NAIC Risk Management and Own Risk and Solvency Assessment (RMORSA) Model Act Implementation for Insurance Companies

The paper will examine domestic and global insurer solvency requirements with a primary focus on the United States’ National Association of Insurance Commissioners’ (NAIC) Risk Management and Own Risk and Solvency Assessment (RMORSA) Model Act. In addition, this paper will provide industry guidance to small through midsized insurance companies that have recently breached or are close to reaching the $500 million of annual direct written and unaffiliated assumed premium. Insurance companies can use this information to develop an Enterprise Risk Management (ERM) framework based upon the International Association of Insurance Supervisors’ Insurance Core Principles (ICP) 16 on Enterprise Risk Management and NAIC’s Own Risk and Solvency Assessment (ORSA) Guidance Manual. In order to provide insurance companies an outline of ORSA, the review will include the European Union’s Solvency II Directive, ICP 16, and the NAIC ORSA Guidance Manual as well as the different perspectives of 1) Solvency; 2) Enterprise Risk Management; and 3) Own Risk and Solvency Assessment.


Insurance companies have a responsibility to their subscribers, members, policyholders, and other stakeholders to uphold the promise to provide benefits and pay claims as outlined by individual insurance policy contracts. Given this level of responsibility, and recent economic collapse in the late 2000’s, insurance companies domiciled within the United States that exceed specific levels of annual direct written and unaffiliated assumed premiums, are required to be compliant with individual states’ versions of the National Association of Insurance Commissioners’ Risk Management and Own Risk and Solvency Assessment (RMORSA) Model Act. This Model Act becomes effective January 1, 2015 (13). The objective of the solvency assessment is for insurers to develop, implement, and utilize on an ongoing basis, risk management and solvency reviews. Such reviews are to be conducted under both normal, as well as stressed, environments to ensure that insurers have adequate levels of capital (6).

The RMORSA Model Act is primarily the result of the NAIC’s Solvency Modernization Initiative (SMI) which began in June 2008 (9). The SMI timeline was quickened due to the economic collapse occurring around this time and the NAIC did not wait to improve its oversight on group insurers (Steve Johnson, personal communication, August 16, 2013). Pennsylvania’s Deputy Insurance Commissioner, Steve Johnson (personal communication, August 16, 2013), explained that the NAIC swiftly responded to the economic collapse with expanding the Insurance Holding Company System Regulatory Act and the Insurance Holding Company System Model Regulation. The expansion included the newly created Form F, requiring prior approval for insurance company transactions, and placing more responsibility on the company’s board (Steve Johnson, personal communication, August 16, 2013). Because of the economic collapse and SMI’s quickened timeline, a NAIC task force was developed and charged with the responsibility to devise guidance for the Model Act. The Model Act includes a “critical self-examination to update the United States’ insurance solvency regulation framework and includes a review of international developments regarding insurance supervision, banking supervision, and international accounting standards and their potential use in US insurance regulation” (11). On September 6, 2012, the Financial Condition (E) Committee of NAIC adopted principles based RMORSA Model Act. In addition, NAIC established the ORSA Guidance Manual in 2011. This guidance manual outlines how insurers are to report on the insurer’s RMORSA compliance. Currently this manual has been revised as insurers provide feedback and participate in pilot studies from its original form in 2011 to the current March 2013 version. The pilot studies included several insurers who prepared ORSA Summary Reports for insurance commissioner’s review and feedback.

NAIC’s RMORSA Model Act is among other solvency initiatives that have been developed globally. Three key solvency initiatives have developed occurred globally. The Group of Twenty (G20) Summit on Financial Markets and the World Economy presented a Declaration on November 15, 2008, which summarizes the need for developing solvency regulations, laws, and directives. The Declaration acknowledges that many countries have had to take urgent measures to support the economy and stabilize the financial markets globally, as well as the need for reform to ensure that the economic collapse does not happen again (2).

