At the heart of the prudential Solvency II directive, the own risk and solvency assessment (ORSA) is defined as a set of processes constituting a tool for decision-making and strategic analysis. It aims to assess, in a continuous and prospective way, the overall solvency needs related to the specific risk profile of the insurance company. Risk Management and own risk and solvency assessment is a similar regulation that has been enacted in the US by the NAIC. Other jurisdictions are enacting similar regulations to comply with the Insurance Core Principle 16 enacted by the IAIS.
The second pillar of Solvency II plans to complete the quantitative capital requirements with quality requirements and a global and appropriate risk management system. The reform provides measures on governance, internal control and internal audit in order to ensure sound and prudent management practices from insurers. Impacts in terms of risk and solvency should supply into upstream strategic decisions. The internal assessment process of risks and solvency, known as the ORSA, is the centerpiece of this plan.
In an operational way, the ORSA is part of global process of enterprise risk management (ERM).
It is part of a cyclical and iterative system involving the board of directors, senior management, internal audit, internal control and all employees of the company. It aims to provide a reasonable insurance on compliance with the strategy of the company against risks.
The ORSA is voluntarily defined broadly by the regulation to encourage insurers to question themselves on the framework of an internal system dedicated to control and risk management. It must in all cases be succinct, easy to update and respect the principles of materiality and proportionality.
Since 2003, Solvency II regulation follows the Lamfalussy process, which distinguishes 3 levels of measures, starting from the big principles to the enforcement measures necessary for the operational implementation. The ORSA regulatory update from the NAIC follows the Solvency Modernization Initiative aimed at updating the US regulatory system.
Level 1 measures
Level 1 text is the regulatory basis of the reform. It was adopted in 2009 on the same text by the European Parliament and European Council.
The ORSA is defined in Article 45 of the Directive.
Article 45 of Solvency 2 directive framework (extracts)
As part of its risk-management system every insurance undertaking and reinsurance undertaking shall conduct its own risk and solvency assessment.
That assessment shall include at least the following:
(a) the overall solvency needs taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the undertaking;
(b) the compliance, on a continuous basis, with the capital requirements, and with the requirements regarding technical provisions;
(c) the significance with which the risk profile of the undertaking concerned deviates from the assumptions underlying the Solvency Capital Requirement.
Level 2 measures
Level 2 measures are technical implementing measures to complement the principles defined in the level 1 text, in view of the operational implementation requirements. Level 2 measures should be adopted by the European Commission on a proposal from EIOPA (European Insurance and Occupational Pensions Authority). In order to advance the development of the reform, EIOPA consults the market, including through Consultation Papers.
The ORSA does not fall within Level 2 measures and as such in 2009, during the broad consultation on Level 2 measures, there were no Consultation Papers devoted exclusively to the ORSA. However, a significant number of them refer to it, for example:
Consultation paper No. 17 on the calculation of capital add-on
Consultation paper No. 24 on the principle of proportionality
Consultation paper No. 33 on the governance system
Consultation paper No. 56 on the validation of internal models
Thus, if Level 2 measures do not specify the requirements for the ORSA, they can be used to better understand the interactions of the ORSA with other requirements and clarify the role of the ORSA within the Solvency II system of insurers.
Level 3 measures
Level 3 measures will be directly adopted by EIOPA. They generally correspond to non-binding recommendations. Since the creation of EIOPA in January 2011, its responsibilities were, however, extended to the production of Level 3 binding measures.
The ORSA comes under level 3 texts. To this end, a consultation paper was published in 7 November 2011.
This consultation paper presents a set of instructions for the ORSA:
- General considerations: the importance of the principle of proportionality, the key role played by the administrative, management and supervisory body, the documentation for the ORSA and the principles supervising the governance of the ORSA ;
- Justification and communication for the ORSA processes;
- Specific features regarding the implementation of the ORSA:
- Assessment of the overall solvency needs: the approach retained must be justified, must be both quantitative and qualitative, must include a sufficient number of stress test and scenarios and must include a prospective dimension;
- The ORSA should incorporate the information provided by the actuarial function on the validation of technical provisions;
- The results of the ORSA should be integrated into all strategic management processes;
- Frequency of the ORSA: at least annually, and must be adapted to the volatility of the risk profile of insurer
- Group specificities of the ORSA
This text is still under consultation, but can anticipate the impact of Level 3 measures on the ORSA.
