Forward Focus. The Own Risk and Solvency Assessment (ORSA) A regulatory guidepost to the future. Insurance issues and insights from Howard Mills


Forward Focus, Fall 2012. Insurance issues and insights from Howard Mills. The Own Risk and Solvency Assessment (ORSA): A regulatory guidepost to the future

Contents
- The Own Risk and Solvency Assessment (ORSA), in brief
- Getting started
- Early feedback
- What should be in the ORSA report?
- Implementing the ORSA
- Operational considerations
- The road ahead

The Own Risk and Solvency Assessment (ORSA), in brief

Sometime in 2015, the first American insurer will file with its domestic regulator the first-ever Own Risk and Solvency Assessment (ORSA) Summary Report to be formally filed in the United States. By the end of that year, the vast majority of insurers operating in the member jurisdictions of the National Association of Insurance Commissioners (NAIC) will have followed suit. That first ORSA filing, expected to be mandated as a result of state adoption of the NAIC's Risk Management and Own Risk and Solvency Assessment (RMORSA) Model Act, will represent, in the words of Pennsylvania Deputy Insurance Commissioner Steve Johnson, "a game changer" for the insurance industry.

This first filing will be the culmination of a years-long process of preparation as insurance regulators worldwide labored to create a new regulatory framework capable of withstanding economic shocks such as the one that battered the financial services sector and the larger economy in 2008. It will mark the complete integration of a robust risk management function as a basic regulatory expectation. For insurers, getting to that first ORSA may require a significant investment of time, talent, and resources.

The ORSA will represent a major step in solvency regulation modernization, and as Mr. Johnson indicated, may well be considered one of the most significant events in insurance regulation in general and Enterprise Risk Management (ERM) in particular in recent decades. An integral part of proposed new solvency regimes globally, the ORSA symbolizes a commitment by both regulators and regulated to a customized, forward-looking system of solvency regulation, involving a more holistic real-time assessment of risk and its short- and medium-term impact on insurers. In the United States, the ORSA also adds a focus on group solvency and interrelated risks to an American solvency regime that largely has been focused at a legal-entity level.

The ORSA is an integrated framework using several tools to give a forward-looking vision of the risk and solvency position of an insurer. It encompasses both quantifiable and nonquantifiable risks in the near- to medium-term future. With the ORSA, companies bear significant responsibility for determining their capital standing and adequacy. It facilitates an insurer's full integration of ERM into decision-making. As envisioned, the ORSA is expected to be a key part of both the ERM framework and of the supervisory review process.

Global regulators have placed the ORSA in this central role in the emerging global solvency regulatory frameworks in response to the revised Insurance Core Principles (ICPs) adopted in October 2011 by the International Association of Insurance Supervisors (IAIS). ICP 16, which governs ERM, mandates that solvency regimes should require insurers to regularly perform an ORSA to assess the adequacy of their risk management and current and likely future solvency positions.

Various regulatory and supervisory bodies have begun the implementation process. For example, the European Insurance and Occupational Pensions Authority (EIOPA) began its public consultation process on its Level 3 Draft Guidance on ORSA in November 2011. Class 4, Class 3B and Class 3A Bermudian insurers were required to send the Bermuda Monetary Authority (BMA) their ORSA filings by April 30, 2012.

The United States is no exception, with the NAIC including the ORSA as part of its Solvency Modernization Initiative (SMI). At its 2012 spring meeting, the NAIC adopted its ORSA Guidance Manual (the "Manual"). This set out the principles to be adopted by U.S. regulators. The NAIC adopted the Risk Management and Own Risk and Solvency Assessment (RMORSA) Model Act on September 12, 2012. According to that Act, the ORSA is a confidential internal assessment, appropriate to the nature, scale and complexity of an entity, conducted by that entity of the material and relevant risks associated with the entity's current business plan, and the sufficiency of capital resources to support those risks. [1]

The ORSA process is one element of an insurer's broader ERM framework. The two primary goals of the ORSA are to foster an effective level of ERM, and to provide a group-level perspective on risk and capital as a supplement to the existing legal entity view.

