The Latest on ORSA
By Ralph Blanchard
Many jurisdictions throughout the world are trying to define ORSA and the coming requirement for all insurers to have an ORSA. But what is ORSA, besides an acronym for “Own Risk & Solvency Assessment”? Where did it come from, and where is it heading? The following tries to briefly answer these questions.
What is ORSA—30-second version
The coming ORSA rules are a requirement for insurers to:
- Have in place a method (process?) for assessing their own current and future risk.1
- Have some quantification of their own view of needed capital/ surplus/equity.
- Report on such on a regular (annual?) basis if requested by their regulator/supervisor.
- Document their own risk and solvency assessment (and potentially share this documentation—or an abbreviated version—with their regulator/supervisor).
The details and extent of these requirements will vary by jurisdiction, and are generally still in the development phase. As of the publication date, ORSA is still largely an untested and somewhat undefined concept in the major jurisdictions of the world.2
The origins of ORSA
If ORSA is still somewhat undefined, where did it come from?
The term originated with the U.K. insurance regulator, the Financial Services Authority (FSA). Starting in 2005, under what was known as the Individual Capital Adequacy Standards Regime or ICAS, the FSA required insurers to evaluate their own risks and report the capital the insurer believed it needed to support those risks. The FSA discovered, however, that companies generally treated the ICAS as more of a compliance exercise than an integral part of the insurer’s risk management. Those that did the work to support ICAS weren’t necessarily tied in to the business operations. The FSA wanted to have the internal capital assessment process “owned” by the insurer (including the insurer’s board of directors) and integrated into the operations of the business.
Individual(s) within the FSA developed the concept of an Own Risk and Capital Assessment, based on the ICAS concept, and pushed for its acceptance within new Solvency II requirements. The European Commission endorsed the concept, but made a request that the ‘C’ (Capital) be changed to ‘S’ (for Solvency) to make it consistent with what they were generally calling their reforms: Solvency II. As a result, ORCA was changed to ORSA. The concept was also added to the International Association of Insurance Supervisors’ (IAIS) list of Insurance Core Principles, or ICPs. (It is currently included in the latest version of ICP 16, dealing with ERM requirements, adopted in October 2010.) This inclusion within the ICPs greatly expanded the geographic reach of the ORSA concept, as the ICPs are essentially the measuring stick used to accredit a country’s insurance regulation system.3 As such, ORSA is now a worldwide requirement.
ORSA versus ICAS
But what is ORSA exactly, and how does it differ from its ICAS predecessor? These are both good questions, but they don’t have a full answer yet. Even though the ORSA requirement was added to the ICPs in 2010, neither the U.S. nor Europe has implemented it as of this article’s publication date. Both groups are still trying to develop the details. Implementation is still a year or two away in those jurisdictions, although other countries may have implemented some version of an ORSA by now.
In theory, the principle difference between ORSA and the ICAS predecessor is a requirement for the ORSA results to actually be used in running the insurer. This is evident in the language of ICP 16.11.1 where it says “Every insurer should undertake its own risk and solvency assessment (ORSA) and document the rationale, calculations and action plans arising from this assessment [emphasis added].”
ICP 16 also includes the following additional requirements for the ORSA over those required by the ICAS system:
- The insurer’s “board and senior management” are responsible for the ORSA.
- The risks being evaluated must include “underwriting, credit, market, operational and liquidity risks and additional risks arising due to membership of a group.”
- The evaluation includes both current and future solvency/ capital needs.
Key points here are the requirement for the ORSA to lead to actual company action plans, a prospective look at solvency, and the requirement for the ORSA to include analysis of groupwide risks. The requirement for a group-wide assessment of risk addresses concerns arising from AIG’s difficulties and resulting bailout during the 2008 financial crisis.4
One last point here: the ICAS system required insurers to calculate their capital requirement for a 1 in 200 probability of ruin (99.5% VaR) over a one-year time horizon. This was meant to reflect the risk associated with a BBB credit rating. In contrast, the ORSA requirement does not mandate the risk metric to be used (although the Solvency II version does try to tie ORSA into the same 99.5% one year VaR— see below).