Next, on November 25, 2009, The European Union adopted a rules based Directive on Insurance and Reinsurance commonly referred to as Solvency II (1). In addition to the efforts of the European Union, the International Association of Insurance Supervisors established a rules based approach in 2010. This group developed an enterprise risk management framework through the use of the ICP 16. ICP 16 is among other enterprise risk management frameworks, however will be reviewed within this paper.

The objective of this paper is to investigate the similarities and difference between the declarations, directives, principles, and model acts as each individual document applies to NAIC’s RMORSA Model Act. Although the National Association of Insurance Commissioners’ distinctively distances RMORSA from other models, reviewing other models, regulations, declarations, and directive will provide assistance in understanding the Model Act and ORSA.

Literature Review

Undeniably, the economic events occurring over the past several years with insolvency have left a lasting impression on many. Since these insolvency events occurred, regulators have reviewed them and set forth new regulations, directives, and acts to mitigate future insolvencies in order to protect consumers. Research was performed to determine appropriate recommendations for insurance companies to implement NAIC’s RMORSA Model Act. The RMORSA Model Act is principles based and provides guidance rather than imposing specific rules, requirements, and methods to comply with the Model Act. Currently, research over the implementation of NAIC’s REMORSA is limited to regulation language, feedback from regulators on the initial pilot, and industry whitepapers.

Solvency defined within the business community

Solvency is critical in business as it is an indication of the financial state of the business. Solvent businesses have the ability to meet long-term financial obligations. In insurance, solvency represents the insurer’s ability to meeting its financial obligations to policyholders when due (6). The ICP 16 further explains that “…the insurer should consider its solvency position and its risk tolerance. [Risk] limits should be set after careful consideration of corporate objectives and circumstances… without endangering the capacity of the insurer to meet its commitments to policyholders” (6).

The European Union’s Solvency II Directive defines solvency as policyholder protection that occurs as a result of the efficient allocation of capital (1). One objective of the Directive is to provide better protection for insurance policyholders (1). Lastly, when NAIC’s RMORSA Model Act was adopted by the Financial Condition (E) Committee, it did not specifically define solvency (13). However, the NAIC does provide a general definition of solvency. The NAIC defines solvency as a means “to ensure that legal obligations to policyholders, contract holders, and others are met when they come due, insurers are required to maintain reserves and capital and surplus at all times and in such forms so as to provide an adequate margin of safety” (10). While there are differences between ICP 16, Solvency II, and RMORSA’s solvency definition, the solvency objective is similar.

Enterprise Risk Management

Enterprise Risk Management (ERM) is one of several highly discussed concepts with insurance industry executives and respective boards of directors and audit committees. The International Association of Insurance Supervisors defines ERM as a combination of “several different terms … commonly used to describe the process of identifying, assessing, measuring, monitoring, controlling, and mitigating risks” (6). ERM is a critical component to the implementation of NAIC’s RMORSA Model Act as indicated in the NAIC ORSA Guidance Manual. The Guidance Manual states that ORSA is only a portion of an insurer’s ERM framework (14).

Research indicates that many companies do not have a robust ERM framework in place. The data of three surveys were reviewed for the purpose of this analysis. The Institute of Internal Auditors, an international professional association, presented the KPMG Audit Committee Institute’s Public Company Audit Committee Member Survey results. 250 Audit Committee members responded to the survey. The results revealed that 105 respondents, or 42%, indicated that their company’s risk management system requires “substantial work” (19). Furthermore, the results indicated, “a gap in organizations’ proficiency in, or attention to, managing and overseeing risks” (19).

Comparative data was presented during the 2013 – 2nd Quarterly Insurance Industry Update meeting. It was presented that only 28% of respondents to the Report on the Current State of Enterprise Risk Oversight and Market Perceptions of Committee of Sponsoring Organizations of the Treadway Commission’s (COSO ERM Framework described their “current state of ERM implementation as ‘systematic, robust and repeatable with regular reporting to the board’” (17)).

Lastly, IBM Corporation conducted a survey of United States Life and Health and Property and Casualty senior risk officers at insurance and reinsurance companies to determine readiness for ORSA (3). The results revealed that 23% of the respondents indicated that their company’s ERM framework is not fully defined and 44% indicated their approach is defined, but not fully implemented respectively (3).

The ICP 16, although prescriptive and rules based, provides details on areas to consider as insurer’s implement the ERM framework. ICP 16 defines enterprise risk management and outlines a method for risk identification as well as measuring, analyzing, and modeling the level of risk (6). ICP 16 defines ERM as including “the self-assessment of all reasonably foreseeable and relevant material risks that an insurer faces and their interrelationships” (6). ICP 16 further provides guidance on the level of needed documentation, implementation of a risk management policy, development of a risk tolerance statement, responsiveness to risk profile changes, Own Risk and Solvency Assessment (ORSA), necessary economic and regulatory capital, need for continued analysis, and defines the supervisory role of risk management (6).

The European Union’s Solvency II Directive does not specifically name ERM within the Directive (1). However, the Directive presents a rules based approach to providing “general provisions for the solvency capital requirement using the standard formula or internal model [,]…solvency capital requirement standard formula [, and]…solvency capital requirement full and partial internal models” in Chapter VI, Section 4, Subsections 1-3 (1). Article 101, “Calculation of the Solvency Capital Requirement,” outlines requirements for insurers, including reinsurers, similar to those of ICP 16. Within Article 101, paragraph 2 states the “Solvency Capital Requirement shall be calculated on the presumption that the undertaking will pursue its business as a going concern” (1). Furthermore, in the Directive’s Article 101, requires of the solvency capital requirement calculation to include insurer consideration of all applicable quantifiable risks, includes current business from the perspective of unexpected losses as well as consideration for new business 12 months into the future (1).

The Directive further states that the Solvency Capital Requirement will include, at a minimum, non-life, life, and health underwriting risk as well as market, credit, and operational risk that includes legal and reputational risk (1). It is also noted that when calculating the Solvency Capital requirement, the insurer should consider the effect of its risk-mitigation (1). The risk considerations of within the Directive are consistent to those used within the insurance industry.

NAIC’s RMORSA Model Act as adopted by Financial Condition (E) Committee outlines Enterprise Risk Management  as that the insurer will maintain a risk management framework that provides assistance to the insurer in order to identify, assess, monitor, manage, and report its material and relevant risks (13). The Model Act furthers outlines the ORSA Summary reporting requirements of ERM  to include the signature of the insurer’s chief risk officer or executive responsible for the oversight of the insurer’s ERM process as an attestation to the best of their belief that the “knowledge that the insurer applies the enterprise risk management process described in the ORSA Summary Report and that a copy of the report has been provided to the insurer’s board of directors or the appropriate committee thereof” (13).

While the Model Act is vague in comparison to ICP 16 and Solvency II, the objective of insurers considering risks and calculating adequate level of capital under normal and stressed environments remains the same. Insurers have the option to determine which pre-established ERM framework to implement or develop the insurer’s own ERM framework in order to fit the needs of the company. Steve Johnson, Deputy Insurance Commissioner at the Pennsylvania Insurance Department, stated during his presentation at The Society of Financial Examiner’s Annual Career Development Seminar that NAIC RMORSA Model Act is not only a game changer for the industry. This allows regulators to look out the front window as to how insurers identify and manager risk rather than out of the back window of events that have already occurred (8).

