FTI CONSULTING SOLUTIONS PAPER

Size: px

Start display at page:

Download "FTI CONSULTING SOLUTIONS PAPER"

Shanon Charles
6 years ago
Views:

1 FTI CONSULTING SOLUTIONS PAPER U.S. NAIC ORSA Read this important solutions paper to gain insights that will help your organization prepare for, implement and optimize the U.S. National Association of Insurance Commissioners (NAIC) Own Risk and Solvency Assessment (ORSA) regulation. The NAIC ORSA regulation is similar to the European Union Solvency II (SII) regulation in that both strive for a uniform framework to establish risk management and controls, capital standards, corporate governance, and disclosure and transparency requirements across borders. NAIC ORSA is tentatively set for full implementation in 2013 in order to be recognized during the 2014 review period. NAIC ORSA will have an immediate impact on U.S. insurers/reinsurers and their subsidiaries. In addition, when fully implemented, by U.S. firms, NAIC ORSA will also help those European insurers/reinsurers with U.S. operations satisfy their SII requirements. 1

2 INTRODUCTION TABLE OF CONTENTS (Ctrl + Mouse click over number to follow link) Introduction... 2 About The Authors... 3 Executive Summary... 4 Our Approach To ORSA... 6 Section One: Establishing the Foundation ERM/ORSA Integrated Management Framework... 7 Foundational Structures Governance Structures Functional/Process Structures Section Two: Implementing and Integrating ORSA Understanding NAIC Objectives 2. Following NAIC ORSA Guidance 3. Establishing Key ERM/ORSA Projects 4. Addressing ERM/ORSA Global Considerations and Challenges Section Three: Technical Considerations Internal Model - Capital Assessment/Management - Use Test Section Four: Integration/Optimization IMF Component Implementation Maps.. 24 Section Five: Future Considerations Achieving Equivalence The Race Against Time - Omnibus II - NAIC Solvency Modernization Initiative - Dodd-Frank Appendix: Tools and Aids A - Risk Tolerance Definitions B - Model Change Policy C - Gap Analysis Click the link below for more information about FTI Consulting, Global Insurance Services group. This solutions paper provides information to help insurers prepare for, implement, and optimize ORSA across their enterprise. Note: In this paper, we use the word "insurer" or "insurance" to refer to insurance and reinsurance companies and other insuring entities as applicable within the topic covered. The Global Insurance Services (GIS) group of FTI Consulting comprises insurance industry experts who support clients with a full range of comprehensive services designed to protect and enhance value actuarial, enterprise risk management (ERM), regulatory compliance, claims engineering, information technology, litigation support, performance improvement, information quality, intellectual property, e-discovery, strategic communications, and transaction advisory. GIS has extensive expertise and experience with ORSA and ORSA-related matters; and has developed an ORSA/ERM Integrated Management Framework (IMF) and methodology that leverages enterprise risk management governance and processes in support of achieving NAIC ORSA objectives. GIS capabilities in support of NAIC ORSA include: 1. Assistance with structuring the GIS framework for ORSA/ERM program management 2. Assessment and Gap analysis of ORSA and risk management capabilities/readiness 3. Support for achieving board and senior management involvement, including risk policies, risk committees, and risk reporting to the board and senior management; assessing risk culture, and addressing other critical risk management requirements 4. ORSA/ERM risk assessments and implementation, including use of the GIS web-based database management tool to identify and manage key risks and controls across the enterprise 5. Model validation and assessment actuarial, economic capital models, market, and credit and related governance structures 6. Assistance with satisfying the internal model use test, including preparing stress and reverse stress testing, pricing, reserving, and return on equity and capital allocation 7. Assistance with development of risk metrics, measurement and modeling, including valuation and enhancements specifically tailored to individual company needs, but reflective of leading industry standards 8. Assistance with achieving data quality and IT infrastructure enhancements to assure efficient support of risk management and reporting functions 9. Assistance with developing risk management processes, including establishing strong linkages between the risk management function and internal auditing in the identification, assessment, response, measurement and control; and reporting of risks throughout the enterprise and, ultimately, to the board 10. Providing support services such as documentation, training, and peer analysis Our solutions paper is organized into five sections. Following introductory material, we discuss the structure and components of IMF, since we believe it is important to first understand the role of IMF in implementing and optimizing ORSA. Sections Two and Three provide detailed information about preparing for and implementing NAIC ORSA, as well as discussions covering important technical considerations. Section Four elaborates on the components of IMF as they relate to integration and optimization of ORSA across the enterprise. Section Five highlights selected regulations having related impacts. The Appendix provides three important forms as examples of some of the tools and aids related to IMF. FTI Consulting, Inc., All rights reserved. 2

ABOUT THE AUTHORS Paul Braithwaite is a senior managing director, FTI Consulting Global Insurance Services, Forensic and Litigation Consulting segment and leader of the Actuarial Services practice.

reinsurance company management to the practice. PAUL BRAITHWAITE, FCAS, MAAA, MBA Senior Managing Director, Global Insurance Services Tel: (212) 499.3659 paul.braithwaite@fticonsulting.com Mr.

underwriting audits, due diligence, finite risk/structured product pricing analysis and regulatory services. Mr.

3 ABOUT THE AUTHORS Paul Braithwaite is a senior managing director, FTI Consulting Global Insurance Services, Forensic and Litigation Consulting segment and leader of the Actuarial Services practice. As the recent President of the Casualty Actuarial Society with 30 years of industry experience, he brings deep knowledge and understanding of actuarial science, underwriting, insurance and reinsurance company management to the practice. PAUL BRAITHWAITE, FCAS, MAAA, MBA Senior Managing Director, Global Insurance Services Tel: (212) paul.braithwaite@fticonsulting.com Mr. Braithwaite has served as appointed actuary to insurance companies, provided expert testimony and dispute resolution support, loss reserve reviews, reinsurance commutations and reserve reviews, underwriting audits, due diligence, finite risk/structured product pricing analysis and regulatory services. Mr. Braithwaite has extensive reinsurance pricing and underwriting experience including the specialty areas of professional liability, workers compensation, umbrella liability, accident and health, agriculture, surety and various other lines of property-casualty business. Mr. Braithwaite has consulted with companies on capital standards for life, health and property-casualty business and has also recently advised a major life insurance group about issues related to a potential strategic acquisition. Allan Kaufman is a managing director, FTI Consulting Global Insurance Services, Forensic and Litigation Consulting segment. Mr. Kaufman is a Fellow of the Casualty Actuarial Society with 40 years experience in actuarial and executive roles, 30 in the United States and 10 in the UK. Mr. Kaufman has worked in the United States, Europe and Asia on all types of casualty insurance actuarial consulting assignments, including expert testimony, ratemaking and rating plans, merger and acquisition analysis, loss reserving, capital analysis, new product development, financial planning, risk assessment, and regulatory issues, including Solvency II and ORSA. ALLAN KAUFMAN, FCAS, MAAA, FIA (Hon), CPCU Managing Director, Global Insurance Services Tel: (212) allan.kaufman@fticonsulting.com Mr. Kaufman s clients have included multi-line primary and reinsurance companies, Lloyd s syndicates and other London market companies, and specialty companies in areas including workers compensation, medical malpractice, professional liability, health, title and warranty insurance. Mr. Kaufman has served as president of the Casualty Actuarial Society and president of the American Academy of Actuaries, and on the boards and a variety of committees of those and other actuarial organizations in the United States and internationally. Jim Toole is a managing director, FTI Consulting Global Insurance Services, Forensic and Litigation Consulting segment. Mr. Toole has over 25 years of international experience in the life, health, and captive insurance industries, including a variety of roles with leading consulting firms and insurance companies. Mr. Toole s background includes risk management, mergers and acquisitions, product development, financial reporting, and regulatory support roles. JIM TOOLE, FSA, CERA, MAAA Managing Director, Global Insurance Services Tel: (336) jim.toole@fticonsulting.com Mr. Toole was editor of the textbook Insurance Industry Mergers and Acquisitions, published by the Society of Actuaries in spring of Mr. Toole served as lead researcher on the Society of Actuaries project to quantify the potential impact of a pandemic on the U.S. life and health insurance industries. In 2009, he became a Certified Enterprise Risk Analyst as a result of his contributions in the field of Enterprise Risk Management. He is currently serving a two year term as Vice President of the Board of Directors of the Society of Actuaries. FTI Consulting, Inc., All rights reserved. 3

