30
The Journey to ORSA Begins Assessing the Results of the 2015 ORSA Survey from St. John’s University and Protiviti

ORSA Getting Ready for 2015

Embed Size (px)

DESCRIPTION

In partnership with St. John’s University, Protiviti publishes the Getting Ready for 2015 - ORSA Report. This study looks at the readiness of U.S. insurance carriers to comply with the upcoming ORSA Summary Report requirement.

Citation preview

Page 1: ORSA Getting Ready for 2015

The Journey to ORSA Begins Assessing the Results of the 2015 ORSA Survey from St. John’s University and Protiviti

Page 2: ORSA Getting Ready for 2015

1THE JOURNEY TO ORSA BEGINS

Executive Summary

PUBLIC COMPANIES HAVE SOX. FINANCIAL SERVICES ORGANIZATIONS (AND OTHERS) FACE DODD-

FRANK, SOLVENCY II AND MANY OTHER REGULATIONS. HEALTHCARE PROVIDERS HAVE HIPAA. AND

NOW, INSURANCE COMPANIES CONFRONT ORSA.

U.S.-based insurance companies have embarked on a new journey as they prepare to produce and file their first Own Risk and Solvency Assessment (ORSA) Summary Report in 2015. The filing of this report marks a key milestone of the Solvency Modernization Initiative. This is the endeavor by the National Association of Insurance Commissioners to modernize the regulatory framework used by state insurance departments to regulate the U.S. insurance industry and enhance the capability of insurance companies to weather economic storms similar to those that battered the broader financial services industry and contributed to the global financial crisis.

For some insurance companies, the ORSA journey has yet to begin, while other organizations already have a clear roadmap and a strategy to reach their destination in an organized and orderly manner. Many recognize that the unknown is proving to be a significant challenge. What is the key differentiator? The answer lies in the strength and maturity of an organization’s current risk management structure and practices.

St. John’s University recently teamed with Protiviti to conduct a survey of more than 100 industry executives to assess the state of readiness of insurance organizations as they continue with their preparation for their initial ORSA Summary Report, as well as to determine ORSA’s impact on different areas of their risk management processes.

Our 5 key findings:

1. Insurance offerings could change – A majority of respondents indicate that ORSA could affect the nature and types of insurance products sold.

2. ORSA will change risk oversight, improve ERM, and help with the integration of risk and strategy – The results suggest that half of all insurance companies already recognize the benefits of ORSA in en-hancing their ability to manage risk effectively. Among ORSA’s key perceived benefits are identifying and managing emerging, financial and strategic risks; improving and formalizing the ERM process; integrating risk management with strategy; measuring and quantifying operational risk; and enhancing risk oversight from the board and senior management.

3. Many organizations need new controls and policies – A majority of respondents believe ORSA creates the need for new risk management policies and internal controls.

4. More education and training is needed at the board and executive levels – New policies and con-trols will create opportunities for further education and training related to both ORSA and ERM.

5. In risk reporting, there’s some disagreement between management and the board – Board members may be more skeptical than management about current risk reporting. And management in less than half of all insurance organizations are comfortable that they have examined all possible risk outcomes in stress tests.

Page 3: ORSA Getting Ready for 2015

2 THE JOURNEY TO ORSA BEGINS

MethodologySt. John’s University and Protiviti conducted their ORSA study in the third quarter of 2014. More than 100 (n = 110) Chief Risk Officers, Chief Financial Officers, Chief Audit Executives, and other executives and leaders in the U.S. insurance industry completed an online questionnaire designed to assess the state of readiness of their organization to comply with the ORSA requirement, as well as their views of their institution’s current risk management policies and practices.

More than half of our respondents are from insurance organizations that have $1 billion or more in annual written premiums, and nearly one in three respondent organizations have annual written premiums greater than $3 billion. Additional respondent demographics can be found on page 26.

Since completion of the survey was voluntary, there is some potential for bias if those choosing to respond have significantly different views on matters covered by the survey from those who did not respond. Therefore, our study’s results may be limited to the extent that such a possibility exists. In addition, some respondents answered certain questions while not answering others. Despite these inherent limitations, we believe the survey results provide valuable insights regarding industry views on the ORSA Summary Report requirement and related risk management standards and practices.

