Risk and Solvency Assessment: ORSA Explained

You've been tasked with implementing an ORSA process for your insurance company, but after searching online, you're overwhelmed by complex regulatory jargon and unclear guidance. The looming deadline from your state regulator adds pressure, and you're worried about whether your current risk assessment frameworks are even adequate for compliance.

The confusion is compounded when your CFO asks about capital requirements while your CRO discusses "risk appetites" and "tolerance statements" - leaving you wondering if everyone is speaking the same language. With $500 million in annual premiums at stake, the consequences of getting this wrong could be significant.

What is ORSA and Why Does It Matter?

The Own Risk and Solvency Assessment (ORSA) is not just another regulatory checkbox. Instituted after the 2008 financial crisis, it represents a fundamental shift in how insurers evaluate their financial resilience and risk management capabilities.

ORSA provides a structured framework for insurers to assess their current and future risk exposures, determine capital adequacy, and evaluate their risk management systems. Unlike traditional compliance exercises, ORSA encourages insurers to look beyond immediate risks and consider long-term solvency under various scenarios.

For insurers with annual premiums exceeding $500 million, ORSA is mandated by the National Association of Insurance Commissioners (NAIC) through the Risk Management and Own Risk and Solvency Assessment Model Act (#505), adopted in 2012. However, the benefits extend far beyond regulatory compliance.

A well-executed ORSA process can transform your organization's approach to risk management, providing senior leadership with invaluable insights for strategic decision-making and capital allocation. It bridges the gap between risk management and business strategy, creating a more resilient organization.

The Three Core Components of ORSA

Understanding the structure of ORSA will help clarify what might initially seem like an overwhelming process. The ORSA framework consists of three essential sections:

1. Description of the Insurer's Enterprise Risk Management Framework

This section requires a comprehensive overview of your organization's approach to identifying, assessing, monitoring, and managing risks. Key elements include:

• Risk Governance Structure: Define clear roles and responsibilities for risk management across all levels of the organization, from the Board of Directors to operational staff.
• Risk Identification Process: Document how your organization identifies existing and emerging risks that could impact business objectives.
• Risk Appetite and Tolerance Statements: Develop formal statements that quantify the level of risk your organization is willing to accept, with specific metrics and limits.
• Risk Management Policies: Outline policies for mitigating identified risks, including controls, monitoring procedures, and escalation protocols.

"Our risk assessment process seemed comprehensive until we started preparing our first ORSA report," shares a Chief Risk Officer at a mid-sized insurer. "We quickly realized that while we had various risk management activities in place, we lacked an integrated framework that connected these activities to our strategic objectives and capital planning."

2. Assessment of Risk Exposures in Normal and Stressed Environments

This component focuses on quantitative and qualitative analysis of your risk profile:

• Comprehensive Risk Inventory: Catalog all material risks facing your organization, including insurance, market, credit, operational, liquidity, and strategic risks.
• Risk Measurement Methodologies: Document the approaches used to quantify risks, whether through internal models, stress tests, or scenario analyses.
• Stress Testing Results: Analyze how various stress scenarios impact your risk profile and financial condition, including both isolated and combined stresses.
• Emerging Risk Assessment: Evaluate potential future risks that may not be fully captured in current models or historical data.

According to the NAIC's guidance, this section should demonstrate how the insurer measures its risks and determines the amount of capital needed to mitigate those risks using both quantitative and qualitative assessments.

3. Group Assessment of Risk Capital and Prospective Solvency

The final component evaluates your organization's current and projected capital adequacy:

• Available Capital Assessment: Evaluate the quality and quantity of capital resources available to absorb unexpected losses.
• Required Capital Assessment: Determine the level of capital needed to support your risk profile and business strategy.
• Capital Adequacy Analysis: Compare available capital to required capital under both normal and stressed conditions.
• Forward-Looking Solvency Assessment: Project capital needs over a multi-year planning horizon, incorporating business strategy and growth objectives.

ORSA Reporting Requirements

The ORSA process culminates in the preparation and submission of an ORSA Summary Report to the lead state commissioner. This report must be submitted:

• Annually, with specific deadlines varying by state
• Following any significant changes in your risk profile
• Upon request by the commissioner

The ORSA Summary Report is treated as confidential and proprietary information, protected from public disclosure. However, state regulators may share the information with other regulators to facilitate financial analysis and supervision.

"Many insurers initially struggle with the level of detail required in the ORSA Summary Report," notes a regulatory consultant. "It's not just about documenting processes—it's about demonstrating how those processes inform decision-making and capital management."

Best Practices for Implementing ORSA

1. Tailor the Process to Your Organization

Avoid a one-size-fits-all approach. The ORSA process should reflect your organization's specific risk profile, business model, and strategic objectives. As the Workiva blog suggests, customize your approach to address your unique circumstances rather than simply adopting generic templates.

2. Focus on Integration, Not Isolation

ORSA should not exist as a standalone compliance exercise. Instead, integrate it with your existing Enterprise Risk Management (ERM) framework and strategic planning processes. This integration ensures that ORSA insights inform business decisions and capital allocation.

"When we first implemented ORSA, we treated it as a separate compliance exercise," admits a Chief Financial Officer. "We quickly realized that ORSA is most valuable when integrated with our strategic planning and ERM processes. Now, ORSA insights directly inform our business strategy and capital planning."

