Early this year, PwC issued the results of its 2012 U.S. Insurance ERM & ORSA Readiness Survey, highlighting significant gaps between insurers' perceptions of their readiness for the National Association of Insurance Commissioners' (NAIC) adoption of the Risk Management and Own Risk Solvency Assessment Model Act (RMORSA), and their actual, day-to-day enterprise risk management (ERM) practices. The PwC report emphasizes that despite some progress in adopting ERM, most insurers still "need to make significant investments in resources and organizational commitment in order to operationalize the process and facilitate filing a complete and comprehensive report on time."
The Increasing Need for ERM
Over the past few years, international, federal and state regulators, and major rating agencies such as Standard & Poor's and A.M. Best, have adopted regulatory and rating review processes to help insurers build strong ERM frameworks to help evaluate, govern, and manage risks of loss company-wide. Regulators and rating agencies want to ensure that companies are setting their capital and strategic goals appropriately in line with each insurer's unique portfolio of risks and controls.
To this end, in September 2012, the NAIC unanimously adopted the Risk Management and Own Risk and Solvency Assessment (or RMORSA) Model Act, with an effective date of Jan. 1, 2015. This act was intended to help regulators monitor risk and solvency levels of the largest insurance companies.
The Act, which each jurisdiction now needs to adopt in state law, requires many insurers to have a comprehensive ERM framework embedded into their organization and detail its elements in an annual Summary Report to their home-state regulator. Under the requirement to conduct an "Own Risk and Solvency Assessment" or ORSA, insurers will be expected to "self-evaluate" or model the sufficiency of their capital, given each company's wide and unique range of risks inherent in their current and future business operations.
Many insurance and risk professionals are now trying to understand their obligations under the Model Act, and explore best practices for compliance. PwC noted that while the regulation calls for insurers to establish a robust ERM framework by January 2015, some insurance departments are already asking companies for their ORSA or similar documentation as part of their state financial examination review process. On the positive side, PwC cited several collateral benefits from a mandatory ORSA process, such as "better rating agency review of the ERM framework, lower impact regulatory exams, better risk practices and enhanced collaboration between actuaries and risk managers."
Evidence of Industry Overconfidence
PwC surveyed 65 life, P&C and health insurance companies, asking questions about their risk strategy, management, governance, and risk assessment or quantification practices. A large majority (82 percent) of the respondents opined that their current ERM program will be at least adequate for the requirements.
However, PwC then found a number of interesting conflicts in areas critical to a thorough and effective ERM program, including:
- Many companies reported that they do not have fully documented risk policies that cover the significant risks to which they are exposed, and only 41 percent of companies actively review, update and enforce existing risk management policies.
- Thirty-five percent of companies indicated that they do not have a fully operational risk appetite with tolerances linked to business strategy.
- Nearly 40 percent of company boards are not engaged or are only passively engaged in risk management.
- Almost 40 percent of companies believe their risk aggregation approach needs improving or is at a low level of sophistication.
Further, at least three-quarters of the industry do not have risk metrics, measurement and management processes that are fully integrated in the business planning process, "representing a strategic opportunity and regulatory gap with respect to RMORSA readiness," according to PwC.
The findings clearly show that many insurers, even those who are subject to multiple international regulatory schemes and have been working to develop ERM programs for years, have been underestimating the amount of work it will take to meet upcoming RMORSA obligations.
Facing the Challenge
Companies may find it challenging to either implement ERM practices, or comply with specific RMORSA reporting requirements, for several reasons. First, insurers are in various stages of maturity in the long process of developing an ERM framework. It takes time and effort to catalog all significant risks and controls in any size organization, and ensure that risks are assigned owners who will monitor and control the risk effectively. Companies may have practical difficulties assessing risk frequency and severity across different functions. Additionally, it may be challenging to document risks and controls consistently in a coherent framework, so that the supporting data and information can be aggregated and will be meaningful or useful to management and regulators.
Further, communication and "breaking down silos" between departments takes time. So does embedding a risk-aware culture into day-to-day workflows and company processes. In order to ensure compliance with the ORSA requirements, companies must invest time and resources over a long period to support risk communication and reporting throughout the organization. The sheer scope of the endeavor can be naturally intimidating for companies of all sizes. There may still be strong voices within companies that say "we don't need to do this quite yet," or "what we have is good enough for now."
However, when companies do get it right, ERM provides significant benefits and opportunities. Echoing the benefits PwC noted above, adopting ERM and ORSA practices can lead to improved management and strategic decision-making. Insurers can make more accurate and reliable risk assessments, as well as better risk control or financing choices. From a regulatory perspective, the NAIC hopes that its adoption of the RMORSA Model Act might enable states to offer more flexible capital requirements to companies with sound ERM programs, and international insurance groups may benefit from increased recognition and reciprocity of their financials, facilitating competition in the global arena. More importantly, from an insurer's perspective, having a strong ERM framework and an ORSA process may lead in time to improved ratings, and ultimately, improved share prices.
What Do Companies Need to Do Now?
At this point, all insurers should be doing an honest self-evaluation of where they are in developing an enterprise risk program, and ensure that they are truly prepared for more risk-based reviews of their organization's financials. A risk "Maturity Model" such as that offered by the Risk and Insurance Management Society (RIMS) can be a helpful tool for companies in building a comprehensive ERM process over time, and assessing where there may be areas of improvement in current plans.
Companies also need to document current and future required risk management responsibilities and workflows, and evaluate human assets, in a more organized way. Improvements in risk and control assessment procedures, including scoring methodology and aggregation models, may be needed.
Today, management of ERM-related tasks may often be handled informally or haphazardly, without consistent controls in place to confirm that needed action steps, such as risk assessments, have been accomplished. Tracking of activities may be a difficult, manual process, reliant on email, spreadsheets and ad-hoc databases without adequate version or content control. With the implementation of the ORSA requirement, insurers may find that they need to "beef up" and significantly improve their documentation, attestation and record-keeping practices generally, as well as ensure that they have complete audit trail capabilities.
Further, to ensure that ERM principles and practices are solidly embedded throughout the company, a wider population of staff may need risk-related communications—from high-level managers, to risk owners working day-to-day in business units or functional areas. All participants should have access to information that would allow for better, more informed decisions about risks, controls and ERM processes company-wide that might apply to, or affect, their own business areas. Develop management dashboards and reporting for multiple audiences now in anticipation of increased use by the board, company managers and regulators.
Finally, if they have not started doing so yet, insurers need to begin developing processes and systems for stress testing and scenario planning that can support RMORSA capital and solvency analyses.