Own Risk and Solvency Assessment

The term Own Risk and Solvency Assessment (ORSA) is utilized within both European Union’s Solvency II Directive and NAIC RMORSA frameworks and yet they have different means of achievement. “The ORSA concept requires every insurance company to carry out a regular assessment of all of its risk company-wide and evaluate its current and likely future solvency position. The purpose of implementing an ORSA requirement is to help regulators understand how insurers identify, assess, monitor and mitigate risk” (18). Wickland and Christopher (20) noted that the NAIC has “been hesitant to follow the regulatory path set in Europe, primarily citing their disinclination to rely on internal models to calculate regulatory capital. However … [the Commissioners] consistently supported Solvency II’s emphasis on risk management and governance and, in particular, the ORSA process.”

The rules based approach of European Union’s Solvency II Directive presents specific requirements in order to be in compliance with the Directive. The Directive states that all insurers should have a “regular practice of assessing their overall solvency needs with a view to their specific risk profile (own-risk and solvency assessment)” (1).

Article 45 of the Directive, specific to ORSA requires the following for compliance with ORSA to include:

  • the overall solvency needs taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the undertaking;
  • The compliance, on a continuous basis, with the capital requirements…;
  • The significance with which the risk profile of the undertaking concerned deviates from the assumptions underlying the Solvency Capital …. (1)

The principles based approach of the National Association of Insurance Commissioners’ Risk Management and Own Risk and Solvency Assessment Model Act defines ORSA as a “confidential internal assessment, appropriate to the nature, scale and complexity of an insurer …, … [including] the material and relevant risks associated with the insurer [‘s] … current business plan, and the sufficiency of capital resources to support those risks” (13). Furthermore, the Model Act states the insurer will regularly conduct an ORSA as outlined in the ORSA Guidance Manual no less than annually but at any point when the insurer identifies significant changes to its risk profile (13).

Due to the principles based approach of ORSA, compliance with the Model Act will vary among insurers and should be tailored to the individual insurer. Ingram (5) noted there is “no one-size-fits-all approach to an ORSA and company risk policies, procedures and management actions should differ according to the business strategy and risks.” The article further notes an ORSA requirement as such that the management and board of directors must evaluate the “adequacy of the firm’s ERM system and capital, based on their own assessment of the firm’s future plans, risks and risk capacity”  (5). Further review of the NAIC ORSA requirements is outlined below.


Insurers domiciled within the United States are exempt from NAIC’s RMORSA Model Act compliance if an individual insurer has less than $500 million or an insurance group has less than $1 billion in annual direct written premium and unaffiliated assumed premium and the state insurance commissioner does not require insurer compliance (13). Insurers that are not exempt will be required to be compliant as of January 1, 2015 (13). Compliance with the Model Act includes the implementation and ongoing monitoring of an ERM framework and ORSA assessment, which are presented in the insurers’ ORSA Summary Reports (13). It is important to note that although there are over 4,000 insurers within the United States, the Model Act based upon premium requirements will only require compliance for a small percent of insurers (Steve Johnson, personal communication, August 16, 2013). Despite this small percent of insurers complying with the Model Act, the Model Act will include between 85-90% of all written premium within the United States (Steve Johnson, personal communication, August 16, 2013).

The NAIC ORSA Summary Report requires insurers to present, in three sections, a description of the insurer’s ERM framework, insurer’s assessment of risk exposure, and a group assessment of risk capital and prospective solvency assessment (14). IBM Corporation highlighted the requirements of each section as follows:

  • Section One – The insurer will present its ERM Framework and address “Risk Culture and Governance, Risk Identification and Prioritization, Risk Appetite, Tolerances and Limits, Risk Management and Controls, and Risk Reporting and Communication” (3)
  • Section Two – The insurer will address the “quantitative assessment of risk” as well as outline types of scenarios that for example “products with embedded guarantees would most likely require the use of stochastic scenarios, whereas simple products could potentially use deterministic scenarios” (3)
  • Section Three – The insurer will address how risk capital is calculated and determined at an enterprise level. In addition, the “Prospective Solvency Assessment should demonstrate that the insurer has enough capital to execute its business strategy over the planning horizon” (3)

Providing the insurance commissioner with the ORSA Summary Report as previously outlined is an annual requirement. It is the expectation of insurance commissioners that the report will be scaled to the insurer and develops overtime.

While the recent economic events provide a need to implement a solvency framework such as NAIC’s RMORSA Model Act, a majority of insurers are currently unprepared based upon statistics and surveys. Given the insurer’s responsibility to subscribers, members, policyholders, and other stakeholders to uphold the promise made through the insurance policy contract, a solvency framework is needed in today’s economic environment to determine adequate insurer risk appetite, needed capital under normal and stressed environments, and to provide regulators with forward thinking documentation to review the insurers’ ongoing solvency.

Enterprise Risk Management Framework Selection

The RMORSA Model Act requires an insurer to maintain a risk management framework, however; the choice of framework is dependent upon the insurer. Insurers may select from, for example, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM Integrated Framework, ICP 16, ISO International Standards 31000, OCEG Red Book 2.1, or an internally developed framework (15). For the purpose of this paper, this section will focus on the ICP 16 ERM Framework. However, is noted that each model has different benefits and the insurer should evaluate the frameworks prior to implementation.

ICP 16 ERM Framework

The IAIS developed ICP 16, which is a “comprehensive statement of principles and objectives that includes risk management philosophy, risk statement, solvency assessment (ORSA), identification of economic and regulatory capital, continuity analysis, and annual update” (15). IAIS’s ICP 16 outlines a method for risk identification for an insurer’s ERM that includes identifying and addressing “all reasonably foreseeable and relevant material risks” that would include risks in underwriting, claims, expense and reserving, market, credit, operational, liquidity, legal, and reputational risks” (6). Although it is a challenge to quantify reputational risk, the insurer should consider the impact that, for example, catastrophes and credit agency downgrades would have on collateral calls and policyholder terminations that could further impact liquidity (6).

Under the ICP 16 ERM framework, insurers should “consider the causes of different risks and their impacts and assess the relationship between risk exposures” as well as consideration to external risk factors (6). The results should provide the insurer with its strengths and weaknesses in governance as well as outline areas of internal controls, risk management policies, and organizational structure improvements (6). Insurers should review the correlation between the tails of risk profiles that for example risks under normal economic conditions show no strong connection yet have a stronger connection under catastrophic and market risks (6).

Insurers, under ICP 16, are required to document the measurement of risk with “accurate documentation providing appropriately detailed descriptions and explanations of risks, the measurement approaches used and the key assumptions made” (6). Furthermore, insurers must have a documented risk management policy that outlines processes for the management of all relevant and material risk categories for the insurer’s day-to-day operations as well as strategic business plans (6). The risk management policy must also describe the “relationship between the insurer’s tolerance limits, regulatory capital requirements, economic capital and the processes and methods for monitoring risk” (6).

In order to coordinate the “management of risks associated with assets and liabilities, insurers should include an asset-liability management (ALM) policy. The policy should set…out how the investment and liability strategies adopted by the insurer allow for the interaction between assets and liabilities, how the liability cash flows will be met by the cash inflows and how the economic valuation of assets and liabilities will change under an appropriate range of different scenarios” (6). Furthermore, the risk management policy should include an investment policy that outlines that specifies the nature, role, and extent of the investment activities as well as means to comply with regulatory investment requirements (6). The investment policy should include the following:

  • Strategy for optimizing investment returns, specific asset allocation strategies, authorities for investments, and relate the investment policy to ALM (6).
  • Consideration for risky financial instruments that include, but not limited to, derivatives and alternative investment funds (6).

Investments are of utmost importance and therefore, the policy should include stress testing and contingency planning for the stressed conditions (6).

One subsection of the risk management policy or a separate policy must address underwriting risk. Included in this policy must be the topics of the “underwriting process, pricing, claims settlement both in terms of timing and amount and expense control aspects of managing the risks…” (6). Considering the claim timing and size uncertainty, underwriting risks should be addressed in the ALM policy (6). In addition, the insurer should address reinsurance and its approach to risk transfer (pg. 14-15, para 16.7.3). The insurer should determine its level of risk as well as the level of risk it will transfer on its book of business.