For American insurers used to static solvency measurements, the ORSA heralds a brave new world. While previously, in-depth solvency evaluations were usually conducted retrospectively by regulators about every five years or so, now insurers will join regulators in projecting and assessing solvency needs essentially on a rolling basis. No longer will insurers passively wait on regulators to review year-end statements and risk-based capital (RBC) numbers that may fail to fully adapt to the fast-moving economic environment. Indeed, a recent interim report by the American Academy of Actuaries (AAA) found various deficiencies in the current property-casualty RBC formula for numerous reasons, varying from cash flow discounts that do not adequately reflect current low interest rates, to some charges not having been updated in 20 years. [2]

Especially important is that, unlike those static measures, even though in the U.S. the ORSA filing itself is one annual report, it is still part of an ongoing process, a feedback loop that is almost like the Japanese concept of kaizen [3] in its goal of full ERM integration and continuous adjustment to maintain solvency.

For insurers, this may mean an era of new flexibility and customized risk assessment. But, as with any change, there are expected to be associated costs, and those companies that adapt to and adopt the ORSA best and most efficiently may be able to gain a lasting advantage over their peers.

[1] http://naic.org/documents/committees_e_isftf_group_solvency_1208_orsa_model_draft_clean.pdf
[2] Report 1: Overview of Dependencies and Calibration in the RBC Formula; CAS Research Working Party on Risk-Based Capital Dependencies and Calibration; Casualty Actuarial Society E-Forum, Winter 2012, Volume 1
[3] Kaizen, a system for continuous incremental improvement with full workforce involvement credited with making manufacturing world class, was actually introduced to Japan after World War II by American William Edwards Deming. http://deming.org/index.cfm?content=61

Getting started

While there may be little argument that the current regulatory system has served policyholders well for the most part, the unanticipated events triggering the 2008 financial crisis serve as a reminder that it is the largely hidden iceberg ahead, not the rocks behind, that constitutes the real danger to these vital economic vessels, and an ORSA should, if properly instituted, provide an early warning of that risk.

Some uncertainty about compliance costs and the possible effect on the operating models of insurers may still remain as insurers work to comply with the initial ORSA directions. But even though feedback to the NAIC will probably result in tweaks and changes to the process, insurers still may best be served by preparing their organizations for the increased real-time data needs an effective ORSA requires.

With the 2015 date for the first ORSA submissions fast approaching, the question of how best to prepare may be a difficult but necessary one to answer as soon as possible. Changes in reporting, information management, governance, and planning may mean adjustments to a company's operating model must be implemented. The good news is that, as proposed, the ORSAs may help the regulated at least as much as the regulators in moving toward a more integrated, relevant, and speedier ERM framework that enables undertakings to better identify, measure, monitor, manage, and report the risks inherent in their business.

For some companies in the United States, a basic question may have to do with the current state of their ERM programs. With ERM programs differing in structure and degree of development from organization to organization, what will be required in order to properly implement the ORSA?

Most insurers will be subject to the ORSA requirements. Generally, an insurer may be exempt from the ORSA requirements if:
- The individual insurer's annual direct written and unaffiliated assumed premium, including international direct and assumed premium but excluding premiums reinsured with the Federal Crop Insurance Corporation (FCIC) and Federal Flood Program (FFP), is less than $500,000,000.
- The insurance group's (all insurance legal entities within the group) annual direct written and unaffiliated assumed premium, including international direct and assumed premium but excluding premiums reinsured with the FCIC and FFP, is less than $1,000,000,000.

However, even insurers meeting the requirements for exemption may have to comply if their regulator so requires. There is, to be fair, some flexibility the other way as well. Insurers that may not qualify for exemption on statutory grounds may request a waiver from the commissioner based on unique circumstances. [4]

An insurer that is subject to the ORSA requirement will be expected to have a risk management framework, regularly assess the adequacy of that risk management framework and the insurer's current prospective solvency position, internally document the process and results, and provide an annual high-level summary report to the lead state regulator.

The structure of the ORSA reporting for nonexempt insurers could be in any given combination as long as all insurers within the group are covered. Possible reporting structures could include variations of a single group report, group and individual insurers' reports, property and casualty insurers' report and life insurers' report, and so forth, so long as all insurers are included in an ORSA. Group-wide ORSA reports submitted to other jurisdictions may be able to satisfy the domiciliary regulator's filing requirements, if the domiciliary regulator deems the information presented therein comparable to and satisfying its requirements.

[4] Risk Management and Own Risk and Solvency Assessment Model Act, 6D; Draft dated 8/10/2012; http://naic.org/documents/committees_e_isftf_group_solvency_1208_orsa_model_draft_clean.pdf

The NAIC plans to have a designated lead state for each group. The lead state regulator will coordinate questions for and requests of insurers. Insurers will file their ORSA summary with that lead state, though other states of licensing may request or require copies of the ORSA summary from the insurer.