4 EXECUTIVE SUMMARY This solutions paper "U.S. NAIC ORSA: Guidance for Implementation and Creation of Optimal Value," from FTI Consulting, Global Insurance Services group, provides information to help insurers prepare for, implement, and optimize their Own Risk and Solvency Assessment (ORSA) defined by the European Insurance and Occupational Pensions Authority in Article 44 of the Framework Directive as: the entirety of the processes and procedures employed to identify, assess, monitor, manage, and report the short and long term risks an insurance undertaking faces or may face and to determine the own funds necessary to ensure that the undertaking s overall solvency needs 1 are met at all times. Although ORSA was first introduced as a regulatory requirement via Solvency II (SII) in Europe, our solutions paper stresses the requirements of ORSA established by the U.S. National Association of Insurance Commissioners (NAIC), which has greater impact on most U.S. insurance companies. However, because of the similarities between NAIC ORSA and SII ORSA, as well as the role that enterprise risk management (ERM) plays in ORSA, our approach enables consideration of those programs as well. However, we firmly believe that ORSA cannot be effectively implemented without the ability to globally manage the governance and technical requirements of integrating risk information and controls across the enterprise. To support ORSA and these requirements, the Global Insurance Services (GIS) group of FTI Consulting has developed an Integrated Management Framework (IMF) as a structure upon which to build an effective ORSA program. Concurrent with implementing ORSA, insurers must also consider the requirements of other regulatory entities. IMF helps address those requirements as well. Our solutions paper covers preparing for, implementing and achieving optimal value of ORSA in five sections and an Appendix that are summarized below. Establishing the Foundation - ERM/ORSA Integrated Management Framework IMF, illustrated in the graphic, comprises critical components that facilitate ERM/ORSA preparedness, implementation and optimization. Foundational Structures include corporate organization; ERM/ORSA charter and program office; external factors; the information technology (IT) infrastructure; culture; communications; education; training; and performance. Governance Structures include internal model governance, risk management governance, and data / IT governance. Functional and Process Components primarily comprise operational components that support ORSA. Preparing for, and executing ERM/ORSA under our IMF model is, for the most part, a top down, non-linear, iterative process comprising projects that address the major functions within the model. The IMF model provides guidance and direction, taking the organization through various stages to final validation and ongoing compliance with regulatory requirements, while transparently informing all stakeholders, including the board, executives, shareholders, and regulators of progress and results. Implementing and Integrating ORSA NAIC ORSA is similar to SII in that both strive for a uniform framework to establish risk management and controls, capital standards, corporate governance, and disclosure and transparency requirements across borders. The primary objectives of the NAIC are to provide for a more integrated insurance market, achieve better protection of policyholders / beneficiaries, improve competitiveness, and improve and promote better regulation. The addition of ORSA broadens those objectives in that the NAIC will now require insurers to complete ORSA annually for each statutory company and at the group level. Upon completion of ORSA, insurers will also be required to submit the results to the NAIC. The primary objective is for insurers to be able to demonstrate that the statutory company and group have enough regulatory and economic capital to cover all of Integrated Management Framework FTI Consulting, Inc., All rights reserved. 4

5 its risks and run its business. The NAIC will expect ORSA to play a significant role in U.S. insurance supervision in three key areas. 1. Group capital assessments will be performed, and examiners and analysts will use ORSA to assess the groups own assessment and management of capital. ORSA will also provide information that supervisors can use when determining supervisory action. 2. Risk management will require the implementation of ORSA as a tool to help supervisors understand the insurer's risks and to determine how risks are managed. 3. The bar will surely raise on an insurer's ERM practices. Technical Considerations Implementing ORSA presents a number of challenges, most of which center around issues related to the ability to leverage ORSA as a driver of performance improvement opportunity, including overcoming silo-based organizational and cultural obstacles, assuring the integrity and effective integration of risk-based information, and demonstrating the ability to manage concurrent enterprise-wide projects, to name a few. Technical considerations center on the internal model, capital assessment and management, and execution of the use test, all of which require a high degree of technical expertise and experience, complemented by appropriate technology tools and systems. Integration and Optimization: IMF Component Implementation Maps We have provided a series of graphic representations that help illustrate how ERM/ORSA components and processes are interrelated in a typical implementation. The functional components depicted on the example charts are structured as cycles in four major layers strategy, process, infrastructure, and environment. Each layer is expanded to display a list of objectives or deliverables related to the respective components within the respective cycle. These charts help demonstrate the completeness and efficacy of our IMF approach, and serve as an additional guide for structuring ORSA implementation. Future Considerations It is apparent that global financial regulatory harmonization is continuing, and that the myriad of regulations will require insurers to have a unified approach to implementation and management of multiple regulations. While it is beyond the scope of this paper to address all the various financial regulatory matters, we have highlighted four that deserve attention; Achieving Equivalence, Omnibus II, the NAIC Solvency Modernization Initiative, and Dodd- Frank. Achieving Equivalence: It seems likely that the United States will achieve SII equivalence when the time comes for it to do so. However, insurers must address significant organizational and other issues in order to ensure that they are prepared to meet the requisite criteria associated with equivalence. Omnibus II: The Omnibus II directive of the European Commission, is intended to make SII consistent with the European regulatory architecture for financial supervision. Omnibus II contains the process for draft technical standards produced by EIOPA to be adopted by the European Commission. Solvency Modernization Initiative: The NAIC Solvency Modernization Initiative is a critical self-examination of the U.S. insurance solvency regulation framework, and includes a review of international developments regarding insurance supervision, banking supervision, and international accounting standards and their potential use in U.S. insurance regulation. Dodd-Frank: A key provision of Dodd-Frank is the establishment of the Federal Insurance Office Act of 2010 (FIO), which focuses on the insurance industry, and is designed to play a prominent role in oversight and coordination between the United States and international insurance markets. Tools and Aids We have provided three sample documents Risk Tolerance Definitions, Model Change Policy, and Gap Analysis that are representative of the tools and aids applicable within the IMF approach. Summary IMF is a proven approach to addressing the important structures and processes essential to large-scale, enterprise-wide program success. Application of IMF to the implementation and optimization of ORSA, and specifically NAIC ORSA, provides an opportunity for insurers to improve their risk management performance, and thus their prospects for long term sustainability. Therefore, it seems evident that adoption of IMF as a foundation for implementing ORSA, with its inherent benefits, could facilitate preparedness and compliance with respect to other regulatory requirements as well. FTI Consulting, Inc., All rights reserved. 5

6 OUR APPROACH TO ORSA ERM/ORSA Integrated Management Framework... 7 Implementing and Integrating ORSA Technical Considerations IMF Component Implementation Maps Future Considerations Tools and Aids In attempting to gain optimum value from ORSA, it is helpful to understand that ORSA is only one component indicative of the shift toward integrated financial and risk management, i.e., enterprise risk management. Other business imperatives are also driving financial and risk integration. We are advocates of an ORSA framework and process that is fit for purpose, that reveals the benefits of ORSA, and that enables support of ORSA by all stakeholders, including board members, management, staff, investors, and creditors. Our solutions paper is intended to inform and educate readers regarding the issues and requirements related to preparing for, and gaining optimum value from implementation of NAIC ORSA. In this paper, we use the term, "ORSA" or "NAIC ORSA" when referring to regulatory matters, and the term, "ERM/ORSA" in discussions referring to our Integrated Management Framework (IMF), simply because we believe that enterprise risk management and an integrated management framework are essential for implementing and achieving ORSA objectives. In setting forth our approach and recommendations, we have assumed that most U.S. organizations are in the early stages of developing their ORSA program; and that EU operations, regardless of whether or not they have a United States presence, are well on their way to creating their own ORSA program as part of their SII initiative. We believe that international organizations that are required to perform ORSA, as part of either their EU regulatory requirements or their U.S. NAIC requirements, would be wise to leverage their efforts in satisfying the requirements of both regulatory regimes. We have also assumed that some planning and assessment has started, including Gap analysis, and that steps have been taken toward implementation. However, regardless of where your organization is in the process, we believe you will find this solutions paper informative and useful. In attempting to gain optimum value from ORSA, it is helpful to understand that ORSA is only one component indicative of the shift toward integrated financial and risk management, i.e., enterprise risk management. Other business imperatives are also driving financial and risk integration. In addition, ORSA will be an important component of the transition toward harmonization of global regulatory standards for corporate financial and risk governance, a movement that will continue to impose significant changes within the corporate organization its culture, its information infrastructure, and its risk management practices, particularly with the parallel implementation of SII and other financial regulations. It is within this broader context that we have developed and applied our Integrated Management Framework to assist companies in preparing for, and gaining optimum value from ORSA. Our approach to IMF is an outgrowth of our extensive experience in large-scale enterprise programs, tailoring that experience to the specific requirements of ERM/ORSA. We are advocates of an ORSA framework and process that is fit for purpose, that reveals the benefits of ORSA, and that enables support of ORSA by all stakeholders, including, board members, management, staff, investors, and creditors. As important, we believe there are three key principles that insurers should follow; especially those global insurers that must satisfy the overlapping requirements of SII, ORSA and ERM as a result of being under multiple regulatory and rating agency regimes. 1. Proportionality: The framework and process are practical, fit for purpose, and proportional to the size and risk profile of the insurer. 2. Commonality and Differences: Although there are many similarities between NAIC ORSA and SII ORSA, there are also significant differences. insurers will benefit from the early identification of these commonalities and differences between the two regulatory regimes and from developing plans that address both. 3. Duplication: Although there are still unresolved questions regarding some of the requirements under NAIC ORSA and SII ORSA, insurers should leverage the work and initiatives performed to date, taking into account the plans developed as mentioned above. u FTI Consulting, Inc., All rights reserved. 6

7 SECTION ONE: ESTABLISHING THE FOUNDATION ERM/ORSA INTEGRATED MANAGEMENT FRAMEWORK OVERVIEW ERM/ORSA Integrated Management Framework... 7 Implementing and Integrating ORSA Technical Considerations IMF Component Implementation Maps.. 24 Future Considerations Tools and Aids We firmly believe that ORSA can only be effectively implemented when established upon a firm foundation that enables integration of risk management structures and processes across the enterprise. Our Integrated Management Framework has been designed to accomplish that objective. Figure (1) below depicts a graphic representation of our ERM/ORSA Integrated Management Framework model showing the various components and functional entities addressed within the model. The intent of the graphic is to provide a point of reference during our discussion of IMF, and to indicate how these entities are interrelated. Figure (1) INTEGRATED MANAGEMENT FRAMEWORK FTI Consulting, Inc., All rights reserved. 7

