The Solvency II Experts News

By Phil Whittingham, Solvency II Risk management Lead at Ernst and Young, UK.

As part of the Enterprise Risk Management Framework, Pillar 2 requires firms to undertake an Own Risk and Solvency Assessment (ORSA) to demonstrate “sound and prudent management of the business” and assess overall solvency needs. This article focusses on the impact of ORSA, the guidance to date, where companies currently stand and the key issues and challenges they face. Adhering to this aspect of Solvency II will mean significant and cultural change for many insurance companies.

 Figure 1: Enterprise Risk Management Framework

The ORSA is a powerful component of Pillar 2 that emphasizes risk management as the mechanism by which the Board satisfies itself that it has a process for managing risks to the business strategy and that this process works in practice. In examining ORSA, this article will focus on a demonstrable process that starts with an articulated strategy and appetite for risk that is forward looking, driven by business strategy and cascades through the entire organization.

Building a structure for Pillar 2 readiness in relation to the ORSA

Insurance companies have increased their awareness around risk and are beginning to understand the scale of effort required for Solvency II implementation. Pillar 2 and ORSA play an integral role in governance, management and decision making processes. However, the entire organization should recognize that there are key challenges to integrating modeling approaches into the risk framework and ORSA. While the Solvency II framework directive describes the need for an ORSA, and CEIOPS has discussed its scope in detail in an earlier issues paper , further guidance is still essential.

Unlike many other aspects of Solvency II readiness, Pillar 2 activity cuts across many different departments and functions in firms, making it difficult to reach organizational consensus on what is required. Nevertheless, there are clearly some attributes worth highlighting. The ORSA is a firm’s economic view of the capital required to run its business, irrespective of the requirements set out by the regulator. Confidence levels and timelines for the solvency capital requirement (SCR) may differ or not cover all material risks to which the firm is exposed (e.g., reputation, strategy and liquidity). In addition, ORSA provides a forward looking perspective that should support the business strategy. The expectation of wider stress and scenario testing (including reverse stress testing) drives contingency planning. An internal model is only required if firms are using that approach to calculate Pillar 1. When a model is used for Pillar 1 calculations, it should be consistent with the ORSA calculation. The regulator would expect the ORSA and SCR to be potentially different dimensions of the same calculation.
Achieving these objectives demands a robust process that should be clearly documented and reviewed. However, effectively implementing the ORSA process requires that it is used to inform key business decisions and is embedded within the appropriate governance arrangements. Companies need to understand risks to the business strategy and the escalation process through the appropriate committees so they can carry out their roles within that governance structure.

ORSA is about taking a risk-based view in running the business – a key point that is sometimes overlooked. This means that by default, the “use test” requirements for Pillar 1’s internal model (if used) also apply to Pillar 2. When using an internal model to quantify a risk, it should be applied within the business to manage risk at the front end. CEIOPS have set in CP56 guidance on how the internal model could be used within the business as illustrated in Figure 3.

Figure 3: Guiding principles behind the Use Test

There is a direct link between ORSA and the other components of Solvency II. Therefore, building an ORSA capability that ensures management buy-in must support an integrated framework around the principles highlighted in the following chart. As such, the ORSA is the undertaking’s responsibility and should:

• Be reviewed regularly and approved by its management or administrative staff
• Be based on adequate measurement and assessment processes
• Form an integral part of the firm’s management process and decision-making framework

Furthermore, ORSA should be forward-looking, taking into account the firm’s business plans and projections. This includes evaluating all material risks that may impact the firm’s ability to meet its obligations under insurance contracts. Finally, process and outcome should be internally documented and independently assessed by the internal and external audit functions

Figure 2: ORSA principles

Common challenges and shortcomings

Given the lack of regulatory guidance as to what is required for ORSA, many firms are struggling to shape their view. However, for those insurance companies that are building a process that meets the attributes mentioned above, there are a number of shortcomings with the current state. Typically, firms manage their business to a range of metrics and, in some cases, multiple models. This is further complicated by the fact that additional models are used within many of the key business processes or functions.

Many firms cannot adequately articulate their risk strategy, universe of risks or an agreed taxonomy of risks. As a result, they tend to focus on the largest “top down” risks and those that are “easy” to quantify. However, ORSA requires all material risks to be quantified despite their level of difficulty.

