Best practices for creating your ORSA report

Best practices for creating your ORSA report
June 2, 2016


The Own Risk and Solvency Assessment (ORSA) has evolved from a relatively unknown requirement to a present reality, and companies continue to adapt their plans to comply with the mandate.

While the ORSA may not have come together as many planned, the planning process did provide tangible benefits. Gaps were identified, action plans developed, and processes improved. Risk identification, monitoring, and mitigation for many insurance companies have become more prominent and transparent than ever before.

The inaugural year of the ORSA process and its accompanying Summary Report presented significant challenges and opportunities for insurance companies. Although based on an organization’s ERM framework, ORSA was a totally new regulatory requirement that demanded a substantial investment of resources and time—and indeed still does.

The challenge presented by the ORSA requirement is to develop a process and produce a Summary Report that closely matches the unique goals, policies, and practices of the insurer, while avoiding a cookie-cutter approach.

This challenge is also an opportunity to take a fresh look at the organization’s risk protocols, deployment of capital, and ERM-related computer systems, perhaps leading to meaningful changes or simply confirming the adequacy of the current practices.

This paper provides tips to facilitate the process, avoid fundamental mistakes, and prepare the Summary Report efficiently.

Understanding the ORSA

The ORSA—applicable to individual insurers writing more than $500 million of annual direct written and assumed premiums, and/or groups writing more than $1 billion of annual direct written and assumed premiums—is a considerable hurdle for domestic and international insurers.

money spent for creating ORSA;

In essence, the ORSA is a mandated process that requires insurers to create internal processes to asses their risk management and solvency positions under normal and stressed scenarios.

It requires an insurer to analyze any and all relevant risks that could have an adverse impact on its ability to meet financial policyholder obligations. It is designed to be a nonprescriptive approach to risk management, where insurers are asked to use their best judgment in formulating their assessments of current and future risks.

Although it can be viewed by some as an annual report, the ORSA is designed to be continually evolving and should have a prevalent role in the enterprise risk management function.

Insurers required to comply with ORSA are required to:

  • Conduct an ORSA no less than annually
  • Document processes and results of the ORSA internally
  • Provide an ORSA Summary Report to the lead state insurance commissioner annually, if the insurer is a member of an insurance group, and upon request to the domiciliary state commissioner

As the emphasis is on the "Own" in Own Risk Solvency Assessment, insurers are left to decide what would best represent their present situations. And that means there is plenty of room for error.

The following are 10 best practices to follow when determining your path.

1. Do not make the ORSA Summary Report overly complex.

An assessment that is the right size does not overwhelm the reader, nor does it contain unnecessary complexity. Following the impulse to toss in every shred of related material creates a bloated report whose usefulness is questionable at best.

Instead, gear the report to an executive readership—senior management, board of directors, state commissioners, and perhaps, rating agencies. This level of readership appreciates concise messages as opposed to having their minds numbed by hundreds of pages of details.

At a deeper level, an overstuffed Summary Report may not clearly communicate the findings of the ORSA process. Therefore, it undercuts the most important purpose of that process—to identify and remediate risk-related deficiencies within the organization.

These deficiencies may include inappropriate spending, too little on problem areas and too much on risks that are less material or relevant, or problems that could be adequately addressed with fewer resources. You might also uncover deficiencies related to an organizational structure that is less than ideal, or one suffering from lack of appropriate governance or ineffective information sharing.

While sizing up the ORSA process and Summary Report requires a bit of subjective judgment, a guiding principle should be to create a product that provides information in a clear and concise manner to all stakeholders—boards, management, regulators, and ratings agencies. From this perspective, wasting resources on an overly complex process serves no one’s interests and can actually make it less understandable.

How to avoid:

  • Align ORSA participants with the expectations of the board and top leadership in regard to the project’s scope and constraints.
  • Arrange and present material starting with the highest level of abstraction and ending with the lowest—from executive summary, overview diagrams, and graphs, down to detailed appendices with supplemental information.
  • Use pictures, charts, and trend analysis to illustrate complex topics in easily understood terms.
  • Eliminate redundant effort by ensuring that all ORSA participants can share data and report drafts— documents, spreadsheets, databases, calendars, and comments.

2. Avoid being too broad or too vague in the ORSA Summary Report.

While producing an overly complex Summary Report can be problematic, going too far in the opposite direction can create similar issues. At best, being too vague is the result of pressures to please a broad audience. At worst, it stems from an unwillingness to alarm that same audience with the result of an inadequate ERM framework.

Some ORSA participants might be greatly tempted to obscure problems for which they are responsible. Obviously, the organization’s ethos and the makeup of the ORSA team play a pivotal role in how open and candid the Summary Report becomes.

Another dimension of this issue is lack of experience in preparing the Summary Report. Risk management is a highly complex discipline that requires a good deal of expertise to adequately address. A superficial ORSA Summary Report could possibly represent the best efforts of otherwise capable individuals who are confronting the assessment for the first time.

How to avoid:

  • Be open and transparent in the ORSA Summary Report.
  • Describe the top risks of the organization in specific terms, supplemented with explicit risk metrics, tolerances, and limits.
  • Give an honest perspective—do not exaggerate how well you are managing risks. The Summary Report is not a marketing document about your own risk-management skills.
  • Describe specific areas where your organization needs to improve its ERM process. Risk management is a never-ending task requiring continual evolution and improvement.
  • Demonstrate a competent understanding of your organization’s risks and ERM challenges. Remember, regulators aren’t expecting perfection.

3. Avoid a prescriptive approach.

Stakeholders in the ORSA process are a heady group—NAIC, IAIS, your state’s regulators, ratings agencies, and your board of directors. All of these entities are exerting pressure on you to get it right.

For some, the impulse may be to use a prescribed or check-the-box process that slavishly adheres to the letter, if not spirit, of your state’s ORSA regulations. Resist this temptation. It will reduce the value of the ORSA process as a management tool and turn it into a compliance exercise.

Remember that the O in ORSA stands for Own, as in “you own it.” It is important for you to tailor the ORSA process to your business—appropriate to your company’s size, scale, and complexity. The ORSA process isn’t an end. Rather, it is a means to understand your risks, improve your ERM framework, and when necessary, recalibrate your exposure to risk. These goals require an approach unique to your organization. A cookie-cutter approach is, at best, a wasted opportunity.

How to avoid:

  • Be mindful of industry best practices, but don’t blindly follow someone else’s approach if not appropriate for your business.
  • Your management team and board need to understand and own the process.

4. Do not wait until the last minute to start the ORSA process or put together the Summary Report.

The competition for resources within your organization might create a tendency to push off the ORSA process until close to the due date. Yet, what higher priority can there be than to ensure the stability of your business in an ever-riskier world? A last-minute effort will undoubtedly produce suboptimal results and also deprive you of the valuable learning experience that a well-planned project can yield.

ORSA is an ongoing, multiyear process that will take time to assimilate efficiently into any organization’s reporting cycle. Regulators may take this into consideration and demonstrate leniency. However, expectations from regulators for the ORSA Summary Report will likely increase over time.

A good strategy to prepare for the predicted tougher requirements is to extract maximum value from your previous exercises.

How to avoid:

  • Engage project management resources and lay out a detailed project plan.
  • Secure resources.
  • Establish ORSA processes as a formal part of the objectives for responsible management and key resources.
  • Start now.

ORSA process;

5. Do not make ORSA a separate process.

ORSA and ERM share a common purpose: to illuminate how a company identifies, measures, and manages risk and the process it follows to determine the appropriate amount of capital for those risks. Thus, the ORSA Summary Report is merely a new process for sharing vital information in line with processes that have likely evolved over the life span of any organization. Any attempt to make ORSA a separate process only acts to devalue it.

Companies have been managing risk as part of successfully doing business for years. Risk management is embedded in various processes, e.g., underwriting, pricing and product development, investment activities and asset liability management, distribution management, operations. The ORSA Summary Report should tap into all of these activities as part of summarizing a company’s ERM framework and capital management. The ORSA is part of the way a company runs its business and should not be a separate process.

