At the heart of the prudential Solvency II directive, the own risk and solvency assessment (ORSA) is defined as a set of processes constituting a tool for decision-making and strategic analysis. It aims to assess, in a continuous and prospective way, the overall solvency needs related to the specific risk profile of the insurance company. Risk Management and own risk and solvency assessment is a similar regulation that has been enacted in the US by the NAIC. [1] Other jurisdictions are enacting similar regulations to comply with the Insurance Core Principle 16 enacted by the IAIS. [2]
The second pillar of Solvency II plans to complete the quantitative capital requirements with quality requirements and a global and appropriate risk management system. The reform provides measures on governance, internal control and internal audit in order to ensure sound and prudent management practices from insurers. Impacts in terms of risk and solvency should supply into upstream strategic decisions. The internal assessment process of risks and solvency, known as the ORSA, is the centerpiece of this plan.
In an operational way, the ORSA is part of global process of enterprise risk management (ERM).
It is part of a cyclical and iterative system involving the board of directors, senior management, internal audit, internal control and all employees of the company. It aims to provide a reasonable insurance on compliance with the strategy of the company against risks.
The ORSA is voluntarily defined broadly by the regulation to encourage insurers to question themselves on the framework of an internal system dedicated to control and risk management. It must in all cases be succinct, easy to update and respect the principles of materiality and proportionality.
Since 2003, Solvency II regulation follows the Lamfalussy process, which distinguishes 3 levels of measures, starting from the big principles to the enforcement measures necessary for the operational implementation. The ORSA regulatory update from the NAIC follows the Solvency Modernization Initiative [3] aimed at updating the US regulatory system.
Level 1 text is the regulatory basis of the reform. It was adopted in 2009 on the same text by the European Parliament and European Council.
The ORSA is defined in Article 45 of the Directive.
Article 45 of Solvency 2 directive framework (extracts)
As part of its risk-management system every insurance undertaking and reinsurance undertaking shall conduct its own risk and solvency assessment.
That assessment shall include at least the following:
(a) the overall solvency needs taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the undertaking;
(b) the compliance, on a continuous basis, with the capital requirements, and with the requirements regarding technical provisions;
(c) the significance with which the risk profile of the undertaking concerned deviates from the assumptions underlying the Solvency Capital Requirement.
Level 2 measures are technical implementing measures to complement the principles defined in the level 1 text, in view of the operational implementation requirements. Level 2 measures should be adopted by the European Commission on a proposal from EIOPA (European Insurance and Occupational Pensions Authority). In order to advance the development of the reform, EIOPA consults the market, including through Consultation Papers.
The ORSA does not fall within Level 2 measures and as such in 2009, during the broad consultation on Level 2 measures, there were no Consultation Papers devoted exclusively to the ORSA. However, a significant number of them refer to it, for example:
Consultation paper No. 17 on the calculation of capital add-on
Consultation paper No. 24 on the principle of proportionality
Consultation paper No. 33 on the governance system
Consultation paper No. 56 on the validation of internal models
... etc.
Thus, if Level 2 measures do not specify the requirements for the ORSA, they can be used to better understand the interactions of the ORSA with other requirements and clarify the role of the ORSA within the Solvency II system of insurers.
Level 3 measures will be directly adopted by EIOPA. They generally correspond to non-binding recommendations. Since the creation of EIOPA in January 2011, its responsibilities were, however, extended to the production of Level 3 binding measures.
The ORSA comes under level 3 texts. To this end, a consultation paper was published in 7 November 2011.
This consultation paper presents a set of instructions for the ORSA:
This text is still under consultation, but can anticipate the impact of Level 3 measures on the ORSA.
While the high-level Risk Management and Own Risk and Solvency Assessment Model Act (#505) has been adopted by the NAIC in September 2012, the NAIC ORSA Guidance Manual is being revised in early 2013.
The State legislative process is still ongoing, but we can anticipate the regulation to be fully in place in 2015.
Similar to Solvency II, Insurers and Reinsurers registered in South Africa will be required from 1 April 2017 to perform regular ORSAs. ORSA requirements in South Africa will meet the IAIS standards. Regular reporting will also be required to the Registrar of Insurers.
Insurance companies are in the process of setting up their Solvency II plans and generally, the setting up of the pillar 1 has been prioritized. Therefore the ORSA plans are still not mature on the market.
However, it appears that four key steps can be identified in the operational implementation of the ORSA:
In the US, companies are at various stages of ORSA readiness.
The risk profile includes all of the risks that the company is exposed, the quantification of these exposures and all protective measures to those risks.
The risk profile is different from the regulatory capital determined under Pillar 1. It takes into account the specificities of each insurance company, it integrates all material risks, in a prospective view, and the ORSA leaves open the definition of solvency or the risk aggregation methodologies.
In practice, the definition of the risk profile will be increased by the realization of an all-risks mapping, including both the risks identified as part of pillar 1 of the reform Solvency II – underwriting risk, market risk, counterparty default risk, operational risk, intangible asset risk – but also other risks specific to each insurer – illiquidity risk, business risk, strategic risk, reputation risk, etc..
Once the mapping is done, a metric must be defined to quantify the risks. The company can use what is done on the pillar 1 such as a measure of risk, a time horizon and/or a different security level most suitable to its strategy for controlling the risks.
Once the risk profile is established, the administrative, management and supervisory body must set up the risk management strategy of the company through the following elements:
The risk appetite is the maximum aggregated level of risk that a company wishes to take. The risk tolerances represent bounds on the acceptable performance variation associated with the different risk factors.
