Solvency Assessment and Management:

Steering Committee
Position Paper 341 (v 7)
Own Risk and Solvency Assessment

EXECUTIVE SUMMARY

1. INTRODUCTION AND PURPOSE

The purpose of this document is to present the currently available international guidance on
the Own Risk and Solvency Assessment (ORSA), to discuss its relevance to the South
African context and to make recommendations as to the secondary legislation on the ORSA
to be adopted under the Financial Services Board‘s (FSB‘s) Solvency Assessment and
Management (SAM) framework.

The ORSA and Use Test Task Group is of the opinion that the secondary legislation under
the SAM Framework should not be too prescriptive, but should rather be set as high-level
principles to which each insurer or insurance group (insurer) must adhere in performing its
Own Risk and Solvency Assessment. The ORSA is intended to be an insurer‘s own
individual assessment of its risk management framework and the resulting capital
requirements specific to it. An insurer therefore needs to focus on and think about its own
individual circumstances. The Task Group agrees that high-level principles are required in
order to guide the insurer‘s thinking in this regard.
There is a concern that legislation which is too prescriptive would limit the focus of the
assessment to only those areas specifically covered by the legislation and this could result in
significant, insurer-specific risks being excluded from the assessment. This may also reduce
the ORSA from a valuable risk identification and quantification process to a compliance ―box-
ticking‖ exercise.
The Task Group recognises the importance of the ORSA to be a document submitted under
the ―private‖ disclosure sections. The ORSA may contain commercially sensitive information
which may compromise insurers‘ (and insurance groups‘) competitive positions.
The Task Group recognises that where insurers (groups) have opted for an internal model
for regulatory purposes, the internal model will also be used to produce ORSA results. To
this effect, insurers (groups) may include additional information in the ORSA about the
internal model such as the performance of the internal model, or additional results derived
from the internal model such as profit attribution.

2. INTERNATIONAL STANDARDS: IAIS ICPs

1
Position Paper 34 (v 7) was approved as a FINAL Position Paper by the SAM Steering
Committee on 4 October 2012.
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

The International Association of Insurance Supervisors (IAIS) is the international standards

setting body for insurance supervisors. The FSB as a member of the IAIS aims to adhere to
these standards. The IAIS is currently revising its Insurance Core Principles (ICPs) and
corresponding standards and guidance material, with an intended adoption date of October
2011. The IAIS has indicated that further changes may be made to the ICPs.
The most relevant of these proposed ICPs to the ORSA is ICP 16 on enterprise risk
management. The ICP reads: ―The supervisory regime establishes enterprise risk
management requirements for solvency purposes that require insurers to address all
relevant and material risks.‖2 The ORSA, which forms part of an overall enterprise risk
management framework, is included under this ICP and is discussed further under the
related standards and guidance.
The IAIS insurance core principles (ICPs) that were adopted in 20033 do not make explicit
mention of an ORSA. Aspects of the ORSA are however alluded to through a number of
ICPs. The most relevant of these ICPs are:

 ICP 6 - Licensing: ―An insurer must be licensed before it can operate within a
jurisdiction. The requirements for licensing are clear, objective and public.‖ An
essential requirement of this ICP is information from the applicant for licensing on
its ‗business plan projected out for a minimum of three years. The business plan
must reflect the business lines and risk profile, and give details of projected setting-
up costs, capital requirements, projected development of business, solvency
margins and reinsurance arrangements.‘ This ICP will be replaced by ICP 4
intended to be adopted in October 2011.
 ICP 10 – Internal control: ―The supervisory authority requires insurers to have in
place controls that are adequate for the nature and scale of the business. The
oversight and reporting systems allow the board and management to monitor and
control the operations.‖ This ICP requires the establishment of a ‗risk management
system that includes setting and monitoring policies so that all major risks are
identified, measured, monitored and controlled on an ongoing basis.‘
 ICP 17 – Group-wide supervision: ―The supervisory authority supervises its insurers
on a solo and a group-wide basis.‖ As a supplement to solo supervision, this ICP
requires group-wide supervision of insurers which are part of insurance groups or
financial conglomerates, including adequate policies on and supervisory oversight
of group structure and interrelationships, capital adequacy, reinsurance, risk
concentrations, intra-group transactions and exposures, internal control
mechanisms and risk management processes. This ICP may be relevant in the
setting of requirements for solo and group-wide ORSAs.
 ICP 18 – Risk assessment and management: ―The supervisory authority requires
insurers to recognise the range of risks that they face and to assess and manage
them effectively.‖ This ICP requires risk management policies and risk control
systems that are appropriate to the complexity, size and nature of the insurer‘s
business. The insurer must establish an appropriate tolerance level or risk limit for
material sources of risk. Insurers are also required to ‗regularly review the market
environment in which they operate, draw appropriate conclusions as to the risks
posed and take appropriate actions to manage adverse impacts of the environment
on the insurer‘s business‘. This ICP will be replaced in part by ICP 16 on enterprise
risk management intended to be adopted in October 2011.
 ICP 20 – Liabilities: ―The supervisory authority requires insurers to comply with
standards for establishing adequate technical provisions and other liabilities, and

2
ICP 16 of the IAIS ICP material adopted October 2010 (to be included in full set of ICPs to
be adopted in 2011)
3
IAIS Insurance core principles and methodology (2003)

Page 2 of 25
 Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

making allowance for reinsurance recoverables. The supervisory authority has both
the authority and the ability to assess the adequacy of the technical provisions and
to require that these provisions be increased, if necessary.‖ An advanced criterion
requires insurers to ‗undertake regular stress testing for a range of adverse
scenarios in order to assess the adequacy of capital resources in case technical
provisions have to be increased.‘
 ICP 23 – Capital adequacy and solvency: ―The supervisory authority requires
insurers to comply with the prescribed solvency regime. This regime includes
capital adequacy requirements and requires suitable forms of capital that enable the
insurer to absorb significant unforeseen losses.‖ An advanced criterion requires
‗periodic, forward-looking analysis (e.g., dynamic solvency/stress testing) of an
insurer‘s ability to meet its obligations under various conditions.‘ This ICP will be
replaced in part by ICP 174 on capital adequacy intended to be adopted in
October 2011. ICP 17 does not make the same references but does make
reference to stress testing.

In addition to these insurance core principles, there are also IAIS principles on capital
adequacy and solvency5. Relevant to the ORSA is principle 13 on solvency assessment:
―Insurance supervisory authorities have to undertake solvency assessment.‖ This principle
requires insurance supervisory authorities to ‗consider the following elements when
undertaking solvency assessment:

 the adequacy, reliability, consistency and objectiveness of technical provisions,

assets and liability valuations and statutory reporting;
 compliance with the required solvency margin and control levels;
 the adequacy of the internal risk assessment processes of the insurer; and
 the risk management systems of the insurer.‘

Although this principle discusses the elements supervisory authorities must consider, it is
likely that similar elements would need to be considered in an insurer‘s own assessment.

3. EU DIRECTIVE ON SOLVENCY II: PRINCIPLES (LEVEL 1)

Article 45 of the EU directive on Solvency II is dedicated to the ORSA. It is reproduced here,

with explanations of the referenced sections in the EU directive where it would otherwise be
unclear.