An insurer's chief risk officer or equivalent will be required to attest to the accuracy of the ORSA Summary Report and that a copy has been provided to the company's board of directors or its designated committee. [5] Insurers filing late or incomplete reports may face civil penalties.

According to the NAIC RMORSA Model Act, the effective date of the ORSA under the SMI will be January 1, 2015; the first report would be due in 2015. Insurers normally will need to file an ORSA Summary Report no more than once each year. Regulators expect this to be done soon after a company's internal strategic planning process is complete. Insurers must apprise the commissioner of the expected time of filing.

Insurers will also have to submit an ORSA filing whenever there are significant changes to the risk profile of the insurer or the insurance group of which the insurer is a member.

An effective ORSA will depend on the use and inclusion of proprietary company-specific material, often trade secrets. Because of this, regulators have been persuaded to strengthen confidentiality provisions surrounding the submissions. The ORSA Summary Report is expected to be a confidential document and in no event shall the ORSA Summary Report be subject to public disclosure. [6]

[Figure: NAIC ORSA timeline, 2011 to 2015. NAIC Guidance Manual on ORSA, Nov. 2011; pilot draft reports on ORSA received, June 30, 2012; NAIC RMORSA Model Act adopted, Sept. 2012; NAIC ORSA requirements in force, Jan. 1, 2015.]

[Figure: Selected worldwide ORSA timelines, 2011 to 2015. IAIS ICP 16 in force, Oct. 1, 2011; Bermudian ORSA in force, Jan. 1, 2012; Australian ORSA in force, Jan. 1, 2013; Solvency II ORSA in force, Jan. 1, 2014.]

[5] Risk Management and Own Risk and Solvency Assessment Model Act, 1; Draft dated 8/10/2012; http://naic.org/documents/committees_e_isftf_group_solvency_1208_orsa_model_draft_clean.pdf
[6] Risk Management and Own Risk and Solvency Assessment Model Act, 1; Draft dated 8/10/2012; http://naic.org/documents/committees_e_isftf_group_solvency_1208_orsa_model_draft_clean.pdf

Early feedback

In preparation for the ORSA implementation, the NAIC created an ORSA Feedback Pilot Project in which 13 undisclosed insurers voluntarily submitted an ORSA Summary Report by June 30, 2012, for regulatory review under a confidentiality agreement. This allowed regulators to review the process and begin providing some high-level (non-group-specific) feedback to the industry this year prior to the actual ORSA Summary Report effective date. The NAIC also expects to use these results to help modify and provide additional guidance in the Manual.

Of the 13 respondents (presumably, as volunteers, self-selected as most prepared for the ORSA process), only eight submitted reports considered complete by regulators. Of those eight, five had data redacted, while the other three had complete datasets. Regulators said the lengths of the submitted reports varied widely, from 10 to about 100 pages, as did their degree of completeness.

Pennsylvania Deputy Insurance Commissioner Steve Johnson exhorted attendees at the NAIC's August 2012 meeting to pay heed to the lessons learned from the pilot project. "You really do need to pay close attention as you prepare your ORSA," he told industry. "Companies should be doing this now, not 2015. You need to start now and you need to have your board engaged. We saw what somebody who really takes this seriously has done. Get started now."

Among the lessons regulators learned were that several helpful sections could be added or beefed up to make the ORSA report more useful. There was, many regulators opined, a need to provide historical context and organizational structure. Insurers will also be asked to examine the relationship between their compensation structures and risk.

Regulators suggested numerous other items should be part of the ORSA Summary Report, including:
- A detailed explanation of the company's risk limits, including key risks and materiality
- Single and combined stress test scenarios
- Descriptions of how capital models were calculated
- Graphical comparisons of capital models
- Heat maps of risks
- Stress testing on liquidity distress in life insurance
- Emerging risks for prospective risk areas

The NAIC hopes to repeat the pilot project in 2013.

"You really need to pay close attention as you prepare your ORSA. Companies should be doing this now, not 2015. You need to start now and need to have your board engaged. We saw what somebody who really takes this seriously has done. Get started now."
Steve Johnson, Deputy Insurance Commissioner, Pennsylvania

What should be in the ORSA report?

