After reviewing preliminary ORSA summary reports, insurance regulators are beginning to form some ideas about what they’d like insurers to say.
Insurance regulators are expecting an avalanche of new information regarding insurers’ enterprise risk management (ERM) programs—including their risk models, stress testing processes, and the complex assessments needed to produce an opinion about capital adequacy. This avalanche is called the Own Risk and Solvency Assessment (ORSA), and regulators have no one else to blame if they’re buried in information, because they asked for it.
In the United States, some states are requiring the first ORSA Summary Reports in 2015; most of the rest will be starting in 2016.
What regulators want to see
Over the past three summers, a score of US insurers have voluntarily submitted preliminary ORSA summary reports for unofficial reviews by the regulators.
At a recent conference, Danny Saenz, Assistant Commissioner of the Texas Department of Insurance, discussed the perspectives that regulators have gained through these pilot reviews. He presented a list of over 75 items that regulators have seen or would like to see.
In honor of David Letterman’s retirement from late-night TV in May, we have selected our Top Ten items from Saenz’s longer list and added our commentary. You can use this as a checklist as you do your final review of your ORSA Summary Report before sending it along to your insurance department.
1. Provide clear definition of who is doing what in the ERM process
It helps make the ERM process real to have actual people’s names for each reported process.
2. Discuss the status of development of the ORSA process
Be candid: it’s OK to admit that ERM processes are not yet perfect and the ORSA isn’t either.
3. Identify model for ERM program
All ERM programs should be customized, but what was your starting point: a general ERM standard like COSO, or an insurance-specific standard?
4. Discuss linkage of overall risk appetite to preferences, tolerances and limits
How are they linked, or are they all really independently determined?
5. Describe the processes in place to manage key and non-key risks
Along with the assurance processes and roles.
6. Explain the escalation process in event of a breach
Degree of planned escalation should be consistent with the size of the breach; give evidence of actual breaches and reactions.
7. Assess all key risks under current and stressed conditions
I.e., losses expected under "normal volatility" and "realistic disaster" in an accessible tabular form.
8. Describe changes to risk profile over time
The CEO’s ability to tell this story is in our opinion the best “use test” for the risk measurement part of ERM.
9. Explain fitness for purpose of risk capital metrics
E.g., why a one-year 99th percentile VaR on a statutory basis (or other selected metric) makes sense for your risks and your firm.
10. Discuss use of risk management to support business decisions
Show how risk tolerance, preferences and limits are consistent with business plans, and how risk acceptance standards and mitigation support financial and other objectives.
Finally, remember that the length and format of the ORSA Summary Report can vary based on insurer size and complexity. The largest insurers are talking about a maximum page count of 100 for the summary report. If your firm is much smaller and less complex, it’s sensible to target a much shorter summary.