2015 marks the first year that an ORSA Summary Report must be filed with an insurer’s state of regulatory domicile. Some state regulators have already notified companies of the report due date, while other states have not. Regardless, all insurance companies that exceed the $500 million written premium threshold should be preparing the first drafts of their reports.
During a recent Baker Tilly educational webinar, Best practices for ORSA implementation, almost 50%1 of respondents indicated that their biggest challenge in implementing ORSA is defining the content to be assessed and included in the Summary Report. This is significant, as almost 60%2 of respondents were in the gathering information stage of their ORSA implementation.
How regulators will evaluate ORSA Summary Reports
Insurance executives may be asking, “What level of detail of our internal policies and procedures do we have to disclose to demonstrate that we have an appropriate enterprise risk management program in place and satisfy our regulator?”
One response to the question posed above is to consider how regulators will be evaluating the ORSA Summary Reports when they are submitted. The NAIC Financial Analysis Handbook Working Group is developing guidance for the regulatory review of the ORSA submissions. The guidance indicates that regulators will adopt certain concepts from the Risk and Insurance Management Society’s Risk Maturity Model (RMM).
Based on the RMM framework, regulators will be evaluating the effectiveness of a company’s ERM practices using a scale of six maturity levels, ranging from non-existent practices (level 0), to consistent and sustainable practices (level 3), to practices that are embedded in strategic planning, capital allocation, and daily decision making (level 5).
Another starting point when determining the level of disclosure appropriate would be to consider the level of detail you provide to your board or risk committee to allow to them to fully evaluate the company’s ERM function and fulfill their oversight responsibility; and recognize that such a level of detail must go beyond a PowerPoint slide deck.
Preparing your summary report
Ensure your ORSA Summary Report clearly describes your enterprise risk management (ERM) framework.
Explain how the current process provides for effective identification, assessment, monitoring, prioritization, and reporting of material risks to the company. The details of elements within each insurer’s ERM framework will vary from company to company. However, the goal is to create an effective report clearly describing the elements of your supporting ERM framework, and how those elements allow your company to monitor and mitigate key identified risks.
The ORSA Summary Report is an opportunity to provide information to your regulators that demonstrates your company knows and understands the material risks it bears in operating the business. It is a chance to show a robust risk and capital assessment process that provides management comfort in the amount of loss absorbing capital held to enable your company to continue operating and executing its strategy in adverse environments.
Develop a report structure and define the nature of the content contained within your report.
Guidance in developing the structure of your ORSA Summary Report and the key sections to include is provided in the contents of the NAIC Own Risk and Solvency Assessment Guidance Manual. In addition to the core sections outlined in the Manual, additional sections can be included based on each company’s unique risk profile. Additionally, appendices should be included to provide supporting documentation, especially for the quantitative aspects of risk and capital adequacy analysis.
Sample table of contents for an ORSA Summary Report
- Risk management policy statement (objectives, approach, and culture)
This statement sets the tone for the entire report. Demonstrate a clear understanding of ERM and ORSA by customizing the policy statement to your company’s own unique risk profile and your approach to managing key enterprise-wide risks.
- Corporate and risk governance (management, boards, and risk committees)
Show that the company has committed the appropriate resources with responsibility for risk management and oversight.
- Business and financial management planning cycles (business strategy)
Align this section closely to the management of key business risks in meeting your company’s strategic business objectives – focus on the critical few risks that really matter.
- Risk management communication and reporting cycles
Clearly document the frequency and content of communication throughout all levels of the organization related to risk management.
- Risk and control assessment and monitoring framework
Take credit for the risk management policies, procedures, and control activities that are already in place. Identifying how those elements of risk management provide management and the board with a level of comfort that key risks are being addressed.
- Identification, classification, quantification, and prioritization of business risks
Disclose the key risks that were identified and provide a priority ranking based on your qualitative and quantitative assessment of risks in both a normal and stressed environment.
- Risk appetite statements and risk tolerance limits
Risk appetites should be clearly linked to the risks in achieving business objectives. Risk appetite and tolerance limits may apply quantitative and qualitative exposure boundaries, and may be expressed in terms of earnings, capital, or other measures, such as growth or volatility.
- Results of economic capital models (BCAR, ECM, RBC) and financial models (EAR)
Output from financial models such as capital models, catastrophe models, and financial projections (whether stochastic, deterministic, or cash-flow driven) can be utilized to assess risk reward trade-offs and create a linkage between risk appetite and risk-based decision making.
- Key business risk mitigation and management action plans
Describe the risk mitigation strategies and management action plans in place to address high priority risks identified.
- Independent assurance (actuarial review, internal audit, and external audit)
Leverage the results of independent assessments by actuaries, internal audits, and external audits.
- Assessment of risk capital
Demonstrate sound processes for assessing capital adequacy in relation to your risk profile. Those processes should be integrated into your company’s business decision making. Your processes may assess risk capital through myriad metrics and future forecasting periods. This may reflect varying time horizons, valuation approaches, and capital management strategies (e.g., economic, rating agency, regulatory). This section is intended to assist commissioners in understanding your current and prospective assessment of capital adequacy in relation to your aggregate risk profiles.
This sample table of contents is intended to provide a possible structure as you begin drafting your ORSA Summary Report. Regardless of how you structure the report, we would encourage you to consult the guidance being developed by the NAIC Financial Analysis Handbook Working Group, as described above, to gain insight into how regulators may be evaluating your ORSA Summary Report.
For more information on this topic, or to learn how Baker Tilly insurance industry specialists can help, contact our team.
48.3% of respondents answered “defining or clarifying information.” Poll question during Best Practices for ORSA implementation webinar on 10/21/14.
58.3% of respondents answered “gathering information stage.” Poll question during Best Practices for ORSA implementation webinar on 10/21/14.