While each insurer's ORSA report should reflect its own business, at a minimum it must include three sections addressing the following topics:
- Section 1: Description of the insurer's risk management framework
- Section 2: Insurer's assessment of risk exposure
- Section 3: Group risk capital and prospective solvency assessment

Section 1: Description of the insurer's risk management framework

Regulators expect the first section of the ORSA Summary Report to focus on the insurer's risk management practices. It should provide a high-level summary showing that the following ERM key principles are implemented:
- Risk culture and governance: There should be a governance structure that clearly defines and articulates roles, responsibilities, and accountabilities; and a risk culture that supports accountability in risk-based decision making.
- Risk identification and prioritization: There should be a risk identification and prioritization process that is key to the organization, and ownership of these activities must be clear. The risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels.
- Risk appetite, tolerances, and limits: A formal risk appetite statement, and associated risk tolerances and limits are foundational elements of risk management for an insurer. Board understanding of the risk appetite statement ensures alignment with risk strategy.
- Risk management and controls: Managing risk is an ongoing enterprise risk management activity, operating at many levels within the organization.
- Risk reporting and communication: This should provide key constituents with transparency into the risk management processes and facilitate active, informed decisions on risk taking and management.

This should be accompanied by a description of the approach used in conducting the analysis, including key methodologies and assumptions.

Section 2: Insurer's assessment of risk exposures

The second section of the ORSA Summary Report should focus on the insurer's quantitative and/or qualitative assessment of risk exposure in both normal and stressed environments for each material risk category. This section includes detailed descriptions and explanations of identified risks, as well as the applied measurement approaches, key assumptions made, and results. A range of complexity is allowed for risk measurement, ranging from stress tests to complex stochastic analysis, as long as the nature, scale, and complexity of the risks are taken into account. Model validation processes should also be demonstrated.

Section 3: Group risk capital and prospective solvency assessment

The third section of the ORSA Summary Report should include an analysis of the solvency position for the group as a whole, as well as a prospective solvency assessment. The latter implies a forward-looking assessment of capital adequacy, on a horizon that is consistent with the business planning process, under various risk scenarios. As part of Section 3, an insurer should:
- Assess its ability to meet the capital requirements, both internal and regulatory, given its current risk profile, its current risk management policy, its current quality and level of capital and reflecting any changes to its current risk profile caused by executing the multi-year business plan
- Explain plans to resolve any deficiencies
- Consider both normal and stressed environments

Implementing the ORSA

Organizations most likely will need to align several quantitative and qualitative processes in order to respond to the ORSA requirements as set out in the Manual. Examples of qualitative processes are the risk governance framework, independent review processes, and internal and external reporting processes. Examples of quantitative processes include the setting of risk tolerances and risk limits, the calculation of economic indicators such as economic capital, the simulation processes per risk type, and the creation of capital projections.

Many of these processes may already exist at most insurers, though possibly in varying degrees of maturity. At some insurers, some of the required processes may not yet have been implemented at all. Implementing the ORSA requirements means that a general ORSA framework may need to be designed that binds all of these processes together. This may require the frequency, scope, and interactions of the processes to be aligned in order to match the ORSA's objective of an integrated view of strategy, risk, and capital.

Implementing the ORSA should begin by defining clear requirements, compliant with the principles set out in the Manual. The process can be further structured by segmenting all required activities into distinct building blocks, and matching the requirements with the building blocks.

[Figure: Illustrative building block structure for the ORSA. Implementation of the ORSA may be structured around segmented building blocks, each with its own principles. Columns: Section 1, Section 2, Section 3. Labels in the figure: Risk management framework; Risk identification and tolerance statement; Risk exposure assessment; Building blocks; Risk culture & governance; Assumptions & scenarios; Detailed risk descriptions; Risk prioritization process; Risk appetite statement; Risk assessment techniques; Qualitative risk assessment; Quantitative risk assessment; Group risk capital assessment; Capital projection; Risk tolerance statement; Risk monitoring & controls; Risk reporting & communication; Management intervention plan; Stress testing; Validation & Assurance; Prospective solvency assessment; Feedback loop. Source: Deloitte]

Properly defined requirements should aid efficient implementation of the ORSA by leveraging the existing processes. They should help ensure that the outcome is aligned to the company's objectives, and should ultimately serve as a framework to help monitor compliance with the regulatory requirements.

Completing a readiness assessment against the ORSA requirements for each building block should assist in the drafting of an action plan. This remediation plan is a step-by-step plan to address the areas identified as needing improvement. At the same time, the company's vision of the ORSA should be translated into the overall ORSA framework, which includes a consistent process, ORSA governance, defined methodologies, and a report template.

The final step is to embed the ORSA framework in the organization, executing the actions set out in the remediation plan. A common way to do this has been to perform a series of dry runs, each in a further state of maturity. Performing dry runs may enhance awareness of the ORSA and its requirements within the organization, and allows for testing of the organization's ORSA readiness in practice.

Getting started: Recommended process for implementation
1. Raise ORSA awareness among senior management
2. Establish a focus group of key functions within the company to articulate your vision for the ORSA
3. Carry out a readiness assessment to identify gaps against NAIC requirements
4. Discuss the results within the focus group and decide how to mitigate gaps
5. Design the implementation plan and the ORSA framework (for current and future submissions)
6. Implement the plan and the framework
Source: Deloitte

Operational considerations

While insurers already may have built ERM and capital management programs, many insurers may be required to consider changes to underlying operations, ownership, and governance as well as infrastructure changes. Some of the key areas of focus are expected to be, but are not limited to:
- ERM framework: Several existing risk management processes would be integrated into one consistent ORSA process, based on a common planning, maturity level, valuation basis, and assumption set. This may require strengthening the group and subsidiary ERM and governance frameworks and establishing a link between the risk tolerance of subsidiaries and the group.
- Capital management: Similarly, an approach for economic capital calculations and forward-looking assessments would likely require significant efforts to establish a group view on capital and solvency and the need for balancing feasibility and accuracy of models.
- Strategy: The ORSA process would be required to be embedded into the strategic process. This will require alignment of risk indicators and model parameters between strategic planning and risk modeling, so as to increase the relevance of the ORSA for decision-making.
- Resources: Skill sets for finance, actuarial, and risk management would likely have to change to meet the needs for adequate processes, controls, and risk quantification tools.
- Risk culture: Board ownership of the ORSA process would be essential, to prevent a silo-based approach across entities and risk categories. Communication among different capabilities within the insurer may need to be improved. The business should be managed in accordance with risk appetite and risk tolerance levels.
- Technology: The ORSA standards demand a strong alignment of business, actuarial and risk management areas with technology. Establishing that alignment, as well as integrating existing and designing new technology solutions around data governance and architecture, process automation, modeling platforms optimization, and reporting and/or decision management domains under the tight time constraints, is critical for a robust ORSA environment.

The road ahead

On many levels, the ORSA represents a sea change in insurance regulation in the United States. It is expected to have a major impact and may pose significant challenges to some insurers, even those that already have ERM and capital processes in place. Although the proposed deadline of 2015 may seem far away, insurers may be wise to start designing, implementing and fine-tuning their ORSA framework, tools, and processes today.

There already is regulatory incentive to begin preparation: the NAIC started training state financial examiners on ORSA in 2012. In addition, some states have already been urging insurers to address their ERM framework. New York, for example, issued a circular letter to insurers licensed in that state listing its expectations for an ERM function within insurers. Insurers whose statutory examination is before 2015 may be asked to answer questions on ERM and whether they will be ORSA-compliant by the proposed deadline.

Challenges also mean opportunities. Implementing the ORSA is expected to provide an opportunity for better risk and capital management, integrating several existing risk management processes into one consistent framework, and embedding in the whole organization a risk culture and risk decision-making process in which strategy and risk appetite are aligned. The information feedback loop provides management, the board, and other stakeholders with access to information on the risk and capital profile of the enterprise, allowing them to evaluate current strategies and their execution, and modify as necessary. Properly designed, it should also serve as an early warning system, providing enough time to respond to emerging risks and other potential concerns.

In the NAIC's concept of the ORSA, regulators may work with management to tweak or seek further information on models and inputs. For insurers, this input from and interplay with regulators may allow for more insight into regulatory requirements, and lower the possibility of inadvertently failing to satisfy written or unwritten regulatory expectations.

This will all require an investment of time, talent, and technology to begin with. But there is a great potential payoff in enhanced risk management and better decision making. Solvency regulation in the United States has often functioned retrospectively, like mariners navigating by looking back on the harbor they left, restricted by having to keep that land in sight. The ORSA, properly customized for both external and internal stakeholders, allows regulators and the regulated a clear vision, enabling them to sail into the future with more confidence, reducing the risks of hidden shoals and providing more time to prepare for any storms on the horizon ahead.

Contacts

Howard Mills
Director and Chief Advisor
Insurance Industry Group
Deloitte LLP
+1 212 436 6752
howmills@deloitte.com

Elisabetta Russo
Principal
U.S. Solvency II Leader
Deloitte Consulting LLP
+1 212 313 2702
erusso@deloitte.com

About this newsletter

This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright 2012 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited