ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW 2015/Sessions/ARF/ARF 3… · IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW Presentation: How much to disclose in the report

IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

A.R.F. Super Session The ORSA Journey – Where is it taking us?

Monday, June 8, 2015

3:30 – 5:00 p.m.


Objectives for this session

Past, present & future of ORSA

What is included in an ORSA report?

How ERM can provide a solid foundation for ORSA

How to gain efficiencies; what resources are needed

How ORSA may impact the future of regulations & ratings


Questions for the audience

If you work for an insurance company –

If your company is required to submit an ORSA report –

If you are allowed to say, was your company involved in an

ORSA pilot program?

If your company is exempt from ORSA –


G-20

Worldwide Industry’s Articulation of their

Governance

Solvency II

Insurance Core Principle (ICP) 16 – Enterprise Risk

Management

Financial Sector Assessment

Program

Why ORSA?

5


2 Primary Goals

Effective level of Insurer's Enterprise Risk Management

Provide a group-level perspective on risk and capital

What is ORSA?

OWN Solvency ERM

Component

> $500 M Individual > $1 Billion Group 6


Framework

• Maintain a risk management framework

ORSA Assessment

• Complete an Own Risk and Solvency Assessment

ORSA Report

• File an ORSA Summary Report with the insurance commissioner

ORSA Requirements

Effective date as of January 1, 2015,

with the first Summary Report filing

sometime in 2015, as states work with the

insurer for the states that have adopted

1/1/15 implementation date.

Adopted by NAIC

Sept. 2012

7


States that have Adopted ORSA

8

State Implementation Date


2012, 2013, 2014 ORSA Feedback

2012 2013 2014

Number of States Participating 12 16 26

Estimated Number of ORSA Reported Expected to

be Filed to Participating States

134 167 210

% of Total Estimated ORSA Reports Expected to be

Filed

50% 64% 77%

Number of Insurer/Groups Participating 14 22 28

Participants covered Life, P&C, Health & Title

9

2014 Pilot closed May 2015 Number of ORSA???


Presentation:

How much to disclose in the report

Content:

Alignment of risk and business strategy

Risk appetite statement at enterprise level

Risk thresholds and limits for each material risk

Support to choice of metric to quantify the solvency capital

Quantification of solvency capital for some specific risks: • operational, emerging

Stress tests

Prospective risk and solvency capital assessment

Use test – i.e. how the ORSA process is used to support management decisions

Roll-out of ORSA processes into all functions due to immaturity of ORSA processes

1

0

Challenging Areas for Companies


Scope out their first years’ reviews: breadth and depth

Use of foreign ORSAs for US regulatory purposes

Use of group ORSA by non-lead states

Training all staff – NAIC ORSA Training has been launched

and is being rolled out nationally

Lead State generally expected to perform review and

assessment

• Non-Lead States place significant reliance on Lead State

1

1

Challenging Areas for Regulators

Organizational charts

Entities covered by the group ORSA, preferably showing: • Accounting basis

• NAIC co-codes

Reason for entity exclusion

Status of development of ORSA processes: what has been developed and what is in progress

Current versus future state

Reference to data used (ie at what date)

Accounting basis used for section 3

Balance between depth of content and supporting evidence

List of ORSA documents available to examiners, with owner, date of last version

12

Like

A document (not PowerPoint slides)

A structure that reflects or can be reconciled to the ORSA Guidance Manual

A table of content

An executive summary

Use of appendices to supplement information in the main document

A glossary of terms used

Signed attestation from CRO or CRO-like

Use of heat maps to support risk identification

Use of graphics to explain processes / reporting lines

Use of comparatives for multi-year financial data

Clearly labeled exhibits/tables/graphs

Page numbers (!)

