OWN RISK AND SOLVENCY ASSESSMENT AND ENTERPRISE RISK MANAGEMENT

ERM as the foundation for regulatory compliance and strategic business decision making

CONTENTS
Introduction
Steps to developing an ORSA
What is ORSA?
Challenges of the ORSA
Conclusion

Introduction

The thrust of global insurance regulation in the wake of the financial crisis is to make sure that organisations take on only as much risk as they have capital to cover. This is at the heart of measures being taken across all major insurance markets, to ensure that companies assess the adequacy of their risk management and their current and likely future solvency position.

These measures are being formalised in the requirement for insurers to undertake a regular Own Risk and Solvency Assessment (ORSA): a process to identify, assess, monitor and manage the risks associated with a company's business strategy and to determine the own funds necessary to meet solvency needs at all times.

The ORSA is at the heart of the European Union's new Solvency II Directive, as well as regulation recently adopted by the National Association of Insurance Commissioners in the US. The ORSA has been incorporated into the International Association of Insurance Supervisors (IAIS) list of Insurance Core Principles, and ORSA regimes are now being implemented or are under development in countries from Canada, to Singapore, to Australia and China. While each jurisdiction may give a local flavour to its ORSA, all seek a common goal and build on the underlying principles of the IAIS.

Rather than imposing formulaic or rules-based requirements, an ORSA provides a framework and processes that will produce a comprehensive risk profile for a company given its particular business operations and strategy. This profile can then be measured against the company's stated risk appetite, as well as any prescribed solvency capital calculation. Because the ORSA is tailored to the individual company, it provides the board and senior management, as well as supervisors, with a mechanism for understanding the particular risks associated with their mix of business and how well the company is positioned to cope with them.

The IAIS locates the ORSA squarely in its principles for enterprise risk management (ERM). It makes clear that the ability of an insurer to reflect risks in a robust manner in its own assessment of risk and solvency is supported by an effective overall ERM framework and by embedding its risk management policy in its operations. By making ORSA a cornerstone of an ERM framework, rather than treating it as a limited exercise in tick-box compliance, insurers will enable risk management to play an integral part in strategic business planning and achieving operational excellence.

Steps to developing an ORSA

Instead of presenting a check list or formula for calculating solvency capital, the ORSA asks insurers to develop a set of risk and solvency assessment processes and policies tailored to their particular organisation and its business. The ORSA must capture all the material exposures, and must demonstrate that risk management is embedded in the ongoing operations of the business. The organisation is required to produce a regular report for the Board and senior management and the supervisor.

Top down

ORSA starts at the top of the organisation. The Board must be the driver of the ORSA. It will also be the ultimate consumer of the ORSA report, along with the supervisor. The Board must ensure that the ORSA is proportionate to the nature, scale and complexity of the business. It is not a prescribed one-size-fits-all exercise, but should be tailored to the individual company and its particular mix of business activities. Groups will need to produce a group-wide ORSA in addition to the individual entity ORSAs.

Many departments will contribute to the ORSA: actuarial, risk management, finance, operations and IT. The Board must decide who will coordinate these inputs and who will own the process of producing the ORSA report.

What is ORSA?

ORSA is an internal assessment of the risks associated with an insurer's current and strategic business plan, and whether it has the capital resources to support these risks.

The ORSA is a top down process. The board and senior management are required to take responsibility for the ORSA, and through it must demonstrate that they understand the risks associated with their business and that they are appropriate for the capital resources available.

The ORSA must be proportional to the nature, scale and complexity of the business. Where appropriate, it should be assured through internal or external independent review.

The ORSA must encompass all reasonably foreseeable and relevant material risks. It should create a holistic risk profile that includes those risks for which there is quantitative information, as well as those that are more difficult to quantify, like operational and business risks. For groups, it will include risks that arise from the structure of the group and events within it, and avoid double counting of capital.

