While
The regulation calls for insurers to manage a comprehensive ERM framework that is embedded within company operations by January 2015, and PwC noted that some insurance departments are already asking companies for their ORSA or similar documentation as part of the review process.
Of the survey’s 65 participants comprised a mixture of life, P&C and health insurance companies, 82 percent believe that their existing ERM processes are largely adequate for the requirements. However, 38 percent of company boards are not engaged or are only passively engaged in risk management, showing that risk governance may not be up to ORSA standards, PwC said. In addition, 35 percent of companies indicated that they do not have a risk appetite linked to business strategy and financial goals, which is crucial to a comprehensive and effective ERM program.
"Setting the risk strategy, implementing and validating a capital model and developing effective risk reporting capabilities could take a couple of years. Our survey shows that many organizations may be underestimating the amount of work it will take to meet the [ORSA] requirements," said Paul Delbridge, leader of PwC's risk and capital management services practice. "Achieving a risk-aware culture through the organization will require all areas to understand their roles and responsibilities in relation to risk identification, measurement, mitigation and monitoring within the ERM framework."
PwC's survey addressed the four main parts of an ERM program that have direct influence on ORSA preparation:
• Risk strategy – 25 percent of companies reported that risk appetite metrics are not part of the business planning process, while only 57 percent include some, highlighting a significant disconnect between risk management and strategic decision-making. A quarter of companies do not have a risk-specific limit framework to guide the business' compliance with risk appetite. A robust risk appetite and limits framework enhances risk governance and provides a platform on which to engage every stakeholder.
• Risk governance – More than 30 percent of companies do not have a dedicated chief risk officer, with three quarters of these insurers reporting that other positions cover the role, often on a part-time basis. The CRO or risk committees will be largely responsible for compliance with the ORSA requirements. A key component of successful ERM is a risk culture that involves the entire organization and fosters shared responsibility for risk management.
• Risk management – 22 percent of companies reported not having a formal process to address risk identification, with most of these insurers adopting an informal one to address risk identification. A small minority reported that they do not have or do not see a need for a formal process. Moreover, many companies do not have fully documented risk policies that cover the significant risks to which they are exposed. The ORSA process is also an ideal opportunity to perform a comprehensive stress, reverse stress and scenario testing exercise. ORSA should take place in conjunction with an organization's business planning process, leading to a high degree of coordination between risk, underwriting, strategy, finance and compliance functions.
• Risk quantification – 37 percent of companies are not using an economic capital measure in addition to the more traditional capital metrics of statutory capital, such as GAAP and rating agency capital. Economic capital models are very useful tools in risk management and risk aggregation, but even those organizations that have them in place do not necessarily use the information to the fullest to make strategic decisions. Given the business-critical uses to which capital models are put, ORSA requires models to meet the highest quality standards, be appropriately calibrated and fully tested and documented.
For the full report,
