IASA 86TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW
ORSA: Why Should Exempt Companies Care?
Jim Stangroom, Partner, ParenteBeard LLC
Bob Marshall, VP & CRO, Chesapeake Employers Insurance Company
Session #: 304
What is an ORSA?
ORSA = Own Risk and Solvency Assessment
A tool that is prepared by an insurer or group to demonstrate
how its management measures, evaluates and understands how
well it manages/mitigates the risks it faces
A comprehensive view of risks: from underwriting, operational,
market, credit, strategic, reputational, etc.; each would be
assessed along with the inter-relationships between them
Would demonstrate management’s critical evaluation of the
overall completeness and effectiveness of its ERM process and
its potential impact on capital adequacy and solvency – ORSA is
one element of ERM
Of value to regulators, e.g., in connection with a risk-focused
examination, or between examinations
ORSA – NAIC Guidance Manual
General Guidance
Section 1 - Description of the Insurer’s Risk
Management Framework
Section 2 - Insurer’s Assessment of Risk Exposure
Section 3 – Group Risk Capital and Prospective
Solvency Assessment
ORSA Timeline
[Timeline figure, 2011 to 2015]
NAIC ORSA:
• NAIC Guidance Manual Nov. 2011
• NAIC ORSA Model Act adopted Sept. 2012
• Pilot project I, Pilot project II, Pilot project III
• NAIC Guidance Manual Updates 2013/14
• NAIC ORSA requirements effective Jan. 1, 2015
International ORSA:
• IAIS ICP 16 in force Oct. 1, 2011
• Bermudian ORSA in force Jan. 1, 2012
• Australian ORSA in force Jan. 1, 2013
• Solvency II ORSA in force Jan. 1, 2014
• Canada – Insurers notify OSFI by March 31, 2014 of expected ORSA Report 2014 filing date
ORSA Guidance Manual & Model Act
Guidance Manual adopted March 2012
Model Act adopted by NAIC Financial Condition
Committee September 2012
Feedback Pilot Project I Fall 2012
Guidance Manual revised March 2013
Feedback Pilot Project II Fall 2013
Guidance Manual revised March 2014
Feedback Pilot Project III Fall 2014
ORSA – Applicability
Applicability based upon premium threshold:
• Individual insurer – direct plus unaffiliated assumed equal or > $500 million
• Insurer Group - direct plus unaffiliated assumed equal or > $1 billion
Commissioner has discretion/authority to request an ORSA
from otherwise exempt company based on:
• Type of business written
• Ownership and organizational structure
• Federal agency and/or international supervisor requests
• Regulatory concerns about rapidly growing risk concentration/exposure
• Triggered RBC action level
• Otherwise considered to be troubled
Insurer may request waiver if unique circumstances
ERM Framework – Key Principles
Risk Culture & Governance
Risk Identification & Prioritization
Risk Appetite, Tolerances & Limits
Risk Management & Controls
Risk Reporting & Communication
ORSA/ERM – Why Should Exempt Companies Care?
ERM/ORSA have become industry best practices
• Likely to trickle down (like MAR/SOX-lite did) and become common
practice
Rating agency expectations
• Companies with strong ERM and ORSA processes may be allowed to
maintain lower BCAR levels relative to peer companies with similar
ratings but less effective ERM and ORSA
Strong ERM and ORSA processes can favorably influence
a company’s relationship with its state regulators.
• Regulators are coming to expect some level of ERM/ORSA and will
ask and evaluate
• Effective and well-documented ERM/ORSA can influence financial
exam efficiency
ORSA/ERM – Why Should Exempt Companies Care? (cont’d)
Risk identification and risk mitigation strategies should link
to strategic planning
ORSA should link to budgeting/forecasting and capital
projections
Commissioner has discretion/authority to request an ORSA
from otherwise exempt company based on:
• Type of business written
• Ownership and organizational structure
• Federal agency and/or international supervisor requests
• Regulatory concerns about rapidly growing risk concentration/exposure
• Triggered RBC action level
• Otherwise considered to be troubled
ORSA/ERM – Why Should Exempt Companies Care? (cont’d)
Certain states may require that companies adopt ERM
practices, regardless of size
• NY Reg 203 for example
Could become a competitive advantage
• Early identification and initiatives re emerging risks
• Effective use of risk capital
Monitoring risk appetite/tolerances/limits can identify
exposure and enable corrective action
May improve Board and senior management interaction
Promotes better understanding of business drivers and of
“what can go wrong”
ERM Defined - RIMS
Enterprise Risk Management (ERM) is a
strategic business discipline that supports
the achievement of an organization’s
objectives by addressing the full spectrum of
its risks and managing the combined impact
of those risks as an interrelated risk
portfolio.*
*Risk Insurance Management Society (RIMS)
ERM Defined - COSO
A process, effected by an entity’s board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.
*Committee of Sponsoring Organizations (COSO)
ERM – Key Concepts
Board/Executive Management Driven
Enterprise-Wide
Setting Strategic Direction
Achieving Business Objectives
Managing Within Risk Appetite
Interrelated Risk Portfolio
Provide Reasonable Assurance
The ERM Challenge
Most entities have some form of risk management in place but:
• May be ad hoc and informal
• May be developed in “silos” and uncoordinated
• May fail to focus on strategic and emerging risks
• May lack transparency and sometimes objectivity
• May not provide boards / senior management with a
true “enterprise-wide” view of all business risks
Chesapeake Employers’ ERM Goals
Enterprise Risk Management Culture
• Enterprise-wide / Collaborative / Dynamic
Proactive Component of Strategic Business Planning
• Risks to address in strategic planning – both risk avoidance and “opportunities”
Quantitative Focus on Economic Capital Modeling of Risks
• Modeling of planned initiatives to determine effect on Economic Capital
• Ensuring capital adequacy considering the full inter-related risk portfolio
Two Key Enterprise Risk Management Outputs
• Risk Appetite Statement – management’s willingness to take on risk
• Risk Tolerance Limits – level beyond which risk too high in light of appetite
ERM Framework
ERM Foundation – Framework / Risk Appetite Statement
Risk Identification – What Risks – Multiple Categories
Risk Assessment – Unmitigated Impact / Probability
Risk Evaluation – Mitigated Impact / Probability
Risk Response Planning – Further Mitigation Efforts
Risk Monitoring and Reporting – Risk Limits
Linkage to Business Strategy – Risk as Opportunity
ERM Foundation – Step 1
Enterprise Risk Management Policy
• ERM Mission Statement
• ERM Team Members
• Overall ERM Process(es)
• Enterprise Risk Management
• Economic Capital Modeling
• ERM Communication Plan
• Board of Directors / Management Team / Employees
Risk Appetite / Tolerance Statement
Enterprise Risk Management / Economic Capital Modeling Process
[Process diagram]
ERM process:
• ERM Foundation (Policy/Appetite)
• Identify Risks
• Assess Risks
• Evaluate Risks
• Risk Response Plans
• Monitor and Report
• Link to Business Strategy
Economic capital modeling process:
• Risk Measurement
• Economic Capital Modeling
• Stress and Scenario Testing
• Capital Management
• Model Validation
Risk Identification – Step 2
Identify/Categorize All Risks that Could Affect the Business
Start with Weaknesses/Opportunities/Threats from SWOT
