That's what the Prudential Regulatory Authority and EIOPA say about ORSA – and they want insurers' Boards to drive it:
In many respects, the ORSA can be considered the cornerstone of Solvency II. Solvency II: a turning point – insurance industry briefing by Prudential Regulatory Authority
The ORSA ... changing the viewing angle from bottom up to top down ... and gives the supervisor insight into the level of quality of the management or supervisory body's risk understanding ORSA: the heart of Solvency II – EIOPA
This thought piece is:
- high level enough to be understood by a Non-Executive Director without a risk management background
- detailed enough to be of practical use to someone with a responsibility for actually writing the ORSA report
What I'll cover
- The PRA's expectations: It will probably not surprise you to hear that they are relatively demanding.
- Why the ORSA is part of the good news of Solvency II. Demanding, but it shouldn't be too much hard work.
- How to structure an ORSA report. The PRA hasn't given much guidance. Others have.
- How to produce good scenarios. So the Board can drive, engage with and challenge them.
- The surprising heart of ORSA. It's management actions – how do we make them credible?
- The future. And, especially, avoiding a nightmare scenario.
ORSA background: what, who, why and timeline
That same day the PRA set out its expectations of authorised insurers, following EIOPA's guidelines for the 2014-2015 preparatory period.
What is the high level requirement?
The name "Own Risk and Solvency Assessment" (ORSA) is suggestive:
- ORSA is an ASSESSMENT. A capital calculation is an assessment; it might, for example, suggest an appropriate amount to hold if the aim is for the value of assets to exceed the value of liabilities in a year's time in 199 out of 200 cases i.e. a 1-in-200 probability of insolvency.
The ORSA difference
An insurer may calculate its capital today (t=0) then project it over future years (t=1,2,3,4 say) on the assumption that everything goes according to plan.
The ORSA assessment is more forward looking. The essential distinguishing feature is that ORSA considers the effect of things not working as expected over the planning cycle of, say, 3-5 years – between t=0 and t=4 in the notation above.
- ORSA is a RISK AND SOLVENCY assessment. ORSA asks a range of questions:
- How do you link risk, capital and your business plan? In its simplest form, if all goes as expected do you have enough capital to deliver your plan?
- What if things don't go as expected? "Risks" between t=0 and t=4 are considered in various ways, using stresses, scenarios and perhaps other techniques.
- It's about capital. The capital position of the firm is considered in the context of the scenarios above. This may suggest the need to action today.
Again, the ORSA uses stresses and scenarios to test the adequacy of actual versus required capital i.e. that we remain solvent (over the planning period).
The PRA will be particularly interested in scenarios where future available capital drops below that required by Pillar 1's Solvency Capital Requirement (SCR) and the extent to which it does so. The PRA may – and the insurer should – consider the corresponding results for the firm's Economic Capital, if higher.
Some standard Formula firms will be required to reconcile their SCR and ORSA capital – an interesting exercise in itself.
- ORSA is OUR assessment. There are many reasons why the assessment – even at t=0 – might be different that Solvency II's Pillar 1:
- The target level of solvency may be different: Pillar 1 works on a 1-in-200 basis. Most insurers will calibrate their economic capital a higher level
- Standard formula or model: A firm may use the Solvency II's Standard Formula for its Pillar 1 capital, but an internal model for its ORSA.
- Different models. Insurers need to apply to the PRA to use so-called matching / volatility adjustments in Pillar 1. But (supposedly) not in the ORSA.
Sting in the tail: capital add ons
Capital add ons are only supposed to be used in exceptional circumstances – see below – but could arise from the ORSA.
Who wants it – and why?
The ORSA is part of Solvency II's Pillar 2. At European level Solvency II is driven largely by European Insurance and Pensions Authority – EIOPA – supported by national regulators. In the case of the UK this is the Prudential Regulatory Authority (PRA).
The point of the ORSA is to integrate insurers' strategy, risk management and capital management over the business planning period.
The 2013-2016 ORSA time line
Solvency II has been many years in the planning and delivery. This has frustrated both firms and regulators. Important milestones are:
- December 2012. EIOPA Opinion Statement calls for calls for the early implementation of certain elements of Solvency II. The two-year preparatory period.
- March 2013. EIOPA issues Consultation Papers in four areas set out in the table below.
- October 2013. Having received feedback on the above, EIOPA issues Solvency II interim guidance across 4 areas:
# Pillar Guideline and link Comment 1 I Internal models: Pre-application of internal models Ongoing challenges. Interacts with ORSA. 2 II System of Governance: System of Governance Documented in the ORSA. Straightforward. 3 II ORSA / FLAOR: Forward Looking Assessment of Own Risks (based on the ORSA principles) Assessment of risk and solvency. 4 III Submissions to local regulators: Submission of Information to National Competent Authorities Reporting – beyond the scope of this article.
- 1 January 2014 - 31 December 2015. The Solvency II preparatory period. Perhaps a dry run for 2016, although the PRA emphasizes "preparatory".
- 2014. First ORSA in preparatory period. Firms have a choice over when to submit this to the PRA.
- 2015. Second preparatory ORSA. Firms continue to have a choice over the submission date, but PRA will expect a significantly stronger output.
- 1 Jan 2016. Full introduction of Solvency 2.
The PRA's Board requirements: a higher hurdle
The high level challenge
The PRA expects the Board to play an active part at various stages, providing initial steering on how the ORSA should be designed and documented, challenging on risk identification and mitigation along the way and culminating in the Board approving and communicating the finished product. Its involvement is likely to need to be far more extensive than setting risk appetites and tolerances and firms are expected to plan a schedule of Board meetings to allow adequate time and opportunity for discussion as work on the ORSA proceeds.
The PRA may check that such arrangements have been made. PRA: Solvency II: applying EIOPA's preparatory guidelines to PRA-authorised firms – SS4/13
The bad news
Not only are the requirements on Boards – and others that have to produce ORSA-related work – extensive, the PRA has deliberately not supplied detailed guidance; it is, after all, a form's Own Risk and Solvency Assessment. There is also the context of Solvency II rules not having been completely finalised.
But it's not all bad news. A practical operational point is that information is available from the US which has "leapfrogged" Europe by introducing ORSA reporting requirements. So you could look there for ideas on structuring your ORSA report. More detail later. That's some good news – and there's more.
ORSA: some good news
There are high level Board and operational challenges, with potential for a capital add on. Is there any good news? Can ORSA help us? "Yes and yes".
The good news
- Insurers have more control over the ORSA than if the content was more fully prescribed. It should fit the business.
- Firms have, over many years, developed significant experience with internal models. These are an important ORSA tool.
- Similarly, many of the risk management and governance aspects of the ORSA are already in place. Much of ORSA is not new material.
The good news is that insurers have been investing in enterprise risk management (ERM) for several years. Insurers should expect that their ERM activities will provide a strong foundation for the development of ORSA procedures. NAIC's ORSA: A broader approach to regulation Towers Watson (2011)
- Some UK insurers will have been doing forward looking assessments and projections as part of the voluntary "ICAS+" regime.
The best news
The best parts of ORSA – including some of the "stretching" bits – are good business practice and what insurers should be doing as part of strategic planning.
An insurer should expect to grow its understanding of its business dynamics – and its operational competence – as a result of:
- Demonstrating the circumstances in which it was solvent at year ends but insolvent between times.
- Understanding scenarios – "ordinary" and "extreme" – in which it runs out of capital.
- Investigating the extent to which effective management action was a non-capital mitigation of these results.
- Developing general contingency plans, with trigger points.
- Linking risk appetite to strategy and capital – something else the ORSA can "make real".
Live issues in the 2014-2015 preparation period
For some firms important areas in capital calculations remain unresolved. The "long term guarantees package" has been agreed, leading to the final Solvency II launch date of 1 January 2016, but annuity writers particularly will need to make an application to the PRA to secure the package's benefits.
Delay, uncertainty and the Standard Formula. For whatever reason (time, cost, possibility of PRA refusal?) some large firms have chosen the Standard Formula rather than the Internal Model route, even though:
- firms had such models for the FSA's ICAS regime
- the Standard Formula will probably give higher capital than the "typical" internal model
- It is likely – and desirable – that insurers will use their internal models to calculate their "ORSA capital".
- It is unclear whether the PRA will insist that firms calculate their economic capital as part of the ORSA.
- If so it is unclear whether the PRA will lean on firms to hold this as a "capital add on" – see below.
- The quality and credibility of management actions are important, as the ORSA may (should?) show scenarios in which the insurer's capital drops below the SCR.
From the ORSA to a capital add on
Article 45 ("ORSA") of the Solvency II Directive states that "The own-risk and solvency assessment shall not serve to calculate a capital requirement. The Solvency Capital Requirement shall be adjusted only in accordance with Articles 37, 231 to 233 and 238." Article 37 gives three circumstances for add ons:
- The actual risk profile of the firm differs significantly from the capital generated by its use of the Standard Formula.
- The risk profile differs significantly from the capital generated by its use of use of its internal model.
- The system of governance (including risk management) falls short of the standards required by Solvency II.
"Capital add ons ... can be applied for governance and risk profile deviations including where the standard formula is not appropriate and a model is required. PRA in its work and presentation on the Standard Formula
The PRA have stated the importance they attach to the ORSA in the context of governance (above) and "non-financial resources" (below):
... we attach considerable importance to the ORSA and the role that it will play in future to support the Threshold Condition that insurers must have appropriate non-financial resources and robust risk and capital management systems. Source: Solvency II – a turning point Julian Adams, Deputy Head of the PRA
The ORSA should be a quality process and product, used in major business decisions and explaining how the firm controls its business.
Structuring an ORSA report: divide and conquer
The PRA has given little guidance on the content of a report, not wanting to encourage "me too" ORSAs. But it makes sense for an report to build on existing good work. Taking our lead from the NAIC ORSA guidance we can divide an ORSA report into three parts:
- Framework for risk management: Risk vision and plan, framework, appetite, policies, process etc.
- Risk assessment: Both current and future. Includes business plan, stress and scenario testing, reverse stress testing etc.
- Solvency assessment: Again, current and future. Measured on a Pillar 1 (SCR) basis and the company's own economic capital standard.
Let's take the three parts in turn.
 Framework. For an insurer with a mature functioning enterprise risk management framework (1) should be straightforward, although there may be more emphasis than ever on quality documentation (and implementation). We should also note the scope that Article 37 of the Solvency II Directive gives scope for imposing a capital add on based on perceived weaknesses in risk management and governance alone.
Speaking about working through EIOPA's preparatory guidelines – rather than just risk frameworks – Julian Adams, Deputy Head of the PRA, said:
As many of the guidelines represent good practice in conformity with existing UK rules, they should not present an additional burden for many firms. Source: Solvency II – a turning point Julian Adams, Deputy Head of the Prudential Regulation Authority
 Risk assessment. Challenges include the selection of appropriate scenarios and their interaction with management actions – the main focus of what follows.
 Solvency assessment. I suggest below that Pillar 1 (SCR) capital and Economic Capital should be projected for each scenario. I do not consider all the complexities of doing this e.g. identifying qualifying assets. The implications of falling below the SCR in some scenarios are considered.
Two technical items: Standard Formula reconciliation and demonstration of continuous solvency
These two areas are sometimes put alongside ORSA so as to give (1) ORSA, (2) Standard Formula reconciliation and (3) demonstration of continuous solvency. The Board contribution to the scenarios and management actions part of ORSA is critical, while its contribution to (2) and (3) is likely to be less significant.
An ORSA exercise provides an excellent opportunity for enhanced collaboration between risk and actuarial functions.
But how can the Board engage with and drive forward the ORSA in practice? Let's make some suggestions.
Stress and scenario testing in ORSA: beyond a good news story
More than good news?
There are two ways to look at the ORSA report:
- An opportunity to present good news. The insurer remains easily solvent under all stresses and scenarios. Message to regulator: all is well.
- An opportunity to learn something. The insurer actively seeks out scenarios where it comes under significant pressure. Message: we're serious about this.
Of course it's a delicate balancing act; an insurer wouldn't want (2) to backfire, causing additional work and gaining a capital add on for its trouble.
The reality is, of course, that being solvent over a future time period is a probabilistic statement: it is as easy to choose scenarios which make the firm insolvent as it is to show no issues. A proactive and self-challenging approach is likely to be preferable. Consider the following:
- Insurer insolvency is already on the table; there is requirement to "test to destruction" using reverse stress testing.
- Recovery and resolution plans have received increased focus since the financial crisis. While aimed at banks, the ideas are portable to insurers.
- Regulatory relationships: The PRA's approach to insurance supervision suggests insures should be open and in turn commits to being proportionate.
The PRA wants straightforwardness and has promised proportionality, so that "Trust can thus be fostered on both sides" (PRA). The alternative unpleasant.
Stresses and scenarios: a tabular approach
In moving from high level ideas to the more specific a simple table can be a useful tool to present scenarios. The main ideas in the table below are:
- Business as usual, stress, scenario: These three aspects are covered in comments below the table.
- AC: This is the available capital at the worst point.
- SCR: The Pillar 1 capital requirement (Standard Formula or Internal Model) at the worst point.
- EC: This is the required economic (internal, risk-based) capital at the worst point. It will also be driven by e.g. marketing requirements.
