The NAIC “2014 ORSA Pilot Key Results and Recommendations to the Industry Webinar” was held on August 11, 2015. It was scheduled to last two hours and provided a lot of good detail the entire time (although I was grateful for the 5-minute break in the middle of the webinar). Reading the “Observations of the Group Solvency Issues (E) Working Group” was helpful. Getting additional context and commentary from the source was even better. Sherry “Cyranna” L. Flippo and Elisabetta Russo, both with NAIC, were the presenters and I thought they did a great job of providing practical guidance to the audience. Here are a few of the items I took from the webinar that went beyond the written feedback found in the “Observations of the Group Solvency Issues (E) Working Group”:
- Some carriers had a risk universe of, say, 300 risks and included the top ten in the report. The rest were shown in an appendix. This is fine, but explain why the top ten were chosen.
- If you include a top ten, show their risk assessment results or explain why the results were not included (perhaps the risk was operational and not quantifiable).
- Think of this as what you would present to your board of directors.
- Include the strategy for the next year or three years or five years or whatever time period is covered by the business plan.
- The executive summary is a good starting point for regulators to interview carrier management.
- Honest dialogue of the organization’s current state is important. Regulators recognize that building an effective ERM process takes time (don’t need to be perfect yet).
- Is risk management limited to a department or is it really embedded within the organization?
- Many reports highlighted committees, which is fine, but regulators want to know who to interview and who is the “risk-go-to person.”
- Many reports talked about corporate values under Risk Culture & Governance instead of focusing on the items listed in the “Observations of the Group Solvency Issues (E) Working Group.”
- Risk Identification and Prioritization is a key building block. Describe how you do this, who is involved, how risks are ranked, how risks are detected and controlled, how risks are determined (brainstorming, surveys, etc.), and how regulators will know if an area of risk was left out.
- Risk Appetite, Tolerances, and Limits should be shown for each risk. If these cannot be established for a specific risk, explain why not.
- Under Risk Appetite, Tolerances, and Limits, the expectation is that what you do makes sense and that you can explain it.
- Under Risk Management and Controls, they are looking for the process for key and non-key risks. If policies are in place, organizations don’t need to attach them all, but should list them. Describe any monitoring systems in place for limits or exposures.
- If an organization is still developing the risk control framework, that’s understandable, but explain what the plan is to develop it. Don’t forget to involve internal audit.
- Show the effects of controls on risks and how the organization manages residual risk.
- Under Risk Reporting and Communication, don’t just provide a list of reports. Describe who gets the reports and how they are used.
- Assessment of Risk Exposures should include all risks identified earlier in Section 1. If a risk is excluded, explain why.
- Under Stress Tests, explain why the carrier selected the stresses that were tested.
Now is the time to evaluate and polish your organization’s ORSA summary report. If your ERM isn’t perfect, that’s okay, but it is clearly important to describe how progress is being made and the time frame(s) involved. So, take a deep breath and remember the words of the “Oracle of Omaha” ...
“Risk comes from not knowing what you’re doing.” - Warren Buffett