Own Risk and Solvency Assessment (ORSA)
Within the core of the Solvency II directive, the Own Risk and Solvency Assessment (ORSA) appears as a proven decision and analytic tool and a central element assesses to define the specific risk profile of the insurance company. Risk Management Strategies and ORSA are both a dedicated regulation by the NAIC from the USA Authorities. Core Principle 16 enacted by the IAIS is leading other jurisdictions to enact similar regulations.
The quantitative capital requirements, included in the second pillar of "Solvency II" must be completed with requirements and a global / accurate risk management system. In addition to the mentioned requirements a full set of measures on governance, internal control and internal audit are established to secure all insurers. ORSA is is an internal assessment and analysis process that must be integrated in the strategic decision-making process. It constitutes a global and forward-looking approach of the overall risk management strategy
ORSA has been created to provide a group level vision on risk and capital as an addition to the existing legal entity view, as well as an appropriate level of ERM (Enterprise Risk Management), through which each insurer identifies, assesses, controls and reports on its material and relevant risks
ORSA is required to assess the adequacy of a firms risk management framework, and current/projected solvency positions. Risk assessments have to be prompt, easy to update and respect the principles of clarity openness and moderation within global requirements currently being developed.
ORSA is part of the wider Solvency II initiative that is the driving force for overall reform towards risk control and mitigation. It was first conceived in 2009 by the European Parliament and European Council.
The ORSA is detailed in "Article 45" of the Solvency II Directive.
- The high level aims of the Directive can be summarized as follows: The overall solvency of a firm needs to take into account the specific risk profile, approved risk tolerance limits and the business strategy of the Insurer
- The compliance, on a continuous basis, with the capital requirements, and with the requirements regarding technical provisions;
- The significance with which the risk profile of the undertaking concerned deviates from the assumptions underlying the Solvency Capital Requirement.
Currently companies focus on the implementation of Pillar 1 of Solvency II, only once those are implemented will the priority switch to developing their ORSA
The operational implementation of ORSA for an insurance company can be divided in to 4 steps. These are:
- Development of the risk profile
- The implementation of a strategy for risk management
- The evolution of strategic processes
- Process of executing and collating the ORSA report
The risk profile consists of grouping all of the risks that the company is subjected to, and the planned measures that will be required to mitigate against them.
A risk mapping exercise should be performed, with the risks identified as part of Pillar 1 and with the addition of the insurance risks (liquidity risk, business risk, strategic risk, reputation risk, etc..)
Four types of risks
An Insurers risk appetite and risk profile should be coherent, clearly documented and communicated. Firms have four different options available to them to when deciding upon an appropriate course of action for each risk identified. These can be summarized as follows:
- Reduction of risk
- Transfer of risk
- Abandonment of risk
- Acceptance of risk
The objective is to integrate the dimension of risk and solvency in the decision-making process, and all the aspects in terms of ALM must be reviewed
Processes should be monitored methodically to ensure that the limits are still within the threshold defined, and to ensure that all the events with major impacts are noticed and taken into account.
Risk management strategy
Second step is the implementation of a risk management strategy via two key processes :
- Determining the strategic risk appetite of a firm: maximum amount and type of risks that a company is willing to accept
- Setting a Risk tolerance: the acceptable variance regarding a risk threshold, expressed as upper and lower limits, measured against a baseline
The implementation of a risk management strategy is a key element to guide and assist the Board, with the objective being to ensure that a proper risk assessment is performed in order to monitor the overall risk to the organization. It should also help to define and embed the risk culture of the company using a top down approach
From this the risk appetite and the risk tolerance should be defined and validated by the management of the company. An agreement on the limits or variation should be reached, and then the implementation into limits of operational risks should start.
Key elements include the following: New reports required in Pillar 2 of the Solvency II, for regulators and public
Internal reports used fort the Board and those that work within the Risk Control function ORSA reporting contains:
- Description of the overall risk profile of the firm along with detailed individual drivers of risk and the risk management processes in place to provide sufficient governance to the overall process
- Description of the quantitative methodologies used in the context of the ORSA, results, defined strategy, and conclusions
ORSA will be an important component of the risk management system for insurance companies. In their risk strategy, insurers will define the level of "risk acceptability". Management must decide whether risk mitigation techniques such as risk transfer through reinsurance are appropriate, or whether it is possible to diversify the risks. That is why in Asia ORSA or similar tactical processes will be implemented.
ORSA regimes are implemented or under development in all markets.
ORSAs have been included in the International "Association of Insurance Supervisors" (IAIS') list of Insurance Core Principles (ICPs).
Regulators in Asia's markets are also planning changes to their risk measurement and management requirements.
State of Progress
- In Malaysia, the first ICAAPs have been done, and Bank Negara Malaysia (BNM - the central bank), has to propose new rules to company's processes and policies.
- Singapore's risk framework which first appeared in 2004 has evolved over the years. In 2012, the monetary authority of Singapore (MAS) issued a paper of the revised risk based capital regime. The MAS requires all licensed insurers to adopt ORSA in their ERM from January 2014.
- In China, the Insurance Regulatory Commission has a new solvency framework tht went live in May 2013. It comprises of three pillars : risk management, disclosure and capital requirements
- The Australian Prudential Regulatory Authority (APRA) has finished reviewing their "general insurance capital standards". In 2012, requirements for internal Capital Adequacy Assessments (iCAAPs) were in place, same approach than ORSA.
- There are other countries active in Asia also introducing similar measures, for example, Japan and South Korea, they are in the process of considering new regulations for insurance companies. Japan's financial services agency has, undertaken studies; which include the use of an ORSA type solution. In South Korea the Financial Supervisory Service (FSS) has been discussing the opportunity of including ORSA processes. In other markets, development is limited but when they will be more mature they will have to adopt such rules, so they need to think about it now
Download the Full Article