IASA 86TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

ORSA: Why Should Exempt Companies Care?

Jim Stangroom, Partner Bob Marshall, VP & CRO

ParenteBeard LLC Chesapeake Employers

Insurance Company

Session #: 304

What is an ORSA?

ORSA = Own Risk and Solvency Assessment

A tool that is prepared by an insurer or group to demonstrate

how its management measures, evaluates and understands how

well it manages/mitigates the risks it faces

A comprehensive view of risks: from underwriting, operational,

market, credit, strategic, reputational, etc.; each would be

assessed along with the inter-relationships between them

Would demonstrate management’s critical evaluation of the

overall completeness and effectiveness of its ERM process and

its potential impact on capital adequacy and solvency – ORSA is

one element of ERM

Of value to regulators, e.g., in connection with a risk-focused

examination, or between examinations

ORSA– NAIC Guidance Manual

General Guidance

Section 1 - Description of the Insurer’s Risk

Management Framework

Section 2 - Insurer’s Assessment of Risk Exposure

Section 3 – Group Risk Capital and Prospective

Solvency Assessment

ORSA Timeline

NAIC ORSA:

Intern’l ORSA:

2015 2014 2013 2012 2011

2015 2014 2013 2012 2011

Pilot project I

IAIS ICP 16 in

force Oct. 1,

2011

Bermudian

ORSA in force

Jan. 1, 2012

Australian ORSA

in force Jan. 1,

2013

Canada – Insurers notify

OSFI by March 31, 2014 of

expected ORSA Report

2014 filing date

Solvency II

ORSA in force

Jan. 1 ,2014

NAIC Guidance

Manual Nov.

2011

NAIC ORSA

Model Act

adopted Sept.

2012

NAIC ORSA

requirements

effective Jan. 1,

2015

Pilot project II Pilot project III

NAIC Guidance

Manual

Updates

2013/14

ORSA Guidance Manual & Model Act

Guidance Manual adopted March 2012

Model Act adopted by NAIC Financial Condition

Committee September 2012

Feedback Pilot Project I Fall 2012

Guidance Manual revised March 2013

Feedback Pilot Project II Fall 2013

Guidance Manual revised March 2014

Feedback Pilot Project III Fall 2014

ORSA – Applicability

Applicability based upon premium threshold: • Individual insurer – direct plus unaffiliated assumed equal or > $500 million

• Insurer Group - direct plus unaffiliated assumed equal or > $1 billion

Commissioner has discretion/authority to request an ORSA

from otherwise exempt company based on: • Type of business written

• Ownership and organizational structure

• Federal agency and/or international supervisor requests

• Regulatory concerns about rapidly growing risk concentration/exposure

• Triggered RBC action level

• Otherwise considered to be troubled

Insurer may request waiver if unique circumstances

ERM Framework – Key Principles

Risk Culture & Governance

Risk Identification & Prioritization

Risk Appetite, Tolerances & Limits

Risk Management & Controls

Risk Reporting & Communication

ORSA/ERM – Why Should Exempt Companies Care?

ERM/ORSA have become industry best practices

• Likely to trickle down (like MAR/SOX-lite did) and become common

practice

Rating agency expectations

• Companies with strong ERM and ORSA processes may be allowed to

maintain lower BCAR levels relative to peer companies with similar

ratings but less effective ERM and ORSA

Strong ERM and ORSA processes can favorably influence

a company’s relationship with its state regulators.

• Regulators are coming to expect some level of ERM/ORSA and will

ask and evaluate

• Effective and well-documented ERM/ORSA can influence financial

exam efficiency

ORSA/ERM – Why Should Exempt Companies Care? (cont’d)

Risk identification and risk mitigation strategies should link

to strategic planning

ORSA should link to budgeting/forecasting and capital

projections

Commissioner has discretion/authority to request an ORSA

from otherwise exempt company based on: • Type of business written

• Ownership and organizational structure

• Federal agency and/or international supervisor requests

• Regulatory concerns about rapidly growing risk concentration/exposure

• Triggered RBC action level

• Otherwise considered to be troubled

ORSA/ERM – Why Should Exempt Companies Care? (cont’d)

