Solvency Assessment and Management: Pillar 2 - Sub ... · PDF fileprinciples to which each...

Solvency Assessment and Management: Pillar 2 - Sub Committee

ORSA and Use Test Task Group

Discussion Document 34 (v 4)

Own Risk and Solvency Assessment

EXECUTIVE SUMMARY

1. INTRODUCTION AND PURPOSE

The purpose of this document is to present the currently available international guidance on the Own Risk and Solvency Assessment (ORSA), to discuss its relevance to the South African context and to make recommendations as to the secondary legislation on the ORSA to be adopted under the Financial Services Board‘s (FSB‘s) Solvency Assessment and Management (SAM) framework.

As this discussion document has been written based on the currently available international guidance, it specifically excludes the Solvency II Level 3 guidance on the ORSA that has yet to be published. Solvency II does not contain Level 2 implementing measures on the ORSA and hence only the EIOPA (formerly CEIOPS) issues paper on the ORSA is discussed in this document. Mappings and recommendations have been made assuming the issues paper is reflective of the final guidance expected under Solvency II. If the Level 3 guidance differs significantly from the issues paper, this discussion document, and the recommendations herein, will need to be revised.

The ORSA and Use Test Task Group is of the opinion that the secondary legislation under the SAM Framework should not be too prescriptive, but should rather be set as high-level principles to which each insurer or insurance group (insurer) must adhere in performing its Own Risk and Solvency Assessment. The ORSA is intended to be an insurer‘s own individual assessment of its risk management framework and the resulting capital requirements specific to it. An insurer therefore needs to focus on and think about its own individual circumstances. The Task Group agrees that high-level principles are required in order to guide the insurer‘s thinking in this regard.

There is a concern that legislation which is too prescriptive would limit the focus of the assessment to only those areas specifically covered by the legislation and this could result in significant, insurer-specific risks being excluded from the assessment. This may also reduce the ORSA from a valuable risk identification and quantification process to a compliance ―box-ticking‖ exercise.

The Task Group recognises the importance of the ORSA to be a document submitted under the ―private‖ disclosure sections. The ORSA may contain commercially sensitive information which may compromise insurers‘ (and insurance groups‘) competitive positions.

The Task Group recognises that where insurers (groups) have opted for an internal model for regulatory purposes, the internal model will also be used to produce ORSA results. To this effect, insurers (groups) may include additional information in the ORSA about the internal model such as the performance of the internal model, or additional results derived from the internal model such as profit attribution.

Solvency Assessment and Management: Pillar 2 - Sub Committee – ORSA and Use Test Task Group Discussion Document 34 (v 4) - Own Risk and Solvency Assessment

Page 2 of 26

2. INTERNATIONAL STANDARDS: IAIS ICPs

The International Association of Insurance Supervisors (IAIS) is the international standards setting body for insurance supervisors. The FSB as a member of the IAIS aims to adhere to these standards. The IAIS is currently revising its Insurance Core Principles (ICPs) and corresponding standards and guidance material, with an intended adoption date of October 2011. The IAIS has indicated that further changes may be made to the ICPs.

The most relevant of these proposed ICPs to the ORSA is ICP 16 on enterprise risk management. The ICP reads: ―The supervisory regime establishes enterprise risk management requirements for solvency purposes that require insurers to address all relevant and material risks.‖1 The ORSA, which forms part of an overall enterprise risk management framework, is included under this ICP and is discussed further under the related standards and guidance.

The IAIS insurance core principles (ICPs) that were adopted in 20032 do not make explicit mention of an ORSA. Aspects of the ORSA are however alluded to through a number of ICPs. The most relevant of these ICPs are:

ICP 6 - Licensing: ―An insurer must be licensed before it can operate within a jurisdiction. The requirements for licensing are clear, objective and public.‖ An essential requirement of this ICP is information from the applicant for licensing on its ‗business plan projected out for a minimum of three years. The business plan must reflect the business lines and risk profile, and give details of projected setting-up costs, capital requirements, projected development of business, solvency margins and reinsurance arrangements.‘ This ICP will be replaced by ICP 4 intended to be adopted in October 2011.

ICP 10 – Internal control: ―The supervisory authority requires insurers to have in place controls that are adequate for the nature and scale of the business. The oversight and reporting systems allow the board and management to monitor and control the operations.‖ This ICP requires the establishment of a ‗risk management system that includes setting and monitoring policies so that all major risks are identified, measured, monitored and controlled on an ongoing basis.‘

ICP 17 – Group-wide supervision: ―The supervisory authority supervises its insurers on a solo and a group-wide basis.‖ As a supplement to solo supervision, this ICP requires group-wide supervision of insurers which are part of insurance groups or financial conglomerates, including adequate policies on and supervisory oversight of group structure and interrelationships, capital adequacy, reinsurance, risk concentrations, intra-group transactions and exposures, internal control mechanisms and risk management processes. This ICP may be relevant in the setting of requirements for solo and group-wide ORSAs.

ICP 18 – Risk assessment and management: ―The supervisory authority requires insurers to recognise the range of risks that they face and to assess and manage them effectively.‖ This ICP requires risk management policies and risk control systems that are appropriate to the complexity, size and nature of the insurer‘s business. The insurer must establish an appropriate tolerance level or risk limit for material sources of risk. Insurers are also required to ‗regularly review the market environment in which they operate, draw appropriate conclusions as to the risks

1 ICP 16 of the IAIS ICP material adopted October 2010 (to be included in full set of ICPs to

be adopted in 2011) 2 IAIS Insurance core principles and methodology (2003)


Page 3 of 26

posed and take appropriate actions to manage adverse impacts of the environment on the insurer‘s business‘. This ICP will be replaced in part by ICP 16 on enterprise risk management intended to be adopted in October 2011.

ICP 20 – Liabilities: ―The supervisory authority requires insurers to comply with standards for establishing adequate technical provisions and other liabilities, and making allowance for reinsurance recoverables. The supervisory authority has both the authority and the ability to assess the adequacy of the technical provisions and to require that these provisions be increased, if necessary.‖ An advanced criterion requires insurers to ‗undertake regular stress testing for a range of adverse scenarios in order to assess the adequacy of capital resources in case technical provisions have to be increased.‘

ICP 23 – Capital adequacy and solvency: ―The supervisory authority requires insurers to comply with the prescribed solvency regime. This regime includes capital adequacy requirements and requires suitable forms of capital that enable the insurer to absorb significant unforeseen losses.‖ An advanced criterion requires ‗periodic, forward-looking analysis (e.g., dynamic solvency/stress testing) of an insurer‘s ability to meet its obligations under various conditions.‘ This ICP will be replaced in part by ICP 173 on capital adequacy intended to be adopted in October 2011. ICP 17 does not make the same references but does make reference to stress testing.

In addition to these insurance core principles, there are also IAIS principles on capital adequacy and solvency4. Relevant to the ORSA is principle 13 on solvency assessment: ―Insurance supervisory authorities have to undertake solvency assessment.‖ This principle requires insurance supervisory authorities to ‗consider the following elements when undertaking solvency assessment:

the adequacy, reliability, consistency and objectiveness of technical provisions, assets and liability valuations and statutory reporting;

compliance with the required solvency margin and control levels;

the adequacy of the internal risk assessment processes of the insurer; and

the risk management systems of the insurer.‘

Although this principle discusses the elements supervisory authorities must consider, it is likely that similar elements would need to be considered in an insurer‘s own assessment.

