In the remaining year before Solvency II comes into effect, Neil Cantle explains how to prepare for the Own Risk and Solvency Assessment part of the new regulatory regime
Many of the architects of Solvency II have described the Own Risk and Solvency Assessment (ORSA) as being at the heart of the new regulatory framework, and we are now in the final year of trial runs. Rooted in articles 41, 44, 45 and 246 of the directive, the ORSA provides the central context for managing risk. This 'risk' is not that of failing to meet regulatory capital requirements (emphasised in the draft Level 3 guidance). Rather, it relates to the uncertainties associated with delivering company goals and ensuring they are understood and managed with appropriate resources, so the risk profile of the firm remains within the risk appetite set by the board.
Throughout the Solvency II design process, firms have asked for more guidance about what exactly was meant by the ORSA, but the consistent response has been "your own assessment of your own risks and the associated solvency requirements". The draft Level 3 guidance offered 21 guidelines (see Table 1, below), which expand upon the expected substance of the ORSA process and its documentation.
Guideline 2 relates to a cultural change and makes it very clear that the board is to take a hands-on role in steering how the ORSA assessment should be carried out and in challenging the results of the process. This is different to the level of engagement needed for Internal Capital Assessment (ICA) exercises, and boards are concerned about how this should work in practice - particularly how they will go about providing suitable evidence for the regulator that this engagement or challenge has taken place and that its insights have been used in decision-making (guideline 13). Many firms are still wrestling with this, but those closest to meeting regulator expectations have thought carefully about recording specific ORSA output discussions and decisions that involve them.
Assessing solvency needs
Although the ORSA component is one of the few things all territories agreed upon during the development process, it is fair to say that not every country's regulator positions ORSA in quite the same way. The UK regulator has it more within the strategic management of the business, whereas many other countries focus more on the solvency aspect of it and position it as a capital management tool. Arguably, the UK stance makes more sense from a risk management perspective, as firms would otherwise need to embed ORSA within a wider process that covers the risks for which capital is not a complete mitigant.
The assessment of solvency needs (guideline 7) requires firms to consider all of their material risks (not just the ones covered by the regulatory Solvency Capital Requirement (SCR) calculation) whether they are deemed quantifiable or not. Guideline 12 is also high on the regulator's list, where you must explain how your risk profile differs from that in the SCR, even if you are only calculating it with the standard formula approach. This essentially asks you to describe why you think your risk management approach will be successful in maintaining your risk profile within appetite.
To assess continuous compliance (guideline 10) some firms have implemented daily solvency monitoring approaches, while others are relying more on indicators and extrapolations.
For quantifiable risks most firms are building on work previously done under the ICA regime, but many seem to be struggling to convincingly describe risks not covered by their ICA. This requirement to 'explain' a risk profile exposes the lack of maturity most firms have in areas like operational, strategic and reputational risk.
The focus on risks that produce financial uncertainty, and specifically those which might be absorbed with capital, has arguably led to a rather indirect way of thinking about risk in insurance. Most firms equate 'risk' with the capital needed to absorb it and often avoid the issue of understanding the actual risk itself, which can have consequences beyond immediate financial losses. This has led to wide-spread use of statistical approaches based on loss data and expert estimates which, by design, do not provide any rigorous linkage to other (non-capital) outcomes or directly back to risk management efforts. Scenario-based approaches are slightly more helpful but arguably leave firms open to the criticism that they have missed important scenarios, so the process for choosing them needs to be pretty robust. Developments in causal modelling have enabled firms to tackle this problem and show how the underlying dynamics of risks can simultaneously lead to a range of outcomes.
The regulator has expressed some concern that the types of scenarios and stresses being considered are too focused on regulatory capital (rather than the amount of capital you think you need), concentrated too much on the risks covered by the SCR, and have been rather too simple. Scenario and stress testing methodologies have advanced considerably over the past few years, and a key theme is the need to consider multivariate conditions (as real life tends to combine events).
In most cases, the shortcoming in the methodology is in developing the scenarios in the first place - the models are quite capable of producing the results once you know what the scenario is. The draft guidance is clear that the assessment of risk includes deciding the extent to which non-capital mitigation techniques are used and consideration of the effectiveness of the system of governance in different circumstances. While it is useful to have capital model outputs help you decide whether a scenario is extreme or not, take care not to create a circular argument centred on the model - it is better to decide the right scenarios and then explore their dynamics including, but not limited to, capital consequences.
One particularly important feature of ORSA is that companies are being asked to look ahead. It is not just an assessment of your current risk profile but rather a consideration of how it, and your ability to manage it, might evolve. There is a clear statement at the start of the draft Level 3 guidance that "supervisory authorities are expected to ensure that undertakings take a forward-looking view on the risks to which they are exposed". This is essential if the outputs from the process are going to inform business planning and strategic considerations.
Again, the technical challenge of projecting risks and associated solvency requirements is only part of the issue (firms tend to be adopting some variation of projecting risk drivers, a proxy model approach or full future calculation). The regulator has indicated it is expecting to see more realistic future scenarios and risk dynamics being discussed, and in particular some sense that the future is not always perfect. Constructing multivariate scenarios from a deep understanding of the dynamics driving your risk profile is therefore a core part of the ORSA (methods from the social sciences are a useful tool in this area).
In many respects, the key challenge that firms face is cultural, both in terms of what we think risk means and how the ORSA is regulated. For the former, firms need to think of risk as it pertains to achieving business goals, not just capital. This means widening their repertoire of risk management tools to go beyond capital modelling, embracing good disciplines around scenario development and creating models of business dynamics. Developing better narratives will also help boards to engage and evidence their role clearly.
For the latter there needs to be further work this year, with industry and regulator actively engaging in dialogue about finding ways to focus on the quality of the ORSA process outcomes, and not reverting to a benchmarking of the inputs that go into the process.
The ORSA is undoubtedly going to be a crucial part of the new regime so it seems well worth taking the effort to make it work properly.
Neil Cantle is a principal and consulting actuary at Milliman