ORSA: A Capital Adequacy Assessment Process for Insurers

Designed for insurers, ORSA is somewhat similar to Pillar II of the Basel II Accord, which forces banks to “assess their overall capital adequacy in relation to their risk profile and [create] a strategy for maintaining their capital levels.” The result of that Accord, the Internal Capital Adequacy Assessment Process (ICAAP), shares parallels with ORSA, as it asks for an economic capital review rather than regulatory-driven capital calculations (Pillar 1).

ORSA was introduced as part of the Solvency II regime in Europe, but its origins can be traced further back:

• The UK Financial Services Authority (FSA) insurance sector reforms requiring firms to develop internal models of their risks under the Individual Capital Adequacy Standards (ICAS)framework
• The introduction of Dynamic Capital Adequacy Testing (DCAT) to Boards by the Canadian Office of the Superintendent of Financial Institutions (OSFI) (1993)
• The increased use of internal models for valuation, capital, and risk management purposes by the industry and regulators alike (e.g., Swiss Solvency Test, variable annuities in US and Canada, etc.)
• Regulator recognition of a greater need for insurers to demonstrate prudent management of their business (including a system of governance, assessment of business risks, and the capital required to support these risks)

Since then, many countries outside of Europe have adopted the concept of the ORSA, either as part of a type of Solvency II regime or as a precursor to wider solvency legislation. An example of the latter approach is North America, where the OSFI and the National Association of Insurance Commissioners (NAIC) have introduced ORSA requirements to be implemented in 2014 and 2015, respectively. South Africa, Bermuda, Japan, and Mexico are also embracing insurance regulation. One key differentiator of ORSA is "Own." As an individualized assessment, ORSA is meant to reflect the unique risk management characteristics and profile of an institution. It is a process designed to support sound risk management and decision-making within the business. In effect, the process and resulting documentation, though based on a set of regulatory principles, are unique to every insurer. As such, the ORSA cannot be implemented and fulfilled by simply generating a pre-formatted report or regulator template. ORSA is a process, not merely a report – no two ORSAs should be the same.

Given that ORSAs vary greatly from institution to institution, how is it defined? Figure 1 outlines the definitions used by three key regulatory bodies. Four common elements exist within the definitions that help guide insurance companies in developing their ORSA:

• Identification and assessment of all material risks
• Sufficient capital to cover the identified risks on a forward-looking basis
• A risk management framework to monitor and control risk
• A risk management culture embedded within the business to support decision making

Figure 1. Common definitions of ORSA

Source: EIOPA, NAIC, and OFSI

These regulatory regimes require insurers to produce an ORSA document. However, it is clear that ORSA is fundamentally an internal process relating to how an insurer assesses and manages risk and capital within their business.

Although the European Insurance and Occupational Pensions Authority (EIOPA) initially established the base requirements for ORSA, the other regulators have adopted the measures. The International Association of Insurance Supervisors (IAIS) is promoting ORSA as a key component of regulatory reform.

Another example is the NAIC in the US, which issued its Solvency Modernization Initiative (SMI), followed by the Risk Management and Own Risk and Solvency Assessment Model Act (#505), requiring large and medium-size US insurance groups and/or insurers to regularly conduct an ORSA starting in 2015. The NAIC has also issued its own ORSA manual, which sets out requirements broadly similar to those of EIOPA:

1. Description of the Insurer’s Risk Management Framework, which is a high-level summary of its own risk management framework, including risk appetite, tolerance and limits, and internal controls
2. Insurer’s Assessment of Risk Exposure, which details the insurer's process for assessing risks (both qualitative and quantitative assessments should be performed) in both normal and stressed environments
3. Group Risk Capital and Prospective Solvency Assessment, which demonstrates that current and future capital is sufficient to support the identified risks

The current effective date for ORSA in the US is January 1, 2015, with insurers expected to file their first ORSA Summary Report during that year. However, to achieve this, insurers should already be tracking and collecting appropriate data during the 2013 calendar year. It is perhaps worth noting that a major difference between the US and Europe is that NAIC does not specify the capital measure that should be used in ORSA, but instead gives freedom to the insurer to use whatever measure they think is appropriate.

Figure 2 is a global map with notes on ORSA regulations in various regions. Another example is the South African Financial Services Board‘s (FSB) Solvency Assessment and Management (SAM) framework, which includes ORSA requirements based not only on EIOPA, but also experiences from the Canadian regulator (OFSI), the Australian Prudential Regulatory Authority (APRA), the Bermuda Monetary Authority (BMA), and IAIS Principles.

In China, the Insurance Regulatory Commission issued a second-generation solvency framework in May 2013 that is very similar to Solvency and contains three pillars – capital requirements, risk management, and disclosure – that are devised to align the capital adequacy of insurers / reinsurers with their risk profile.