3. Ensure Data Quality and Consistency

The credibility of your ORSA process depends on the quality and consistency of underlying data. Establish robust data governance processes to ensure accurate, complete, and timely information for risk assessment and capital modeling.

4. Adopt a Forward-Looking Perspective

While historical data provides valuable context, ORSA should primarily focus on forward-looking assessments. Consider emerging risks, changing market conditions, and evolving regulatory requirements in your analysis.

5. Engage Stakeholders Across the Organization

Effective ORSA implementation requires collaboration across various functions, including risk management, actuarial, finance, compliance, and business units. Engage stakeholders early and often to ensure comprehensive risk identification and assessment.

Common ORSA Challenges and Solutions

Challenge 1: Lack of Clear Risk Appetite Statements

Many insurers struggle to develop quantitative risk appetite statements that meaningfully guide business decisions.

Solution: Start with qualitative statements aligned with strategic objectives, then gradually introduce quantitative metrics and limits. Ensure these statements are practical and actionable for business units.

Challenge 2: Insufficient Stress Testing

Basic stress tests may not capture complex risk interactions or tail risks.

Solution: Develop comprehensive stress scenarios that consider multiple risk factors simultaneously. Include reverse stress testing to identify scenarios that could threaten solvency.

Challenge 3: Fragmented Risk Management Processes

Siloed risk management activities can undermine the effectiveness of ORSA.

Solution: Establish an integrated risk management framework with consistent methodologies, tools, and reporting across the organization. Consider implementing GRC (Governance, Risk, and Compliance) assessment tools to streamline processes.

Challenge 4: Limited Board Engagement

Board members may struggle to understand complex risk and capital concepts.

Solution: Develop clear, concise reporting that focuses on key insights rather than technical details. Use visual aids and executive summaries to communicate critical information effectively.

Conclusion

Conducting an effective Own Risk and Solvency Assessment is about more than regulatory compliance—it's about developing a deeper understanding of your organization's risks and capital needs to support strategic decision-making.

By tailoring the ORSA process to your organization, integrating it with existing risk management frameworks, and following best practices, you can transform ORSA from a compliance burden into a valuable strategic tool.

Remember that ORSA is an iterative process that should evolve as your organization and the external environment change. Regular review and refinement will ensure that your ORSA process continues to provide meaningful insights for risk management and capital planning.

Frequently Asked Questions (FAQ)

What is the Own Risk and Solvency Assessment (ORSA)?

The Own Risk and Solvency Assessment (ORSA) is a comprehensive process for insurers to evaluate their risk management frameworks, assess current and future risk exposures, and determine their capital adequacy. Instituted after the 2008 financial crisis, it aims to enhance financial resilience by encouraging insurers to adopt a forward-looking perspective on their solvency and risk management capabilities.

Why is ORSA implementation crucial for insurance companies?

ORSA implementation is crucial because it provides a structured framework for insurers to understand their financial resilience, improve risk management capabilities, and make informed strategic decisions. Beyond regulatory compliance mandated for larger insurers, a well-executed ORSA helps align risk management with business strategy, offering valuable insights for capital allocation and supporting long-term solvency.

Which insurers are required to conduct an ORSA?

Insurers with annual premiums exceeding $500 million are generally required to conduct an ORSA. This requirement is mandated by the National Association of Insurance Commissioners (NAIC) through the Risk Management and Own Risk and Solvency Assessment Model Act (#505). While targeted at larger insurers, the principles of ORSA can benefit insurers of all sizes.

What are the key components of an ORSA report?

An ORSA report typically has three key components:

1. Description of the Insurer's Enterprise Risk Management (ERM) Framework: This details the organization's approach to risk governance, identification, appetite, and management policies.
2. Assessment of Risk Exposures in Normal and Stressed Environments: This involves a quantitative and qualitative analysis of all material risks, including stress testing results and emerging risk assessments.
3. Group Assessment of Risk Capital and Prospective Solvency: This evaluates the insurer's current and projected capital adequacy, comparing available capital to required capital under various conditions.

How often does an ORSA Summary Report need to be submitted?

The ORSA Summary Report must be submitted annually to the lead state commissioner. In addition to the annual submission, the report is also required following any significant changes in the insurer's risk profile or upon specific request by the commissioner.

What is a common challenge when developing an ORSA and how can it be addressed?

A common challenge is developing clear, quantitative risk appetite statements that meaningfully guide business decisions and are actionable. This can be addressed by starting with qualitative statements aligned with strategic objectives, then gradually introducing quantitative metrics and limits. It's crucial to ensure these statements are practical and effectively communicated to business units.

How can an insurer make ORSA a strategic tool rather than just a compliance exercise?

Insurers can make ORSA a strategic tool by deeply integrating it with their existing Enterprise Risk Management (ERM) framework and strategic planning processes. This integration ensures that the insights derived from ORSA directly inform business decisions, capital allocation, and overall business strategy, transforming it from a perceived compliance burden into a valuable activity that enhances organizational resilience and performance.

References

• National Association of Insurance Commissioners (NAIC)
• NAIC's Own Risk and Solvency Assessment Page
• LogicGate's Enterprise Risk Management solutions
• Workiva on best practices for creating ORSA reports