risk management and governance

© 2012 The National Association of Insurance Commissioners

Risk Management and Governance

Lou Felice Health and Solvency Policy Advisor

NAIC

1


Recap and Going Forward• Touching on ERM and Governance in

Existing U.S. Solvency Regulation– RBC – Reserves– Analysis – Exams

• ORSA Coming On Line

• Corporate Governance Standards / Best Practices Being Developed

2


Risk Management Framework - RBCUse of the Capital Requirement

RBC has some influence on insurers’ risk management (e.g. Reserves reduced for reinsurance, but not for collateral); addressed mainly through other supervisory tools

SII is designed to provide incentives for risk management

Capital add on may be required by regulator, but it is not part of the RBC capital amount

SII capital add on increases SCR

3


Risk Management Framework – PBR Reserves• Governance Guidance in Valuation Manual

(VM-G) – All Applicable to the PBR function– Guidance for the Board of Directors

Best practices for oversight, review and interaction with senior management v

– Guidance for Senior ManagementOversight of actuarial valuation function:risk tolerance ;

assumptions; to mitigation strategies; adequate expertise and resources

– Guidance for Actuary Adequate review, testing of assumptions, cooperation

with internal / external auditors and regulators4


Risk Management Framework - Analysis

• Continuous monitoring/qualitative assessments using regulator only data – assess:• Changes in business plan• Material transactions, including group transactions • Implications for reputation/contagion risks • Impacts of major economic and insurance events, and • Stress testing

• In depth assessments of (potentially) troubled insurers • More frequent/extensive:

• Insurer reporting• Regulator analyses/exams

• Authorities for regulatory actions include• Conservation/rehabilitation/liquidation in the domiciliary state• Suspending or revoking license to write in the state 5


Risk Management Framework – Analysis (ORSA)• ORSA process is one element of insurer’s broader ERM

frameworko Links the insurer’s risk identification, measurement and prioritization

processes with capital management and strategic planningo Each insurer’s ORSA process will be unique, reflecting its business, strategy and

approach to ERM• Regulators will use the ORSA Summary Report to gain a high-level

understanding of the processo Summary Report may be provided in any combination as long as all insurance

legal entities within the group are representedo Summary Report will be supplemented by the insurer’s internal risk management

materialso Summary Report, at a minimum, should discuss:

• Section 1 – Description of Insurer’s Risk Management Framework• Section 2 – Insurer’s Assessment of Risk Exposure• Section 3 – Group Risk Capital and Prospective Solvency Assessment

6


Risk Management Framework – Financial ExamsPhase 1

Phase 2

Phase 3

Phase 4

Phase 5

Phase 6

Understand the Company and Identify KeyFunctional Activities to be Reviewed

Identify and Assess Inherent Risks in Activities

Identify and Evaluate Risk Mitigation Strategies/Controls

Determine Residual Risk

Establish/Conduct Exam Procedures

Update Prioritization and Supervisory Plan

Draft Exam Report and Management LetterBased on FindingsPhase 7

Planning

7


Risk Management Framework - Financial Exams

To provide a clear methodology for assessing residual risk and how it translates into

examination procedures;To allow the assessment of risk-management processes in addition to those which relate to

financial statement line items; andTo utilize examination findings to establish, verify

or revise company’s priority score.

8


Risk Management Framework - Exams1. Identify and understand internal controls that

the insurer has in place for each risk2. Consider whether the controls appear to be

designed appropriately to mitigate each risko If not, no need to test controls

3. If so, test the controls for operating effectivenesso Not required if testing will be inefficient

4. Conclude whether the internal controls effectively mitigate each inherent risko Strong, Moderate or Weak

9


Risk Management Framework – Financial Exams

• Review Existing Control Documentationo SOX Workpaperso Internal Audit Workpaperso External Audit Workpapers

o Model Audit Rule Requirements• Utilize where relevant to exam

10


Solvency Modernization Initiative (SMI):

ORSA

11


US Solvency Framework• US Own Risk & Solvency Assessment (ORSA)

o ORSA Manual developed with industry comments o Two primary goals:

• Foster effective level of ERM, thru which each insurer identifies and quantifies material and relevant risks using techniques appropriate to the nature, scale and complexity of the insurer’s risks, in a manner adequate to support risk and capital decisions

• Provide a group-level perspective on risk and capital as a supplement to the existing legal entity view

• ORSA Exemptiono Individual insurer’s annual direct written and unaffiliated assumed premium,

including international direct and assumed premium but excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, is less than $500,000,000; and

o Insurance group’s (all insurance legal entities within the group) same annual premium is less than $1,000,000,000

o Insurer specific waiver granted by Commissioner based upon unique circumstances including, but not limited to, type and/or volume of business written

12


• Model adopted effective 1/1/15

• ORSA Guidance Manual• Section 1-Description of insurers ERM• Section 2-Insurer assessment of risk exposure• Section 3-Group risk capital and prospective

solvency assessment

ORSA

13


• Current Status• ORSA Pilot Project

• Summer 2012• Feedback to industry• ORSA Subgroup report to E Committee

• Make a few modifications to the guidance manual• Post observations to NAIC website• Referrals to FAH and FEH-Subgroup to continue to

provide guidance to these groups• No Part B Accreditation Standards at this time• 2013 ORSA Pilot

ORSA

14


• No two ORSAs will be the same, nor should they• Regulatory guidance will be high level• Regulators need to learn by reviewing

• Staffing?• ERM expert?• ERM or actuarial consultant?• As you learn, you will begin to see what you believe are

best practices, and begin to set expectations• Will result in interaction, but hopefully not mandates with

some exceptions• Internationally active insurers ORSAs (or result) may be

treated differently

ORSA-What to Expect

15


• Section 1-Description of insurers ERM• Risk Culture and Governance• Risk Identification and Prioritization• Risk Appetite, Tolerances and Limits• Risk Management and Controls• Risk Reporting and Communications

ORSA-What is Included in Manual

16


• Section 2-Insurer assessment of risk exposure• This section typically identifies where the insurer believes its major risks lie (e.g. interest rate

risk, equity risk, catastrophe risk, terrorism risk, certain lines of business, certain investment risks, etc.)

• May also identify financing risk (debt covenants, rating agency requirements, unused debt or unused liquidity)

• Typically contains some amount of discussion on how each of the risks are mitigated. In some cases the information may be very quantitative (e.g. limits), in other cases more qualitative (e.g. reinsurance limits, hedging program discussion and limits, and other more specific mitigators for more specific risks.

• Less of a sales opportunity and less need to be examined that section 1 since it will likely tend to be more specific and factual.

• Maybe the single most important part of the ORSA to the extent company can articulate how well the mitigators and stresses are used and relate to the major risks of the company.

• Particularly helpful where there is a particular area of concern that the regulator may have (e.g. low interest rate environment, concentration risk, etc.)

• Helpful because it demonstrates the rigor and thoughtfulness of the company. • Likely would need to be explained by the company to make sure there is a good understanding. • Role of the examiner vs. analyst to avoid duplication

ORSA-What to Expect

17


• Section 3-Group risk capital and prospective solvency assessment• Combines outcomes of sections 1 and 2• Testing available capital• Description of methods and assumptions used

• Basis of accounting (e.g. GAAP, economic)• Time Horizon (e.g. for economic)• Value at risk (Var), Tail-value at risk (TVAR), Probability of Ruin• AA solvency, 99.X%, 1-year VAR, TVAR or CTE, X% of RBC,

etc• Aggregation or diversification

ORSA-What is Included in Manual

18


• Section 3-Group risk capital and prospective solvency assessment• Perhaps the most useful section, particularly to the analysis process• Provides a new window (to rating agency capital) that was always desired but rarely

provided to regulators. Typically some comparison to SAP RBC. • Provides even more useful data for the more sophisticated companies in the form of

an economic capital. Some of the largest companies will likely submit an assessment that may share Solvency II type of methods (1 year 99.5% Var approach) or methods looked for by rating agencies (e.g. AA rating from S&P)

• May identify the capital by areas of risk. • May discuss liquidity in addition to capital in similar fashion.• Should include how the capital changes under different stresses.• Particularly helpful where there is concern regarding sensitivity of the business plan to

ratings. • Similar to section 2, demonstrates the rigor and thoughtfulness of the company. • May need to be explained by the company to make sure there is a good understanding. • Role of the examiner vs. analyst to avoid duplication

ORSA-What to Expect

19


Solvency Modernization Initiative (SMI):

Corporate Governance

20


• What is Corporate Governance?– CG address insurer insolvencies

• Rules and practices ensuring:– Accountability

– fairness and

– Transparency

What is Corporate Governance?

