Articles - Insights: Own Risk and Solvency Assessment


 Engaging the business in Solvency II
 
 By Towers Watson
 Solvency II goes beyond defining the technical specifications to calculate the solvency capital requirement and this is no better demonstrated than in the need for companies to perform an Own Risk and Solvency Assessment (ORSA).
 The requirements around the ORSA are still developing but the emphasis is on robust processes and governance structures to support effective risk management and measurement. In this article we discuss the emerging requirements around the ORSA and what companies can do now to use the ORSA to generate wide business engagement.
  
 The ORSA in context
 In the broadest sense, the ORSA represents a further step on the road to a fully functioning Enterprise Risk Management (ERM) framework (see Figure 01). The ORSA is a means by which an insurer can bring together their risk management and measurement activities and use the information to support business decisions.
  
 
  
 Unlike the standard formula or internal model, the approach to the ORSA, subject to some minimum requirements, is deliberately non-prescriptive. This puts the onus on companies to decide on how they implement the ORSA. This flexibility means that companies can iteratively improve the ORSA to better reflect their individual risk profile. Looking longer term, we can see companies using the ORSA as a stepping stone towards the use of an internal model. Indeed, companies are expected to submit their ORSA or part of the internal model application to supervisors.
 In a Solvency II world, we expect the ORSA to exert increasing influence over key operational activities such as strategy, business planning, pricing, capital management, product design, risk transfer and asset liability management, as well as acting as a key reference point for the Board and other decision-making bodies.
  
 In effect, the ORSA will be the active face of Solvency II both within the wider business and for external stakeholders. In practice, the significant overlap between the ORSA and ERM means that there is an opportunity for companies to embrace the ORSA as a mechanism to gain business benefits out of their substantial investment in implementing Solvency II.
 Interestingly, the ORSA extends beyond Solvency II and we have seen a number of other territories looking to incorporate similar concepts within their regulatory regime. Going forward, it is clear that the ORSA will form a key reference point for supervisors and other stakeholders such as rating agency analysts and shareholders.
  
 Understanding the ORSA requirements
 The requirement for an ORSA is described under Article 45 within the ‘System of Governance’ section of the Solvency II Directive. Further regulatory guidance on the ORSA was provided in a CEIOPS (now EIOPA) issues paper in 2008. In this paper, ORSA was defined as “the entirety of the processes and procedures employed to identify, assess, monitor, manage, and report the short and long-term risks a (re)insurance undertaking faces or may face and to determine the own funds necessary to ensure that the undertaking’s overall solvency needs are met at all times”. Table 01 summarises some of the key requirements around the ORSA from various stakeholders worldwide.
  
 EIOPA has indicated that all undertakings, including small ones, will need to perform an ORSA in order to understand their own financial condition and solvency position. Although no explicit guidance is given on proportionality and the expectations for different types or sizes of companies, we would expect that the ORSA requirements (for example, frequency) will vary depending on the nature, complexity and scale of the risks inherent in the business. Groups will be required under Solvency II to perform an ORSA at the overall group level as well as preparing one for each solo entity. The principle of proportionality means that complex groups are likely to face increased scrutiny on the ORSA. The group analysis will require a number of additional steps beyond those faced by solo entities. This includes analysis of risks observable only at group level such as contagion risk and intra-group transactions, examining the availability, transferability and fungibility of capital within the group and reflecting differences in strategy at the group level compared to the solo level.
  
 Additional Level 3 guidance from EIOPA is expected to be released for formal consultation later this year following the publication of the Level 2 measures by the European Commission. We expect this guidance to include a requirement for the management body to develop an ORSA policy. This will include details on governance, processes and procedures, links between the risk profile and solvency needs, stress and sensitivity testing, assumptions, risk aggregation, data quality and ORSA frequency.
  
 For many companies, the ORSA policy is likely to be a wide-ranging document, so making an early start will help to ensure that the ORSA project heads in the right direction. Setting the ORSA context early will also help ensure that it is appropriately linked with the business plans and processes from the outset and will therefore enable the work to be completed more efficiently and robustly, making best use of increasingly scarce resource. Further regulatory guidelines are likely to be non-prescriptive, deliberately so, and will ‘focus on what is to be achieved by the ORSA rather than how it is to be performed’.
  
 Comparing ORSA to Pillar 1 requirements
 Under Solvency II, the ORSA does not in itself constitute a regulatory capital requirement. However, for standard formula companies we would expect that if the ORSA were to highlight that the standard formula SCR did not adequately reflect the risk profile of the company, for example because the standard formula operational or catastrophe risks were too simplistic, then there may be a stronger case for capital add-ons or pressure from supervisors to move to develop a full or partial internal model.
  