8 ERM/ORSA Program Office The ERM/ORSA Program Office is especially important since ERM/ORSA is composed of separate projects each with distinct resources, tasks, schedules, deliverables, and issue resolution requirements and accountability that need to be continuously synchronized in accord with corporate objectives and goals. An ERM/ORSA Program Office is essential to the overall governance of ERM/ORSA, and serves as the primary interface for regulators and other stakeholders. The ERM/ORSA Program Office and the program director (ERM/ORSA PD) are chartered by the board with responsibility and accountability for establishing ERM/ORSA projects in concert with applicable business/organizational units. Reporting to the board of directors, the ideal ERM/ORSA PD would currently hold the position of chief risk officer, chief financial officer or senior managing actuary; would have an excellent understanding of information systems and tools, especially those related to risk management and ORSA; and would have the experience and skills for managing large-scale projects. The ERM/ORSA PD ensures that projects are funded, that resources are available, and that generally accepted project management standards and practices are in place and complied with. Also, the ERM/ORSA PD establishes goals and objectives, task definitions, schedules, deliverables, controls, issue resolution, and reporting requirements of the respective projects. These are accomplished in concert with project teams and in accord with ORSA regulatory mandates, and corporate strategies, goals and objectives. The ERM/ORSA PD also serves as a central point for communication and reporting to the board and executive management, and, at executive and board direction, to other stakeholders on ERM/ORSA matters. If an ERM/ORSA Program Office does not currently exist, it is important to establish one, and to ensure that specific projects are established in line with the critical functions comprising ERM/ORSA, even if they are already underway on an informal, ad hoc basis. Preparing for, and executing ERM/ORSA under our IMF model is for the most part, a top down, non-linear, iterative process comprising projects that address the major functions within the model. The IMF model provides guidance and direction, taking the organization through various stages to final validation and ongoing compliance with regulatory requirements; while transparently informing all stakeholders, including the board, executives, shareholders, and regulators of progress and results. As stated earlier, although your organizations will have started, or may have completed some of the projects covered, we believe you will benefit from applying our approach and recommendations to your remaining projects, including ongoing projects related to capital optimization. CRITICAL COMPONENTS WITHIN THE INTEGRATED MANAGEMENT FRAMEWORK ERM/ORSA comprises several critical components that facilitate ERM/ORSA implementation and optimization. Foundational Structures include corporate organization; ERM/ORSA charter and program office; external factors; the IT infrastructure; culture; communications; education; training; and performance. Governance Structures include internal model governance; risk management governance: and data / IT governance. Functional/Process Components primarily comprise ORSA processes, which are highlighted in this section and discussed more fully under "Section Two: Implementing and Integrating ORSA." FOUNDATIONAL STRUCTURES 1. Corporate Legal and Organizational Structure The whole is more than the sum of its parts. ORSA regulators and rating agencies view ORSA from a holistic perspective, expecting a seamless process that provides risk and capital transparency throughout the organization including holding companies, parent companies, subsidiaries, divisions and groups within divisions. This implies that insurers need to implement a hierarchical, top-down approach to ORSA that is relatively seamless and closely managed, enabling visibility of the aggregate impact of risk/capital decisions. The ERM/ORSA IMF model is ideally suited to this imperative since it can be replicated at any level, thus ensuring consistency and integrity throughout the organization. However, to reiterate earlier points and themes, ORSA must be practical and implementable and most important, it must be fit for purpose and proportional to the insurer s size and risk profile. ORSA will be ineffective if it is treated as a regulatory exercise and is bogged down in bureaucracy. 2. Board/Executive Charter and Program Office The board and executive management should have the ultimate responsibility and accountability for ERM/ORSA. This includes commitment to, and authorization and support for the ERM/ORSA Program Office and the ERM/ORSA projects. (See sidebar, "ERM/ORSA Program Office.") The board and executive officers are also responsible and accountable for setting examples that guide corporate culture and the conduct of individuals throughout the organization; as well as identifying and meeting the needs of other stakeholders that have an interest in regulatory compliance, including employees, shareholders, customers, trading partners, regulators, and government entities. 8

9 Based largely on failures of the past, regulators are fully aware of the importance culture plays in achieving ERM/ORSA objectives, and accordingly, are prepared to evaluate and penalize firms that do not demonstrate a strong risk management culture. Creating an appropriate ERM/ORSA culture begins with the tone set by the words and actions of senior leadership, followed by programs to educate and train management and employees, and to continuously communicate the value of risk-based behavior. 3. External Factors ERM/ORSA is implemented taking into account current and future marketplace factors, including financial risk; demographics; customer needs; social/political issues; competition; regulatory and government requirements; and various physical threats and risks. Information regarding these factors contributes to the aggregate business intelligence (BI) of the organization. How well this information is gathered, synthesized, analyzed and used to help manage risk and capital depends heavily on the capabilities of the organization both in terms of people and technology. Recognizing this imperative, organizations should ensure that BI technology is in place, with integrated data supporting the ERM/ORSA risk management process, and that people are trained in BI and data management. 4. Organizational Culture Effective ERM/ORSA implementation demands a risk-centric culture in which the norms of behavior include proactive responsibility for risk management appetites, thresholds, identification, analysis, mitigation and reporting embedded within individual and group standard practice, and ultimately reflected in performance. Based largely on failures of the past, regulators are fully aware of the importance culture plays in achieving ERM/ORSA objectives, and accordingly, are prepared to evaluate and penalize firms that do not demonstrate a strong risk management culture. It should also be noted that this cultural imperative will likely take precedent over sophisticated technology and systems, especially since it has been demonstrated that factbased judgment by individuals is the most critical factor in risk decision making. 5. Communication, Education and Training Creating an appropriate ERM/ORSA culture begins with the tone set by the words and actions of senior leadership, followed by programs to educate and train management and employees, and to continuously communicate the value of risk-based behavior. This is best achieved using a top down approach in which high-level business strategies and goals are defined, then translated into subordinate goals and objectives within and throughout the organization and within the various ERM/ORSA projects. Education and training programs should focus on how these strategies, goals and objectives are achieved within the practical work environment when applying technology, tools, systems, and methodologies to make decisions that satisfy ERM/ORSA requirements. Working to achieve and sustain this cultural alignment to realize desired performance is a continuous process requiring the ongoing commitment and support of senior leadership. GOVERNANCE STRUCTURES When applied to corporations, the term governance typically refers to the set of laws, rules, policies, and processes that guide and control how the corporate entity is directed and administered. In this context, corporate governance is primarily focused on legal issues and is essentially a function of the board and its committees and the executive office. However, within the context of ERM/ORSA IMF, governance is more operational, providing guidance, compliance assurance, and oversight of the overall ERM/ORSA program, as well as major segments of the program specifically internal model governance, risk management governance, and data and IT governance. The overarching governance function is essentially performed by the ERM/ORSA PD (as outlined in the sidebar, "ERM/ORSA Program Office"), to ensure implementation and optimization of ERM/ORSA in compliance with ORSA regulatory directives and corporate strategies, goals and objectives. 9

10 At the heart of ERM/ORSA risk management is a clear understanding, at every level within the organization, of risk appetite how it is determined, interpreted and applied within business processes to make riskrelated decisions, and how those decisions are aligned with the business strategies, goals and objectives of the organization. Information cannot be reliable if the underlying data used to create it is not reliable. Therefore, the focus of any information quality assurance effort must be on the integrity of information sources and processing, including chains of custody. Key components such as risk management, data/it, and the internal model comprise a high degree of technical issues, and so are governed using program and project methodologies through the ERM/ORSA PD. 1. Risk Management Governance Risk management comprises a continuum of integrated processes: identifying, measuring, and analyzing current and emerging risks; setting risk appetites; ensuring mitigation; and monitoring and reporting results. This requires support of complementary information systems, as discussed below under topic 2, Data and IT Governance." However, at the heart of ERM/ORSA risk management is a clear understanding, at every level within the organization, of risk appetite how it is determined, interpreted and applied within business processes to make risk-related decisions, and how those decisions are aligned with the business strategies, goals and objectives of the organization. Establishing risk appetites in essence involves strategic decisions that must be thoroughly understood and endorsed by the board as a corporate governance function. This means that the board and executive management must have sufficient strategic and operational intelligence about the marketplace, the business, and the ERM/ORSA program. Once risk appetites are defined, the board, through the ERM/ORSA PD must establish policies, procedures and controls that enable all levels of the organization to identify, measure, monitor and mitigate risk, and report on risk-related matters. The operational governance component for risk management is carried out through the ERM/ORSA PD, with a primary focus on the ORSA process, as discussed on page 13, "Functional and Process Structures." 2. Data and IT Governance The IT infrastructure and information systems and tools of most organizations are dynamic, continuously undergoing maintenance and upgrades in response to changing requirements. Although most organizations have in place structures to help manage and control their IT environment, IMF requires that organizations establish a separate data and IT governance structure for ERM/ORSA. This governance structure is essential for ensuring that data and the various information technology tools related to risk management decision-making meet quality standards, and that policies, procedures and controls are in place in support of those standards. Only when data quality standards are met can data be trusted, and only when data is trusted can it be used with confidence for decision making. The terms "data" and "information" are often used interchangeably within organizations to refer to the content of databases and files structured and unstructured content respectively. To be precise, data comprises the building blocks of information. Nevertheless, it should be understood that information cannot be reliable if the underlying data used to create it is not reliable. Therefore, the focus of any information quality assurance effort must be on the integrity of information sources and processing, including chains of custody. Because of the scope and complexity of electronically stored information and its sources, information assurance and integration can only be accomplished through a governance framework applied and complemented by information management technology. Primary desirable characteristics of the governance framework and of the information management technology as applicable to ORSA are outlined below. 2.1 Risk Information Governance Framework - Identification of all sources, custodians, and applications for information related to risk decision making (risk-based information or RBI) - Definition of policies and procedures for RBI lifecycle requirements data sources, processing (including specific applications), storage, retention, and destruction 10