Determine a “Risk Taxonomy” appropriate for your business
• Hazard Risks – Injuries / Disasters / Product Liability
• Operational Risks (1st gen)– Disaster Response / Product Recalls
• Operational Risks (2nd gen) – IT / Supply Chains / Business Efficiency
• Legal/Regulatory Risks – Contracts / Fines / Lawsuits / Environmental
• Financial Risks – P & L / Solvency / Cash Flow / Credit / Investments
• Strategic Risks – Market Opportunities / Innovation / Reputation
• Emerging Risks – Climate Change / Geo Political / Nano Technology
Stress a “Holistic Enterprise View” to avoid “Risk Silos”
Risk Categories w/ Examples
• Hazard – Workplace Accidents / Disaster Prevention / Product Liability
• Operational – Business Efficiency / Information Technology / Supply Chains
• Legal/Regulatory – Govt/Industry Regulation / Contracts and Execution / Environmental
• Financial – Profit/Loss / Cash Flow / Balance Sheet / Credit
• Strategic – Market Opportunities / Innovation / Reputation
• Emerging – Geo-Political / Climate Change / Nano Technology
Enterprise View of Identified Risks
Description of Each Risk and How it Could Affect Business
Stress a “Holistic Enterprise View” to Avoid “Risk Silos”
Emerging Risks

| Identified Risk | Description | Financial | Insurance | Operations | Strategic | Regulatory |
|---|---|---|---|---|---|---|
| Geo-Political | Large multi-national corporations must constantly consider the risks associated with foreign operations, especially in the case of political risks both in terms of corruption and insurgencies. | X | X | X | X | X |
| Climate Change | While there is still debate on this issue, all businesses must at least address that there is a very large potential risk associated with more frequent and impactful climate related events and develop the appropriate strategies to mitigate exposure/impact. | X | X | X | X | X |
| Nano Technology | As an emerging risk many are not even aware of how pervasive “nano technology” has become over the last decade. Take those miracle moisture absorbing sports fabrics and extend the concept to super strengthen building materials. Scientific studies have already shown that some levels of certain “nano materials” cause mesothelioma in lab animals. Could one of these “nano particles” be the next ASBESTOS? | X | X | X | X | X |
Risk Assessment – Step 3
Determine Unmitigated/Inherent Risk Probability and Impact
• Quantify Probability and Rank using 3 to 5 Levels
•Expected Once Every “x” Years or “x” % Chance in Any Year
• Quantify Impact and Rank using 3 to 5 Levels
•Effect on Revenue, Income, Cash Flow, or Balance Sheet
Quadrant Analysis / “Risk Heat Map”
•Plot Probability and Impact of Each Identified Risk
•Goal is to Highlight High Probability / High Impact Risks
Since Not Considering Mitigation Expect Many High Risks
Risk Heat Map / Quadrant Analysis
Risk Evaluation – Step 4
Document Enterprise-Wide Controls & Mitigation Efforts
Assess Effectiveness of Controls to Eliminate/Mitigate Risk
Determine Mitigated Probability / Impact (Highly Quantifiable)
Quadrant Analysis - High Probability / Impact Residual Risks
Determine if any “Black Swans” exist – risks so catastrophic
that even if extremely low probability must consider impact
Top 10 Risks - based on “Probability x Impact” but some risk
aggregation does occur as well as accounting for Black Swans
Risk Heat Maps / Quadrant Analysis
Risk Probability, Impact, and Mitigation Analysis
Brief Explanation of How the Unmitigated and Mitigated
Risk Probability and Impact Scores were Determined
Document Key Mitigation Tactics and which Score Affected
Identified Risk: Emerging Risks – Nano Technology
Unmitigated Probability: 5
Unmitigated Impact: 4
Probability, Impact, and Mitigation Analysis:
Unmitigated / Inherent Risk
- Short Explanation of Assumptions Used in Probability Rating
- Financial Impact via Results from Economic Capital Modeling
Key Risk Mitigation Tactics
- List 3-5 Key Business Tactics Developed to Mitigate this Risk
- For Each Tactic Note Whether Mitigates Probability, Impact, or Both
Mitigated / Residual Risk
- Short Explanation of Assumptions Used in Probability Rating
- Financial Impact via Results from Economic Capital Modeling
