Own risk and solvency assessment


At the heart of the prudential Solvency II directive, the own risk and solvency assessment is defined as a set of processes constituting a tool for decision-making and strategic analysis. It aims to assess, in a continuous and prospective way, the overall solvency needs related to the specific risk profile of the insurance company.
Risk Management and own risk and solvency assessment is a similar regulation that has been enacted in the US by the NAIC. Other jurisdictions are enacting similar regulations to comply with the Insurance Core Principle 16 enacted by the IAIS.

Context

The second pillar of Solvency II plans to complete the quantitative capital requirements with quality requirements and a global and appropriate risk management system. The reform provides measures on governance, internal control and internal audit in order to ensure sound and prudent management practices from insurers. Impacts in terms of risk and solvency should supply into upstream strategic decisions. The internal assessment process of risks and solvency, known as the ORSA, is the centerpiece of this plan.
In an operational way, the ORSA is part of global process of enterprise risk management.
It is part of a cyclical and iterative system involving the board of directors, senior management, internal audit, internal control and all employees of the company. It aims to provide a reasonable insurance on compliance with the strategy of the company against risks.
The ORSA is voluntarily defined broadly by the regulation to encourage insurers to question themselves on the framework of an internal system dedicated to control and risk management. It must in all cases be succinct, easy to update and respect the principles of materiality and proportionality.

Regulatory references

Since 2003, Solvency II regulation follows the Lamfalussy process, which distinguishes 3 levels of measures, starting from the big principles to the enforcement measures necessary for the operational implementation.
The ORSA regulatory update from the NAIC follows the Solvency Modernization Initiative aimed at updating the US regulatory system.

Solvency II

Level 1 measures

Level 1 text is the regulatory basis of the reform. It was adopted in 2009 on the same text by the European Parliament and European Council.
The ORSA is defined in Article 45 of the Directive.
Article 45 of Solvency 2 directive framework
As part of its risk-management system every insurance undertaking and reinsurance undertaking shall conduct its own risk and solvency assessment.
That assessment shall include at least the following:
the overall solvency needs taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the undertaking;
the compliance, on a continuous basis, with the capital requirements, and with the requirements regarding technical provisions;
the significance with which the risk profile of the undertaking concerned deviates from the assumptions underlying the Solvency Capital Requirement.

Level 2 measures

Level 2 measures are technical implementing measures to complement the principles defined in the level 1 text, in view of the operational implementation requirements.
Level 2 measures should be adopted by the European Commission on a proposal from EIOPA. In order to advance the development of the reform, EIOPA consults the market, including through Consultation Papers.
The ORSA does not fall within Level 2 measures and as such in 2009, during the broad consultation on Level 2 measures, there were no Consultation Papers devoted exclusively to the ORSA. However, a significant number of them refer to it, for example:
Consultation paper No. 17 on the calculation of capital add-on
Consultation paper No. 24 on the principle of proportionality
Consultation paper No. 33 on the governance system
Consultation paper No. 56 on the validation of internal models
... etc.
Thus, if Level 2 measures do not specify the requirements for the ORSA, they can be used to better understand the interactions of the ORSA with other requirements and clarify the role of the ORSA within the Solvency II system of insurers.

Level 3 measures

Level 3 measures will be directly adopted by EIOPA. They generally correspond to non-binding recommendations. Since the creation of EIOPA in January 2011, its responsibilities were, however, extended to the production of Level 3 binding measures.
The ORSA comes under level 3 texts. To this end, a consultation paper was published in 7 November 2011.
This consultation paper presents a set of instructions for the ORSA:
This text is still under consultation, but can anticipate the impact of Level 3 measures on the ORSA.

NAIC ORSA regulation

While the high-level Risk Management and Own Risk and Solvency Assessment Model Act has been adopted by the NAIC in September 2012, the NAIC ORSA Guidance Manual is being revised in early 2013.
The State legislative process is still ongoing, but we can anticipate the regulation to be fully in place in 2015.

South Africa: Solvency Assessment and Management (SAM) ORSA regulation

Similar to Solvency II, Insurers and Reinsurers registered in South Africa will be required from 1 April 2017 to perform regular ORSAs. ORSA requirements in South Africa will meet the IAIS standards. Regular reporting will also be required to the Registrar of Insurers.

Operational implementation

Insurance companies are in the process of setting up their Solvency II plans and generally, the setting up of the pillar 1 has been prioritized.
Therefore the ORSA plans are still not mature on the market.
However, it appears that four key steps can be identified in the operational implementation of the ORSA:
In the US, companies are at various stages of ORSA readiness.

Definition of the risk profile

The risk profile includes all of the risks that the company is exposed, the quantification of these exposures and all protective measures to those risks.
The risk profile is different from the regulatory capital determined under Pillar 1. It takes into account the specificities of each insurance company, it integrates all material risks, in a prospective view, and the ORSA leaves open the definition of solvency or the risk aggregation methodologies.
In practice, the definition of the risk profile will be increased by the realization of an all-risks mapping, including both the risks identified as part of pillar 1 of the reform Solvency II – underwriting risk, market risk, counterparty default risk, operational risk, intangible asset risk – but also other risks specific to each insurer – illiquidity risk, business risk, strategic risk, reputation risk, etc..
Once the mapping is done, a metric must be defined to quantify the risks. The company can use what is done on the pillar 1 such as a measure of risk, a time horizon and/or a different security level most suitable to its strategy for controlling the risks.

Implementation of a risk management strategy

Once the risk profile is established, the administrative, management and supervisory body must set up the risk management strategy of the company through the following elements:
The risk appetite is the maximum aggregated level of risk that a company wishes to take. The risk tolerances represent bounds on the acceptable performance variation associated with the different risk factors.
One of the major roles of the risk management function is to support the administrative, management and supervisory body in order to get him to comment on this strategy. The risk management function must not only pass the information necessary to operate, but also give the keys to an appropriation of the culture of risk and a critical analysis of these elements by the leaders.
Finally, the risk limits are the operational implementation of the risk tolerances. The risk management function shall coordinate the trades in order to define:
All decisions made in the daily management of the company must then respect the strategy defined. In order to maintain the risk profile to a level consistent with the risk appetite, the leaders have four main strategies:
Major strategic processes of the insurance company, as the definition of trade policies, reinsurance and asset liability management, should be revised to integrate the dimensions of risk and solvency in the decision-making process.
Moreover, the ORSA should enable continued compliance with regulatory requirements in terms of own funds. For that the insurer must establish a set of systematic processes to monitor and control continuous compliance with the risk limits and identify major events – internal or external – which have a significant impact on the risk profile and lead to the update of the ORSA.

ORSA report

The ORSA is the subject of several reporting requirements:
Generally, a reporting on the ORSA will contain two parts:
The US ORSA report will contain three sections, as described in the ORSA Guidance Manual: