Graham Black, actuary at Capita, explores the European Union Directive Solvency II Pillar 2 - ORSA - as part of an effective enterprise risk management framework.
The concept of enterprise risk management (ERM) has existed for many years, but it wasn’t until the 2008 financial crash that it gained significant prominence.
More recently, the Solvency II European Union Directive has formed the core regulatory framework for insurers in the European Economic Area (EEA), which includes the regulatory requirement to complete an own risk and solvency assessment - or ORSA.
This internal review process is designed to ensure insurers will always be able to meet their policyholder obligations, providing the Board, senior management and regulators of insurance companies with an assessment of:
- the adequacy of its risk management
- its current, and likely future, solvency position.
The ORSA can therefore be used to complement and strengthen an insurer’s ERM framework, across the following key areas:
Risk culture and governance
Under Solvency II, four functions (actuarial, risk management, audit and compliance) are established, which are naturally embedded into ERM’s three lines of defence model (business, risk management & compliance, and internal audit functions). This ensures clear, transparent roles and responsibilities which are well defined throughout the organisation to develop a culture that nurtures and supports accountability in risk decision making.
Risk identification and assessment
The ORSA can also support the clear, coherent and consistent management of risk identification and assessment across the entire organisation by identifying areas of weakness so that further measures can be put in place.
Risk appetites and tolerances
Risk strategy formulation itself is rarely simple, but the focus required by the ORSA can at least ensure that, once the overall risk strategy of the Board has been agreed, it is clear and consistent, providing the company’s formal risk appetite. This can also include the provision of associated risk tolerances (and limits) for the various sections of the organisation for further clarity.
Risk management and controls
The ERM framework enables management and operational controls to ensure risk is kept within the tolerances and limits set out by the company’s risk appetite – this is similar to the use of ORSA in providing information on a company’s risk management adequacy and solvency position, further ensuring robust controls.
Risk reporting and governance
Undertaking the ORSA process also enables greater transparency of the risk management reporting and governance processes throughout the ERM framework, evidencing that ORSA is actively used by senior management to aid strategic decision making.
What’s needed beyond Solvency II to deliver an effective ERM framework?
From a Solvency II perspective, the main focus is on solvency, primarily to ensure that companies’ undertakings are financially sound and can withstand adverse events to protect policyholders and the stability of the financial system as a whole.
However, organisations can be complex machines, not least the risks they have to manage. Throw in the importance - and complexity - of people and those complications can increase – potentially leading to financial loss, reputational damage and regulatory action.
The presence of people, particularly decision makers and those involved with the production of ORSA, can introduce additional risk which shouldn’t be overlooked. Therefore, the additional (people) risks, particularly key persons, should be considered for a more effective ERM framework.
Key persons should be held more accountable for their decisions, but people can still easily commit misconduct – whether by accident or purposefully – despite the checks and balances in place. Unhelpful and risky behaviours can include, for instance:
- Not being rational
- Decisions made using emotions, gut-feeling, suspicions etc
- Poor assessment of probabilities
- Difficulty seeing a need for change
- Natural bias towards loss aversion
- Following the crowd mentality
- Cultural, religious or societal norms influencing behaviours.
ERM’s scope is wider and, although there is no single definition for it, there is general agreement on the overall concept and principles. In addition to Solvency II, the following policies are needed to deliver an effective ERM framework and ultimately aid decision making and help to create value:
- Promotion of a holistic risk management approach rather than a silo-based approach
- A coordinated effort starting from the Board and promotion of strong corporate governance
- An integrated framework across the whole business
- Cultivating a positive risk culture across the business.
Preparation of the ORSA should be considered as part of a wider and robust ERM framework, rather than a bureaucratic tick-box. By focusing on ERM, an inherently risk-exposed insurance industry can lay down the foundations necessary to reduce the danger those risks pose.