Page 4: ORSA Getting Ready for 2015

3THE JOURNEY TO ORSA BEGINS

Results and Analysis

THE BENEFITS OF ORSA

ORSA will help our organization improve the identification and management of:

Emerging risks Financial risk

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.71LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.67LEVEL OF

AGREEMENT

Strategic risk Risk culture

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.66LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.60LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Page 5: ORSA Getting Ready for 2015

4 THE JOURNEY TO ORSA BEGINS

Preparing for ORSA reporting will lead to an improved ERM process

in our organization

Complying with ORSA will help facilitate the integration of risk

management with strategy

Preparing for ORSA will lead to improved risk oversight from our board of directors

and senior management

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.82LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.68LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.75LEVEL OF

AGREEMENT

Our organization considers emerging risks through:

A committee Planning

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.82LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.72LEVEL OF

AGREEMENT

Reporting Operating systems

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.68LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.29LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Page 6: ORSA Getting Ready for 2015

5THE JOURNEY TO ORSA BEGINS

Commentary

• There generally is a high level of agreement, though not overwhelmingly so, regarding the overall benefits of ORSA, including identifying and managing emerging, financial and strategic risks.

• The results indicate a general belief that ORSA will be beneficial, particularly in the identification of emerging and financial risks, which scored highest. This is consistent with the feedback coming from the various NAIC working groups. Life and reinsurance firms expressed an especially high level of agreement with regard to these benefits of ORSA, as did insurance firms that have greater than $3B in written premi-ums. Based on our results, more than 60 percent of insurers consider emerging risk as part of the planning process and include it in evaluations by a risk committee.

• Notably, ORSA is viewed to have the least effect (albeit slight) in improving risk culture, suggesting that organizations either believe they have a strong risk culture already, or ORSA compliance doesn’t really affect culture. Levels of agreement are lowest among property & casualty firms (3.23) and specialty insur-ance companies (3.20), as well as firms at the $500M to $1B premium level (3.11). For organizations with a strong risk culture, this is a positive finding that is not unexpected given that risks and risk management are inherent to the business of insurance, and many organizations have worked to foster a strong risk culture that should support these initiatives.

• However, the risk culture-related results also may be an indicator that some companies lack an adequate understanding of ORSA requirements or a full appreciation of enterprise risk management.

• Many organizations share the view that ORSA reporting will improve their ERM processes, which was one of the NAIC’s key objectives in setting this requirement. Those respondent groups expressing particularly strong agreement with this include greater than $3B organizations (4.03), reinsurance firms (4.33) and health insurance companies (4.16).

• For all of the emphasis the industry is placing on technology and operating systems, this area scored noticeably lower in terms of how organizations consider emerging risks, suggesting that traditional risk assessments and an overarching risk committee still meet organizations’ perceived needs. Interestingly, our results suggest life insurance companies consider emerging risks through their operating systems much less compared to other types of insurance organizations.

• In general, there is agreement that ORSA will help bring awareness to risk oversight by the board of direc-tors and senior management, as evidenced by 69 percent of all respondents.

Key findings

• Two out of three insurance companies believe ORSA will help the organization improve the identifi-cation and management of strategic risks.

• Nearly three out of four insurance companies believe that preparing for ORSA reporting will lead to an improved ERM process.

Page 7: ORSA Getting Ready for 2015

6 THE JOURNEY TO ORSA BEGINS

OVERALL INDUSTRY CONSIDERATIONS

In preparing for ORSA, our organization has conducted a gap analysis against a suitable ERM

framework to determine needed improvements

Heightened regulatory scrutiny will impact the nature and types of insurance products sold

and the types of customers obtained

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.69LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.37LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Commentary

• There has been much discussion among insurance companies regarding how regulatory change and uncer-tainty will change the industry – this is a top-of-mind issue for senior insurance executives. Our results reflect this, as more than half (51 percent) are in agreement that heightened regulatory scrutiny will change the types of products they sell, while just one in five disagree. Reinsurance companies expressed a high level of agreement with this statement (3.83) compared to other groups.

• Looking at companies with $500M or more in annual written premiums (those that are required to file an ORSA Summary Report), 40 percent acknowledged that they have not conducted a gap analysis against a suitable ERM framework to determine needed improvements.

• Specialty and life insurance companies appear to be less prepared than reinsurance firms, most of which indicated they have conducted a gap analysis against a suitable ERM framework. Reinsurance companies likely are better prepared based on existing capital requirements with which they must comply.

• Overall, the results suggest that many organizations still have significant work to do to prepare for ORSA compliance, even as the compliance deadline in many states approaches.

Key findings

• 51 percent agree that heightened regulatory scrutiny will change the types of insurance products they sell.

