Eagerly anticipated, a Risk Management and Own Risk and SolvencyAssessment Model Act (RMORSA) was finally adopted on Sept. 12 bythe National Association of Insurance Commissioners (NAIC). Underthe Model Act, which still needs to be enacted into law byindividual states companies, companies that meet certain financialthresholds will be required to assess the adequacy of their riskmanagement programs, and their current, and likely future, solvencyposition. Formal reports summarizing the company's risk governanceprogram, and a risk-based solvency assessment will generally beprovided to regulators at least annually. However, exact filingdates and frequency may depend on a myriad of factors, such as thenature and complexity of a company's risks, financial position, aswell as the economic environment considerations.

As part of the development of this Model Act, a companionGuidance Manual was drafted, with some direction to insurers onperforming its analysis and presenting its findings in a formalreport. The Manual itself underwent several level approvals throughthe past two years. This year, the NAIC created an ORSA FeedbackPilot Project in order for regulators to be able to provide somehigh-level feedback to the industry on the reporting requirementsprior to the effective date of the implementation deadline, nowJan. 1, 2015.

In the Pilot Project, more than a dozen undisclosed insurancecompanies and groups voluntarily submitted a sample of their ORSASummary Report for regulatory review under a confidentialityagreement. The reports were delivered to the NAIC early in thesummer, and were recently reviewed by the committee over two days.Regulators went through each report one by one for comment andcriticism, both to provide feedback to the individual companiessubmitting the reports, and to address potential wording andsubstantive issues with the Manual itself.

Overall, the NAIC found that there were a wide variety ofresponses from the test group, and many different approaches tosubmitting the report, reflecting the fact that companies are invarious stages of developing enterprise risk management (ERM) orgovernance frameworks, as well as handling the capital and solvencyplanning and stress testing exercises expected by the NAIC to beexecuted by companies, and ultimately detailed in an ORSA report.

Other specific findings of the group from the pilot included thefollowing:

• Many companies focused on the strength of their internal riskmanagement program and overall governance structure. However,regulators will want to confirm this, and will expect to see morepolicies and procedures actually documented and approved by theboard of directors over time, including specific written policiesand procedures around the ERM or risk management processitself.
• The reports showed that some companies may have haddifficulties quantifying, or at least did not document that theyhad quantified, certain types of risk in some fashion—particularlyoperational risks. Regulators will expect companies to documenttheir attempts to quantify and prioritize their risks, with atleast basic metrics, such as probability or frequency of loss andimpact or amount of loss.
• A percentage of sample ORSA reports lacked any discussion ofthe company's risk appetites, tolerances or limits. Even thoughsome companies may have scored or prioritized risk by severity andfrequency, highlighting potential “top losses,” ultimately thisinformation is most helpful to evaluation of capital adequacy andsolvency when the total loss potential is weighed against thecompany's risk tolerance.

Some companies can withstand or tolerate high losses, whilstother companies may be more conservative and may not want to assumeas much risk. Ideally, each company must manage their riskmitigation, control and reinsurance efforts according to risklimits, appetite or tolerances set forth in policies andprocedures, with escalation of items outside of that appetite viareferral to management or the board.

As a further step, regulators will want to see that companieshave a formalized risk/reward framework in their business planningprocess, relating risk management analysis to company business andfinancial objectives such as return on equity, use of reinsuranceand investment target goals. Has the company completed an overallcost/benefit analysis supporting its business plan and economiccapital strategy? Is the rationale for such decisions welldocumented? Based on the pilot submissions, not all companies aredoing this yet, and this may be a focus for many insures in thenext two years.

As a result of the Pilot, further changes may be made to theGuidance Manual itself within the next six months. A second PilotProgram may be conducted in 2013, under enhancements to the Manual.The NAIC also expects to update the Manualperiodically going forward, as submissions are made and additionalareas for clarification are revealed. Some current points which mayrequire clarificationinclude:

• More guidance around capital allocationcalculations could be given. Some of the pilot companiesdid not have their risk-based capital allocation strategy ormethodologies clearly documented. For those that did have acalculation, methodologies varied significantly in confidence andtime horizons for estimation. While companies are free to choosetheir own modeling techniques, more documentation around themethodology and assumptions used might bebeneficial.
• Better documentation may be required forcertain foundational assumptions and explanation ofcompany-specific terms used in the report. For example, companieswill be requested to specify method of accounting they are using,GAPP, STAT, etc. Information relating to subsidiaries andaffiliates should be clarified, with organizational charts andinternal company abbreviations were found to be extremely helpful.The review team appreciated any efforts to provide glossary-typeexhibits of terms and acronyms.
• Insurers considered most prepared provided certainfinancial information proactively that may be incorporatedinto future manual guidance. For example, several leading companiesshowed year-to-year trends in financial results over several years,adding a new dimension to the review. Also, helpful liquiditydiscussions were noted by at least two companies.
• In the future, companies may be asked to better describehow risk management is tied to executive and managementcompensation. As ERM practices are integrated into companyoperations and strategic decision-making, risk management maybecome a significant component of executive compensation and anindicator that the company is giving attention to the issue “fromthe top down.”

As additional developments, companies with a parent in theEuropean Union that file an ORSA report with a foreign regulatorcan expect that it will be accepted in the U.S. if and to theextent it covers U.S. operations. However, no foreignregulators have decided to accept a U.S. ORSA format yet, and theNAIC discussions on equivalency status continue.

Now that the Model Act is adopted, timing of individual stateadoption of the Act depends on each jurisdiction's legislativecalendar. Although some states may move to enact it quickly, theNAIC expects all states to target an effective date Jan. 1, 2015for consistency purposes.

Consequences for companies not complying or falling short ofexpectations is still unclear, as specific financial penalties fornon-compliance are not currently detailed. Nevertheless, it isclear that failure to provide an adequate ORSA report for companiesmeeting the financial threshold would be a significant finding inany examination report, triggering targeted financialexaminations.

All of these developments underscore the need for insurers tosharpen their focus on developing ERM and ORSA programs. ERM andrisk analysis efforts take significant time and effort, andcompanies will not be able to “turn on a dime” to change historicalpractices and implement new strategies. Lessons from the ORSAFeedback Pilot Project should help both regulators and insurerssteer the course towards compliance.

Denise Tessier is senior regulatory consultant for InsuranceCompliance Solutions, Enterprise Risk Management and the ConsultingPractice at Wolters Kluwer Financial Services. She may be reachedat [email protected].