11 As the NAIC and rating agencies raise the bar for ERM and ORSA, we believe that insurers would be well-served to use as a principle guide when implementing ORSA, the six tests EU insurers must pass Use Test; Statistical Quality Standards; Calibration Standards; Profit and Loss Attribution; Validation Standards; and Documentation Standards. Regulators consider the process of ORSA as important as the output of ORSA, and view ORSA as an internal assessment process of the enterprise, as well as a supervisory tool for regulatory authorities. - Definition of RBI quality standards security, accuracy, completeness, relevancy, and reliability - Description of methodology and technology used to cleanse, condition and integrate RBI for specific applications, including aggregations for ORSA modeling - Controls, including technology and processing validations, integrity checks and audits 2.2 Risk Information Management Technology Technology that facilitates the management of RBI comprises a combination of systems that enable many of the governance requirements defined above, as well as: - Security of network, hardware, applications, and storage of electronically stored information across the RBI lifecycle - Management of custodian requirements and information, including security and mapping of custodian/rbi transactions and threads - RBI transaction logging and/or tracing for integrity checks and audits - E-discovery system for identifying sources and relevance of RBI 2 - System for information extraction, cleansing, conditioning, and loading of RBI into risk data vaults for aggregation and processing - Business intelligence system for processing RBI and creating information used in specific ORSA applications such as models The ERM/ORSA PD, working closely with the IT team, establishes and executes the requirements of the governance framework for RBI. Concurrently, the IT team takes the necessary measures to ensure that applicable information technology systems and tools are functioning to facilitate risk information quality assurance and integration. 3. Internal Model Governance There is no specific definition of an internal model. The only guidance on the subject was provided by the Bermuda Monetary Authority and the International Association of Insurance Supervisors, which was based on the Groupe Consultatif/CEA Glossary, which stated: [An internal model is] a risk measurement system developed by an insurer to analyse its overall risk position, to quantify risks and to determine the economic capital required to meet those risks. Internal models may also include partial models which capture a subset of the risks borne by the insurer using an internally developed measurement system which is used in determining the insurer s economic capital (IAIS, 2008). There are six tests that the internal model must meet under SII in the EU. It would seem prudent that these same tests apply when implementing ORSA and when using the internal model as part of ORSA in the United States. However, in the United States, there is no requirement for insurers to obtain approval for the internal model from regulators. However, as the NAIC and rating agencies raise the bar for ERM and ORSA, we believe that insurers would be well served to use the six tests as a principal guide when implementing ORSA. The tests that EU insurers must pass include the use test; statistical quality standards; calibration standards; profit and loss attribution; validation standards; and documentation standards. We recommend that the ERM/ORSA PD address the above definition and test requirements in clear and concise policies, procedures, and controls that capture the full spectrum of the risk assessment and management process. This implies that the risk assessment and management process itself must take into account the above definition and test requirements. This is not circular logic. Rather, it is an indication of the integration and linkages that are inherent in IMF. Accordingly, the ERM/ORSA PD must first map these processes and linkages in order to develop appropriate governance documents. The internal model is discussed in more detail under the "Section Three, Technical Considerations, on page 19." 11

12 Operational Risk: Its Role and Importance for ERM/ORSA Success Insurers have typically viewed operational risk as having much less impact than financial risk. Accordingly, operational risk has traditionally been given lower priority within the industry. However, recent events have demonstrated that operational risk comprises critical components that individually and collectively contributed to systemic exposures underlying disruption of global systems and markets. These critical components of operational risk include categories such as people, processes, systems, legal, physical, and environmental; and span a broad range of functions, including the quality of underlying information; the integrity of processing systems (models, databases, applications, and transactions) and outputs; business and regulatory practices and requirements (as well as non-compliance issues); and the protection and pricing of assets. Operational risk exposures have increased in concert with the increased complexity of products and the increased complexity and volatility of the marketplace, thus increasing pressure on insurers to maintain solvency. In order to deal with these increased threats to solvency, insurers need to better understand the individual components of operational risk, how they interact to satisfy business goals and objectives, and their individual and collective impact on strategic and financial risk, especially as it relates to ORSA requirements. This imperative is made more difficult because most operational risk is qualitative in nature and not easily converted to quantification for measurement and modeling. This constraint can be overcome however, by use of methodologies and software tools specifically designed to identify processes, events, and discrete, measurable components of operational risk (key risk indicators) so they can be measured and monitored, and losses mitigated and controlled. Use of operational risk management methodologies and software also support ORSA by facilitating business process modification and self-assessments. FUNCTIONAL/PROCESS STRUCTURES ERM/ORSA processes within IMF are essentially actuated through projects of various size and complexity, most of which are active concurrently. Major processes such as ORSA will require the completion of other projects or tasks that may begin concurrently with the inception of the ORSA program. When viewed in their entirety, ORSA processes should be considered as complementary to enterprise operational risk management, as discussed in the accompanying sidebar, "Operational Risk: Its Role and Importance for ERM/ORSA Success." All projects within an enterprise-wide program should adhere to generally accepted project management methodologies and standards, including policies, procedures, documentation, and reporting transparency. Reliability of project outcomes is dependent on the integrity of the respective project process. Accordingly, it should be noted that regulators consider the process of ORSA as important as the output of ORSA, and view ORSA as an internal assessment process of the enterprise, as well as a supervisory tool for regulatory authorities. ORSA Processes ORSA is all about own risk and solvency assessment, with a greater emphasis on the term own. It s not about someone else s ORSA. Since the NAIC will not create a template or a fill-in-the-blanks schedule, it seems reasonable to infer that the NAIC expects insurers to create their own risk and solvency assessment. In our view, and as stated in Article 44 of the Framework Directive and subsequent CEIOPS ORSA Issues Paper, ORSA should be viewed as a core element and key driver of ERM; accomplished as an integral part of business operations while taking into account six guiding principles ORSA is the responsibility of the undertaking and should be regularly reviewed and approved by the undertaking's administrative or management body. 2. ORSA should encompass all material risks that may have an impact on the undertaking's ability to meet its obligations under insurance contracts. 3. ORSA should include processes and methods used for monitoring risk and include risk tolerance statements. 4. ORSA should be based on adequate measurement and assessment processes and form an integral part of the management process and decision making framework of the undertaking. 5. ORSA should be forward-looking, taking into account the undertaking's business plans and projections. ORSA should not only be linked to risks over the short term, but should also be geared towards the risks the business is exposed to and the risk preference of the board. 6. ORSA processes and outcomes should be appropriately evidenced and internally documented as well as independently assessed. ORSA processes, as interpreted and implemented under our ERM/ORSA IMF model, are designed to meet the objectives of the NAIC, but could also be used to satisfy the SII regulatory requirements by specifically focusing on the integration and management of seven key ERM/ORSA functions performed within the organization. - Risk strategy (appetite) - Risk identification and risk registers - Risk policies (tolerances/limits/mitigation) - Departmental actuating policies and procedures - Internal models and allocation of capital - Board and senior management review and input - Execution of business plans ORSA processes are discussed more fully in Section Two: "Implementing and Integrating ORSA" on the following pages. 12