- Management action: Either in place initially or as a result of the ORSA assessment, these are the actions intended to improve the result reported.
|Business as usual||Name||BAU description||AC||SCR||EC||Management actions|
|1||Vol-E||Base case: expected volume|
|4||App-H||At limit of risk appetite|
|5||Vol-H-App-H||High volume and at limit of risk appetite|
|Stress||Name||Stress description||AC||SCR||EC||Management actions|
|1||Stress-1||Swaps curve flat 1%|
|2||Stress-2||Mortality improvements 1% over best estimate forever|
|3||Stress-3||Lapse rates 150% of expected|
|Scenario||Name||Scenario description||AC||SCR||EC||Management actions|
|3||Scenario-3||Internal/external hybrid scenario|
On stress and scenario SELECTION
There are two issues here: the type of scenarios are the level of stress.
 What type of scenarios are "good"? If we want the scenarios to be genuinely useful we can get a steer from the PRA's recovery planning document. It suggests (for recovery purposes) that there should be at least three scenarios: one "internal", one "external" and one "hybrid". Not a bad idea for the ORSA.
Extreme scenarios and management actions
An added advantage of using the recovery planning document is that it suggests a level of detailed management actions that the PRA is seeking in response to such extreme scenarios. It's a balancing act. It may only be a matter of time until the PRA looks to use this tool for insurers too. Be prepared!
 How testing should these scenarios be? A good answer comes from avoiding – as a matter of your ORSA policy – the "only present good news" approach. Seeking out of "extreme" (or genuinely testing) stresses and scenarios is recommended by Dave Ingram:
RISKVIEWS suggests that Stress Tests should be chosen so that the company can demonstrate that they can pass ... under a wide range of scenarios AND ... that one or several of the Stress Tests are severe enough to produce a fail ... so that they can demonstrate that management has conceptualized the actions that would be needed in extreme loss situations. Source: Dave Ingram's ORSA: AC – ST > RCS
Finally, although outside the normal stress and scenario approach it is useful to have some idea of the likelihood of those scenarios which are associated with poor solvency results – obviously the idea is that they are remote and have compelling associated management actions.
See "Showing continuous compliance with Solvency II capital requirements" under "Two practical challenges" section for more reasons not to be intimidated.
Business as usual testing
This testing is a reality check both on results and functionality. Some (or all) of these might not be regarded as stresses; that's a terminology issue.
- Expected volume. Everything as expected. Problems here suggest the business plan is bust!
- Low volume. The solvency position should almost inevitably be better than under (1).
- High volume. This is "success" – so is another good check on the sufficiency of current capital to support business plans.
- At limit of risk appetite. (1)-(3) implicitly assume current or target level of risk. (4) assumes the "riskiest" position allowed by the risk appetite.
- High volume AND at limit of risk appetite. I suggest that this is still a "reasonable" rather than a stressful scenario. What stops (5) in practice?
Conventional stress testing
There are several approaches to stress testing, all of which can be useful:
- One parameter at a time. This is conventional stress testing. The single parameter approach underlies capital calculations.
- Reverse stress testing. One parameter is stressed until the firm becomes insolvent. There are scenario and multi-parameter alternatives to this approach.
- Several parameters at once. Sometimes called scenario testing – there may be no underlying "story". Individual parameters are stressed less than in (1).
Conventional stress testing shouldn't generate too much in the way of surprises. Suppose an insurer has a 200% solvency ratio, based on capital at a 1-in-200 level, and that credit risk makes up 40% of solvency capital. A 1-in-200 credit stress should broadly leave solvency at around 200% * (1 - 40%) = 120% level.
One could argue that the stress above is both relatively extreme and unrealistic on a stand alone basis – other approaches can allow for correlation.
A combination of art and science to which the Board should be making a major contribution. See "On stress and scenario SELECTION" above.
Two technical challenges
Firms don't have to "just" perform the vanilla ORSA, as described above. Many firms will need to carry out two other pieces of work, as described below. The EIOPA "proportionate" approach is that they are seeking 80% market coverage and that all firms with assets of more than 12 billion Euros should comply.