21


Rules and practices ensuring:• Accountability

• fairness and

• Transparency

Between insurers and stakeholders.

What is Corporate Governance?

22


Topic Recommendation Suitability of Persons Specific requirements in relation to individuals’ fitness and

propriety should be adopted.

Corporate Governance

Consider issuing more guidance on good and bad practices in corporate governance for insurers

Internal Controls Consider the scope for issuing guidance on good and bad practices in internal control. Make a formal requirement for insurers to have an internal audit function.

Enforcement or Sanctions

The insurance laws should be changed to provide the supervisory authority with powers to fine individual directors and senior managers of insurers

Risk Assessment and Management

The relevant laws, regulations or standards should be changed to include a requirement that an insurer have in place comprehensive risk management policies and systems capable of promptly identifying, measuring, assessing, reporting and controlling their risks.

Insurance Activity: Board Approval Requirement

The relevant laws or regulation should explicitly provide that an insurer must have in place strategic underwriting and pricing policies approved and reviewed regularly by the Board.

FSAP- 2009 CG Recommendations

23


• Part of a broader Solvency Modernization Initiative

• Considering changes to improve Corporate Governance practices and regulator assessment

Corporate Governance Working Group- Formed

http://www.naic.org/committees_e_isftf_corp_governance.htm

Formed at the 2009 Winter NM

24

http://www.naic.org/committees_e_isftf_corp_governance.htm


CGWG ChargesCharges Outline high-level corporate governance principles. Determine the appropriate methodology to evaluate adherence with such principles, giving due consideration to development of a model law.

• Analyze the requirements, regulatory initiatives and best practices of the states, other countries and regulators, and the insurance industry, to assist in principle development.

Develop additional regulatory guidance including detailed best practices for the corporate governance of insurers

Review the current IAIS principles and standards related to corporate governance. Critically review and provide input and drafting to the IAIS Governance and Compliance Subcommittee, and on other IAIS papers as assigned by the parent Task Force. From this work, identify future initiatives to improve our regulatory solvency system.

Consider the development of insurance regulatory education for members of insurers’ Boards of Directors.

25


Study of existing requirements related to corporate governance

Corporate Governance Working Group

US- Non-

Insurance

US- Insuranc

e

IAIS- ICPs

Comparative Analysis

• ICP 5: Suitability of Persons

• ICP 7: Corporate Governance

• ICP 8: Risk Management and Internal Controls

26


• September 28, 2012 - Exposure Proposed Responses to a Comparative Analysis of Existing U.S. Corporate Governance Requirements Summary available at:http://www.naic.org/documents/committees_e_isftf_corp_governance_exposures_proposed_responses_comparative_analysis.pdf

Corporate Governance Working Group

27

http://www.naic.org/documents/committees_e_isftf_corp_governance_exposures_proposed_responses_comparative_analysis.pdf




Example of Proposed Enhancement to CG• Annual reporting of

CG practicesEXAMPLE TOPIC

Describe your organization’s governance structure,

including a description of the

Board and various

committees ultimately

responsible for governing the organization.

a. Discuss the rationale for the current Board size

and structure, explaining why the

organization believes

it to be appropriate;

28


Example of Proposed Enhancement to CG• Develop a more Common

Methodology for both analyst and examiners to use in the assessment of Corporate Governance.

29


Other Proposed Enhancements to CG• Internal Audit- Large Insurers• Referrals to other NAIC

working groups• Requiring an element of CG

be included in Model #385 for Accreditation purposes.

30

risk management and governance

Documents

capital management

insurers risk identification

group risk capital

risk managementcapital

insurance events

senior management vguidance

risk tolerance assumptions

troubled insurers