Certain states may require that companies adopt ERM

practices, regardless of size

• NY Reg 203 for example

Could become a competitive advantage

• Early identification and initiatives re emerging risks

• Effective use of risk capital

Monitoring risk appetite/tolerances/limits can identify

exposure and enable corrective action

May improve Board and senior management interaction

Promotes better understanding of business drivers and of

“what can go wrong”

ERM Defined - RIMS

Enterprise Risk Management (ERM) is a

strategic business discipline that supports

the achievement of an organization’s

objectives by addressing the full spectrum of

its risks and managing the combined impact

of those risks as an interrelated risk

portfolio.*

*Risk Insurance Management Society (RIMS)

ERM Defined - COSO

A process, effected by an entity’s board of directors, management and other personnel,

applied in strategy setting and across the enterprise, designed to identify potential

events that may affect the entity, and manage risk to be within its risk appetite, to provide

reasonable assurance regarding the achievement of entity objectives.

*Committee of Sponsoring Organizations (COSO)

ERM – Key Concepts

Board/Executive Management Driven

Enterprise-Wide

Setting Strategic Direction

Achieving Business Objectives

Managing Within Risk Appetite

Interrelated Risk Portfolio

Provide Reasonable Assurance

The ERM Challenge

Most entities have some form of risk management in place but:

•May be ad hoc and informal

•May be developed in “silos” and uncoordinated

•May fail to focus on strategic and emerging risks

•May lack transparency and sometimes objectivity

•May not provide boards / senior management with a

true “enterprise-wide” view of all business risks

Chesapeake Employers’ ERM Goals

Enterprise Risk Management Culture

• Enterprise-wide / Collaborative / Dynamic

Proactive Component of Strategic Business Planning

• Risks to address in strategic planning – both risk avoidance and “opportunities”

Quantitative Focus on Economic Capital Modeling of Risks

• Modeling of planned initiatives to determine effect on Economic Capital

• Ensuring capital adequacy considering the full inter-related risk portfolio

Two Key Enterprise Risk Management Outputs

• Risk Appetite Statement – management’s willingness to take on risk

• Risk Tolerance Limits – level beyond which risk too high in light of appetite

ERM Framework

ERM Foundation – Framework / Risk Appetite Statement

Risk Identification – What Risks – Multiple Categories

Risk Assessment – Unmitigated Impact / Probability

Risk Evaluation – Mitigated Impact / Probability

Risk Response Planning – Further Mitigation Efforts

Risk Monitoring and Reporting – Risk Limits

Linkage to Business Strategy – Risk as Opportunity

ERM Foundation – Step 1

Enterprise Risk Management Policy

• ERM Mission Statement

• ERM Team Members

• Overall ERM Process(es)

• Enterprise Risk Management

• Economic Capital Modeling

• ERM Communication Plan

• Board of Directors / Management Team / Employees

Risk Appetite / Tolerance Statement

Enterprise Risk Management / Economic Capital Modeling Process

ERM Foundation

(Policy/Appetite)

Identify Risks

Assess Risks

Evaluate Risks Risk Response

Plans

Monitor and Report

Link to Business Strategy Risk

Measurement

Economic Capital Modeling

Stress and Scenario Testing

Capital Management

Model Validation

Risk Identification – Step 2

Identify/Categorize All Risks that Could Affect the Business

Start with Weaknesses/Opportunities/Threats from SWOT

Determine a “Risk Taxonomy” appropriate for your business

• Hazard Risks – Injuries / Disasters / Product Liability

• Operational Risks (1st gen)– Disaster Response / Product Recalls

• Operational Risks (2nd gen) – IT / Supply Chains / Business Efficiency

• Legal/Regulatory Risks – Contracts / Fines / Lawsuits / Environmental

• Financial Risks – P & L / Solvency / Cash Flow / Credit / Investments

• Strategic Risks – Market Opportunities / Innovation / Reputation

• Emerging Risks – Climate Change / Geo Political / Nano Technology

Stress a “Holistic Enterprise View” to avoid “Risk Silos”