3. EU DIRECTIVE ON SOLVENCY II: PRINCIPLES (LEVEL 1)

Article 45 of the EU directive on Solvency II is dedicated to the ORSA. It is reproduced here, with explanations of the referenced sections in the EU directive where it would otherwise be unclear. 1. As part of its risk-management system every insurance undertaking and reinsurance undertaking shall conduct its own risk and solvency assessment. That assessment shall include at least the following:

(a) the overall solvency needs taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the undertaking;


be adopted in 2011) 4 IAIS Principles on capital adequacy and solvency (2002)


Page 4 of 26

(b) the compliance, on a continuous basis, with the capital requirements, as laid down in Chapter VI, Sections 4 and 5 and with the requirements regarding technical provisions, as laid down in Chapter VI, Section 2; (c) the significance with which the risk profile of the undertaking concerned deviates from the assumptions underlying the Solvency Capital Requirement as laid down in Article 101(3), calculated with the standard formula in accordance with Chapter VI, Section 4, Subsection 2 or with its partial or full internal model in accordance with Chapter VI, Section 4, Subsection 3. 2. For the purposes of paragraph 1(a), the undertaking concerned shall have in place processes which are proportionate to the nature, scale and complexity of the risks inherent in its business and which enable it to properly identify and assess the risks it faces in the short and long term and to which it is or could be exposed. The undertaking shall demonstrate the methods used in that assessment. 3. In the case referred to in paragraph 1(c), when an internal model is used, the assessment shall be performed together with the recalibration that transforms the internal risk numbers into the Solvency Capital Requirement risk measure and calibration. 4. The own-risk and solvency assessment shall be an integral part of the business strategy and shall be taken into account on an ongoing basis in the strategic decisions of the undertaking. 5. Insurance and reinsurance undertakings shall perform the assessment referred to in paragraph 1 regularly and without any delay following any significant change in their risk profile. 6. The insurance and reinsurance undertakings shall inform the supervisory authorities of the results of each own-risk and solvency assessment as part of the information reported under Article 35 [Information to be provided for supervisory purposes]. 7. The own-risk and solvency assessment shall not serve to calculate a capital requirement. The Solvency Capital Requirement shall be adjusted only in accordance with Articles 37 [Capital add-on], 231 to 233 [Group internal model, group capital add-on, and deduction and aggregation method of calculating the group solvency capital requirement] and 238 [Subsidiaries of an insurance or reinsurance undertaking: determination of the Solvency Capital Requirement]. The proposed SAM primary legislation in respect of the ORSA is similar to Article 45 of the EU directive, amended as appropriate to reference the relevant sections in the SAM primary legislation.

4. MAPPING ANY PRINCIPLE (LEVEL 1) DIFFERENCES BETWEEN IAIS ICP & EU DIRECTIVE

The proposed IAIS ICP 165 only requires entities to establish an enterprise risk management framework that addresses all relevant and material risks. The EU Directive contains more detailed ORSA requirements, but does not contradict the proposed IAIS ICP 16, nor the dedicated sections on the ORSA included in the standards and guidance related to the proposed ICP 16 (paragraph 16.11 onwards.

5. STANDARDS AND GUIDANCE (LEVELS 2 & 3)

5 IAIS ICP material adopted October 2010 (to be included in full set of ICPs to be adopted in

2011) http://www.iaisweb.org/__temp/ICP_16_Enterprise_Risk_Management__standards_and_guidance_material.pdf

http://www.iaisweb.org/__temp/ICP_16_Enterprise_Risk_Management__standards_and_guidance_material.pdf

http://www.iaisweb.org/__temp/ICP_16_Enterprise_Risk_Management__standards_and_guidance_material.pdf


Page 5 of 26

5.1 IAIS standards and guidance papers

Several IAIS standards and guidance are directly relevant to or contain elements that would be applicable to the ORSA.

The standards and guidance related to the proposed ICP 16 on enterprise risk management have dedicated sections on the ORSA (from paragraph 16.11 onwards). The broader topics on ERM discussed in the paper such as risk identification and measurement, documentation, the risk management policy, the risk tolerance statement and the risk responsiveness of the ERM framework are also applicable to the ORSA.

This guidance states that as part of its ORSA process, an insurer would be expected to prepare a report which includes a detailed description of the relevant material categories of risk that the insurer faces, its overall financial resource needs including its economic capital and regulatory capital requirements as well as the available capital to meet these requirements and projections of how such factors will develop in future. This report should also include detailed descriptions and explanations of the risks covered in the ORSA, the measurement approaches used and the key assumptions made. Other IAIS standards on disclosures have limited relevance to the ORSA.

The standards and guidance on ICP 16 appear to replace the prior adopted standard6 and guidance7 on ERM for capital adequacy and solvency purposes as much of the material covered is the same. The prior adopted standard and guidance have thus not been explicitly included for the purposes of this document.

The guidance paper on the structure of regulatory capital requirements8, as well as the proposed ICP 179 to be adopted in October 2011, raises additional points about the ORSA.

In the context of the ORSA, an insurer would generally be expected to consider its financial position from a going concern perspective (that is, assuming that it will carry on its business as a going concern and continue to take on new business) but may also need to consider a run-off and/or winding-up perspective (e.g. where the insurer is in financial difficulty).

Whilst the IAIS recognises that some risks may be difficult to quantify (e.g. operational or liquidity risk), it is important that the insurer nevertheless addresses all material risks in its ORSA.

In undertaking the ORSA, the insurer would be expected to have considered the extent to which the regulatory capital requirements (in particular, any standardised formula) adequately reflect its particular risk profile. In this regard, the ORSA can be a useful source of information to the supervisor in reviewing the adequacy of the regulatory capital requirements of the insurer and in assessing the need for variation in those requirements.

The standard on the structure of capital resources10 for solvency purposes specifies that ―the solvency regime should require the insurer to assess the quality and adequacy of its capital resources to meet regulatory capital requirements and any additional capital needs.‖ The

6 IAIS Standard no. 2.2.6 on enterprise risk management for capital adequacy and solvency

purposes (2008) 7 IAIS Guidance paper no. 2.2.5 on enterprise risk management for capital adequacy and

solvency purposes (2008) 8 IAIS Guidance paper no. 2.1.1 on the structure of regulatory capital requirements (2008)


be adopted in 2011) 10

IAIS Standard no. 2.1.2 on the structure of capital resources for solvency purposes (2009)


Page 6 of 26

corresponding guidance paper11 discusses that ‗if an insurer suffers losses that are absorbed by its available capital resources, it may need to raise capital to meet ongoing regulatory capital requirements and to maintain its business strategies. It cannot be assumed that capital will be readily available at the time it is needed. Therefore, an insurer‘s own assessment of the quality of capital should also consider the issue of re-capitalisation, especially the ability of capital to absorb losses on a going-concern basis and the extent to which the capital instruments or structures that the insurer uses may facilitate or hinder future re-capitalisation.‘

5.2 EIOPA’S CPs (consultation papers)

The European Commission will not be issuing any Level 2 implementing measures on the ORSA but EIOPA (formerly CEIOPS) will be issuing Level 3 guidance on the principles relating to the ORSA. At the time of writing this discussion document, this Level 3 guidance had not yet been published. EIOPA has, however, published its views in an issues paper12 on the ORSA in May 2008.

EIOPA‘s consultation paper on ―Supervision of Group Solvency for Groups with Centralised Risk Management‖ (former CP66) discusses an ORSA in the context of insurance groups. Where an insurer is part of an insurance group and the group complies with the principles of ―Consistent Group Wide Risk Management‖ (as set out in section 3.2) or the Group Risk Management Function is centralised in such a way that section 3.3 of former CP66 applies, then it is possible to have one document covering the assessment on solo and group level.

