Risk management requirements and ORSA: are you ready?
Changes effective in many states by 2015
INSIGHT ARTICLE |
The Own Risk and Solvency Assessment (ORSA) will require a significant change in the way most insurance companies conduct enterprise risk management (ERM). An ORSA submission will be required for legal entities with premiums exceeding $500 million or holding company systems with premiums exceeding $1 billion. The date on which insurers will need to comply with ORSA varies by state, but it is expected to be in force in many states by 2015. Insurers need to start now to understand how they need to adapt their ERM practices to comply.
Some historical perspective will help explain why the NAIC had made this significant change.
Insurance companies have long provided historical information and analysis to regulators on a quarterly and annual basis, which allowed regulators to understand balance sheet risk and delve deeper as necessary. As a result of the financial crisis, however, state insurance regulators had to re-evaluate how they monitor prospective business risk. They also needed a stronger approach to monitor holding company risk as well as the traditional focus on legal entities.
Most will agree the financial crisis was not the result of bad financial reporting, but rather a lack of robust risk identification and risk mitigation strategies. Many key solvency issues resulted from prospective (i.e., after the balance sheet date) risks like development of new products that were not properly vetted by senior management or boards of director, or that, when vetted, were not appropriately mitigated. While many companies had robust risk management processes in place, their business models made poor assumptions, especially regarding worst-case scenarios. In addition, many executive compensation programs were structured to reward management on short-term performance, thus not motivating proper attention to the long-term health and risk exposure of the company or holding company structure.
As a result, the NAIC, through its Solvency Modernization Initiative (SMI), has led a seismic shift in the future approach of U.S.-based insurance regulation. The amendments to the Insurance Holding Company System Model Act (#440) and Model Regulation (#450), which we refer to within this article as the HCA. or the Act, are designed to focus on prospective business risks versus the traditional retrospective focus of a point-in-time financial statement review. These changes focus on two main areas:
- Less reliance on the historical review of point-in-time financial statements in favor of a deeper focus on prospective business risks, corporate governance and risk management
- Focusing beyond the traditional boundaries of individual legal entities to include consideration of the risk throughout any holding company structure, including the perceived risk to insurance companies from non-regulated entities within their holding companies.
To broaden the focus on holding company issues, the HCA introduces the concepts of walls (the boundaries of individual legal entities) and windows (the view upward into holding company activities). The HCA clearly recognizes that many key solvency risks are generated above the legal entity level and can only be identified, mitigated and monitored appropriately at the holding company level. Therefore, the HCA will allow U.S. regulators to better understand and review holding company actions and related corporate governance issues.
The HCA aligns U.S. insurance regulation with the most sophisticated company ERM processes used today. It also better aligns U.S. regulation with international regulators, who have traditionally reviewed holding company structures. This new focus by U.S. insurance regulators on risk management will require both large and small insurers to improve their ERM programs.
An ORSA overview
ORSA incorporates traditional ERM concepts with prospective business planning in both normal and stressed environments. ORSA has two primary goals:
- To foster an effective level of ERM at all insurers, through which each insurer identifies and quantifies its material and relevant risks, using techniques that are appropriate to the nature, scale and complexity of the insurer’s risk, in a manner that is adequate to support risk and capital decisions.
- To provide a group level perspective on risk and capital, as a supplement to the existing legal entity view.
The NAIC ORSA Guidance Manual (the NAIC Manual) contains three sections:
Section 1- Description of the Insurer’s Risk Management Framework.
This description should address risk culture and governance; risk identification and prioritization; risk appetite, tolerances and limits; risk management and controls; and risk reporting and communication.
We believe most fully developed ERM programs will produce the information necessary to satisfy Section 1 of ORSA. Companies need a comprehensive approach to identify and rank inherent risk as well as effective risk mitigation efforts to reduce identified risk to acceptable levels. Companies also need a real-time process to incorporate new risk information and monitor and respond to changes in their risk profile due to economic or operational shifts. However, many companies that meet the premium threshold for ORSA may require additional work to support the section 2&3 requirements explained below.
Section 2 - Insurer Assessment of Risk Exposures.
This section requires quantitative and qualitative assessments of risk exposure in both normal and stressed environments for each material risk category identified in Section 1. Examples of material risk categories include, but are not limited to, credit, market, liquidity, underwriting and operational risks.