13 SECTION TWO: IMPLEMENTING AND INTEGRATING ORSA ERM/ORSA Integrated Management Framework... 7 Implementing and Integrating ORSA...13 Technical Considerations...18 IMF Component Implementation Maps...24 Future Considerations...28 Tools and Aids...32 Transparency and Confidentiality Although implementation and selfassessment of the ORSA program will serve the industry well, it could conceivably result in the inadvertent disclosure of closely guarded strategies and confidential information that an insurer is not required to disclose. Even though full disclosure and transparency go hand in hand, care must be taken by all stakeholders, including the NAIC to ensure that handling of all information protects confidentiality until such time that an insurer is prepared to disclose information voluntarily or as may be required by regulatory or legal authority. 1. UNDERSTANDING NAIC OBJECTIVES As stated on the cover, NAIC ORSA is similar to SII in that both strive for a uniform framework to establish risk management and controls, capital standards, corporate governance, and disclosure and transparency requirements across borders. The NAIC primary objectives are to provide for a more integrated insurance market, achieve better protection of policyholders and beneficiaries, improve competitiveness, and improve and promote better regulation. The addition of ORSA broadens those objectives in that the NAIC will now require insurers to complete ORSA annually for each statutory company and at the group level. Upon completion of ORSA, insurers will also be required to submit the results to the NAIC. The primary objective is for insurers to be able to demonstrate that the statutory company and group have enough regulatory and economic capital to cover all of its risks and run its business. The NAIC will expect ORSA to play a significant role in U.S. (re)insurance supervision in three key areas. 1. Group capital assessments will be performed and examiners and analysts will use ORSA to assess each group's own assessment and management of capital. ORSA will provide information that supervisors can use when determining supervisory action. 2. Satisfying risk management objectives will require the implementation of ORSA as a tool to help supervisors understand the insurer's risks and to determine how risks are managed. 3. The bar will surely raise on an insurer's ERM practices. There are many benefits that insurers can derive from ORSA. However, to achieve ORSA optimization insurers need to understand that an effective ORSA is proportional to the respective insurers size and own risk profile. The NAIC recognizes that ORSA may not be completely beneficial to some insurers, and accordingly, has stipulated that an insurer and/or an insurance group shall be exempt from the requirements of ORSA, if: a. The individual insurer s annual direct written and unaffiliated assumed premiums, including international direct and assumed premium excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, is less than $500 million, and; b. The insurance group s (all insurance legal entities within the group) annual direct written and assumed premium, including international and direct assumed premium but excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program and excluding affiliated reinsurance premium, is less than $1 billion. 2. FOLLOWING NAIC ORSA GUIDANCE Insurers will be expected to conduct ORSA on a regular basis in order to assess the adequacy of their risk management and solvency position; internally document the process and results; and provide a high level summary report annually to the domiciliary supervisor, if requested. The frequency of conducting ORSA could depend on the size or complexity of the insurer as well as the insurer's own risk profile. For example, a midsize property catastrophe insurer may desire to perform ORSA on at least a quarterly basis during hurricane season. 13

14 The NAIC Guidance Manual 4 requires an ORSA Summary Report comprising three sections. The ORSA Summary Report should help in determining the level of analysis and examination procedures that will need to be performed by the supervisors. Please note that these requirement are addressed in our IMF model. Perhaps more important than meeting regulatory requirements, successful execution of ERM/ORSA provides opportunities for organizations to improve their risk management capabilities. ORSA non-compliance issues on the other hand, may expose organizations to potential risks and liabilities. Therefore, it is important that boards, management and their counsel understand and be prepared for all ORSA requirements and related issues. ORSA is about an insurer's own risk and own solvency For ORSA to be objectively evaluated, it must be management s own work and reported in management s own words. Section 1 Summary of the Risk Management Framework and Policies These should be aligned with the principles listed below. (Note: These principles are similar to those listed on page 13 that are from Article 44 of the Framework Directive and subsequent CEIOPS ORSA Issues Paper.) Risk appetite, tolerances and limits The risk tolerance definition can be a statement on the desire of the board and management to maximize its risk-adjusted returns over the long term. Risk tolerances and risk limits can be prescribed that set specific hard limits around the amount of capital the insurer is willing to lose after certain modeled event(s). For example, an insurer may not want to lose 20% or 25% or more of its capital on U.S. and Non-U.S. elemental risks on either a 1/100 or 1/250 year event. Risk culture and governance The tone must be set at the top by the board and management. An effective way to demonstrate a strong risk and governance culture is through the risk and controls process that can include regularly updated risk registers, a controls affirmation process, and a robust reporting process that involves the board, management, staff and the risk, underwriting, credit, and investment committees. Risk identification and prioritization Insurers should develop processes to identify and prioritize risks. An effective process, for example would include identification of an emerging risk, while the ranking and prioritization would recognize probability and severity before and after the application of key controls. Risk management and controls Insurers must establish and demonstrate that an effective internal control system is in place. The internal control system is the means by which the insurer's resources are directed, monitored and measured. The control system could include enterprise and departmental sets of policies and procedures that specifically address risks within functions such as accounting and information systems for example. Risk management and control systems should be combined with an effective communications process. Risk reporting and communication The reporting and communication process could include the results from the regularly produced internal model as measured against the board approved risk tolerances and any other non-modeled risk tolerance that needs to be reported. The reporting of the information could be provided in a risk dashboard format submitted to, board members, management and management committees, and others as may be required. However, as we have previously stated, ORSA is about an insurer's own risk and own solvency, and for it to be objectively evaluated, it must be management s own work and in management s own words. We discussed the interpretation/application of these principles in Section One: "Establishing the Foundation ERM/ORSA Integrated Management Framework," on page 8, and elaborate further in Section Three: "Technical Considerations," starting on page 19. Section 2 Insurers Assessment of Risk Exposures This process documents management s quantitative, or where quantitative assessment is not feasible, the qualitative assessment of risk exposures in normal stressed environments. We understand that insurance examiners and NAIC analysts will use ORSA to assess the groups own assessment and management of their capital at a group or holding company level. ORSA is not intended to set a group capital requirement, but instead, will be used to provide information to the supervisors that will enable supervisory action. 14

15 At a minimum, Section 2 should include: Details of risks identified, measurement approaches, and assumptions could include a comprehensive set of risk registers that include identified risks, key controls and a risk scoring approach that includes the likelihood and severity impact. Stress testing, reverse stress testing analysis, and their subsequent impact on available capital considering multiple view points if relevant. Results and impact of plausible outcomes. This could include realistic disaster scenarios, impact of multiple natural catastrophes, or a major terrorist event that has a significant economic consequence. Insurers with strong ERM frameworks considered comprehensive enough for their risks may not require the same scope or depth of review, or minimum timing for a risk-focused review, as those insurers with less comprehensive ERM frameworks. Section 3 Group Risk Capital and Solvency Assessment This process requires that insurers explain how their risk assessment will be used to establish the financial resources the company requires to achieve its business objectives over its planning cycle considering normal and stressed conditions. The assessment could include: Definition of solvency could reflect a cash flow or balance sheet basis. If a balance sheet basis is used, the NAIC would probably require the basis of accounting that was employed. Insurers with global presence should consider leveraging regulatory requirements of other supervisors and their internal processes in establishing solvency levels. As an example, the minimum capital requirements (MCR) and solvency capital requirements (SCR) under SII. Time horizon of risk exposure such as one year to lifetime. As an example, under SII, the time horizon is one year. Risk quantification will need to be described and could include stress testing, stochastic modeling or factors utilized in the quantification, as well as the methodology of group capital across insurance legal entities. Risk to be modeled must be described and could be classified as material or immaterial. For example, insurers could model their economic capital requirements using a value-atrisk measure calibrated to a 99.5% confidence level over a one-year time horizon. The economic capital requirements could cover all risks that an insurer faces (e.g., insurance, market, credit and operational risk) and should take full account of any risk mitigation techniques, such as reinsurance and securitization applied by the insurer. Measurement metrics must be described, such as value-at-risk in percentile, tail value-atrisk, and probability to ruin. Again, it would be prudent to leverage other similar risk metrics required by other supervisors if possible. Target level of capital will need to be described. Insurers could set their risk tolerances at a 99.5% confidence level for a modeled event. An appropriate risk tolerance would be one where the insurer maintained the regulatory minimum capital requirements and a sufficient amount of capital above that in order to obtain/retain its targeted ratings from the ratings agencies should the modeled event(s) occur. Diversification benefits should be considered and included in the summary report. Diversification can come from changing the risk exposure, such as product line mix, reinsurance mechanisms, and the structure of the organization. The more complex an insurer, the more detailed risk analysis and documentation may be required in the report. Insurers with strong ERM frameworks that are deemed comprehensive enough for their risks may not require the same scope or depth of review, or minimum timing for a risk-focused review, as those insurers with less comprehensive ERM frameworks. 15

16 3. ESTABLISHING KEY ERM/ORSA PROJECTS As stated earlier under the discussion of our IMF model, one of the first requirements of the board and/or CEO is designation of an executive sponsor who is capable of evangelizing the ERM/ORSA program, and who has responsibility for establishing the ERM/ORSA program office and for appointing an ERM/ORSA PD. After organizing the ORSA team, one of the next requirements of the ERM/ORSA PD is the establishment of projects that actuate the ERM/ORSA program. Selected key projects are listed below in no specific order. Appoint ERM/ORSA Team A small group of individuals should be formed, each of whom represent the major critical functional areas of underwriting, actuarial, investments, reinsurance, finance, operations, and compliance. This group, led by the ERM/ORSA PD, has responsibility for project planning, implementation and execution. Establish Governance Structure This must be in place In Figure (5) "ERM/ORSA Strategy Level Framework" on page 27, we have provided an example of a suggested approach to establishing a risk and governance structure. Our example elaborates on each component of the infrastructure layer including the organization and people, limits and controls, methodologies and models, systems, data, policies, reporting and planning. Develop ERM/ORSA Plans These are detailed project plans, identifying resources, tasks, schedules, deliverables, issues and reporting and communications. Establish Risk Culture Continuous guidance and communication on the importance of risk management need to be developed to ensure the adoption of a risk culture throughout the organization. Prepare Risk Appetite Statement The risk appetite statement is a board approved statement on the level of risk the firm is willing to take. Risk tolerances are also board approved and usually define or limit the minimum tolerance level for a particular risk. Appendix A, "Risk Tolerance Definitions" on page 32, contains a sample of a risk tolerance statement and several risk tolerances that an insurer could consider. Develop Risk Policies There are any number of policies that should be written, but the most important include ORSA, underwriting, investment, capital management, internal model governance, internal model change, credit, and liquidity. Appendix B, "Model Change Policy" on page 34, includes a suggested template and an example of an Internal model change policy. Identify Risk Categories Examples include compliance, strategic operational, insurance, credit, and liquidity. Establish Risk Tolerances Risk tolerances could range from the minimum capital requirement needed to achieve/retain an A.M. Best rating of A or A- to the capital needed to withstand a natural catastrophic event for wind and earthquake (1/100 and 1/250 respectively). Other risk tolerances could include consideration for the investment portfolio mix (quality of assets) and duration. Risk tolerances could also be designed around the economic versus regulatory capital requirements. Finally, the board and management must set the amount of capital headroom that is required to run the business. See Appendix A, "Risk Tolerance Definitions" on page 32, for sample risk tolerances. Identify Highest Rated Risks The company should identify and report quarterly to the board the highest rated risks the firm faces. This will require a consistent view of risk across the enterprise and how risks are identified throughout the organization The use of risk registers and a consistent risk scoring methodology is recommended. This will require an objective self-assessment. Perform ERM/ORSA Gap Analysis This should be performed immediately. Appendix C, "Gap Analysis" on page 37, contains a sample page of a suggested ORSA Gap Analysis template. 16