• 40 percent have not conducted a gap analysis against a suitable ERM framework to determine needed improvements.

Page 8: ORSA Getting Ready for 2015

7THE JOURNEY TO ORSA BEGINS

ERM FRAMEWORK – RISK CULTURE AND GOVERNANCE

Our organization envisions more education and training at all levels, including the

board, related to ERM and ORSA

Responding to ORSA guidelines will require changes in corporate governance and may lead to new roles and resource

requirements

Our board is constructively engaged with management in aligning the ORSA scope

with the risk oversight process

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.63LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.51LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.36LEVEL OF

AGREEMENT

Compliance with ORSA is expected to formalize our firm’s ERM program and

framework significantly

ORSA will dramatically impact/change our organization’s risk culture

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.29LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2.94LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Commentary

• Many insurance companies (58 percent) plan to implement more training and education on ERM and ORSA at all levels of the organization – including for the board of directors.

• On the other hand, one in three respondents expressed pessimism that ORSA will dramatically change their organization’s risk culture, and based on our results, property & casualty firms are the most doubtful. This is likely good news, as it implies companies already are practicing sound risk practices and have already estab-lished a strong risk culture. However, this also indicates that some may not have an adequate understanding of ORSA requirements or a full appreciation of risk management at the enterprise level.

• There is general consensus that changes in corporate governance, roles and resources are needed to respond to ORSA. Specifically, more than half (60 percent) of respondents agreed that changes are necessary.

Page 9: ORSA Getting Ready for 2015

8 THE JOURNEY TO ORSA BEGINS

• More than half of our respondents indicated that their boards are not engaged constructively in ERM or ORSA. Life insurance companies stand out in this group, while boards for reinsurance companies appear to be more engaged. This is an area where additional training may be necessary.1

• Nearly half of all respondents (47 percent) envision that ORSA will help formalize their organization’s ERM program and framework in a significant manner. This is a positive development – as one of our respondents noted, “We can now get everyone to take ERM seriously.”

• Overall, these findings are significant by themselves. However, consider that, according to other results from our study, 70 percent of organizations agree that management and the board already discuss risk appetite and its alignment with risk strategy (see page 11). In other words, even though organizations already align appetite with risk strategy, they view ORSA to be a requirement that will lead to additional significant changes in governance and formalization of ERM programs. Thus, it is not surprising that these same organizations need additional training. The ORSA report should help companies shift focus toward managing overall risk and taking a more forward-looking approach to risk. Both of these areas represent emerging trends across the financial services industry as a whole and may present a significant struggle for many companies.

1 For additional information on guidance for board members in risk oversight, ERM and other issues, read Protiviti’s Board Perspectives: Risk Oversight series, available at www.protiviti.com.

Key findings

• In a majority of insurance companies, boards of directors may not be engaged constructively in ERM or ORSA.

• There is general consensus that changes in corporate governance are needed that may lead to new roles and resource requirements.

• Many insurance organizations view ORSA to be a requirement that will lead to additional significant changes in governance and formalization of ERM programs and frameworks.

Page 10: ORSA Getting Ready for 2015

9THE JOURNEY TO ORSA BEGINS

ERM FRAMEWORK – RISK IDENTIFICATION AND PRIORITIZATION

ORSA will have a significant impact on our organization’s process in identifying and analyzing:

Operational risk Underwriting risk Market risk

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.30LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.14LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.00LEVEL OF

AGREEMENT

Liquidity risk Credit risk

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2.99LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2.85LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Commentary

• Not surprisingly, insurance companies view operational risk to be the area most likely to be impacted by ORSA, and the area requiring the most transformational change. Among company categories, health insur-ance organizations indicated the strongest impact on operational risk (3.89) as a result of ORSA. This is interesting as these organizations face significant change in their operating environment.

Page 11: ORSA Getting Ready for 2015

10 THE JOURNEY TO ORSA BEGINS

• Underwriting risk ranks second, which is surprising. This has been a traditional area of focus for insur-ers. Again, the impact will be most significant within health insurance companies, while there will be less of an impact among companies with greater than $3B in annual written premiums. Health insurance organizations face significant shifts in their policyholder demographics, making pricing a challenge over the next several years.

• Our results indicate there will be less of an effect from ORSA on identifying and analyzing credit and liquidity risks. This is understandable, considering managing credit and liquidity is a core process in the industry. However, we encourage insurers not to underestimate the credit risk aspect of their risk manage-ment programs, and ultimately in completing their ORSA Summary Report. Insurers heavily rely upon reinsurance, third-party administrators (TPAs), general agencies (GAs) and other counterparties as a way of providing critical operational services and capital relief (reinsurers) during catastrophic events. The credit-worthiness of these third parties and the respective risks and controls around these counterparty arrange-ments should be described and measured as part of the ORSA process.