1. As part of its risk-management system every insurance undertaking and reinsurance

undertaking shall conduct its own risk and solvency assessment.
That assessment shall include at least the following:
(a) the overall solvency needs taking into account the specific risk profile, approved
risk tolerance limits and the business strategy of the undertaking;
(b) the compliance, on a continuous basis, with the capital requirements, as laid
down in Chapter VI, Sections 4 and 5 and with the requirements regarding technical
provisions, as laid down in Chapter VI, Section 2;
(c) the significance with which the risk profile of the undertaking concerned deviates
from the assumptions underlying the Solvency Capital Requirement as laid down in

4
ICP 17 of the IAIS ICP material adopted October 2010 (to be included in full set of ICPs to
be adopted in 2011)
5
IAIS Principles on capital adequacy and solvency (2002)

Page 3 of 25
 Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

Article 101(3), calculated with the standard formula in accordance with Chapter VI,
Section 4, Subsection 2 or with its partial or full internal model in accordance with Chapter
VI, Section 4, Subsection 3.
2. For the purposes of paragraph 1(a), the undertaking concerned shall have in place
processes which are proportionate to the nature, scale and complexity of the risks inherent
in its business and which enable it to properly identify and assess the risks it faces in the
short and long term and to which it is or could be exposed. The undertaking shall
demonstrate the methods used in that assessment.
3. In the case referred to in paragraph 1(c), when an internal model is used, the assessment
shall be performed together with the recalibration that transforms the internal risk numbers
into the Solvency Capital Requirement risk measure and calibration.
4. The own-risk and solvency assessment shall be an integral part of the business strategy
and shall be taken into account on an ongoing basis in the strategic decisions of the
undertaking.
5. Insurance and reinsurance undertakings shall perform the assessment referred to in
paragraph 1 regularly and without any delay following any significant change in their risk
profile.
6. The insurance and reinsurance undertakings shall inform the supervisory authorities of the
results of each own-risk and solvency assessment as part of the information reported under
Article 35 [Information to be provided for supervisory purposes].
7. The own-risk and solvency assessment shall not serve to calculate a capital requirement.
The Solvency Capital Requirement shall be adjusted only in accordance with Articles 37
[Capital add-on], 231 to 233 [Group internal model, group capital add-on, and deduction and
aggregation method of calculating the group solvency capital requirement] and 238
[Subsidiaries of an insurance or reinsurance undertaking: determination of the Solvency
Capital Requirement].

The proposed SAM primary legislation in respect of the ORSA is similar to Article 45 of the
EU directive, amended as appropriate to reference the relevant sections in the SAM primary
legislation.

4. MAPPING ANY PRINCIPLE (LEVEL 1) DIFFERENCES BETWEEN IAIS ICP & EU

DIRECTIVE

The proposed IAIS ICP 166 only requires entities to establish an enterprise risk
management framework that addresses all relevant and material risks. The EU Directive
contains more detailed ORSA requirements, but does not contradict the proposed IAIS ICP
16, nor the dedicated sections on the ORSA included in the standards and guidance related
to the proposed ICP 16 (paragraph 16.11 onwards.

5. STANDARDS AND GUIDANCE (LEVELS 2 & 3)

5.1 IAIS standards and guidance papers

6
IAIS ICP material adopted October 2010 (to be included in full set of ICPs to be adopted in
2011)
http://www.iaisweb.org/__temp/ICP_16_Enterprise_Risk_Management__standards_and_guidance_m
aterial.pdf

Page 4 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

Several IAIS standards and guidance are directly relevant to or contain elements that would
be applicable to the ORSA.
The standards and guidance related to the proposed ICP 16 on enterprise risk management
have dedicated sections on the ORSA (from paragraph 16.11 onwards). The broader topics
on ERM discussed in the paper such as risk identification and measurement, documentation,
the risk management policy, the risk tolerance statement and the risk responsiveness of the
ERM framework are also applicable to the ORSA.
This guidance states that as part of its ORSA process, an insurer would be expected to
prepare a report which includes a detailed description of the relevant material categories of
risk that the insurer faces, its overall financial resource needs including its economic capital
and regulatory capital requirements as well as the available capital to meet these
requirements and projections of how such factors will develop in future. This report should
also include detailed descriptions and explanations of the risks covered in the ORSA, the
measurement approaches used and the key assumptions made. Other IAIS standards on
disclosures have limited relevance to the ORSA.
The standards and guidance on ICP 16 appear to replace the prior adopted standard7 and
guidance8 on ERM for capital adequacy and solvency purposes as much of the material
covered is the same. The prior adopted standard and guidance have thus not been explicitly
included for the purposes of this document.
The guidance paper on the structure of regulatory capital requirements9, as well as the
proposed ICP 1710 to be adopted in October 2011, raises additional points about the ORSA.
 In the context of the ORSA, an insurer would generally be expected to consider its
financial position from a going concern perspective (that is, assuming that it will
carry on its business as a going concern and continue to take on new business) but
may also need to consider a run-off and/or winding-up perspective (e.g. where the
insurer is in financial difficulty).
 Whilst the IAIS recognises that some risks may be difficult to quantify (e.g.
operational or liquidity risk), it is important that the insurer nevertheless addresses
all material risks in its ORSA.
 In undertaking the ORSA, the insurer would be expected to have considered the
extent to which the regulatory capital requirements (in particular, any standardised
formula) adequately reflect its particular risk profile. In this regard, the ORSA can be
a useful source of information to the supervisor in reviewing the adequacy of the
regulatory capital requirements of the insurer and in assessing the need for
variation in those requirements.

The standard on the structure of capital resources11 for solvency purposes specifies that ―the
solvency regime should require the insurer to assess the quality and adequacy of its capital
resources to meet regulatory capital requirements and any additional capital needs.‖ The
corresponding guidance paper12 discusses that ‗if an insurer suffers losses that are

7
IAIS Standard no. 2.2.6 on enterprise risk management for capital adequacy and solvency
purposes (2008)
8
IAIS Guidance paper no. 2.2.5 on enterprise risk management for capital adequacy and
solvency purposes (2008)
9
IAIS Guidance paper no. 2.1.1 on the structure of regulatory capital requirements (2008)
10
ICP 17 of the IAIS ICP material adopted October 2010 (to be included in full set of ICPs to
be adopted in 2011)
11
IAIS Standard no. 2.1.2 on the structure of capital resources for solvency purposes (2009)
12
IAIS Guidance paper no. 2.1.2 on the structure of capital resources for solvency purposes
(2009)

Page 5 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

absorbed by its available capital resources, it may need to raise capital to meet ongoing
regulatory capital requirements and to maintain its business strategies. It cannot be
assumed that capital will be readily available at the time it is needed. Therefore, an insurer‘s
own assessment of the quality of capital should also consider the issue of re-capitalisation,
especially the ability of capital to absorb losses on a going-concern basis and the extent to
which the capital instruments or structures that the insurer uses may facilitate or hinder
future re-capitalisation.‘

5.2 EIOPA’S CPs (consultation papers)

The European Commission will not be issuing any Level 2 implementing measures on the
ORSA but EIOPA (formerly CEIOPS) will be issuing Level 3 guidance on the principles
relating to the ORSA. This document has been developed taking CP008 (Proposal for
Guidelines on the Own Risk and Solvency Assessment) into account. A separate document
will be issued expanding the ORSA principles based on CP008. There are no
inconsistencies between tis document and CP008.
EIOPA‘s consultation paper on ―Supervision of Group Solvency for Groups with Centralised
Risk Management‖ (former CP66) discusses an ORSA in the context of insurance groups.
Where an insurer is part of an insurance group and the group complies with the principles of
―Consistent Group Wide Risk Management‖ (as set out in section 3.2) or the Group Risk
Management Function is centralised in such a way that section 3.3 of former CP66 applies,
then it is possible to have one document covering the assessment on solo and group level.

5.3 Other relevant jurisdictions (e.g. OSFI, APRA)

The Australian Prudential Regulatory Authority (―APRA‖) and the Office of the
Superintendent of Financial Institutions Canada (―OSFI‖) are the only two jurisdictions that
are considered in detail in this section. This is in line with the direction from the FSB to focus
on these jurisdictions. A brief reference to Bermuda‘s version of the ORSA process is
however made.

