Over the past few years, international supervisors, U.S. state regulators, and major rating agencies such as Standard & Poor's and A.M. Best have adopted regulatory and rating review processes to help ensure that insurers build strong enterprise risk management (ERM) frameworks to help evaluate, govern, and manage risks of loss company-wide.

This year, the National Association of Insurance Commissioners (NAIC) is finalizing a more formalized reporting requirement to monitor risk and solvency levels of the largest insurance companies, going above and beyond the recent state regulatory push towards risk-based financial examinations. The NAIC's Own Risk and Solvency Assessment Proposal (ORSA) is defined as a set of processes used for decision-making and strategic analysis, based on how the company manages and controls its risks.

The goal of performing an ORSA is to analyze, in a continuous and proactive way, the overall solvency and capital requirements of an insurance company in light of the specific business, operational, and underwriting risks uniquely faced by that company. However, an ORSA exercise is not just about capital. It marks a change in behavior, signaling a fundamental shift towards a comprehensive enterprise risk management (ERM) culture. Ultimately, regulators are moving towards supervisory rules and standards requiring insurance companies to integrate risk and risk management in all aspects of corporate day-to-day decision-making.

Under the ORSA requirement, insurers writing more than $500 million of annual direct written and assumed premium, or groups collectively writing more than $1 billion, will be expected to "self-evaluate," using their own internal models, the sufficiency of their capital given a wide range of risks inherent in current and future business operations. As currently proposed, insurers will be expected to detail the elements of their ERM framework and ORSA results in an annual Summary Report to their home-state regulator. Major changes to the ORSA review will be submitted to the regulator on a rolling basis as needed, such as following an update to the company's strategic business plan. In this Summary Report, subject insurers are asked to provide detail in three key sections:

  • Section 1 — A description of the Insurer's Risk Management Framework
  • Section 2 — An Insurer's Assessment of Risk Exposures
  • Section 3 — Group Risk Capital and Prospective Solvency Assessment

To be ready for ORSA reporting by 2014, insurers may be at very different stages of preparedness, depending on how they have allocated resources and budgets to their overall ERM efforts over the past few years. Many companies are running into practical challenges in identifying, organizing, assessing, and managing their necessary risk and control data, which need to be addressed before any reports are compiled. How can companies meet some of those challenges?

Practical Compliance Challenges

Companies may find it challenging to comply with the ORSA requirements for several practical reasons. First, the guidance itself is not strictly prescriptive, giving companies great flexibility in how and what to report in the narrative sections on risk management and control framework or governance process. This means that some companies may provide too much information and some, not enough, and many companies have concerns about privilege, confidentiality and trade secret protection in disclosing information in the amount of detail that regulators might expect.

Second, the basic requirement of Section 1, a description of the insurer's risk management framework, assumes that companies of the stated size already have an overall ERM framework in place, as described. However, even some larger companies may still be working on developing a framework, or may have only a basic ERM program or governance system that they will want to improve on over time, addressing more complex functions or elements.

Third, where companies do have a framework, the framework will not be the same from company to company. There is not yet an established body of "best practices" or standardization of documents, forms, reports, etc. that can simply be adopted or configured for individual entities. Companies continue to look for guidance and recommendations on how to develop solid procedures and practices that will not only meet regulatory minimums for reporting, but can help actually manage, mitigate, and control risk effectively.

With respect to Section 2, the Guidance Manual addresses the insurer's assessment of risk exposures. However, per the NAIC, "one of the most difficult exercises in modeling insurer/group results is determining the relationships, if any, between risk categories." Even where companies are implementing frameworks to create risk and control libraries and score/prioritize risks, it is difficult for insurers to take the "next step" of connecting risks which might have related or "knock-on" impact between departmental functions or areas.

For example, a hurricane may cause (a) underwriting loss (for issued property policies), (b) operational loss (if the company has physical operations or staff in the impacted territory), (c) increased legal, compliance and regulatory costs to comply with state reporting and data call obligations, and (d) cash flow problems, interest loss, reinsurance collection issues, and other financial difficulties due to a sudden run of claims. Some frameworks can accommodate risk measurement but fail to adequately show linkage of interconnected risks.