In addition to the risk management policy, the insurer must develop a risk tolerance statement that address both quantitative and qualitative risk tolerance levels and defines how the insurer will define acceptable limits. The risk tolerance statement must also indicate how the insurer will use risk tolerance levels in both business plans and day-to-day operations. This statement should also guide the work of management and determine the level of risk the insurer is able to tolerate (6).

Upon completion of the insurer’s ERM framework, the insurer should note that ongoing maintenance of the framework is required to the extent that the framework and risk management policy is responsive to change in internal and external events (6). Because the business environment is constantly changing, the insurers ERM framework should incorporate new identified risks on an ongoing and consistent basis (6). Examples of internal changes include new acquisitions, change in investment positions, and increase or decrease in lines of business (6). External changes include, for example, changes in regulations, rate agency, political, and major catastrophic event occurrences (6). The insurer must incorporate a feedback loop to ensure that the “decisions made by the board and senior management are implemented and their effect monitored and reported in a timely and sufficiently frequent manner via good management information” (6). By engaging in all of these activities, the insurer’s ERM framework remains relevant in meeting the insurer’s strategic and risk objectives (6).

Beyond the implementing an ERM framework, ICP 16 requires insurers to perform its own risk and solvency assessment (ORSA) in order to assess “the adequacy of its risk management and current, and likely future, solvency position” (6). The ORSA should include the following elements:

  • “…Document the rationale, calculations, and action plans arising from this [ORSA] assessment. The ability of an insurer to reflect risks in a robust manner in its own assessment of risk and solvency is supported by an effective overall ERM framework, and by embedding its risk management policy in its operations” (6).
  • The insurers board and senior management must be responsible for the ORSA (6).
  • Scaled to an appropriate nature, scale, and complexity of risks for the insurer, the insurer’s ORSA must include all reasonably foreseeable and relevant material risks such as “underwriting, credit, market, operational and liquidity risks and additional risks arising due to membership of a group. The assessment is required to identify the relationship between risk management and the level and quality of financial resources needed and available” (6).

In order to provide the maximum benefit to the insurer, the insurer should perform ORSA on a regular basis as to continue to provide relevant information to management and aid in the decision making process (6).

In order to determine the needed capital, ICP 16 requires insurers to perform the following:

  • “determine, as part of its ORSA, the overall financial resources it needs to manage its business given its own risk tolerance and business plans, and to demonstrate that supervisory requirements are met” (6);
  • “base its risk management actions on consideration of its economic capital, regulatory capital requirements and financial resources, including its ORSA” (6);
  • “assess the quality and adequacy of its capital resources to meet regulator” (6).

Considering the insurer’s own ERM framework, the insurer should “distinguish between current capital needs and its projected future financial position, having regard for its longer-term business strategy and, in particular, new business plans” as well as consider the regulatory required capital thresholds (6). Insurers should consider events in which the insurer may suffers losses which will need to be absorbed by its capital and cause a need to raise new capital, or re-capitalize, as adequate capital may not be readily available (6). For an insurer to raise capital during times of financial stress, it is critical that the insurer maintains market confidence at all times via its “solvency and capital management, investor relationships, robust governance structure/practices and fair market conduct practices” (6).

As previously stated, developing an ERM framework and completing ORSA is not just a one-time event, but requires ongoing maintenance. ICP 16 specifically states the insurers requirement to analyze “its ability to continue in business, and the risk management and financial resources required to do so over a longer time horizon than typically used to determine regulatory capital requirements” as part of ORSA (6). Furthermore, the insurer is required continual analysis in order “to address a combination of quantitative and qualitative elements in the medium and longer-term business strategy of the insurer and include projections of its future financial position and analysis of its ability to meet future regulatory capital requirements” (6). The insurer is also responsible to demonstrate its ability to manage risk over the long term under reasonable adverse scenarios. The insurer must also address how they will respond to unexpected changes in the market, legal and regulatory arena, and innovations (6).

