Enterprise Risk Management Requirements of ORSA

Written by: Jon Siegler

Updated: April 24, 2023

In 2012, the National Association of Insurance Commissioners (NAIC) adopted the Risk Management and Own Risk and Solvency Assessment Model Act (#505). Although some state legislative processes have been slow, all states are expected to adopt Model #505 by the end of 2017. At that point, it is expected that most companies should be ready for ORSA and should be using it as part of their ERM framework. This post explores the Enterprise Risk Management (ERM) program requirements of ORSA.

Regular preparation of ORSA reports, at least annually, is not only a sensible idea to gain a thorough understanding of an organization's position in the market, but is also part of the regulatory requirements brought in through the adoption of the Risk Management and Own Risk and Solvency Assessment Model Act. Each report consists of three main sections giving an overview of current and future risk exposure and management. These are:

1) Description of the Insurer's Enterprise Risk Management Framework

2) Insurer Assessment of Risk Exposure

3) Group Assessment of Risk Capital and Prospective Solvency Assessment

A summary report is prepared for the state commissioner based on the full, internal ORSA report as prepared for the board of directors and as part of the internal ERM program.

Enterprise Risk Management Framework

According to the ORSA manual, there are a minimum of five key principles that a robust ERM framework should encompass. In a prior post, we've explored how not having the right framework and simply ignoring enterprise risks can result in damaging losses.

Risk Culture and Governance

Roles and responsibilities need to be well defined, and your organization should nurture a culture that supports accountability in risk-related decisions.

Risk Identification and Prioritization

Clear management of the risk identification process is essential and responsibility for this process must be clear. You need to ensure these procedures are operating effectively throughout your organization. Putting the right risk assessment process in place through the use of ERM software can help tremendously.

Risk Appetite, Tolerance and Limits

To ensure that the risk strategy of the Board of Directors is made clear, a formal Risk Appetite Statement needs to be written, detailing the associated risk tolerance and limits.

Risk Management and Controls

Throughout your organization, ERM should operate to ensure risk is kept within the boundaries defined by the Risk Appetite Statement.

Risk Reporting and Communication

To ensure transparency of the risk management processes, your key personnel require strong reporting and communication procedures. However, your organization should ensure that this does not impede active, informal management decisions on risk-taking.


Own Risk and Solvency Assessment

There are three sections expected in the report around which the assessment should be focused.

Section 1 - Description of the Insurer's Enterprise Risk Management Framework

Section 1 of the report should summarize your approach to the five key principles of ERM, identifying relevant and material risks and describing how such risks are managed as part of your wider business strategy.

Section 2 - Insurer Assessment of Risk Exposures

Within this section, each of the material risks identified in Section 1 needs to be isolated and analyzed. The section will also contain details of the assessment methodology used to ascertain the risk exposure of each of the material risks or risk categories.

Some risk categories are best assessed using a quantitative approach, whilst others are best assessed using a qualitative measure. For some risks, there may be standard methods for assessing the risk, whilst for others an internal, insurer-specific standard may be used. Regardless, each organization will have its own priorities, which will have an impact on the way in which it assesses risk.

This analysis needs to be performed in a consistent and transparent manner with all relevant assumptions listed. It needs to be performed in an appropriate manner for your type of organization with reference to your business model, legal status and management structure.

Each risk should be assessed under both normal and stressed conditions. The commissioner may provide specific parameters or ask for analysis of certain scenarios. A statement of risk tolerance, with quantitative and qualitative limits, should be made, indicating how you determined those risk limits and with reference to the relationships between various risk categories.

The risk assessment should also consider the impact of the risks on your balance sheet, taking into account regulatory requirements, economic and rating agency requirements, available capital and risk capital requirements.

Although there is often overlap between risk categories, by identifying and analyzing each risk individually you and the commissioner can better identify scenarios in which unfortunate sequences of events could cause your business to fail.

Section 3 - Group Assessment of Risk Capital and Prospective Solvency Assessment

This section deals with your organization's position within your specific insurance group and should be performed regardless of the basis of your organization. It combines the qualitative and quantitative measures of risk exposure to determine the medium- to long-term financial resources required.

The Group Assessment of Risk Capital compares aggregate available capital against the various adverse risks. You need to ensure that the group assessment is integrated into your management and decision-making procedures.

There also needs to be a historical comparison of risk capital data from the previous year, with any changes to the identified risks highlighted. The commissioner may request further information as the year progresses as changes in the economic environment occur due to external events.

When performing the analysis, the methodology used should be detailed and a list of assumptions and considerations taken into account should be provided. These considerations (Definition of Solvency; Accounting or Validation Regime; Business Included; Time Horizon; Risks Modeled; Quantification Method; Risk Capital Metric; Defined Security Standard; Aggregation and Diversification) need to be accompanied by a description of how they were factored into the ORSA, with examples as necessary.

Group Assessment of Risk Capital should not be approached as a procedure to determine the minimum risk capital required; rather, it should be used to determine a comfortable level of risk capital that will allow your organization to prosper.

Business Planning and Enterprise Risk Management both require information about the future to be successful. The Prospective Solvency Assessment provides a forecast of risk capital in relation to the risk appetite of your organization, and where a shortfall is identified, it should include details on how the gap will be filled.



Preparing an ORSA report should be seen as part of the ERM framework in place within your organization rather than an extra piece of red tape. By focusing on enterprise risk management, an inherently risk-exposed industry can take the steps necessary to minimize the danger those risks pose.
