My conversations with carrier CEOs, CFOs, and CROs about enterprise risk management and ORSA (Own Risk and Solvency Assessment) tend to go down the path of strict compliance and a sense of begrudging reluctance.
After we dig into the topic, I realize that they feel overwhelmed and resigned to the level of effort and time involved in the actual creation of the report for the regulators. They miss the “O” in ORSA—the idea that they own the information, the assessment, and the report. They also fail to appreciate the benefits of assessing their strategic, enterprise, and operational risks to determine potential implications to capital resources. Eureka!
Let’s dig into this more. But before we do that, a little background is needed.
It is hard to believe that we are close to two decades since the 2008-09 financial crisis.
Some readers of this article can remember where we were during that time and how the events impacted us, our families and friends, and our companies.
Although the epicenter of the panic was in banking and on Wall Street, insurance carriers did not go unscathed. According to data from the Insurance Information Institute, the P/C insurance industry reported an annualized statutory rate of return on average surplus of only 0.5% in 2008, down from a return of 12.7% the year prior.
As these numbers suggest, much of the impact on insurers, especially ones connected to giants like AIG, was born out of risky investments.
At the time, many companies were buying mortgage-backed securities without understanding the complexity or upstream effects of the investment. As the return on those investments declined throughout 2007 and 2008, the financial performance of insurance carriers suffered.
The events of this time really grabbed the attention of regulators focused on solvency.
Up until 2007/08, insurance regulators, including myself in a previous time in my career, used two primary tools for understanding a company or companies’ financial risk—risk-based capital (RBC) and IRIS ratios. As the crisis unfolded and its aftermath started to become clear, regulators began to understand that carriers are vulnerable to more than just financial risk (e.g., premium volume to surplus, reserving practices, investment diversification). Strategic and operational risks, either in isolation or as a combination, can take down a company as well.
The triggering event of the financial crisis prompted regulators through the NAIC to begin shifting the focus from static, formulaic capital requirements to a more proactive, risk-based approach. This effort culminated with the model legislation we know today as Own Risk Solvency Assessment Model Act, a.k.a. ORSA. The model legislation became effective in 2015, and by the end of 2020, 52 jurisdictions had implemented the model act.
The NAIC defines ORSA as a “confidential internal assessment appropriate to the nature, scale, and complexity of an insurer or insurance group of the material and relevant risks associated with the insurer or insurance group’s current business plan, and the sufficiency of capital resources to support those risks.” (emphasis added)
While some states have specifics within the ORSA law that vary from the model act, there is some unanimity, such as who is required to file an ORSA report with their state’s regulator.
Carriers who are subject to these requirements fall into one of two camps according to the NAIC.
- Individual carriers, including ‘captives,’ whose written premiums exceed $500 million. This does not include any premiums reinsured through the National Flood Insurance Program or the Federal Crop Insurance Corporation.
- All entities who are part of an insurance group and whose combined written premiums, excluding any reinsured premiums as described above, exceed $1 billion annually.
A carrier or group has one year following the year they exceeded the threshold to file their ORSA report. So, let’s say Company A exceeded the threshold on 12/31/2025. They will have to prepare a report for the year ending 12/31/2026 and file it no later than 12/31/2027.
There are also other conditions such as the type of business written, organizational structure, ownership, or concerns about a rapid concentration or increase of risk and risk exposure that may prompt a state’s insurance commissioner to require an ORSA to be filed, regardless of premium volume.
Also, any carrier deemed to be in a hazardous financial condition or who has triggered an RBC company-action-level event may be ordered to file a report.
You know who needs to file an ORSA, but what is ORSA exactly?
The “what” is covered in two areas: 1) the actual assessment and 2) the report filed with your domestic regulator.
There is a belief that the ORSA simply means a carrier’s enterprise risk management (ERM) framework, but as the NAIC explains in its guidance, the ORSA is intended to be integrated into the insurer’s overall ERM framework and utilize existing risk management processes.
Also, many carrier leaders think that, because of the industry we are in, good risk management = good reinsurance program + good exposure management. While that is certainly a part of it, enterprise risk management covers so much more.