Key findings

• Insurance organizations view operational risk to be the area most likely to be impacted by ORSA.

• Many also perceive that ORSA will have a significant impact on underwriting risk, which is surpris-ing given that this is a traditional area of focus for insurers.

Page 12: ORSA Getting Ready for 2015

11THE JOURNEY TO ORSA BEGINS

ERM FRAMEWORK – RISK APPETITE, TOLERANCES AND LIMITS

Management and the board regularly discuss the company’s risk appetite and its

alignment with risk strategy

Risk appetite is cascaded downward into the organization through appropriate

risk tolerances and limits

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.90LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.75LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Commentary

• Companies appear to be using risk appetite statements as the primary vehicle to monitor and facilitate risk management discussions. Just 12 percent indicated disagreement with the statement that risk appetite is cascaded downward into the organization, with most of these respondents falling in the small company and specialty insurance categories. The highest levels of agreement were expressed by respondents from large companies along with reinsurance and diversified insurance firms.

• It is important to note that, within the risk appetite statement, there should be defined dollar value toler-ances, and as part of best practices, those tolerances should be reviewed and approved at the board level.

• Cascading of risk tolerances downward throughout an organization is never easy. Our respondents share this view and recognize the importance the ability to do this holds for the organization.

Key finding

• In 70 percent of insurance organizations, management and the board regularly discuss the compa-ny’s risk appetite and its alignment with risk strategy.

Page 13: ORSA Getting Ready for 2015

12 THE JOURNEY TO ORSA BEGINS

ERM FRAMEWORK – RISK MANAGEMENT AND CONTROLS

ORSA will create the need for new risk management policies and internal controls

ORSA will enhance our ability to address and manage risk effectively

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.58LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.40LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Commentary

• In addition to the changes in governance and the increased formalization of current ERM programs (as discussed earlier in our report), 60 percent of our respondents are in agreement that ORSA will lead to new risk management policies and internal controls.

• Though larger carriers are generally expected to have more mature ERM functions, particularly given the attention that rating agencies and regulators are devoting to these activities, it is also larger carriers (over $3B in annual written premiums) that are more likely to believe that preparing for ORSA will improve their organization’s ERM function and process.

• Among insurance organization categories, respondents from reinsurance and health insurance firms expressed the highest levels of agreement regarding ORSA’s effect on their risk management efforts.

• The fact that many organizations plan to formalize their ERM programs (see page 7) is good news. Since ERM has been shown to lead to better decision-making, there should be an overall improvement in risk management within insurance companies.2 Our results also suggest that half of all insurance companies already agree – even before the preparation and filing of their first ORSA Summary Report – that ORSA will enhance their ability to manage risk effectively. The most likely reasons include formalization of risk identification processes, better linkage of ERM to strategy-setting and capital planning, more consideration for emerging risks, greater transparency, and increased attention and education directed to ERM at the board level.

Key finding

• 60 percent agree that ORSA will lead to new policies and internal controls.

2 For additional information, read “Enterprise Risk Management: A Process for Enhanced Management and Improved Performance,” Stephen Gates, Ph.D., CFA; Jean-Louis Nicolas, Ph.D.; and Paul L .Walker, Ph.D., CPA, Management Accounting Quarterly, Spring 2012, Volume 13, No. 3.

Page 14: ORSA Getting Ready for 2015

13THE JOURNEY TO ORSA BEGINS

ERM FRAMEWORK – RISK REPORTING AND COMMUNICATION

Our risk reporting provides information needed about our top risks and how they are managed to:

Management The board of directors

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

4.18LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

4.02LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Commentary

• Most insurance organizations already provide information to the board and management about how top risks are managed. In our survey, respondents expressed a high level of confidence in their organizations’ risk reporting, and specifically its ability to provide information about top risks to management and the board of directors. Well over 70 percent of respondents feel strongly that their organizations are tracking and reporting risk appropriately at both the board and management levels.

• Agreement levels are remarkably high among reinsurance firms and large organizations.

• However, there are some interesting disparities between management and the board. Of particular note, the board may be more skeptical than management about current risk reporting. More than 40 percent agree strongly that risk reporting provides information needed by management about top risks and how they are managed, while less (36 percent) strongly agree that this needed information is provided to the board.

