During the past 15 months, as part of the NAIC's SolvencyModernization Initiative (SMI), the NAIC has been developingrequirements for all insurance companies regulated in the U.S. toconduct an Own Risk and Solvency Assessment (ORSA), and report theirenterprise risk management (ERM) practices and related findingsto their respective regulators.

The plan is moving forward. At the fall NAIC meeting in early November, an ORSA Guidance Manual (rev. Aug. 15, 2011), outliningproposed risk assessment and reporting guidelines was submitted bythe Group Solvency Task Force to the Financial Condition (E)Committee. Further industry comments are expected to be gatheredthrough this distribution. With the progress being made, it islikely that a final reporting proposal will be adopted by the NAICin some form in 2012. With so much activity happening now, it'shelpful to gain a high-level overview of this significant proposedregulation and the issues likely to be fleshed out next year.

What is an ORSA?

The ORSA concept requires every insurance company to carry out aregular assessment of all of their risk company-wide, and evaluatetheir current and likely future solvency position. Enterprise riskis defined by the NAIC as “any activity, circumstance, event orseries of events involving one or more affiliates of an insurerthat, if not remedied promptly, is likely to have a materialadverse effect upon the financial condition or liquidity of theinsurer or its insurance holding company system as a whole,including, but not limited to, anything that would cause theinsurers Risk-Based Capital to fall into company action level … orwould cause the insurer to be in a hazardous financialcondition.”

The purpose of implementing an ORSA requirement is to helpregulators understand how insurers identify, assess, monitor andmitigate risk. ORSA requirements have already been included inseveral international regulatory initiatives. The ERM solvencyregulations set by the International Association of InsuranceSupervisors (IAIS), for example, is a key element of the pendingSolvency II directive in Europe.

The NAIC ORSA Guidance Manual details the anticipatedrequirements for companies to perform their ORSA. As currentlyproposed, more specific analysis and reporting will need to beperformed as outlined within the “Form B” of the Insurance HoldingCompany System Annual Registration Statement of the NAIC'sInsurance Holding Company System Regulatory Regulation ( No.450). Proposed requirements include:

1. A detailed description of the company's risk managementpolicies

2. Quantitative measures of risk exposures, “in normal andstressed environments,” requiring companies to perform complexmodeling

3. An assessment of the company's economic capital andprospective solvency for the entire insurance group, in addition toentity-specific calculations

Through the ORSA process, each insurer determines the amount ofcapital it needs based on its own risk tolerance and businessplans. The company must also demonstrate that it can continue inbusiness over the next few years, even under stressedconditions–that is, assuming a range of adverse events orcatastrophes may occur.

Key Benefits

The main thrust behind the ORSA initiatives has been the needfor regulators to gain greater insight into the financial strengthof insurers. By requiring companies to implement robust ERMpractices, and assess their capital needs in line with their uniquerisk portfolios, regulators hope to improve capital adequacy acrossthe industry, and perhaps hedge against potential futurecatastrophes and economic crises.

Adopting an ORSA requirement, regulators may also createfinancial incentives for companies to manage their risk. Down theroad, companies that can demonstrate solid risk managementpractices could potentially benefit from more flexible capitalrequirements than what may be required by historical, fixed-dollarstatutory thresholds.

The NAIC is striving to coordinate its ORSA protocols withinternational standards, with the goal of making it easier forcompanies operating internationally to build common regulatoryreporting platforms. Shared reporting and examination requirementssuch as this risk self-assessment should help makemulti-jurisdiction compliance faster, more streamlined, andpotentially less expensive for all involved.

An ORSA requirement, in whole or part, could also serve as ahelpful tool in ratings analysis, and has been supported by ratingagencies. Ultimately, robust and transparent risk managementpractices, supported by objective financial reporting standards,may have a positive impact on insurance company share price.