U.S. versus European Definitions
Even though all countries need to require an ORSA in order to comply with the IAIS Insurance Core Principles, the resulting definitions and requirements may differ greatly by country. In short, one country’s ORSA may be materially different from another country’s ORSA.
The U.S. attempts to define ORSA began in earnest in the summer of 2011. A draft guidance manual that was very prescriptive was exposed for comment early in the summer. Subsequent discussions led to a resulting ORSA manual that is much more principle-based. “Sample” reports in the initial draft were jettisoned due to the risk that they might become de facto industry standards. The final result was guidelines for an ORSA process, along with an annual ORSA “high-level summary report” to be filed on request, although efforts are underway to make this annual filing mandatory for the larger insurers and groups. (In order to keep it a high-level summary, the report may reference supporting documents rather than containing all otherwise-required details in the filed report.) The underlying model law that would implement this requirement is currently under development at the NAIC.
A major part of the U.S. initiative is the focus on a group ORSA, i.e., an ORSA for the entire group and not just the individual legal entities under the group. This at least partially addresses the biggest issue that arose the last time5 the U.S. insurance regulatory system underwent a review against the IAIS Insurance Core Principles, namely a lack of sufficient regulatory controls with regard to insurance groups.6 (Note, however, that the overall result of the FSAP review was positive, as witnessed by the lead sentence in the report’s Main Findings: “Insurance regulation in the United States is generally thorough and effective, although there are areas where development is needed.”)
On the documentation front, the U.S. approach is to require a company to “internally document the ORSA results to facilitate a more in-depth review by the regulator through analysis and examination processes.” This review could then lead to the state regulator “requesting additional information … through the state’s analysis or examination processes.” In other words, the intent seems to be to tie this to the regular financial examination process, hence relying at least partially on an audit trail rather than exclusively on a pre-existing documentation library.
The U.S. regulators are also performing a test of the ORSA concept, through a request for voluntary submissions of sample ORSA reports in the summer of 2012.
Europe’s Solvency II version
The definition of ORSA is not as far along under Solvency II. Draft guidance was exposed via a Consultation Paper in November 2011 with a comment deadline two months later. A revised draft reflecting those comments had yet to be published as of May 29, 2012.
Principal differences from the U.S. approach at this point seem to be:
- The use of ORSA as a test of the Solvency Capital Requirements (or SCR, the European version of RBC, set at a 1-in-200 year probability of ruin over a one-year time horizon). In fact, the draft guidelines require an insurer to test the assumptions in the SCR against its own view of risk, and to quantify any material differences.
- The requirement for a more fully completed documentation package on hand. This is consistent with the overall trend within Solvency II for extensive (some would say “excessive”) documentation.
- Explicit requirements to include many internal controls in the ORSA, including compliance with reserve setting requirements and the reflection of the risk assessment when designing new insurance products.7
Overall, the Solvency II requirements for ORSA will probably be more prescriptive than in the U.S., as witnessed by 30 pages of draft guidance in the November 2011 exposure draft, compared with only 8 pages of draft guidance in the final NAIC ORSA guidance manual.
Lloyd’s of London
Lloyd’s has already instituted an ORSA requirement for its members, effective with the December 2011 submission, despite the lack of a final Solvency II standard. This is an internal standard which anticipates features of the final regulatory standard, and hence is subject to change as the Solvency II regulations are finalized. (Note that Lloyd’s did not expect the December 2011 version of the ORSA report to be fully complete. Instead they saw it as a test of each syndicate’s level of preparedness with regard to ORSA requirements, in preparation for Lloyd’s 2012 submission to its regulator, the FSA.)
The Lloyd’s structure also results in a relatively unique situation vis-à-vis ORSA regulatory requirements. For solvency regulation purposes, all of the Lloyd’s syndicates combine into a single regulatory unit, with the whole of Lloyd’s acting as a guarantee fund with regard to each syndicate’s liabilities. Hence, Lloyd’s has to produce an aggregate ORSA report to its regulator (the FSA) that combines in some form the results of all the individual ORSA processes and reports of each of its syndicates.
