U.S. insurers have made the case to the insurance regulators at the National Association of Insurance Commissioners (NAIC) who have been drafting the U.S. Own Risk and Solvency Assessment (ORSA) requirements that the ORSA report as defined will contain sensitive proprietary information and must be kept by the regulator in strict confidentiality. This is an indication that this new ORSA may require an entirely new level of disclosure to the regulators by insurers than anything prior.
What Europe Will Soon Require
In Europe, Solvency II will introduce additional disclosure requirements under its Pillar 3 requirements, which remain a work in progress.
Assuming no further delays, European Insurance and Occupational Pensions Authority (EIOPA)’s latest timeline would see the final guidelines published in July 2015 which leaves little time before the implementation date of 1 January 2016. EIOPA’s July 2012 report on its public consultation into reporting and disclosure included draft guidelines for the two reports which companies will need to prepare:
- Solvency and Financial Condition Report (SFCR) – this will be published
- Regular Supervisory Report (RSR) – a non-public report which will only be available to the national supervisor.
Regular Supervisory Report (RSR)
As would be expected, the RSR will be much more in-depth than the public SFCR and will include elements which will affect reinsurance decisions. For example, the section on risk profile will require companies to demonstrate that appropriate risk mitigation is in place for any significant risk concentration at group leve,l which is consistent with the group’s business model, risk appetite and strategy. Showing alignment of reinsurance and risk appetite will be increasingly important for our clients and a key part of our reinsurance optimization process.
Solvency and Financial Condition Report (SFCR)
Although a higher-level document, the SFCR report is expected to include disclosure on the structural elements of the governance structure and risk management system. More interestingly to rating agencies, it will also require an explanation of how the risk management function is integrated into the organizational structure and decision making process.
What the SEC Requires from U.S. Insurers
U.S. insurers who are already subject to extensive disclosure requirements under NAIC statutory reporting and under Securities and Exchange Commission-specified generally accepted accounting principles (GAAP) reporting for the most part include limited information about risk or risk management in either of their two public reports. And even those insurers that do disclose significant amounts of information about risk and risk management disperse that information widely in their annual reports to shareholders. Few, if any, U.S. mutual insurers who do not report to shareholders provide any significant information about risk and risk management to member/policyholders. Many major insurers in Canada, Europe, Bermuda and Asia, where there are not yet any disclosure requirements for risk or risk management information, have for many years been including significant amounts of information about their risks and risk management in their annual reports. Their disclosures inform this discussion of risk disclosure practices as a standard for communications to various constituencies about risk and risk management. Those disclosures do not include the full information that is contained in the ORSA report, but do include a large fraction of what will appear in the ORSA report. The disclosures fall into four main categories:
Risk Management Policy
At least one insurer has said that they simply publish their entire risk management policy in their annual report. Other insurers are doubtless disclosing summaries of their policies. Usually the goals and objectives of the risk management program are included and other aspects of the actual policy may be summarized. A few insurers disclose their risk appetite and tolerance as a part of this discussion.
Risk Management Organization and Governance
It is quite common for insurers to describe the organizational structure of their risk management effort, including especially the involvement of the board, top management and expert risk management staff.
Roughly half of the insurers who provide significant disclosures of risk management include some information about their risk profile, usually in the form of a summary table of internal economic capital model results by major risk type and/or by business unit and/or by territory. Some insurers will provide a discussion of the changes from the prior year to the risk profile.
Key Risk Mitigation Practices
Some insurers include a discussion of risk management at the corporate or group level as well as discussions of the management of each specific major risk category. This will most often include some exposition of the methods used to mitigate and manage the most significant risk expsoures. The ORSA report will require that all the above information and more be disclosed to the regulators. (See my recent post on the topic, U.S. Insurers Need to Get Ready for ORSA.)
Using Disclosure to Your Advantage
An insurer may adopt the practice of broadly disclosing their risk management practice for competitive purposes. Some insurers who have felt that they had superior risk mitigation practices had made selective disclosures of individual practices. So an insurer who feels that they are far ahead of their competitors may want to be the first in their peer group to include a public disclosure. Or another company may feel the pressure to begin disclosing risk management practice because their competitors already do so. To implement this risk management practice, an insurer would need to decide which of the materials that they prepare for their ORSA are not proprietary and confidential. The discussion above provides some examples of areas that other large insurers have already disclosed publically.