Challenge 1: ORSA capital versus Pillar I standard formula
Internal model firms are exempt from this requirement. For Standard Formula firms this reconciliation seems entirely reasonable and shouldn't be overly difficult. As a practical point (obviously?) you can't simply opt for the standard formula, in Pillar 1 and / or Pillar 2:
The standard formula is designed to be used by the majority of firms, although firms must be able to demonstrate that it is appropriate, and that any deviations from the assumptions underlying the standard formula are not significant. In the event of significant deviations, firms should consider possible consequences of this deviation and options to address the issues. This should be detailed in the own risk and solvency assessment (ORSA). Source: PRA Standard Formula
Firms could end up stuck: a non-approved internal model, forced to use the Standard Formula while having suggested they don't think it is most appropriate.
Challenge 2: Showing continuous compliance with Solvency II capital requirements
You have the SCR covered at t=0,1,2,3 and 4: how do you know you didn't dip under this e.g. at t=2.5 i.e. between year ends?
The siren song of monitoring, calculating and mathematics
Showing continuous compliance can be a very interesting and technically demanding piece of work. Here's some material on the "set up" followed by some ideas on how to get more value out of this idea. Again, the ultimate objective should be more than presenting a good news story that "we were solvent every day".
The set up
You want to estimate the probability that over a time period from T0 to T1 the firm's solvency fell below a particular level. Example time periods are a year or the period between solvency calculations – perhaps a month. The level chosen could be a target level of capital, the SCR or 0. There are two perspectives:
- Backward looking. This is the obvious way of thinking, given the "continuous compliance" title. It feels somewhat defensive: we know our actual solvency at a point in time but, looking back, could there have been (was there?) a time in which things were tighter? Perhaps we were insolvent without noticing?!
- Forward looking. A more proactive and helpful perspective, with an action focus; if we are uncomfortable that the probability of "non-compliance" over a time period is too high what do we do about it? The forward looking perspective guides us to the right mix of maths, calculation, monitoring and action.
Beyond the siren song
- Maths. A starting point is that, for regulatory reasons, we should know the amount of capital giving a probability of 1-in-200 that, in the absence of management actions, the firm becomes of "absolutely insolvent" over the next year – i.e. the value of its assets is less than the value of its liabilities. A range of mathematical models – from Normal, Log Normal or more esoteric – help move us from that "absolutely insolvent" base. We can use them to change:
- The time period: to less than a year e.g. to a month or less.
- The amount: moving the focus from "absolute insolvency" to e.g. failing to cover the SCR.
- The probability: looking forward, what is an appropriate probability for failing to meet the SCR?
Looking forward, (3) is the reality. "Absolute continuous compliance" is a myth; a 1-in-200 probability of absolute insolvency means a larger probability of not meeting the SCR (over a year). We need to see beyond the siren song of fascinating maths.
- Calculation. Typically insurers will calculate their Pillar 1 solvency (SCR) and economic capital on a monthly basis. Some do daily solvency monitoring, using real time market data and simplified modelling approaches. These demand much less time and computing power, while sacrificing little in the way of accuracy.
- Monitoring. Calculation is time- and computationally-intensive. Typically the biggest (and fastest) solvency risks come from economic movements. Market assessments in the form of prices, yields, indices etc are forward looking. Credit spreads, for example, feed directly into the value of assets, indirectly into the value of liabilities and are partly indicative of future risks. A smart insurer uses spreads and other market data to inform the probability estimation in (3).
- Action. Looking forward, the maths can guide our expectations as to the likelihood of particular outcomes over a period (T0,T1) given the initial T0 position. Looking back, more complex maths can inform us of the likelihoods given the positions T0 and T1. More frequent calculations can help, especially if things are "tight". And monitoring – including estimation of the solvency position from the factors being monitored – can also help.
But help what? Help in decision making and timely action. There's no such thing as as a 100% guarantee of compliance with a solvency target.
Conclusion: more than a technical challenge
The forward looking emphasis is the key to making continuous compliance more about action than compliance. The same could be said for the whole ORSA.
Management actions: the heart of ORSA
The heart – really?
If you've started reading here – perhaps because this was the section I left "open" by default – you may be wondering why management actions are the real heart of ORSA. The name is Own Risk and Solvency Assessment: there's no direct pointer to action and typically, risk management doesn't emphasise action.
But sound risk management can never just be about having plenty of capital; there is always something unexpected on the horizontal and no shareholders want to provide capital which is absurdly value-inefficient. The value of an ORSA report which shows a strong solvency position in all circumstances is questionable: it may lack credibility and is a missed opportunity for an insurer to demonstrate to itself and its regulator the effectiveness of its management actions.
Gaining credibility:  articulation of management actions
How important is it for insurers to explain management actions in writing?
Documentation is the primary way to communicate with supervisory authorities about internal models to allow them to form a continuing judgment on the internal model's appropriateness and reliability. Level 2 advice on Tests and Standards for internal model approval
Try replacing "internal model" with "management action". Articulation is critical.