How to avoid:

  • Start by assessing current risk management practices throughout the organization—there’s no need to reinvent the wheel.
  • ORSA should be a reflection of your ERM process. Focus resources on enhancing the ERM process as opposed to focusing on ORSA itself.
  • It can be helpful to tie the ORSA effort into an existing annual planning cycle, even making the Summary Report an output of that process.

6. Avoid manual and time-consuming reporting processes.

Companies no sooner want to manually enact the ORSA process and produce the Summary Report than perform capital budgeting with only a pencil and paper. However, the Summary Report often relies on many other reports, databases, and processes throughout the company, making it a time-consuming effort to pull together all necessary information. Even more worrisome—manual methods invite opportunities for inconsistencies and errors.

In the nightmare scenario, an organization would have redundant and inconsistent data scattered among incompatible databases and spreadsheets, each with its own reporting mechanism—whether built-in or ad hoc. Even if a company had the foresight to establish one central repository of risk- and capital-related data, the glass is only half full unless the ORSA team can exploit this data with automated summary and detailed reporting.

A lack of enterprise software capable of automating information sharing can greatly complicate the Summary Report’s preparation.

How to avoid:

  • Look for opportunities to automate and streamline reporting processes.
  • Build checks and controls into the risk reporting process.
  • Develop a single source of truth for risk- and capital-related data
  • Invest in technology that enables high-level reporting and allows viewers to then drill down into the necessary details by product line, business unit, risk, etc.

7. Look beyond the statutes to figure capital requirements.

The statutory approach for defining risk-based capital (RBC) requirements is not designed for determining the correct amount of capital to actually hold. The current factor-based RBC approach cannot keep up with product innovation and will not appropriately capture all of the risks that an insurance company faces. The events of 2008 have seared into the collective consciousness of the insurance industry that risk events can arise in ways not anticipated. Indeed, those events prompted the NAIC to launch its Solvency Modernization Initiative, which included ORSA.

The ORSA process assumes an internal view of the appropriate amount of capital to hold for the risks that the business undertakes. In contrast, statutory RBC serves as an early warning signal for regulators and is not meant to be an appropriate measure of capital adequacy—it simply guarantees and authorizes regulatory action.

Unfortunately, by the time the state regulators come calling, that company may have suffered irreversible damage. This damage may arise from inadequate capital modeling techniques, an unclear appetite for risk, lack of tail risk stress testing or operational deficiencies in maintaining data about risks and capital.

How to avoid:

  • Consider the development of best practices for risk assessment and measurement, such as internal economic capital modeling capabilities.
  • Develop a risk appetite statement that clearly states the appropriate amount of capital that the business owns or should own.
  • Incorporate stress and scenario testing as part of organizational capital adequacy processes.

8. Do not produce the ORSA Summary Report in a vacuum.

Just as the ORSA is an outgrowth of a company’s ERM, deficiencies in the ORSA Summary Report, or at least in its first draft, is a warning that something in your ERM needs to be improved. Only through systematic collaboration will the resulting ORSA Summary Report provide maximum benefit to the organization and its stakeholders.

To ensure appropriate levels of collaboration are going into the ORSA process, it may be necessary to appoint an executive-level position to oversee the ORSA. A chief risk officer overseeing the ORSA process and Summary Report development would provide an optimal amount of visibility to all key stakeholders in the company’s risk and capital policies, procedures, and operations. The ORSA project’s value will suffer without team collaboration that spans across the organization and dives deeply into the daily decision-making that implements policies and practices.

How to avoid:

  • Engage a wide range of stakeholders throughout the process, including the management team and the board.
  • Make clear from the inception of the process what information you’ll need from different areas of the organization—and ensure you get it.
  • Consider a formal sign-off process for the numerous sections and contributors to the report.
  • Avoid an approach that fails to consider rating agencies in the assessment, as they are likely to be interested in your Summary Report.
  • Document within the report the governance process pertaining to developing the ORSA process, including the roles of the various team members and stakeholders.

