A thorough Own Risk and Solvency Assessment (ORSA) is the core process and output of an enterprise risk management (ERM) system. However, successfully implementing a robust and sustainable ERM program within an insurer’s framework is not without challenge. Some companies have thoroughly developed risk management programs with wide participation from all levels of management and functional areas in the risk assessment process. Other companies are just getting their ERM plans off the ground.
According to a new Insurance Regulatory & Risk Management Indicator, compiled by Wolters Kluwer Financial Services, only 26 percent of respondents indicated that their organization has an overall strategic ERM program in place. An additional 14 percent have an integrated risk assessment process in place that is actively used by all departments, although many are likely just beginning their efforts since they also indicated they understand and manage their risks but do not have a formal framework for an overall risk program in place.
As we make our way through 2014, ORSA implementation among insurers varies widely. Over a quarter of those who took the survey indicated that their organization has increased staff over the past 12 months to help manage compliance and risk efforts. Regarding their organization’s ORSA efforts, individual respondents largely indicated they were not sure of their level of readiness. This in itself indicates a very low degree of awareness of ORSA requirements, one of the most significant regulatory challenges facing the industry. Of those who were able to answer the question, nearly a quarter either have not started any ORSA activities or are just beginning the process.
One of the biggest challenges facing organizations is the rapidly approaching effective date provided for in the NAIC’s Risk Management and Own Risk and Solvency Assessment Model Act (#505). The Model Act requires that subject insurers build a solid ERM program, perform a risk-based solvency and capital assessment, and provide specific reporting about their efforts to their supervisory states.
States have been adopting the Model Act’s ORSA requirement, albeit slowly. To date, seven states—California, Iowa, Maine, New Hampshire, Pennsylvania, Rhode Island and Vermont—have essentially followed the NAIC’s lead and enacted ORSA provisions. It is expected that other states will consider and enact similar legislation in their 2014 sessions, as it is generally anticipated that NAIC state accreditation will eventually incorporate an ORSA requirement.
Across the industry, there are a number of common questions being discussed and addressed. Here we will look at a few of the major concerns.
Building an Overall Risk Management Framework
One of the major challenges in developing an ERM program is designing the overall framework or structure the company should implement to ensure that its program will withstand regulatory scrutiny. For better or worse, unlike past U.S. insurance regulatory mandates, the NAIC’s ORSA reporting requirements provide no concrete standards or minimum requirements that companies must implement to have an “acceptable” or “strong” ERM program. Rather, the NAIC has set broad principles-based reporting requirements that give companies flexibility in creating their own unique risk program.
The benefit of the NAIC’s plan is that companies can tailor their program to their size, lines of business written, capitalization structure, and management philosophy towards risk-taking in general. The NAIC hopes that this flexibility will enable companies to manage risk better with terminology, methodology, and reporting that will be truly meaningful to the business.
However, lack of clarity and specificity has its downsides as well. Risk managers, particularly those chief risk officers who are newly appointed or charged with creating ERM programs from scratch, are responsible for researching and developing program elements without a body of industry standards or best practices. This can be a stressful process.
Often for the first time, companies need to create a governance structure for risk management. They need to assign roles and responsibilities to managers and staff and ensure that there are specific people to assess risk, validate the operation of controls which affect risks, and share information across functions which may not have worked together on risk evaluation in the past. Who should be involved? How will the company establish a strong risk management culture from the top? How can they best communicate the significance and need for ERM throughout the company to get full buy-in for the program going forward?
One of the hottest issues is how to get the board of directors on board with ERM. Insurance board members have a limited amount of time in meetings to review all areas for which they are responsible. Public company boards already need to review results of a disclosure committee or other reports to meet Securities and Exchange Commission rules and Sarbanes-Oxley (SOX) anti-fraud law requirements. The failure of boards to sufficiently address these areas not only can result in fines and fees to the company, but also can impose personal liability on board members. Will the board want to, or be able to, give enough attention to ORSA or ERM-related issues if the ORSA requirement does not have similar “teeth” with specific penalties for deficient review and attention?
“The lack of engagement in ORSA efforts illustrated by our Insurance Indicator data provides us with a look into what we see as a real challenge to U.S. insurance institutions as we head into 2014,” says Pam Ewing, general manager of insurance compliance for Wolters Kluwer Financial Services. “Insurers are struggling not only to stay abreast of rapid regulatory changes but in establishing processes and, importantly, in developing an understanding of their true risk picture.”
Creating Common Risk Definitions and Taxonomies
Defining “risk” across multiple business areas is a challenge. Insurers are used to looking at risk in terms of underwriting loss, but risk within an ERM program is much broader. Companies are facing practical problems coming up with specific definitions for a central risk and control classification system that all departments will understand and be able to discuss. However, a common taxonomy for companywide risks and controls is critical to enable the insurer to roll up risks within multiple departments into a clear picture of the true impact of a loss event.