17 ERM/ORSA Challenges ERM/ORSA implementation and optimization requires comprehensive planning that takes into account a myriad of competing business requirements and priorities. However, done correctly, ERM/ORSA can create significant opportunities for competitive advantage. Summarized below are what many experts consider the key challenges. Fully understanding the requirements and implications of ORSA and the expectations of regulators Developing the linkage between business strategies and financial and operational risk management Viewing ERM/ORSA as an opportunity, not simply as a compliance burden Developing legal structures that enable tax and capital optimization Focusing on achieving business performance improvement concurrent with ERM/ORSA compliance Developing an ERM/ORSA roadmap and identifying and prioritizing resources, projects and tasks Demonstrating the ability to manage concurrent enterprise-wide projects Institutionalizing a risk-ownership culture at all levels throughout the extended enterprise Integrating risk management into daily decision making Identifying and leveraging synergies among various regulatory requirements and among multiple business units Overcoming silo-based organizational and cultural obstacles Ensuring the use of quality information for risk-related decision making Satisfactorily performing the use test Achieving sufficient detail from ERM/ORSA information so as to gain insights that enable competitive differentiation Reconciling differences in how risk is viewed within accounting standards and how risk is viewed by ORSA Eliminating inherent model risk Create Risk Dashboard This serves as a primary reporting and communication vehicle serving the leadership team and the board of directors. Create Stress and Reverse Stress Testing Processes and Methodologies This will require the engagement and involvement of the board on at least an annual basis. Charters must be developed and board approved for each of the board committees so that the responsibility of each committee is clearly understood. Create Methods for Alignment of Risk and Capital Inject risk information into existing strategic decisions, pricing, product design and risk transfer strategies. Develop Internal Model Use Test Section Three: "Technical Considerations" starting on page 19, contains a definition and examples of what this would mean and what the use test could include. Set Confidence Level We recommend a 99.5% confidence level which is consistent to the minimum required confidence level under SII in the EU. 4. ADDRESSING ERM/ORSA GLOBAL CONSIDERATIONS AND CHALLENGES In accord with the NAIC objectives, ERM/ORSA is people and risk centric, primarily employing a principles-based approach, as opposed to a rules-based approach. This means that risk is integrated and that risk decisions are largely based on the judgment of individuals relying on underlying facts, as opposed to decisions being made by mostly following intricate sets of rules. (This is similar to the principles-based approach taken by IFRS.) This feature of ERM/ORSA has several significant implications. Under ERM/ORSA, more people will be involved in risk-related decisions, relying heavily on data aggregated throughout the enterprise. Accordingly, that data must be of high quality in order for those decisions to be credible and defensible. This places greater emphasis on the role of information technology tools, and the underlying IT infrastructure, to deliver quality data that must be integrated from various business silos for key decision making. For most organizations, achieving optimum data quality and integration goals is a long-term process. This means that organizations may need to implement migration strategies that include a master data firewall and an interim risk-related data vault that maintain the integrity of risk-related data secure, accurate, complete, relevant, and reliable to enable transformation of that data into actionable information. A full spectrum of risks must be identified and assessed, and risk appetites and thresholds established, with models and mechanisms for risk and capital management, including extensive validation testing and reporting transparency. This requires a change in culture. The culture must be transformed into a risk-ownership culture in which a broad spectrum of employees understand and take ownership and accountability for risk, with everyone aligned and sharing a common language. This in turn requires a high degree of integration, education, training, and leadership by example. All of the above imply enhancements to information systems, establishment of new policies and procedures; and a greater need for education, training and communication if employees are to better understand their roles, if business processes and information silos are to become more integrated, and if risks are to be identified and managed. It also implies the need for governance mechanisms that set direction and guide these transformational imperatives. These imperatives, summarized in the sidebar, "ERM/ORSA Challenges," touch on every facet of the enterprise, requiring establishment of an overarching operational governance framework, an integrated management framework much different from what most organizations have followed in the past. 17

18 SECTION THREE: TECHNICAL CONSIDERATIONS ERM/ORSA Integrated Management Framework... 7 Implementing and Integrating ORSA...13 Technical Considerations...18 IMF Component Implementation Maps...24 Future Considerations...28 Tools and Aids...32 ORSA seeks to create a harmonized, risk-based approach to capital management. We believe that most of the NAIC required core financial information can be obtained from the existing financial and management information systems. With this in mind, we believe there are three specific and important areas that pose technical challenges and considerations for insurers when implementing ORSA internal model, capital assessment/management and the use test. INTERNAL MODEL When insurers address ORSA, it is widely recognized that some form of an internal model and calculation will be required. However, there is no specific NAIC definition of an internal model. Board members, executives, and management or professionals in positions of control, must have knowledge and a firm grasp of the technical provisions of ORSA in order to ensure proper implementation and compliance. Technical provisions are the largest item on an insurer's balance sheet, making the company s financial strength sensitive to movements in the carrying values of assets and liabilities. Accordingly, ORSA will result in changes to the evaluation of the technical provisions and especially the impact on the reserving processes. The NAIC has stated that quantitative risk measurement should incorporate a range of outcomes and that an insurer should use risk measurement techniques that are fit for purpose and that are proportional to the insurers risk size and profile. Unlike the FSA and the SII initiative, the NAIC is currently not requiring pre-approval of the insurer s internal model prior to its use. However, it seems prudent to consider that the NAIC will expect an insurer to review its own internal model, and its processes and data controls. The review or validation of the internal model should be performed by an independent internal or external reviewer. There are six tests that an insurer's internal model should meet. Under SII, insurers must pass all six tests in order to achieve model approval. While the NAIC does not require an insurer to pass any of the six tests, it would seem prudent that insurers give full consideration to each when implementing ORSA: 1. Use test 2. Statistical quality standards - data 3. Governance and standards surrounding the model process 4. Assumptions and parameterization rationale and application 5. Validation and testing standards 6. Documentation standards Methodology Supporting the Model Some insurers are using an internal model in a limited way. Others are redesigning their internal model and establishing how they might fully integrate the model into the day-today decision-making process. However, a large majority of insurers have not determined how to fully integrate their internal model into their business. No matter at what stage insurers may be in this process, the FTI Consulting, Global Insurance Services group IMF model enables insurers to envision what a fully integrated process might look like, and determine how to improve that process. Developing and effectively deploying an internal model should provide benefits that outweigh the effort and costs involved. Ensuring that this is the case, however, requires overcoming certain challenges. Foremost among these challenges is the ability to develop a clear and coherent articulation of the capabilities and limitations of an internal model in 18

19 terms of its practical use in meeting business and ORSA objectives, and then integrating disparate systems and processes into a cohesive, auditable system. To amplify the challenges listed in the sidebar, "ERM/ORSA Challenges" on page 18, it is worth considering the following challenges related directly to the use test. Insurers must maintain a strong underwriting discipline regardless of the amount of capital. For this reason, underwriting drives capital, not the other way around. - Eliminating inherent model risk, especially when aggregating discrete model outputs into, or within the internal model - Using the appropriate input data, especially balancing use of experience data with forward looking assumptions - Achieving the ability to measure and correlate risks (existing, emerging, and speculative) under various scenarios, including cycles and stressed conditions - Achieving the ability to temper internal model output with sound business acumen and judgment - Passing the use test by demonstrating the effective integration of the internal model within risk management decision making and business practice CAPITAL ASSESSMENT AND MANAGEMENT Insurers must maintain a strong underwriting discipline regardless of the amount of capital. For this reason, underwriting drives capital not the other way around. Corrective action will be required when an insurer breaches a risk tolerance as a result of an event or events that reduce capital to a level below its internal tolerance. Corrective action is also required when the insurer's capital falls below the minimum regulatory or respective rating agency capital requirements. There is no easy way to accomplish a determination of using the standard model versus an internal model, as it must take into account a broad and complex range of considerations. As noted earlier, insurers may comply with ORSA requirements by using an internally developed model (or one developed by a third party). The initial decision to use an internal model is usually based on: Size and characteristics of the business global multiline, niche or monoline, small/mid-size Amount and sophistication of resources available to develop and administer an internal model Flexibility to more effectively manage and monitor the economic or regulatory capital requirements Insurers may consider that the assessment of current financial resources and the calculation of capital requirements, either economic or regulatory, are better achieved through the employment of an internal model. It is important to keep in mind that ORSA should consider economic capital requirements over a business planning timeframe, while the regulatory capital requirements are intended to consider a one-year timeframe. Assessing whether or not to use an internal model, determining strategies and capital requirements, and achieving capital management in conformance with business objectives, and in line with ERM/ORSA stipulations, requires a dynamic, iterative exercise of comparing existing capital situations with various options under ORSA in order to determine optimum results. There is no easy way to accomplish this process, as it must take into account a broad and complex range of considerations, including issues related to equivalency (Discussed in Section Five: "Future Considerations" on page 28.); alternative legal structures; tax options; capital availability and pricing; liability management; the use of reinsurance; asset valuations; product mix and profitability; potential operational realignments; run-off considerations; risk mitigation costs; and other attendant risk factors, including those related to third parties such as asset managers and servicers. 19