Further, today management of ERM-related tasks may often be handled informally or haphazardly, without consistent controls in place to confirm that needed action steps, such as risk assessments, have been accomplished. Tracking of activities may be a difficult, manual process, reliant on email, spreadsheets and ad-hoc databases without adequate version or content control. With the implementation of the ORSA requirement, insurers may find that they need to "beef up" and significantly improve their documentation, attestation and record-keeping practices generally, particularly of any processes that underlie the ORSA report or feed other ERM-related strategic risk analysis.

Finally, whether preparing for the ORSA, or just implementing ERM for other reasons, insurers may struggle with the balance and tension between their "high level" ERM governance practices, and their day-to-day compliance or operational management functions. Companies constantly struggle to improve a wide variety of internal controls, policies and procedures. However, with the implementation of ERM protocols which rate/rank control effectiveness, and attest to the operation of risk mitigation procedures, gaps and deficiencies in controls may become more obvious, and reveal the need for more resources in functional areas. Prioritizing and scoring risks and controls within an ERM program may, over time, actually lead to a shift of internal resources and management focus away from original goals of analyzing high-priority risks. Additionally, it may shift the use of ERM information away from strategic planning and back to the nitty-gritty detail of better inventorying or managing operational, compliance, legal and regulatory risks.

Recommendations

More than ever before, the ORSA reporting requirement will require insurance companies to assimilate strong risk and control management practices into all aspects of everyday corporate decision making, from setting financial strategies and establishing business plans, to controlling routine compliance, legal, and operational risk. Companies must widen and solidify the links and inter-relationships between all departments and functions that might impact either corporate losses, or business opportunities. What can be done?

Don't wait to design a solid ERM program until regulatory reporting demands are imminent; develop a more integrated program of risk and control assessment and management now.

Even in companies which historically have a strong focus on compliance or internal control issues in specific functional areas such as finance, claims or underwriting, the process of implementing an integrated program of risk identification, assessment and control on a larger scale – across an organization – can take many months, if not years. It takes time to review and catalog what controls are currently working, or not, and put remediation plans in place. It takes time to roll out new risk assessment and communication protocols to key staff. It also takes time to determine what risks are higher in potential impact to the company, and thus, where to dedicate resources. Waiting until the last minute to start even a rudimentary review process, with the thought "we'll do it when we know exactly what regulators want us to report," will be too late to embed and test the success of expanded risk management tools and techniques.

Build on the company's current risk and control management expertise, and keep control-related functions well-coordinated.

To ensure thorough review of risks and controls, as well as to prevent duplicating work, look for potential synergies between the ERM process and other control functions, such as legal and regulatory compliance, internal audit, and operational management teams. Try to integrate ERM/ORSA record keeping and supporting tasks with other uses for related data, such as SOX certifications, regulatory compliance or market conduct compliance management audits, and any other processes that involve any review or analysis of potential loss to the company.

For example, any process asking employees to sign off on or attest to the effectiveness of policies and procedures, SOX "key controls," or other controls mitigating risks should be discussed with team members from other compliance-type functions to see if the sign-off process can be timed, or documents drafted, to be used for multiple purposes. Also, members of the various departments responsible for the tracking of emerging risks, financial models, or the development of business plans should liaise on a regular basis, to help ensure a consistent approach to those important planning processes.

Invest in technology to ensure risk information will be assessed and prioritized effectively, to help create links between risks in different areas, and to streamline workflows.

Understanding and managing the quality and availability of existing information within the insurer is key to a successful ERM or ORSA implementation. Whether adopting ERM to comply with regulatory challenges, to meet rating agency expectations, or just as a good business practice, companies should not limit their technology and planning efforts to the actuarial modeling of risk, or calculation of capital. Rather, implementing ERM should be viewed as a key opportunity to improve existing control processes and reporting tools, and to automate as many processes as possible.

In sum, the NAIC's ORSA approach continues to evolve rapidly. Investing time and resources now to improve overall compliance and control efforts, and establish solid enterprise-wide risk assessment, documentation, and communication, should go a long way to meet upcoming ORSA reporting obligations. Ultimately, having a complete, solid ERM framework, integrated with other company compliance and control functions, should be a strong foundation for insurers' long-term risk-based capital assessment goals.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.