Australia

Australia does have a similar requirement explicitly as part of its Life and General Insurance
Capital (LAGIC) requirements and it is called, as in banking, an Internal Capital Adequacy
Assessment Process (ICAAP) which is largely based on the banking ICAAP as per the Basel
Accord.
As mentioned, this ICAAP has its roots in the Banking Regulations based on Basel II, and
only more recently (Insurance Capital Review Seminar – Sydney 9 June 2011, effective
March 2011) this has also been extended to the Insurance Industry in calculating capital
requirements not adequately covered by Pillar I rather than a true ORSA, as part of
improving alignment across industries. The ICAAP includes:
 Board and management oversight
 Risk assessment in context of appetite
 Target capital
 Managing capital around target; triggers
 Monitoring, reporting and review

Page 6 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

This is distinct from FCR, involves periodic review, continuous review and is reported to the
APRA. The Board and Management are responsible for ICAAP and capital. Principle 1
states ―Banks should have a process for assessing their overall capital adequacy
assessments and strategies, as well as their ability to monitor and ensure their compliance
with regulatory capital ratios. Supervisors should take appropriate supervisory actions if they
are not satisfied with the result of this process. [Information Paper ―Implementation of Basel
II Capital Framework – Supervisory Review Process. 21 December 2007.]
Also, in most cases an insurer must have an appointed actuary13 who must provide an
assessment of the overall financial condition and advice on the valuation of its liabilities on
an annual basis, in particular a Financial Condition Report and an Insurance Liability
Valuation Report (―ILVR‖).

The Appointed Actuary‘s Financial Condition Report must include14, where relevant:

 a business overview;
 an assessment of the insurer‘s recent experience and profitability;
 summary of the key results of the ILVR;
 assessment of the adequacy of past estimates for insurance liabilities;
 assessment of asset and liability management, including the insurer‘s investment
strategy;
 assessment of current and future capital adequacy and a discussion of the insurer‘s
approach to capital management;
 assessment of pricing, including adequacy of premiums;
 assessment of the suitability and adequacy of reinsurance arrangements; and
 high-level assessment of the suitability and adequacy of the risk management
framework.

The General Insurance Prudential Standard GPS 220 requires that insurers have in place a
risk management framework that includes certain key elements, to be described in a Risk
Management Strategy. The Risk Management Strategy would typically not contain policies
or procedures that underpin the risk management framework but may refer to them for
illustration purposes. Further details of this are provided in Appendix A.

Canada

There is no specific mention of an ORSA, but the internal modelling requirement and other
aspects indicate such an approach. The Office of the Superintendent of Financial
Institutions Canada (―OSFI‖) first required prospective scenario testing in 199015. This has
developed into the Dynamic Capital Adequacy Testing (―DCAT‖). An annual report on DCAT
must be filed, based on the analysis and projection of trends on the insurer‘s capital position
given its current circumstances, its recent past, and its intended business plan under a
variety of future scenarios.
They too require an Appointed Actuary to perform a series of deterministic adverse scenario
tests using the insurer‘s financial results and must certify that the financial position is
satisfactory after these tests. OSFI does not currently require the DCAT to be incorporated
into the insurer‘s risk management process. While some insurers incorporate the exercise
13
GPS 310 and APRA Solvency Modernisation Initiative issued November 2009; in the
South African context this would be the Statutory Actuary
14
APRA Solvency Modernisation Initiative issued November 2009
15
NAIC Consultation Paper on ORSA for the Solvency Modernization Initiative Aug 2010

Page 7 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

into their risk management process, some companies view DCAT as a compliance exercise.
Partly for this reason, OSFI is implementing more stress testing requirements.
Guidance on stress, scenario and sensitivity testing has been published by OSFI16 to extend
the use of testing beyond DCAT.

Stress testing must:

 Be documented, available to review and be embedded in enterprise-wide risk
management.
 Be utilized in decision making, including setting the institution‘s risk appetite, setting
exposure limits, and evaluating strategic choices in longer term business planning.
 Help to detect vulnerabilities such as unidentified risk concentrations or potential
interactions between types of risk that could threaten the viability of the institution.
 Be a central tool for assessing liquidity risks.
 Place special attention on risk mitigation, securitization and warehousing risks, risks
to reputation, counterparty credit risk, and risk concentrations.

Each federally registered institution is rated by OSFI according to its composite risk rating,
which is the institution‘s overall net risk rating after taking into account the institution‘s capital
and earnings. Net risk is obtained by offsetting the aggregate quality of risk management
against the aggregate level of inherent risk of the insurer. Inherent risks17 are classified into
the following groups:
 Credit risk
 Market risk
 Insurance risk
 Operational risk
 Liquidity risk
 Legal and Regulatory risk
 Strategic risk

An insurer is rated as low, moderate, above average or high for each of these categories.

The quality of risk management is also divided into groups18:

 Operational Management (i.e., day to day management)
 Financial Analysis
 Compliance
 Internal Audit
 Risk Management
 Senior Management
 Board Oversight

The quality of an insurer‘s risk management processes is assessed as strong, acceptable,

needs improvement or weak. The assessment of aggregate inherent risk and aggregate risk
management quality are based on judgments of all of the inherent risk and risk management
functions.
In addition to the assessment of net risk, the direction of net risk is considered in rating an
insurer. The level and frequency of supervisory scrutiny will depend on the risk assessment
of the institution.

16
OSFI Guideline E -18, December 2009
17
OSFI Solvency Modernization Initiative issued November 2009
18
OSFI Solvency Modernization Initiative issued November 2009

Page 8 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

Bermuda

The Bermuda Monetary Authority (BMA) has issued guidance19 on the ORSA, known in their
jurisdiction as the ―Commercial Insurer‘s Solvency Self Assessment‖ (―CISSA‖). This is not
reproduced in detail in this section but relevant points have been included where appropriate
in this document.

5.4 Mapping of differences between above approaches (Level 2 and 3)

This section focuses primarily on mapping the differences between the IAIS standards and
guidance and the EIOPA issues paper on the ORSA.. A separate discussion document will
be produced based on the EIOPA level 3 guidance. Where differences exist to the
Bermudan CISSA process, these have been highlighted.
Whilst APRA and OSFI contain guidance that is relevant to the ORSA, it is not as directly
applicable as the guidance from the IAIS and EIOPA and hence is only mentioned briefly in
this section.
None of these papers differentiate between life insurers, non-life insurers and reinsurers,
and hence the guidance on the ORSA should be viewed as being applicable to all of these
undertakings.
Overall, the IAIS, EIOPA and BMA guidance are very similar in context, with differences
arising primarily in terms of style and the level of detail at which principles are discussed.
This section will therefore highlight any contradictions that may exist between these papers
and point out for each jurisdiction where it has elaborated on principles more so than the
other jurisdictions.

Contradictions

There are no contradictions in the reviewed guidance on the ORSA. This demonstrates that
the principles underlying the ORSA are consistent across jurisdictions.

Extensions of one jurisdiction over the others

Definition of the ORSA

The EIOPA issues paper provides a definition for the ORSA. The Bermuda Monetary
Authority extends on this in their CISSA definition and includes a requirement for entities to
hold sufficient capital to ‗achieve its business goals‘. This is in line with the requirement for
the ORSA to be embedded in the business and reflect an undertaking‘s business plans.

Going concern versus wind-up

19
BMA Consultation paper on Commercial Insurer‘s Solvency Self Assessment (June 2010)
http://www.bma.bm/uploaded/507-
100709_Consultation_Paper_on_Commercial_Insurer_s_Solvency_Self-Assessment_(REVISED).pdf

Page 9 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

The IAIS specifically mentions that the ORSA should be conducted assuming the insurer will
continue to operate on a going concern basis unless the insurer is in financial difficulty. This
is not explicitly stated by EIOPA.