Gaining credibility:  track record of contingency plans
Contingency plans are surprisingly rare in risk management. The focus is often on risk assessment rather than action to put in place contingency plans, controls, mitigations – or any other form of action. There are several reasons why this could be, including:
- The belief that the chances of something going wrong are so remote that it's not worth planning for.
- An emotional commitment to "Plan A". Often this can be supported by a visionary and entrepreneurial CEO – and we need those for sure!
- The natural bias of some risk people towards analysis and monitoring.
Examine your organisational track record: some areas will be directly relevant, while you may be able to "borrow credibility" from others.
Here are ways in which you can demonstrate a track record of delivery, even when this is not recovering from an SCR breach. While the articulation above may succeed in showing your plans, the intention of the track record is to show that "related" plans have proved useful and have been successfully executed in the past.
- Solvency contingency plans: As solvency levels decline various actions should be triggered: asset sales, reinsurance etc. More detail below.
- Risk contingency plans: What happens when you exceed your corporate (i.e. aggregate) risk appetite? Is there a formal plan to get back on track? Was that a contingency plan or policy, drawn up ahead of time, or something put together when the risk appetite was exceeded? Do you stick to actions and timescales?
- Operational contingency plans: How's your business continuity and disaster recovery? What about contingency planning in more mundane areas such as projects, an office move etc. Operational areas can have strong "Plan A" thinking, due to our familiarity with the operational business core.
- Action plans: It's not just the the big stuff. Does your firm have a consistent record of delivery, perhaps in the "non-risk" world? Are your commitments to shareholders honoured? Are your projects successfully managed, delivered in time and on budget? This can be any plans, not just contingency plans.
- Other judgements: So-called "optimism bias" e.g. consistent under-estimation of the time something will take can be significant. Do 50% of your tasks overrun, or is it closer to 90%? How often are your estimates revised up / down? Again this goes beyond formal risk management.
Solvency contingency plans: more detail
We look at an example of a UK insurance company as its solvency levels fall. In practice the action plan should be much more detailed than the table below.
In recent years a number of companies have entered – and often subsequently exited – the UK pensions buyout market. Such companies should have a plan for what happens if its solvency position worsens, particularly if it is owned by a bank or private equity firm. The plan might have a number of "triggers" as follows.
|Under target solvency (short term)||Project expected future solvency||
|Under target solvency (med term)||Request capital injection from shareholder||
|Under target solvency (med term)||Reduce or stop any dividends, plus one or all of:
Already this seems like "the beginning of the end", since new business may be cut back and market sentiment may turn negative.
All the other proposals lose economic value, reinforcing the perception that this is a bad business.
Cost reduction could also be considered, but is unlikely to make the difference, unless organisation is hugely overstaffed.
We now turn to alternative (more serious?) solvency triggers.
|Breach solvency commitments to clients||Enable clients to recapture business||
|Breach Solvency II technical provisions||Seek trade sale of business||The intention of the risk margin is that this should still be possible|
Peering into the future – and a nightmare scenario
The first few sections below peer into the future, based on publicly available information – and a little speculation of course. The impatient or intrigued may want to jump to the last section: a worst case "nightmare" scenario in which UK regulators use generic powers available to them to constrain you, because they believe your firm's plans or resources lack credibility; they think you have a bad plan or a lack or ability to execute, placing your policyholders at risk.
The all-too-real nightmare: Deutsche co-chiefs quit over scandal
It's 8 June 2015 and I sit here, having finished the ORSA article, sipping my well-deserved Americano. "Deutsche co-chiefs quit over scandal" is a Times headline:
- Co-chiefs Anshu Jain and Jurgen Fitschen step down, two weeks after a major reshuffle which placed them at the heart of a restructuring strategy.
- Deutsche Bank has paid 9 billion (Euros) in fines since 2012, with another 4 billion expected this year – several banks have many pages of dispute disclosures.
- The UK and US divisions are both in "special measures" and facing "enhanced supervision" by regulators "because of serious concerns over how they are run".
- At May 2015's annual meeting, leading investors criticised Jain and Fitschen for not providing enough detail on a proposed five-year recovery plan.
- Bank profitability is still a major issue. A fine of 2.5 billion (Euros) in April 2015 reduced annual profitability to 559m Euros, based on revenues of 10.4 billion.
Conclusion: behaviour and consequent regulatory fines are killing this bank. To be fair it's not clear that "vanilla" ERM will solve things.