• Earlier (see page 7), we called out that only 46 percent of respondents noted that the board is constructively engaged with management in aligning the ORSA reporting scope with risk oversight. This finding and the findings above raise questions about the adequacy of time allocated on the board agenda to risk matters, the level of understanding directors have of the organization’s risks, the depth of their inquiries into the ERM process, and the extent to which management engages the board over risk matters in a timely manner.

Key finding

• The board may be more skeptical than management about current risk reporting.

Page 15: ORSA Getting Ready for 2015

14 THE JOURNEY TO ORSA BEGINS

RISK EXPOSURE ASSESSMENT

We have a process to assess the adequacy of enterprise risk management

ORSA will challenge our systems and data capabilities

Our management is comfortable that they have examined all possible risk outcomes in the stress tests the company performs

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.83LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.27LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.29LEVEL OF

AGREEMENT

The basis for the quantitative risk and capital analysis and the projections will be:

Internal model Statutory RBC approach

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.88LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.50LEVEL OF

AGREEMENT

Combination Other/hybrid

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.43LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.09LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Page 16: ORSA Getting Ready for 2015

15THE JOURNEY TO ORSA BEGINS

As a result of ORSA, we will begin performing:

Stress testing Solvency assessments Risk assessments

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.19LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.04LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2.95LEVEL OF

AGREEMENT

We currently have a process to assess current/prospective solvency positions under:

Normal stress scenarios Severe stress scenarios

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.87LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.66LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Commentary

• A majority of our respondents (64 percent) reported that their organizations have a process to assess the adequacy of ERM. However, in a separate question in our survey, one in three (33 percent) noted that ORSA reporting guidelines will cause them to focus on issues not considered by their current ERM program (see page 20).

• The stress testing response is interesting in that this represents a key requirement of the ORSA Summary Report. In one sense, we would expect to see a much higher level of agreement – less than half of respon-dents, in fact, agree that they will begin performing stress testing as a result of ORSA. It is possible that many organizations are already conducting stress testing and will continue to do so for ORSA, perhaps with some modifications. The lower level of agreement for large insurance firms (2.90) bears out this possibil-ity. On the other hand, these responses could reflect a lack of awareness of the full scale of stress testing required as part of ORSA.

Page 17: ORSA Getting Ready for 2015

16 THE JOURNEY TO ORSA BEGINS

• Still, the results indicate that most firms have some work to do in their stress testing efforts. More than half of our respondents (54 percent) indicated their management is not comfortable that all possible risk outcomes have been examined in the stress tests the company performs. This figure is remarkably high. The results are consistent across company size (even for large firms) and categories.

• Among the insurance firm category responses to the question about management’s comfort with the orga-nization’s stress tests, health insurance companies expressed the highest level of agreement (3.89), while reinsurance and specialty firms indicated the lowest levels of agreement (2.67 and 2.60, respectively).

• Although most companies agree that they already have a process to assess normal and severe stress scenarios (67 percent and 62 percent, respectively), many also admit they will be performing a series of new tests and assessments as a result of ORSA, including stress testing (45 percent), risk assessments (40 percent) and solvency assessments (40 percent).

• Not surprisingly, nearly half (48 percent) noted that changes will be needed in their systems and data capabilities.

• Of note, if organizations plan to use an internal model for quantitative risk and capital analysis, it will need to be defined and explained in detail as part of the ORSA report.

Key findings

• More than half of all survey respondents indicated management is not comfortable that they have examined all possible risk outcomes in the stress tests the company performs.

• Nearly half of insurance organizations require changes to their systems and data capabilities as a result of ORSA.

Page 18: ORSA Getting Ready for 2015

17THE JOURNEY TO ORSA BEGINS

GROUP ASSESSMENT OF RISK CAPITAL AND SOLVENCY

Management is comfortable that the assessment of economic capital required

that will be included in the ORSA report will be sufficient and unbiased

We have used economic capital methods or practices in the past as a tool for capital

allocation and performance assessment

The capital adequacy requirements of ORSA pose a significant challenge

to our company

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.68LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.52LEVEL OF

AGREEMENT

2.65LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Given ORSA’s focus at the group level, there is a greater chance that future/projected capital requirements may be:

Understated Overstated

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2.90LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2.88LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Commentary

• Interestingly, our respondents – across category and company size – are generally split as to whether the future/projected capital requirements noted in the ORSA Summary Report will be overstated or understated.