20 The use test may be the most intimidating aspect of the ORSA initiative for insurers, when in reality it should be the most basic and fundamental, especially for successful organizations. Organizations should look at the benefits of performing certain tests and how these tests can create a collaborative environment that results in the full engagement of the board and management in the process. Ask any risk manager, and he or she will tell you that one of the main benefits of stress testing is the focused dialogue it generates around risk-taking and risk appetite. John C. Dugan Former U.S. Comptroller of the Currency To deal with this myriad of requirements and issues, insurers should make use of a softwarebased decision matrix that enables alignment of ORSA requirements with their current situation and definition (including quantification) of the impact of each, along with identification of alternatives and their respective impacts. This assessment and decision making is an iterative process that requires involvement of senior actuaries and risk management specialists. USE TEST As stated earlier, insurers do not have to satisfy the use test since it is not an explicit regulatory requirement of the NAIC as it is with the EU FSA. However, we believe that the need for the use test is apparent. For example, if insurers assess their financial resources and regulatory capital requirements through an internal model, they will be required to use that same model and must be able to demonstrate that it is part of the ORSA program. In addressing these requirements, insurers are advised to view the use test, not as a regulatory exercise, but as an opportunity to fully integrate the internal model into the business, as indicated in our ERM/ORSA IMF model. Also, as our ERM/ORSA IMF model suggests, satisfying the use test can be accomplished in any number of ways including, but not limited to stress testing, reverse stress testing, scenario testing, risk adjusted return on capital / return on equity, pricing, and reinsurance. 1. Stress Testing Stress testing is a form of testing used to determine the stability of the risk management system. For insurers, it involves testing beyond the normal operational capacity in order to observe results. Insurers will use their internal models in preparing stress scenarios in underwriting, investing, budgeting and capital management. These stressed scenarios can typically include consideration for changes in an insurers inward risk profile, outward reinsurance programs, asset mix and regulatory requirements. Other stress scenarios might include assumptions for increases in frequency and severity, assumptions on lower to negative returns, or lower than expected pricing levels. For example, insurers might stress test their capital adequacy from certain tail events that might include the expected median result plus a $100 billion event in a catastrophe prone region. In stressed scenarios, insurers would determine how much of their capital they would lose and whether they might be in breach of one or more of their own board-approved risk tolerances. 2. Reverse Stress Testing Reverse stress testing is similar to stress testing. The key difference is that in a reverse testing scenario insurers are to explicitly identify and assess scenarios most likely to render their business model unviable. Under ORSA, reverse stress testing is not as much about the event as it is about getting the board and management engaged in the process and identifying those scenarios that might make the company unviable. For example, many insurers have no doubt identified a rating agency downgrade to something less than an A- quality as an event that could make the entity unviable. However, the board and management should give due consideration to the scenario that led to the downgrade. A downgrade below an A- could be viewed as a risk tolerance breach and for some insurers it could place their viability at risk. 3. Scenario Testing Scenario testing involves single runs of the internal model where each run is based on a complex set of interrelated assumptions and describe a comprehensive, often troublesome scenario. Scenario testing also helps test an insurer's resiliency under a situation that involves complex and severe interactions that would not be tested using the usual correlation assumptions of stochastic testing. Scenario testing can be a way to test the effects on the insurer from extreme tail events. 20

21 RAROC/ROE will help insurers establish when it makes sense to grow the business, or when it makes sense to cut back on a particular class of business or redeploy capital to other areas in order to achieve risk optimization. Insurers that are able to demonstrate a linkage between their internal model and their pricing framework will go a long way in satisfying the use test, especially if this linkage can be pushed down to the underwriter desk and account level. 4. Risk Adjusted Return on Capital (RAROC) / Return on Equity (ROE) Many EU insurers are currently in the process of enhancing their own internal models in order to make them SII ready/compliant. For many, the internal model will provide them with the desired level of information needed in order to effectively manage the business, including how capital is to be deployed to the business units and ultimately to each class of business. The next logical step for insurers, post internal model, is the development of an integration of RAROC or ROE view of risks that are in a suitable framework. Accordingly, many insurers are in the early stages of developing such a view. Once they do, they will need to establish hurdle rates for their decisions and quite possibly create what some consider as the line in the sand view of risk and pricing. Crossing over the line will result in returns that are below the established hurdle rates. In satisfying the use test, RAROC/ROE will help insurers establish when it makes sense to grow the business, or when it makes sense to cut back on a particular class of business or redeploy capital to other areas in order to achieve risk optimization. In accomplishing this requirement, insurers must answer the following questions: - How much capital is required for each activity, business or class? Identifying the amount of capital required for each class will create a fair amount of internal debating especially between the underwriting and actuarial functions. - What is the expected or desired return on capital from each business and class relative to the risk that is taken? This task is difficult and will probably require the collaboration of business unit leaders, product managers, executives and perhaps even the board of directors. - What is the equity hurdle rate for the activity, business or class? - Has the right class mix of business strategy been set in order to optimize the RAROC/ROE? Like the other questions, this one may be more difficult to answer because underwriters will have to balance/mix high return with lower return business. However, achieving the right mix is paramount to optimizing RAROC/ROE. 5. Pricing Insurers that are able to demonstrate a linkage between their internal model and their pricing framework will go a long way in satisfying the use test, especially if this linkage can be pushed down to the underwriter desk and account level. That said, one of the greatest challenges in finding this linkage is the ability to develop a pricing tool and framework that enables the underwriting decision-making process while avoiding an over dependence on them. In short, prescribing the final or walk away price of an account as the answer produced by the model will create significant issues. Instead, underwriters must find a balance between judgment and model pricing, while management must monitor the achieved pricing at a portfolio level and carefully communicate when and which pricing tactics need to change. Many actuarial papers have been written providing a myriad of detailed technical guidelines on pricing that go beyond the scope of this paper. However, those insurers planning stronger linkages among their internal models, capital allocations by class, and their strategic and tactical pricing, should, at minimum include the following in their plans. 1. An assessment of the current pricing framework and the level of its integration with RAROC/ROE modules 2. Accident Year, Calendar Year and Policy Year view of RAROC/ROE 3. Capital allocation methodologies by class of business and entity in order to better link tactical decisions with strategic goals 21

22 Internal models can enable an effective reinsurance purchasing strategy, as they can help to identify the most optimum level of reinsurance that is required. Reinsurance is included in the risk management process within the ERM/ORSA IMF framework. Reinsurance is arguably the most important and perhaps most powerful tool in the mitigation of risk process, also serving as an effective option for capital management. 4. Pricing models and the internal models using the same data sources and parameterization of the risk. (There are instances where there can be inconsistencies in the assumptions between the two models but these inconsistencies should be minimized.) 5. Overhead expense allocation methodologies in order to report fully loaded ROE indications 6. Investment allocation/credit methodology in order to assure appropriate asset liability matching 7. Agreement on the type of capital to be allocated, i.e., (equity vs. economic capital). (Economic does not always equal equity capital.) 8. Validation and concurrence between actuarial and underwriting on methodologies and loadings by class. Classes of business with low average premiums and high attachment points, as an example, will be debated. 9. Education and communication to board, management and staff, in order to assure appropriate interpretation and application of the tools 10. A functional and working framework for the regular monitoring of pricing and RAROC/ROE 11. Integration of the RAROC/ROE and pricing module into strategic planning and budgeting process 12. Agreed upon benchmark/target pricing levels by class of business There is undoubtedly a lot more that needs to go into a robust pricing and RAROC/ROE module, and the list above only touches the surface. A successful implementation will require a significant amount of effort and thought by everyone involved. These frameworks are not one-size-fits-all, so insurers must develop their own customized pricing tools that are fit for purpose and that achieve the desired goal. Undoubtedly, and for all property/casualty insurers, the largest driver of pricing is the cost of capital (amount of capital and the required return) to support the risks. But until recently, insurers had a tendency to manage the capital available rather than the required capital to support the risks that have been taken in order to achieve a desired rate of return. 6. Reinsurance Reinsurance is included in the risk management process within the ERM/ORSA IMF framework. Reinsurance is arguably the most important and perhaps most powerful tool in the mitigation of risk, also serving as an effective option for capital management. Under ORSA, insurers must establish their regulatory and economic capital requirements. In addition, insurers must also establish the capital required by the ratings agencies, especially if insurers desire a specific rating from A.M. Best, Standard & Poor's or Moody s Investor Services. The regulatory capital requirements of an insurer will likely increase under ORSA. For smaller insurers this could result in their inability to meet the new minimum regulatory capital requirements. The amount, if any, of reinsurance that an insurer purchases helps to quantify the capital requirements of the organization. ORSA should not prescribe the type and amount of reinsurance that insurers should purchase. A forced or suggested level of reinsurance only serves to weaken the ORSA program. Therefore, in satisfying the use test, insurers need to look at the reinsurance buying process as a way of creating economic value through the optimization of its capital. Insurers will need to find the balance between the levels of risk taken net of reinsurance, versus the price they must pay for that reinsurance. Despite the profound impact that a sound reinsurance program can have on insurers' balance sheets and capital requirements, insurers must also weigh the credit risk that the purchasing of reinsurance will impose. Transacting business with poorly rated or with questionable 22