5.3 Other relevant jurisdictions (e.g. OSFI, APRA)

The Australian Prudential Regulatory Authority (―APRA‖) and the Office of the Superintendent of Financial Institutions Canada (―OSFI‖) are the only two jurisdictions that are considered in detail in this section. This is in line with the direction from the FSB to focus on these jurisdictions. A brief reference to Bermuda‘s version of the ORSA process is however made.

Australia

There would not appear to be an ORSA requirement in its pure form. However, the emphasis is more on risk management and governance elements as contained in Solvency II. The Australian Prudential Regulatory Authority (―APRA‖) has issued Level I prudential standards13 that refer to internal models in assessing capital requirements.

In most cases an insurer must have an appointed actuary14 who must provide an assessment of the overall financial condition and advice on the valuation of its liabilities on an annual basis, in particular a Financial Condition Report and an Insurance Liability Valuation Report (―ILVR‖).

11

IAIS Guidance paper no. 2.1.2 on the structure of capital resources for solvency purposes (2009) 12

CEIOPS Issues paper CEIOPS-IGSRR-09/08 on the ORSA (May 2008) https://eiopa.europa.eu/fileadmin/tx_dam/files/consultations/IssuesPaperORSA.pdf 13

GPS 220 14

GPS 310 and APRA Solvency Modernisation Initiative issued November 2009; in the South African context this would be the Statutory Actuary

https://eiopa.europa.eu/fileadmin/tx_dam/files/consultations/IssuesPaperORSA.pdf


Page 7 of 26

The Appointed Actuary‘s Financial Condition Report must include15, where relevant:

a business overview;

an assessment of the insurer‘s recent experience and profitability;

summary of the key results of the ILVR;

assessment of the adequacy of past estimates for insurance liabilities;

assessment of asset and liability management, including the insurer‘s investment strategy;

assessment of current and future capital adequacy and a discussion of the insurer‘s approach to capital management;

assessment of pricing, including adequacy of premiums;

assessment of the suitability and adequacy of reinsurance arrangements; and

high-level assessment of the suitability and adequacy of the risk management framework.

The General Insurance Prudential Standard GPS 220 requires that insurers have in place a risk management framework that includes certain key elements, to be described in a Risk Management Strategy. The Risk Management Strategy would typically not contain policies or procedures that underpin the risk management framework but may refer to them for illustration purposes. Further details of this are provided in Appendix A.

Canada

There is no specific mention of an ORSA, but the internal modelling requirement and other aspects indicate such an approach. The Office of the Superintendent of Financial Institutions Canada (―OSFI‖) first required prospective scenario testing in 199016. This has developed into the Dynamic Capital Adequacy Testing (―DCAT‖). An annual report on DCAT must be filed, based on the analysis and projection of trends on the insurer‘s capital position given its current circumstances, its recent past, and its intended business plan under a variety of future scenarios.

They too require an Appointed Actuary to perform a series of deterministic adverse scenario tests using the insurer‘s financial results and must certify that the financial position is satisfactory after these tests. OSFI does not currently require the DCAT to be incorporated into the insurer‘s risk management process. While some insurers incorporate the exercise into their risk management process, some companies view DCAT as a compliance exercise. Partly for this reason, OSFI is implementing more stress testing requirements.

Guidance on stress, scenario and sensitivity testing has been published by OSFI17 to extend the use of testing beyond DCAT. Stress testing must:

Be documented, available to review and be embedded in enterprise-wide risk management.

Be utilized in decision making, including setting the institution‘s risk appetite, setting exposure limits, and evaluating strategic choices in longer term business planning.

15

APRA Solvency Modernisation Initiative issued November 2009 16

NAIC Consultation Paper on ORSA for the Solvency Modernization Initiative Aug 2010 17

OSFI Guideline E -18, December 2009


Page 8 of 26

Help to detect vulnerabilities such as unidentified risk concentrations or potential interactions between types of risk that could threaten the viability of the institution.

Be a central tool for assessing liquidity risks.

Place special attention on risk mitigation, securitization and warehousing risks, risks to reputation, counterparty credit risk, and risk concentrations.

Each federally registered institution is rated by OSFI according to its composite risk rating, which is the institution‘s overall net risk rating after taking into account the institution‘s capital and earnings. Net risk is obtained by offsetting the aggregate quality of risk management against the aggregate level of inherent risk of the insurer. Inherent risks18 are classified into the following groups:

Credit risk

Market risk

Insurance risk

Operational risk

Liquidity risk

Legal and Regulatory risk

Strategic risk An insurer is rated as low, moderate, above average or high for each of these categories. The quality of risk management is also divided into groups19:

Operational Management (i.e., day to day management)

Financial Analysis

Compliance

Internal Audit

Risk Management

Senior Management

Board Oversight

The quality of an insurer‘s risk management processes is assessed as strong, acceptable, needs improvement or weak. The assessment of aggregate inherent risk and aggregate risk management quality are based on judgments of all of the inherent risk and risk management functions.

In addition to the assessment of net risk, the direction of net risk is considered in rating an insurer. The level and frequency of supervisory scrutiny will depend on the risk assessment of the institution.

Bermuda

The Bermuda Monetary Authority (BMA) has issued guidance20 on the ORSA, known in their jurisdiction as the ―Commercial Insurer‘s Solvency Self Assessment‖ (―CISSA‖). This is not reproduced in detail in this section but relevant points have been included where appropriate in this document.

18

OSFI Solvency Modernization Initiative issued November 2009 19

OSFI Solvency Modernization Initiative issued November 2009 20

BMA Consultation paper on Commercial Insurer‘s Solvency Self Assessment (June 2010) http://www.bma.bm/uploaded/507-100709_Consultation_Paper_on_Commercial_Insurer_s_Solvency_Self-Assessment_(REVISED).pdf

http://www.bma.bm/uploaded/507-100709_Consultation_Paper_on_Commercial_Insurer_s_Solvency_Self-Assessment_(REVISED).pdf

http://www.bma.bm/uploaded/507-100709_Consultation_Paper_on_Commercial_Insurer_s_Solvency_Self-Assessment_(REVISED).pdf


Page 9 of 26

5.4 Mapping of differences between above approaches (Level 2 and 3)

This section focuses primarily on mapping the differences between the IAIS standards and guidance and the EIOPA issues paper on the ORSA. As the Level 3 guidance has not yet been published by EIOPA, no mapping has been performed in this respect. Where differences exist to the Bermudan CISSA process, these have been highlighted.

Whilst APRA and OSFI contain guidance that is relevant to the ORSA, it is not as directly applicable as the guidance from the IAIS and EIOPA and hence is only mentioned briefly in this section.

None of these papers differentiate between life insurers, non-life insurers and reinsurers, and hence the guidance on the ORSA should be viewed as being applicable to all of these undertakings.

Overall, the IAIS, EIOPA and BMA guidance are very similar in context, with differences arising primarily in terms of style and the level of detail at which principles are discussed. This section will therefore highlight any contradictions that may exist between these papers and point out for each jurisdiction where it has elaborated on principles more so than the other jurisdictions.

Contradictions

There are no contradictions in the reviewed guidance on the ORSA. This demonstrates that the principles underlying the ORSA are consistent across jurisdictions.

Extensions of one jurisdiction over the others

Definition of the ORSA

The EIOPA issues paper provides a definition for the ORSA. The Bermuda Monetary Authority extends on this in their CISSA definition and includes a requirement for entities to hold sufficient capital to ‗achieve its business goals‘. This is in line with the requirement for the ORSA to be embedded in the business and reflect an undertaking‘s business plans.

Going concern versus wind-up

The IAIS specifically mentions that the ORSA should be conducted assuming the insurer will continue to operate on a going concern basis unless the insurer is in financial difficulty. This is not explicitly stated by EIOPA.

