ORSA is far more than a simple regulatory filing. It doesn’t just require companies to report on the risks they face: It demands that they prove that they have a robust enterprise risk management (ERM) framework in place — and that they are actually using it in making decisions about capital and solvency. For companies without an ERM or a well-defined risk appetite, ORSA will present large challenges. But even companies further along in the path toward effective risk management should take advantage of the ORSA process to bring their capabilities to a new and much-needed level.
Countdown to 2015
Your experience with risk, your hard-won intuitions, and even many of the systems and procedures you have already put into place to assess and manage risk have not yet caught up with a changing marketplace, but they do provide a foundation. The ORSA process is an ideal launch pad to rocket ahead. As the chart below shows, there are several key initiatives institutions can undertake to prepare for ORSA. For 2013, focus on the early steps:
Preparing for ORSA
Source: Oliver Wyman analysis
1You say that ORSA is more than just another regulatory requirement. Why?
ORSA is part of an overall push to make robust risk management a basic regulatory expectation for any insurer. As a result, the model law requires companies not only to report on risks they face, but to demonstrate that they have an enterprise risk management framework in place — and that they’re actually using it. For companies that don’t already have quality ERM in place, getting ready for ORSA will be a real challenge.
2How flexible is the model law in accommodating different business strategies?
Very. The goal is not to impose a single set of standards, but foster an effective level of ERM at all insurers. ORSA lets insurers set their own risk appetite and strategy, but it requires them to have a system in place that can identify, assess, monitor, prioritize, and report on the risks they face, using appropriate techniques and in a manner that is adequate to support risk and capital decisions.
3What kinds of capabilities will companies need?
First, they need to have an ERM framework and a well-defined risk appetite in place — and many don’t. Part of this will require more sophisticated financial projection capabilities. They are going to need to be able to perform multi-scenario-based quantitative analysis along traditional (underwriting, investment, and regulatory) and strategic dimensions, factoring in both their own and their competitors’ strategies and operations, along with the uncertainty of the Affordable Care Act’s implications.
4Why do you say, “Do it the hard way”?
There’s a temptation to take a check-the-boxes approach to regulatory filings, aiming just for a C+ grade. But healthcare today is in the midst of a true revolution. New business models are replacing old among providers, and the whole industry is shifting toward retail. There’s lots of uncertainty. If there was ever a time to get a solid grip on your risk exposure, this is it. Companies that go past the minimum in complying with ORSA are going to find themselves in a much better position.