Figure 2. Global map of ORSA regulations

Source: Moody's Analytics

As a unique process defined by each particular insurer, no predefined approach to ORSA exists. The ORSA framework illustrated by Figure 3 is recommended based on the current regulatory guidelines and Moody’s Analytics best practices. Each of the listed elements form the building blocks of the ORSA and may be customized to meet both internal business needs and external regulatory requirements:

• Overview and processes
• Risk profile, appetite, and tolerance
• Risk identification and assessment processes, including materiality
• Methodologies and tools for risk and capital calculations
• Stress and scenario testing methodologies and assumptions
• Integrated business and contingency planning
• Integration of ORSA into capital management business as usual
• Mitigation and management actions
• Review, approval, audit, and documentation
• Key metrics

The overview establishes the scope and coverage of the assessment, enabling insurers to implement an effective and demonstrable risk management framework. Many insurers already have some form of enterprise risk management (ERM) system in place, which may need to be extended to cover the ORSA. In particular, analytical data quality and associated practices are important to address.

The ORSA should be proportionate in its sophistication and depth to the nature, scale, and complexity of the business. The development of a risk management culture within the business is key. Most insurers will embed their ORSA requirement within an ERM framework and operate a “three lines of defense” approach as the core of their risk management practice. Figure 4 illustrates the five main components of a typical ERM system.

Figure 3. Moody’s Analytics ORSA Framework

Source: Moody's Analytics

From a strategic and ORSA perspective, an insurer will have to define its risk profile, attitude, and tolerance. In many financial institutions, these factors already exist, but the ORSA will act as a catalyst to formalize and monitor them.

• Risk profile refers to the broad parameters an insurer considers when executing its business strategy in its market sector.
• Risk appetite describes the level of risk an institution is willing to assume, given the corresponding reward associated with the risk, attitude to risk, and the limits (or tolerances) within which it is prepared to operate. The appetite will articulate an institution’s attitude and exposure to risk and support the delivery of strategic objectives. The risk appetite should reflect the culture of the insurer and be articulated in a way that is easily understood. Ideally, the appetite will become embedded in the organization and be used in all levels to enhance decision-making. Many insurers are establishing a risk appetite framework to assess and manage the risks they want to acquire, avoid, retain, or divest.
• Risk tolerance is the stated amount of risk a company is willing and able to take on in executing its business strategy. It represents the risk appetite variation on the different risk factors relevant to the insurer.

Risk appetite and enterprise-level risk tolerance statements are critical to the effectiveness of a business. Senior management should be active participants in the identification and consideration of risk/reward tradeoffs. Once established, this element in turn will feed into the decision-making process. It is also worth noting that rating agencies typically look for management to link significant changes in its risk profile with corresponding changes to their risk appetite or risk tolerance.

Figure 4. ERM system components

Source: Moody's Analytics

Insurers should identify all material, current, and foreseeable risks relevant to their business and include them in the ORSA. This involves extending beyond the risks prescribed by EIOPA in the Solvency Capital Requirement (SCR), and includes insurance, credit, market, and operational risk.

As best practice, insurers should consider adding risk types, such as model risk, strategic risk, reputational risk, commercial risks (e.g., new market entrants, competition from different sectors), regulatory risks (e.g., ring-fencing of capital / liquidity, regulatory censure), and group risks (e.g., intra-group transactions, securities lending, etc.).

ORSA requires either the use of the regulatory capital measure (SCR) and/or the use of an economic capital measure produced as a result of an internal model. It should be noted that a firm’s own assessment of the economic capital requirements may be a different definition than that under Pillar 1.

Additionally, a key aspect of the ORSA is the projection of an insurer’s balance sheet, which includes both assets and liabilities over a three- to five-year horizon, based on a number of scenarios.

Typically, insurers adopt a small number (e.g., 6-7) of business planning scenarios to use in their ORSA. In order to test the impact of event-driven and alternative economic scenarios on a given insurance portfolio, macroeconomic scenarios may be used over the business planning horizon. An insurer must provide details of the calculation methods used in producing capital numbers and highlight the differences between the regulatory and economic capital numbers. Methods of aggregation and diversification (e.g., correlation matrices) should also be included where relevant. Validating capital models and assessing models is an important aspect of ORSA.

The scope of stress testing in ORSA is comprehensive and should include:

• Sensitivity measures: Measure the impact of a move in one particular risk driver and its impact on others
• Scenario analysis: Involves assessing the ability to absorb exceptional but plausible events with simultaneous moves in a number of risk drivers
• Scenario analysis through time: Is essentially capital planning simulation for stressed, severe, and optimistic stressed scenarios

Insurers should also perform reverse stress testing to identify and quantify those scenarios that could result in business failure, breach of economic solvency, breach of SCR and MCR, and other circumstances considered appropriate by senior management and the board.

