At the heart of the prudential Solvency II directive, the Own Risk and Solvency Assessment (ORSA) is defined as a set of processes constituting a tool for decision-making and strategic analysis. It aims to assess, in a continuous and prospective way, the overall solvency needs related to the specific risk profile of the insurance company. Risk Management and Own Risk and Solvency Assessment is a similar regulation that has been enacted in the USA by the NAIC. Other jurisdictions are enacting similar regulations to comply with the Insurance Core Principle 16 enacted by the IAIS.
Context
The second pillar of Solvency II is intended to complement the quantitative capital requirements with qualitative requirements and a global and appropriate risk management system. The reform provides measures on governance, internal control and internal audit in order to ensure sound and prudent management practices from insurers. Impacts in terms of risk and solvency should feed into upstream strategic decisions. The internal assessment process of risks and solvency, known as the ORSA, is the centerpiece of this plan.
Operationally, the ORSA is part of the global process of Enterprise Risk Management (ERM).
It is part of a cyclical and iterative system involving the board of directors, senior management, internal audit, internal control and all employees of the company. It aims to provide reasonable assurance of compliance with the company's strategy with respect to risks.
The ORSA is deliberately defined broadly by the regulation to encourage insurers to question themselves on the framework of an internal system dedicated to control and risk management. It must in all cases be succinct, easy to update and respect the principles of materiality and proportionality.
Operational implementation
Insurance companies are in the process of setting up their Solvency II plans, and the implementation of Pillar 1 has generally been prioritized. ORSA plans are therefore still not mature in the market.
However, it appears that four key steps can be identified in the operational implementation of the ORSA:
In the USA, companies are at various stages of ORSA readiness.
Definition of the risk profile
The risk profile includes all of the risks to which the company is exposed, the quantification of these exposures and all protective measures against those risks.
The risk profile is different from the regulatory capital determined under Pillar 1. It takes into account the specificities of each insurance company and integrates all material risks in a prospective view; the ORSA leaves open the definition of solvency or the risk aggregation methodologies.
In practice, the definition of the risk profile will be enriched by carrying out a mapping of all risks, including both the risks identified as part of Pillar 1 of the Solvency II reform (underwriting risk, market risk, counterparty default risk, operational risk, intangible asset risk) and other risks specific to each insurer (illiquidity risk, business risk, strategic risk, reputation risk, etc.).
Once the mapping is done, a metric must be defined to quantify the risks. The company can build on what is done under Pillar 1, such as a measure of risk, a time horizon and/or a different security level best suited to its strategy for controlling the risks.
Implementation of a risk management strategy
Once the risk profile is established, the administrative, management and supervisory body must set up the risk management strategy of the company through the following elements:
The risk appetite is the maximum aggregated level of risk that a company wishes to take. The risk tolerances represent bounds on the acceptable performance variation associated with the different risk factors.
One of the major roles of the risk management function is to support the administrative, management and supervisory body so that it can take a position on this strategy. The risk management function must not only pass on the information necessary to operate, but also give the leaders the keys to take ownership of the risk culture and to analyze these elements critically.
Finally, the risk limits are the operational implementation of the risk tolerances. The risk management function shall coordinate the business lines in order to define:
Evolution of strategic processes
All decisions made in the daily management of the company must then respect the defined strategy. In order to maintain the risk profile at a level consistent with the risk appetite, the leaders have four main strategies:
Major strategic processes of the insurance company, such as the definition of trade policies, reinsurance and asset-liability management, should be revised to integrate the dimensions of risk and solvency in the decision-making process.
Moreover, the ORSA should enable continued compliance with regulatory requirements in terms of own funds. To that end, the insurer must establish a set of systematic processes to monitor and control continuous compliance with the risk limits and identify major events (internal or external) which have a significant impact on the risk profile and lead to an update of the ORSA.
ORSA report
The ORSA is the subject of several reporting requirements:
Generally, a report on the ORSA will contain two parts:
The US ORSA report will contain three sections, as described in the ORSA Guidance Manual: