Kalpana Kalpana (Editor)

Own Risk and Solvency Assessment

Updated on
Edit
Like
Comment
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit

At the heart of the prudential Solvency II directive, the Own Risk and Solvency Assessment (ORSA) is defined as a set of processes constituting a tool for decision-making and strategic analysis. It aims to assess, in a continuous and prospective way, the overall solvency needs related to the specific risk profile of the insurance company. Risk Management and Own Risk and Solvency Assessment is a similar regulation that has been enacted in the USA by the NAIC. Other jurisdictions are enacting similar regulations to comply with the Insurance Core Principle 16 enacted by the IAIS.

Contents

Context

The second pillar of Solvency II plans to complete the quantitative capital requirements with quality requirements and a global and appropriate risk management system. The reform provides measures on governance, internal control and internal audit in order to ensure sound and prudent management practices from insurers. Impacts in terms of risk and solvency should supply into upstream strategic decisions. The internal assessment process of risks and solvency, known as the ORSA, is the centerpiece of this plan.

In an operational way, the ORSA is part of global process of Enterprise Risk Management (ERM).

It is part of a cyclical and iterative system involving the board of directors, senior management, internal audit, internal control and all employees of the company. It aims to provide a reasonable insurance on compliance with the strategy of the company against risks.

The ORSA is voluntarily defined broadly by the regulation to encourage insurers to question themselves on the framework of an internal system dedicated to control and risk management. It must in all cases be succinct, easy to update and respect the principles of materiality and proportionality.

Operational implementation

Insurance companies are in the process of setting up their Solvency II plans and generally, the setting up of the pillar 1 has been prioritized. Therefore the ORSA plans are still not mature on the market.

However, it appears that four key steps can be identified in the operational implementation of the ORSA:

  • The definition of the risk profile
  • The implementation of a strategy for risk management
  • The evolution of strategic processes
  • The production of the ORSA report

    • In the USA, companies are at various stages of ORSA readiness.

    Definition of the risk profile

    The risk profile includes all of the risks that the company is exposed, the quantification of these exposures and all protective measures to those risks.

    The risk profile is different from the regulatory capital determined under Pillar 1. It takes into account the specificities of each insurance company, it integrates all material risks, in a prospective view, and the ORSA leaves open the definition of solvency or the risk aggregation methodologies.

    In practice, the definition of the risk profile will be increased by the realization of an all-risks mapping, including both the risks identified as part of pillar 1 of the reform Solvency II - underwriting risk, market risk, counterparty default risk, operational risk, intangible asset risk - but also other risks specific to each insurer - illiquidity risk, business risk, strategic risk, reputation risk, etc..

    Once the mapping is done, a metric must be defined to quantify the risks. The company can use what is done on the pillar 1 such as a measure of risk, a time horizon and/or a different security level most suitable to its strategy for controlling the risks.

    Implementation of a risk management strategy

    Once the risk profile is established, the administrative, management and supervisory body must set up the risk management strategy of the company through the following elements:

  • The risk appetite
  • The risk tolerances

    • The risk appetite is the maximum aggregated level of risk that a company wishes to take. The risk tolerances represent bounds on the acceptable performance variation associated with the different risk factors.

    One of the major roles of the risk management function is to support the administrative, management and supervisory body in order to get him to comment on this strategy. The risk management function must not only pass the information necessary to operate, but also give the keys to an appropriation of the culture of risk and a critical analysis of these elements by the leaders.

    Finally, the risk limits are the operational implementation of the risk tolerances. The risk management function shall coordinate the trades in order to define:

  • How these risk limits should be expressed;
  • The methodology for the translation of appetite and tolerances into limits of operational risks.

    • Evolution of strategic processes

    All decisions made in the daily management of the company must then respect the strategy defined. In order to maintain the risk profile to a level consistent with the risk appetite, the leaders have four main strategies:

  • Abandonment of risk ;
  • Reduction of risk ;
  • Transfer of risk ;
  • Acceptance of risk.

    • Major strategic processes of the insurance company, as the definition of trade policies, reinsurance and asset liability management, should be revised to integrate the dimensions of risk and solvency in the decision-making process.

    Moreover, the ORSA should enable continued compliance with regulatory requirements in terms of own funds. For that the insurer must establish a set of systematic processes to monitor and control continuous compliance with the risk limits and identify major events - internal or external – which have a significant impact on the risk profile and lead to the update of the ORSA.

    ORSA report

    The ORSA is the subject of several reporting requirements:

  • The ORSA is integrated into the narrative of new reports required in Pillar 3 of the reform, both destined for the supervisor and the public;
  • The ORSA should be a set of internal reporting, particularly during the strategic processes that it must supply;
  • As part of Level 3 measures being drafted by EIOPA, the ORSA should be a specific reporting, the ORSA report, bound for the administrative, management and supervisory body.

    • Generally, a reporting on the ORSA will contain two parts:

  • A qualitative report: Description of the risk profile and risk management processes in place;
  • A quantitative report: Description of the quantitative methodologies used in the context of the ORSA, results, defined strategy, and conclusions.

    • The US ORSA report will contain three sections, as described in the ORSA Guidance Manual:

  • Description of the insurer’s enterprise risk management framework
  • Insurer assessment of risk exposures
  • Group risk capital and prospective solvency assessment

    • References

    Own Risk and Solvency Assessment Wikipedia
    (Text) CC BY-SA