Frequency of calculation
EIOPA requires undertakings to ‗continuously meet the regulatory capital requirement, as
well as the internal capital targets they set themselves‘. This does not mean that an
insurance undertaking is required to calculate the SCR and MCR on a continuous basis, but
rather that it should comply with these capital requirements continuously. Thus the
undertaking will need to estimate the change in its capital requirements and eligible own
funds since the last full solvency calculation. EIOPA specifies that the ORSA should be
performed at least annually or following a significant change in risk profile. The undertaking
should justify the adequacy of the frequency of the assessment. The IAIS guidance states
that the ORSA should be performed regularly but does not specify this to be at least
annually. The IAIS also requires the ORSA to be performed following significant changes in
risk profile, and implies, though does not state explicitly, that the regulatory capital
requirements should be met at all times.

Risks covered
Although all the jurisdictions require the ORSA to consider all current and reasonably
foreseeable relevant material risks, the actual risks listed as a minimum differ across the
jurisdictions (as can be seen in the table below):

Risks EIOPA IAIS OSFI

Underwriting / √ √ √
Insurance
Market √ √ √
Credit √ √ √
Operational √ √ √
Liquidity √ √
Strategic √
Legal √
Regulatory √
Group √
Other Any other material
risks, examples of
which are liquidity risk,
reputational risk and
strategic risk.
Risk mitigation Consider impact of risk Consideration of
mitigation techniques effectiveness of
e.g. reinsurance, applicable controls to
diversification effects, mitigate risks
loss-absorbing

Page 10 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

capacity of technical
provisions and
deferred taxes

The IAIS and the Bermuda Monetary Authority recognise that some risks may be difficult to
quantify but require insurers to effectively consider these risks in their assessment and
address them appropriately.

Analysis of differences in economic and regulatory capital

The IAIS guidance states that although the amounts of economic capital20 and regulatory
capital requirements and the methods used to determine them may differ, an insurer should
be aware of, and be able to analyse and explain these differences. The EIOPA paper is
worded more strongly, specifying that although an insurer may perform its ORSA at a
different time horizon, confidence level and using different assumptions and assumed
management actions, it is required to perform the internal calculation on the basis of a
99.5% confidence level and a one-year time horizon. EIOPA is however clear that the
purpose of the ORSA is not to duplicate, validate or analyse in detail the parameterisation of
the SCR calculation. The BMA makes a recommendation that Class 4 and Class 3B 21
insurers‘ own capital calculation be done at a 99.0% TVaR22 over a one year horizon (same
confidence level and time horizon as the regulatory capital).

Forward-looking analysis and stress testing

In performing the forward-looking analysis of the ORSA, the IAIS guidance states that the
time horizon should be consistent with that needed for effective business planning, an
example of which is 3-5 years. EIOPA does not mention a specific time horizon, only that it
should be an ‗appropriate planning horizon‘. An insurer should be able to demonstrate an
ability to manage its risks over this longer time horizon under a range of plausible adverse
scenarios. Unlike EIOPA, the IAIS guidance states that the insurer should apply reverse
stress testing to identify scenarios that would likely cause business failure and the actions
necessary to manage this risk. The IAIS guidance notes that whilst insurers must carry out
stress testing, scenario analysis and risk modelling that are most appropriate for the
business, the supervisor may develop additional stress testing for insurers to perform. The
purposes of such testing may be to improve consistency of testing among a group of similar
insurers, and to assess the financial stability of the market to stresses such as pandemics
that impact a number of insurers simultaneously.

20
‗Economic capital‘ refers to the capital needed by the insurer to satisfy its risk tolerance
and support its business plans which is determined from an economic assessment of the
insurer‘s risks, the relationship between them and the risk mitigation in place.
21
As defined in the Bermuda Insurance Act 1978. Class 3B insurers include all short term
insurance companies which have annual premium income of more than $50m from
unrelated business. Class 4 insurers include all short term insurance companies which
have statutory capital requirements of $100m or greater and which write excess liability
business or property catastrophe reinsurance business provided that more than 80% of this
business is in respect of unrelated parties.
22
Tail Value-at-Risk (TVaR) is the expected value of the loss in those cases where it
exceeds a predefined confidence level.

Page 11 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

Proportionality
Both EIOPA and the IAIS advocate the use of the proportionality principle when performing
and reviewing ORSAs. This principle requires the ORSA to be proportionate in its
sophistication and depth to the nature, scale and complexity of the undertaking‘s business.
The IAIS gives further guidelines on this, specifying that when assessing risks, the methods
by which this could be done can range from simple stress testing events to more complex
interlocking stochastic modelling as appropriate to the nature, scale and complexity of the
risks concerned. The IAIS further comments that supervisors should not take a ‗one-size-fits-
all‘ approach to insurers‘ risk management but apply the principle of proportionality.

Group-wide and solo ORSAs

The EIOPA issues paper provides little guidance on ORSAs to be conducted by insurance
groups, barring a comment that EIOPA will likely develop additional guidance in future on the
group ORSA requirements. In contrast, the IAIS provides detailed guidance on the areas to
consider when performing group-wide and solo ORSAs. Apart from performing a group-wide
ORSA, the IAIS requires an ORSA to be done at the insurance legal entity and should
include any additional risks that arise as a result of it being part of an insurance group. An
insurance group should perform its ORSA to assess the adequacy of the group‘s risk
management and current, and likely future solvency position. This group ORSA should
capture all material risks of the group and the assessment of group-wide capital resources
including fungibility of capital, the transferability of assets within the group, multiple gearing,
leverage and intra-group creation of capital and reciprocal financing. It should also be
ensured that capital is not double counted. In normal circumstances, surplus capital at the
top of a group structure may be down-streamed to cover losses in group entities lower down
the chain. The ORSA should reflect that this parental support may not always be forthcoming
or permitted in times of stress. It may also be appropriate to consider scenarios in which the
group structure changes.
The proportionality principle applies to groups as well as solo entities, with particular care to
be given to group risks and group-wide capital resources for large complex groups. Given
that risks may be more complex and diverse for an insurance group, it may be appropriate to
use an internal model for a group‘s ORSA even where the use of an internal model is not a
proportionate approach for the insurance legal entities that form part of that group. The IAIS
provides further guidance to supervisors on how to review the group‘s ORSA.
Where the Bermuda Monetary Authority is the group-wide supervisor, insurers will be
required to file a legal entity CISSA in addition to the group CISSA. However, insurers may
apply for exemptions or modifications. An example of circumstances where an application for
an abbreviated CISSA would be considered includes instances where centralised risk
management exists so that the qualitative content of the legal entity and group CISSAs are
largely duplicative. For instance, the BMA would consider an exemption entirely from a legal
entity CISSA, where the scale of the legal entity comprises almost that of the entire group,
so that no material difference exists in relation to the quantification of CISSA capital and the
qualitative description of risk management in respect of the legal entity and group.
Where the BMA is not the group-wide supervisor, the BMA still requires an insurer to submit
a legal entity CISSA. Where the group CISSA submitted to the group-wide supervisor is of a
broadly equivalent nature and the results for the Bermuda legal entity are discernable, then
the BMA may accept the group CISSA submission and require no separate legal entity
CISSA.
Thus the BMA recognises that there may be instances where the ORSA at the legal entity
level may be waived. No such allowance is mentioned in the IAIS guidance.