Risk Categories w/ Examples

Hazard

Workplace Accidents

Disaster Prevention

Product Liability

Operational

Business Efficiency

Information Technology

Supply Chains

Legal

Regulatory

Govt/

Industry

Regulation

Contracts and

Execution

Environ-mental

Financial

Profit/Loss Cash Flow

Balance Sheet

Credit

Strategic

Market Opportunities

Innovation

Reputation

Emerging

Geo-Political

Climate Change

Nano Technology

Enterprise View of Identified Risks

Description of Each Risk and How it Could Affect Business

Stress a “Holistic Enterprise View” to Avoid “Risk Silos”

Identified Risk Description Financial Insurance Operations Strategic Regulatory

Emerging Risks

Geo – Political Large multi-national corporations must constantly consider the

risks associated with foreign operations, especially in the case

of political risks both in terms of corruption and insurgencies. X

X X X X

Climate Change While there is still debate on this issue, all businesses must at

least address that there is a very large potential risk associated

with more frequent and impactful climate related events and

develop the appropriate strategies to mitigate exposure/impact X

X X X X

Nano Technology As an emerging risk many are not even aware of how pervasive

“nano technology” has become over the last decade

Take those miracle moisture absorbing sports fabrics and

extend the concept to super strengthen building materials

Scientific studies have already shown that some levels of

certain “nano materials” cause mesothelioma in lab animals

Could one of these “nano particles” be the next ASBESTOS? X

X X X X

Risk Assessment – Step 3

Determine Unmitigated/Inherent Risk Probability and Impact

• Quantify Probability and Rank using 3 to 5 Levels

•Expected Once Every “x” Years or “x” % Chance in Any Year

• Quantify Impact and Rank using 3 to 5 Levels

•Effect on Revenue, Income, Cash Flow, or Balance Sheet

Quadrant Analysis / “Risk Heat Map”

•Plot Probability and Impact of Each Identified Risk

•Goal is to Highlight High Probability / High Impact Risks

Since Not Considering Mitigation Expect Many High Risks

Risk Heat Map / Quadrant Analysis

Risk Evaluation– Step 4

Document Enterprise-Wide Controls & Mitigation Efforts

Assess Effectiveness of Controls to Eliminate/Mitigate Risk

Determine Mitigated Probability / Impact (Highly Quantifiable)

Quadrant Analysis - High Probability / Impact Residual Risks

Determine if any “Black Swans” exist – risks so catastrophic

that even if extremely low probability must consider impact

Top 10 Risks - based on “Probability x Impact” but some risk

aggregation does occur as well as accounting for Black Swans

Risk Heat Maps / Quadrant Analysis

Risk Probability, Impact, and Mitigation Analysis

Brief Explanation of How the Unmitigated and Mitigated

Risk Probability and Impact Scores were Determined

Document Key Mitigation Tactics and which Score Affected

Identified Risk Unmitigated

Probability Unmitigated

Impact Probability, Impact, and Mitigation Analysis Mitigated

Probability Mitigated

Impact

Emerging Risks

Nano Technology

5 4

Unmitigated / Inherent Risk

- Short Explanation of Assumptions Used in Probability Rating

- Financial Impact via Results from Economic Capital Modeling

Key Risk Mitigation Tactics

- List 3-5 Key Business Tactics Developed to Mitigate this Risk

- For Each Tactic Note Whether Mitigates Probability, Impact, or Both

Mitigated / Residual Risk

- Short Explanation of Assumptions Used in Probability Rating

- Financial Impact via Results from Economic Capital Modeling 4 2

Risk Response Plans– Step 5

Top 10 Risks - Develop a Risk Response Plan for Each

Assign Leader to Champion Each Risk Response Plan

Include Multiple Divisions to Stress “Enterprise” View

Develop Strategic/Tactical Initiatives as Part of Strategic

Business Planning to Mitigate Risk Probability/Impact

Determine ROI on Initiatives to Compare Cost vs. Risk

Stress Accountability - Deadlines/Adherence to Risk Limits

Monitor and Report – Step 6

Ongoing Monitoring to Ensure Within Risk Tolerances

• Risk Limits - max/min tolerances for key risk/performance indicators

• Risk Dashboard – enterprise communication of adherence to risk limits

Regularly Scheduled ERM Team Meetings to:

• Review adherence to risk limits/progress on risk response plans

• Determine if any new risks have arisen/existing risks to be removed

• Assess and evaluate new risks including capital modeling efforts

Communicate Updates on New Risks/Mitigation Progress

Link to Business Strategy – Step 7

ERM Analysis Helps to Define Business Strategy

• Top “x” risks to be addressed in strategic plan

• Key risk response plan initiatives as tactics

• Risk as an “Opportunity” vs. “Impediment”

ERM Analysis Helps to Evaluate Potential Strategies

• For each strategy identify/assess/evaluate associated business risks

• Prospectively model expected business outcomes of new strategies

Recurring Annual Assessment of Risks & Mitigation Efforts

Enterprise Risk Management / Economic Capital Modeling Process

ERM Foundation

(Policy/Appetite)

Identify Risks

Assess Risks

Evaluate Risks Risk Response

Plans

Monitor and Report

Link to Business Strategy Risk

Measurement

Economic Capital Modeling

Stress and Scenario Testing

Capital Management

Model Validation

ERM Evolution to Desired State

Cannot Accomplish Everything the First Time

Framework and Process Completion

More in Depth and Quantitative Risk Focus

Key Next Steps in Achieving Desired State

Identify Quantify Mitigate

Risk

Appetite

Risk

Tolerances Risk Limits

Risk Monitoring Enterprise-wide Communication

Stochastic Modeling

ERM and ORSA

NAIC goal is to ensure strong ERM throughout the industry

ERM unique for each insurer / hence the “OWN” in ORSA

ORSA as annual documentation of insurers ERM efforts

ERM themes directly tie to NAIC suggested report outline

• Description of the Insurer’s Risk Management Framework

• Evidence of a proactive ERM program following best practices in terms of risk framework

• Insurer’s Quantitative Assessment of Risk Exposures

• Risk quantification via Economic Capital Modeling including scenario and stress testing

• Group Risk Capital and Prospective Solvency Assessment

• Aggregation of risks to determine effect on economic capital in light of risk appetite/tolerances

ERM – Regulators / Rating Agencies

Even if below ORSA threshold – regulators are requiring a

documented ERM model as part of risk-focused examinations

Quality of ERM Summary Report may affect timing, scope, and

depth of regulator’s subsequent risk-focused examinations

Standard & Poor’s Rating Services view on ERM • Our assessment of ERM examines whether insurers execute risk management practices in

a systematic, consistent, and strategic manner across the enterprise that effectively limits

future losses within the insurers' optimal risk/reward framework.*

ERM can significantly affect an Insurer’s AM Best rating

• The fundamental difference in the revised approach is that for companies with STRONG risk

management capabilities, A.M. Best will consider allowing companies to maintain lower

BCAR levels relative to the guideline for their ratings based on a case-by-case evaluation of

an insurer’s overall risk management capabilities – relative to its risk profile.**

* S&P Rating Direct ® - Enterprise Risk Management - 5/7/13

** AM Best – Risk Management and the Rating Process for Insurance Companies - 4/2/13

Questions for Insurers to Ask Themselves to Assess Their ORSA Readiness

Do we understand the requirements in the ORSA Guidance

Manual? ICP on ERM?

Do we have an ERM framework?

Do we have a documented risk appetite? Does it influence

business decision making?

Do we have a consistent approach to measuring risks?

Are we able to project future risk capital requirements consistent

with short-term and multi-year business plans?

Have we dedicated the resources to make the implementation a

success?

Do we foster a risk-aware culture?

Starting at Ground Zero?

Drive from top down

• Get the board on board

Appoint a facilitator

Brainstorm about current and emerging risks

• Include mid-management

Build consensus across the organization and business units

Assess current state and define desired future state

• Governance and culture

• Leverage existing risk functions, processes and controls

Assign responsibility and accountability

ERM framework 1st – then ORSA

One Size Does Not Fit All

Consider:

•Nature/number of product lines/business segments

•Complexity of risks or products

• Investment portfolio risk profile

•Volatility of operating performance

• Leverage – premiums, reserves, financial

•Competitive markets

• Financial flexibility

•Available resources

Risk Identification

Self assessment processes

• Periodic ongoing, but at least annual, process

• Each business unit and major functional area participates in a joint

effort with ERM to define and assess the risks inherent in the

business

• Continuous monitoring and updating as risks intensify and new risks

emerge

Emerging risks identification

• Typically Committee driven

• CRO lead effort

• Requires creative thought about events that have not occurred before

• Critical assessment of the balance sheet and company practices

Risk Universe – One Example

Financial Operational External/Environmental

Mortality/morbidity - Life Business process Macro-economic

Catastrophe – P&C Information systems Regulatory

Interest rate Strategic Tax

Credit Employee fraud Competitive pressure

Equity market price Disaster recovery Terrorism

Currency Financial reporting Reputational

Capital adequacy Compliance/market

conduct

Etc.