9. Do not take a siloed approach to the ORSA process.

The focus of ERM and ORSA is to have an enterprise-wide approach to risk management that takes into account all organizational risks. A blinkered approach toward identifying and assessing organizational risks is likely to overlook some risks, which may result in missing opportunities for diversification benefits across risks or areas. The scope of the ORSA process encompasses a world of danger, including insurer’s underwriting, claims, investments, asset-liability management, counterparty risk, and operational risk.

Beyond the risk of insufficient capital during times of stress, an organization must consider other forms of risk, including reputational, liquidity, and operational. In complex situations, different risks may create a negative synergy that generates dangers exceeding the sum of the individual risks. Perhaps the biggest risk is an ORSA process and Summary Report that fails to consider interactions among risks and their related potential damage to the organization.

How to avoid:

  • Have an ERM/ORSA team that is responsible for the aggregation of all risks as well as the interactions between risks. Make sure to discuss these interactions in the Summary Report.
  • Measure the impact on all important metrics such as liquidity and reputation—not just on capital.
  • Companies should have a risk appetite statement that captures these measures. It’s simply a best practice within the insurance industry.

10. Do not simply report on past results.

Past is not necessarily prelude, especially in the insurance industry. New risks continually arise, and old ones morph in nature, size, and impact. The ORSA process and Summary Report are meant to have a prospective view. In risk reporting, various metrics are often based on historical results. While much can learned by studying the past, much more can be gained by understanding the present and making educated predictions about the future.

The ORSA team should take care not to prepare a rear-facing Summary Report. It is imperative that the team has a profound understanding of the company’s strategic direction, so it can adequately assess the forward-looking risks the company will face. Scenario testing should not automatically exclude black swan events that, although extremely unlikely or unprecedented, can nonetheless wreak havoc upon the organization. Fortunately, there are standard weighting techniques that provide for the unlikely without obsessing about it. It is better to consider a risk that never materializes than to face a risk never contemplated.

How to avoid:

  • Be prospective whenever possible within the ORSA Summary Report.
  • Quantify potential future impacts under various projected scenarios.
  • Provide insight into what the historical risk metrics and trends lead to predictions for the future.


10 Best Practices

1. Don't make the Summary Report overly complex.

    If your stakeholders aren't concerned with it, it shouldn't be included.

2. Avoid being too broad or too vague.

    Don't block your path to improvement by glossing over the details.

3. Avoid a prescriptive approach. 

    Don't get distracted by best practices and forget the content of your report.

4. Don't wait until the last minute to start.

    The stability of your business deserves more than a last-minute effort.

5. Don't make ORSA a separate process.

    ORSA looks at all aspects of a business and needs to be integrated.

6. Avoid manual and time-consuming reporting processes.

    Wrangling unstructured data opens the door for inconsistencies and errors.

7. Look beyond the statutes to figure capital requirements.

    Statutes are not one-size-fits-all and may not be enough to avoid regulatory action.

8. Don't produce the ORSA Summary Report in a vacuum.

    Collaborate with stakeholders who actually handle the data you need.

9. Don't take a siloed approach to the ORSA process. 

    The risk of insufficient capital can come from anywhere, making a shortsighted approach dangerous.

10. Don't simply report on past results. 

    Historical data should only serve to help make educated predictions about the future.

The ORSA Summary Report process is now an integral part of the reporting cycle and will become increasingly relevant in subsequent years. Developing a sound plan for dealing with the requirement is good strategy, good planning, and just good business.

Following the 10 steps described here can help any company not only meet the ORSA requirement, but provide an expected advantage when competing with other organizations that are not as forward thinking.

Download a PDF copy of this piece

Jeff Fitch headshot

About the author

Jeff Fitch is President of Fitch Consulting Inc., which provides actuarial, risk management, tax, and accounting consulting services. Previously, Jeff was Chief Risk Officer of Aviva USA from 2009 to 2013. In this role, he was responsible for developing a robust enterprise risk management framework, ensuring that the business is within its risk tolerance, and optimizing the company’s risk and reward profile. Prior to Aviva USA, he served more than 13 years at Principal Financial Group. Jeff is Fellow of the Society of Actuaries, a member of the American Academy of Actuaries, a Chartered Enterprise Risk Analyst, and an Enrolled Agent.