• Just one in five respondents from firms with more than $500M in annual written premiums – those required to file an ORSA Summary Report – believe the capital adequacy requirements of ORSA pose a significant challenge. Not surprisingly, the largest insurance firms view ORSA’s capital adequacy requirements to be less of a challenge (2.28) relative to other firms. Reinsurance companies (1.83) appear to be the most confi-dent that they can address these requirements sufficiently.

• While respondents don’t necessarily view the capital adequacy requirements of ORSA as a significant chal-lenge, one may ask whether companies would still choose additional flexibility related to the capital they hold and the ability to leverage a completely customized economic capital model.

Page 19: ORSA Getting Ready for 2015

18 THE JOURNEY TO ORSA BEGINS

• Those (59 percent) who believe that they will report sufficient and unbiased economic capital in ORSA reports will be likely to use economic capital for capital allocation and performance assessment, as well. This means that they view economic capital as a better measurement than solvency capital and are exploring its additional values or applications.

• Our results indicate that more than half of insurance organizations perform additional risk assessments such as liquidity, concentration, etc. In particular, liquidity risk seems to be assessed by most respondents (59 percent) who report sufficient and unbiased economic capital in ORSA reports – this can be seen from the similarity in their survey statistics.

We currently use a capital adequacy approach and assessment that takes into consideration:

The effect of liquidity risk, or calls on the insurer’s cash position, due to microeconomic factors and/or

macroeconomic factors

Elimination of intragroup transactions and double-gearing where the same capital is used simultaneously as a buffer against

risk in two or more entities

Diversification credits and restrictions on the fungibility of capital within the holding company system, including the availability

and transferability of surplus resources created by holding company system-level

diversification benefits

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.61LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.46LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.46LEVEL OF

AGREEMENT

The level of leverage, if any, resulting from holding company debt

The effects of contagion risk, concentration risk and complexity risk in the group

assessment of risk capital

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.40LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.41LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Page 20: ORSA Getting Ready for 2015

19THE JOURNEY TO ORSA BEGINS

ORSA REPORT PREPARATION

We would benefit from assistance with:

Improving risk quantification Stress testing Model validation

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.35LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.32LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.27LEVEL OF

AGREEMENT

Improving risk reporting Linking ERM/ORSA to strategyUnderstanding ORSA and its impact on

governance/culture

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.21LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.15LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.09LEVEL OF

AGREEMENT

Capital management

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2.99LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Page 21: ORSA Getting Ready for 2015

20 THE JOURNEY TO ORSA BEGINS

We’ve identified new resources needed for preparing the ORSA report

ORSA reporting guidelines focus attention on issues that are not considered by our current ERM program

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

3.29LEVEL OF

AGREEMENT

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2.90LEVEL OF

AGREEMENT

Agreement scale of 1-5:

5 = Completely agree1 = Completely disagree

Percentage agreement (response of “5” or “4”)

Percentage neutral (response of “3”)

Percentage disagreement (response of “1” or “2”)

Commentary

• Only one-third of all respondents, as well as those specifically from companies with more than $500M in annual written premiums, believe that ORSA reporting guidelines focus attention on issues that are not considered by their existing ERM programs. Our results indicate that health insurance firms are an excep-tion, in that a higher percentage of these companies believe ORSA’s guidelines are focusing attention on these issues. Still, the results suggest that one-third of insurance organizations will need to enhance their ERM programs.

• There also is a high level of agreement among health insurance firms (3.95) that they have identified new resources needed for preparing their ORSA Summary Report. Health insurance organizations also expressed a need for assistance in areas such as improving risk quantification (4.05) and model validation (4.00).

• Our results suggest that reinsurance and life insurance firms view their ERM programs and resources to be relatively well-positioned to meet the requirements of the ORSA Summary Report. The only minor excep-tion is an expressed need for assistance among life insurance company respondents in the areas of improving risk reporting and stress testing.

• Interestingly, the results across company size are relatively consistent, with large insurance firms indicating slightly less of a need for assistance with the various ORSA requirements. Also of note, 41 percent of insur-ance organizations can benefit from assistance with improving their risk reporting, despite the fact that, as reported earlier, three out of four companies, on average, believe their risk reporting provides information needed by management and the board about top risks and how they are managed (see page 13).