Regardless of the selected ERM model, states insurance commissioners, state examiners, and regulators will need to review the insurer’s ERM framework. “The insurer’s ERM framework and risk management processes (including internal controls) are critical to solvency assessment. Supervisors should therefore assess the adequacy and soundness of the insurer’s framework and processes by receiving the appropriate information, including the ORSA regularly” (6). The insurer must note that its operations are the primary responsibility of the board of directions and senior management (6). In addition, the board of directors and senior management must have the ability to exercise their own business judgment in order to carry out these responsibilities (6).

ORSA Summary Report

The insurer’s ORSA is a component of the insurer’s ERM framework and includes a confidential internal assessment of the insurer’s material and relevant risks associated with its current business plan and capital resources to support the risk (14). The insurer’s ORSA requirements are as follows:

  • “Regularly, no less than annually, conduct an ORSA to assess the adequacy of its risk management framework, and current and estimated projected future solvency position” (14);
  • “Internally document the process and results of the assessment” (14); and
  • “Provide a confidential high-level ORSA Summary Report annually to the lead state commissioner if the insurer is a member of an insurance group and, upon request, by the domiciliary state regulator (14).

The NAIC identified a goal of ORSA as a means to foster an ERM framework at all insurers that are appropriate to the individual insurer (14).

The ORSA Summary Report includes three sections

Section One, the Description of the Insurer’s ERM Framework, requires the insurer to provide evidence of risk culture and governance, risk identification and prioritization, risk appetite tolerances and limits, risk management and control, and risk reporting and communication (14). In addition, Section One of the ORSA Summary Report should include the following:

  • a high-level summary of the insurer’s ERM framework principles,
  • “describe how the insurer identifies and categorizes relevant and material risks and managers those risks as it executes its business strategy,” and
  • “describe risk monitoring processes and methods, provide risk appetite statements, and explain the relationship between risk tolerances and the amount and quality of risk capital” (14).

Within this section, the insurer should include its method to monitor and respond to changes in the risk profile as well as the method to include new risk information.

Section Two of the ORSA Summary Report indicates the insurer must provide a “high level summary of the quantitative and/or qualitative assessments of risk exposure in both normal and stressed environments for each material risk category in Section One” (14). This section should also include the following characteristics:

  • The assessment should include a “range of outcomes using risk assessment techniques that are appropriate to the nature, scale, and complexity of the risks. Examples of relevant material risk categories may include, but are not limited to, credit, market, liquidity, underwriting, and operational risks” (14).
  • “Methods for determining the impact on future financial position may include simple stress tests or more complex stochastic analyses” (14).
  • Evaluating risks should occur under both normal and stressed environment (14).
  • “The analysis should be conducted in a matter that is consistent with the way in which the business is managed” (14).
  • “Any risk tolerance statements should include material quantitative and qualitative risk tolerance limits and how the tolerance statements and limits are determined, taking into account relevant and material categories of risk and the risk relationships that are identified” (14).

Section Three of the ORSA Summary Report should explain how the “insurer combines the qualitative elements of its risk management policy with the quantitative measures of risk exposure in determining the level of financial resources needed to manage its current business and over a longer term business cycle (e.g., the next one to three years)” (14). The intent of this section is to provide the insurance commissions with information to assess the quality of the insurer’s risk and capital management (14).


State Insurance Commissioners from various states, while presenting at the Society of Financial Examiner’s conference in July 2013, explained that Risk Management and Own Risk and Solvency Assessment Model Act would continue to evolve. This Model Act is the future of the industry and it will not be deregulated. Insurance companies that have recently or are close to breaching the threshold for mandatory compliance should begin preparing by developing the insurer’s ERM framework, performing its Own Risk and Solvency Assessment, and drafting its ORSA Summary Report.