As a further complication, each syndicate is still allowed to adapt its ORSA to its own unique risks and following its own timetable, as long as they produce an overall assessment and report to the Lloyd’s leadership at least annually.
Canada—The insurance regulator in this country (OSFI) has announced that it will be issuing ORSA guidance later this year.
Australia—This country’s insurance regulator (APRA) will require insurers to have in place by the beginning of 2013 an ICAAP (Internal Capital Adequacy Assessment Process), which is meant to be equivalent to Solvency II’s ORSA (although it is unclear to the author how this can be evaluated, given that Solvency II’s version of ORSA has not yet been finalized).
What may be lost in all this discussion is that ORSA is just a part of ERM, and ERM should already be practiced by insurers today. Hence, none of this is totally new; it is just a formalization or codification of what companies should be doing in some form today. Whether or not the additional specifications and requirements add or detract from the overall ERM process remains to be seen, with the result probably varying significantly by jurisdiction.
Thanks to Rob Curtis, currently with KPMG and formerly of the U.K. FSA, for background on ICAS history. Thanks also to Kris DeFrain and Kathryn Morgan for their contributions and edits to this article, and to Chris Townsend and Rade Musulin for the Canadian and Australian insights, respectively.
Recommended Readings and References
Individual Capital Adequacy Standards (ICAS)
Huerta, Thomas F., “Modernisation of the regulatory regime in general insurance: How far have we come? An FSA Perspective,” Speech before the FSA Insurance Conference, http://goo.gl/fW7Gw.
Enterprise Risk Management, International Association of Insurance Supervisors, Insurance Core Principles (ICP) material adopted October 2010 (to be included in full set of ICPs to be adopted in 2011, http://goo.gl/SL4QW.
Yousfi, Jennifer, “ING Gets a $13.4 Billion Government Boost,” Money Morning, http://goo.gl/P3xCb.
“ING To Sell US Online Bank To Capital One For $9B In Order To Repay Bailout,” Reuters, http://goo.gl/9LJjR.
2009 FSAP and Tom Karp Role
International Monetary Fund, “United States: Publication of Financial Sector Assessment Program Documentation— Reports on Observance and Codes,” July 12, 2010, http://goo.gl/fW7Gw.
NAIC Own Risk and Solvency Assessment (ORSA) Guidance Manual – 2011
Solvency II ORSA Guidance
Lloyds of London
“Solvency II—Own Risk and Solvency Assessment (ORSA) - Guidance Notes,” September 2011, http://goo.gl/hBTfb.
1 This requirement may also be established by corporate governance requirements for an ERM process, which would then be leveraged by ORSA requirements.
2 The U.S., the U.K., and other jurisdictions, however, may already have explicit or implicit requirements for some form of ERM that may accomplish the same thing.
3 The U.S. insurance regulatory system was last reviewed for compliance with these ICPs in 2009, prior to the addition of the ORSA requirement. The next review of the U.S. system is scheduled for 2014. All members of the G-20 group of countries are required to have a similar review performed every five years, with the review carried out by the International Monetary Fund (IMF).
4 Note that AIG was not the only financial conglomerate with significant insurance operations that needed a bailout during the crisis. The Netherlands-based giant ING received a government bailout of €10 billion in 2008.
5 This occurred in 2009. The individual in charge of the review on behalf of the IMF was Tom Karp, an Australian who had previously worked for the Australian financial services regulator APRA.
6 The exact words used in the FSAP were: “The approach to supervision of groups needs significant development.” Financial Sector Assessment Program, United States Of America IAIS Insurance Core Principles, Report On Standards and Codes (ROSC) July 2010, page 7, found on the 53rd page of the pdf file at http://www.imf.org/external/pubs/ft/scr/2010/cr10250.pdf
7 Guidelines 12 and 14 as found in the Consultation Paper.