Needs Improvement

Presentation – Regulators’ considerations (from ORSA pilots)

Use of risk management to support business decisions

Business Strategy / direction of the group

Core business initiatives

Core risk management initiatives

Important corporate life events: acquisitions and disinvestments

Current and prospective look

Bringing together the 3 sections

13

Observations

Key part that sets the overall tone

Summarized presentation of the business strategy objectives (over time horizon of business plan), relevant risk strategy and solvency position at group level

Length and format vary based on insurer size and complexity

Needs Improvement

Executive Summary – Regulators’ considerations (from ORSA pilots)

Overview of the ERM process: • Genesis

• Models used (COSO, ISO31000, own, other)

• Maturity

• Current versus future state

How business strategic objectives tie to: • ERM

• Capital

• Operations

Risk culture & governance: • in the absence of a CRO, who is the “risk-go” to

person and engagement w management

• tie between compensation & incentive and risk management

Risk identification and prioritization: • Outline of the processes

• Criteria used to “prioritize”

• Emerging risk framework

14

Observations

Overview of the ERM process:

• Follow the building blocks of the ORSA Manual

• Put the ORSA processes in the context of the maturity of own ERM

• It helps dialogue with regulator

• Where are you really at?

Risk culture & governance:

• clear definition of roles & responsibilities (owners versus doers, supervision, independent assurance, granularity within group).

• Reporting lines (use of charts welcome)

Risk identification and prioritization: • robust and detailed process of identification throughout

the group

• process for selecting key risks from risk universe

Needs Improvement

Section 1 – Regulators’ considerations (from ORSA pilots)

Section 1 – Regulators’

considerations (from ORSA

pilots)

Risk Appetite, Tolerances and Limits:

• Articulate individual limits

• Consistency with key risks identified in prior parts of the report

Risk management and controls: • Controls around the key risks (rather than

financial controls)

• Escalation process in event of breach

• Current involvement of Internal Audit

Risk reporting and communications:

• Use test

• Exchange of information within the group

• Feedback loops

• Examples help!

15

Observations

Risk Appetite, Tolerances and Limits: • Link between business strategy and risk

appetite framework

• Process from overall risk appetite to individual risk preferences, tolerances and limits for each key risk

Risk management and controls: • Process in place to manage key and non-

key risks (what, how and who)

• Specific risk controls

• From inherent to residual risk

Risk reporting and communications: • Translation of limits into operational

guidance

Needs Improvement

Assessment of risk exposures: • Overview and summarized

presentation of results for all risks under both current and stressed conditions (for example, at beginning of section 2)

• Consistency with key risks identified

• Support to methodology selected (for either qualitative or quantitative)

• Comparison against tolerances and limits in section 1

Stress tests: • Consistency with key risks identified

• Effect of single stresses

• Effect of combined stressed

16

Observations

Assessment of risk exposures: • For each key risk

• Qualitative or quantitative

• Methodology and data used

• Under current and stressed conditions

Stress tests:

• Risks stressed

• Methodology used to select the stresses

• Results of the stresses

Needs Improvement

Section 2 – Regulators’

considerations (from ORSA pilots)

Group assessment of risk capital:

• Consistency with key risks identified in prior parts of the report (sections 1 and 2)

• Description of the methodology used to quantify risk capital for each risk

• “Fitness for purpose” of the risk capital metrics used

• Explanation and overview of the calculation of the diversification benefit

• Data: sources, quality, testing

• If internal models are used to quantify the risk capital: validation framework (scope, process, governance, results)

Prospective risk assessment: • Missing so far in reports

Management actions to remedy capital inadequacy • Access to capital markets/ liquidity assets

• Interconnectedness of US business to the international affiliates/parent

17

Observations

Group assessment of risk capital:

• On current and prospective basis • For each key risk

• Metric to define risk capital

• Methodology for aggregation

• Accounting basis selected

• Methodology for diversification

• Methodology and time horizon for projections

• Comparison against available capital

• Validation of results

Prospective risk assessment: • Changes to risk profile over time horizon

of the business plan

Management actions to remedy capital inadequacy

Needs Improvement

Section 3 – Regulators’ considerations (from ORSA pilots)


Business strategic objectives

Maturity of ERM processes: what has been developed and what is in process? Do you have a plan to completion? What processes have been tested?

