Sections of the ORSA Report...• Describe risk monitoring processes and methods, provide risk...


Lessons Learned From ORSA Reviews: Impact on Risk Focused Examination

NAIC Insurance Summit

INS Companies

Joe Fritsch, Director, INS Companies

Don Carbone, Exam Manager, INS Companies

The INS Companies, 2015©

Sections of the ORSA Report

• Section 1 – Description of the Insurer’s Risk Management Framework

• Section 2 – Insurer’s Assessment of Risk Exposure

• Section 3 – Group Assessment of Risk Capital and Prospective Solvency Assessment


Section I – Description of the Insurer’s Risk Management Framework

• Section should contain a high-level summary of the aforementioned ERM framework principles.

• Describe how the insurer identifies and categorizes relevant and material risks and manages those risks as it executes its business strategy.

• Describe risk monitoring processes and methods, provide risk appetite statements, and explain the relationship between risk tolerances and the amount and quality of risk capital.

• The ORSA Summary Report should identify assessment tools (feedback loops) used to monitor and respond to any changes in the insurer’s risk profile due to economic changes, operational changes, or changes in business strategy.

• The ORSA Summary Report should describe how the insurer incorporates new risk information in order to monitor and respond to changes in its risk profile due to economic and/or operational changes and changes in strategy.


Meeting with Insurer: Walkthrough of ORSA

• Set up a meeting of 1 to 3 hours, depending on complexity, with the insurer to give an overview of its ORSA Summary Report.

• Prepare questions based on the examiner’s review of the ORSA Report and knowledge of the company (insurer profile, EIC of the last exam, chief actuary, chief examiner, etc.).

• Focus on the need to complete the assessment of the five key principles and on identifying branded risks.

• It should be a summary of the company’s risk management process and how it ties to the overall business strategy (business plan).


Meeting with Insurer: Walkthrough of ORSA

• Ask the company to describe the level of maturity it thinks it has achieved in meeting the 5 key principles: risk culture, risk ID, risk appetite, ERM controls, and ERM reporting and communication.

• Have the company describe how its culture demonstrates the use of risk management throughout the organization.

• Describe how risk management is integrated into business operating plans. Are the business objectives driven only from the top of the organization, or are they also driven from the individual business units?


Meeting with Insurer: Walkthrough of ORSA

• Describe your board of directors’ review of the ORSA Summary Report and their reaction; sample report.

• Describe the CRO position: who he reports to in senior management, but at the same time, has an independent voice to the Board of Directors.

• Describe, if applicable, how risk management is integrated into compensation practices.

• What reports go to the audit committee, risk committee, other committees responsible for risk and what reports go to the full board of directors?


5 Key Principles

An effective ERM framework should, at a minimum, incorporate the following key principles:

• Risk Culture and Governance – Governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision-making.

• Risk Identification and Prioritization – Risk identification and prioritization process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels.

• Risk Appetite, Tolerances and Limits – A formal risk appetite statement, and associated risk tolerances and limits are foundational elements of risk management for an insurer; understanding of the risk appetite statement ensures alignment with risk strategy by the board of directors.

• Risk Management and Controls – Managing risk is an ongoing ERM activity, operating at many levels within the organization.

• Risk Reporting and Communication – Provides key constituents with transparency into the risk-management processes and facilitate active, informal decisions on risk-taking and management.


Analyst Deliverables – Section 1

• The Examiner is required to provide a summary report on the 5 principles. Rate each principle as follows:

– Level 5 – Leadership: highest; Departments are reluctant to give this one

– Level 4 – Managed:

– Level 3 – Repeatable:

– Level 2 – Initial:

– Level 1 – Ad hoc:

– Level 0 – Non-existent:

The financial analyst handbook gives an example of each level for each key principle.


Analyst Deliverables – Section 1

Prepare a summary of Section I by developing an assessment of each of the five principles set forth in the ORSA Guidance Manual followed by a narrative that supports the assessment.

A. Risk Culture and Governance—Governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision making.

☐5 – Leadership ☐4 – Managed ☐3 – Repeatable ☐2 – Initial ☐1 – Ad Hoc ☐0 – Non-existent

Supporting Narrative (why the company was rated repeatable or initial, etc.)


Risk Culture and Governance

A. Risk Culture and Governance—Governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision making. The objective is to have a structure in place that creates a top driven atmosphere and rigor within the organization that manages risk in a way that is continuously improved. The Board of Directors is responsible for the framework and the risk culture established by senior management and approves the risk appetite statement in collaboration with the chief executive officer (CEO), chief risk officer (CRO) where applicable, and chief financial officer (CFO).


Risk Culture and Governance

NAIC defines risk culture as:

• Supervisors are focusing on the institution's norms, attitudes and behaviors related to risk awareness, risk taking and risk management.

• The norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes.

• The organization's propensity to take risks as perceived by the managers in the organization.

• Organizational behaviors and processes that enable the identification, assessment and management of risks relative to objectives ranging from compliance to operational, financial and strategic.


Risk Culture and Governance

An example of best practice in Risk Culture and Governance – Leadership Practices

• Risk culture is analyzed and reported as a systematic view of evaluating risk.

• Executive sponsorship is strong and the tone from the top has sewn an ERM Process into the corporate culture.

• The Board of Directors establishes the framework and the risk culture and approves the risk appetite statement in collaboration with the chief executive officer (CEO), chief risk officer (CRO) where applicable, and chief financial officer (CFO).

• Those officers translate the expectations into targets through various practices embedded throughout the organization.

• Risk management is embedded in each business function.

• Internal audit, information technology, compliance, controls and risk management are highly integrated and coordinate and report risk issues. All areas use risk-based best practices. The risk management lifecycle for each business process area is routinely improved.


Risk Culture and Governance

Risk Governance

• What are the roles and responsibilities within the organization with regard to ERM, e.g., Board of Directors, senior management, heads of business units (tone at the top, but also reporting from business units to the leadership of ERM)?

• ERM process and framework: how does it interact throughout the organization? (You want a holding company chart for ERM.)


Risk Culture and Governance

Questions to consider:

• Who is responsible for the establishment, review and update of the ERM framework?

• How often is the framework reviewed and updated if needed?

• How often is it reported to the Board?

• How are individual business units educated on the ERM framework, including risk appetite and limits?

• How do business units report new risks?

• Who monitors for breaches in risk limits, and what is the procedure?


Risk Culture and Governance

Areas of concern

• Are all entities covered by the ORSA? (During the crisis that was the issue at AIG: the financial products division was not regulated, CDS.)

• No CRO, or the CRO is not involved in the business planning

• CRO or head of ERM does not have a direct reporting line to the Board (it's OK to have dotted-line reporting to the CFO or CEO)

• Compensation is based on volume or taking additional risks

• ORSA is prepared for regulators but clearly not embedded in the organization


Risk Identification and Prioritization

B. Risk Identification and Prioritization: The ORSA Guidance Manual defines this as key to the organization; responsibility for this activity should be clear; and the risk management function is responsible for ensuring the process is appropriate and functioning properly at all organizational levels. Therefore, the objective is to have a process in place that identifies risk and prioritizes such risks in a way that all potential material risks are addressed in the framework.


Risk Identification and Prioritization

Leadership Best Practices

Internal and external best practices, support functions, business lines and regions are systematically gathered and maintained. A routine, timely reporting structure directs risks and opportunities to senior management. The ERM Process promotes frontline employees’ participation and documents risk issues’ or opportunities’ significance. Process owners regularly review and recommend risk indicators that best measure their areas’ risks. The results of internal adverse event planning are considered a strategic opportunity.


Risk Identification and Prioritization

A good ERM will have a process to identify risks

• Risks can be identified both from business units and at a high level based on the strategic plan of the insurer, which should correlate to the business plan filed with the Department

• Should have an emerging risk framework to ID new risks

• Company will have a risk register that has the risk universe and a method to prioritize the risks, i.e., “risk prioritization”

• The listing is sometimes referred to as a risk taxonomy

• This should result in a heat map of top risks


Risk Identification and Prioritization

Some questions examiners may ask:

• How are emerging risks identified within the organization and how are they tracked?

• Who is responsible for providing updates on risks identified, whether identified at the senior level or from business units?

• How are the risks prioritized (heat map) and how often is this updated?

• What groups or teams are involved in the assessment and prioritization?

• What do they consider in the ranking: likelihood of occurrence, magnitude of impact and mitigating controls?


Risk Identification and Prioritization

Some questions or concerns the examiners may have:

• Risk identification is done strictly for the ORSA Report, not embedded in the organization

• ORSA does not clearly identify how material risks are ID'd out of the universe

• Disconnect between material risks and the company business plan or strategy

• Does not consider affiliated risks

• No consideration of mergers or acquisitions


Risk Appetite, Tolerances and Limits

The ORSA Guidance Manual states that a formal risk appetite statement, and associated risk tolerances and limits are foundational elements of risk management for an insurer; understanding of the risk appetite statement ensures alignment with risk strategy by the board of directors (e.g. relationship between risk tolerances and the amount and quality of risk capital).

• Risk appetite statements should be easy to communicate and to understand, and closely tied to the organization's strategy, and should address its material risks. They should be used to help set boundaries and expectations by using quantitative limits and statements for risks that are difficult to measure.

• These boundaries may be expressed in terms of earnings, capital, or other metrics (growth, volatility). The objective is to put mechanisms in place to measure the risk the organization is willing to accept. For example, a risk appetite statement may require the organization to maintain sufficient capital to cover a 1 year horizon with 99.97% confidence, or maintain an “AA” solvency standard.


Risk Appetite, Tolerances and Limits

The ORSA should have, at a minimum:

• A formal risk appetite statement and associated risk tolerances and limits, which are foundational elements of risk management for an insurer.

• Risk appetite should be in alignment with the business plan and corporate strategy of the company.

• Tolerances and limits should be described in metrics that are easy for the company to monitor.