Frequency of calculation

EIOPA requires undertakings to ‗continuously meet the regulatory capital requirement, as well as the internal capital targets they set themselves‘. This does not mean that an insurance undertaking is required to calculate the SCR and MCR on a continuous basis, but rather that it should comply with these capital requirements continuously. Thus the undertaking will need to estimate the change in its capital requirements and eligible own funds since the last full solvency calculation. EIOPA specifies that the ORSA should be


Page 10 of 26

performed at least annually or following a significant change in risk profile. The undertaking should justify the adequacy of the frequency of the assessment. The IAIS guidance states that the ORSA should be performed regularly but does not specify this to be at least annually. The IAIS also requires the ORSA to be performed following significant changes in risk profile, and implies, though does not state explicitly, that the regulatory capital requirements should be met at all times.

Risks covered

Although all the jurisdictions require the ORSA to consider all current and reasonably foreseeable relevant material risks, the actual risks listed as a minimum differ across the jurisdictions (as can be seen in the table below):

Risks EIOPA IAIS OSFI

Underwriting / Insurance

√ √ √

Market √ √ √

Credit √ √ √

Operational √ √ √

Liquidity √ √

Strategic √

Legal √

Regulatory √

Group √

Other Any other material risks, examples of

which are liquidity risk, reputational risk and

strategic risk.

Risk mitigation Consider impact of risk mitigation techniques

e.g. reinsurance, diversification effects,

loss-absorbing capacity of technical

provisions and deferred taxes

Consideration of effectiveness of

applicable controls to mitigate risks

The IAIS and the Bermuda Monetary Authority recognise that some risks may be difficult to quantify but require insurers to effectively consider these risks in their assessment and address them appropriately.

Analysis of differences in economic and regulatory capital


Page 11 of 26

The IAIS guidance states that although the amounts of economic capital21 and regulatory capital requirements and the methods used to determine them may differ, an insurer should be aware of, and be able to analyse and explain these differences. The EIOPA paper is worded more strongly, specifying that although an insurer may perform its ORSA at a different time horizon, confidence level and using different assumptions and assumed management actions, it is required to perform the internal calculation on the basis of a 99.5% confidence level and a one-year time horizon. EIOPA is however clear that the purpose of the ORSA is not to duplicate, validate or analyse in detail the parameterisation of the SCR calculation. The BMA makes a recommendation that Class 4 and Class 3B22 insurers‘ own capital calculation be done at a 99.0% TVaR23 over a one year horizon (same confidence level and time horizon as the regulatory capital).

Forward-looking analysis and stress testing

In performing the forward-looking analysis of the ORSA, the IAIS guidance states that the time horizon should be consistent with that needed for effective business planning, an example of which is 3-5 years. EIOPA does not mention a specific time horizon, only that it should be an ‗appropriate planning horizon‘. An insurer should be able to demonstrate an ability to manage its risks over this longer time horizon under a range of plausible adverse scenarios. Unlike EIOPA, the IAIS guidance states that the insurer should apply reverse stress testing to identify scenarios that would likely cause business failure and the actions necessary to manage this risk. The IAIS guidance notes that whilst insurers must carry out stress testing, scenario analysis and risk modelling that are most appropriate for the business, the supervisor may develop additional stress testing for insurers to perform. The purposes of such testing may be to improve consistency of testing among a group of similar insurers, and to assess the financial stability of the market to stresses such as pandemics that impact a number of insurers simultaneously.

Proportionality

Both EIOPA and the IAIS advocate the use of the proportionality principle when performing and reviewing ORSAs. This principle requires the ORSA to be proportionate in its sophistication and depth to the nature, scale and complexity of the undertaking‘s business. The IAIS gives further guidelines on this, specifying that when assessing risks, the methods by which this could be done can range from simple stress testing events to more complex interlocking stochastic modelling as appropriate to the nature, scale and complexity of the risks concerned. The IAIS further comments that supervisors should not take a ‗one-size-fits-all‘ approach to insurers‘ risk management but apply the principle of proportionality.

Group-wide and solo ORSAs

21

‗Economic capital‘ refers to the capital needed by the insurer to satisfy its risk tolerance and support its business plans which is determined from an economic assessment of the insurer‘s risks, the relationship between them and the risk mitigation in place. 22

As defined in the Bermuda Insurance Act 1978. Class 3B insurers include all short term insurance companies which have annual premium income of more than $50m from unrelated business. Class 4 insurers include all short term insurance companies which have statutory capital requirements of $100m or greater and which write excess liability business or property catastrophe reinsurance business provided that more than 80% of this business is in respect of unrelated parties. 23 Tail Value-at-Risk (TVaR) is the expected value of the loss in those cases where it

exceeds a predefined confidence level.


Page 12 of 26

The EIOPA issues paper provides little guidance on ORSAs to be conducted by insurance groups, barring a comment that EIOPA will likely develop additional guidance in future on the group ORSA requirements. In contrast, the IAIS provides detailed guidance on the areas to consider when performing group-wide and solo ORSAs. Apart from performing a group-wide ORSA, the IAIS requires an ORSA to be done at the insurance legal entity and should include any additional risks that arise as a result of it being part of an insurance group. An insurance group should perform its ORSA to assess the adequacy of the group‘s risk management and current, and likely future solvency position. This group ORSA should capture all material risks of the group and the assessment of group-wide capital resources including fungibility of capital, the transferability of assets within the group, multiple gearing, leverage and intra-group creation of capital and reciprocal financing. It should also be ensured that capital is not double counted. In normal circumstances, surplus capital at the top of a group structure may be down-streamed to cover losses in group entities lower down the chain. The ORSA should reflect that this parental support may not always be forthcoming or permitted in times of stress. It may also be appropriate to consider scenarios in which the group structure changes.

The proportionality principle applies to groups as well as solo entities, with particular care to be given to group risks and group-wide capital resources for large complex groups. Given that risks may be more complex and diverse for an insurance group, it may be appropriate to use an internal model for a group‘s ORSA even where the use of an internal model is not a proportionate approach for the insurance legal entities that form part of that group. The IAIS provides further guidance to supervisors on how to review the group‘s ORSA.

Where the Bermuda Monetary Authority is the group-wide supervisor, insurers will be required to file a legal entity CISSA in addition to the group CISSA. However, insurers may apply for exemptions or modifications. An example of circumstances where an application for an abbreviated CISSA would be considered includes instances where centralised risk management exists so that the qualitative content of the legal entity and group CISSAs are largely duplicative. For instance, the BMA would consider an exemption entirely from a legal entity CISSA, where the scale of the legal entity comprises almost that of the entire group, so that no material difference exists in relation to the quantification of CISSA capital and the qualitative description of risk management in respect of the legal entity and group.

Where the BMA is not the group-wide supervisor, the BMA still requires an insurer to submit a legal entity CISSA. Where the group CISSA submitted to the group-wide supervisor is of a broadly equivalent nature and the results for the Bermuda legal entity are discernable, then the BMA may accept the group CISSA submission and require no separate legal entity CISSA.

Thus the BMA recognises that there may be instances where the ORSA at the legal entity level may be waived. No such allowance is mentioned in the IAIS guidance.

Governance

The BMA includes a requirement that those who administer the CISSA be fit and proper. Whilst the IAIS and EIOPA have fit and proper requirements for Board members and all persons who effectively run the undertaking or have key functions, these requirements are not stated explicitly in their guidance on the ORSA. All jurisdictions place ultimate responsibility for the ORSA on the Board and senior management. EIOPA and the BMA explicitly require the Board or senior management to challenge the ORSA/CISSA.