Entities in scope and entities excluded

Deep dive into section 1 for first filings

Discussion around key risks

Exposures and stresses: current position against limits

Overall solvency position at group capital, access to capital sources

Evidence of use of all the above

Group perspective for risk and capital

18

What questions to expect from regulators


NAIC ORSA Guidance Manual (July 2014 version)

http://www.naic.org/store/free/ORSA_manual.pdf

RMORSA Model Act #505 (adopted on September 6th, 2012)

http://www.naic.org/documents/committees_e_risk_management_orsa_adopted_120906.pdf

SMI dashboard, showing the status of adoption by the individual states of a number of model acts as part of the Solvency Modernization Initiative (SMI), including the RMORSA Model Act #505 (on the second page), as of February 2, 2015:

http://www.naic.org/documents/committees_e_related_smi_dashboard.pdf?123

Latest draft guidance for financial analysts in the state Departments of Insurance on how to conduct analysis procedures on the ORSA reports:

http://www.naic.org/documents/committees_e_examover_fahwg_exposure_fin_analysis_handbook_prop_rev_form_draft.pdf (starts on page 171)

Latest draft guidance for financial examiners in the state Departments of Insurance on how to conduct an examination of the ORSA reports:

http://www.naic.org/documents/committees_e_examover_fehtg_exposure_orsa_guidance_rfswg.pdf

Basic Documents

1

9

http://www.naic.org/store/free/ORSA_manual.pdf



http://www.naic.org/documents/committees_e_related_smi_dashboard.pdf?123

http://www.naic.org/documents/committees_e_examover_fahwg_exposure_fin_analysis_handbook_prop_rev_form_draft.pdf







Tennessee Farmers Insurance Companies

EXPECTATIONS

ORSA Pilot Program

• Be able to use this report for AM Best

• Be one of the first insurance companies in Tennessee to file an

ORSA report

• We are in discussion with TDCI on what they expected to see in our ORSA

• Steering the analyst’s expectations


Tennessee Farmers Insurance

ORSA

OSRA – The name means something

Who does it belong to?

• “OWN” Risk Solvency Assessment



Where did we start?

Utilized common language

• Model Language

• ERM – Enterprise Risk Management Framework

• Insurer Assessment of Risk Exposures

• Group Assessment of Risk Capital and Prospective Solvency

Assessment

Used the model language to get an idea of the structure

Did not create any new processes or meetings

Documented everything



ORSA Lessons Learned

Only had 2 people

ORSA had to be filed through Texas for Confidentiality

Used all resources

• Actuaries and Auditors


ORSA Section 1 – Leveraging ERM Mary Peter, Director of ERM (Eide Bailly,LLP)

How Section 1 of ORSA embodies Enterprise Risk Management

How Enterprise Risk Management can be leveraged with ORSA


ORSA Section 1 - Leveraging ERM

Description of the Insurer’s Risk Management Framework

• Key Framework Principles:

• A. Risk Culture and Governance

• B. Risk Identification and Prioritization

• C. Risk Appetite, Tolerances and Limits

• D. Risk Management and Controls

• E. Risk Reporting and Communication

• To what extent does your ERM Program contain these principles?


ORSA – Leveraging ERM

ORSA

ORSA ERM


ORSA - Leveraging ERM

ERM first; ORSA second or:

ORSA first; ERM second

Either way, ORSA supports a robust ERM process

A robust ERM process supports ORSA as its foundation


Key Principles – Leveraging ERM

Risk Culture and Governance

• Cornerstone to managing risk

• Structure that clearly defines roles, responsibilities, accountabilities

• Risk Culture that supports accountability in risk-based decion-making

• Structure creates rigor within the organization

• Manages reasonably foreseeable and relevant material risk, in a

continuously improved manner

ERM needs this foundation for it to be successful and become

embedded in the organization.