The ORSA must compare the company's risk profile with the risk appetite as set out by the board. It must also assess the relationship between the risk profile and the available capital resources and demonstrate that they are adequate. And it should link the risk appetite and profile with the organisation's risk management actions and internal control systems.

The ORSA must be forward looking and assess risk and capital resources for the full period of the company's strategic business plan. This will typically be longer than the period for regulatory capital, and will require projections of the organisation's future financial position and capital resources. Companies will have to undertake scenario analysis of stress conditions, as well as reverse stress testing to identify plausible scenarios that could lead to business failure.

The ORSA is a tool for supervisors to understand the risk exposure and solvency position of insurers. Organisations must provide supervisors with appropriate information to demonstrate the adequacy and soundness of their enterprise risk management framework and processes.

The ORSA should be undertaken regularly, probably annually, as well as after any significant changes in an organisation's risk profile.

Risk appetite

The ORSA requires that the organisation has defined its risk appetite. This should be the first stage of any enterprise risk management process. If it has not already done so, the organisation will need to set out its overall risk tolerance, as well as the quantitative and qualitative tolerance levels for each of the risks to which it is exposed. The risk appetite statement will provide a yardstick against which the ORSA will compare the actual risks of the organisation's current and future business strategy.

The organisation will also need to demonstrate that these tolerance limits are suitably embedded in its ongoing operational processes where they can be measured and monitored. And it will need to show through scenario analysis that the tolerances will remain suitable for its business under stressed market conditions.

Holistic risk view

The ORSA must encompass all reasonably foreseeable and relevant material risks that may have an impact on an organisation's ability to meet its obligations to its shareholders. This will include those risks that are more clearly defined and quantifiable, such as insurance, market, credit and liquidity risk, as well as those where qualitative information plays a greater part, for example in operational and business risk. Also included must be those risks that arise from being a member of a group, or from the structure of the group, for example where there are assumptions on the fungibility of capital or transferability of assets within the group. There will also be the potential for diversification of risk across the group.

Some of the risks, such as insurance underwriting, will be measured as part of regular business activities, and these actuarial calculations can be fed directly into the ORSA framework. The same goes for market and credit risk, where the calculations will be part of ongoing asset and liability management. For others that are more difficult to quantify, most notably operational and business risks, the organisation must have in place processes to capture qualitative information, such as expert opinion and judgement, as well as any relevant quantified data.

Internal model v. standard formula

Some insurers will choose to use an internal model or partial model for the measurement of at least some risks and the calculation of regulatory capital. In this case, many of the ORSA specifications will be mapped into the internal model and its output. Supervisors have recognised how closely the two processes are interlinked, and can require a full ORSA report as part of internal model approval. The ORSA should explicitly demonstrate the continued appropriateness of internal model assumptions over time. An overarching ERM framework will ensure that the complementary requirements of the ORSA and internal model are most efficiently met.

For insurers taking the Standard Formula approach to regulatory capital, the ORSA provides the framework for a comprehensive assessment of risk and capital resources calibrated to the characteristics of the individual firm and its business. Much of the ORSA will be new to many companies, and will provide the foundation for a comprehensive ERM framework.

Aggregating risk

The organisation must be able to aggregate all the risks it has identified, gathering and combining information from multiple sources. Scenario simulations will be key to integrating the various data, and especially in incorporating qualitative data on operational and business risks, such as judgement and expert opinion. Stress tests will explore the impact of extreme events and market volatility on the organisation's overall risk profile.

Questions ORSA should answer

Armed with the company's aggregated risk profile, insurers will need to ask themselves a number of questions. How does the risk profile compare with the statement of risk appetite? Are major exposures in the areas where the insurer expected them to be? Are there concentrations of risk that the insurer was not aware of? How are risks changing over time? And the key question that supervisors will want to know the answer to: how well does the risk profile match the capital resources that the company holds against its risks?