• Examples of breaching a limit and the remediation that occurred are often helpful.


Risk Appetite, Tolerances and Limits

Questions to consider

• Does the ORSA explain how the quantitative and qualitative measures are used in explaining risk appetite? (E.g., not more than 10% of surplus in any one investment, or a limit on credit risk to a reinsurer.)

• How often is the risk appetite updated and how is it communicated?

• How are risk limits applied throughout the organization: group level, legal entity, business unit, line of business, etc.?

• How is risk appetite addressed in potential acquisitions or new lines of business?


Risk Appetite, Tolerances and Limits

Additional questions or concerns

• Not all material risks have stated limits

• Company does not track current exposures compared with risk limits

• The risk appetite process is not well defined or does not tie to the company’s business plan

• Risk appetite, tolerances and limits are not clearly communicated to business unit heads

• There is no monitoring of breaches of limits and risk appetite metrics

• Board of directors is not involved in the process


Risk Management and Controls

• The ORSA Guidance Manual stresses that managing risk is an ongoing ERM activity, operating at many levels within the organization (e.g., monitoring processes and methods).

• A key aspect of managing and controlling the risks of the organization is the governance process put in place. For many companies, the day to day governance starts with the business units, but those units put mechanisms in place to identify, quantify and monitor risks, which is reported up to the next level based upon the risk reporting and risk limits put in place.

• You want to look at Tone at the Top and how it is embedded into the organization.

• In addition, controls are also put in place on the backend, by either the internal audit team, or some independent consultant, which is designed to ensure compliance and a continual enhancement approach. Therefore, the objective is to put controls in place to ensure the organization is abiding by its limits.


Risk Management and Controls

• When the company has identified a risk, as discussed previously, the company should have a process to manage the risk. This can be done by the following:

1. Controls in place to mitigate the risks identified (the examiner will concentrate on material risks).

2. The company may mitigate risks by reinsurance, therefore limiting risk (e.g., purchasing catastrophe reinsurance).

3. It may intentionally decide to keep the risk and will use capital to mitigate the residual risk.


Risk Management and Controls

Examiners should expect to understand from the ORSA Report:

• How the Company is utilizing the mitigating strategies of controls, reinsurance or additional capital

• Processes in place to: manage risks on a regular basis, control risks, and provide early warning to the risk owner

• Board of Directors is kept informed


Risk Management and Controls

Questions to consider

• How and to what extent is the effectiveness of the organization's ERM evaluated internally by the Company?

• What processes are in place to ensure the ERM is being followed?

• What process is in place if there is a breach? How is it communicated?

• Is there an effective internal audit function performing independent review and providing reports to senior management and the Board?


Risk Management and Controls

Concerns to consider

• ORSA report is not clear on how material risks are managed by risk owners and who monitors the process

• Lack of risk controls in the internal audit plan

• Controls are at group level; not clear how they are pushed down into the organization

• No early warning system for approaching limits

• No procedure in place to report breaches to senior management


Risk Reporting and Communication

Risk reporting and communication should provide key constituents with transparency into the risk-management processes and facilitate active, informal decisions on risk-taking and management.

• Transparency: reporting that can be made available to board members or compliance departments and regulators.

• What is important is how the reports are being utilized to identify and manage risk at either the business unit level or some other level within the organization where decisions are made. The reporting provides the current measure of risk used to monitor such risk.

• Therefore, the objective is to have reporting in place that allows various decisions to be made throughout the organization and by the appropriate people, with ultimate ownership by the Board of Directors.


Risk Reporting and Communication

Leadership Practices

• The ERM Process is an important element in strategy and planning.

• Evaluation and measurement of performance improvement is part of the risk culture. Measures for risk management include process and efficiency improvement.

• Deviations from plans or expectations are also measured against goals. A clear, concise and effective approach to monitor progress toward risk management goals is communicated regularly with business areas. Individual, management, departmental, divisional and corporate goals are linked with standard measurements.

• The results of key measurements and indicators are reviewed and discussed by senior management and board (or committee) members on a regular basis and as frequently as necessary to address breaches in risk tolerances or limits in a timely manner.


Risk Reporting and Communication

Examples of reporting and communication

Board of directors to senior management (e.g., CFO, CEO, COO) and business unit functional heads (management/head of finance, internal audit, etc.)

You would want to know the sample content, format, frequency and use of reports.


Risk Reporting and Communication

Questions to consider:

• How is the importance of ERM communicated to the Organization?

• What kind of training is involved?

• How is compliance with limits and tolerance communicated and tracked?

• How are results tracked by senior management or the board?

• How are breaches of limits and tolerance addressed and communicated?


Risk Reporting and Communication

Concerns to consider:

• Needs to be both top-down and bottom-up communication

• Board is not regularly given key reports

• Lack of clarity about what action should be taken, e.g., on a breach of limits, etc.

• Communication is not documented

• There is no timely reporting of new risks or breaches identified


Questions

Joe Fritsch, Director INS Companies Don Carbone, Exam Manager INS Companies