Page 22: ORSA Getting Ready for 2015

21THE JOURNEY TO ORSA BEGINS

Who is involved in leading and coordinating your organization’s ORSA efforts?Multiple responses permitted

Company Size (annual written premiums)

Greater than $3B

$1B to $3B $500M to $1B$250M to

$500MLess than

$250M

Chief financial officer 29% 28% 47% 42% 60%

Chief risk officer 61% 56% 37% 42% 10%

Internal audit 3% 4% 5% 15% 0%

Other management 6% 12% 16% 0% 35%

Insurance Category

Diversified Health Life P&C Reinsurance Specialty

Chief financial officer 61% 53% 25% 28% 40% 40%

Chief risk officer 43% 29% 67% 53% 40% 20%

Internal audit 4% 12% 8% 0% 0% 20%

Other management 0% 12% 8% 25% 20% 20%

Commentary

• There are some notable disparities between the different company size and category groupings. For exam-ple, the CFO has the primary role in leading ORSA efforts within health and diversified insurance firms, while the CRO will assume these responsibilities in most life and property & casualty companies.

• Not surprisingly, the CRO will have a lead role in ORSA within many large insurance firms (greater than $1B in annual written premiums). In smaller organizations, ORSA leadership and coordination appears to be split between the CRO and CFO, with internal audit having some limited involvement, as well.

Page 23: ORSA Getting Ready for 2015

22 THE JOURNEY TO ORSA BEGINS

ORSA’s stress-testing requirements pose a significant challenge to our company in:

Company Size (annual written premiums)

Greater than $3B

$1B to $3B $500M to $1B$250M to

$500MLess than

$250M

Dates 44% 36% 32% 8% 35%

Models 25% 44% 58% 69% 45%

People 38% 44% 58% 54% 80%

Scenario Analysis 34% 24% 47% 31% 35%

Other 6% 12% 5% 0% 0%

Insurance Category

Diversified Health Life P&C Reinsurance Specialty

Dates 50% 59% 27% 26% 50% 20%

Models 32% 53% 64% 57% 25% 80%

People 73% 53% 45% 63% 25% 60%

Scenario Analysis 32% 53% 45% 40% 50% 0%

Other 5% 0% 9% 9% 25% 0%

Commentary

• Again, we can see some notable differences in the findings based on insurance firm size and category. ORSA’s stress-testing requirements appear to pose significant people/resource-related challenges for diversified and property & casualty firms, while models pose the greatest hurdle for life and specialty firms. Interestingly, heath insurance firms view similar challenges in each of the areas (dates, models, people, scenario analysis).

• As expected, challenges related to staffing and stress-testing models are more significant for smaller firms than larger organizations.

Page 24: ORSA Getting Ready for 2015

23THE JOURNEY TO ORSA BEGINS

Please rank the following components of the ORSA report according to the level of challenge each will pose for your organization to address:

• “10” indicates it will pose a very significant challenge• “1” indicates it will not pose a challenge

Level of Challenge

Quantitative Risk Exposure Assessment (stress environment) 5.73

Prospective Solvency Assessment 5.43

Qualitative Risk Exposure Assessment (stress environment) 5.42

Group Assessment of Risk Capital 5.31

Risk Appetite, Tolerances, and Limits ERM principle 5.05

Quantitative Risk Exposure Assessment (normal environment) 5.00

Risk Reporting and Communication ERM principle 4.98

Qualitative Risk Exposure Assessment (normal environment) 4.79

Risk Culture and Governance ERM principle 4.61

Risk Identification and Prioritization ERM principle 4.56

Risk Management and Controls ERM principle 4.54

Commentary

• Overall, the ORSA requirement pertaining to a Quantitative Risk Exposure Assessment of the organiza-tion’s stress environment is viewed to be the most challenging component of the ORSA report. Prospective Solvency Assessment and Qualitative Risk Exposure Assessment (stress environment) are also viewed to be significant challenges. The findings are relatively consistent across firm size and category, though health, life and specialty insurance firms view these components to be especially challenging.

• The least challenging components (overall) of the ORSA Summary Report are viewed to be the Risk Management and Controls ERM principle and the Risk Identification and Prioritization ERM principle. The latter was scored particularly low as a challenge by large insurance firms. Interestingly, health insurance organizations view these particular ORSA components to pose a much greater challenge compared to other insurance firm categories.

• The Risk Culture and Governance ERM principle also scored relatively low in terms of a challenge. As we suggested earlier, this could reflect a view among insurance companies that their risk culture is relatively mature.

