By John Winter, director of product management for iWorks Risk, SunGard’s insurance business
The National Association of Insurance Commissioners (NAIC) is a voluntary organization of the chief insurance regulatory officials of the 50 U.S. states, the District of Columbia and five U.S. territories. The goal of the NAIC is to perform a critical self-evaluation of the current solvency framework and utilize such evaluation to improve the framework.
Approximately four years ago, the NAIC launched the Solvency Modernization Initiative (SMI) to evaluate ways to improve and update the insurance solvency framework from the 1990s, the point at which a comprehensive evaluation of the solvency system was last conducted. Their work has, at least in part, been inspired by the perceived success of the Solvency II initiative in the EU for improving risk management practices in European insurers.
A major component of the Solvency II framework is the Own Risk and Solvency Assessment (ORSA), which compels firms to be able to demonstrate to the regulator that all relevant and material risks are taken into account, and that weaknesses in risk management processes are addressed by management action. The NAIC have adopted a similar approach, and their intent is that execution of the ORSA becomes part of the standard business routine, with the results periodically reported to the regulator.
Completing an ORSA
What does a business need to do in order to be able to complete an ORSA? There are a number of key items which must be included, based on the ICP 16 directive from the International Association of Insurance Supervisors (IAIS), which concentrates on Enterprise Risk Management. The key sections concerning the ORSA state:
• It must cover the adequacy of the firm’s risk management, as well as the solvency position of the firm both for now and in likely future scenarios.
• It must cover all reasonably foreseeable and relevant material risks, and identify how these risks relate to the capital held by the firm.
• It must contain an assessment of the financial resources required to manage the business, taking the risk tolerance, business plans and strategy into account.
• It must assess the quality and adequacy of the capital held by the firm.
• It must include information on the rationale behind the assessment, and any calculations used to support the conclusions.
• It should include information on any actions arising from the assessment.
• The responsibility for the ORSA rests with the insurer’s board – and to embody this responsibility the creation of a Chief Risk Officer (or an equivalent external officer) is recommended to ensure the effectiveness of the ORSA process.
• ORSAs should be performed regularly, but also as an immediate consequence of any significant change in the risk profile of the firm.
• ORSAs should cover risks from the current or any future structural changes within the firm, for example, membership of an insurance group, or the effects of any changes in subsidiaries.
Much of the rest of the ICP 16 directive is taken up with a definition of what adequate risk management means, and includes items such as the use of internal models to measure risk and initiate management actions or capital requirements, and the inclusion of risk in business decision making, particularly around new business, capital allocation and pricing.
Of course, some of the insurers in the U.S. will already be doing much of this analysis, particularly those with operations in Europe which already have to demonstrate Solvency II compliance on a standalone basis. To avoid unnecessary duplication of this existing effort, both the U.S. and European ORSA definitions leave scope for insurers to use their own internal models and procedures to create their ORSAs, provided they address the key areas above.
Preparation challenges
For many businesses, however, preparing an ORSA still presents many challenges, particularly when it has to be done on a regular basis. For each part of the business, risk registers need to be created, reviewed and assessed. The documentation around these risks, and the controls set up to mitigate them, needs to be updated. Tolerances need to be agreed, and aligned with overall corporate risk policy. Only once this ERM Framework has been put in place can the process of calculating the risk exposures begin.
The calculation effort required to support the ORSA process can often be surprisingly large. The exposures need to be calculated repeatedly, using a range of stresses. The quantitative parts of Solvency II (Pillar 1) pre-define appropriate stresses for the capital calculation (for example, changes in equity values of 45%). But for ORSA, the insurer has more freedom to select the types of stresses which might be relevant, depending on the risk under consideration. Further tests can be run to support more complex scenarios, which combine stresses to model a specific market event, for example, a default on sovereign debt or a pandemic. Combining risk exposures, both stressed and unstressed, into an overall risk number requires risk aggregation techniques using correlation matrices or copulas to model the relationships between the individual components.
Once the exposures are known, and their effects on the required capital have been calculated, they must be documented, along with the assumptions which gave rise to them. There must be a clear audit trail allowing any of the results to be challenged, and traced back through the calculation process to the original input data.
The “spreadsheet culture” of many organisations has made this a significantly greater challenge than expected. However, as the ORSA is viewed as an ongoing, repeatable process, being able to drill down through the contents of not just the current ORSA, but ORSAs from prior periods, can be a vital component in understanding how a business’ risk profile develops over time.
The intent of ORSA, to become part of business as usual, means that the decision makers need to be deeply involved in the ORSA process, and have easy access to its results. More importantly, those results need to be presented in such a way that their meaning is clear, and the effects of a specific decision are obvious. They may also need to be referenced as supporting material to justify management actions, and must therefore be understandable to a wide audience. Unlike many regulatory initiatives in the past, the ORSA is seen not so much as a tool for external supervisors, but as an advantage to the insurers, putting the solvency of the firm very much front of mind.
The ORSA, it seems, is here to stay, and, correctly implemented, can be a great benefit to firms seeking to reassure their stakeholders that their risk management practices are comprehensive. Whilst the first iterations of the process are likely to be difficult and unfamiliar to many, as the supporting activities become automated, reducing the burden on the business and the chances of errors or omissions, it is likely to become a central part of any insurance business.