One of the major roles of the risk management function is to support the administrative, management and supervisory body in order to get him to comment on this strategy. The risk management function must not only pass the information necessary to operate, but also give the keys to an appropriation of the culture of risk and a critical analysis of these elements by the leaders.
Finally, the risk limits are the operational implementation of the risk tolerances. The risk management function shall coordinate the trades in order to define:
All decisions made in the daily management of the company must then respect the strategy defined. In order to maintain the risk profile to a level consistent with the risk appetite, the leaders have four main strategies:
Major strategic processes of the insurance company, as the definition of trade policies, reinsurance and asset liability management, should be revised to integrate the dimensions of risk and solvency in the decision-making process.
Moreover, the ORSA should enable continued compliance with regulatory requirements in terms of own funds. For that the insurer must establish a set of systematic processes to monitor and control continuous compliance with the risk limits and identify major events – internal or external – which have a significant impact on the risk profile and lead to the update of the ORSA.
The ORSA is the subject of several reporting requirements:
Generally, a reporting on the ORSA will contain two parts:
The US ORSA report will contain three sections, as described in the ORSA Guidance Manual: [4]
Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
Financial regulation is a form of regulation or supervision, which subjects financial institutions to certain requirements, restrictions and guidelines, aiming to maintain the stability and integrity of the financial system. This may be handled by either a government or non-government organization. Financial regulation has also influenced the structure of banking sectors by increasing the variety of financial products available. Financial regulation forms one of three legal categories which constitutes the content of financial law, the other two being market practices and case law.
Operational risk is "the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events, differ from the expected losses". This definition, adopted by the European Solvency II Directive for insurers, is a variation adopted from the Basel II regulations for banks. The scope of operational risk is then broad, and can also include other classes of risks, such as fraud, security, privacy protection, legal risks, physical or environmental risks. Operational risks similarly may impact broadly, in that they can affect client satisfaction, reputation and shareholder value, all while increasing business volatility.
Basel II is the second of the Basel Accords,, which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision.
A feasibility study is an assessment of the practicality of a project or system. A feasibility study aims to objectively and rationally uncover the strengths and weaknesses of an existing business or proposed venture, opportunities and threats present in the natural environment, the resources required to carry through, and ultimately the prospects for success. In its simplest terms, the two criteria to judge feasibility are cost required and value to be attained.
The chief risk officer (CRO) or chief risk management officer (CRMO) or chief risk and compliance officer (CRCO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes-Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as chief executive officer and chief financial officer.
Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives, assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.
The term operational risk management (ORM) is defined as a continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk. ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events. Unlike other type of risks operational risk had rarely been considered strategically significant by senior management.
Internal auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organization's operations. It may help an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
The Federal Financial Supervisory Authority better known by its abbreviation BaFin is the financial regulatory authority for Germany. It is an independent federal institution with headquarters in Bonn and Frankfurt and falls under the supervision of the Federal Ministry of Finance. BaFin supervises about 2,700 banks, 800 financial services institutions, and over 700 insurance undertakings.
Solvency II is a Directive in European Union law that codifies and harmonises the EU insurance regulation. Primarily this concerns the amount of capital that EU insurance companies must hold to reduce the risk of insolvency.
Insurance in the United States refers to the market for risk in the United States, the world's largest insurance market by premium volume. According to Swiss Re, of the $6.287 trillion of global direct premiums written worldwide in 2020, $2.530 trillion (40.3%) were written in the United States.
The CELS ratings or CAMELS rating is a supervisory rating system originally developed in the U.S. to classify a bank's overall condition. It is applied to every bank and credit union in the U.S. and is also implemented outside the U.S. by various banking supervisory regulators.
The European Insurance and Occupational Pensions Authority (EIOPA) is a European Union financial regulatory institution that replaced the Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS). It is established under EU Regulation 1094/2010.
A solvency ratio measures the extent to which assets cover commitments for future payments, the liabilities.
IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:
ROAM is an association at the service of mutual insurance companies for more that 150 years.
Regarding insurance in the United States, on July 21, 2010, President Barack Obama signed into law the federal Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank"), which contains the Nonadmitted and Reinsurance Reform Act of 2010 ("NRRA"). The NRRA applies to nonadmitted insurance, which includes surplus line insurance and directly-procured insurance, and to reinsurance. The NRRA took effect on July 21, 2011 and generally provides that the placement of nonadmitted insurance will be subject solely to the statutory and regulatory requirements of an insured's home state, and that no state, other than an insured's home state, may require a surplus lines broker to be licensed to sell, solicit, or negotiate nonadmitted insurance with respect to the insured. While the NRRA preempts state laws with respect to nonadmitted insurance, it does not have any impact on insurance offered by insurers licensed or authorized in a state.
The Office of Insurance Commission (OIC) is the regulator of Thailand’s insurance industry operating under the supervision of the Thai Minister of Finance. The OIC is empowered to regulate insurance companies, brokers and agents and was established under the Thailand Government Insurance Commission Act B.E. 2550 which summarized the role of the Commission as "to supervise and promote insurance business conduct". Prior to this, insurance is regulated by the Department of Insurance, part of the Thai Ministry of Commerce.
Strategic risk is the risk that failed business decisions may pose to a company. Strategic risk is often a major factor in determining a company's worth, particularly observable if the company experiences a sharp decline in a short period of time. Due to this and its influence on compliance risk, it is a leading factor in modern risk management.
{{cite web}}
: CS1 maint: archived copy as title (link)