Supervisors will want to see evidence that the board and senior management understand the information they receive from the ORSA. Where there are mismatches between appetite and actual risk, or between risk and capital resources, the supervisor will want to know what the organisation is doing about it. Companies will have to demonstrate that they use the output from the ORSA in their business decision making. This includes forward planning through the full business cycle (usually three to five years) rather than a typical regulatory capital period of a year.

Forward looking

Insurers will have to demonstrate that they are able to manage their risks over the longer term under a range of plausible and potentially challenging scenarios. These should include scenarios where the company might initiate changes, such as introducing new product designs or pricing structures, or making acquisitions, or expanding or contracting business lines. The scenarios should also include changes in external factors, such as market and economic conditions, industry innovations, legal or regulatory changes, or demographic or social developments. The analysis must include reverse stress tests (scenarios under which the business would no longer be viable or where the market would lose confidence in it) and how the organisation manages this risk.

Supervisory tool

The ORSA is a key tool for supervisors, helping them understand the specific risk exposure and solvency position of the insurer. Supervisors will use it to assess the adequacy and soundness of the insurer's risk management framework and processes, given the nature, complexity and scale of the business. They will examine how well the insurer uses the information it gathers in its business decision making and strategic planning, and how responsive the company is to stressed market conditions and changes in the business environment. They will expect the ORSA report to document the allocation of responsibilities for ERM and the oversight of risk, and will use it to check the internal control systems and audit trails. Where they detect weaknesses, supervisors could intervene and require that the insurer strengthens its monitoring or controls.

Challenges of the ORSA

The first challenge of the ORSA is to devise the organisational structure to implement it. The ORSA cuts across departments, requiring input from actuarial, asset and liability management, finance and operations. The company will need to decide who takes ownership of the methodology, processes and production of the ORSA report. ORSA is ultimately about measuring and managing risk, therefore it makes sense to locate the ORSA in an ERM framework, with the organisational structure to support it.

The ORSA requires the organisation to define its risk appetite. This must be captured and documented, with tolerance limits set for individual risks. For these limits to be meaningful, they must be linked to business operations, with arrangements to track key risk indicators and the ability to raise alerts when thresholds are breached. The risk appetite statement may include measures that can be taken to mitigate increases in risks, such as hedging, which must also be monitored and managed.

Quantifying risk

Insurers will need to quantify all risks in calculating solvency capital. It will not be possible to ignore risks simply because they are more difficult to measure, or where there may be effective methods to manage them other than holding capital. Insurers must be able to incorporate judgement and expert opinion in the assessment of the possible impact of operational and business risks, supplementing this with quantified data where available. Assumptions of frequency and severity must be captured in a methodical way along with their rationale, and then built into scenario simulations whose distributions can then be aggregated with those of market, credit and other more quantifiable risks.

Organisations will need the capability to run Monte Carlo simulations across all of their risk factors for all their business activities. In addition, they will need to be able to stress the risk factors to assess capital resources to cope with extreme market and economic events. Furthermore, organisations must run reverse stress tests, exploring plausible scenarios that might expose weaknesses in the company's business model. These are not just more extreme versions of the conditions in stress tests, but possible unexpected developments, such as black swan events, which might not immediately breach the organisation's risk appetite or solvency level, but will cause the business to fail in the end. Developing such reverse stress tests requires the thoughtful input of senior business and risk managers.

A unique and particularly demanding aspect of the ORSA is the requirement to not only look at risk and capital in the regulatory solvency time frame (typically a year) but right across the period of the strategic business plan. This is usually three to five years, and organisations must have the ability to project their balance sheet forward over that period and demonstrate that they will have the capital resources to cover risk at all times. This adds another layer of complexity to the risk and capital modelling process, particularly where the insurers offer products with significant options and guarantees. Projecting the impact of stresses and possible management actions adds further complexity.

Data management

Experience throughout financial services has shown that one of the biggest challenges of any ERM effort is the gathering, cleaning and management of all the relevant data that is essential for the measurement of risk and the calculation of economic and regulatory capital. Insurers will have to source and integrate information from across their organisations. This will mean interfacing with a range of disparate systems and standardising and consolidating their data. A single central repository will make it easier to develop and maintain the single source of truth that will be essential for a coherent enterprise risk view.