Page 12 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

Governance
The BMA includes a requirement that those who administer the CISSA be fit and proper.
Whilst the IAIS and EIOPA have fit and proper requirements for Board members and all
persons who effectively run the undertaking or have key functions, these requirements are
not stated explicitly in their guidance on the ORSA. All jurisdictions place ultimate
responsibility for the ORSA on the Board and senior management. EIOPA and the BMA
explicitly require the Board or senior management to challenge the ORSA/CISSA.

Risk appetite
The BMA makes an explicit recommendation for the CISSA to include a description of how
an insurer‘s risk appetite is defined and measured as well as details around limits imposed
and how these limits are enforced. There is also an explicit recommendation around
reconciling the impact of stress and scenario testing on capital to risk appetite. Whilst the
IAIS notes that stress testing can help an insurer in ascertaining whether its tolerance limits
are suitable for its business, it does not explicitly require such a reconciliation.

Documentation standards
Each of the jurisdictions has provided different levels of guidance in respect of
documentation. The most rigorous of these is Bermuda which supplies reporting templates
that undertakings should complete. EIOPA lists the minimum requirements for
documentation. The IAIS does not include documentation standards explicitly but makes
broad comments of what insurers would be expected to report to the supervisor. The IAIS
states that while disclosing information on risk management helps to improve transparency
and comparability of solvency regimes, it recognises that care should be taken in deciding
what is publicly disclosed given the commercially sensitive nature of some of the information.

6. ASSESSMENT OF AVAILABLE APPROACHES GIVEN THE SOUTH AFRICAN

CONTEXT

6.1 Discussion of inherent advantages and disadvantages of each approach

When discussing the approaches that may be followed in conducting an ORSA, and in
particular the differences highlighted in section 5.4, it is important to consider the benefits as
well as any particular restrictions that may be imposed by following a given approach.

The nature of the ORSA

The secondary legislation under the SAM Framework should not be too prescriptive, but
should rather be set as high-level principles to which each insurer must adhere in performing
its ORSA. Legislation that is too prescriptive has the disadvantage of potentially being too
restrictive and narrowly-defined as well as setting a standard that insurers may view as a
minimum standard which must be met and no more. In the context of the ORSA, the
fundamental principle is that insurers should have robust risk and capital assessment and
management processes that reflect their unique circumstances. It would therefore be
expected that the application of the ORSA principles should be proportionate to the nature,
scale and complexity of risks inherent in the business. Further guidance on the

Page 13 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

implementation of an ORSA, whilst not viewed as prescriptive, can provide clarity to insurers
around the ORSA requirements.

Similar advantages and disadvantages can be applied to documentation standards.

Templates, as proposed by Bermuda, ease the collection and comparison of ORSAs from
different insurers. This is more efficient for the regulator than having to review ORSAs with
different styles and contents and may be particularly helpful in South Africa where resources
at the regulator may be limited. However, as the ORSA is an insurer‘s own assessment, it
follows that an insurer would be expected to discuss its risk and solvency landscape in a
way that makes sense for its business, subject to covering all the requirements that may be
expected in an ORSA. By not setting formal ORSA templates, this also encourages an
insurer to embed the ORSA in its business and decision-making processes and to derive
value from it rather than viewing it as a compliance exercise.

The IAIS guidance requires an ORSA to be performed at the group level and for each
insurance legal entity within the group. The advantage of performing the solo ORSAs at the
legal entity level is that it can assure the regulator (and the companies) that policyholder
interests within the group and each legal entity are expected to be met and that adequate
capital is held. This is also consistent with regulatory reporting that is required at legal entity
level.
There are however disadvantages to this approach and these are highlighted in the
Bermuda CISSA process, where the BMA may waive the ORSA requirement for an
insurance legal entity. There may be valid reasons for this, such as one legal entity making
up the vast majority of the group such that an individual ORSA would largely duplicate the
group ORSA. Furthermore, a group may contain a large number of small legal entities but it
may manage the business and its risks not by legal entity but rather according to some other
(e.g. business cluster) structure. In such a case, an ORSA for each legal entity would be a
drain on resources both for the insurer and the regulator reviewing them, likely add limited
value and may even be misleading as it does not reflect how the business is actually
managed. This may be a reason for the regulator waiving the solo ORSAs at legal entity
level. A group ORSA conducted at the level at which the business is managed, rather than at
legal entity level, may be more appropriate. The regulator may still need to be assured that
the material risks and capital requirements at the legal entity level have been allowed for
adequately.

Frequency of calculation
EIOPA requires entities to perform an ORSA at least annually and following any significant
changes in the entity‘s risk profile. More frequent assessments will have a resultant impact
on resources but the additional management information gained may be beneficial. The
adequacy of the frequency of the assessment should be justified by the insurer.

Risks covered
The reviewed international jurisdictions require the ORSA to consider all current and
reasonably foreseeable relevant material risks. Although minimum risks may be prescribed,
the list is not meant to exclude other risks that may be material to the insurer. This forces
each insurer to identify and understand the materiality of its own risks.

Reconciliations

Page 14 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

Reconciliations are useful in validating model assumptions and results. EIOPA recommends
a high level reconciliation between key items used in the ORSA and those corresponding
items in the financial statements. In addition, insurers are required to understand and assess
the differences between their regulatory and economic capital requirements. This aids an
insurer in better understanding, amongst others, how its business plans, inclusion of
additional risks not modelled in the SCR and any differences in confidence level or time
horizon impact on its capital requirements. Although not the primary purpose, this
reconciliation can aid the regulator in assessing the appropriateness of the calibration of the
standard formula SCR. This is particularly useful in South Africa, where parameterisation of
the standard formula is challenging given data and time constraints. It is noted that a higher
economic capital requirement as shown in the ORSA will not necessarily lead to a capital
add-on to the regulatory capital requirement. Capital add-ons may however be applied if
significant risks are highlighted in the ORSA which are not covered in the SCR or if the risk
management framework as described in the ORSA is considered to be inadequate.

Forward-looking analysis and stress testing

Under the ORSA, stress testing and scenario analysis are useful tools that insurers may use
to understand the risks to which they are exposed. These scenarios should reflect plausible
but severe events that may happen over the business planning projection period (e.g. 3-5
years). It can be time-consuming to derive and quantify the impact of the scenarios, but it is
very insightful for an insurer to go through the process of discussing possible scenarios, their
financial impacts, and possible management actions. It is therefore recommended that the
details of the scenarios (e.g. the quantum of the stresses) not be prescribed by the regulator
but rather be set by each insurer in accordance with its risk profile and business plans.
There can be a use for prescribed stresses by the regulator (e.g. to assess systemic risk
across insurers), but this will likely be viewed as ad-hoc or additional information that does
not absolve insurers from performing their own scenario analysis. The IAIS guidance
recommends testing more severe scenarios, known as reverse stress tests, which could
result in business failure or a breach of regulatory or economic capital requirements. The
number and complexity of these scenarios should be appropriate to the insurer and is not
viewed as unreasonably cumbersome in the South African environment.

Governance
A strong governance structure is required given the importance of the ORSA. This includes,
for example, fit and proper requirements for key personnel, robust documentation and
internal and/or external validation of the process. The Board and senior management are
responsible for and should ask probing questions on the ORSA. This challenging of the
ORSA is a vital part in ensuring the business derives value from this process and will require
Board members and senior management to become knowledgeable in this area.

Embedment in the business

The ORSA should be embedded in the business. It therefore makes sense to extend the
EIOPA definition to include that the ORSA is used to ensure that own funds are sufficient for
the insurer to achieve its business strategy. This is not viewed as being too restrictive.
Indeed, certainly if an approved internal model (partial or full) is used in the calculation of the
SCR and ORSA process, it would need to be shown that the model is being used in the
decision-making processes of the business to pass the ‗use test‘. If not using an internal
model, this does not absolve insurers from using the ORSA as a means to assess its ability
to ‗achieve its business goals‘.

