ORSA: A game-changer for the industry
With the 2015 date for the first ORSA submissions in the US fast approaching, the question of how best to prepare is a necessary, but difficult, one to answer. Some time in 2015, an American insurer will file the first Own Risk and Solvency Assessment (ORSA) summary report with its domestic regulator. By the end of that year, the vast majority of insurers operating in the member jurisdictions of the National Association of Insurance Commissioners (NAIC) will have followed suit.
The ORSA is central in the emerging global risk and solvency regulatory frameworks in response to the revised Insurance Core Principles (ICPs) adopted in October 2011 by the International Association of Insurance Supervisors (IAIS). ICP 16, which governs enterprise risk management (ERM), mandates that solvency regimes should require insurers to regularly perform an ORSA to assess the adequacy of their risk management and current—and likely future— solvency positions.
The US is no exception, with the NAIC including the ORSA as part of its Solvency Modernisation Initiative (SMI). At its 2012 springmeeting, the NAIC adopted its ORSA guidance manual, which sets out the principles to be adopted by US regulators.
That first ORSA filing, expected to be mandated as a result of state adoption of the NAIC’s Risk Management and ORSA Model Act, will represent, in the words of Pennsylvania state regulator Steve Johnson, “a game-changer for the insurance industry”.
Provided all goes as expected, this first filing will be the culmination of efforts by insurance regulators worldwide to enhance regulatory frameworks’ capabilities to withstand economic shocks such as the one that battered the financial services sector and the wider economy in 2008. It will mark the complete integration of a robust risk management function as a basic regulatory expectation. For insurers, getting to that first ORSA may require a significant investment of time, talent and resources.
"For Bermuda, this has meant that commercial insurers are now required to file a Commercial insurers solvency self-assessment (CISSA) as part of their annual filings."
Various regulatory and supervisory bodies have begun the implementation process around the globe. A risk-based supervisory framework allows the regulator to analyse the risk associated with an insurer and ensure policyholder protection.The Bermuda Monetary Authority has stated that understanding the risk associated with an insurer allows the regulator to deploy its supervisory resources appropriately. For Bermuda, this has meant that commercial insurers are now required to file a Commercial Insurers Solvency Self-Assessment (CISSA) as part of their annual filings. For the largest Bermuda insurers, this journey began in 2010. In Europe, the European Insurance and Occupational Pensions Authority (EIOPA) began its public consultation process on its Level 3 draft guidance on ORSA in November 2011.
The ORSA is an integrated framework using several tools to give a forward-looking vision of the risk and solvency position of an insurer. It encompasses both quantifiable and non-quantifiable risks in the near to medium term. With the ORSA, companies bear significant responsibility for determining their capital standing and adequacy. It facilitates an insurer’s full integration of ERM into decision-making. As envisioned, the ORSA is expected to be a key part of both the ERM framework and of the supervisory review process.
While insurers have built ERM and capital management programmes, many may be required to consider changes to underlying operations, ownership, and governance as well as infrastructure changes. Some of the key areas of focus are expected to be, but are not limited to:
Almost all US insurers will be subject to the NAIC ORSA requirements. Generally, an insurer may be exempt from the ORSA requirements if:
• The individual insurer’s annual direct written and unaffiliated assumed premium, including international direct and assumed premium but excluding premiums reinsured with the Federal Crop Insurance Corporation (FCIC) and Federal Flood Program (FFP), is less than $500 million; and
• The insurance group’s (ie, all insurance legal entities within the group) annual direct written and unaffiliated assumed premium, including international direct and assumed premium, but excluding premiums reinsured with the FCIC and FFP, is less than $1 billion.
However, even insurers meeting the requirements for exemption may have to comply if their domestic regulator so requires. There is also some flexibility the other way. Insurers that may not qualifyfor exemption on statutory grounds may request a waiver from the commissioner based on “unique circumstances”.
According to the draft NAIC ORSA Model Act, the proposed effective date of the ORSA under the SMI will be January 1, 2015, with the first report due in 2015. Insurers normally will need to file an ORSA summary report no more than once each year. Regulators expect this to be done soon after a company’s internal strategic planning process is complete. Insurers must apprise the commissioner of the expected time of filing. Insurers will also have to submit an ORSA filing whenever there are significant changes to the risk profile of the insurer or the insurance group of which the insurer is a member.
An insurer that is subject to the ORSA requirement will be expected to have a risk management framework, regularly assess the adequacy of that risk management framework and the insurer’s current solvency position, internally document the process and results, and provide an annual high-level summary report to the lead state regulator.
The NAIC ORSA will represent a major step in the US’s solvency regulation modernisation, and may well be considered one of the most significant events in insurance regulation (and ERM in particular) in recent decades.
An integral part of proposed new solvency regimes globally, the ORSA symbolises a commitment by both regulators and regulated to a customised, forward-looking system of solvency regulation, involving a more holistic real-time assessment of risk and its short- and medium- term impact on insurers.
In the NAIC’s concept of the ORSA, regulators may work with management to tweak or seek further information on models and inputs. For insurers, this input from—and interplay with—regulators may allow for more insight into regulatory requirements, and lower the possibility of inadvertently failing to satisfy written or unwritten regulatory expectations. The information feedback loop provides management, the board and other stakeholders with access to information on the risk and capital profile of the enterprise, allowing them to evaluate current strategies and their execution, and modify as necessary. Properly designed, it should also serve as an early warning system, providing enough time to respond to emerging risks and other potential concerns.
"Although NAIC's proposed deadline of 2015 may seem far away, insurers would be wise to start designing, implementing and fine-tuning their ORSA framework, tools, and processing now."
With the 2015 date for the first NAIC ORSA submissions fast approaching, the question of how best to prepare may be a difficult but necessary one to answer—and as soon as possible. Changes inreporting, information management, governance and planning may mean adjustments to a company’s operating model must be implemented. The good news is that as proposed, the ORSAs may help the regulated at least as much as the regulators in moving towards a more integrated, relevant and speedier ERM framework that enables undertakings to better identify, measure, monitor, manage and report the risks inherent in their businesses.
The structure of the NAIC ORSA reporting for non-exempt insurers could be in any given combination as long as all insurers within the group are covered. In the US, an insurer’s chief risk officer or equivalent will be required to attest to the accuracy of the ORSA summary report and that a copy has been provided to the company’s board of directors or its designated committee. Insurers filing late or incomplete reports may face civil penalties.
On many levels, the ORSA represents a sea change in insurance regulation in the US and globally. It is expected to have a major impact and may pose significant challenges to insurers, even those that already have ERM and capital processes in place.
Although the NAIC’s proposed deadline of 2015 may seem far away, insurers would be wise to start designing, implementing and fine- tuning their ORSA framework, tools, and processes now. There is already regulatory incentive to begin such preparation: the NAIC started training state financial examiners on ORSA in 2012. In addition, some states have already been urging insurers to address their ERM framework. New York, for example, issued a circular letter to insurers licensed in that state listing its expectations for an ERM function within insurers. Insurers whose statutory examination is before 2015 may be asked to answer questions on ERM and whether they will be ORSA-compliant by the proposed deadline.
Implementing ORSA provides an opportunity for better risk and capital management, integrating several existing risk-management processes into one consistent framework and embedding in the whole organisation a risk culture and risk decision-making process in which strategy and risk appetite are aligned.
Nicole Valadao is ERS director at Deloitte. She can be contacted at: email@example.com
Liz Cunningham is an acturial senior manager at Deloitte. She can be contacted at: firstname.lastname@example.org