ERM Step 1



Risk Identification and Prioritization

• This is key to the organization

• Responsibility for this activity should be clear

• Risk management function is responsible for ensuring the processes

are appropriate and functioning properly.

• A process must identify risk and prioritizes such risks in a way that

potential are addressed in the framework.

ERM foundation needs to be established before beginning to identify

and prioritize enterprise risks. A cross-functional team will be best

equipped to complete this activitiy.



Risk Appetite, Tolerances and Limits

• A formal risk appetite statement, with associated risk tolerances and

limits is foundational element of a risk management framework

• Understanding the risk appetite statement ensures alignment with the

risk strategy set by senior management and the board of directors

• This should be easy to communicate, be understood, and should be

closely tied to the organization’s strategy.

• Underlying tolerances and limits can be selected and applied to

business units and risk areas as deemed appropriate.

• Risk tolerances/limits provide direction outlining the Company’s

tolerance for taking on certain risks

ERM utilizes a strong risk appetite in the assessment of enterprise risk.



Risk Management and Controls

• Managing risks is an ongoing ERM activity, operating at many levels

within the organization

• It is a key aspect of managing and controlling the reasonably

foreseeable and relevant material risks of the organization.

• Relevant business units put mechanisms in place to identify, quantify

and monitor risks

• Risks are reported up to the next level based upon the risk reporting

and risk limits.

• Controls are put in place on the backend, by internal audit or

independent consultant

ERM is most effective with both clear accountability and controls.



Risk Reporting and Communication

• Provide key constituents with transparency into the risk-management

processes

• Facilitates active, informal decisions on risk-taking and management.

• Reporting is made available to the management, board and

compliance as appropriate

• Reporting can allow decisions to be made throughout the

organization by appropriately authorized people, with ultimate

ownership by senior management or the Board , as appropriate

ERM is an active and living process that depends upon reporting and

communication to be value driven.


ORSA – Leveraging ERM (contd.)

Other essential items to include:

• How are risks monitored?

• How are new or emerging risks added to the process?

• How strategic or business decisions are impacted

• Signed by Chief Risk Officer (or executive responsible for the oversight of

the insurer’s ERM process); attesting to the best of his/her belief and

knowledge that the insurer applies the ERM process as described in

the ORSA Summary Report, and that a copy has been provided to

the board of directors or the appropriate committee


ORSA – Leveraging the Steps of ERM

Foundation

Risk Culture

Governance

Roles & Responsibility

Identification

Relevant

Inter-related

Risks being

Identified &

Categorized

Assessment

Risk Appetite

Risk Tolerance

Limits

Enterprise-Level,

Approved by Board

Effective Controls

Evaluate

Linked to Strategy

Prioritized

& Used in business strategy

Tools used

Risk Response

Reporting within the

Company

Controls used to

Mitigate or

Manage risk

Monitoring

ERM program

emerging risks


Maturity of Your ERM/ORSA Program

Non-Existent

Level 0

Ad hoc

Level 1

Insurer has not recognized a need for

risk management and risks aren’t

directly identified, monitored or

managed.

Insurer has not developed or

documented standardized risk

management processes and is relying

on the individual efforts of staff to

identify, monitor and manage risks.


Maturity of Your ERM/ORSA Program

Initial

Level 2

Repeatable

Level 3

Managed

Level 4

Leadership

Level 5

Insurer has

implemented risk

management

processes, but the

processes may not be

operating consistently

and effectively. Certain

risks are defined and

managed in silos

Rather than

consistently throughout

the organization

Insurer has risk

management processes

in place designed and

operated in a timely,

consistent and

sustained way. The

insurer takes action to

address issues related

to high priority risks.

Insurer is advanced in

its risk management

capabilities. Risk

management activities

are coordinated across

business areas and

tools and processes are

actively utilized.

Enterprise-wide risk

identification,

monitoring,

measurement and

reporting are in place.