Page 15 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

6.2 Impact of the approaches on EU 3rd country equivalence

APRA and OSFI do not directly address the ORSA, but contain references and requirements
to principles addressed under the ORSA as defined by EIOPA. Thus considering adopting
the principles of these regimes as is, may not achieve third country equivalence.
The IAIS guidance, similar to EIOPA‘s guidance, is principles based. There are numerous
similarities between the IAIS guidance and EIOPA‘s issues paper on the ORSA. It should
however not be recommended that the IAIS guidance is adopted as is in South Africa since
the issues paper addresses areas not referred to by the IAIS (one such example is that there
is no clear definition of an ORSA in the IAIS guidance).
Bermuda guidance has been developed with the specific aim of achieving third country
equivalence and the BMA requirements are generally more onerous than those of EIOPA.
EIOPA is currently performing its assessment of Bermuda for purposes of third country
equivalence.
The approach that the Task Group has followed in developing the South African guidance is
to start with EIOPA‘s issues paper as the basis and adding on guidance from the IAIS, BMA
and other supervisors where applicable.
It should also be noted that the Task Group‘s information from EIOPA was limited, because
Level 3 guidance on the ORSA has not yet been issued by EIOPA and there is no Level 2
implementing measures.

6.3 Comparison of the approaches with the prevailing legislative framework

There is no prevailing South African legislation that is comparable to an ORSA.

As part of its interim measures, the FSB has requested insurers to conduct stress testing.
This stress testing however differs from the stress testing envisioned under the ORSA in the
following ways:

 The FSB‘s interim stress testing involves applying instantaneous stresses and
calculating a metric such as the Capital Adequacy Requirement thereafter. Under
the ORSA, the stresses are applied gradually over a multi-year projection period
and the metrics of interest are the financial position, regulatory capital requirement
and economic capital requirement for each year of the projection.
 The type and quantum of the FSB‘s stresses are prescribed. Under an ORSA,
however, stresses should not be prescribed but should rather be determined by
each insurer in accordance with its own risk landscape and risk management
framework. Any stresses that may be prescribed by the FSB under the SAM
framework should thus fall under the ambit of the stress testing task group and not
form part of the ORSA.

6.4 Conclusions on preferred approach

In summary, the Task Group considered the following sources as input to the
recommendations set out in the next section:
 Solvency II Level I Directive, Article 45

Page 16 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

 EIOPA‘s ORSA Issues Paper, dated May 2008

 EIOPA‘s former CP66 on Supervision of Group Solvency for Groups with Centralised
Risk Management
 IAIS Principles, specifically ICP16 and Guidance Paper 2.2.5
 Bermuda Monetary Authority (BMA), Consultation Paper on Commercial Insurer‘s
Solvency Self Assessment (June 2010)
 APRA framework (specific references indicated in the sections above)
 OSFI framework (specific references indicated in the sections above)
Generally, there is very little reference to the ORSA (or a similar concept) in both the APRA
and OSFI frameworks. The Task Group did however consider the relevant references and
factored those into the recommendation below.
The BMA Consultation paper was considered and although the Task Group‘s overall view
was that the paper establishes requirements that are perhaps too prescriptive, certain areas
were adopted in the recommendations set out below.
The Task Group supports a principle based approach to subordinated legislation for
purposes of the ORSA. Thus the majority of the recommendations set out in the section
below stem from EIOPA‘s Issues Paper on the ORSA and ICP16.

7. RECOMMENDATION

Minimum Requirements for the ORSA

This section could be included as secondary legislation.

Definition of an Own Risk and Solvency Assessment (ORSA)

The ORSA is defined as the entirety of the processes and procedures employed to identify,
assess, monitor, manage, and report the short and long term risks an insurance undertaking
(and insurance group) faces or may face and to determine the own funds necessary to
ensure that insurers (and groups) overall solvency needs are met at all times and are
sufficient to achieve its business strategy.
The ORSA is deemed to be a confidential document and is to be reported to the Regulator
as part of the ―private‖ disclosure requirements.

Requirement to perform an ORSA

Every insurer (solo requirement) and insurance group (group requirement) should perform
an ORSA and document the methodologies, rationale, calculations and results arising from
the assessment. The solo requirement should as a minimum be an assessment for each
legal insurance entity. In principle, the solo and group ORSA should be aligned with how the
insurer manages its business.
Where an insurer is part of an insurance group, the Regulator may waive the solo
submission/reporting requirement if the Regulator is assured that the material risks and
capital requirements at the legal entity level have been allowed for adequately at group level.
The frequency of the assessment should be of such a nature that the assessment provides
relevant information for current decision making. As such, insurers should produce the full
assessment at least annually and when there is a significant change in the insurer‘s risk
profile due to internal or external conditions changing. Although insurers (groups) may

Page 17 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

perform partial assessments during period ends, it is only expected that the results of each
full ORSA run will be submitted to the Regulator (i.e. annual or upon significant change of
the risk profile).
The Task Group recognises that the impact of the above is that entities or businesses
forming part of a group would not necessarily have to produce ORSA
submissions/reports. This may result in gaps. The Task Group proposes to follow
Level 3 guidance in this respect and recognises this as a specific area to address
once Level 3 guidance becomes available from EIOPA and market practices emerge
from Europe. The Task Group further has to consider the ORSA treatment of
insurance sub-groups.

Scope of the ORSA

The ultimate purpose of the ORSA would be to provide the Board and Senior Management
with an assessment of the risks that the insurer (group) is exposed to and the resulting
solvency requirements arising from this exposure. The ORSA should also inform the Board
as to the potential impact that this may have on the current (and likely future) solvency
position of the insurer (group). The level of sophistication of the ORSA should correspond to
the nature, complexity and scale of risks inherent in the business.
The ORSA should consider all material current and foreseeable risks that are relevant to the
insurer.
Underlying the ORSA should be the assumption that the insurer will continue as a going
concern for the foreseeable future. This assumption should be validated by the assessment.
Where this assumption is invalid, an insurer should specifically state this in the assessment.
This would include insurers which are either in run-off or being wound-up. In such cases, the
ORSA should reflect the actual circumstances of the insurer and so exclude any future new
business. The insurer must however ensure that any additional risks arising as a result of the
company being in run-off or being wound up are adequately allowed for within the ORSA.
The insurer should assess its ability to continue in business and assess the adequacy and
quality of economic capital over a longer time horizon (typically 3 – 5 years) than used to
determine regulatory capital requirements. This time horizon should correspond with the
business planning time horizon.

Governance of the ORSA

The ultimate accountability of the ORSA resides with the Board who should approve the
ORSA. When evaluating the ORSA, the Board and Senior Management should assess the
adequacy of the current and future solvency position. In addition the Board and Senior
Management are responsible to ensure that the ORSA is embedded in the business and
decision making processes.
The Board and Senior Management should also, through direct review and challenge and
through reliance on the governance process, conclude on the accuracy and completeness of
the ORSA calculations, assumptions and data used as input to the ORSA.
The ORSA should be appropriately evidenced and documented.
The ORSA document should be subject to an independent assessment either internally (e.g.
Internal Audit) or externally. This review must be carried out by persons different to those
performing the ORSA

Page 18 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

Additional Guidance
The following section contains recommendations and guidance around the implementation
and performance of an ORSA. It is not the intention that this section represents prescriptive
ORSA requirements. Insurers should however look to this section for further guidance and
clarity around the ORSA requirements. This represents the task group‘s current views on the
guidance that will form part of Level 3, and is not intended to be included in the secondary
legislation.

