We advise insurers on emerging risk management and regulatory changes (including Dodd-Frank and Solvency II), help them design and implement enterprise risk management frameworks, and measure and manage risk and capital against a range of regulatory, internal, and external requirements, including risk-based capital, economic capital, Solvency II (standard and internal models), and rating agency capital.
PwC’s overall risk management solutions are based on key steps, outlined below, that companies must take to ensure a robust framework, coupled with critical drivers such as governance and communication and a thorough understanding of the place and degree of risk in strategy and business planning that contributes to successful management.
The NAIC’s 2012 adoption of the RMORSA Model Law requires insurers to “maintain a risk framework to assist the insurer with identifying, assessing, monitoring, managing, and reporting on its material and relevant risks.” The Law requires a summary report to be filed in 2015, but many states may require RMORSA-type disclosures before that. Companies must prepare to meet the RMORSA requirement, including the three major areas required in any report:
In order to comply with RMORSA guidelines, applicable to insurers that are part of company holding systems – which covers the vast majority of U.S. insurers – many insurers will need to undertake a comprehensive review of their risk management infrastructure, process, and controls, and be prepared to invest in areas of deficiency to ensure their ability to comply with the regulations in a timely manner.
When managing risk, both generally and in response to current and upcoming regulatory requirements, many companies have critical gaps as far as Board involvement as well as a company-wide lack of understanding of how risk appetite and tolerances should be linked to business strategy.
Risk should be a core consideration when setting strategy, formulating business plans, managing performance, and rewarding management success. Risk appetite should be clearly articulated and reflect the organization’s risk-carrying capacity, business strategy, and financial goals. Processes and procedures should be in place to manage risk on an enterprise-wide basis within defined boundaries, without stifling day-to-day operations.
A comprehensive risk review is central to ORSA guidelines, and documentation of an organization’s risk levels and management framework will be required for the first part of the three-section RMORSA report.
Risk-sensitive economic capital measures are used by businesses to help make risk quantification relevant to day-to-day business operations and can help insurers advance risk measurement and related decisions. Such measures should balance internal and external views as well as the differing perspectives of users, and provide the basis to determine the financial resources a company requires to achieve its business objectives over the planning period.
Section 3 of an insurer’s RMORSA Summary Report – Group Risk Capital and Prospective Solvency Assessment – should document these measures and consider the insurance group as a whole, including the impact of inter-group transactions and financing arrangements, the transferability and fungibility of capital, and any anticipated or foreseeable contagion risks.
In order to be fully compliant with RMORSA guidelines, any insurer affected by the guidelines must demonstrate that the organization has sufficient capital to execute its two-to-five-year business plan, taking into account the potential impact of adverse scenarios and a company’s solvency needs in addition to regulatory capital requirements. The section must also outline management actions to address areas where capital may not be adequate.
In addition to the broad risk management policies it outlines, the RMORSA Summary Report also requires insurers to document their risk exposures in normal and stressed economic environments. These stress tests – the results of which will comprise a company’s second RMORSA summary report section, Insurer’s Assessment of Risk Exposure – should be applied to any business unit or area of material risk identified through the risk management exercises companies will undergo to meet the requirements for the first section of the required three-section report to comply with the RMORSA.
One of the most difficult exercises in modeling insurer results is determining the relationships, if any, between risk categories. As compliance with ORSA guidelines will be a requirement for most U.S. insurers, companies will have to provide evidence of their stress testing of risk exposures across and between risk categories and will not only have to address their risk responses to various scenarios, but also ensure that such testing is accurate and encompassing of all identified risk.
As a result of the financial crisis and concerns over companies’ ability to properly manage and mitigate their business and financial risks, there has been increased scrutiny of the models that are used for risk management, valuation, and regulatory reporting. In response to these concerns, SR-117 provided updated guidance on model use that applies to all banks and federally regulated insurance entities, and will be similar to validation requirements under ORSA. Insurers will be expected to comply with this and forthcoming guidance through enhanced risk management and validation processes to ensure the reliability of the models they use to manage their risk as well as those models that form the basis of a company’s reporting and disclosure information to investors and the broader market.
Operational risk can be viewed as a distinct, individual risk type rather than the execution element of all risk types within an organization. Such an assumption may lead senior management and Boards to view the need for controls around it as duplicative with their existing, in-place processes, leading to an absence of effective operational risk management within regular risk and control procedures.
Similarly, operational risks are often seen as being subjective in nature and difficult to quantify. As insurers tend to focus on more traditional and tangible financial and underwriting risks, there is a potential for operational risk policies to be inadequate, leading to significant unmitigated exposures.
With increased scrutiny on the overall risk functions of insurers and the means companies are using to mitigate risk, operational risk measurement becomes a critical element of a robust risk framework, and integration into the larger ERM system is essential.
Risk reporting is critical to allow insurers and management to adequately evaluate and understand risk, yet risk managers are facing significant challenges when trying to distill vast quantities of data into concise, actionable, and forward-looking views of risk to help facilitate risk assessment and mitigation strategies.
Risk demands on insurers – from regulatory bodies, rating agencies, and shareholders – will not abate in the foreseeable future. Companies that are not able to respond to these demands through documented risk management and mitigation strategies may face queries and skepticism from ratings agencies and may experience higher levels of risk exposure or compromised competitive positions.
Dashboards that provide easily understandable information allow users to summarize the most relevant metrics, call attention to key areas of concern, access detailed information that is required to understand root causes and underlying trends, and identify, escalate, and potentially mitigate the impact of newly arising credit risk concerns earlier in the process. These capabilities underlie a robust risk reporting process.
Having a well-constructed risk governance framework provides the foundation upon which related activities will be built and is key to insurers’ broad risk strategy. A framework serves to communicate an organization’s approach to risk management, engage leading stakeholders, and should ideally include the identification of explicit owners of the risks and a clear allocation of responsibility for the management of risks on a day-to-day basis.
Senior management accountability and responsibility for “top-tier” risks and clear risk management policies and procedures for managing all material risks are also critical. Clearly defined and documented policies and risk appetite parameters for all key risks types should be available.
Growth in variable annuity sales surged through the last three decades, but escalating benefits shifted the sales proposition of the products and increased the risks absorbed by insurers. Given current economic volatility, combined with policyholder demographics, insurers have increased their use of hedging programs to limit risk as it relates to their variable annuity portfolios, even as many leave the business entirely.
For insurers with substantial variable annuity portfolios, hedging may be a way to alleviate part of the capital risk of maintaining those policies. Those exiting the variable annuity business or segregating their older policies will need to develop and implement risk management strategies; others may benefit from de-risking strategies as well as re-pricing and diversifying deposit limits, policy guarantees, asset classes, and funds.
Long-term care product performance continues to deteriorate as societal changes result in increasing claim costs. Such changes include the growth of assisted living facilities, the increase in the number of home health aides, low interest rates, and lower-than-originally-anticipated voluntary and involuntary policy terminations. State regulators continue to show a reluctance to grant rate increases and are demanding a greater level of analytics to support requested increases.
For insurers selling long-term care or in run-off, detailed analytics are crucial to managing the business while minimizing losses. Bundled claim cost models no longer provide sufficient information to correctly diagnose problems and develop strategies for managing these problems.