Insurer is at the leading

edge of companies in

relation to risk

management. Risk

management is

embedded in strategic

planning, capital

allocation, and other

business processes

and is used in daily

decision-making. Risk

limits and early warning

systems are in place to

identify breaches and

require corrective action

from board &

management


ORSA Sections 2 & 3 Update Jerry Ravi, Partner (EisnerAmper)

How the assessment portion of ORSA ties into ERM and governance

How internal and external audit can be leveraged.


Key ORSA Components

• Utilize Best Practices - RIMS Risk Maturity Model (RMM)

• Evaluate key principles on an ongoing basis – start with a health check

• Define Risk Profile, Appetite and Tolerances

• Ensure integration and communication throughout the organization (leverage existing risk functions and assurance activities)

Evaluate the Maturity of the ERM Framework

• Organize information into main risk categories or risk objectives

• Ensure documentation and rationale for risk exposures under both normal and stressed scenarios

• Conduct workshops to evaluate exposures

• Prioritize and align to strategy, decisions and capital allocation

• Measurement and alignment to capital allocation / compensation

Assess Risk Exposure

• Relying on various models including internal and external models (RBC, BCAR, etc…)

• Review / utilize technology and software solutions (Igloo, MG-ALFA, etc…)

• Quantify necessary capital for different risks using various assumptions (stochastic and deterministic)

Determine internal capital assessment


Section 2 – Assessment of Risk Exposure

Phase 1 – Communicate /

Align to Objectives

Phase 2 – Identify, Analyze and

Prioritize

Phase 3 – Validate and Collaborate

Phase 4 –Report and Monitor


Risk Identification & Prioritization

Risk identification is the continuous process by which Risk Management

creates and updates its catalog of risks. • Cataloged by risk categories and sub-categories tailored to the insurer

• Risks have to be assessed for prioritization; too many risks to be monitored and managed at the

enterprise level

• Perform Risk Assessment to prioritize risks and to identify key risks

Leverage Internal and External Audit Process

Focus on continuous monitoring and follow-up


Risk Maturity Model – Evaluation (NAIC ORSA principles)

Key Principle(s)

Initial Repeatable Managed Leadership

Risk Identification and Prioritization

The ERC manages business area risks, creating context for risk assessment as a foundation of the ERM Process. ERM dedicated process owners identify and create risk indicator lists and share them with the ERM Process owners for tracking and measurement. Impact, likelihood, and controls’ effectiveness are standardized and used for prioritization and risk follow-ups.

ERM Program Managers review Risk indicators deemed critical to their areas with the ERM team on a weekly basis. ERM standardizes evaluation criteria of impact, likelihood, and controls’ effectiveness that are used to prioritize risk for follow-up activity.

ERM gathers and maintains Internal and external best practices based on experience to enhance the risk management process. The ERC, on a quarterly basis, provides risks and opportunities to senior management. Frontline employees’ participation is promoted through workshops.


Risk Based Decision Making

Risk Profile Monitoring &

Reporting

Company Structure

DECISIONS

Risk Processes & Tools

What types and levels of risk support objectives?

What data / analysis are needed?

What structure supports effective decision making?

What information is

needed to make the decision?


Risk Management and Controls Assessment

• If risk responses, including controls, are not in place and operating as

designed, then the likelihood of an event increases

• Assessing risk mitigation allows entities to gauge how well they’re

managing risks

• Risk mitigation assessment criteria include capabilities such as:

oScenario planning

oRisk responses in place

oAbility to respond and adapt quickly as events unfold

oCapacity to withstand events such as capital buffer and financial

strength

o Consider Data Analytics and Technology Solutions to enable

an effective assessment and monitoring process

Risk Assessment – Impact Criteria Rating Financial

Reputational Legal/Regulatory Operational People/safety/environmental

5

Extreme

• Annual

financial loss of

XXX

• International

long-term

negative media

coverage

• Game-changing

loss of market

share

• Significant prosecution

and fines, litigation

including class actions,

incarceration of

leadership

• Product Liability

significant

• Complete

disruption of

operations for

2 weeks or

more

• Loss of multiple, key executives

• Significant injuries or fatalities to employees

or third parties, such as customers or vendors

• Permanent environmental damage

attributable to the company

4

Major

• Annual

financial loss of

XX million up

to XX million

• National long-

term negative

media coverage;