Mitigated Probability: 4
Mitigated Impact: 2
Risk Response Plans – Step 5
Top 10 Risks - Develop a Risk Response Plan for Each
Assign Leader to Champion Each Risk Response Plan
Include Multiple Divisions to Stress “Enterprise” View
Develop Strategic/Tactical Initiatives as Part of Strategic
Business Planning to Mitigate Risk Probability/Impact
Determine ROI on Initiatives to Compare Cost vs. Risk
Stress Accountability - Deadlines/Adherence to Risk Limits
Monitor and Report – Step 6
Ongoing Monitoring to Ensure Within Risk Tolerances
• Risk Limits - max/min tolerances for key risk/performance indicators
• Risk Dashboard – enterprise communication of adherence to risk limits
Regularly Scheduled ERM Team Meetings to:
• Review adherence to risk limits/progress on risk response plans
• Determine if any new risks have arisen/existing risks to be removed
• Assess and evaluate new risks including capital modeling efforts
Communicate Updates on New Risks/Mitigation Progress
Link to Business Strategy – Step 7
ERM Analysis Helps to Define Business Strategy
• Top “x” risks to be addressed in strategic plan
• Key risk response plan initiatives as tactics
• Risk as an “Opportunity” vs. “Impediment”
ERM Analysis Helps to Evaluate Potential Strategies
• For each strategy identify/assess/evaluate associated business risks
• Prospectively model expected business outcomes of new strategies
Recurring Annual Assessment of Risks & Mitigation Efforts
ERM Evolution to Desired State
Cannot Accomplish Everything the First Time
Framework and Process Completion
More in Depth and Quantitative Risk Focus
Key Next Steps in Achieving Desired State
• Identify / Quantify / Mitigate
• Risk Appetite / Risk Tolerances / Risk Limits
• Risk Monitoring / Enterprise-wide Communication
• Stochastic Modeling
ERM and ORSA
NAIC goal is to ensure strong ERM throughout the industry
ERM unique for each insurer / hence the “OWN” in ORSA
ORSA as annual documentation of insurer’s ERM efforts
ERM themes directly tie to NAIC suggested report outline
• Description of the Insurer’s Risk Management Framework
• Evidence of a proactive ERM program following best practices in terms of risk framework
• Insurer’s Quantitative Assessment of Risk Exposures
• Risk quantification via Economic Capital Modeling including scenario and stress testing
• Group Risk Capital and Prospective Solvency Assessment
• Aggregation of risks to determine effect on economic capital in light of risk appetite/tolerances
ERM – Regulators / Rating Agencies
Even if below ORSA threshold – regulators are requiring a
documented ERM model as part of risk-focused examinations
Quality of ERM Summary Report may affect timing, scope, and
depth of regulator’s subsequent risk-focused examinations
Standard & Poor’s Rating Services view on ERM
• Our assessment of ERM examines whether insurers execute risk management practices in
a systematic, consistent, and strategic manner across the enterprise that effectively limits
future losses within the insurers' optimal risk/reward framework.*
ERM can significantly affect an Insurer’s AM Best rating
• The fundamental difference in the revised approach is that for companies with STRONG risk
management capabilities, A.M. Best will consider allowing companies to maintain lower
BCAR levels relative to the guideline for their ratings based on a case-by-case evaluation of
an insurer’s overall risk management capabilities – relative to its risk profile.**
* S&P Rating Direct ® - Enterprise Risk Management - 5/7/13
** AM Best – Risk Management and the Rating Process for Insurance Companies - 4/2/13
Questions for Insurers to Ask Themselves to Assess Their ORSA Readiness
Do we understand the requirements in the ORSA Guidance
Manual? ICP on ERM?
Do we have an ERM framework?
Do we have a documented risk appetite? Does it influence
business decision making?
Do we have a consistent approach to measuring risks?
Are we able to project future risk capital requirements consistent
with short-term and multi-year business plans?
Have we dedicated the resources to make the implementation a
success?
Do we foster a risk-aware culture?
Starting at Ground Zero?