Derivatives/hedge

effectiveness

Litigation

Liquidity Pricing adequacy

Etc. Etc.

Inherent Risk Assessment

High

Low

Low Impact High

Lik

elih

oo

d

Residual Risk Assessment

High

Low

Strong Mitigating Controls Weak

Inh

eren

t R

isk

Financial Risk Mapping – One Example

Risk Sector Risk

Categories

SubRisks Sr. Mgmt. Risk

Oversight

Board Committee

Financial

Risks

Insurance

Risks

Reserve Risk

Mortality, Longevity,

Lapses, Other customer

behavior, expense

ALM Committee

Underwriting

Committee

New Product

Committee

Investment &

Finance Committee

Board Underwriting

Risk

Disability, Long Term

Care

Catastrophic

Risk

Cat event, Pandemic

Operational

Risks

Other Risks

Quantitative Models

Appropriate for the size and complexity of the business and its products

Stress tests, scenario analysis

Address risk correlation

Pass the “use test”

Back-testing

Liquidity and group-wide risks

Model validation controls and source data input controls

Models inform risk management; they aren’t management

Enterprise Risk Management / Economic Capital Modeling Process

ERM Foundation

(Policy/Appetite)

Identify Risks

Assess Risks

Evaluate Risks Risk Response

Plans

Monitor and Report

Link to Business Strategy Risk

Measurement

Economic Capital Modeling

Stress and Scenario Testing

Capital Management

Model Validation

Economic Capital Modeling Process

Risk Measurement

Economic Capital Modeling

Stress and Scenario Testing

Capital Management

Model Validation

Identified

Risks

Economic Capital Modeling Process

Risk Measurement

• Determine most appropriate way to measure business impact and assumptions to use

Economic Capital Modeling

• Develop quantitative model to determine business impact on key performance indicators

Stress and Scenario Testing

• Consider effects on economic capital over a wide range of scenario’s including “Extremes”

• European Solvency II requires modeling for the “1 in 200 Year Event” (0.5% probability)

Capital Management

• Correlate and aggregate risk impacts to ensure regulatory/rating agency capital adequacy

Model Validation

• Ensure model results are accurate and based on sound business assumptions / calculations

Economic Capital Modeling Working Group

Economic Capital Modeling Working Group Membership

• Chief Risk Officer–coordinate / compile results / document efforts

• Chief Finance Officer–audited financials / multi-year forecasting

• Chief Actuary–actuarially sound reserve and base rate calculations

• Chief Investment Officer–historical market trends / portfolio allocation

More Frequent/Hands-on Meetings Developing Detailed

Risk Quantification Strategies and the Actual Risk Models

Each Year 1-4 In Depth Key Risks Analyses Undertaken

ORSA– NAIC Guidance Manual

General Guidance

Section 1 - Description of the Insurer’s Risk

Management Framework

Section 2 - Insurer’s Assessment of Risk Exposure

Section 3 – Group Risk Capital and Prospective

Solvency Assessment

For more information, contact

Jim Stangroom, CPA

Partner

ParenteBeard, LLC

410-824-6001

James.Stangroom@ParenteBeard.com

Bob Marshall

Vice President & Chief Risk Officer

Chesapeake Employers Insurance

Company

410-494-2214

RMarshall@ceiwc.com

IASA 86TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

Please Complete the Session Evaluation Form on the Conference App and Include Your Conference Registration ID# to be Included in a Drawing for a Free Conference Registration for the 2014 Annual Conference! NOTE: Your Conference Registration ID# is Located at the

Bottom Left Hand Corner of Your Badge.