Other specific findings of the group from the pilot included the following:

• Many companies focused on the strength of their internal risk management program and overall governance structure. However, regulators will want to confirm this, and will expect to see more policies and procedures actually documented and approved by the board of directors over time, including specific written policies and procedures around the ERM or risk management process itself.
• The reports showed that some companies may have had difficulties quantifying, or at least did not document that they had quantified, certain types of risk in some fashion—particularly operational risks. Regulators will expect companies to document their attempts to quantify and prioritize their risks, with at least basic metrics, such as probability or frequency of loss and impact or amount of loss.
• A percentage of sample ORSA reports lacked any discussion of the company's risk appetites, tolerances or limits. Even though some companies may have scored or prioritized risk by severity and frequency, highlighting potential “top losses,” ultimately this information is most helpful to evaluation of capital adequacy and solvency when the total loss potential is weighed against the company's risk tolerance.

Some companies can withstand or tolerate high losses, whilst other companies may be more conservative and may not want to assume as much risk. Ideally, each company must manage their risk mitigation, control and reinsurance efforts according to risk limits, appetite or tolerances set forth in policies and procedures, with escalation of items outside of that appetite via referral to management or the board.

As a further step, regulators will want to see that companies have a formalized risk/reward framework in their business planning process, relating risk management analysis to company business and financial objectives such as return on equity, use of reinsurance and investment target goals. Has the company completed an overall cost/benefit analysis supporting its business plan and economic capital strategy? Is the rationale for such decisions well documented? Based on the pilot submissions, not all companies are doing this yet, and this may be a focus for many insures in the next two years.

As a result of the Pilot, further changes may be made to the Guidance Manual itself within the next six months. A second Pilot Program may be conducted in 2013, under enhancements to the Manual. The NAIC also expects to update the Manual periodically going forward, as submissions are made and additional areas for clarification are revealed. Some current points which may require clarification include:

• More guidance around capital allocation calculations could be given. Some of the pilot companies did not have their risk-based capital allocation strategy or methodologies clearly documented. For those that did have a calculation, methodologies varied significantly in confidence and time horizons for estimation. While companies are free to choose their own modeling techniques, more documentation around the methodology and assumptions used might be beneficial.
• Better documentation may be required for certain foundational assumptions and explanation of company-specific terms used in the report. For example, companies will be requested to specify method of accounting they are using, GAPP, STAT, etc. Information relating to subsidiaries and affiliates should be clarified, with organizational charts and internal company abbreviations were found to be extremely helpful. The review team appreciated any efforts to provide glossary-type exhibits of terms and acronyms.
• Insurers considered most prepared provided certain financial information proactively that may be incorporated into future manual guidance. For example, several leading companies showed year-to-year trends in financial results over several years, adding a new dimension to the review. Also, helpful liquidity discussions were noted by at least two companies.
• In the future, companies may be asked to better describe how risk management is tied to executive and management compensation. As ERM practices are integrated into company operations and strategic decision-making, risk management may become a significant component of executive compensation and an indicator that the company is giving attention to the issue “from the top down.”

As additional developments, companies with a parent in the European Union that file an ORSA report with a foreign regulator can expect that it will be accepted in the U.S. if and to the extent it covers U.S. operations. However, no foreign regulators have decided to accept a U.S. ORSA format yet, and the NAIC discussions on equivalency status continue.

Now that the Model Act is adopted, timing of individual state adoption of the Act depends on each jurisdiction's legislative calendar. Although some states may move to enact it quickly, the NAIC expects all states to target an effective date Jan. 1, 2015 for consistency purposes.

Consequences for companies not complying or falling short of expectations is still unclear, as specific financial penalties for non-compliance are not currently detailed. Nevertheless, it is clear that failure to provide an adequate ORSA report for companies meeting the financial threshold would be a significant finding in any examination report, triggering targeted financial examinations.

All of these developments underscore the need for insurers to sharpen their focus on developing ERM and ORSA programs. ERM and risk analysis efforts take significant time and effort, and companies will not be able to “turn on a dime” to change historical practices and implement new strategies. Lessons from the ORSA Feedback Pilot Project should help both regulators and insurers steer the course towards compliance.

Denise Tessier is senior regulatory consultant for Insurance Compliance Solutions, Enterprise Risk Management and the Consulting Practice at Wolters Kluwer Financial Services. She may be reached at [email protected].