Shocks on or before day-1
An internal model may not be approved – and if the application deadline is missed it won't be; the back of the queue awaits. There could be a capital add on, for a variety of reasons as explained above. This could, for example, be because your governance or risk management is deemed to be substandard.
The standard is likely to be raised after 2016. The PRA may argue this is because of initial proportionality rather than subsequent gold plating:
... getting to January 2016 in good shape is only the start. If our experience of Solvency II is the same as for the introduction of the ICAS regime in the UK – and taking into account transitional arrangements – we may be looking at the best part of a decade for us and firms to be able to use the regime. It is worth remembering that ICAS is both much simpler in design and ambition and also much less prescriptive than Solvency II. Source: Solvency II – a turning point Julian Adams, Deputy Head of the PRA
Beyond Solvency II
Ten years of Solvency II-related work won't be enough:
Looking beyond Europe, we are also at a point of fundamental change in the development of global insurance regulation. The IAIS is working towards a common supervisory framework for internationally active insurance groups through its ComFrame initiative. It has also recently announced that it will develop a risk-based global insurance capital standard within ComFrame by 2016. So European insurance regulation will have the ability to both shape – and in turn be shaped by – wider global developments. Source: Solvency II – a turning point Julian Adams, Deputy Head of the PRA
The nightmare scenario: use of generic regulatory powers
Finally, the PRA and FCA have powers tucked away.
Nightmare part 1: the PRA's 8 Fundamental Rules
- Fundamental Rule 3: ... act in a prudent manner
- Fundamental Rule 4: ... at all times maintain adequate financial resources
- Fundamental Rule 5: ... have effective risk strategies and risk management systems
- Fundamental Rule 8: ... prepare for resolution so, if the need arises, it can be resolved in an orderly manner with a minimum disruption of critical services
Evidently these are subjective areas, in which the PRA is permitted to form a judgement. Firms "must" satisfy these conditions, so we might ask: "what happens if my firm fails to meet condition X?" Is an improvement plan required, is there a capital add on, is the firm closed to new business?
The scariest area is Fundamental Rule 5 on effective risk strategies and risk management systems. Are you risk-effective? Have you articulated this?
Fundamental Rule 8 on resolution should be less scary (currently!) Its location in the PRA Handbook suggests that it applies to all PRA-regulated firms, but the PRA's more specific Supervisory Statement on recovery planning "is aimed at UK banks, building societies, UK designated investment firms and qualifying parent undertakings to which the Recovery Planning Part of the PRA Rulebook applies." It should not be used against insurers, though there's a "direction of travel".
Nightmare part 2: the FCA's Threshold Conditions
In the nightmare scenario if the PRA doesn't get you the FCA does! Included in the Threshold Conditions are:
- 2.3: effective supervision – the firm must be capable of being effectively supervised by the FCA having regard to all the circumstances
- 2.4: appropriate resources – the resources of a firm must be appropriate in relation to the regulated activities that it carries on or seeks to carry on
- 2.5: suitability – the "fit and proper person" requirement
- 2.7: business model – it must be "suitable" – and that seems to go way beyond solvency (see below)
Why are these so potentially scary? Regulators pass judgement on a firm's business model (and profitability):
Firms carrying on, or seeking to carry on, a PRA-regulated activity, should note that the PRA states in its Approach Documents that analysis of such firms' business models will form an important part of the PRA's supervisory approach. For the avoidance of doubt, this guidance does not apply to the PRA's own assessment of the firms' business models.
Did that "for the avoidance of doubt" work for you? No, it remains unclear to me too. In its Approach to insurance supervision document the PRA says:
Business model analysis forms an important part of the PRA's supervisory approach. The PRA examines threats to the viability of an insurer's business model, and the ways in which an insurer could create adverse effects on other participants in the system by the way it carries on its business. The analysis includes an assessment of where and how an insurer makes money and the risks it takes in so doing. Insurers are assessed at the level of the insurer or the sector as appropriate.
the FCA may consider all matters that might affect the design and execution of a firm's business model, taking into account the nature, scale and complexity of a firm's business.
firms should consider ...
- the assumptions underlying the firm's business model and justification for it;
- the rationale for the business the firm proposes to do or continues to do, its competitive advantage, viability and the longer-term profitability of the business;
- the expectations of stakeholders, for example, shareholders and regulators;
I suspect that – today – the PRA will only apply recovery and restitution planning to bank. Similarly there are strong indications that the intention is to only apply the FCA's "appropriate resources" Threshold Condition to investment firms and smaller insurers. But that's not a good argument to have.