Further Guidance on Aim and Purpose

The aims of the ORSA include:
 Ensuring that insurers and groups have robust processes for assessing and
monitoring risks and their overall solvency needs, including the adequacy and quality
of the assets required to cover the SCR, MCR and internal (economic) capital
requirements.
 A risk management tool that requires entities to assess their own short and long term
risks and the amounts required as own funds to cover these risks. It may serve as a
tool to enhance the entity‘s understanding of the interrelationships between current
(and future risks) and capital (both long and short term capital).

The results of the ORSA should be used to inform and improve business decisions, business
strategy and the ERM framework. The ORSA process should also identify the major issues
affecting the solvency of an insurer (or group).
In Article 45 (4), the Level 1 Directive makes a very clear link between the ORSA and the
business strategy. This implies that the business strategies should be at the heart of the
ORSA and the processes and procedures to manage risk be built around the business
strategies. This would highlight the need for very clear risk appetite statements that cascade
through to all areas of strategic importance. It is also implied that the ORSA should be
constructed in line with how the business is managed (e.g. business clusters) rather than in
such a way as to support regulatory reporting (legal entity).

Further Guidance on Scope

The overarching principle for the submission of an ORSA report to the Regulator is that the
information provided to the Regulator should be sufficient for the Regulator to exercise its
supervisory duties for both solo legal entities as well as groups. It is also not the purpose of
this guidance to change the management structure of insurers. The ORSA should however
best reflect how an insurer or insurance group manages its business and risks. Should an
insurer manage its business on a basis that differs from the legal structure, the insurer could
perform an ORSA on the basis that the business is managed and reported, upon Regulatory
approval. The Board and Senior Management should however be able to demonstrate that
through the ORSA processes all reasonably foreseeable and relevant material risks arising
from legal entities have been appropriately addressed and assessed. The ORSA should also
clearly explain how the information provided relates to the legal entities.
The Regulator may also waive the requirement for a solo ORSA submission/report under
certain circumstances. The Regulator should however be satisfied that upon waiving the solo
reporting requirement, the group ORSA will contain the relevant quantitative and qualitative
information necessary to allow the Regulator to exercise its supervisory duties. Examples of

Page 19 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

instances where the Regulator may waive the solo reporting requirement could include
cases where centralised risk management exists such that the qualitative content of the solo
and group ORSAs are largely duplicative or where the scale of the legal entity or business
unit comprises almost that of the entire group.
The ORSA should include an assessment (quantitative and qualitative) of the own funds
held, together with changes expected in stress situations. There is not an obligation on
insurers and groups to continuously recalculate SCR, MCR and economic capital. The
ORSA process should however by design enable entities to estimate changes in capital
requirements and the economic balance sheet since the last full calculation process. A full
calculation may however be required if an entity‘s risk profile changes significantly.
The ORSA report should be submitted to the Regulator at least annually, but should also be
submitted if an ORSA is performed in between annual period end dates due to significant
changes in the risk profile of the insurer or insurance group.

Further Guidance on Coverage

Insurers and insurance groups may consider addressing the following risks in the ORSA:
 Underwriting and insurance risk
 Market risk
 Credit risk (including e.g. counterparty default risk, instrument rating downgrades)
 Liquidity risk
 Operational risk
 Other risks relating to insurance groups, e.g. group contagion risk, both at group and
subsidiary level (e.g. subsidiary companies should discuss the risk of contagion in
the context of them belonging to a group)
 Other risks not considered adequately covered by the SCR calculation, for example
reputation and strategic risks
The above is a non-exhaustive list and it is recommended that risks are classified and
included in the ORSA consistently to which risks are classified and managed in the
business.
The Task Group recognises that this list of risks may need to be reassessed once
Level 3 guidance becomes available from EIOPA. It will also be ensured that these
risks are defined in the primary legislation.
Insurers and insurance groups should have in place a system of systematically identifying
current and future risks and gather information about these risks over all organisational and
operational levels.
The ORSA should address any risks that arise as a result of membership of a group
structure. The fungibility of capital and the transferability of assets within the group should be
taken into account.
The ORSA should identify dependencies and interrelationships between various risks.
The ORSA should (amongst other items) include assessments of an insurer and insurance
group‘s:
 Enterprise Risk Management framework. The ORSA should be performed in the
context of an insurer’s overall ERM framework. As part of the ERM framework, an
insurer should have sound and prudent capital management and monitoring
practices in place.
 Adequacy of current and future internal (economic) capital resources given its risk
appetite and tolerance levels. Current and future capital levels should take account

Page 20 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

of longer term business strategies, risk tolerances, current and new business plans
and risk mitigation processes and techniques. An insurer should understand how its
risk management and capital management approaches and processes interact and
thus determine how best to optimise its capital base, transfer or retain risk and price
risk.
 Risk management actions. The management actions included in the assessment
should be approved by Senior Management and the Board.
 Reinsurance. The ORSA should explain the mitigating objectives of reinsurance
arrangement together with an assessment of effectiveness of reinsurance
programmes. The assessment should also conclude on whether reinsurance
coverage is adequate.
 Adequacy of current and future regulatory capital position. The amounts of economic
and regulatory capital may differ. The insurer should however understand and
explain these differences.
 Quality of economic and regulatory capital resources. The economic capital of an insurer
should have loss absorbing capacity. It can however not be assumed that new capital will be
readily available.Adequacy and quality of economic and regulatory capital in stressed
conditions. Stressed conditions may include most likely and worst case stress
scenarios. Stress scenarios should include economic stresses, demographic
stresses and stresses resulting from operational risk. Stress testing should include
considerations of scenarios that could result in business failure (such as a breach of
economic solvency, breach of SCR or MCR or other circumstances considered
appropriate by Senior Management and the Board). The ORSA should consider the
evaluation of these scenarios by the Board and Senior Management and where
appropriate the quantification thereof. Further guidance on reverse stress tests will
be developed by the FSB outside the ORSA position paper.

Further Guidance on Calculation

While there may be insurers or insurance groups using the SCR standard formula for ORSA
purposes, due to the size and complexity of the organisations, it may not be the case for all
insurers and groups that their risk profiles are reflected appropriately within the standard
formula. More complex insurers and groups should consider using an internal model for
ORSA purposes. The models used for calculating economic capital for ORSA purposes
should appropriately reflect and quantify all the material risks identified by the insurer‘s ERM
framework, their impact on the insurer and potential mitigating actions. It is therefore likely
that most insurers will use their own models to calculate economic capital for ORSA
purposes. The following requirements should be considered:
 Risk categories should be clearly identified and documented
 Methods used in identifying and analysing risks for economic capital purposes should
be documented
 Modelling criteria and calibrations should be clearly documented. Some examples
include methods used for valuing assets and liabilities, risk modelling techniques,
confidence levels and time horizons.
 In determining economic capital, an insurer should ensure that its economic capital
requirement is sufficient to continuously meet its policyholder liabilities. In calculating
and meeting economic capital requirements, policyholder interests should not be put
at risk.
 Although the model used for calculating economic capital is not expected to meet
regulatory approval, the insurer should ensure that the model is subject to periodic
independent review. The independent review can either be internal, where an insurer
has the appropriate independent skills and expertise in-house (e.g. Internal Audit), or

Page 21 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

external. Where modelling and analysis techniques remain consistent from one year
to the next, these elements need to be reviewed once every three years. Other
elements of the model (such as completeness and accuracy of data, appropriateness
of assumptions, etc) should be reviewed annually.

The output of the ORSA process should be a report which (amongst other items) evidences
the risk and capital management processes and procedures and express a view of the
current and future capital positions of the undertaking.

Forward looking nature of the ORSA

Forward looking economic capital should be determined, taking into account the following:
 Overall risk management strategy
 Future cash flow position
 Business plans and new business strategies
 Changes in the external environment (such as economic, demographic and
environmental changes)
 Contingency plans
 Product design and pricing

An insurer and insurance group should evaluate the results and conclusions from its forward
looking capital projections and use this to inform business decisions, business strategy and
the ERM framework.

Further Governance Considerations

The Board and Senior Management are responsible to ensure that the ORSA is
administered by personnel with the relevant skills and expertise to do so.
Insurers and insurance groups should explain how the ORSA is used in management of the
business and decision making. Entities should also explain how the ORSA is embedded
within strategic, operational and risk management processes.
The ORSA should clearly document the assumptions used to assess and aggregate risks
and highlight where these are different from those used in the SCR calculation.
An entity should be able to explain and justify:
 Methodology and key assumptions used in assessing each risk type
 The result of the assessment including sensitivity of the result to key assumptions
 Appropriateness of the modelling approach, including how it captures all risk types
 Sources of data used in the ORSA and the controls around the integrity of the data

Differences in the valuation bases used for ORSA purposes from that used for purposes of
SCR calculations should be clearly identified together with justification and impact of the
variances.
Insurers and insurance groups should also provide an explanation within the ORSA of key
differences between economic and financial reporting measures.
Other specific documentation requirements should include, but are not limited to:
 Description of areas included in the ORSA

Page 22 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

 Description of processes conducted in the ORSA and the personnel involved

 Stress tests used and their results
 Amount of overall solvency needs and the financial condition of the insurer (and
group)
 Description of the insurer‘s policy on independent assessments, a description of the
assessment process and the results of the last assessment
 Other key management information that may be useful for decision making purposes

The Task Group recognises the potential need for a document (internal to the insurer) that
describes the principles underpinning the process whereby the ORSA is performed and the
ORSA report. Thus insurers and insurance groups should develop a policy specifically
relating to the ORSA. This policy should form part of the overall policy suite and governance
framework.
The ORSA and documentation around the ORSA should be performed in such a way that it
can be reviewed with reasonable effort by a third party. Thus the documentation should be
complete, accurate and present clear audit trails. Documentation should not be overly and
unnecessarily complex.
The independent assessment should be performed over the ORSA report. The independent
assessment of the ORSA should be performed by persons who do not have specific
responsibility for the ORSA process (or section of the process). The results of the
independent assessment should be communicated to Senior Management and the Board,
who are responsible for the identification and implementation of remedial actions. The
implementation of remedial actions should be tracked by Senior Management and the
Board. The overall conclusion from the independent assessment should be reported to the
Regulator, together with the ORSA report/submission. The detailed findings from the
independent assessment, together with the Board and Senior Management‘s responses to
these findings should be available to the Regulator upon request.
Regarding the independent assessment, the following principles should apply:
 The scope and corresponding timing of the independent assessment of the ORSA
should correspond with the related information reported to the Regulator in the
relevant statutory returns.
 It is also not intended that the independent assessment of the ORSA should
duplicate areas subject to independent assurance in the statutory regulatory reports
and annual financial statements.
 The independent assessment should include an assessment of the process whereby
the ORSA has been performed and whether the ORSA policy has been complied
with.
 The Task Group subscribes to the combined assurance concept introduced by the
King III code and thus recognises that the independent assessment can be achieved
through a combination of assurance providers.
The Task Group recommends that the ORSA policy explicitly states which areas of the
ORSA are subject to independent review and the frequency at which these assessments are
performed. In addition, the assessment report on the ORSA should stipulate the areas of
the ORSA that are within the scope of the assessment and the frequency at which these
areas are subject to review.
The Task Group recognises that the scope and basis of the independent assessment
needs to be refined throughout the SAM programme, in the Reporting Task Group.
Thus this is an area where the Task Group will perform further work in conjunction
with the Reporting Task Group.

Page 23 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

APPENDIX A

Australian guidance on risk management

GPS 220 requires that insurers have in place a risk management framework that includes
certain key elements, to be described in a Risk Management Strategy. The Risk
Management Strategy would typically not contain policies or procedures that underpin the
risk management framework but may refer to them for illustration purposes.
The process of risk identification, as part of an insurer‘s risk management framework 23,
would typically be comprehensive and systematic and include a process for updating and re-
assessing risks and/or identifying new risks. There are a number of techniques available to
an insurer to enable the identification, assessment and quantification of risks and their
impact on the insurer‘s operations. Where appropriate, an insurer may typically consider
using such techniques as:

 self or risk assessment — the insurer assesses its operations and activities against
a menu of potential risk vulnerabilities. This process can be facilitated through a
workshop conducted by the risk management function and may incorporate
checklists or the use of other risk identification tools to identify the strengths and
weaknesses of the risk environment;
 risk mapping — during this process, various business units, organisational
functions, process flows and interdependencies are mapped by risk type. This
exercise can reveal areas of weakness and help prioritise subsequent management
action; and
 risk indicators — risk indicators are statistics and/or metrics, often financial, which
can provide insight into an insurer‘s risk position. These risk indicators would
normally be reviewed on a regular basis (such as monthly or quarterly) to alert the
board to changes that may be indicative of risk concerns.

In the assessment of risks, an insurer would typically indicate the level of confidence it
places on the estimations as to the levels of risk. Also, an insurer would typically indicate the
assumptions made as part of the assessment and analysis of risks. As a guide, for each
identified risk, APRA24 envisages that an insurer would:

 assess the inherent impact and likelihood;

 decide whether to accept the risk;
 identify risk mitigation and control strategies; and
 assess the residual risk.

APRA has created a risk rating model called Probability and Impact Rating System or
PAIRS. This model directs supervisory attention to entities based on their likely failure rate
and on the impact should they fail. (That is, size of the institution is reflected in the impact of
failure.)
When performing a PAIRS risk assessment, supervisors make an assessment of the
following categories: Board; Management; Risk Governance; Strategy and Planning;
Liquidity Risk; Operational Risk; Credit Risk; Market and Investment Risk; Insurance Risk;
Capital Coverage/Surplus; Earnings; and Access to Additional Capital.

23
GPG 200 issued July 2008
24
GPG 200 issued July 2008

Page 24 of 25
Solvency Assessment and Management: Steering Committee
Position Paper 34 (v 7) - Own Risk and Solvency Assessment

PAIRS involves an assessment of four key factors:

Inherent Risk – any uncertainty in relation to the business operations of an entity, whether
statistically quantifiable or not, that has the potential to affect the financial position of an
entity. (Involves supervisory rating of the categories: Strategy & Planning, Liquidity Risk;
Operational Risk; Credit Risk; Market and Investment Risk; and Insurance Risk)

Management and Control – encapsulates how an entity identifies, measures, monitors, and
controls the risks inherent in its business. The capability of an entity to manage and control
inherent risks arises from the underlying policies, practices, systems, and controls
established. (Involves supervisory rating of the categories Strategy & Planning; Liquidity
Risk; Operational Risk; Credit Risk; Market and Investment Risk; and Insurance Risk)

Net risk – residual risk remaining after taking into account the mitigating effect of
management and controls. (Involves averaging of Strategy & Planning, Liquidity Risk;
Operational Risk; Credit Risk; Market and Investment Risk; and Insurance Risk ratings. Also
involves supervisory assessment of the categories Board, Management, and Risk
Governance.)

Capital support – buffer available to absorb unexpected losses. Most regulated entities are
required to maintain minimum levels of regulatory capital, but APRA expects such entities to
target a level of economic capital that is sufficient to support their particular risk exposures
and continuing business needs rather than simply meeting minimum regulatory
requirements. (Involves supervisory rating of the categories Capital Coverage/ Surplus;
Earnings; and Access to Additional Capital.)

Page 25 of 25