23 reinsurers or reinsurers whose own insurance portfolios are out of balance or skewed too heavily toward tail business, will increase the credit risk of ceding insurers. Internal models facilitate the reinsurance buying process. Internal models help to measure, precisely and efficiently, the different risk and capital positions as a consequence of buying either more or less reinsurance. Accordingly, internal models can enable an effective reinsurance purchasing strategy, as they can help to identify the most optimum level of reinsurance that is required. 7. Other ORSA Considerations insurers will learn very quickly that simply having an ORSA process is only half the battle in establishing an effective and useful ORSA program. Astute insurers understand that an effective and meaningful ORSA program that synchronizes risk and capital management requires the following: A product line mix management plan that results in the allocation of capital to those divisions and product lines where the highest risk adjusted return can be achieved while clawing back capital from those product lines where the least profit potential exists A reinsurance strategy that maximizes the purchasing power of reinsurance by a company or product line. For example, some insurers could decide that the purchasing of reinsurance is too costly and that the reward is not significant enough to outweigh the costs of the reinsurance. All major capital decisions, including the payment of extra ordinary dividends or a stock repurchase, are weighed carefully and take into account the impact on capital headroom before they are actually carried out. Current capital and capital headroom is forecast before a major change in strategy is implemented, such as a change in underwriting strategy, the raising or lowering of attachment points, territorial expansion, distribution, hedging or product design Full understanding and consideration of major changes in external factors, including tort reform, legislation, inflation, interest rates and economic factors. Consideration of scenarios in a stressed environment that significantly impact capital beyond the board approved tolerance level. For example, two 1/250 year natural catastrophic events in the same calendar year combined with a significant rise in interest rates. 23

24 SECTION FOUR: INTEGRATION AND OPTIMIZATION IMF COMPONENT IMPLEMENTATION MAPS ERM/ORSA Integrated Management Framework... 7 Implementing and Integrating ORSA Technical Considerations IMF Component Implementation Maps Future Considerations Tools and Aids Figure (1), "Integrated Management Framework" on page 8, illustrates the components of our ERM/ORSA IMF and shows how those components are interrelated. Our IMF Component Implementation Map, Figures (2-6) on this and the following pages, is designed to provide examples that help illustrate how ERM/ORSA components are interrelated in a typical implementation. The functional components depicted on these example charts are structured as cycles in four major layers strategy, process, infrastructure, and environment. Each layer is expanded to display a list of objectives or deliverables related to the respective components within the respective cycle. It should be noted that these charts are examples of ERM/ORSA IMF tailored to a specific situation, and so the levels and components may not match those depicted in the generalized view in Figure (1). Figure (2) depicts the complete Component Implementation Map with the respective components within each of the four layers. Note that the component cycle within the process layer is a closed loop that provides validation of, and if necessary, re-assessment of the strategy. Figure (2) ERM/ORSA High Level Framework 24

25 25

26 Figure (3) depicts the strategy layer with its cycle of four components and their respective objectives or deliverables. The objectives and deliverables on the charts are supported by appropriate documentation. The strategy is at the core of the IMF. It is where insurers must carefully and artfully articulate their overall risk appetite, value proposition, strategy and mission. Also, Figure (3) ERM/ORSA Strategy Level Framework - 1 insurance boards and executives should understand Process Strategy Strategy Business Mission and Strategy Risk Awareness/ Identification Emerging risks Existing or changing risks Media Current events Portfolio view Team meetings Communication Business Mission and Strategy Budget in place Strategy document Stick to the strengths Risk Assessment/ Response Risk scoring Risk escalation Controls failure form Risk mitigation Reassessment Immediate action Consistent criteria Scope of assessment Identify opportunities Risk inventories Risk Strategy Value Proposition Risk Appetite Risk appetite statement Risk policies documented Risk tolerance limits set Return capital when Risk Strategy Value Proposition Risk Appetite Operations Defined risk appetite ERM process Everyone involved Policies and procedures Key versus departmental risks Specialty market Nimble market Limited number of distributors underwriting opportunities are Limits offered weak De-risked investment portfolio Maintain headcount Figure (4) ERM/ORSA Strategy Level Framework - 2 Measurement and Control Strong risk appetite statement XYZ Company wants to maximize its risk-adjusted return Reporting Validation / Re-assessment Risk tolerances Internal model Enforcement of controls Common metrics for risk Enforcements of limits and finance Limits monitoring Regular analysis of risk and Effective modeling exposures Affirmations Regular monitoring of Internal audit changes in risk profile External audit Reporting to board and Information from third committees parties Systematic limit monitoring Risk-adjusted performance measures that, while ERM/ORSA may reduce and even eliminate some risk, the primary focus of ERM/ORSA is to determine how much risk is appropriate in order to optimize the insurers return on capital. Figure (4) depicts the component cycle within the process layer, the objectives and deliverables for each respective component, and the validation and re-assessment loop to the strategy layer. The process layer is critical in creating a robust and strong ERM/ORSA framework. Within the process layer, IMF addresses risk awareness, assessment, mitigation, reporting, measurement and control, and operational issues. More important, insurers must be able to demonstrate that all processes are linked. For example, risk awareness, and in particular the process for escalating and identifying emerging risks are critical, requiring total involvement at all layers of the organization. Once identified, emerging risks, must be assessed for likelihood and impact. Steps must also be taken to mitigate these risks with the appropriate controls. As a final step, a process for reporting and monitoring of the emerging risks must be developed. 26

27 Figure (5) depicts the component cycle within the infrastructure layer, and the objectives and deliverables for each respective component. This layer provides much of the foundation that enables the risk assessment and management process in layer two. Creating the right infrastructure is paramount to a successful ERM/ORSA implementation. Too much infrastructure will create an inordinate amount of bureaucracy, while too little infrastructure will render the risk management process ineffective. Clearly, boards must be involved and assume responsibility for the Process Strategy Board and senior management provide direction / oversight Risk committees Terms of reference Board sets risk profile Risk forum CRO reports to board Process Organisation and People Organization and People Business Mission and Strategy Risk Awareness/ Identification Strategy Limits and Controls Board sign off on major risk tolerances Management/unit tolerances in place Risk tolerances encompass risks Risks are correlated Non-monetary risk tolerances direction and oversight Business Mission and Strategy Risk Awareness/ Identification Risk management tone starts with the board and senior management Limits and Controls Figure (5) ERM/ORSA Strategy Level Framework - 3 Risk Assessment/ Response Methodologies and Models Consistent approach across departments Unit level risk reporting Frequency of internal model Affirmations Departmental reporting ROE by class and co Model validation Actuarial methods reviewed Risk Strategy Value Proposition Risk Appetite Operations Measurement and Control Systems Data Policies Risk management tool in place Internal model rewrite for SII / NAIC ORSA Data quality and standards Risk registers and scoring Data warehouse Data quality and standards Data quality audits Figure (6) ERM/ORSA Strategy Level Framework - 4 Risk Assessment/ Response Methodologies and Models Operations Culture Training Communication Regular education and learning for board on internal model / SII / ORSA Regular training for staff on internal model, ERM risk management, etc. Governance Controls Measurement and Control Departmental policies exist Board approved risk polices Other policies exist Risk Strategy Value Proposition Risk Appetite Systems Data Policies Frequency of internal model results Monthly and quarterly group-wide meetings Management meetings Quarterly board and risk committee meetings Performance Measures ROE Combined ratios Individual objectives Annual performance Reporting Reporting Validation / Re-assessment Planning Reporting Risk tolerance reporting PML monitoring Insurance risk report on tolerances Quarterly reporting to board Monthly management reporting Monthly and quarterly financial reporting Reward Validation / Re-assessment Planning Reporting Based on performance No premium incentives oversight and governance of risk, and for setting and approving the risk appetite and tolerances. Management on the other hand, has responsibility for the strategy and the tactical application of the risk management process while ensuring compliance with all board-approved tolerances. However, although the degree and character of involvement may vary, risk management must be embraced and understood at all levels of the organization in order for ERM/ORSA to be successful. Figure (6) depicts the component cycle within the environment layer, and the objectives and deliverables for each respective component. Creating a strong ERM/ORSA environment is a strenuous process that requires a significant amount of effort at each level of the organization. The risk management tone must be set by the board and management and must permeate the organization. For this to happen, insurers must create a strong risk management culture through a process of continual training, education, communication, performance standard setting, and compensation. Merely introducing the concept of ERM/ORSA without putting forth a program to achieve desired performance will only undermine the chances for success. 27

GLOBAL INSURANCE SERVICES Executive Brief

GLOBAL INSURANCE SERVICES Executive Brief Spring 2013 Post Super Storm Sandy: Lessons Applied In this issue We discuss how predictive analytics and reengineering combine to improve catastrophe claims results,