Guide to ERM: Writing an ORSA Report


Top Ten of 2014: #1Insurance regulators have made the Own Risk and Solvency Assessment (ORSA) into one of the global Insurance Core Principles that need to be adopted in all countries.

Several countries have already adopted an ORSA requirement and in all cases, there is a need for a report to share with the regulator that documents the ORSA process.

WillisWire has featured 14 posts about practices that insurers will need to support their ORSA process. This post will explain how the 14 enterprise risk management (ERM) practices are related to the ORSA process and report.

The ORSA report itself is an example of risk management disclosure. A company that has no history of disclosure of risk management information may struggle with creating an ORSA report that communicates their risk management efforts with sufficient, but not overwhelming, detail.

And while the requirements vary slightly, in most jurisdictions the board has a prescribed minimum role in the ORSA process.

That role may be a shock to boards who have not been involved in a process of risk management governance prior to the first ORSA process and report.

In the U.S., the National Association of Insurance Commissioners (NAIC) has suggested three segments to the ORSA report:

Section 1 – Description of the Insurer’s Risk Management Framework

A discussion of the ERM framework which includes eight of the ERM practices in the Willis Guide.

While this section is meant to be descriptive, it is clear that the regulators have minimal expectations for the particulars of the answers that they will be getting.

  • Risk Identification – How the insurer goes about deciding which risks that need to be included in their risk management process and in consideration for the ORSA process, including Emerging Risks.
  • Risk Limits, Mitigation and Controls – Discussion of the action steps in the risk management program.
  • Risk Organization – Clearly defined roles and responsibilities for the risk management process.
  • ERM Policies and Standards – Not specifically requested for the ORSA report, but an insurer that has these will have a much easier time pulling together an ORSA report and updates to that report.
  • Risk Appetite and Tolerance – Seen as foundational elements of a risk management program.  Board involvement is expected.
  • Risk Management Governance – Clear leadership from the board in the risk management process.
  • Risk Management Culture – Looking to hear how the company culture supports accountability for risk related decisions.
  • Risk Reporting – Good dissemination of risk information is seen as a clear requirement for a lively risk management program.

Section 2- Insurer’s Assessment of Risk Exposures

This section of the ORSA report is about the processes that the insurer uses to determine which risks are material to the solvency of the enterprise: in other words, a discussion of how risks are assessed by the insurer.

  • Risk Measurement – The primary topic of this section which asks how the insurer goes about assessing risks.
  • Stress Testing – An important form of risk measurement that is seen as one tool that must support the ORSA opinion about the sufficiency of the insurer’s capital.
  • Risk Capital – The answer to the question, “how much capital does the insurer need?”  For the ORSA, the necessary capital is expected to be determined in relation to the risks of the insurer.
  • Interdependence of Risks – While risk independence is one of the supporting pillars of the entire concept of insurance, experience tells us that many risks are partially or fully interdependent.  To complete the ORSA process, management must have a clear view of the interdependence of their risks.
  • Model Validation – While no regulator has suggested substituting the ORSA process for other solvency regimes, they do want an answer to the question, “Why should we believe this?” A model validation process is the best way to answer.

Section 3 – Group Risk Capital and Prospective Solvency Assessment

The final section of the ORSA report explains why management and the board have sufficient capital to undertake their business plan, even if future experience turns out to be  much worse (due to internal or external factors) than is expected in the plan.

  • Stress Testing – The actual solvency testing needs to be performed both under expected conditions and in an adverse environment.  Testing the impact of an adverse environment on an insurer is, of course, a stress test.
  • Risk Capital – Solvency testing in both the U.S. and Canada is in relation to a risk capital target that is established by the company management and board.  In the E.U., the ORSA tests the capital against the Pillar I risk capital requirement of Solvency II.
  • Interdependence of Risks – While the risk capital determination must reflect a view of interdependence, the stress tests may include some scenarios where there are simultaneous occurrences of more independent risks.
  • Change Risk – A unique feature of the ORSA process, at least with regard to the world of regulatory requirements, is that the assessment is permitted to assume that management has some discretion to act in the adverse scenarios that are being projected.  A firm with a robust change risk management process will have better justification for assuming robust and timely actions on the part of management.
  • Risk Management Governance – In the U.S., the ORSA regulations require that the board review the ORSA report before it is given to the regulator.  In other parts of the world, it is often required that the board take a much more active role in the ORSA process.  But regardless of the minimal stated requirements in the U.S., boards may well want to have a quite lively discussion with management about the ORSA report and the process that led up to the report.

Forward Looking Assessment of Own Risks

Solvency II’s Forward Looking Assessment of Own Risks (FLAOR) is the European equivalent of the ORSA. Unlike the solvency capital requirement (SCR) calculation, there is no prescribed method to follow.

Companies are free to choose their own assumptions and approach but will have to convince their regulator that their method is appropriate. European Insurance and Occupational Pensions Authority (EIOPA)’s latest timetable plans for final guidelines to be published in July 2015, after a public consultation running from December 2014 to March 2015.

EIOPA is keen to ensure that national regulators take a broadly consistent approach in the final preparatory phase.

To encourage this harmonized approach, transitional guidelines have been provided for the FLAOR and regulators are expected to comply with these.

The guidelines require companies to maintain policy documentation which details the processes and procedures in place to conduct the FLAOR.

It should also include details of stress testing and an explanation of the frequency with which the FLAOR is carried out. In particular, what would prompt an additional run outside of the minimum annual reporting requirement?

Formal reporting requirements will include internal and supervisory reports. In the internal report, regulators will expect companies to share the results and conclusions of each FLAOR with “all relevant staff.”

This will include the board of directors, who should be able to factor the results into ongoing capital allocation and strategic business planning.

The external report should also include the results and the conclusions drawn from them – a key point, as regulators will need to be satisfied that management is actively using the information to steer the company.

The methods and all assumptions used should also be explained and a comparison provided between the regulatory capital requirements and the undertaking’s own funds.

The ORSA process will need to rely upon all of the same practices that are mentioned above for the report.  The primary difference is that the ORSA process itself is unlikely to have three distinct sections.

The practices that support the ORSA are most likely woven together as a unified ERM process for the insurer – in which the information about risk is also used to help to assess, plan and manage the risk adjusted returns of the enterprise.


This article was authored with Stephen Mullan and originally published April 14, 2014.

About Dave Ingram

Dave is an Executive Vice President of Willis Re, specialising in theory and practice of ERM for insurers. Based in…
Categories: Reinsurance | Tags: , ,

Leave a Reply

Your email address will not be published. Required fields are marked *