Page 25: ORSA Getting Ready for 2015

24 THE JOURNEY TO ORSA BEGINS

With regard to preparing the ORSA report, please rank the level of challenge as it relates to the capacity of the available internal resources in your organization:

• “10” indicates it will pose a very significant challenge• “1” indicates it will not pose a challenge

Level of Challenge

Actuarial 6.07

Risk management 6.01

Finance and accounting 5.83

Senior management 5.65

Compliance and regulatory 5.25

Internal audit 5.20

Underwriting 4.92

Claims 4.45

Commentary

• The capacity of actuarial and risk management resources presents the greatest challenges in preparing the ORSA Summary Report, while the availability of internal resources dedicated to claims and underwrit-ing is less of a challenge. The results are generally consistent across company size and category, though reinsurance firms rate actuarial and risk management resources as less significant challenges compared to other insurance firms. Also, health insurance firms view claims to be a more significant challenge relative to other organizations, which is not surprising given the changes in the payer industry.

• The ORSA Summary Report asks companies to look at risk quantification and risk management in a differ-ent way than the insurance industry has historically approached these topics. Insurance companies have focused primarily on quantifying and analyzing insurance risk through actuarial modeling and processes. For many companies, quantifying non-insurance risk areas will be a challenge from both a knowledge/talent standpoint and a workload perspective, especially to their actuarial and risk management teams.

Page 26: ORSA Getting Ready for 2015

25THE JOURNEY TO ORSA BEGINS

At this stage, the estimated length of our report will be:

Company Size (annual written premiums)

Greater than $3B

$1B to $3B $500M to $1B$250M to

$500MLess than

$250M

Length (no. of pages) 105 52 77 153 31

Insurance Category

Diversified Health Life P&C Reinsurance Specialty

Length (no. of pages) 66 137 49 60 40 15

Commentary

• As expected, healthcare companies anticipate having longer reports given the complexity of their organi-zations. Additionally, even though it may not be warranted, larger companies may anticipate producing a lengthier and more detailed report given that they have more established risk management functions.

Page 27: ORSA Getting Ready for 2015

26 THE JOURNEY TO ORSA BEGINS

Survey DemographicsPosition

Chief Risk Officer 16%

Chief Financial Officer 11%

Chief Audit Executive 10%

Chief Information Officer 3%

Chief Compliance Officer 5%

Chief Executive Officer/President 4%

Board Member 1%

Functional Executive 13%

ERM VP/Director 9%

IT VP/Director 7%

Operational Risk Management 9%

Vice President 7%

Other Insurance Management 5%

Type of Organization

Public 47%

Private 34%

Not-for-profit 10%

Other 9%

Insurance Company Category

Property & Casualty 55%

Life 25%

Health Insurer/Healthcare Payer 28%

Specialty Lines 24%

Reinsurance 16%

Broker/Agent 6%

Size of Organization (by annual written premiums)

Greater than $3 billion 30%

$1 billion to $3 billion 23%

$500 million to $1 billion 17%

$250 million to $500 million 12%

Less than $250 million 18%

Page 28: ORSA Getting Ready for 2015

27THE JOURNEY TO ORSA BEGINS

ABOUT THE ST. JOHN’S UNIVERSITY SCHOOL OF RISK MANAGEMENT

The School of Risk Management at St. John’s University’s Tobin College of Business offers degrees in actuarial science, risk, and enterprise risk management. The MS in Enterprise Risk Management is accredited by the AACSB. The school also hosts the Center for Excellence in ERM, run by Dr. Paul Walker. The Center hosts ERM roundtables, produces research and white papers on ERM, and conducts executive education in ERM.

ContactPaul L. Walker, Ph.D., CPAJames J. Schiro/Zurich Chair in Enterprise Risk ManagementExecutive Director, Center for Excellence in ERMSt. John’s University+1.212.284.7011

ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

ContactsShawn Seasongood Matthew MooreManaging Director Managing DirectorU.S. Insurance Practice U.S. Insurance Practice+1.646.242.7567 [email protected] [email protected]

Cory Gunderson Carol BeaumierManaging Director – U.S. Financial Services Practice Leader Executive Vice PresidentGlobal Leader – Risk & Compliance Solutions Global Leader – Financial Services Practice+1.212.708.6313 [email protected] [email protected]

Jim DeLoach Michael Pisano Managing Director Director+1.713.314.4981 U.S. Insurance [email protected] +1.212.708.6353

[email protected]

Page 29: ORSA Getting Ready for 2015
Page 30: ORSA Getting Ready for 2015

28PROTIVITI • BUILDING VALUE IN YOUR SOX COMPLIANCE PROGRAM

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

www.protiviti.com © 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. PRO-0914-101067