There are certain things regulators want to understand from a carrier’s ORSA report.
At its core, regulators want to know if and how strategic and operational risks will impact the company’s solvency.
To be clear, they are not interested in seeing strategic plans. Instead, through the ORSA report, regulators want to understand how management views different scenarios and how severe one or a combination of strategic and operational risks would have to be before impacting the company’s solvency.
The ORSA is essentially a more in-depth, comprehensive scenario analysis.
Although carriers are given discretion on how to best communicate non-financial risks to company solvency, a regulator expects the reports they receive to align with the company’s ERM framework and include the material risks the company is exposed to.
A brief narrative about each material risk is certainly appropriate, but specifics regarding the scenarios, including any assumptions and dependencies, are really what the regulator expects to see.
Rest assured that they do not want to know trade secrets, but instead a high-level overview of the company’s key risks to its mission and their potential impact on solvency.
Preparing an ORSA Summary Report for your domestic state regulator consists of walking a fine line between being too high-level and saying nothing (which invites additional questions from regulators) versus being so detailed that it provides too much information (which invites greater scrutiny from regulators).
As a former insurance regulator, ERM practitioner at a carrier, and now ERM consultant to carriers, I have been on both sides of this fence. In the interest of having a healthy P/C market that delivers what policyholders need, I can (mostly) appreciate the work that regulators do and why. On the flipside, I also understand compliance activities can cause headaches at times. No matter how smoothly it goes, regulatory compliance still costs time and money, especially if the report gets too detailed and becomes overwhelming or complex to compile.
This is why special care must be taken to provide an ORSA report that is not too high-level but not too detailed either.
As I mentioned earlier, carriers are given much latitude in how they prepare their reports. Some carriers go way too high-level and some go overboard (I have seen some with 100+ pages). Personally, I wouldn’t recommend either extreme.
Here are 10 recommendations for how to structure your ORSA report to successfully walk that balancing act of detail:
- Do: Provide some context (i.e., strategic or business objective) to the risks before discussing details about the risks. After all, risk is defined as the effect of uncertainty on the achievement of a specific objective. Therefore, the linkage between risk and objective should be clear.
- Do: Ensure the report provides sufficient details on each scenario, including risks included, assumptions made, and dependencies.
- Do: Use diagrams and visuals where appropriate; most people are visual learners.
- Do: Define acronyms once then be consistent.
- Do: Provide types (and versions if applicable) of specific models being used.
- Don’t: Include process-level details; regulators don’t need to know the step-by-step process used to identify and assess the risks.
- Don’t: Internal risk reports are just that—internal; keep them out of the report.
- Don’t: Regulators don’t need to know who owns what risk; don’t identify specific individuals as risk owners.
- Don’t: Use appendices when they can be avoided; all relevant topics should be covered in the body of the report.
- Don’t: Include static documentation (e.g., charters, frameworks); this information is for the first submission only unless something in the documents has substantially changed.
Two additional things to remember:
- Regulators can ask the company for any referenced document, so there is no need to include a bunch of information in the report. If the regulator asks for any supporting documentation, you should be able to provide it without hesitation or delay.
- This is Own Risk and Solvency Assessment, so make this report yours. What are your objectives, your potential obstacles to achieving those objectives, your comfort levels with taking risk?
The bonus: if your company follows these practices, the chances of any follow-up questions or information requests drastically decrease.
The 2008 financial crisis exposed huge regulatory gaps, and it became clear that certain non-financial risks could dramatically impact a carrier’s solvency as well.
Hence, the ORSA regulation was born, and while it is important, any reporting should be done in a way that invites as little scrutiny as possible.
I want to be clear: the intention is NOT to hide anything but instead to provide regulators with what they need in a way that is cost-effective and still beneficial for everyone.
Regulations like ORSA can seem like a cost center, but they do not have to be. In the second installment of this series on ORSA, learn how carriers can use it to build and maintain a competitive advantage.
Until then…
Are you ready to streamline your company’s ORSA reporting?