Sections of the ORSA Report


Lessons Learned From ORSA Reviews: Impact on Risk-Focused Examination
NAIC Insurance Summit
INS Companies
Joe Fritsch, Director, INS Companies
Don Carbone, Exam Manager, INS Companies

Sections of the ORSA Report
- Section 1: Description of the Insurer's Risk Management Framework
- Section 2: Insurer's Assessment of Risk Exposure
- Section 3: Group Assessment of Risk Capital and Prospective Solvency Assessment

Section I - Description of Insurer's Risk Management Framework
The section should contain a high-level summary of the aforementioned ERM framework principles.
- Describe how the insurer identifies and categorizes relevant and material risks and manages those risks as it executes its business strategy.
- Describe risk monitoring processes and methods, provide risk appetite statements, and explain the relationship between risk tolerances and the amount and quality of risk capital.
- The ORSA Summary Report should identify assessment tools (feedback loops) used to monitor and respond to any changes in the insurer's risk profile due to economic changes, operational changes, or changes in business strategy.
- The ORSA Summary Report should describe how the insurer incorporates new risk information in order to monitor and respond to changes in its risk profile due to economic and/or operational changes and changes in strategy.

Meeting with Insurer: Walkthrough of ORSA
- Set up a meeting of 1 to 3 hours, depending on complexity, in which the insurer gives an overview of its ORSA Summary Report.
- Prepare questions based on the examiners' review of the ORSA Report and knowledge of the company: insurer profile, EIC last exam, chief actuary, chief examiner, etc.
- Focus on the need to complete an assessment of the five key principles and on identifying branded risks.
- It should be a summary of the company's risk management process and how it ties to the overall business strategy (business plan).

Meeting with Insurer: Walkthrough of ORSA
- Ask the company to describe the maturity it thinks it has achieved in meeting the 5 key principles: risk culture, risk ID, risk appetite, ERM controls, ERM reporting and communication.
- Have the company describe how its culture demonstrates the use of risk management throughout the organization.
- Describe how risk management is integrated into business operating plans. Are the business objectives driven only from the top of the organization, or are they also driven from the individual business units?

Meeting with Insurer: Walkthrough of ORSA
- Describe your board of directors' review of the ORSA Summary Report and their reaction; sample report.
- Describe the CRO position: who the CRO reports to in senior management while, at the same time, having an independent voice to the Board of Directors.
- Describe, if applicable, how risk management is integrated into compensation practices.
- What reports go to the audit committee, risk committee, and other committees responsible for risk, and what reports go to the full board of directors?

5 Key Principles
An effective ERM framework should, at a minimum, incorporate the following key principles:
- Risk Culture and Governance: Governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision-making.
- Risk Identification and Prioritization: Risk identification and prioritization process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels.
- Risk Appetite, Tolerances and Limits: A formal risk appetite statement, and associated risk tolerances and limits, are foundational elements of risk management for an insurer; understanding of the risk appetite statement ensures alignment with risk strategy by the board of directors.
- Risk Management and Controls: Managing risk is an ongoing ERM activity, operating at many levels within the organization.
- Risk Reporting and Communication: Provides key constituents with transparency into the risk-management processes and facilitates active, informal decisions on risk-taking and management.

Analyst Deliverables Section 1
The Examiner is required to provide a summary report on the 5 principles. Rate each principle as follows:
- Level 5, Leadership: the highest; Departments are reluctant to give this one
- Level 4, Managed
- Level 3, Repeatable
- Level 2, Initial
- Level 1, Ad hoc
- Level 0, Non-existent
The financial analyst handbook gives an example of each level for each key principle.

Analyst Deliverables Section 1
Prepare a summary of Section I by developing an assessment of each of the five principles set forth in the ORSA Guidance Manual, followed by a narrative that supports the assessment.

A. Risk Culture and Governance
Governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision making.
Rating scale: 5 Leadership, 4 Managed, 3 Repeatable, 2 Initial, 1 Ad Hoc, 0 Non-existent
Supporting narrative (why the company was rated repeatable or initial, etc.)

Risk Culture and Governance
A. Risk Culture and Governance: Governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision making.
The objective is to have a structure in place that creates a top-driven atmosphere and rigor within the organization that manages risk in a way that is continuously improved.
The Board of Directors is responsible for the framework and the risk culture established by senior management and approves the risk appetite statement in collaboration with the chief executive officer (CEO), chief risk officer (CRO) where applicable, and chief financial officer (CFO).

Risk Culture and Governance
NAIC defines risk culture as:
- Supervisors are focusing on the institution's norms, attitudes and behaviors related to risk awareness, risk taking and risk management.
- The norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes.
- The organization's propensity to take risks as perceived by the managers in the organization.
- Organizational behaviors and processes that enable the identification, assessment and management of risks relative to objectives ranging from compliance to operational, financial and strategic.

Risk Culture and Governance
An example of best practice: Risk Culture and Governance - Leadership Practices
- Risk culture is analyzed and reported as a systematic view of evaluating risk.
- Executive sponsorship is strong and the tone from the top has sewn an ERM Process into the corporate culture.
- The Board of Directors establishes the framework and the risk culture and approves the risk appetite statement in collaboration with the chief executive officer (CEO), chief risk officer (CRO) where applicable, and chief financial officer (CFO). Those officers translate the expectations into targets through various practices embedded throughout the organization.
- Risk management is embedded in each business function.
- Internal audit, information technology, compliance, controls and risk management are highly integrated and coordinate and report risk issues.
- All areas use risk-based best practices.
- The risk management lifecycle for each business process area is routinely improved.

Risk Culture and Governance
Risk Governance
- What are the roles and responsibilities within the organization with regard to ERM, i.e. Board of Directors, senior management, heads of business units (tone at the top, but also reporting from business units to the leadership of ERM)?
- ERM process and framework: how does it interact throughout the organization? (You want a holding company chart for ERM.)

Risk Culture and Governance
Questions to consider:
- Who is responsible for the establishment, review and update of the ERM framework?
- How often is the framework reviewed, and updated if needed?
- How often is it reported to the Board?
- How are individual business units educated on the ERM framework, including risk appetite and limits?
- How do business units report new risks?
- Who monitors whether there is a breach in risk limits, and what is the procedure?

Risk Culture and Governance
Areas of concern:
- Are all entities covered by the ORSA? (During the crisis that was an issue at AIG: the financial product division (CDS) was not regulated.)
- No CRO, or the CRO is not involved in the business planning.
- The CRO or head of ERM does not have a direct reporting line to the Board (it is OK to have dotted-line reporting to the CFO or CEO).
- Compensation is based on volume or taking additional risks.
- The ORSA is prepared for regulators but is clearly not embedded in the organization.

Risk Identification and Prioritization
B. Risk Identification and Prioritization
The ORSA Guidance Manual defines this as key to the organization; responsibility for this activity should be clear; and the risk management function is responsible for ensuring the process is appropriate and functioning properly at all organizational levels. Therefore, the objective is to have a process in place that identifies risk and prioritizes such risks in a way that all potential material risks are addressed in the framework.

Risk Identification and Prioritization
Leadership Best Practices
- Internal and external best practices, support functions, business lines and regions are systematically gathered and maintained.
- A routine, timely reporting structure directs risks and opportunities to senior management.
- The ERM Process promotes frontline employees' participation and documents the significance of risk issues or opportunities.
- Process owners regularly review and recommend risk indicators that best measure their areas' risks.
- The results of internal adverse event planning are considered a strategic opportunity.

Risk Identification and Prioritization
- A good ERM will have a process to identify risks.
- Risks can be identified both from business units and at a high level based on the strategic plan of the insurer, which should correlate to the business plan filed with the Department.
- There should be an emerging risk framework for identifying new risks.
- The company will have a risk register that has the risk universe and a method to prioritize the risks, i.e. risk prioritization.
- The listing is sometimes referred to as a risk taxonomy.
- This should result in a heat map of top risks.

Risk Identification and Prioritization
Some questions examiners may ask:
- How are emerging risks identified within the organization and how are they tracked?
- Who is responsible for providing updates on risks identified, whether identified at senior level or from business units?
- How are the risks prioritized (heat map) and how often is this updated?
- What groups or teams are involved in the assessment and prioritization?
- What do they consider in the ranking: likelihood of occurrence, magnitude of impact and mitigating controls?

Risk Identification and Prioritization
Some questions or concerns the examiners may have:
- Risk identification is done strictly for the ORSA Report and is not embedded in the organization.
- The ORSA does not clearly identify how material risks are identified out of the universe.
- Disconnect between material risks and the company business plan or strategy.
- Does not consider affiliated risks.
- No consideration of mergers or acquisitions.

Risk Appetite, Tolerances and Limits
The ORSA Guidance Manual states that a formal risk appetite statement, and associated risk tolerances and limits, are foundational elements of risk management for an insurer; understanding of the risk appetite statement ensures alignment with risk strategy by the board of directors (e.g. relationship between risk tolerances and the amount and quality of risk capital).
Risk appetite statements should be easy to communicate and understand, closely tied to the organization's strategy, and address its material risks. They should be used to help set boundaries and expectations by using quantitative limits, and statements for risks that are difficult to measure. These boundaries may be expressed in terms of earnings, capital, or other metrics (growth, volatility).
The objective is to put mechanisms in place to measure the risk the organization is willing to accept. For example, a risk appetite statement may require the organization to maintain sufficient capital to cover a 1-year horizon with 99.97% confidence, or maintain an AA solvency standard.

Risk Appetite, Tolerances and Limits
The ORSA should have, at a minimum:
- A formal risk appetite statement and associated risk tolerances and limits, which are foundational elements of risk management for an insurer.
- Risk appetite should be in alignment with the business plan and corporate strategy of the company.
- Tolerances and limits should be described in metrics that are easy for the company to monitor.
- Examples of breaching a limit and the remediation that occurred are often helpful.

Risk Appetite, Tolerances and Limits
Questions to consider:
- Does the ORSA explain how the quantitative and qualitative measures are used in explaining risk appetite (e.g. not more than 10% of surplus in any one investment, or a limit on credit risk of a reinsurer)?
- How often is the risk appetite updated and how is it communicated?
- How are risk limits applied throughout the organization: group level, legal entity, business unit, line of business, etc.?
- How is risk appetite addressed in potential acquisitions or new lines of business?

Risk Appetite, Tolerances and Limits
Additional questions or concerns:
- Not all material risks have stated limits.
- The company does not track current exposures compared with risk limits.
- The risk appetite process is not well defined or does not tie to the company's business plan.
- Risk appetite, tolerances and limits are not clearly communicated to business unit heads.
- There is no monitoring of breaches of limits and risk appetite metrics.
- The board of directors is not involved in the process.

Risk Management and Controls
The ORSA Guidance Manual stresses that managing risk is an ongoing ERM activity, operating at many levels within the organization (e.g. monitoring processes and methods).
A key aspect of managing and controlling the risks of the organization is the governance process put in place. For many companies, the day-to-day governance starts with the business units, but those units put mechanisms in place to identify, quantify and monitor risks, which are reported up to the next level based upon the risk reporting and risk limits put in place. You want to look at tone at the top and how it is embedded into the organization.
In addition, controls are also put in place on the back end, by either the internal audit team or some independent consultant, which are designed to ensure compliance and a continual enhancement approach. Therefore, the objective is to put controls in place to ensure the organization is abiding by its limits.

Risk Management and Controls
When the company has identified a risk, as discussed previously, the company should have a process to manage the risk. This can be done by the following:
1. Controls in place to mitigate the risks identified (the examiner will concentrate on material risks).
2. The company may mitigate risks by reinsurance, therefore limiting risk (i.e. purchasing catastrophe reinsurance).
3. It may intentionally decide to keep the risk and will use capital to mitigate the residual risk.

Risk Management and Controls
Examiners should expect to understand from the ORSA Report:
- How the Company is utilizing the mitigating strategies of controls, reinsurance or additional capital.
- The process in place to manage on a regular basis, control risks, and provide early warning to the risk owner.
- That the Board of Directors is kept informed.

Risk Management and Controls
Questions to consider:
- How and to what extent is the effectiveness of the organization's ERM evaluated internally by the Company?
- What processes are in place to ensure the ERM is being followed?
- What process is in place if there is a breach? How is it communicated?
- Is there an effective internal audit function performing independent review and providing reports to senior management and the Board?

Risk Management and Controls
Concerns to consider:
- The ORSA report is not clear on how material risks are managed by risk owners and who monitors the process.
- Lack of risk controls in the internal audit plan.
- Controls are at group level, and it is not clear how they are pushed down into the organization.
- No early warning system for approaching limits.
- No procedure in place to report breaches to senior management.

Risk Reporting and Communication
Risk reporting and communication should provide key constituents with transparency into the risk-management processes and facilitate active, informal decisions on risk-taking and management.
Transparency: reporting that can be made available to board members or compliance departments and regulators. What is important is how the reports are being utilized to identify and manage risk at either the business unit level or some other level within the organization where decisions are made. The reporting provides the current measure of risk used to monitor such risk.
Therefore, the objective is to have reporting in place that allows various decisions to be made throughout the organization and by the appropriate people, with ultimate ownership by the Board of Directors.

Risk Reporting and Communication
Leadership Practices
- The ERM Process is an important element in strategy and planning.
- Evaluation and measurement of performance improvement is part of the risk culture.
- Measures for risk management include process and efficiency improvement.
- Deviations from plans or expectations are also measured against goals.
- A clear, concise and effective approach to monitor progress toward risk management goals is communicated regularly with business areas.
- Individual, management, departmental, divisional and corporate goals are linked with standard measurements.
- The results of key measurements and indicators are reviewed and discussed by senior management and board (or committee) members on a regular basis and as frequently as necessary to address breaches in risk tolerances or limits in a timely manner.

Risk Reporting and Communication
Examples of reporting and communication:
- Board of directors to senior management (i.e. CFO, CEO, COO) and business unit functional heads (management/head of finance, internal audit, etc.).
- You would want to know the sample content, format, frequency and use of reports.

Risk Reporting and Communication
Questions to consider:
- How is the importance of ERM communicated to the organization? What kind of training is involved?
- How is compliance with limits and tolerances communicated and tracked?
- How are results tracked by senior management or the board?
- How are breaches of limits and tolerances addressed and communicated?

Risk Reporting and Communication
Concerns to consider:
- There needs to be both top-down and bottom-up communication.
- The Board is not regularly given key reports.
- Lack of clarity about what action should be taken, i.e. on breach of limits, etc.
- Communication is not documented.
- There is no timely reporting of new risks or breaches identified.

Questions
Joe Fritsch, Director, INS Companies
Don Carbone, Exam Manager, INS Companies