and improve risk adjusted profitability; To inform investment strategies; To inform strategic planning; To measure risk-adjusted compensation; Other (please specify).]


Where economic capital is used:

71 percent of respondents have the ability to project economic capital into the future. Of this group, 41 percent report the ability to project economic capital over one year, and 55 percent can project it beyond three years.

60 percent can produce economic capital in a “timely” manner. The other 40 percent cite a variety of reasons why they cannot, including computer run times, prioritization with other metrics, and process inefficiencies.

48 percent of companies allow for hedging strategies in their economic capital assessment. The need and significance of such hedging strategies will depend on the business profile and types and levels of exposure. All P&C companies allow for hedging strategies, whereas only 60 percent of life companies do (perhaps because of the complexity of longer term hedging strategies). Health companies are the least likely (27 percent) to do so, likely due to less hedging activity.

40 percent of companies allow for dynamic management actions and policyholder reactions. Life companies are most likely to do so (60 percent), due to the significance of these activities to their business.

Over half of companies’ economic capital models include the projection of future macroeconomic scenarios, and most of them use a sophisticated economic scenario generator to do so.

In quantifying risks, insurers are most likely to stochastically model market and underwriting risks. Figure 8 shows approaches adopted by respondents to model specific risks. 40 percent of companies report that they have had infrastructure or data issues that prevented them from following their desired approach to risk quantification.

Figure 8. Risk-specific modeling methods

39 percent of companies believe their risk aggregation approach needs improving or is at a low level of sophistication. However, this increases to 60 percent for U.S. domestic companies. This discrepancy may result from the fact that groups have to address aggregation across entities and geographies, as well as risk types, which may result in a greater focus on risk aggregation (and therefore a higher level of comfort with their approach).

[Figure 8 chart not reproduced. Axis: 0% to 100%. Risk categories: Market; Credit; Liquidity; Underwriting; Reserving; Operational. Modeling methods: Not modeled; Factor based; Stress test; Stochastic; Other.]


Nearly two thirds of respondents use vendor models to monitor aggregations of catastrophe risk, with more and more insurers licensing more than one commercial model. Some large P&C insurers use these models in tandem with proprietary catastrophe models; insurers generally apply adjustments – often significant ones, depending on the peril and peril zone – to model results. They typically use different models for different peril types and geographical zones, depending on each model’s perceived appropriateness and relevance. In nearly all cases, P&C insurers undertake extensive back-testing of their catastrophe quantification against historical events. Interestingly, many survey participants note a growing need for an internal catastrophe risk indicator, since, in the past, vendor model version upgrades have caused large changes in catastrophe risk outputs. 44 percent of companies either do not have a model risk management framework or have a framework that does not include model validation requirements.

Unsurprisingly, all P&C companies report that they have catastrophe risk exposure. 63 percent of life and 76 percent of health companies report they also have such exposure. However, life and health companies tend to view data quality for catastrophe risks as no more important than for other risks. P&C companies understandably attributed higher importance to catastrophe data quality.

Summary

While the U.S. insurance industry is making strides towards RMORSA readiness, a number of material gaps still exist at many companies. Furthermore, in PwC’s view, there are many important advantages to having a well embedded ERM framework that helps insurers exploit key opportunities and maximize risk-adjusted returns, while protecting policyholders’ interests. Meeting regulatory requirements as a by-product of an effective ERM framework and risk-aware culture, rather than seeing the RMORSA as a pure compliance requirement, will help differentiate tomorrow’s winners in the market.


Contacts

For a deeper conversation about ERM in the insurance industry and the RMORSA, please contact:

Brian Paton, Director, Actuarial and Insurance Management Solutions (AIMS), 312 298 2268

Paul Delbridge, Leader, Risk and Capital Management Services, 646 471 6345

Thomas Sullivan, Leader, Insurance Regulatory Advisory Services, 860 241 7209

Rich De Haan, Leader, Life Actuarial and Insurance Management Solutions (AIMS), 646 471 6491

Maryellen Coggins, Managing Director, Risk and Capital Management Services, 617 530 7427

Joe Calandro, Managing Director, Risk and Capital Management Services, 646 471 3572


© 2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.