Take hurricane risk, for example. Underwriting aspects of hurricane risk have been assessed by companies for hundreds of years. Yet for ERM purposes, companies need to consider the operational, regulatory, physical, employment, and third-party risks that result from a disaster. How do you describe or classify these risks in language that everyone understands and agrees on? How can you describe financial and nonfinancial risks so they can be correlated? Where do risks interrelate, and how can you word the risk in a concise form that can be put into a database or spreadsheet and be aggregated mathematically with similar risks? This requires creativity and collaboration, often from the whole ERM team.
Establishing Sustainable Quantification Measurements
A related issue is how to measure risk once it is identified. An ERM risk assessment methodology involves measurement of both easily quantifiable risk as well as risk that is hard or impossible to measure effectively, like reputational risk. Many companies strive to measure risk of loss in terms of potential pure dollars lost or as a percentage of company capital to facilitate downstream ORSA-required capital effect calculations. But many are concerned with the degree of accuracy of such measurements and how they may ultimately give a false picture of solvency.
First, on the front end, risk assessors within the business may not have enough information to put a dollar value on risk in their areas. There aren’t statistical or historical trends for every kind of risk, and rare, extreme events—often referred to as “black swans”—are never easily identified, never mind financially estimated, in advance with any confidence.
Second, risk should be assessed on both an inherent and residual basis—without, then with, consideration of mitigating controls. Some companies may not be adequately considering what impact their controls, or lack of controls, have on risk. Having effective controls in place is not just a SOX audit issue, although it is sometimes treated as if it were a mere audit exercise. For effective risk measurement, companies need to know that controls are working as intended; measuring risk without a corresponding evaluation of controls can lead to downstream calculation havoc. Beware of the dangers of a “garbage in, garbage out” strategy.
Third, there is no agreement from an actuarial perspective on what probability/variance and confidence thresholds should be used as a base for risk calculations and, ultimately, the downstream required capital and solvency evaluations. Companies are trying to evaluate how ERM for ORSA either supplements or changes the traditional risk-based capital calculations required for annual statements, and they may need to consider how ERM financials and dollar statements might vary under different accounting methodologies such as GAAP versus statutory accounting (STAT) principles. Different slicing and dicing of projections may also be needed for rating agency and internal models. It is enough to give even the most expert actuary headaches.
Setting Risk Appetite
Knowing your limits is essential to establishing an effective ERM program. Having a plan to address scenarios where risk is above those limits is a critical component of the overall plan. Even when issues appear to be well handled, companies may struggle with how to express their risk appetite or tolerance and compare actual incurred risk to that appetite. The issue comes down to terminology and philosophy as well as a need for quantification. The major question all companies face is: Where should thresholds be set? Philosophies vary, and with no industry standard, there is little insight on best practices.
In some cases, risk thresholds may be set at a very high level and applied to risks affecting the whole company, well beyond the level of individual department risks. These high-level risk statements may describe the company’s overall tolerance for variances from its overall marketing or business plan, its desired share in certain lines of business, the aggressiveness of its growth strategies, etc. They may track factors like changes in investment strategies or increasing share price. Addressing risk thresholds at such a high level can serve a purpose, but they can be difficult to manage. Risk managers will want to consider what metrics can be tracked to determine whether risk tolerances have been breached, and to ensure that potentially dangerous breaches are systematically evaluated.
On the other hand, risk appetite and tolerance may be set at a lower level, specific to a functional department or line of business. Here, tolerance for risk might include specific targets for line of business underwriting ratios, changes in consumer complaints, and claims volume levels. Setting risk tolerance at this level may be more easily managed since the company would likely have routine measurements and metrics handy to track against appetite statements. But how can such appetite statements be used to benefit the company with its more strategic, companywide decisions on how to allocate capital? Companies are now looking at setting risk appetites and tolerance levels with a mix of both high- and low-level perspectives. Finding the right mix will be a long-term effort and may require trial and error.
There are significant challenges ahead for organizations, but implementing a sound enterprise risk management system can be advanced by taking a measured approach. First, designing and building an overall risk management framework starts with creating a governance structure for risk management.
Second, plan to identify and document common risk definitions and taxonomies to ensure consistency across the organization and a uniform approach to risk. Establishing sustainable quantification measurements should cover easily quantifiable risks as well as less tangible risks like reputational risk, which may be challenging to measure using traditional measurement techniques.
Finally, knowing and defining your organization’s risk thresholds and establishing a plan to address scenarios where risk is above those limits will provide meaningful markers and targets on the roadmap to ORSA compliance.