The NAIC Manual does not require a standard set of stress conditions but allows the regulator to have input regarding the level of stress that company management should consider. The analysis should be conducted in a manner consistent with the way the business is managed, for example, on a group or legal entity basis. Where risks are not subject to quantitative analysis, the NAIC Manual suggests qualitative assessments and cites operational and reputational risks as areas requiring qualitative methods.
The goal of Section 2 is to provide the company and regulator information that allows better evaluation of risks that could cause the company to fail. The NAIC Manual acknowledges that history may be useful when assessing future risk impact, but in some cases history may not be a good predictor.
This section of ORSA likely will prove challenging for most companies, both large and small. A significant objective is a candid analysis of risk impact under normal and stressed conditions, which will require significant judgment. A challenging current example for the health industry is the impact of the Affordable Care Act (ACA) in 2014 and beyond. The ACA could dramatically impact existing book of business assumptions based on nationally defined essential benefit packages and exchanges. Consumer behavior under the ACA is hard to predict. There may be a change in the cash flow patterns of the business with the introduction of a new customer group as well as reimbursements from the government which may be delayed until August of the following year. Also, health entities may have difficulty generating future surplus via the underwriting cycle because of the rebate requirements included in the ACA.
Section 3 - Group Risk Capital and Prospective Solvency Assessment.
This section of ORSA requires a two-to-five year projection using the data in Sections 1 and 2. The goal is to determine if capital is sufficient under normal and stressed scenarios. It is expected that risk capital, which is the regulatory standard, will be compared to available capital to ascertain excess or deficient capital levels. The analysis should consider contagion risk, concentration risk and complexity risk in the group risk assessment. It should also consider liquidity risk and restrictions on the fungibility of capital within the holding company system.
This prospective solvency assessment should demonstrate that a company has the financial resources necessary to execute its multiyear business plan in accordance with its stated risk appetite and overall risk philosophy defined through its ERM program. Management should address actions it will take to remediate any capital adequacy concerns.
Key ORSA challenges
The most important element of effective ERM is the right tone at the top. From the board and senior management down, there has to be a consistent and disciplined emphasis on identifying, understanding and mitigating risk. That tone needs to be baked into processes across all facets of the operation – it has to become part of the company’s DNA. For too many insurers, risk management is a siloed process, and now must be integrated into operations.
Insurers also must make sure they are taking an appropriately broad view of risk. Some risks are clear. Life insurance companies are already painfully aware of the dangers of low interest rates. Property and casualty companies understand the need for underwriting discipline. Health insurance companies know that the ACA will create significant new risks, and that they must monitor developments as the program matures so that they can adjust appropriately.
But there are other risks, such as demographic risks, that also need to be considered. Younger consumers’ insurance habits are significantly different from those of proceeding generations. In general, when it comes to life insurance, they are buying less insurance and are buying it later in life. They are buying homes later, which affects property and casualty insurance decisions. Companies that rely on historical models to project future results could create significant risk if they do not consider these changes.
There are technical risks. Are your systems generating the information you need to appropriately understand your operations and, therefore, your risks? Consumers continue the trend away from buying and managing their insurance through agents. Instead, they are buying it online and are expecting to manage their claims online as well. Is your technology keeping pace?
There are market risks. For example, property and casualty insurers intent on chasing sales might relax underwriting standards or lower premiums to inappropriate levels in order to attract customers. If competing insurers follow suit, they end up taking on the same risks. Insurers have to have the discipline to stick to appropriately underwritten and priced products, even shrinking if necessary, to keep risks at acceptable levels.
The economic crisis drove home the point of economic risk, yet many insurers have not effectively integrated those lessons into their ERM practices. An economic downturn drives down demand for insurance products. Simultaneously, as businesses of all kinds learned, access to traditional sources of capital can dry up. How would your company address a decrease in revenue? Do your ERM practices effectively address a significant downturn in your investment portfolio’s performance? Finally, as many companies learned, you can’t base your stress testing on a bad-case scenario, you need to consider a worse-case scenario. Are you building enough stress into your modeling?
Companies should even consider issues like human resources risk, which can include steps like ensuring there are appropriate succession plans in place for key leadership positions.
These are just examples—each insurer is unique, so the total spectrum of risks you must consider is unique as well. What effective ERM does, and what ORSA will demand, is the disciplined and effective identification, quantification and mitigation of the full range of risks that you confront.
Are you ready?