Comments and Criticisms

The NAIC's original draft of proposed ORSA reportingrequirements was first subject to public comment through March.More than a dozen commentaries were provided from individual stateregulators and major industry organizations, including The AmericanCouncil of Life Insurers (ACLI), the National Association of MutualInsurance Companies (NAMIC), and the Property Casualty InsurersAssociation of America (PCI). While the value of ERM was generallyrecognized, opposition to the current proposed reporting mechanismhas been strong. Of note:

• Many concerns have been raised with the proposed specificreporting requirements of Form B, expected to be onerous andchallenging for many insurers. Pure size and complexity of a formalreport and the potential expense to produce it are immediateworries for hundreds of companies. As drafted, the proposal asksfor extremely broad information, which may be time consuming anddifficult to answer accurately. Adoption of robust technology tomanage related analysis and reporting will be crucial.
• Another worry raised early in the year was the frequency andtiming of any filings. In particular, if an ORSA requirement isultimately transformed into a Model Act enacted on a state-by-statebasis, assessment results may have to be provided to multiplestates at different times of the year. Commentators urged the NAICto consider a uniform reporting system which will streamlineprovision of key data to either a home-state regulator or centraldedicated repository.
• Proportionality, relevance to individual company size and lineof business, has also been an issue. While an insurer would beexempt from the ORSA requirement if it (a) has less than $500million in annual direct written premium and (b) it is not a memberof a group of affiliated insurers that has $1 billion or more inannual direct written premium, the draft manual, as written,applies to all companies and lines of business, regardless ofnature of underwriting risk assumed. Some companies may have uniqueor significantly different risk exposures which may not fitadequately into the generic framework as outlined. Further commentsmay be considered on this issue in 2012.
• Other criticisms have been received questioning the mechanicsof how group reporting would be accomplished.
• Concerns continue to be raised about the confidentiality ofreports, which could contain material trade secrets or othersensitive or confidential information.

Overall, most critics have argued that regulatory focus shouldbe on the effectiveness of a company's overall ERM program, andwhether these are practices embedded in the company's culture andday-to-day operations. Over-emphasis on formal regulatoryreporting, at the expense of the more human elements of managingrisk–identification, analysis, communication, and control–may notultimately help companies' solvency position, or preparation forfuture harmful events.

To avoid these dangers, some continue to suggest that futureORSA reports should become a tool within a larger, more thoroughrisk-focused examination process, rather than mandated as astandalone exhibit to an annual filing. This way, ORSA discussionscould balance regulators' desire for objective financialinformation with a discussion and analysis of companies' individualmanagement approaches, philosophies, policies, and practices usedto integrate the ERM into day-to-day operations.

At this juncture, however, many of these issues appear to haveweakened over time. As of the most recent quarterly (fall) meeting,the NAIC appears to be leaning more toward its plan to use Form Bas the vehicle for imposing the ORSA requirement, rather than anypreviously proposed or new alternative which would requirestatutory enactments.

Next Steps

Despite concerns and criticisms, current ORSA proposals continueto move through the NAIC approval process, under the assumptionthat the cost and efforts to produce the risk analysis will be faroutweighed by the potential wide-ranging benefits.

Pushing the ORSA Guidance Manual forward to theFinancial Condition (E ) Committee toward adoption, the GroupSolvency Task Force has drafted a cover letter to the (E) CommitteeChair, listing possible recommendations to “help map a successfulpath for the ORSA in the US Solvency Framework.” As noted in thedraft letter, some of the recommendations were the result ofdiscussions held by representatives of the North American ChiefRisk Officers (CRO) Council on Oct. 20, 2011.

“Recognize that implementation of this regulatory filing will bean evolving process over many years, “ notes the Group SolvencyTask Force. It suggests several possible implementation activities,including:

• Establishing an effective date for the receipt of the firstORSA Summary Report
• Developing initial technical guidance to assist analysts andfinancial examiners when reviewing the ORSA Summary Reports
• Considering proposals to ensure that collecting and reviewingthe ORSA Summary Reports during the financial analysis andexamination process will be uniformly adopted and applied amongstates
• Creating ERM education programs for regulators, as needed

An ORSA Feedback Pilot Project was also suggested for 2012, withfive to 10 undisclosed groups submitting a test or sample ORSASummary Report to a volunteer group of regulators. This wouldperhaps provide some high-level practical implementation advice andguidance to both regulators and the industry before an actual ORSASummary Report effective date.

It remains to be seen how exactly an ORSA requirement will beimplemented, and what measures will be taken to help regulatorstruly understand how insurers identify, assess, monitor andmitigate risk. No matter what the details, companies may want toconsider strategically developing their ERM talent and modelingexpertise, as well as their technology strategy, and expandingtheir financial analysis and reporting capabilities group-wide.