Lessons Learned From ORSA Reviews: Impact on Risk-Focused Examination
NAIC Insurance Summit
INS Companies
Joe Fritsch, Director, INS Companies
Don Carbone, Exam Manager, INS Companies

Sections of the ORSA Report
- Section 1: Description of the Insurer's Risk Management Framework
- Section 2: Insurer's Assessment of Risk Exposure
- Section 3: Group Assessment of Risk Capital and Prospective Solvency Assessment
Section I - Description of Insurer's Risk Management Framework
- This section should contain a high-level summary of the aforementioned ERM framework principles.
- Describe how the insurer identifies and categorizes relevant and material risks and manages those risks as it executes its business strategy.
- Describe risk monitoring processes and methods, provide risk appetite statements, and explain the relationship between risk tolerances and the amount and quality of risk capital.
- The ORSA Summary Report should identify the assessment tools (feedback loops) used to monitor and respond to any changes in the insurer's risk profile due to economic changes, operational changes, or changes in business strategy.
- The ORSA Summary Report should describe how the insurer incorporates new risk information in order to monitor and respond to changes in its risk profile due to economic and/or operational changes and changes in strategy.

Meeting with Insurer - Walkthrough of ORSA
- Set up a meeting (1 to 3 hours, depending on complexity) in which the insurer gives an overview of its ORSA Summary Report.
- Prepare questions based on the examiner's review of the ORSA Report and knowledge of the company's insurer profile (EIC of the last exam, chief actuary, chief examiner, etc.).
- Focus on the need for a complete assessment of the five key principles and on identifying branded risks.
- The report should be a summary of the company's risk management process and how it ties to the overall business strategy (business plan).
Meeting with Insurer - Walkthrough of ORSA
- Ask the company to describe the maturity it believes it has achieved in meeting the five key principles: risk culture, risk identification, risk appetite, ERM controls, and ERM reporting and communication.
- Have the company describe how its corporate culture demonstrates the use of risk management throughout the organization.
- Describe how risk management is integrated into business operating plans. Are the business objectives driven only from the top of the organization, or are they also driven from the individual business units?

Meeting with Insurer - Walkthrough of ORSA
- Describe the board of directors' review of the ORSA Summary Report and their reaction (sample report).
- Describe the CRO position: who the CRO reports to in senior management while, at the same time, having an independent voice to the Board of Directors.
- Describe, if applicable, how risk management is integrated into compensation practices.
- What reports go to the audit committee, risk committee, and other committees responsible for risk, and what reports go to the full board of directors?
5 Key Principles
An effective ERM framework should, at a minimum, incorporate the following key principles:
- Risk Culture and Governance: a governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision-making.
- Risk Identification and Prioritization: a risk identification and prioritization process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels.
- Risk Appetite, Tolerances and Limits: a formal risk appetite statement, and associated risk tolerances and limits, are foundational elements of risk management for an insurer; understanding of the risk appetite statement ensures alignment with risk strategy by the board of directors.
- Risk Management and Controls: managing risk is an ongoing ERM activity, operating at many levels within the organization.
- Risk Reporting and Communication: provides key constituents with transparency into the risk-management processes and facilitates active, informal decisions on risk-taking and management.

Analyst Deliverables - Section 1
The examiner is required to provide a summary report on the five principles. Rate each principle as follows:
- Level 5, Leadership: the highest level; departments are reluctant to give this one
- Level 4, Managed
- Level 3, Repeatable
- Level 2, Initial
- Level 1, Ad hoc
- Level 0, Non-existent
The financial analyst handbook gives an example of each level for each key principle.
Analyst Deliverables - Section 1
Prepare a summary of Section I by developing an assessment of each of the five principles set forth in the ORSA Guidance Manual, followed by a narrative that supports the assessment.

A. Risk Culture and Governance
A governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision making.
- 5 Leadership
- 4 Managed
- 3 Repeatable
- 2 Initial
- 1 Ad Hoc
- 0 Non-existent
Supporting Narrative (why the company was rated repeatable, initial, etc.)

Risk Culture and Governance
A. Risk Culture and Governance: a governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision making.
- The objective is to have a structure in place that creates a top-driven atmosphere and rigor within the organization that manages risk in a way that is continuously improved.
- The Board of Directors is responsible for the framework and the risk culture established by senior management, and approves the risk appetite statement in collaboration with the chief executive officer (CEO), chief risk officer (CRO) where applicable, and chief financial officer (CFO).
Risk Culture and Governance
NAIC defines risk culture as:
- Supervisors are focusing on the institution's norms, attitudes and behaviors related to risk awareness, risk taking and risk management.
- The norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes.
- The organization's propensity to take risks as perceived by the managers in the organization.
- Organizational behaviors and processes that enable the identification, assessment and management of risks relative to objectives ranging from compliance to operational, financial and strategic.

Risk Culture and Governance - An Example of Best Practice
Risk Culture and Governance - Leadership Practices
- Risk culture is analyzed and reported as a systematic view of evaluating risk.
- Executive sponsorship is strong and the tone from the top has sewn an ERM process into the corporate culture.
- The Board of Directors establishes the framework and the risk culture and approves the risk appetite statement in collaboration with the chief executive officer (CEO), chief risk officer (CRO) where applicable, and chief financial officer (CFO). Those officers translate the expectations into targets through various practices embedded throughout the organization.
- Risk management is embedded in each business function.
- Internal audit, information technology, compliance, controls and risk management are highly integrated and coordinate and report risk issues.
- All areas use risk-based best practices.
- The risk management lifecycle for each business process area is routinely improved.
Risk Culture and Governance - Risk Governance
- What are the roles and responsibilities within the organization with regard to ERM, i.e. Board of Directors, senior management, heads of business units? (Tone at the top, but also reporting from the business units up to the leadership of ERM.)
- ERM process and framework: how does it interact throughout the organization? (You want the holding company chart for ERM.)

Risk Culture and Governance - Questions to consider
- Who is responsible for the establishment, review and update of the ERM framework?
- How often is the framework reviewed and updated, if needed?
- How often is it reported to the Board?
- How are individual business units educated on the ERM framework, including risk appetite and limits?
- How do business units report new risks?
- Who monitors for breaches of risk limits, and what is the procedure?
Risk Culture and Governance - Areas of concern
- Are all entities covered by the ORSA? (During the crisis that was the issue at AIG: the financial products division and its CDS were not regulated.)
- No CRO, or the CRO is not involved in the business planning.
- The CRO or head of ERM does not have a direct reporting line to the Board (it is OK to have dotted-line reporting to the CFO or CEO).
- Compensation is based on volume or on taking additional risks.
- The ORSA is prepared for regulators but is clearly not embedded in the organization.

Risk Identification and Prioritization
B. Risk Identification and Prioritization
The ORSA Guidance Manual defines this as key to the organization; responsibility for this activity should be clear; and the risk management function is responsible for ensuring the process is appropriate and functioning properly at all organizational levels. Therefore, the objective is to have a process in place that identifies risks and prioritizes them in a way that all potential material risks are addressed in the framework.
Risk Identification and Prioritization - Leadership Best Practices
- Internal and external best practices, support functions, business lines and regions are systematically gathered and maintained.
- A routine, timely reporting structure directs risks and opportunities to senior management.
- The ERM process promotes frontline employees' participation and documents the significance of risk issues or opportunities.
- Process owners regularly review and recommend risk indicators that best measure their areas' risks.
- The results of internal adverse event planning are considered a strategic opportunity.

Risk Identification and Prioritization
- A good ERM will have a process to identify risks.
- Risks can be identified both from business units and at a high level based on the strategic plan of the insurer, which should correlate to the business plan filed with the Department.
- There should be an emerging risk framework for identifying new risks.
- The company will have a risk register that holds the risk universe and a method to prioritize the risks, i.e. risk prioritization. The listing is sometimes referred to as a risk taxonomy.
- This should result in a heat map of the top risks.
Risk Identification and Prioritization - Some questions examiners may ask
- How are emerging risks identified within the organization, and how are they tracked?
- Who is responsible for providing updates on risks identified, whether identified at the senior level or from business units?
- How are the risks prioritized (heat map), and how often is it updated?
- What groups or teams are involved in the assessment and prioritization?
- What do they consider in the ranking: likelihood of occurrence, magnitude of impact, and mitigating controls?

Risk Identification and Prioritization - Some questions or concerns the examiners may have
- Risk identification is done strictly for the ORSA Report and is not embedded in the organization.
- The ORSA does not clearly identify how material risks are identified out of the risk universe.
- Disconnect between material risks and the company's business plan or strategy.
- Does not consider affiliated risks.
- No consideration of mergers or acquisitions.
Risk Appetite, Tolerances and Limits
- The ORSA Guidance Manual states that a formal risk appetite statement, and associated risk tolerances and limits, are foundational elements of risk management for an insurer; understanding of the risk appetite statement ensures alignment with risk strategy by the board of directors (e.g. the relationship between risk tolerances and the amount and quality of risk capital).
- Risk appetite statements should be easy to communicate and to understand, closely tied to the organization's strategy, and should address its material risks.
- They should be used to help set boundaries and expectations, using quantitative limits, and statements for risks that are difficult to measure. These boundaries may be expressed in terms of earnings, capital, or other metrics (growth, volatility).
- The objective is to put mechanisms in place to measure the risk the organization is willing to accept. For example, a risk appetite statement may require the organization to maintain sufficient capital to cover a 1-year horizon with 99.97% confidence, or to maintain an AA solvency standard.

Risk Appetite, Tolerances and Limits - ORSA should have at a minimum
- A formal risk appetite statement and associated risk tolerances and limits are foundational elements of risk management for an insurer.
- Risk appetite should be in alignment with the business plan and corporate strategy of the company.
- Tolerances and limits should be described in metrics that are easy for the company to monitor.
- Examples of breaching a limit and the remediation that occurred are often helpful.
Risk Appetite, Tolerances and Limits - Questions to consider
- Does the ORSA explain how quantitative and qualitative measures are used in explaining risk appetite? (e.g. not more than 10% of surplus in any one investment, or a limit on credit risk to a reinsurer)
- How often is the risk appetite updated, and how is it communicated?
- How are risk limits applied throughout the organization: group level, legal entity, business unit, line of business, etc.?
- How is risk appetite addressed in potential acquisitions or new lines of business?

Risk Appetite, Tolerances and Limits - Additional questions or concerns
- Not all material risks have stated limits.
- The company does not track current exposures compared with risk limits.
- The risk appetite process is not well defined or does not tie to the company's business plan.
- Risk appetite, tolerances and limits are not clearly communicated to business unit heads.
- There is no monitoring of breaches of limits and risk appetite metrics.
- The board of directors is not involved in the process.
Risk Management and Controls
- The ORSA Guidance Manual stresses that managing risk is an ongoing ERM activity, operating at many levels within the organization (e.g. monitoring processes and methods).
- A key aspect of managing and controlling the risks of the organization is the governance process put in place. For many companies, day-to-day governance starts with the business units; those units put mechanisms in place to identify, quantify and monitor risks, which are reported up to the next level based upon the risk reporting and risk limits put in place.
- You want to look at the tone at the top and how it is embedded into the organization.
- In addition, controls are also put in place on the back end, by either the internal audit team or an independent consultant, designed to ensure compliance and a continual enhancement approach.
- Therefore, the objective is to put controls in place to ensure the organization is abiding by its limits.

Risk Management and Controls
When the company has identified a risk, as discussed previously, the company should have a process to manage the risk. This can be done by the following:
1. Controls in place to mitigate the risks identified (the examiner will concentrate on material risks).
2. The company may mitigate risks by reinsurance, thereby limiting the risk (i.e. purchasing catastrophe reinsurance).
3. It may intentionally decide to keep the risk and will use capital to mitigate the residual risk.
Risk Management and Controls
Examiners should expect to understand from the ORSA Report:
- How the company is utilizing the mitigating strategies of controls, reinsurance or additional capital.
- The processes in place to manage risks on a regular basis, control risks, and provide early warning to the risk owner.
- That the Board of Directors is kept informed.

Risk Management and Controls - Questions to consider
- How, and to what extent, does the company internally evaluate the effectiveness of the organization's ERM?
- What processes are in place to ensure the ERM is being followed?
- What process is in place if there is a breach? How is it communicated?
- Is there an effective internal audit function performing independent review and providing reports to senior management and the Board?
Risk Management and Controls - Concerns to consider
- The ORSA report is not clear on how material risks are managed by risk owners and who monitors the process.
- Lack of risk controls in the internal audit plan.
- Controls are at the group level; it is not clear how they are pushed down into the organization.
- No early warning system for approaching limits.
- No procedure in place to report breaches to senior management.
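The slides on risk identification and prioritization ask what the ranking considers (likelihood of occurrence, magnitude of impact, mitigating controls) and expect a heat map of top risks; the risk appetite and controls slides ask whether current exposures are tracked against limits and whether an early warning exists for approaching limits. The following Python sketch is an added example, not code from the presentation or from any insurer's ORSA, showing one way both mechanisms can be implemented: a risk register scored on those three factors and sorted into a 5x5 heat map, and a limit monitor that distinguishes an early warning to the risk owner from a breach escalated to senior management and the board. The register entries, limit names, exposure values, the 0.8 warning fraction and the 8.0 materiality threshold are all constructed assumptions; only the "not more than 10% of surplus in any one investment" limit is taken from the deck.

```python
"""Risk register prioritization (heat map) and risk-limit monitoring.

Constructed example; the register entries, limits and exposures below are
illustrative values, not data from any insurer's ORSA Summary Report.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    name: str
    likelihood: int                     # 1 = remote .. 5 = almost certain
    impact: int                         # 1 = minor  .. 5 = severe
    control_effectiveness: float = 0.0  # 0.0 = unmitigated, 1.0 = fully mitigated

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be 0..1")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # What remains after mitigating controls (reinsurance, process controls, capital).
        return self.inherent_score() * (1.0 - self.control_effectiveness)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Rank by residual risk; break ties on inherent risk, then on name."""
    return sorted(register, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.name))


def heat_map(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk names by (likelihood, impact) cell of a 5x5 heat map."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        grid.setdefault((r.likelihood, r.impact), []).append(r.name)
    return grid


def material_risks(register: List[Risk], threshold: float = 8.0) -> List[str]:
    """Risks whose residual score meets the (assumed) materiality threshold."""
    return [r.name for r in prioritize(register) if r.residual_score() >= threshold]


@dataclass
class Limit:
    metric: str
    limit: float                # hard limit from the risk appetite statement
    owner: str                  # risk owner who receives early warnings
    warn_fraction: float = 0.8  # assumed early-warning trigger, as a fraction of the limit


def check_limit(limit: Limit, exposure: Optional[float]) -> dict:
    """Classify one exposure against its limit and say who must be told."""
    if exposure is None:            # the concern "exposures are not tracked"
        status, escalate = "not_tracked", ["risk management function"]
    elif exposure > limit.limit:    # breach: owner, senior management and board
        status, escalate = "breach", [limit.owner, "senior management", "board"]
    elif exposure >= limit.warn_fraction * limit.limit:   # approaching the limit
        status, escalate = "warning", [limit.owner]
    else:
        status, escalate = "ok", []
    return {"metric": limit.metric, "exposure": exposure, "limit": limit.limit,
            "status": status, "escalate_to": escalate}


def monitor(limits: List[Limit], exposures: Dict[str, float]) -> List[dict]:
    """Run every limit in the appetite statement against the tracked exposures."""
    return [check_limit(lim, exposures.get(lim.metric)) for lim in limits]


# --- constructed sample data (illustrative only) ---
SAMPLE_REGISTER = [
    Risk("Catastrophe (hurricane) exposure", 4, 5, 0.6),   # cat reinsurance in place
    Risk("Reinsurer credit risk", 2, 4, 0.25),
    Risk("Investment concentration", 3, 3, 0.0),
    Risk("Data breach (operational)", 3, 4, 0.5),
    Risk("Emerging: new cyber regulation", 2, 2, 0.0),
]

SAMPLE_LIMITS = [
    Limit("single_investment_pct_surplus", 10.0, "chief investment officer"),
    Limit("single_reinsurer_recoverable_pct_surplus", 25.0, "head of reinsurance"),
    Limit("cat_pml_1in250_pct_surplus", 40.0, "chief actuary"),
    Limit("operational_loss_pct_earnings", 5.0, "COO"),
]

SAMPLE_EXPOSURES = {
    "single_investment_pct_surplus": 8.5,               # inside limit, past warning line
    "single_reinsurer_recoverable_pct_surplus": 27.0,   # breach
    "cat_pml_1in250_pct_surplus": 20.0,                 # ok
    # operational_loss_pct_earnings deliberately absent: exposure not tracked
}


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.name:34s} inherent={r.inherent_score():2d} residual={r.residual_score():4.1f}")
    print("material:", material_risks(SAMPLE_REGISTER))
    for row in monitor(SAMPLE_LIMITS, SAMPLE_EXPOSURES):
        print(row["metric"], row["status"], "->", ", ".join(row["escalate_to"]) or "-")
```

Running the module prints the prioritized register, the list of material risks, and one status line per limit. The escalation lists are what an examiner would compare against the ORSA's description of who is told of a warning versus a breach; a metric with no tracked exposure surfaces as its own status rather than silently passing.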
Risk Reporting and Communication
- Risk reporting and communication should provide key constituents with transparency into the risk-management processes and facilitate active, informal decisions on risk-taking and management.
- Transparency: reporting that can be made available to board members or compliance departments and regulators.
- Important is how the reports are being utilized to identify and manage risk, at either the business unit level or some other level within the organization where decisions are made. The reporting provides the current measure of risk used to monitor such risk.
- Therefore, the objective is to have reporting in place that allows various decisions to be made throughout the organization and by the appropriate people, with ultimate ownership by the Board of Directors.

Risk Reporting and Communication - Leadership Practices
- The ERM process is an important element in strategy and planning.
- Evaluation and measurement of performance improvement is part of the risk culture.
- Measures for risk management include process and efficiency improvement.
- Deviations from plans or expectations are also measured against goals.
- A clear, concise and effective approach to monitoring progress toward risk management goals is communicated regularly with business areas.
- Individual, management, departmental, divisional and corporate goals are linked with standard measurements.
- The results of key measurements and indicators are reviewed and discussed by senior management and board (or committee) members on a regular basis, and as frequently as necessary to address breaches in risk tolerances or limits in a timely manner.
Risk Reporting and Communication - Examples of reporting and communication
- Board of directors to senior management (i.e. CFO, CEO, COO) and to business unit functional heads (management/head of finance, internal audit, etc.).
- You would want to know the sample content, format, frequency and use of reports.

Risk Reporting and Communication - Questions to consider
- How is the importance of ERM communicated to the organization? What kind of training is involved?
- How is compliance with limits and tolerances communicated and tracked?
- How are results tracked by senior management or the board?
- How are breaches of limits and tolerances addressed and communicated?
Risk Reporting and Communication - Concerns to consider
- Communication needs to be both top-down and bottom-up.
- The Board is not regularly given key reports.
- Lack of clarity about what action should be taken, i.e. on breaches of limits, etc.
- Communication is not documented.
- There is no timely reporting of new risks or breaches identified.

Questions
Joe Fritsch, Director, INS Companies
Don Carbone, Exam Manager, INS Companies