 Although it is not a requirement for companies to have an internal model in order to complete the ORSA, we do expect that for companies managing complex or large scale risks, the ORSA would build on their internal model framework, and will be a key element of meeting the use test for internal model approval. If a company identifies additional risks impacting the business over a one-year period as part of the ORSA process, then there may be pressure from supervisors to include these within the internal model.
  
 There may however be good reasons why the ORSA gives rise to a capital amount that differs from the regulatory assessment. For example, a company’s risk appetite may require it to hold capital in excess of the regulatory minimum. This should certainly not lead to regulatory capital add-ons. Overall, there needs to be a constructive dialogue between companies and supervisors in order to ensure that fear of a capital add-on does not inhibit the production of a robust ORSA.
  
 
 
 
  
 What does the ORSA actually mean for companies?
 The ORSA builds on pre-existing concepts from an ERM framework, such as risk appetite and the need to link to business strategy, and translates them into a specific process that presents management with a picture of their own company’s capital and risk position that can be used to steer the business.
 Some of the key components that would underlie the ORSA process are shown in Figure 02.
  
 At the heart of the ORSA is the risk culture of the organisation. Risk culture can be defined as the norms and traditions of behaviour of individuals and of groups within an organisation that determine the way in which they identify, understand, discuss, and act on the risks the organisation confronts and takes. Evidence of a positive risk culture includes committed leadership, vertical escalation of concerns, appropriate sharing of information, active learning from mistakes and incentives that reward thinking about risk across the organisation. Lack of a positive risk culture is likely to lead to ineffective risk management within the organisation.
  
 Risk culture is the responsibility of the leadership team. It has been argued that a poor risk culture in certain organisations helped contribute to the last financial crisis. It is therefore no surprise that regulators and rating agencies see this as one of the areas of focus in order to understand whether risk is handled appropriately in the organisation.
 The risk appetite of an organisation represents its overall philosophy to risk taking and the expectations of its stakeholders such as shareholders, policyholders and bondholders. It is set and endorsed by the board through discussions with management. Specifically, it defines the amount of total risk exposure that an organisation is willing to accept or retain. This could also include an assessment of which risks the organisation does not wish to accept and the reasons for this. The risk appetite should reflect the company’s business strategy and, typically, would include earnings, capital related and other measures which are important to the organisation. Normally the risk appetite is expressed in qualitative terms using key metrics and forms the basis for the overall risk management framework. It is then translated into quantitative definitions of risk tolerances and associated limits by which risk is managed in the undertaking.
  
 
 
  
 The risk identification and assessment process is a holistic review of all the risks to which the organisation may be exposed and an assessment of these for consistency with the risk appetite. Recent developments, such as the Quantitative Impact Studies, have given a standard nomenclature to many of the risks to which an organisation is exposed. For companies looking to use the standard formula, the risk identification process may highlight certain risks such as liquidity, volatility and operational risks which are either not covered or for which a simplified approach has been adopted in the standard formula.
  
 Companies that are using an internal model would be expected to have already identified the material risks that impact the business over the one-year SCR calculation period. If additional material risks are identified as part of the ORSA process then it is likely that the regulator would expect these to be included in the internal model.
 Additional work for the ORSA would include wider thinking around the areas of emerging risks, risks associated with new business and operational risks to which the organisation may be exposed particularly over a longer time horizon. Risk measurement is an area which is already being enhanced due to other work around Solvency II.
  
 The recent QIS exercises and internal model option have helped standardise the methodology around economic capital assessments (VAR measure over one year to protect against 1 in 200 year events). This forms the basis of the regulatory standard, but we would also expect the risk measurement capability to reflect the additional requirements needed to meet the risk appetite. For example, if the organisation wished to hold capital to a higher standard than the basic regulatory requirements for internal purposes, then the risk measurement process would need to reflect this. Our interpretation of the continuous monitoring requirement is that companies will need to demonstrate that they can meet the regulatory requirements (SCR and MCR) as the operating environment changes. For companies with significant surplus capital this could be done with some simple calculations.
  
 Other companies may need to develop a series of key risk indicators (KRIs) which are linked to the capital requirements but relatively easy to monitor and communicate. These indicators could be updated at different frequencies, for example daily for market movements, weekly or monthly for operational items such as customer complaints and quarterly or semi-annually for life insurance risks. We note that for a number of companies, the continuous monitoring requirements as well as the need to make more granular information available to the business for timely decision making have led to the development of more sophisticated modelling systems. In particular, we have seen greater use of ‘lite’ models such as replicating portfolios or curve fitting techniques for life business, particularly for products with significant options and guarantees, as these products are heavily dependent on financial market conditions and traditional techniques for valuing these products do not lend themselves to continuous monitoring.
  