Historically, risk management activity has been backward looking, which is contrary to Solvency II’s requirement for companies to be forward-looking in their risk assessments. This touches on all key functions from pricing a product to reinsurance, effective management decisions, performance management, mergers and acquisitions, portfolio management and business planning. These and other activities need to be informed by a Pillar 2 compliant view on the levels of risk the business is facing.

There is also insufficient stress testing support, which is part of the Solvency II Pillar 2 requirements within ORSA. In particular, there is a lack of forward looking stress tests around the business strategy that drive contingency planning and reverse stress testing (i.e., testing to destruction). Recent financial market events have shown that many insurance companies do not have the ability to properly manage the risks they have in unpredictable situations. Even if they have identified the risks, the process is not sufficiently robust to monitor them and to recognize when something unforeseen occurs.

Building a solution that adds business value

The guiding principles around ORSA involve risk identification, risk assessment, management and, most importantly, an integrated policy framework. A sound ORSA process begins with a detailed understanding of business strategy risks. This suggests using a robust risk identification process (including emerging risks) to drive the risk assessment. Supporting a commonly-accepted “risk universe” forms the basis for the risk quantification processes and challenges the appetite and tolerances by raising the question of whether both exist for all risk sources. The ideal control environment can only be designed (either through control, transfer or other mitigation techniques) when firms have identified their desired appetite, limits and tolerances for each risk.

ORSA is important to the firm’s view of the business. A value adding ORSA process incorporates a comprehensive set of risk indicators. These are likely to link to risk appetite or to key stress points within the capital model (i.e., there should be an indicator attached when the model is particularly sensitive to a movement).

The risk framework designed must be embedded in the business – which is clearly the most important and complex element. In practical terms, this means that key business decision makers must be provided with risk management information and agreed risk quantification approaches that are consistent with the ORSA process. This will require business transformation in strategic and operational functions within the governance system, risk management system and decision-making framework of the organization. The key impact this will have on certain business processes is indicated in the chart below:

What advantages does this ORSA process under Solvency II offer to management?

• Management (and other stakeholders) will have confidence in understanding the sources of risk to the business strategy.
• There is a “single version of the truth” within the business. Different individuals responsible for making risk taking (or averting) decisions will not be using different metrics and information to inform their decisions. This should drive a greater consistency of decision making which is better linked to risk appetite.
• Matching Own Funds to the risk profile will help promote a strong culture of risk management, which is a key underlying feature of the ORSA process. Although the regulatory constraints of the Pillar 1 calculation capital requirements are not in place, the onus is still on the firm to demonstrate that it has access to the capital required to run its business.
• Pillar 1 looks at a 12 month time horizon, but insurance companies (especially life insurers) run their businesses on a much longer cycle. The onus is on management to demonstrate a deeper understanding of risks than they have in the past. Recent events have highlighted the benefits of a better understanding of business risks.
• ORSA policy will capture the entirety of the process and clearly establish the firm’s approach to risk management, the use of risk within decision making and the means of ensuring the adequacy of funds to underpin the business strategy.

In summary, the ORSA report and its 12 guiding principles (see the chart below) are the essential components that insurance companies need to demonstrate solvency and sound risk management strategies. The report is a roadmap for a forward looking assessment of capital and solvency position across a wide range of risks and is designed to ensure that an organization’s solvency needs are met at all times. Since this is the organization’s own view of economic capital, the ORSA report also plays an important role in rating agencies’ financial strength evaluations.

Figure 4: ORSA report 

Conclusion

ORSA represents a company’s opinion and understanding of its risks, overall solvency needs and Own Funds held. This key driver for embedding enterprise risk management (ERM) into the business is a powerful tool that should give insurance companies a competitive edge and alleviate some of the pain in meeting the regulatory components of Pillar 1. Furthermore, although there is controversy around the reporting requirements within Pillar 1 and 3, Pillar 2 affords an excellent way to manage risk and capital effectively. By applying ORSA, firms can drive the processes to make sure that their organizations are being run on a consistent basis.
The Pillar 2 requirements for the ORSA should be the output of a sound ERM framework: a continuous process supported by meaningful models, quality data, and timely, consistent and accurate management information. A key requirement of Pillar 2 is to have a system of governance in place that provides a robust assessment of business risks and the capital required to support these risks.