Enterprise Risk Management

The new sheriff in town

NAIC adopts model on ERM requirements

By Michael J. Moody, MBA, ARM

Enterprise risk management (ERM) has been the operational approach to risk management for over 10 years now. But, for much of those 10 years, ERM has failed to gain significant traction and as a result implementation has lagged predictions.

One of the first major uses of ERM occurred in the insurance industry. Acceptance grew significantly after the major rating agencies began to develop specific ERM requirements as part of their assessment matrix for insurers. Many risk management professionals believed it was the rating agencies involving ERM that resulted in the acceptance of the enterprise wide view of risk management. Many insurers followed the lead of the rating agencies and began to provide broader risk-based programs to comply with the agencies' requirements. While the rating agencies had been considered by many as the initial driver behind ERM implementation within the segmented financial service sector, it now appears that there is a new sheriff in town—and this one has regulatory clout.

NAIC takes the wheel

Over the past several years, the National Association of Insurance Commissioners (NAIC) via its solvency modernization initiative has been exploring ways to increase the regulatory focus on insurer's risk and capital management. Initially, the NAIC's suggested approach was provided in the form of a Guidance Manual that was the result of a 10-month process that included industry feedback as well as comments from interested parties. Additionally, the development of a model act included a "Feedback Pilot Project" so that regulators would be able to obtain some high-level industry feedback. For this aspect, more than a dozen undisclosed insurers voluntarily submitted a sample Summary Report for review by the regulators.

According to the NAIC, there were a wide variety of responses from the test group. They also found numerous approaches for submitting the summary reports. This insight allowed the NAIC to determine that companies are "in various stages of developing ERM and governance frameworks," as well as handling the capital and solvency planning and stress testing that is expected by the NAIC. A number of other important findings were noted from the group that was involved in the pilot program, including:

• Focused on strength—Most of the companies tended to focus on the strength of their internal risk management programs. The NAIC believes that a more in-depth focus will be required to comply with the enhanced approach that is documented and approved by the board. This would obviously include written policies and procedures that center on the ERM process itself.

• Quantification difficulties—Many of the reports showed that the companies had trouble quantifying some risks, in particular, operational risks. Accordingly, the NAIC thinks that a more detailed approach to quantifying and prioritizing risks, with at least basic metrics such as probability or frequency of loss, be required.

• Lack of specifics regarding risk appetites—The NAIC found that the majority of reports lacked any discussion of the company's risk appetites, tolerances or even limits. Additionally, there was a general lack of prioritizing risk by severity and frequency, thus failing to provide any insight into the "top losses" faced by the company or its ability to evaluate capital adequacy or solvency issues.

Based on the initial group of pilot reports, it is clear that the NAIC will need to provide significant training and guidance to insurers in the proper approach to completing the reports.

The Model Act

After some initial objections from insurers, the NAIC finally prevailed, and on September 12, 2012, adopted the Risk Management and Own Risk and Solvency Assessment Model Act (ORSA). In general, the act requires "insurers to maintain a framework for identifying, assessing, monitoring, managing and reporting on material and relevant risk associated with insurer's current business plans." Some would question how this is different from a more traditional ERM approach used by the rating agencies. While there are several important aspects to the act, it primarily revolves around initiatives that provide a new and, according to the NAIC, improved method of evaluating solvency, beyond the typical risk-based capital approach.

Certainly, developing a better method of assessing solvency is a noble goal. And again, according to the NAIC, implementation of ORSA is expected to increase the chances that the U.S. insurer's regulations will be viewed as equivalent to the solvency requirements as outlined in Solvency II. They believe that by implementing the new ORSA model act, U.S. insurers will be gaining a competitive advantage over other global insurers.

The act requires insurers to provide an in-depth, internal review of their risk management programs. This review should, at a minimum, be completed annually and should include a summary report assessing "the adequacy of the insurer's risk management and capital in light of its current and future business plans." As the act was being finalized, one of the major topics dealt with the coordination of regulators reviewing the summary reports. This was particularly important when an insurance group included carriers that were domiciled in numerous jurisdictions. Ultimately, the NAIC took the "lead state" approach in hopes of avoiding the need for conflicting or duplicate responses.

The summary report will require significant effort on the part of insurers in order to properly comply. The reports are expected to center their attention on three major areas:

• A description of the insurer's risk management framework

• An assessment of risk exposures

• An assessment of the insurer's capital to support its risk and a prospective solvency assessment

While as a group insurers could be considered early adopters of ERM, many insurers still have significant work to be done in order to be able to comply with the new legislative effort.

A new study from Conning Research, Insurance Solvency Regulations: The Race for a Workable Risk-Based Solution, looks at the growing regulatory activity that is being "focused on strengthening insurance solvency protection." The report concludes that this activity will result in "intensified focus on key levers of solvency protection: increased risk capital and enhanced risk management." In addition Conning indicated that one common theme is emerging—"the need for companies to have a clearer understanding of their risks, and for transparent structures and processes to be in place to manage these risks." The report goes on to note that it is not enough for insurers to understand their company's risks, they will need "to be able to present that view to regulators as well."

Conclusion

Make no mistake, the NAIC is taking its responsibility to the insurance purchasing public seriously. The new ORSA model act signifies a fundamental shift in how regulators view their job regarding scrutiny of the insurance industry as well as their monitoring responsibilities for enterprise risk management and capital management practices. While the model act must be passed in each jurisdiction and adopted as part of the state's insurance law, the NAIC expects little interference regarding this issue. As a result, most insurers are beginning to work toward compliance, despite the fact that the earliest that it will be required is January 1, 2015. Some insurers realize the PR value of early compliance, as well as the competitive advantage from the early involvement.

The insurance industry may once again be the model for ERM implementation since the act will require insurers to continuously bolster their ERM practices. Further, the act requires that insurers demonstrate a full understanding of the risks their firms face and they must highlight how their decision-making incorporates various risk factors. Obviously, compliance with the act will require significant preparation on the part of an insurer; however, the results should ultimately allow insurers to enhance their current ERM capabilities and thus appreciate more effective ways to integrate risk in a more holistic approach. This new, major emphasis on enterprise risk management should help insurers reach the original expectations that surrounded ERM.

The author

Michael J. Moody, MBA, ARM, retired as the managing director of Strategic Risk Financing, Inc. (SuRF), a firm that had been established to advance the practice of enterprise risk management. As a regular columnist, he continues to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.