And I would be much more concerned about the generic powers under "effective risk strategies and risk management systems". Make your ORSA good.
External resources – including "how to write an ORSA report"
UK emphasis: Solvency II specific
- ORSA for Dummies – Peter Taylor at the Institute of Risk Management Solvency II Group
- ORSA: the heart of Solvency II – Same link as above – useful summary of Lloyds ORSA Guidance
- Lloyds ORSA Guidance – including (undiluted) Lloyds on structuring an ORSA report
- Deriving Value from ORSA: Board Perspective – the International Actuarial Association
- System of governance and own risk and solvency assessment – introductory PRA material.
- EIOPA Solvency II Preparatory Phase – list of (and links to) the four guidelines issued by EIOPA in 2013.
- Solvency II: applying EIOPA's preparatory guidelines to PRA-authorised firms – the PRA's response and thought in response. Supervisory Statement 4/13.
- Analysis of EIOPA's final preparatory guidelines – E&Y, October 2013.
UK emphasis: Beyond Solvency II
- Corporate governance: Board responsibilities – PRA consultation, May 2015
- Recovery and Resolution plans – PRA consultation, May 2015
- Recovery planning – applies to banks but includes useful material on scenario planning and wind downs
- Overview of US ORSA – Feb 2015, National Association of Insurance Commissioners (NAIC)
- NAIC Own Risk and Solvency Assessment (ORSA) guidance manual – July 2014, National Association of Insurance Commissioners
- NAIC's ORSA: a broader approach to regulation – June 2011, Towers Watson
- ORSA: what's really going on?
- Full limits stress test
- Writing an ORSA report
Writing an ORSA report: Ingram and Willis
The US National Association of Insurance Commissioners (NAIC) has suggested three sections to an ORSA report:
|#||Our name||NAIC name||4A framework item(s)|
|1||Risk management framework||Description of the Insurer's Risk Management Framework||Articulation and administration|
|2||Risk assessment||Insurer's Assessment of Risk Exposures||Assessment|
|3||Prospective solvency assessment||Group Risk Capital and Prospective Solvency Assessment||Assessment and Action|
The Willis / Ingram take on what each section should contain is as follows:
Section 1: risk management framework
This section is descriptive. Willis suggests, based on their sense of NAIC's intent, that coverage should be at least:
- Risk identification including emerging risks
- Risk limits, mitigations and controls
- Risk organization
- Policies and standards
- Risk appetite and tolerance
- Risk governance
- Risk management culture
- Risk measurement and reporting
Interestingly, the assessment piece gets coverage here and in the item below. Perhaps not surprising: assessment the pivotal piece.
Section 2: risk assessment
The risk process and, especially, how the insurer assesses risks, particularly material risks.
- Risk measurement
- Stress testing
- Risk capital
- Interdependence of risks
- Economic capital model validation
Section 3: prospective solvency assessment
The final section of the ORSA report explains why management and the board have sufficient capital to undertake their business plan, even if future experience turns out to be much worse (due to internal or external factors) than is expected in the plan. Source: Wills Guide to writing an ORSA report
This sounds distinctly odd; the idea that you can fulfil your business plans over the next 5 years (rather than simply remaining solvent) even after "much worse" experience seems to imply that either you are running with far too much capital or you are deluded. Let's quote Ingram himself:
RISKVIEWS suggests that Stress Tests should be chosen so that the company can demonstrate that they can pass ... under a wide range of scenarios AND ... that one or several of the Stress Tests are severe enough to produce a fail ... so that they can demonstrate that management has conceptualized the actions that would be needed in extreme loss situations. Source: Dave Ingram's ORSA: AC – ST > RCS
That's my view too: whatever its name, management actions are the key to a dynamic ORSA which goes beyond analysis.
Writing an ORSA report: Ingram at Riskviews – a 17 Step ORSA process
Finally, in Instructions for a 17 Step ORSA Process Dave Ingram gave a split according to role and level of difficulty, rather than NAIC classification:
Five Intro to ERM Risk Control Cycle Topics
- Risk Identification
- Risk Measurement
- Risk Limits and Controlling
- Risk Organization
- Risk Management Policies and Standards
Advanced ERM topics
- Stress Testing
- Risk Capital
- Risk Appetite and Tolerance
- Emerging Risks
- Interdependence of Risks
- Risk Management Governance
- Risk Management Culture
- Change Risk
- Risk Disclosure
- Model Validation
Bringing it all together