NAIC ORSA regulation
While the high-level Risk Management and Own Risk and Solvency Assessment Model Act (#505) has been adopted by the NAIC in September 2012, the NAIC ORSA Guidance Manual is being revised in early 2013.
The State legislative process is still ongoing, but we can anticipate the regulation to be fully in place in 2015.
South Africa: Solvency Assessment and Management (SAM) ORSA regulation
Similar to Solvency II, Insurers and Reinsurers registered in South Africa will be required from 1 April 2017 to perform regular ORSAs. ORSA requirements in South Africa will meet the IAIS standards. Regular reporting will also be required to the Registrar of Insurers.
Insurance companies are in the process of setting up their Solvency II plans and generally, the setting up of the pillar 1 has been prioritized. Therefore the ORSA plans are still not mature on the market.
However, it appears that four key steps can be identified in the operational implementation of the ORSA:
- The definition of the risk profile
- The implementation of a strategy for risk management
- The evolution of strategic processes
- The production of the ORSA report
In the US, companies are at various stages of ORSA readiness.
Definition of the risk profile
The risk profile includes all of the risks that the company is exposed, the quantification of these exposures and all protective measures to those risks.
The risk profile is different from the regulatory capital determined under Pillar 1. It takes into account the specificities of each insurance company, it integrates all material risks, in a prospective view, and the ORSA leaves open the definition of solvency or the risk aggregation methodologies.
In practice, the definition of the risk profile will be increased by the realization of an all-risks mapping, including both the risks identified as part of pillar 1 of the reform Solvency II – underwriting risk, market risk, counterparty default risk, operational risk, intangible asset risk – but also other risks specific to each insurer – illiquidity risk, business risk, strategic risk, reputation risk, etc..
Once the mapping is done, a metric must be defined to quantify the risks. The company can use what is done on the pillar 1 such as a measure of risk, a time horizon and/or a different security level most suitable to its strategy for controlling the risks.
Implementation of a risk management strategy
Once the risk profile is established, the administrative, management and supervisory body must set up the risk management strategy of the company through the following elements:
- The risk appetite
- The risk tolerances
The risk appetite is the maximum aggregated level of risk that a company wishes to take. The risk tolerances represent bounds on the acceptable performance variation associated with the different risk factors.
One of the major roles of the risk management function is to support the administrative, management and supervisory body in order to get him to comment on this strategy. The risk management function must not only pass the information necessary to operate, but also give the keys to an appropriation of the culture of risk and a critical analysis of these elements by the leaders.
Finally, the risk limits are the operational implementation of the risk tolerances. The risk management function shall coordinate the trades in order to define:
- How these risk limits should be expressed;
- The methodology for the translation of appetite and tolerances into limits of operational risks.
Evolution of strategic processes
All decisions made in the daily management of the company must then respect the strategy defined. In order to maintain the risk profile to a level consistent with the risk appetite, the leaders have four main strategies:
- Abandonment of risk ;
- Reduction of risk ;
- Transfer of risk ;
- Acceptance of risk.
Major strategic processes of the insurance company, as the definition of trade policies, reinsurance and asset liability management, should be revised to integrate the dimensions of risk and solvency in the decision-making process.
Moreover, the ORSA should enable continued compliance with regulatory requirements in terms of own funds. For that the insurer must establish a set of systematic processes to monitor and control continuous compliance with the risk limits and identify major events – internal or external – which have a significant impact on the risk profile and lead to the update of the ORSA.
The ORSA is the subject of several reporting requirements:
- The ORSA is integrated into the narrative of new reports required in Pillar 3 of the reform, both destined for the supervisor and the public;
- The ORSA should be a set of internal reporting, particularly during the strategic processes that it must supply;
- As part of Level 3 measures being drafted by EIOPA, the ORSA should be a specific reporting, the ORSA report, bound for the administrative, management and supervisory body.
Generally, a reporting on the ORSA will contain two parts:
- A qualitative report: Description of the risk profile and risk management processes in place;
- A quantitative report: Description of the quantitative methodologies used in the context of the ORSA, results, defined strategy, and conclusions.
The US ORSA report will contain three sections, as described in the ORSA Guidance Manual:
- Description of the insurer’s enterprise risk management framework
- Insurer assessment of risk exposures
- Group risk capital and prospective solvency assessment
- ^http://www.iaisweb.org/view/element_href.cfm?src=1/16689.pdf from the International Association of Insurance Supervisors