Can ORSA Work For All Businesses?

In addition to impacting the way countless organizations conduct business, the 2008 financial crisis was an awakening for regulators charged with reviewing and setting the rules that shape the way organizations assume risk. Insurance, perhaps the riskiest business of them all, did not go unscathed.

Not only are insurers responsible for managing their own internal risks, but careful calculations and guidelines are built into their business models to ensure that the risks fall within set parameters. Regulators will argue, however, that this wasn’t always the case.

Own Risk Solvency Assessment (ORSA) was adopted and now serves as an internal process for insurers to assess their risk management processes and make sure that, under severe scenarios, they remains solvent.

U.S. insurers required to perform an ORSA must file a confidential summary report with their lead state’s department of insurance.  The assessment aims to demonstrate and document the insurer’s ability to:

  • Withstand financial and economic stress with a quantitative and qualitative assessment of exposures
  • Effectively apply enterprise risk management (ERM) to support decisions
  • Provide insights and assurance to external stakeholders

While ORSA is requirement for insurers, a new study by RIMS and the Property Casualty Insurers Association, Communicating the Value of Enterprise Risk Management: The Benefits of Developing an Own Risk and Solvency Assessment Report, maintains that ORSA can be used for all organizations looking to strengthen their ERM function.

According to the report:

Whether or not required by regulation or standard-setting bodies, documenting the following internal practices is a worthwhile endeavor for any company in any sector to utilize in their goal to preserve and create value:

  • Enterprise risk management capabilities

  • A solid understanding of the risks that can occur at catastrophic levels related to the chosen strategy

  • Validation that the entity has adequately considered such risks and has plans in place to address those risks and remain viable.

The connection between the ORSA regulation imposed on insurers and the development of an ERM program within an organization outside of the insurance industry is apparent.

ORSA and ERM both require the organization to strengthen communication between business functions. Breaking down those silos are key to uncovering business risk, but perhaps more importantly, is the interconnectedness of those risks.

Secondly, similar to ERM in non-insurance companies, ORSA requires risk management to document its findings, processes and strategies. Such documentation allows for the process of managing risks to be effectively communicated to operations, senior leadership, regulators and stakeholders. Additionally, documentation enhances monitoring efforts, the ability to make changes to the program and is a benefit that allows ERM to reach a “repeatable” maturity level as defined by the RIMS Risk Maturity Model.

Developing an ERM program has become a priority for many organizations as senior leaders recognize the value of having their entire organization thinking, talking and incorporating risk management into their work. Examining and implementing ORSA strategies can be an effective way for risk professionals to get their ERM program off the ground and operational.

Temple University Wins 2016 Spencer-RIMS Challenge

spencer rims challenge 2016

SAN DIEGO—A team of students from Temple University won this year’s Spencer-RIMS Risk Management Challenge, concluding a three-month case-study challenge against 20 other universities. Team members Andrew Donchez, Carolyn Murset, Sean Preis and Zilong Zhao, advised by Associate Professor R. B. Drennan, will take home the competition’s $4,000.

This year, Lego provided a case study for teams from 21 universities to studied the risk portfolio and develop an array of proposed solutions. Eight teams were then invited to attend the RIMS 2016 Conference here in San Diego to present their findings to judges and an audience of risk professionals.

“All of the students who took part in the Spencer-RIMS Risk Challenge are winners,” said Ron Davis, the newly elected chair of the Spencer Educational Foundation. “Each university team was prepared, smart and successfully delivered innovative risk management solutions for a very complex situation. It is truly rewarding to see them have the opportunity to shine during this competition and validates the critical work we do to support tomorrow’s risk management professionals.”

“This competition reinforces that the risk management profession’s future is bright,” said RIMS CEO Mary Roth. “The Rising Risk Professional demographic of RIMS members continues to grow and their contributions and professional needs have directly influenced the resources and opportunities the Society delivers. We are so proud to be able to introduce these students to the energy and excitement of a RIMS Annual Conference and congratulate all of them for participating in the challenge.”

Second place went to Florida State University, while the team from Butler University took third. The Temple team won $4,000, FSU $3,000 and Butler $2,000 for their achievements.

Cyber, Regulation Seen as Top Emerging Risks, Report Finds

SAN DIEGO—Forecasting risk is not expected to get easier in the next three years, with cyberattacks and regulation topping the list of emerging risks, according to a new report published jointly by Marsh and RIMS.

The 13th annual Excellence in Risk Management report found that while risk professionals are increasingly relied upon to identify and assess emerging risks, there are still organizational and other barriers to identifying those risks. In fact, nearly half of survey respondents—48%—predicted that forecasting critical business risks will be more difficult three years from now, while just over one-quarter said it would be the same.

“Whether emerging risks are on your doorstep, around the corner, or on the far horizon, they have the potential to catch organizations unaware,” said Brian Elowe, Marsh’s U.S. client executive leader and co-author of the report. “It’s important for risk professionals to maintain awareness of global risk trends, and to make the connection to their organizations’ business strategy.”

Where do risk professionals turn when trying to understand the impacts of emerging risks on their organization? According to the report:
One of the goals of this year’s Excellence survey’s goal was to better understand how organizations view the emerging risks facing them, what tools they use and the barriers they face in assessing, modeling, and understanding the risks. According to the findings, a majority of respondents—61%—cited cyber-attacks as the likely source of their organization’s next critical risk. This was followed by regulation, cited by 58% of the respondents, and talent availability, cited by 40% of the respondents.

Based on survey responses and insights from numerous focus group discussions, it became clear that risk professionals generally agree on the importance of identifying emerging risks, and also that there is no clearly established framework for doing so. More can be done to better identify, assess, and manage the impact emerging risks may have on organizations.

For example, a majority—60%—of the risk management respondents said they use claims-based reviews as one of the primary means to assess emerging risks, compared to 38% who said they use predictive analytics.

“The widespread use of claims-based reviews means that a majority of organizations are relying on studying past incidents to predict how emerging risks will behave rather than using predictive analytic techniques like stochastic modeling and game theory to help inform their decision making,” Elowe said.

Survey respondents also cited several barriers to understanding the impact of emerging risks on their business strategy. Decisions with lack of cross-organization collaboration ranked first among risk professional respondents.

“Lack of collaboration across the organization is still an issue for many risk professionals. On the other hand, breaking down silos has become less of a concern for executives,” said Carol Fox, vice president of strategic initiatives for RIMS and co-author of the report. “Tackling emerging risks often requires creative yet pragmatic approaches. It has to encompass internal cross-functional conversations — formal and informal — around the intersection of risk and strategy, senior-leadership engagement, and tapping into external information sources. Risk professionals are encouraged to broaden the scope and collaboration around emerging risk issues within their organizations.”

According to the report:

As the risk environment becomes increasingly complex and more entwined with financial decisions, risk strategy is increasingly a boardroom issue. As we have seen in past Excellence surveys, senior leaders’ expectations of the risk management department have increased in everything from leading enterprise risk management to providing better risk quantification and analysis.

However, while more is being asked of risk professionals, investment is not necessarily keeping pace. For example, the percentage that say they expect to hire more staff dropped to 25% this year from 37% when we asked in 2015. “We’ve all experienced this elevation of risk management at our institutions, but…as we are battling for budget, it becomes pretty easy for risk management to get pushed over to the side,” said the assistant vice president of risk management at a major university.

The survey is based on more than 700 responses to an online survey and a series of focus groups with risk executives in January and February 2016.