Drive from top down
• Get the board on board
Appoint a facilitator
Brainstorm about current and emerging risks
• Include mid-management
Build consensus across the organization and business units
Assess current state and define desired future state
• Governance and culture
• Leverage existing risk functions, processes and controls
Assign responsibility and accountability
ERM framework 1st – then ORSA
One Size Does Not Fit All
Consider:
• Nature/number of product lines/business segments
• Complexity of risks or products
• Investment portfolio risk profile
• Volatility of operating performance
• Leverage – premiums, reserves, financial
• Competitive markets
• Financial flexibility
• Available resources
Risk Identification
Self assessment processes
• Periodic ongoing, but at least annual, process
• Each business unit and major functional area participates in a joint
effort with ERM to define and assess the risks inherent in the
business
• Continuous monitoring and updating as risks intensify and new risks
emerge
Emerging risks identification
• Typically Committee driven
• CRO-led effort
• Requires creative thought about events that have not occurred before
• Critical assessment of the balance sheet and company practices
Risk Universe – One Example
| Financial | Operational | External/Environmental |
|---|---|---|
| Mortality/morbidity - Life | Business process | Macro-economic |
| Catastrophe – P&C | Information systems | Regulatory |
| Interest rate | Strategic | Tax |
| Credit | Employee fraud | Competitive pressure |
| Equity market price | Disaster recovery | Terrorism |
| Currency | Financial reporting | Reputational |
| Capital adequacy | Compliance/market conduct | Etc. |
| Derivatives/hedge effectiveness | Litigation | |
| Liquidity | Pricing adequacy | |
| Etc. | Etc. | |
Inherent Risk Assessment
[Chart: Likelihood (Low to High) against Impact (Low to High)]
Residual Risk Assessment
[Chart: Inherent Risk (Low to High) against Mitigating Controls (Strong to Weak)]
Financial Risk Mapping – One Example
Columns: Risk Sector | Risk Categories | SubRisks | Sr. Mgmt. Risk Oversight | Board Committee
Risk sectors: Financial Risks / Operational Risks / Other Risks
Financial Risks – Insurance Risks:
• Reserve Risk – Mortality, Longevity, Lapses, Other customer behavior, expense
• Underwriting Risk – Disability, Long Term Care
• Catastrophic Risk – Cat event, Pandemic
Sr. Mgmt. Risk Oversight: ALM Committee / Underwriting Committee / New Product Committee
Board Committee: Investment & Finance Committee / Board
Quantitative Models
Appropriate for the size and complexity of the business and its products
Stress tests, scenario analysis
Address risk correlation
Pass the “use test”
Back-testing
Liquidity and group-wide risks
Model validation controls and source data input controls
Models inform risk management; they aren’t management
Economic Capital Modeling Process
[Diagram: Identified Risks; Risk Measurement; Economic Capital Modeling; Stress and Scenario Testing; Capital Management; Model Validation]
Economic Capital Modeling Process
Risk Measurement
• Determine most appropriate way to measure business impact and assumptions to use
Economic Capital Modeling
• Develop quantitative model to determine business impact on key performance indicators
Stress and Scenario Testing
• Consider effects on economic capital over a wide range of scenarios including “Extremes”
• European Solvency II requires modeling for the “1 in 200 Year Event” (0.5% probability)
Capital Management
• Correlate and aggregate risk impacts to ensure regulatory/rating agency capital adequacy
Model Validation
• Ensure model results are accurate and based on sound business assumptions / calculations
Economic Capital Modeling Working Group
Economic Capital Modeling Working Group Membership
• Chief Risk Officer–coordinate / compile results / document efforts
• Chief Finance Officer–audited financials / multi-year forecasting
• Chief Actuary–actuarially sound reserve and base rate calculations
• Chief Investment Officer–historical market trends / portfolio allocation
More Frequent/Hands-on Meetings Developing Detailed
Risk Quantification Strategies and the Actual Risk Models
Each Year 1-4 In Depth Key Risks Analyses Undertaken
For more information, contact
Jim Stangroom, CPA
Partner
ParenteBeard, LLC
410-824-6001
Bob Marshall
Vice President & Chief Risk Officer
Chesapeake Employers Insurance
Company
410-494-2214