Scenarios should reflect plausible events (both severe and optimistic) that may happen over the business planning projection period (e.g., 3-5 years). It can be time-consuming to derive and quantify the impact of the scenarios. However, it is insightful to go through the process of discussing possible scenarios, their financial impacts, and possible management actions.

It is important to note that the stress test program should be duly structured, validated, and documented.

When developing the stresses, an insurer may consider different types of scenarios, such as:

• “Top-down” macroeconomic scenarios capturing systematic exposure to economic and financial market outcomes
• “Bottom-up” scenarios that reflect firm-specific risk exposures arising from their strategy and operational profile
• Systematic insurance risk scenarios, such as longevity and underwriting risks

Although ORSA is largely a regulatory initiative, it should be at the heart of the insurer’s business decision-making process. The ORSA should include:

• Baseline capital forecasts
• A 3-5 year capital forecast
• Contingency plans
• A description of capital planning process
• Plans on how to meet internal and regulatory capital requirements

Many insurers will most likely also use additional ORSA indicators and targets in their strategic framework, for example, to set a minimum target for SCR coverage.

The board and senior management are responsible for ensuring that the ORSA is embedded in the business and decision-making processes. Ideally, senior leadership will also decide on the accuracy and completeness of the ORSA through direct review and reliance on the governance process.

The results of the ORSA should be used to inform and improve business decisions, business strategy, and the ERM framework. The ORSA process should also identify the major issues affecting the solvency of an insurer (or group). In practice, this means the key decision makers in the business must be provided with relevant risk management information and risk quantification approaches consistent with the ORSA. Decision-making should demonstrate what elements have been taken into consideration. A key facet of ORSA is that is should provide the board and senior management with a holistic view of risk and capital within their business.

Generating correct and meaningful reports is an undoubtedly important part of the ORSA and the associated decision-making process, but so too is the willingness of management to take action based on the information provided. In some situations, management actions can be pre-built into certain scenarios, so that in the event of the scenario materializing, a series of pre-planned actions are triggered. In other circumstances, actions will have to be much more reactive.

If the stress tests indicate scenarios where the solvency ratio dips below desired levels, then insurers need to develop plausible management actions. This includes hedging risk to reduce market risk exposure, transferring risk via reinsurance, reviewing product mix, potentially exiting specific products or lines of business, and raising new capital in extreme cases. These plans need to be documented and should be regularly reviewed and approved by the board.

In practice, the ORSA should continuously trigger management decisions and actions. An insurer can take, mitigate, transfer, or terminate a risk depending on the circumstances.

The ORSA is the responsibility of the board and the senior management and should be regularly reviewed and approved. They are also responsible for ensuring that the ORSA is administered by personnel with the relevant skills and expertise.

The ORSA should be appropriately evidenced and documented. Some examples include methods valuing assets and liabilities, risk modeling techniques, confidence levels, and time horizons.

The effectiveness of the ORSA should be independently assessed, either internally (e.g., internal audit) or externally. This review must be carried out by different people from those performing the ORSA.

ORSA should be a continually evolving process, and while the regulators expect that the initial processes might be flawed, they will expect improvement over time.

The ORSA should include an assessment (quantitative and qualitative) of the own funds held, together with changes expected in stress situations. Currently, no specific obligation on insurers – solo or group entities – exists to continuously recalculate SCR, MCR, and economic capital. In reality, however, many insurers are moving to continuous solvency monitoring.

The ORSA process should by design enable entities to estimate changes in capital requirements and the economic balance sheet since the last full calculation process. A full calculation may be required if a firm’s risk profile changes significantly.

Figure 5 illustrates the cyclical nature of the ORSA process, with an emphasis of some of the potential quantitative outputs.

ORSA introduces a new risk and capital management environment for insurers. It also highlights the need for a robust methodology relating to actuarial and capital modeling systems that support the business. Equally important is the analytical data fed into those systems – data quality, validation, lineage, and approvals – which all must be addressed in a data quality framework.

The operational consequences of ORSA will be far reaching. They will provide impetus for insurers to systematically design and use risk-adjusted performance management criteria. While regulatory-driven, ORSA presents a great opportunity for insurers to step beyond mere compliance and develop sound risk management processes that serve as the basis for informed business decision-making.

Figure 5. The cyclical nature of ORSA

Source: Moody's Analytics

1. Embed ORSA fully into the culture of the business and day-to-day decision-making process
2. Develop solutions and approaches that go beyond regulatory compliance
3. Ensure excellent, hands-on project management
4. Get buy-in from senior executives and the board of directors
5. Execute a comprehensive communication strategy across all levels of the organization
6. Formulate clear, accurate, and auditable documentation
7. Implement a sound data quality and governance program
8. Design and implement a dedicated stress testing and scenario process
9. Set up extensive audit and challenge mechanisms
10. Avoid underestimating the ORSA requirements