Surveys have revealed that insurance companies are not prepared and do not have a developed ERM framework. Insurers have the option to select an externally developed or develop its own internal ERM framework. The ERM framework should consider underwriting, market, credit, and operational risks that include legal and reputational risk as well as the relationship between risks if specific events occur. Insurers should review its risks and risk relationships under both normal and stressed conditions in order to develop an action plan to raise needed capital in order to remain solvent in the future as part of its ORSA.

Implementing an ERM framework and assessing the insurer’s adequacy of its ERM framework as part of ORSA may become a challenge for insurers that may not have the needed expertise or resources to dedicate to become RMORSA Model Act compliance. Unfortunately, in some instances it may take a crisis like the economic collapse in the late 2000’s to cause the needed change in regulation and internal business culture and priorities. Although the insurance industry fared better than other industries did such as banking and investments with Goldman Sachs, JP Morgan Chase, and Lehman Brothers, the insurance industry must be vigilante in managing its risks and assessing its future capital requirements. If not already started, insurance companies must begin internal conversations as to the needed resource requirements and its plan to become Risk Management and Own Risk and Solvency Assessment Model Act compliant by January 1, 2015.

For more information on this topic, or to learn how Baker Tilly's insurance industry specialists can help, contact our team.


  1. European Parliament and the Council of the European Union. (November 2009). Directive 2009/138/EC of the European Parliament and of the Council on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II). Official Journal of the European Union. Retrieved from
  2. Group of Twenty. (2008). Proceedings from G20 Summit on Financial Markets and the World Economy.  Washington, D.C.
  3. IBM Corporation. (November 2012). ORSA state of readiness survey – addressing the preparedness of US insurers for the RMORSA Model Act [White paper]. Retrieved from
  4. Hugendubler, CPA, K. & Romano, CPA, CFE, J. (April 2013). U.S. own risk and solvency assessment (ORSA) initiative – quarterly update. Retrieved from
  5. Ingram, D. (December 2011/ January 2012). How to handle ORSA – are you ready for the changes?  The Actuary, 8 (6).
  6. International Association of Insurance Supervisors. (October 2010). Insurance core principle 16: enterprise risk management. Retrieved from
  7. International Association of Insurance Supervisors. (n.d.). Solvency. Retrieved from
  8. Johnson, S. (July 2013). Proceedings from the Society of Financial Examiners’ Annual Career Development Seminar. Summerlin, NV
  9. National Association of Insurance Commissioners. (n.d.). Solvency Modernization Initiative (SMI). Retrieved from
  10. National Association of Insurance Commissioners. (2010). The United States Insurance Financial Solvency Framework and Core Principles. Retrieved from
  11. National Association of Insurance Commissions. (2012). Solvency Modernization Initiative
  12. ROADMAP. Retrieved from
  13. National Association of Insurance Commissioners. (September 2012). Risk management and own risk and solvency assessment model act. Retrieved from
  14. National Association of Insurance Commissioners. (March 2013). NAIC own risk and solvency assessment (ORSA) guidance manual. Retrieved from
  15. Romano, CPA, CFE, J. & Schmoyer, CFE, P. (July 2013). Enterprise Risk Management (ERM)
  16. Assessment Case Study [PowerPoint Slides].
  17. Schmoyer, CFE, P. (July 2013). 2013 – 2nd Quarterly Insurance Industry Update [PowerPoint Slides].
  18. Tessier, D. (December 2011). NAIC’s plan for risk, solvency assessments tests gains steam. National Underwriter/ Property and Casualty, 115 (42), 12.
  19. The Institute of Internal Auditors. (February 2012). Rest assured. Tone at the top, (54). Retrieved from
  20. Wickland, D. & Christopher, G. (March 2012). The new rules of risk. Best’s Review, 112 (11), 65-67.