Can ORSA Work For All Businesses?

In addition to impacting the way countless organizations conduct business, the 2008 financial crisis was an awakening for regulators charged with reviewing and setting the rules that shape the way organizations assume risk. Insurance, perhaps the riskiest business of them all, did not go unscathed.

Not only are insurers responsible for managing their own internal risks, but careful calculations and guidelines are built into their business models to ensure that the risks fall within set parameters. Regulators will argue, however, that this wasn’t always the case.

Own Risk Solvency Assessment (ORSA) was adopted and now serves as an internal process for insurers to assess their risk management processes and make sure that, under severe scenarios, they remains solvent.

U.S. insurers required to perform an ORSA must file a confidential summary report with their lead state’s department of insurance.  The assessment aims to demonstrate and document the insurer’s ability to:

  • Withstand financial and economic stress with a quantitative and qualitative assessment of exposures
  • Effectively apply enterprise risk management (ERM) to support decisions
  • Provide insights and assurance to external stakeholders

While ORSA is requirement for insurers, a new study by RIMS and the Property Casualty Insurers Association, Communicating the Value of Enterprise Risk Management: The Benefits of Developing an Own Risk and Solvency Assessment Report, maintains that ORSA can be used for all organizations looking to strengthen their ERM function.

According to the report:

Whether or not required by regulation or standard-setting bodies, documenting the following internal practices is a worthwhile endeavor for any company in any sector to utilize in their goal to preserve and create value:

  • Enterprise risk management capabilities

  • A solid understanding of the risks that can occur at catastrophic levels related to the chosen strategy

  • Validation that the entity has adequately considered such risks and has plans in place to address those risks and remain viable.

The connection between the ORSA regulation imposed on insurers and the development of an ERM program within an organization outside of the insurance industry is apparent.

ORSA and ERM both require the organization to strengthen communication between business functions. Breaking down those silos are key to uncovering business risk, but perhaps more importantly, is the interconnectedness of those risks.

Secondly, similar to ERM in non-insurance companies, ORSA requires risk management to document its findings, processes and strategies. Such documentation allows for the process of managing risks to be effectively communicated to operations, senior leadership, regulators and stakeholders. Additionally, documentation enhances monitoring efforts, the ability to make changes to the program and is a benefit that allows ERM to reach a “repeatable” maturity level as defined by the RIMS Risk Maturity Model.

Developing an ERM program has become a priority for many organizations as senior leaders recognize the value of having their entire organization thinking, talking and incorporating risk management into their work. Examining and implementing ORSA strategies can be an effective way for risk professionals to get their ERM program off the ground and operational.

RMORSA: Risk Culture and Governance

The National Association of Insurance Commissioners adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) requires insurance organizations to take a broader approach to risk management. As U.S. insurers begin to mobilize their efforts to comply with the regulation by the 2015 deadline, it’s important for them to take a step back, leverage their existing risk management operations, and develop their RMORSA efforts with a mind to the future.

The groundwork for RMORSA was laid with International Association of Insurance Supervisors’ (IAIS) Core Principle 16 – Enterprise Risk Management – and much of the ORSA requirements can be fulfilled with the adoption of an ERM framework that addresses:

• Risk culture and governance

• Risk identification and prioritization

• Risk appetite and tolerances

• Risk management and controls

• Risk reporting and communication

Before you scoff at the scope of these requirements, consider that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks “may not require the same scope or depth of review” as organizations with less defined processes.

As defined by the NAIC, risk culture and governance defines roles, responsibilities, and accountability in risk-based decision making. In effect, the principle builds off of a 2010 SEC mandate requiring corporate boards to document their role overseeing enterprise risk. This rule extends the board’s role in risk oversight from C-level risks, activities and decisions to now having accountability at the business process level. Boards are explicitly given a choice between either having effective risk management, or disclosing their ineffectiveness to the public. Doing neither is considered fraud or negligence. Enforcement actions by the SEC have doubled in recent years, so it’s likely your board has already established risk management as a priority, but what does this mean for your organization?

The first practical issue is that it is no longer sufficient to rely on the audit function as a hub for risk management. Risk responsibility has always been the responsibility of process owners, and ORSA is now mandating better oversight under the guidance of a risk management function. For many organizations, the critical first step has been taken by establishing executive responsibility in a chief risk officer (a CRO is actually required to sign off on the ORSA assessment), but without the appropriate tools to make risk management actionable, accountability beyond the CRO is never properly defined. Front line managers hear “risk responsibility” and take the same action they would for other lofty strategic initiatives—that is to say, they take no action at all.

To engage process owners in a risk culture, each business area must take ownership for a subset of the enterprise risks. Risk managers, in effect, do not own the risks to the organization; on the contrary, they own the ERM process. Their primary role is to lay the groundwork for risk assessments, aggregate risk intelligence for board reports and create actionable initiatives for business areas in need of oversight.

Engaging process owners has the dual effect of permeating an enterprise-wide risk culture, while also creating a sense of shared responsibility. The structure defined above also creates three levels of defense, a concept adopted and well-articulated by the Institute of Internal Auditors. The operational risks are owned by the process owners. The risk management function provides guidance and strategic alignment. And finally, internal audit ensures adherence to the proper policies and regulatory standards.

Risk culture and governance cannot be accomplished overnight, but significant progress can be made by adopting and articulating the best practices outlined above.

For more information on engaging process owners, implementing a standardized risk assessment process, and reporting this information to the board, download LogicManager’s complimentary eBook, Presenting Risk Management to the Board.