Risk appetite


Page 13 of 26

The BMA makes an explicit recommendation for the CISSA to include a description of how an insurer‘s risk appetite is defined and measured as well as details around limits imposed and how these limits are enforced. There is also an explicit recommendation around reconciling the impact of stress and scenario testing on capital to risk appetite. Whilst the IAIS notes that stress testing can help an insurer in ascertaining whether its tolerance limits are suitable for its business, it does not explicitly require such a reconciliation.

Documentation standards

Each of the jurisdictions has provided different levels of guidance in respect of documentation. The most rigorous of these is Bermuda which supplies reporting templates that undertakings should complete. EIOPA lists the minimum requirements for documentation. It is unclear whether reporting templates will be developed as part of EIOPA‘s Level 3 guidance. The IAIS does not include documentation standards explicitly but makes broad comments of what insurers would be expected to report to the supervisor. The IAIS states that while disclosing information on risk management helps to improve transparency and comparability of solvency regimes, it recognises that care should be taken in deciding what is publicly disclosed given the commercially sensitive nature of some of the information.

6. ASSESSMENT OF AVAILABLE APPROACHES GIVEN THE SOUTH AFRICAN CONTEXT

6.1 Discussion of inherent advantages and disadvantages of each approach

When discussing the approaches that may be followed in conducting an ORSA, and in particular the differences highlighted in section 5.4, it is important to consider the benefits as well as any particular restrictions that may be imposed by following a given approach.

The nature of the ORSA

The secondary legislation under the SAM Framework should not be too prescriptive, but should rather be set as high-level principles to which each insurer must adhere in performing its ORSA. Legislation that is too prescriptive has the disadvantage of potentially being too restrictive and narrowly-defined as well as setting a standard that insurers may view as a minimum standard which must be met and no more. In the context of the ORSA, the fundamental principle is that insurers should have robust risk and capital assessment and management processes that reflect their unique circumstances. It would therefore be expected that the application of the ORSA principles should be proportionate to the nature, scale and complexity of risks inherent in the business. Further guidance on the implementation of an ORSA, whilst not viewed as prescriptive, can provide clarity to insurers around the ORSA requirements.

Similar advantages and disadvantages can be applied to documentation standards. Templates, as proposed by Bermuda, ease the collection and comparison of ORSAs from different insurers. This is more efficient for the regulator than having to review ORSAs with different styles and contents and may be particularly helpful in South Africa where resources at the regulator may be limited. However, as the ORSA is an insurer‘s own assessment, it follows that an insurer would be expected to discuss its risk and solvency landscape in a


Page 14 of 26

way that makes sense for its business, subject to covering all the requirements that may be expected in an ORSA. By not setting formal ORSA templates, this also encourages an insurer to embed the ORSA in its business and decision-making processes and to derive value from it rather than viewing it as a compliance exercise.

The IAIS guidance requires an ORSA to be performed at the group level and for each insurance legal entity within the group. The advantage of performing the solo ORSAs at the legal entity level is that it can assure the regulator (and the companies) that policyholder interests within the group and each legal entity are expected to be met and that adequate capital is held. This is also consistent with regulatory reporting that is required at legal entity level.

There are however disadvantages to this approach and these are highlighted in the Bermuda CISSA process, where the BMA may waive the ORSA requirement for an insurance legal entity. There may be valid reasons for this, such as one legal entity making up the vast majority of the group such that an individual ORSA would largely duplicate the group ORSA. Furthermore, a group may contain a large number of small legal entities but it may manage the business and its risks not by legal entity but rather according to some other (e.g. business cluster) structure. In such a case, an ORSA for each legal entity would be a drain on resources both for the insurer and the regulator reviewing them, likely add limited value and may even be misleading as it does not reflect how the business is actually managed. This may be a reason for the regulator waiving the solo ORSAs at legal entity level. A group ORSA conducted at the level at which the business is managed, rather than at legal entity level, may be more appropriate. The regulator may still need to be assured that the material risks and capital requirements at the legal entity level have been allowed for adequately.

Frequency of calculation

EIOPA requires entities to perform an ORSA at least annually and following any significant changes in the entity‘s risk profile. More frequent assessments will have a resultant impact on resources but the additional management information gained may be beneficial. The adequacy of the frequency of the assessment should be justified by the insurer.

Risks covered

The reviewed international jurisdictions require the ORSA to consider all current and reasonably foreseeable relevant material risks. Although minimum risks may be prescribed, the list is not meant to exclude other risks that may be material to the insurer. This forces insurers to identify and understand the materiality of its own risks.

Reconciliations

Reconciliations are useful in validating model assumptions and results. EIOPA recommends a high level reconciliation between key items used in the ORSA and those corresponding items in the financial statements. In addition, insurers are required to understand and assess the differences between their regulatory and economic capital requirements. This aids an insurer in better understanding, amongst others, how its business plans, inclusion of additional risks not modelled in the SCR and any differences in confidence level or time horizon impact on its capital requirements. Although not the primary purpose, this reconciliation can aid the regulator in assessing the appropriateness of the calibration of the standard formula SCR. This is particularly useful in South Africa, where parameterisation of


Page 15 of 26

the standard formula is challenging given data and time constraints. It is noted that a higher economic capital requirement as shown in the ORSA will not necessarily lead to a capital add-on to the regulatory capital requirement. Capital add-ons may however be applied if significant risks are highlighted in the ORSA which are not covered in the SCR or if the risk management framework as described in the ORSA is considered to be inadequate.

Forward-looking analysis and stress testing

Under the ORSA, stress testing and scenario analysis are useful tools that insurers may use to understand the risks to which they are exposed. These scenarios should reflect plausible but severe events that may happen over the business planning projection period (e.g. 3-5 years). It can be time-consuming to derive and quantify the impact of the scenarios, but it is very insightful for an insurer to go through the process of discussing possible scenarios, their financial impacts, and possible management actions. It is therefore recommended that the details of the scenarios (e.g. the quantum of the stresses) not be prescribed by the regulator but rather be set by each insurer in accordance with its risk profile and business plans. There can be a use for prescribed stresses by the regulator (e.g. to assess systemic risk across insurers), but this will likely be viewed as ad-hoc or additional information that does not absolve insurers from performing their own scenario analysis. The IAIS guidance recommends testing more severe scenarios, known as reverse stress tests, which could result in business failure or a breach of regulatory or economic capital requirements. The number and complexity of these scenarios should be appropriate to the insurer and is not viewed as unreasonably cumbersome in the South African environment.

Governance

A strong governance structure is required given the importance of the ORSA. This includes, for example, fit and proper requirements for key personnel, robust documentation and internal and/or external validation of the process. The Board and senior management are responsible for and should ask probing questions on the ORSA. This challenging of the ORSA is a vital part in ensuring the business derives value from this process and will require Board members and senior management to become knowledgeable in this area.

Embedment in the business

The ORSA should be embedded in the business. It therefore makes sense to extend the EIOPA definition to include that the ORSA is used to ensure that own funds are sufficient for the insurer to achieve its business strategy. This is not viewed as being too restrictive. Indeed, certainly if an approved internal model (partial or full) is used in the calculation of the SCR and ORSA process, it would need to be shown that the model is being used in the decision-making processes of the business to pass the ‗use test‘. If not using an internal model, this does not absolve insurers from using the ORSA as a means to assess its ability to ‗achieve its business goals‘.

6.2 Impact of the approaches on EU 3rd country equivalence

APRA and OSFI do not directly address the ORSA, but contain references and requirements to principles addressed under the ORSA as defined by EIOPA. Thus considering adopting the principles of these regimes as is, may not achieve third country equivalence.

The IAIS guidance, similar to EIOPA‘s guidance, is principles based. There are numerous similarities between the IAIS guidance and EIOPA‘s issues paper on the ORSA. It should however not be recommended that the IAIS guidance is adopted as is in South Africa since


Page 16 of 26

the issues paper addresses areas not referred to by the IAIS (one such example is that there is no clear definition of an ORSA in the IAIS guidance).

Bermuda guidance has been developed with the specific aim of achieving third country equivalence and the BMA requirements are generally more onerous than those of EIOPA. EIOPA is currently performing its assessment of Bermuda for purposes of third country equivalence.

The approach that the Task Group has followed in developing the South African guidance is to start with EIOPA‘s issues paper as the basis and adding on guidance from the IAIS, BMA and other supervisors where applicable.

It should also be noted that the Task Group‘s information from EIOPA was limited, because Level 3 guidance on the ORSA has not yet been issued by EIOPA and there is no Level 2 implementing measures. Thus to fully assess the impact on third country equivalence of the suggested approach for South Africa, more work needs to be performed once the Level 3 ORSA guidance has been issued.

6.3 Comparison of the approaches with the prevailing legislative framework

There is no prevailing South African legislation that is comparable to an ORSA.

As part of its interim measures, the FSB has requested insurers to conduct stress testing. This stress testing however differs from the stress testing envisioned under the ORSA in the following ways:

The FSB‘s interim stress testing involves applying instantaneous stresses and calculating a metric such as the Capital Adequacy Requirement thereafter. Under the ORSA, the stresses are applied gradually over a multi-year projection period and the metrics of interest are the financial position, regulatory capital requirement and economic capital requirement for each year of the projection.

The type and quantum of the FSB‘s stresses are prescribed. Under an ORSA, however, stresses should not be prescribed but should rather be determined by each insurer in accordance with its own risk landscape and risk management framework. Any stresses that may be prescribed by the FSB under the SAM framework should thus fall under the ambit of the stress testing task group and not form part of the ORSA.

6.4 Conclusions on preferred approach

In summary, the Task Group considered the following sources as input to the recommendations set out in the next section:

Solvency II Level I Directive, Article 45

EIOPA‘s ORSA Issues Paper, dated May 2008

EIOPA‘s former CP66 on Supervision of Group Solvency for Groups with Centralised Risk Management

IAIS Principles, specifically ICP16 and Guidance Paper 2.2.5

Bermuda Monetary Authority (BMA), Consultation Paper on Commercial Insurer‘s Solvency Self Assessment (June 2010)

APRA framework (specific references indicated in the sections above)


Page 17 of 26

OSFI framework (specific references indicated in the sections above)

Generally, there is very little reference to the ORSA (or a similar concept) in both the APRA and OSFI frameworks. The Task Group did however consider the relevant references and factored those into the recommendation below.

The BMA Consultation paper was considered and although the Task Group‘s overall view was that the paper establishes requirements that are perhaps too prescriptive, certain areas were adopted in the recommendations set out below.

The Task Group supports a principle based approach to subordinated legislation for purposes of the ORSA. Thus the majority of the recommendations set out in the section below stem from EIOPA‘s Issues Paper on the ORSA and ICP16.

7. RECOMMENDATION

Minimum Requirements for the ORSA

This section could be included as secondary legislation.

Definition of an Own Risk and Solvency Assessment (ORSA)

The ORSA is defined as the entirety of the processes and procedures employed to identify, assess, monitor, manage, and report the short and long term risks an insurance undertaking (and insurance group) faces or may face and to determine the own funds necessary to ensure that insurers (and groups) overall solvency needs are met at all times and are sufficient to achieve its business strategy.

The ORSA is deemed to be a confidential document and is to be reported to the Regulator as part of the ―private‖ disclosure requirements.

Requirement to perform an ORSA

Every insurer (solo requirement) and insurance group (group requirement) should perform an ORSA and document the methodologies, rationale, calculations and results arising from the assessment. The solo requirement should as a minimum be an assessment for each legal insurance entity. In principle, the solo and group ORSA should be aligned with how the insurer manages its business.

Where an insurer is part of an insurance group, the Regulator may waive the solo submission/reporting requirement if the Regulator is assured that the material risks and capital requirements at the legal entity level have been allowed for adequately at group level.

The frequency of the assessment should be of such a nature that the assessment provides relevant information for current decision making. As such, insurers should produce the full assessment at least annually and when there is a significant change in the insurer‘s risk profile due to internal or external conditions changing. Although insurers (groups) may perform partial assessments during period ends, it is only expected that the results of each full ORSA run will be submitted to the Regulator (i.e. annual or upon significant change of the risk profile).

The Task Group recognises that the impact of the above is that entities or businesses forming part of a group would not necessarily have to produce ORSA submissions/reports. This may result in gaps. The Task Group proposes to follow Level 3 guidance in this respect and recognises this as a specific area to address


Page 18 of 26

once Level 3 guidance becomes available from EIOPA and market practices emerge from Europe. The Task Group further has to consider the ORSA treatment of insurance sub-groups.

Scope of the ORSA

The ultimate purpose of the ORSA would be to provide the Board and Senior Management with an assessment of the risks that the insurer (group) is exposed to and the resulting solvency requirements arising from this exposure. The ORSA should also inform the Board as to the potential impact that this may have on the current (and likely future) solvency position of the insurer (group). The level of sophistication of the ORSA should correspond to the nature, complexity and scale of risks inherent in the business.

The ORSA should consider all material current and foreseeable risks that are relevant to the insurer.

Underlying the ORSA should be the assumption that the insurer will continue as a going concern for the foreseeable future. This assumption should be validated by the assessment. Where this assumption is invalid, an insurer should specifically state this in the assessment. This would include insurers which are either in run-off or being wound-up. In such cases, the ORSA should reflect the actual circumstances of the insurer and so exclude any future new business. The insurer must however ensure that any additional risks arising as a result of the company being in run-off or being wound up are adequately allowed for within the ORSA.

The insurer should assess its ability to continue in business and assess the adequacy and quality of economic capital over a longer time horizon (typically 3 – 5 years) than used to determine regulatory capital requirements. This time horizon should correspond with the business planning time horizon.

Governance of the ORSA

The ultimate accountability of the ORSA resides with the Board who should approve the ORSA. When evaluating the ORSA, the Board and Senior Management should assess the adequacy of the current and future solvency position. In addition the Board and Senior Management are responsible to ensure that the ORSA is embedded in the business and decision making processes.

The Board and Senior Management should also, through direct review and challenge and through reliance on the governance process, conclude on the accuracy and completeness of the ORSA calculations, assumptions and data used as input to the ORSA.

The ORSA should be appropriately evidenced and documented.

The effectiveness of the ORSA should be independently assessed either internally (e.g. Internal Audit) or externally. This review must be carried out by persons different to those performing the ORSA

Additional Guidance

The following section contains recommendations and guidance around the implementation and performance of an ORSA. It is not the intention that this section represents prescriptive ORSA requirements. Insurers should however look to this section for further guidance and clarity around the ORSA requirements. This represents the task group‘s current views on the


Page 19 of 26

guidance that will form part of Level 3, and is not intended to be included in the secondary legislation. This guidance will be reviewed once EIOPA has published its Level 3 supervisory standards on the ORSA.

Further Guidance on Aim and Purpose

The aims of the ORSA include:

Ensuring that insurers and groups have robust processes for assessing and monitoring risks and their overall solvency needs

A risk management tool that requires entities to assess their own short and long term risks and the amounts required as own funds to cover these risks. It may serve as a tool to enhance the entity‘s understanding of the interrelationships between current (and future risks) and capital (both long and short term capital).