significant loss of

market share

• Report to regulator

requiring major project

for corrective action

• Complete

disruption for

less than 2

weeks

• Limited in-patient care required for

employees or third parties, such as customers

or vendors

• Some senior managers leave, high turnover of

experienced staff, not perceived as employer

of choice

• Environmental incident requires remediation

3

Moderate

• Annual

financial loss of

$XX million up

to $XX million

• National short-

term negative

media coverage

• Report of breach to

regulator with

immediate correction to

be implemented

• Major

interruption for

less than a

week

• Out-patient medical treatment required for

employees or third parties, such as customers

or vendors

• Widespread staff morale problems and high

turnover

• Environmental incident disrupts operations

2

Minor

• Annual

financial loss of

$XX million up

to $XX million

• Local reputational

damage

• Reportable incident to

regulator, no follow up

• Intermittent

interruption up

to a week

• No or minor injuries to employees or third

parties, such as customers or vendors

• General staff morale problems and increase

in turnover

1

Incidental

• Annual

financial loss of

less than $XX

million

• Local media

attention quickly

remedied

• Not reportable to

regulator

• interruption of

less than a day

• No injuries to employees or third parties,

such as customers or vendors

• Isolated staff dissatisfaction


RISK ASSESSMENT (Section 3 - from the Actuary’s Desk) Quantitative Considerations

Actuarial Standard of Practice #46 –

“Risk Evaluation in Enterprise Risk

Management”

ASOP 46 focuses on 5 aspects of risk evaluation:

1. Risk Evaluation Models

2. Economic Capital

3. Stress testing

4. Emerging Risks

5. Other Risk Evaluations


RISK ASSESSMENT

• They need to fit the purpose for which they are being used, and have the appropriate characteristics for the situation reflecting cost, timeliness, sophistication, ability to stress test, and also be integrated, complete and reproducible.

• The underlying model assumptions should be documented, supported and appropriate

Risk Evaluation

Models

• Model must reflect appropriate accounting considerations

• Since often the output is dependent on the distribution of outcomes under extreme events, the model should be validated by experience whenever possible and tested for reasonability

Economic Capital - (i.e. BCAR, RBC)

• Should consider varying time horizons (catastrophe vs recession)

• Scenarios should be appropriately selected and reflect potential resulting changes in behavior, both your own and/or others. (i.e. - demand surge after hurricane cats.)

Stress and Scenario Testing


Three Lines of Defense Drives Governance Structure

Senior Management

Board of Directors / Audit Committee

1st

Line of Defense 2nd

Line of Defense 3

rd Line of

Defense

Ad

min

istratio

n

Co

ntro

ls

In

te

rn

al C

on

tro

l

Me

asu

re

s

Financial Control

Security

Risk Management

Quality

Compliance

Legal

Assurance

&

Validation

Ex

te

rn

al A

ud

ito

r /

Re

gu

lato

r


External Audit Approach – Leveraging ERM

Interviews

• Enterprise Risk Committee

• Internal Audit

• Audit Committee

Review of company prepared risk assessment documents

• Inventory of risks

• Internal strategy documents

• Meeting minutes

Evaluate how changes to the environment are factored

• Rapid growth

• Change in business mix

• New products

• Changes in technology

ERM Evaluation

Financial Risks (Competition, Credit, Capital needs)

Operational Risks (Profitability, U/W, control Structure, key indicators, related party transactions, business continuity, business mix)

Prospective Risks (Regulatory, Liquidity, Reputational)

Benefit: An Audit that addresses key risks, a more efficient audit process, value

added recommendations

As part of audit planning, in order to understand the entity, we

complete a financial & operational risk assessment including:


Questions


Please Complete the Session Evaluation Form on the Conference App