A single central repository will also be the key to providing both the dynamic interactive data that management needs on a day-to-day basis to run the business and the regular, most probably annual, ORSA report. Dashboards will enable senior managers to monitor key risk indicators, while drill down facilities will enable them to investigate issues or explore opportunities. The ORSA infrastructure must also be able to produce the regular printed report for board members, as well as the supervisor, so must have access to consolidated, high level data.

Robust infrastructure

Overall, the requirements of the ORSA are such that it demands a robust technology infrastructure that can capture and manage all the relevant data, provide monitoring and controls of risk limits, perform aggregation and calculation of risk and capital, and provide feedback on a dynamic and formalised reporting basis. Processes will need to be industrialised and workflow automated wherever possible to achieve the efficiency and responsiveness that the ORSA demands. Full documentation and audit trails are also essential.

Supervisors will want to see evidence that risk awareness is built into the organisation's daily operations, as well as strategic decision making and forward business planning. They will expect the board and senior management to be familiar with the ORSA and be able to demonstrate their understanding of the link between risk assessment and solvency capital levels. The ORSA report will be the start of a conversation between the supervisors and the company, not the end of a formulaic compliance exercise.

Conclusion

ORSA is not really a new invention, but rather a formalisation of what insurers have long been trying to do in terms of aligning their risk and solvency positions. In mandating a rigorous, structured and calibrated own assessment process, regulators are embedding best practice as evolved by the industry over many years. ORSA should build on organisations' existing risk and capital management functions, making them more tailored, dynamic, proactive and integrated into business decision making. Its forward looking nature makes ORSA a particularly powerful tool for strategic business and capital planning.

Because the ORSA is top down and defined by policies set by the board and senior management, it empowers ERM and gives it a voice in business decision making and operational controls. ORSA provides a centralised source of information not only for supervisors, but for the board, business managers, risk management and the rating agencies.

The ORSA will undoubtedly be a major project for many insurers, entailing significant effort and expense. Against this must be weighed the benefits of being able to more effectively and comprehensively identify and manage, or avoid, unwanted risk, as well as being able to recognise the potential opportunities for improved operations, increased capital efficiency and new business opportunities. Treating the ORSA as just another compliance exercise is to not only miss the point, but also to miss the chance to create a truly embedded ERM framework that can give a competitive advantage and add value to the firm. Regulation may be the driver of ORSA, but insurers are realising that its underlying theme of robust ERM is the foundation for successful business and, ultimately, of benefit to all stakeholders.

ORSA demands that insurers have the ability to make a comprehensive quantitative and qualitative assessment of risk and measure this against capital resources on an ongoing basis. Insurers must demonstrate that they have an ERM methodology in place and that it makes sense given the nature, complexity and scale of their particular business.

THOMSON REUTERS ACCELUS

The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity.

Thomson Reuters Accelus connects business transactions, strategy and operations to the ever-changing regulatory environment, enabling firms to manage business risk. A comprehensive platform supported by a range of applications and trusted regulatory and risk intelligence data, Accelus brings together market-leading solutions for governance, risk and compliance management, global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence, training and e-learning, and board of director and disclosure services.

Thomson Reuters has been named as a category leader in the Chartis RiskTech Quadrant for Operational Risk Management Systems, category leader in the Chartis RiskTech Quadrant for Enterprise Governance, Risk and Compliance Systems and has been positioned by Gartner, Inc. in its Leaders Quadrant of the Enterprise Governance, Risk and Compliance Platforms Magic Quadrant. Thomson Reuters was also named Operational Risk Software Provider of the Year in the Operational Risk and Regulation Awards 2013.

For more information, visit accelus.thomsonreuters.com

© 2013 Thomson Reuters GRC00549/10-13