The results of the ORSA should be used to inform and improve business decisions, business strategy and the ERM framework. The ORSA process should also identify the major issues affecting the solvency of an insurer (or group).

In Article 45 (4), the Level 1 Directive makes a very clear link between the ORSA and the business strategy. This implies that the business strategies should be at the heart of the ORSA and the processes and procedures to manage risk be built around the business strategies. This would highlight the need for very clear risk appetite statements that cascade through to all areas of strategic importance. It is also implied that the ORSA should be constructed in line with how the business is managed (e.g. business clusters) rather than in such a way to support regulatory reporting (legal entity).

Further Guidance on Scope

The overarching principle for the submission of an ORSA report to the Regulator is that the information provided to the Regulator should be sufficient for the Regulator to exercise its supervisory duties for both solo legal entities as well as groups. It is also not the purpose of this guidance to change the management structure of insurers. The ORSA should however best reflect how an insurer or insurance group manages its business and risks. Should an insurer manage its business on a business unit basis (rather than on a legal entity basis), the insurer could perform an ORSA for each significant business unit (aligned with how the business is managed and reported). The Board and Senior Management should however be able to demonstrate that through the ORSA processes at business unit (or other organisational levels) all reasonably foreseeable and relevant material risks arising from legal entities have been appropriately addressed and assessed. The ORSA should also clearly explain how the information provided at business unit levels relates to the legal entities.

The Regulator may also waive the requirement for a solo ORSA submission/report under certain circumstances. The Regulator should however be satisfied that upon waiving the solo reporting requirement, that the group ORSA will contain the relevant quantitative and qualitative information necessary to allow the Regulator to exercise its supervisory duties. Examples of instances where the Regulator may waive the solo reporting requirement could include cases where centralised risk management exists such that the qualitative content of the solo and group ORSAs are largely duplicative or where the scale of the legal entity or business unit comprises almost that of the entire group. The Task Group recognises that this might be controversial and that this guidance may need to be reassessed once Level 3 guidance becomes available from EIOPA.


Page 20 of 26

The ORSA should include an assessment (quantitative and qualitative) of the own funds held, together with changes expected in stress situations. There is not an obligation on insurers and groups to continuously recalculate SCR, MCR and economic capital. The ORSA process should however by design enable entities to estimate changes in capital requirements and the Economic Balance sheet since the last full calculation process. A full calculation may however be required if an entity‘s risk profile changes significantly.

The ORSA report should be submitted to the Regulator at least annually, but should also be submitted if an ORSA is performed in between annual period end dates due to significant changes in the risk profile of the insurer or insurance group.

Further Guidance on Coverage

Insurers and insurance groups may consider addressing the following risks in the ORSA:

Underwriting and insurance risk

Market risk

Credit risk (including e.g. counterparty default risk, instrument rating downgrades)

Liquidity risk

Operational risk

Other risks relating to insurance groups, e.g. group contagion risk, both at group and subsidiary level (e.g. subsidiary companies should discuss the risk of contagion in the context of them belonging to a group)

Other risks not considered adequately covered by the SCR calculation, for example reputation and strategic risks

The above is a non-exhaustive list and it is recommended that risks are classified and included in the ORSA consistently to which risks are classified and managed in the business.

The Task Group recognises that this list of risks may need to be reassessed once Level 3 guidance becomes available from EIOPA. It will also be ensured that these risks are defined in the primary legislation.

Insurers and insurance groups should have in place a system of systematically identifying current and future risks and gather information about these risks over all organisational and operational levels.

The ORSA should address any risks that arise as a result of membership of a group structure. The fungibility of capital and the transferability of assets within the group should be taken into account.

The ORSA should identify dependencies and interrelationships between various risks.

The ORSA should (amongst other items) include assessments of an insurer and insurance group‘s:

Enterprise Risk Management framework. The ORSA should be performed in the context of an insurer’s overall ERM framework. As part of the ERM framework, an insurer should have sound and prudent capital management and monitoring practices in place.

Adequacy of current and future internal (economic) capital resources given its risk appetite and tolerance levels. Current and future capital levels should take account of longer term business strategies, risk tolerances, current and new business plans and risk mitigation processes and techniques. An insurer should understand how its risk management and capital management approaches and processes interact and


Page 21 of 26

thus determine how best to optimise its capital base, transfer or retain risk and price risk.

Risk management actions. The management actions included in the assessment should be approved by Senior Management and the Board.

Reinsurance. The ORSA should explain the mitigating objectives of reinsurance arrangement together with an assessment of effectiveness of reinsurance programmes. The assessment should also conclude on whether reinsurance coverage is adequate.

Adequacy of current and future regulatory capital position. The amounts of economic and regulatory capital may differ. The insurer should however understand and explain these differences.

Quality of economic and regulatory capital resources. The economic capital of an insurer should have loss absorbing capacity. It can however not be assumed that new capital will be readily available.

Adequacy and quality of economic and regulatory capital in stressed conditions. Stressed conditions may include most likely and worst case stress scenarios. Stress scenarios should include economic stresses, demographic stresses and stresses resulting from operational risk. Reverse stresses should also be performed identifying and quantifying those scenarios that could result in business failure, breach of economic solvency, breach of SCR and MCR and other circumstances considered appropriate by Senior Management and the Board.

Further Guidance on Calculation

While there may be insurers or insurance groups using the SCR standard formula for ORSA purposes, due to the size and complexity of the organisations, it may not be the case for all insurers and groups that their risk profiles are reflected appropriately within the standard formula. More complex insurers and groups should consider using an internal model for ORSA purposes. The models used for calculating economic capital for ORSA purposes should appropriately reflect and quantify all the material risks identified by the insurer‘s ERM framework, their impact on the insurer and potential mitigating actions. It is therefore likely that most insurers will use internal models to calculate economic capital for ORSA purposes. The following requirements should be considered:

Risk categories should be clearly identified and documented

Methods used in identifying and analysing risks for economic capital purposes should be documented

Modelling criteria and calibrations should be clearly documented. Some examples include methods used for valuing assets and liabilities, risk modelling techniques, confidence levels and time horizons.

In determining economic capital, an insurer should ensure that its economic capital requirement is sufficient to continuously meet its policyholder liabilities. In calculating and meeting economic capital requirements, policyholder interests should not be put at risk.

Although the model used for calculating economic capital is not expected to meet regulatory approval, the insurer should ensure that the model is subject to periodic independent review. The independent review can either be internal, where an insurer has the appropriate independent skills and expertise in-house (e.g. Internal Audit), or external. Where modelling and analysis techniques remain consistent from one year to the next, these elements need to be reviewed once every three years. Other elements of the model (such as completeness and accuracy of data, appropriateness of assumptions, etc) should be reviewed annually.


Page 22 of 26

The output of the ORSA process should be a report which (amongst other items) evidences the risk and capital management processes and procedures and express a view of the current and future capital positions of the undertaking.

Forward looking nature of the ORSA

Forward looking economic capital should be determined, taking into account the following:

Overall risk management strategy

Future cash flow position

Business plans and new business strategies

Changes in the external environment (such as economic, demographic and environmental changes)

Contingency plans

Product design and pricing

An insurer and insurance group should apply reverse stress testing to identify scenarios that could most likely cause business failure.

An insurer and insurance group should evaluate the results and conclusions from its forward looking capital projections and use this to inform business decisions, business strategy and the ERM framework.

