ORSA is more than just another four-letter word. Or acronym, to be precise. For insurers, ORSA is, as Pennsylvania Deputy Insurance Commissioner Steve Johnson said a couple NAIC meetings ago, “a game changer for the insurance industry.”
Executive SummaryUnlike current solvency management, which is largely retrospective, ORSA will allow regulators—and insurers themselves—to look ahead to understand how the carriers will fare in the future, explains the former New York Insurance Department Superintendent.
But what is it? That’s a little more complicated than an elevator speech, since the Own Risk and Solvency Assessment, ORSA, is more than just a report. It is a system that may mean process changes for some insurers, and could mean business-model changes for others.
ORSA is defined as “a confidential internal assessment, appropriate to the nature, scale and complexity of an entity, conducted by that entity of the material and relevant risks associated with the entity’s current business plan, and the sufficiency of capital resources to support those risks,” under the Risk Management and Own Risk and Solvency Assessment Model Act, put together by the National Association of Insurance Commissioners.
In practical terms, ORSA is an integrated framework using several tools to give a forward-looking vision of the risk and solvency position of an insurer. It encompasses both quantifiable and non-quantifiable risks in the near- to medium-term future. With ORSA, companies bear significant responsibility for determining their capital standing and adequacy. It facilitates an insurer’s full integration of ERM into decision-making. As envisioned, ORSA is expected to be a key part of both the ERM framework and of the supervisory review process.
The ORSA requirements will become fully effective on Jan. 1, 2015. Less than two years from now, insurers will file their first ORSA Summary Report to regulators. For some, this may be more than enough time to get ready. But for others, especially those with a fully developed dedicated risk management structure, the importance of early preparation cannot be overstated.
Consider that in 2012, the NAIC held its first ORSA pilot filing, a confidential exercise that was expected to include about 15 participants. One could reasonably presume that since these companies volunteered to participate in the ORSA pilot, not only would they be the most capable and the most interested, they would be the most prepared.
They may well have been. There is no way to measure the general level of preparedness of insurers. But the results, revealed at the NAIC’s August 2012 meeting, were thought-provoking.
Of the 13 respondents, only eight submitted reports considered complete by regulators. Of those eight, five had data redacted, while the other three had complete datasets. Regulators said the lengths of the submitted reports varied widely, from 10 to about 100 pages, as did their degree of completeness.
Discussing the pilot project, at that August meeting, Pennsylvania’s Johnson exhorted insurers to pay heed to the lessons learned. “You really do need to pay close attention as you prepare your ORSA,” he said. “Companies should be doing this now, not 2015. You need to start now and you need to have your board engaged. We saw what somebody who really takes this seriously has done. Get started now.”
This industry is all about managing risk, and ORSA is in a sense a call to arms that says, “Physician, heal thyself.” In the wake of the industry’s performance during the fiscal crisis near the end of the last decade, it would be hard to argue that insurers and regulators have not done a reasonably good job of managing risk, but both know that more could—and probably should—have been done to prepare for risks outside the narrowly defined focus of the current risk-based capital exams.
The problem with current solvency management, if there is one, is that effective as it has been largely retrospective. It tells you how an insurer has done, but may not necessarily give you the most accurate idea of how it will do in the future under different stress factors. In a period of slow economic growth where low interest rates could mean an inability to rely on investment returns to provide a cushion, not being able to see ahead may raise concern.
Adopted in 2011 by the International Association of Insurance Supervisors, Insurance Core Principle 16, which governs enterprise risk management (ERM), seeks to address this. It mandates that solvency regimes should require insurers to regularly perform an ORSA to assess the adequacy of their risk management and current and likely future solvency positions.
In the United States, ORSA symbolizes a commitment by both regulators and regulated to a customized, forward-looking system of solvency regulation, involving a more holistic real-time assessment of risk and its short- and medium-term impact on insurers. It also adds a focus on group solvency and interrelated risks to an American solvency regime that largely has been focused at a legal-entity level.
Some uncertainty about compliance costs and the possible effect on the operating models of insurers may still remain as there will be tweaks and changes to the process, most likely after the conclusion of the NAIC’s 2013 ORSA pilot project. But insurers still may best be served by preparing their organizations for the increased real-time data needs an effective ORSA requires.
With the 2015 date for the first ORSA submissions fast approaching, the question of how best to prepare may be a difficult but necessary one to answer as soon as possible. For some companies in the United States, a basic question may have to do with the current state of their ERM initiatives. With ERM programs differing in structure and degree of development from organization to organization, what will be required in order to properly implement ORSA?
These are difficult and possibly costly questions, but to look at ORSA as simply a compliance exercise may be to recognize its costs while missing its potential benefits. ERM in general has gained in importance over the years, and should now be considered as integral to good management as optimally performing finance or distribution functions, just to pick a couple. As senior executives of one rating agency told this writer, there is nothing required in ORSA we would not expect a well-managed insurer to be doing as a matter of course.
While insurers already may have built ERM and capital management programs, many insurers may be required to consider changes to underlying operations, ownership, and governance of these programs as well as infrastructure changes as they work through the ORSA process.
Done properly, an ORSA should help an insurer to run its business better. It is a process by which every business unit and operation of the enterprise will look at its risks—concentration risks, process risks, technology risks, investment risks, human resources risks, and all others—helping the insurer to determine whether these could combine somehow to impair the group’s solvency. When the process is completed, the insurer may find problem areas—perhaps even seeing risks pop up that it had never previously identified—in turn, highlighting areas where business reengineering or business unit restructuring might be warranted.
As ORSA processes take shape, some of the key areas of focus are expected to be, but are not limited to:
- ERM framework – To comply with ORSA requirement, insurers will likely need to integrate existing risk management processes into one consistent ORSA process, based on a common planning, maturity level, valuation basis, and assumption set. This may require strengthening the group and subsidiary ERM and governance frameworks, and establishing a link between the risk tolerance of subsidiaries and the group.
- Capital management – As insurers approach the tasks of calculating economic capital and making forward-looking risk assessments for an ORSA, they would likely have to make significant efforts to establish a group view on capital and solvency, as well as devote resources to establish the feasibility and determine the accuracy of models.
- Strategy – Insurers will need to embed the ORSA process into their strategic processes. This will require alignment of risk indicators and model parameters between strategic planning and risk modeling, so as to increase the relevance of ORSA for decision-making.
- Resources – Skill sets for finance, actuarial, and risk management would likely have to change to meet the needs for adequate processes, controls, and risk quantification tools.
- Risk culture – Carrier boards of directors will need to take ownership of the ORSA process to prevent the development of “silo-based” approaches across entities and risk categories. Communication among different capabilities within the insurer may need to be improved. The business should be managed in accordance with risk appetite and risk tolerance levels.
- Technology – The ORSA standards demand a strong alignment of business, actuarial and risk management areas with technology. Establishing that alignment, as well integrating existing and designing new technology solutions around data governance and architecture, process automation, modeling platforms optimization, and reporting or decision-management domains under the tight time constraints is critical for the robust ORSA environment.
The good news is that, as proposed, ORSA may help the regulated at least as much as the regulators in moving toward a more integrated, relevant, and speedier ERM framework that enable undertakings to better identify, measure, monitor, manage, and report the risks inherent in their business. For insurers and regulators, and most especially for the insured, that is a good thing.