 Risk reporting disseminates the risk measurement information to users across the organisation. It is therefore important that it is presented in a way that facilitates understanding from different parts of the business. This would likely lead to the development of risk dashboards with early warning indicators in order to help users interpret the risk measurement information. For example, a traffic light system could be used to indicate if the actual risk exposure is outside the limits developed from the risk appetite. This will allow management to take necessary risk mitigation actions to bring the exposure back inside risk appetite.
  
 The ORSA also has a forward looking element and link to the business strategy. For many companies this should build on existing capital management processes. These tend to be based on the current Solvency I requirements but in the future capital planning will need to link to the Solvency II requirements. Typically, companies have business planning processes which look at new business sales under base, optimistic and pessimistic scenarios. As part of the business planning process, companies would need to understand the implications for the capital position under these scenarios; for example, does the company have sufficient capital to support organic growth under optimistic sales plans? These would also be tested under different risk scenarios, as described below.
  
 Equally, organisations contemplating major strategic acquisitions or divestments will need to look at the impact on the risk profile of the organisation and confirm that it remains within the accepted appetite and tolerances set by the Board. Similarly, product pricing, product design, risk transfer and asset liability management processes will need to be regularly reviewed in order to ensure consistency with risk appetite and capital constraints.
 There is some debate on the extent to which companies need to develop sophisticated projection capability to satisfy the ORSA requirement. This would depend on the level of complexity within the organisation and methods employed may range from (simple) stress and scenario tests to varying levels of sophistication in economic capital modelling. In reality, projection capability is likely to be developed iteratively and the focus should be on the high-level messages on how the risks carried by the company may unfold over time and a description of the actions that senior management could take in reaction to certain potential future events.
 Scenario testing is another tool within the ORSA and our experience is that the use of scenarios helps make risk management real for those responsible for running the business. The value for decision makers is to think through the business impact of real life events such as a deep recession or high inflation environment and how they might respond in such situations. We are seeing greater use of scenarios in other areas such as the stress testing being undertaken by EIOPA. Scenario testing need not be confined to the impact on capital measures but also linked to elements deemed important within the risk appetite, for example IFRS or other earnings.
  
 For larger groups, scenarios would need to be considered both for the individual legal entities and for the group as a whole and these can be quite different. Some work would be required at the group level in developing consistent group-wide scenarios and a natural starting point might be the work currently being undertaken as part of the proposed EIOPA stress testing for large insurance groups.
 We have also seen greater development around the area of reverse stress testing. For reverse stress testing, the organisation considers its key business objectives and then thinks more widely about the scenarios that could lead to a failure to meet these objectives. For example, the company may think about scenarios which could cause the market to lose confidence in its ability to write new insurance business. These scenarios help make risk management real and encourage the organisation to think more widely about the environment in which it operates. Given the focus of reverse stress tests on the viability of the business model, they are likely to play a key part in strategic planning and, hence, play a key part in the ORSA process.
 To support the ORSA, appropriate governance structures would be required. In many cases, ALM, risk, capital and audit committees have evolved over time with sometimes overlapping responsibilities. Some companies are using Solvency II as an opportunity to rationalise their decision-making committees. Going forward, companies will also have more granular and timely risk information available and the committee structure may need to reflect this, for example, meeting more frequently or providing delegated authorities to act within certain risk positions.
 Although many companies will have components of the ORSA already in place, we believe one of the major challenges is joining up the process in a coherent manner. For example, companies typically have risk identification, risk measurement and risk reporting processes already in place, but often these are not aligned and this will need to be done as part of the ORSA development.
  
 There will be multiple stakeholders, often located in different places, and it is therefore essential that the process is well understood and that communication between linked elements is clear, efficient and timely. Clear ownership for delivery of the elements of the ORSA will need to be defined.
 To support the ORSA, documentation will be required, such as an ORSA policy, ORSA process and ORSA report. For the ORSA to be used by senior management, we feel there should be focus on developing a slim-line report which can be used to engage the executive; effectively a high-level explanation of how risk is managed within the business. This report could follow a cascade structure and link to the other significant documentation requirements that exist around the public and supervisory reporting, internal models and internal requirements.
  
 Although the depth and breadth of ORSA documentation is in line with Solvency II general standards, it is likely to be in excess of what most companies are producing under the current Solvency I framework. This is likely to be a challenge for organisations (especially groups) that are not already enhancing their existing documentation as part of the internal model application.
  
 Responsibilities for the ORSA
 The key to success will be in achieving a timely and understandable flow of information leading to timely and appropriate decisions and actions if required. Within the organisation, the ORSA will be a joint effort and Table 02 shows some expected responsibilities from the various stakeholders. In addition, companies will need to consider the sequencing of activities that would be required as the ORSA becomes embedded as part of an annual business as usual process.
  
 
 
  
 An illustrative timeline for the ORSA process is shown in Figure 03. Deciding on the sequencing of activities will be a challenge and the results will be company specific. It will depend on, amongst other things, the requirements from other stakeholders such as the group parent, business complexity and volatility, the level of dependency between the various activities and the availability of resources. For example, some companies may decide to complete their ORSA report early in the year, once a robust annual SCR has been calculated. Others, as illustrated, may decide to complete their report once the business planning cycle has completed, and others may decide to complete the report when resources are less busy with other activities.
  
 Companies for which the risk appetite is stable over time may look to apply a light touch refresh early in the year whilst companies who frequently update their risk appetite to target specific business opportunities may need to have stronger links to the business planning process.
  
 Many of the activities required for the ORSA process will already exist as part of the business as usual process. However, it may be necessary to reconsider the sequencing of these activities to ensure that they make sense in the context of the ORSA process. This will require involvement from the existing stakeholders with a view to developing designated owners for the new process. There are also some new activities which will take place. The Solvency II SCR calculation will be carried out at least on an annual basis and may be updated regularly to allow for continuous monitoring. The regularity and robustness of the updated calculation will vary from company to company. Companies may also wish to measure the risk culture of the organisation on a regular basis.
  
 It is important to note, however, that the ORSA does encompass all the activities shown and it is not just about producing the report. There should be designated owners for the activities but the company needs to maintain flexibility to change the business as usual process and repeat activities if certain events occur, for example, a market crash or the acquisition of a block of business. A rigid process will not encourage dynamic and effective risk management.
  
 
  
 Implementing the ORSA – A different way of working
 The ORSA features in many companies’ project plans for implementing Solvency II. However, our experience is that companies often treat the ORSA as something new and do not recognise how much pre-existing work can be used to develop the ORSA. There is also a risk that companies fall into planning paralysis as the views on the ORSA evolve leading to a constant re-planning exercise. For companies implementing the ORSA the challenges include leadership engagement, risk culture enhancement, access to sufficient skilled actuarial and risk management resources and dealing with legacy systems, data and processes.
 However, given its strategic nature, the ORSA should be a value-adding project which engages with senior management. We would recommend the following approach to ensure a good outcome from your ORSA project:
  
 Focus on deliverables and outcomes
 Deliverables provide a point of focus for the organisation and many of the ORSA components are “no regrets” projects. They also break the project into manageable pieces and allow learnings to be shared across the organisation. A sample of the deliverables which companies could meaningfully work on now is provided in the following section. Such deliverables can be used to engage management and supervisors early in the process. They help identify links and dependencies with other parts of the Solvency II project and build momentum internally for the view that Solvency II can be more valuable than just a regulatory compliance exercise.
  
 Simultaneous top-down and bottom-up assessments
 Thus far, the focus of Solvency II has been improved risk measurement (Pillar 1) with the QIS exercises and internal model development. However, the risk information produced will ultimately be used to help steer the business.
 We believe that companies need to work in parallel on the top-down reports (which would specify the information that will be available in the future) and bottom-up assessment of systems (to populate the reports on a best-efforts basis) based on existing capabilities. This parallel work maximises progress and allows the organisation to engage early with management on the content and structure of the top-down reports such as the risk appetite, scenario testing and ORSA report (although recognising that the systems may not yet be able to fully populate these reports).
  
 Iterative approach
 Our suggested approach to the ORSA is iterative in that several pilots are conducted with incremental advances each time. This ‘improvement in stages’ approach, so that there are several iterations in advance of January 2013, is better able to cope with the Solvency II regulatory process where the new regime is agreed in stages. It will also enable the ORSA to take account of emerging best practice and for this to feed in between iterations without resulting in a constantly moving target during development. An illustration of the iterative approach for the ORSA is shown in Figure 04. We would expect such an approach to be more efficient than the alternative of a ‘big bang’ implementation as it raises issues early and in a practical manner and again reinforces the decision process on key priorities and actions. It has the additional key advantage that it enables concrete progress to be seen by the management and supervisors as the Solvency II deadline approaches.
  
 