The Regulator may also require insurers and insurance groups to perform an assessment of its ability to meet regulatory solvency capital under various prescribed stresses and/or scenarios. The Task Group recognises that while this may be a Pillar II requirement, it wishes to highlight that the reporting on this requirement (or a similar requirement) may more appropriately be included in the output from the Reporting and Disclosure Task Group rather than as part of the ORSA submission.

Further Governance Considerations

The Board and Senior Management are responsible to ensure that the ORSA is administered by personnel with the relevant skills and expertise to do so.

Insurers and insurance groups should explain how the ORSA is used in management of the business and decision making. Entities should also explain how the ORSA is embedded within strategic, operational and risk management processes.

The ORSA should clearly document the assumptions used to assess and aggregate risks and highlight where these are different from those used in the SCR calculation.

An entity should be able to explain and justify:

Methodology and key assumptions used in assessing each risk type

The result of the assessment including sensitivity of the result to key assumptions

Appropriateness of the modelling approach, including how it captures all risk types

Sources of data used in the ORSA and the controls around the integrity of the data

Differences in the valuation bases used for ORSA purposes from that used for purposes of SCR calculations should be clearly identified together with justification and impact of the variances.


Page 23 of 26

A high level reconciliation should be performed between key items used in the ORSA and those corresponding items in the financial statements. Entities should explain key differences between economic capital and financial measures.

Other specific documentation requirements should include, but are not limited to:

Description of areas included in the ORSA

Description of processes conducted in the ORSA and the personnel involved

Stress tests used and their results

Amount of overall solvency needs and the financial condition of the insurer (and group)

Description of the insurer‘s policy on independent assessments, a description of the assessment process and the results of the last assessment

Other key management information that may be useful for decision making purposes

The Task Group recognises the potential need for a document (internal to the insurer) that describes the principles underpinning the process whereby the ORSA is performed and the ORSA report. Thus insurers and insurance groups should develop a policy specifically relating to the ORSA. This policy should form part of the overall policy suite and governance framework. The Task Group will consider developing further guidance on the ORSA policy based on EIOPA level 3 guidance and further Task Group debates.

The ORSA and documentation around the ORSA should be performed in such a way that it can be reviewed with reasonable effort by a third party. Thus the documentation should be complete, accurate and present clear audit trails. Documentation should not be overly and unnecessarily complex.

The independent assessment should include the processes whereby the ORSA has been performed and the report has been compiled. The independent assessment of the ORSA should be performed by persons who do not have specific responsibility for the ORSA process (or section of the process). The results of the independent assessment should be communicated to Senior Management and the Board, who are responsible for the identification and implementation of remedial actions. The implementation of remedial actions should be tracked by Senior Management and the Board. The overall conclusion from the independent assessment should be reported to the Regulator, together with the ORSA report/submission. The detailed findings from the independent assessment, together with the Board and Senior Management‘s responses to these findings should be available to the Regulator upon request.

Regarding the independent assessment, the following principles should apply:

The scope and corresponding timing of the independent assessment of the ORSA should correspond with the related information reported to the Regulator in the relevant statutory returns.

It is also not intended that the independent assessment of the ORSA should duplicate areas subject to independent assurance in the statutory regulatory reports and annual financial statements.

The independent assessment should include an assessment of the process whereby the ORSA has been performed and whether the ORSA policy has been complied with.

The Task Group subscribes to the combined assurance concept introduced by the King III code and thus recognises that the independent assessment can be achieved through a combination of assurance providers.

The Task Group recommends that the ORSA policy explicitly states which areas of the ORSA is subject to independent review and the frequency at which these assessments are


Page 24 of 26

performed. In addition, the assessment report on the ORSA should stipulate the areas of the ORSA that are within the scope of the assessment and the frequency at which these areas are subject to review.

The Task Group recognises that the scope and basis of the independent assessment needs to be refined throughout the SAM programme. Thus this is an area where the Task Group will perform further work.


Page 25 of 26

APPENDIX A

Australian guidance on risk management

GPS 220 requires that insurers have in place a risk management framework that includes certain key elements, to be described in a Risk Management Strategy. The Risk Management Strategy would typically not contain policies or procedures that underpin the risk management framework but may refer to them for illustration purposes.

The process of risk identification, as part of an insurer‘s risk management framework24, would typically be comprehensive and systematic and include a process for updating and re-assessing risks and/or identifying new risks. There are a number of techniques available to an insurer to enable the identification, assessment and quantification of risks and their impact on the insurer‘s operations. Where appropriate, an insurer may typically consider using such techniques as:

self or risk assessment — the insurer assesses its operations and activities against a menu of potential risk vulnerabilities. This process can be facilitated through a workshop conducted by the risk management function and may incorporate checklists or the use of other risk identification tools to identify the strengths and weaknesses of the risk environment;

risk mapping — during this process, various business units, organisational functions, process flows and interdependencies are mapped by risk type. This exercise can reveal areas of weakness and help prioritise subsequent management action; and

risk indicators — risk indicators are statistics and/or metrics, often financial, which can provide insight into an insurer‘s risk position. These risk indicators would normally be reviewed on a regular basis (such as monthly or quarterly) to alert the board to changes that may be indicative of risk concerns.

In the assessment of risks, an insurer would typically indicate the level of confidence it places on the estimations as to the levels of risk. Also, an insurer would typically indicate the assumptions made as part of the assessment and analysis of risks. As a guide, for each identified risk, APRA25 envisages that an insurer would:

assess the inherent impact and likelihood;

decide whether to accept the risk;

identify risk mitigation and control strategies; and

assess the residual risk.

APRA has created a risk rating model called Probability and Impact Rating System or PAIRS. This model directs supervisory attention to entities based on their likely failure rate and on the impact should they fail. (That is, size of the institution is reflected in the impact of failure.)

When performing a PAIRS risk assessment, supervisors make an assessment of the following categories: Board; Management; Risk Governance; Strategy and Planning; Liquidity Risk; Operational Risk; Credit Risk; Market and Investment Risk; Insurance Risk; Capital Coverage/Surplus; Earnings; and Access to Additional Capital.

24

GPG 200 issued July 2008 25

GPG 200 issued July 2008


Page 26 of 26

PAIRS involves an assessment of four key factors:

Inherent Risk – any uncertainty in relation to the business operations of an entity, whether statistically quantifiable or not, that has the potential to affect the financial position of an entity. (Involves supervisory rating of the categories: Strategy & Planning, Liquidity Risk; Operational Risk; Credit Risk; Market and Investment Risk; and Insurance Risk)

Management and Control – encapsulates how an entity identifies, measures, monitors, and controls the risks inherent in its business. The capability of an entity to manage and control inherent risks arises from the underlying policies, practices, systems, and controls established. (Involves supervisory rating of the categories Strategy & Planning; Liquidity Risk; Operational Risk; Credit Risk; Market and Investment Risk; and Insurance Risk)

Net risk – residual risk remaining after taking into account the mitigating effect of management and controls. (Involves averaging of Strategy & Planning, Liquidity Risk; Operational Risk; Credit Risk; Market and Investment Risk; and Insurance Risk ratings. Also involves supervisory assessment of the categories Board, Management, and Risk Governance.)

Capital support – buffer available to absorb unexpected losses. Most regulated entities are required to maintain minimum levels of regulatory capital, but APRA expects such entities to target a level of economic capital that is sufficient to support their particular risk exposures and continuing business needs rather than simply meeting minimum regulatory requirements. (Involves supervisory rating of the categories Capital Coverage/ Surplus; Earnings; and Access to Additional Capital.)

Date post:	06-Mar-2018
Category:	Documents
Upload:	nguyencong
View:	214 times
Download:	1 times

Solvency Assessment and Management: Pillar 2 - Sub ... · PDF fileprinciples to which each...

Documents